FB8-53: Expose user certificate details to command line (facebook#959) (

facebook#959)

Summary:
Jira ticket: https://jira.percona.com/browse/FB8-53

Reference Patch: facebook@f29eb03
Reference Patch: facebook@c631017

'THD' class extended with the following convenience methods:
- 'has_net_vio()'
- 'get_net_vio()'
- 'has_net_vio_ssl_arg()'
- 'get_net_vio_ssl_arg()'
- 'get_peer_certificate_info()'

Implemented new 'Fill_authinfo_list' class derived from 'Do_THD_Impl'
which populates 'INFORMATION_SCHEMA.AUTHINFO' table.

This is a change to help the implementation of SSL based authentication
efforts. Currently the certificate details are unavailable to the sys admin.
The v3 extensions usually carry important information for identifying the
user.

This change adds a new table to the information schema to expose auth
details. It is organized by process ID like processlist table.
Pull Request resolved: facebook#959

Reviewed By: lloyd

Differential Revision: D14137362

Pulled By: lth

mysql-test/r/dd_is_compatibility_ci.result

@@ -155,6 +155,7 @@ SELECT * FROM v1;
 table_name
 ADMINISTRABLE_ROLE_AUTHORIZATIONS
 APPLICABLE_ROLES
+AUTHINFO
 CHARACTER_SETS
 CHECK_CONSTRAINTS
 COLLATIONS

mysql-test/r/dd_is_compatibility_cs.result

@@ -155,6 +155,7 @@ SELECT * FROM v1;
 table_name
 ADMINISTRABLE_ROLE_AUTHORIZATIONS
 APPLICABLE_ROLES
+AUTHINFO
 CHARACTER_SETS
 CHECK_CONSTRAINTS
 COLLATIONS

mysql-test/r/information_schema_authinfo.result

@@ -0,0 +1,6 @@
+#
+# Test case for information_schema.authinfo table
+# (SSL connection)
+#
+include/assert.inc [SSL field for the current connection must be set to 1]
+include/assert.inc [Info field (peer certificate) for the current connection must be non-empty]

mysql-test/r/information_schema_authinfo_nossl.result

@@ -0,0 +1,6 @@
+#
+# Test case for information_schema.authinfo table
+# (non-SSL connection)
+#
+include/assert.inc [SSL field for the current connection must be set to 0]
+include/assert.inc [Info field (peer certificate) for the current connection must be NULL]

mysql-test/r/information_schema_ci.result

@@ -63,6 +63,7 @@ select * from v1;
 c
 ADMINISTRABLE_ROLE_AUTHORIZATIONS
 APPLICABLE_ROLES
+AUTHINFO
 CHARACTER_SETS
 CHECK_CONSTRAINTS
 COLLATIONS
@@ -899,7 +900,7 @@ AND table_name COLLATE utf8_general_ci not like 'innodb_%'
 AND table_name COLLATE utf8_general_ci not like 'rocksdb_%'
 GROUP BY TABLE_SCHEMA;
 TABLE_SCHEMA	count(*)
-information_schema	49
+information_schema	50
 mysql	35
 create table t1 (i int, j int);
 create trigger trg1 before insert on t1 for each row
@@ -1353,6 +1354,7 @@ group by t.table_name order by num1, t.table_name COLLATE utf8_general_ci;
 TABLE_NAME	group_concat(t.table_schema, '.', t.table_name)	num1
 ADMINISTRABLE_ROLE_AUTHORIZATIONS	information_schema.ADMINISTRABLE_ROLE_AUTHORIZATIONS	1
 APPLICABLE_ROLES	information_schema.APPLICABLE_ROLES	1
+AUTHINFO	information_schema.AUTHINFO	1
 CHARACTER_SETS	information_schema.CHARACTER_SETS	1
 CHECK_CONSTRAINTS	information_schema.CHECK_CONSTRAINTS	1
 COLLATIONS	information_schema.COLLATIONS	1
@@ -2484,6 +2486,7 @@ c1.column_name COLLATE utf8_general_ci;
 TABLE_NAME	COLUMN_NAME
 ADMINISTRABLE_ROLE_AUTHORIZATIONS	USER
 APPLICABLE_ROLES	USER
+AUTHINFO	ID
 CHARACTER_SETS	CHARACTER_SET_NAME
 CHECK_CONSTRAINTS	CONSTRAINT_SCHEMA
 COLLATIONS	COLLATION_NAME
@@ -2553,6 +2556,7 @@ c1.column_name COLLATE utf8_general_ci;
 TABLE_NAME	COLUMN_NAME
 ADMINISTRABLE_ROLE_AUTHORIZATIONS	USER
 APPLICABLE_ROLES	USER
+AUTHINFO	ID
 CHARACTER_SETS	CHARACTER_SET_NAME
 CHECK_CONSTRAINTS	CONSTRAINT_SCHEMA
 COLLATIONS	COLLATION_NAME

