Address review comments, add unit test

2025-08-08 11:22:35 +03:00 · 2016-01-27 15:23:42 +01:00
parent c1bf5ba27e
commit 4b31e6dc95
5 changed files with 55 additions and 69 deletions
--- a/plugin/auth_pipe/auth_pipe.c
+++ b/plugin/auth_pipe/auth_pipe.c
@@ -17,44 +17,27 @@
 /**
  @file

-  auth_pipd authentication plugin.
+  auth_pipe authentication plugin.

-  Authentication is successful if the connection is done via a named pip and
-  the owner of the client process matches the user name that was used when
-  connecting to mysqld.
+  Authentication is successful if the connection is done via a named pipe 
+  pipe peer name matches mysql user name
 */

-
 #include <mysql/plugin_auth.h>
 #include <string.h>
 #include <lmcons.h>


-
-
-
 /**
-  perform the named pipe´based authentication
-
-  This authentication callback performs a named pipe based authentication -
-  it gets the uid of the client process and considers the user authenticated
-  if it uses username of this uid. That is - if the user is already
-  authenticated to the OS (if she is logged in) - she can use MySQL as herself
+  This authentication callback obtains user name using named pipe impersonation
 */
-
 static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 {
  unsigned char *pkt;
-  PTOKEN_USER pTokenUser= NULL;
-  HANDLE hToken;
  MYSQL_PLUGIN_VIO_INFO vio_info;
-  DWORD dLength= 0;
-  int Ret= CR_ERROR;
-  TCHAR username[UNLEN + 1];
-  DWORD username_length= UNLEN + 1;
-  char domainname[DNLEN + 1];
-  DWORD domainsize=DNLEN + 1;
-  SID_NAME_USE sidnameuse;
+  char username[UNLEN + 1];
+  size_t username_length;
+  int ret;

  /* no user name yet ? read the client handshake packet with the user name */
  if (info->user_name == 0)
@@ -62,41 +45,26 @@ static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
    if (vio->read_packet(vio, &pkt) < 0)
      return CR_ERROR;
  }
-
  info->password_used= PASSWORD_USED_NO_MENTION;
-
  vio->info(vio, &vio_info);
  if (vio_info.protocol != MYSQL_VIO_PIPE)
    return CR_ERROR;

-  /* get the UID of the client process */
+  /* Impersonate the named pipe peer, and retrieve the user name */
  if (!ImpersonateNamedPipeClient(vio_info.handle))
    return CR_ERROR;
-  
-  if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken))
-    goto end;
-   
- /* determine length of TokenUser */
- GetTokenInformation(hToken, TokenUser, NULL, 0, &dLength);
- if (!dLength)
-   goto end;

- if (!(pTokenUser= (PTOKEN_USER)LocalAlloc(0, dLength)))
-   goto end;
-
- if (!GetTokenInformation(hToken, TokenUser, (PVOID)pTokenUser, dLength, &dLength))
-   goto end;
-
- if (!LookupAccountSid(NULL, pTokenUser->User.Sid, username, &username_length, domainname, &domainsize, &sidnameuse))
-   goto end;
-
- Ret= strcmp(username, info->user_name) ? CR_ERROR : CR_OK;
-end:
-  if (pTokenUser)
-    LocalFree(pTokenUser);
+  username_length= sizeof(username) - 1;
+  ret= CR_ERROR;
+  if (GetUserName(username, &username_length))
+  {
+    /* Always compare names case-insensitive on Windows.*/
+    if (_stricmp(username, info->user_name) == 0)
+      ret= CR_OK;
+  }
  RevertToSelf();
-  /* now it's simple as that */
-  return Ret;
+
+  return ret;
 }

 static struct st_mysql_auth pipe_auth_handler=
@@ -106,11 +74,11 @@ static struct st_mysql_auth pipe_auth_handler=
  pipe_auth
 };

-maria_declare_plugin(socket_auth)
+maria_declare_plugin(auth_named_pipe)
 {
  MYSQL_AUTHENTICATION_PLUGIN,
  &pipe_auth_handler,
-  "windows_pipe",
+  "named_pipe",
  "Vladislav Vaintroub, Georg Richter",
  "Windows named pipe based authentication",
  PLUGIN_LICENSE_GPL,