MDEV-17950 SHOW GRANTS FOR does not work for a user identified with non-existing plugin

Revert the side effect of 7c40996cc8. Do not convert password hash to its binary representation when a user entry is loaded. Do it lazily on the first authenticatation attempt. As a collateral - force all authentication plugins to follow the protocol and read_packet at least once before accessing info->username (username is not available before first client handshake packet is read). Fix PAM and GSSAPI plugins to behave.
2025-08-08 11:22:35 +03:00 · 2019-01-12 15:56:25 +01:00
parent 3742f6f9aa
commit c94ec9fc67
13 changed files with 186 additions and 145 deletions
--- a/plugin/auth_gssapi/gssapi_server.cc
+++ b/plugin/auth_gssapi/gssapi_server.cc
@@ -145,7 +145,7 @@ int plugin_deinit()
 }


-int auth_server(MYSQL_PLUGIN_VIO *vio,const char *user, size_t userlen, int use_full_name)
+int auth_server(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *auth_info)
 {

  int rc= CR_ERROR; /* return code */
@@ -157,6 +157,9 @@ int auth_server(MYSQL_PLUGIN_VIO *vio,const char *user, size_t userlen, int use_
  gss_name_t client_name;
  gss_buffer_desc client_name_buf, input, output;
  char *client_name_str;
+  const char *user= 0;
+  size_t userlen;
+  int use_full_name;

  /* server acquires credential */
  major= gss_acquire_cred(&minor, service_name, GSS_C_INDEFINITE,
@@ -180,6 +183,21 @@ int auth_server(MYSQL_PLUGIN_VIO *vio,const char *user, size_t userlen, int use_
      log_error(0, 0, "fail to read token from client");
      goto cleanup;
    }
+    if (!user)
+    {
+      if (auth_info->auth_string_length > 0)
+      {
+        use_full_name= 1;
+        user= auth_info->auth_string;
+        userlen= auth_info->auth_string_length;
+      }
+      else
+      {
+        use_full_name= 0;
+        user= auth_info->user_name;
+        userlen= auth_info->user_name_length;
+      }
+    }

    input.length= len;
    major= gss_accept_sec_context(&minor, &ctxt, cred, &input,
--- a/plugin/auth_gssapi/server_plugin.cc
+++ b/plugin/auth_gssapi/server_plugin.cc
@@ -64,41 +64,11 @@ unsigned long srv_mech;
 */
 static int gssapi_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *auth_info)
 {
-  int use_full_name;
-  const char *user;
-  int user_len;
-
-  /* No user name yet ? Read the client handshake packet with the user name. */
-  if (auth_info->user_name == 0)
-  {
-    unsigned char *pkt;
-    if (vio->read_packet(vio, &pkt) < 0)
-      return CR_ERROR;
-  }
-  
  /* Send first packet with target name and mech name */
  if (vio->write_packet(vio, (unsigned char *)first_packet, first_packet_len))
-  {
    return CR_ERROR;
-  }

-  /* Figure out whether to use full name (as given in IDENTIFIED AS clause)
-   * or just short username auth_string
-   */
-  if (auth_info->auth_string_length > 0)
-  {
-    use_full_name= 1;
-    user= auth_info->auth_string;
-    user_len= auth_info->auth_string_length;
-  }
-  else
-  {
-    use_full_name= 0;
-    user= auth_info->user_name;
-    user_len= auth_info->user_name_length;
-  }
-
-  return auth_server(vio, user, user_len, use_full_name);
+  return auth_server(vio, auth_info);
 }

 static int initialize_plugin(void *unused)
--- a/plugin/auth_gssapi/server_plugin.h
+++ b/plugin/auth_gssapi/server_plugin.h
@@ -48,4 +48,4 @@ extern char *srv_keytab_path;
 int plugin_init();
 int plugin_deinit();

-int auth_server(MYSQL_PLUGIN_VIO *vio, const char *username, size_t  username_len, int use_full_name);
+int auth_server(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *auth_info);
--- a/plugin/auth_gssapi/sspi_server.cc
+++ b/plugin/auth_gssapi/sspi_server.cc
@@ -140,7 +140,7 @@ static int get_client_name_from_context(CtxtHandle *ctxt,
 }


-int auth_server(MYSQL_PLUGIN_VIO *vio, const char *user, size_t user_len, int compare_full_name)
+int auth_server(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *auth_info)
 {
  int ret;
  SECURITY_STATUS sspi_ret;
@@ -155,6 +155,8 @@ int auth_server(MYSQL_PLUGIN_VIO *vio, const char *user, size_t user_len, int co
  SecBuffer     outbuf;
  void*         out= NULL;
  char client_name[MYSQL_USERNAME_LENGTH + 1];
+  const char *user= 0;
+  int compare_full_name;

  ret= CR_ERROR;
  SecInvalidateHandle(&cred);
@@ -207,6 +209,19 @@ int auth_server(MYSQL_PLUGIN_VIO *vio, const char *user, size_t user_len, int co
      log_error(SEC_E_OK, "communication error(read)");
      goto cleanup;
    }
+    if (!user)
+    {
+      if (auth_info->auth_string_length > 0)
+      {
+        compare_full_name= 1;
+        user= auth_info->auth_string;
+      }
+      else
+      {
+        compare_full_name= 0;
+        user= auth_info->user_name;
+      }
+    }
    inbuf.cbBuffer= len;
    outbuf.cbBuffer= SSPI_MAX_TOKEN_SIZE;
    sspi_ret= AcceptSecurityContext(