mysql-test/r/information_schema_cs.result

@@ -63,6 +63,7 @@ select * from v1;
 c
 ADMINISTRABLE_ROLE_AUTHORIZATIONS
 APPLICABLE_ROLES
+AUTHINFO
 CHARACTER_SETS
 CHECK_CONSTRAINTS
 COLLATIONS
@@ -899,7 +900,7 @@ AND table_name COLLATE utf8_general_ci not like 'innodb_%'
 AND table_name COLLATE utf8_general_ci not like 'rocksdb_%'
 GROUP BY TABLE_SCHEMA;
 TABLE_SCHEMA	count(*)
-information_schema	49
+information_schema	50
 mysql	35
 create table t1 (i int, j int);
 create trigger trg1 before insert on t1 for each row
@@ -1353,6 +1354,7 @@ group by t.table_name order by num1, t.table_name COLLATE utf8_general_ci;
 TABLE_NAME	group_concat(t.table_schema, '.', t.table_name)	num1
 ADMINISTRABLE_ROLE_AUTHORIZATIONS	information_schema.ADMINISTRABLE_ROLE_AUTHORIZATIONS	1
 APPLICABLE_ROLES	information_schema.APPLICABLE_ROLES	1
+AUTHINFO	information_schema.AUTHINFO	1
 CHARACTER_SETS	information_schema.CHARACTER_SETS	1
 CHECK_CONSTRAINTS	information_schema.CHECK_CONSTRAINTS	1
 COLLATIONS	information_schema.COLLATIONS	1
@@ -2484,6 +2486,7 @@ c1.column_name COLLATE utf8_general_ci;
 TABLE_NAME	COLUMN_NAME
 ADMINISTRABLE_ROLE_AUTHORIZATIONS	USER
 APPLICABLE_ROLES	USER
+AUTHINFO	ID
 CHARACTER_SETS	CHARACTER_SET_NAME
 CHECK_CONSTRAINTS	CONSTRAINT_SCHEMA
 COLLATIONS	COLLATION_NAME
@@ -2553,6 +2556,7 @@ c1.column_name COLLATE utf8_general_ci;
 TABLE_NAME	COLUMN_NAME
 ADMINISTRABLE_ROLE_AUTHORIZATIONS	USER
 APPLICABLE_ROLES	USER
+AUTHINFO	ID
 CHARACTER_SETS	CHARACTER_SET_NAME
 CHECK_CONSTRAINTS	CONSTRAINT_SCHEMA
 COLLATIONS	COLLATION_NAME

mysql-test/r/mysqlshow_ci.result

@@ -81,6 +81,7 @@ Database: information_schema
 +---------------------------------------+
 | ADMINISTRABLE_ROLE_AUTHORIZATIONS     |
 | APPLICABLE_ROLES                      |
+| AUTHINFO                              |
 | CHARACTER_SETS                        |
 | CHECK_CONSTRAINTS                     |
 | COLLATION_CHARACTER_SET_APPLICABILITY |
@@ -181,6 +182,7 @@ Database: INFORMATION_SCHEMA
 +---------------------------------------+
 | ADMINISTRABLE_ROLE_AUTHORIZATIONS     |
 | APPLICABLE_ROLES                      |
+| AUTHINFO                              |
 | CHARACTER_SETS                        |
 | CHECK_CONSTRAINTS                     |
 | COLLATION_CHARACTER_SET_APPLICABILITY |

mysql-test/r/mysqlshow_cs.result

@@ -81,6 +81,7 @@ Database: information_schema
 +---------------------------------------+
 | ADMINISTRABLE_ROLE_AUTHORIZATIONS     |
 | APPLICABLE_ROLES                      |
+| AUTHINFO                              |
 | CHARACTER_SETS                        |
 | CHECK_CONSTRAINTS                     |
 | COLLATIONS                            |
@@ -182,6 +183,7 @@ Database: INFORMATION_SCHEMA
 +---------------------------------------+
 | ADMINISTRABLE_ROLE_AUTHORIZATIONS     |
 | APPLICABLE_ROLES                      |
+| AUTHINFO                              |
 | CHARACTER_SETS                        |
 | CHECK_CONSTRAINTS                     |
 | COLLATIONS                            |

