MDEV-23959 GSSAPI plugin - support AD or local group name , and SIDs on Windows

Support membership tests in SSPI with special prefix form

CREATE USER u IDENTIFIED WITH gssapi AS "GROUP:<group_name>"
or
CREATE USER u IDENTIFIED WITH gssapi AS "SID:<sid>"

If user is created as one of the above, after successful SSPI handshake,
this will happen

1) If "GROUP:" prefix is used, then <group_name> is translated to SID
using LookupAccountName() API

2) SSPI user is checked for  SID membership with
ImpersonateSecurityContext() and CheckMembership() APIs

Note, that it <group>/<sid> do not need strictly to refer to an actual
group.
Identity test is also supported, e.g  "GROUP:<users_name>" or
"SID:<user_sid>" will work too.


Well-known SIDs (in SDDL syntax) appear to be supported such as
"SID:WD" will refer to World/Everyone (== "SID:S-1-1-0")
or
"SID:BA" will refer to Administrators (== "SID:S-1-5-32-544")

In UAC environments, for successful checks against Administrators group,
elevation(Run As Administrator) might be necessary, since CheckMembership()
needs groups to be marked as enabled in the token group list.

plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result

@@ -0,0 +1,44 @@
+INSTALL SONAME 'auth_gssapi';
+Warnings:
+Note	1105	SSPI: using principal name 'localhost', mech 'Negotiate'
+CREATE USER 'nosuchgroup' IDENTIFIED WITH gssapi AS 'GROUP:nosuchgroup';
+connect(localhost,nosuchuser,,test,MASTER_MYPORT,MASTER_MYSOCK);
+connect  con1,localhost,nosuchuser,,;
+ERROR 28000: Access denied for user 'nosuchuser'@'localhost' (using password: NO)
+DROP USER nosuchgroup;
+CREATE USER 'nullsid' IDENTIFIED WITH gssapi AS 'SID:S-1-0-0';
+connect(localhost,nullsid,,test,MASTER_MYPORT,MASTER_MYSOCK);
+connect  con1,localhost,nullsid,,;
+ERROR 28000: Access denied for user 'nullsid'@'localhost' (using password: NO)
+DROP USER nullsid;
+CREATE USER 'anonymous' IDENTIFIED WITH gssapi AS 'SID:AN';
+connect(localhost,anonymous,,test,MASTER_MYPORT,MASTER_MYSOCK);
+connect  con1,localhost,anonymous,,;
+ERROR 28000: Access denied for user 'anonymous'@'localhost' (using password: NO)
+DROP USER anonymous;
+CREATE USER 'group_everyone' IDENTIFIED WITH gssapi AS 'GROUP:Everyone';
+connect  con1,localhost,group_everyone,,;
+disconnect con1;
+connection default;
+DROP USER group_everyone;
+CREATE USER 'sid_wd' IDENTIFIED WITH gssapi AS 'SID:WD';
+connect  con1,localhost,sid_wd,,;
+disconnect con1;
+connection default;
+DROP USER sid_wd;
+CREATE USER 'S_1_1_0' IDENTIFIED WITH gssapi AS 'SID:S-1-1-0';
+connect  con1,localhost,S_1_1_0,,;
+disconnect con1;
+connection default;
+DROP USER S_1_1_0;
+CREATE USER 'me_short' IDENTIFIED WITH gssapi AS 'GROUP:GSSAPI_SHORTNAME';
+connect  con1,localhost,me_short,,;
+disconnect con1;
+connection default;
+DROP USER me_short;
+CREATE USER 'me_sid' IDENTIFIED WITH gssapi AS 'SID:MY-SID';
+connect  con1,localhost,me_sid,,;
+disconnect con1;
+connection default;
+DROP USER me_sid;
+UNINSTALL SONAME 'auth_gssapi';

plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test

@@ -0,0 +1,73 @@
+source include/windows.inc;
+--replace_regex /name '[^']+'/name 'localhost'/
+INSTALL SONAME 'auth_gssapi';
+
+
+# Invalid group name
+CREATE USER 'nosuchgroup' IDENTIFIED WITH gssapi AS 'GROUP:nosuchgroup';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+error ER_ACCESS_DENIED_ERROR;
+connect (con1,localhost,nosuchuser,,);
+DROP USER nosuchgroup;
+
+# Group with no members, NULL SID
+CREATE USER 'nullsid' IDENTIFIED WITH gssapi AS 'SID:S-1-0-0';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+error ER_ACCESS_DENIED_ERROR;
+connect (con1,localhost,nullsid,,);
+DROP USER nullsid;
+
+
+# Anonymous
+CREATE USER 'anonymous' IDENTIFIED WITH gssapi AS 'SID:AN';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+error ER_ACCESS_DENIED_ERROR;
+connect (con1,localhost,anonymous,,);
+DROP USER anonymous;
+
+
+# Positive tests
+
+# Everyone group
+CREATE USER 'group_everyone' IDENTIFIED WITH gssapi AS 'GROUP:Everyone';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+connect (con1,localhost,group_everyone,,);
+disconnect con1;
+connection default;
+DROP USER group_everyone;
+
+# Everyone AS well-known SID name
+CREATE USER 'sid_wd' IDENTIFIED WITH gssapi AS 'SID:WD';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+connect (con1,localhost,sid_wd,,);
+disconnect con1;
+connection default;
+DROP USER sid_wd;
+
+# Everyone AS SID S-1-1-0
+CREATE USER 'S_1_1_0' IDENTIFIED WITH gssapi AS 'SID:S-1-1-0';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+connect (con1,localhost,S_1_1_0,,);
+disconnect con1;
+connection default;
+DROP USER S_1_1_0;
+
+replace_result $GSSAPI_SHORTNAME GSSAPI_SHORTNAME;
+eval CREATE USER 'me_short' IDENTIFIED WITH gssapi AS 'GROUP:$GSSAPI_SHORTNAME';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+connect (con1,localhost,me_short,,);
+disconnect con1;
+connection default;
+DROP USER me_short;
+
+
+replace_result $SID MY-SID;
+eval CREATE USER 'me_sid' IDENTIFIED WITH gssapi AS 'SID:$SID';
+replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
+connect (con1,localhost,me_sid,,);
+disconnect con1;
+connection default;
+DROP USER me_sid;
+
+
+UNINSTALL SONAME 'auth_gssapi';

plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm

@@ -14,6 +14,9 @@ if ($^O eq "MSWin32")
   $fullname =~ s/\\/\\\\/; # SQL escaping for backslash
   $ENV{'GSSAPI_FULLNAME'}  = $fullname;
   $ENV{'GSSAPI_SHORTNAME'} = $ENV{'USERNAME'};
+  chomp(my $sid = `powershell -Command "([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value"`);
+  $ENV{'SID'} = $sid;
+
 }
 else
 {