mysql-test/suite/funcs_1/r/is_columns_is_cs.result

@@ -24,6 +24,11 @@ def	information_schema	APPLICABLE_ROLES	ROLE_HOST	6	NULL	YES	varchar	256	1024	NU
 def	information_schema	APPLICABLE_ROLES	IS_GRANTABLE	7		NO	varchar	3	9	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(3)			select			NULL
 def	information_schema	APPLICABLE_ROLES	IS_DEFAULT	8	NULL	YES	varchar	3	9	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(3)			select			NULL
 def	information_schema	APPLICABLE_ROLES	IS_MANDATORY	9		NO	varchar	3	9	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(3)			select			NULL
+def	information_schema	AUTHINFO	ID	1		NO	bigint	NULL	NULL	NULL	NULL	NULL	NULL	NULL	bigint unsigned			select			NULL
+def	information_schema	AUTHINFO	USER	2		NO	varchar	26	80	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(80)			select			NULL
+def	information_schema	AUTHINFO	HOST	3		NO	varchar	86	260	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(260)			select			NULL
+def	information_schema	AUTHINFO	SSL	4		NO	int	NULL	NULL	NULL	NULL	NULL	NULL	NULL	int			select			NULL
+def	information_schema	AUTHINFO	INFO	5		YES	varchar	21845	65535	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(65535)			select			NULL
 def	information_schema	CHARACTER_SETS	CHARACTER_SET_NAME	1	NULL	NO	varchar	64	192	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(64)			select			NULL
 def	information_schema	CHARACTER_SETS	DEFAULT_COLLATE_NAME	2	NULL	NO	varchar	64	192	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(64)			select			NULL
 def	information_schema	CHARACTER_SETS	DESCRIPTION	3	NULL	NO	varchar	2048	6144	NULL	NULL	NULL	utf8mb3	utf8mb3_general_ci	varchar(2048)			select			NULL
@@ -624,6 +629,7 @@ COL_CML	DATA_TYPE	CHARACTER_SET_NAME	COLLATION_NAME
 3.0088	varchar	utf8mb3	utf8mb3_general_ci
 3.0118	varchar	utf8mb3	utf8mb3_general_ci
 3.0156	varchar	utf8mb3	utf8mb3_general_ci
+3.0233	varchar	utf8mb3	utf8mb3_general_ci
 3.0238	varchar	utf8mb3	utf8mb3_general_ci
 3.0303	varchar	utf8mb3	utf8mb3_general_ci
 3.0476	varchar	utf8mb3	utf8mb3_general_ci
@@ -689,6 +695,11 @@ COL_CML	TABLE_SCHEMA	TABLE_NAME	COLUMN_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	C
 3.0000	information_schema	APPLICABLE_ROLES	IS_GRANTABLE	varchar	3	9	utf8mb3	utf8mb3_general_ci	varchar(3)
 3.0000	information_schema	APPLICABLE_ROLES	IS_DEFAULT	varchar	3	9	utf8mb3	utf8mb3_general_ci	varchar(3)
 3.0000	information_schema	APPLICABLE_ROLES	IS_MANDATORY	varchar	3	9	utf8mb3	utf8mb3_general_ci	varchar(3)
+NULL	information_schema	AUTHINFO	ID	bigint	NULL	NULL	NULL	NULL	bigint unsigned
+3.0769	information_schema	AUTHINFO	USER	varchar	26	80	utf8mb3	utf8mb3_general_ci	varchar(80)
+3.0233	information_schema	AUTHINFO	HOST	varchar	86	260	utf8mb3	utf8mb3_general_ci	varchar(260)
+NULL	information_schema	AUTHINFO	SSL	int	NULL	NULL	NULL	NULL	int
+3.0000	information_schema	AUTHINFO	INFO	varchar	21845	65535	utf8mb3	utf8mb3_general_ci	varchar(65535)
 3.0000	information_schema	CHARACTER_SETS	CHARACTER_SET_NAME	varchar	64	192	utf8mb3	utf8mb3_general_ci	varchar(64)
 3.0000	information_schema	CHARACTER_SETS	DEFAULT_COLLATE_NAME	varchar	64	192	utf8mb3	utf8mb3_general_ci	varchar(64)
 3.0000	information_schema	CHARACTER_SETS	DESCRIPTION	varchar	2048	6144	utf8mb3	utf8mb3_general_ci	varchar(2048)

mysql-test/suite/funcs_1/r/is_tables_is.result

@@ -64,6 +64,29 @@ user_comment
 Separator	-----------------------------------------------------
 TABLE_CATALOG	def
 TABLE_SCHEMA	information_schema
+TABLE_NAME	AUTHINFO
+TABLE_TYPE	SYSTEM VIEW
+ENGINE	NULL
+VERSION	10
+ROW_FORMAT	NULL
+TABLE_ROWS	#TBLR#
+AVG_ROW_LENGTH	#ARL#
+DATA_LENGTH	#DL#
+MAX_DATA_LENGTH	#MDL#
+INDEX_LENGTH	#IL#
+DATA_FREE	#DF#
+AUTO_INCREMENT	#AI#
+CREATE_TIME	#CRT#
+UPDATE_TIME	#UT#
+CHECK_TIME	#CT#
+TABLE_COLLATION	NULL
+CHECKSUM	NULL
+CREATE_OPTIONS	#CO#
+TABLE_COMMENT	#TC#
+user_comment	
+Separator	-----------------------------------------------------
+TABLE_CATALOG	def
+TABLE_SCHEMA	information_schema
 TABLE_NAME	CHARACTER_SETS
 TABLE_TYPE	SYSTEM VIEW
 ENGINE	NULL
@@ -1188,6 +1211,29 @@ user_comment
 Separator	-----------------------------------------------------
 TABLE_CATALOG	def
 TABLE_SCHEMA	information_schema
+TABLE_NAME	AUTHINFO
+TABLE_TYPE	SYSTEM VIEW
+ENGINE	NULL
+VERSION	10
+ROW_FORMAT	NULL
+TABLE_ROWS	#TBLR#
+AVG_ROW_LENGTH	#ARL#
+DATA_LENGTH	#DL#
+MAX_DATA_LENGTH	#MDL#
+INDEX_LENGTH	#IL#
+DATA_FREE	#DF#
+AUTO_INCREMENT	#AI#
+CREATE_TIME	#CRT#
+UPDATE_TIME	#UT#
+CHECK_TIME	#CT#
+TABLE_COLLATION	NULL
+CHECKSUM	NULL
+CREATE_OPTIONS	#CO#
+TABLE_COMMENT	#TC#
+user_comment	
+Separator	-----------------------------------------------------
+TABLE_CATALOG	def
+TABLE_SCHEMA	information_schema
 TABLE_NAME	CHARACTER_SETS
 TABLE_TYPE	SYSTEM VIEW
 ENGINE	NULL

mysql-test/suite/information_schema/r/information_schema_db.result

@@ -8,6 +8,7 @@ show tables where Tables_in_information_schema NOT LIKE 'INNODB%' and Tables_in_
 Tables_in_information_schema
 ADMINISTRABLE_ROLE_AUTHORIZATIONS
 APPLICABLE_ROLES
+AUTHINFO
 CHARACTER_SETS
 CHECK_CONSTRAINTS
 COLLATIONS

mysql-test/t/information_schema_authinfo-client.opt

@@ -0,0 +1,4 @@
+--ssl-mode=VERIFY_CA
+--ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem

mysql-test/t/information_schema_authinfo-master.opt

@@ -0,0 +1,4 @@
+--ssl=1
+--ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/server-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/server-key.pem

mysql-test/t/information_schema_authinfo.test

@@ -0,0 +1,12 @@
+--echo #
+--echo # Test case for information_schema.authinfo table
+--echo # (SSL connection)
+--echo #
+
+--let $assert_text= SSL field for the current connection must be set to 1
+--let $assert_cond= [ SELECT `ssl` = 1 FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc
+
+--let $assert_text= Info field (peer certificate) for the current connection must be non-empty
+--let $assert_cond= [ SELECT LENGTH(info) > 0 FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc

mysql-test/t/information_schema_authinfo_nossl.test

@@ -0,0 +1,12 @@
+--echo #
+--echo # Test case for information_schema.authinfo table
+--echo # (non-SSL connection)
+--echo #
+
+--let $assert_text= SSL field for the current connection must be set to 0
+--let $assert_cond= [ SELECT `ssl` = 0 FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc
+
+--let $assert_text= Info field (peer certificate) for the current connection must be NULL
+--let $assert_cond= [ SELECT info IS NULL FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc

sql/auth/sql_authentication.cc

@@ -2272,9 +2272,6 @@ static bool read_client_connect_attrs(THD *thd, char **ptr,
   return false;
 }
 
-typedef std::string Sql_string_t;
-static Sql_string_t x509_cert_write(X509 *cert);
-
 static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user) {
   Vio *vio = thd->get_protocol_classic()->get_vio();
   SSL *ssl = (SSL *)vio->ssl_arg;
@@ -2303,7 +2300,6 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user) {
       if (vio_type(vio) == VIO_TYPE_SSL &&
           SSL_get_verify_result(ssl) == X509_V_OK &&
           (cert = SSL_get_peer_certificate(ssl))) {
-        thd->set_connection_certificate(x509_cert_write(cert));
         X509_free(cert);
         return false;
       }
@@ -2353,7 +2349,6 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user) {
         }
         OPENSSL_free(ptr);
       }
-      thd->set_connection_certificate(x509_cert_write(cert));
       X509_free(cert);
       return false;
   }
@@ -4067,6 +4062,8 @@ int acl_authenticate(THD *thd, enum_server_command command) {
         goto end;
       }
 
+      thd->update_connection_certificate();
+
       /*
         Check whether the account has been locked.
       */
@@ -4960,6 +4957,8 @@ static SYS_VAR *sha256_password_sysvars[] = {
     MYSQL_SYSVAR(private_key_path), MYSQL_SYSVAR(public_key_path),
     MYSQL_SYSVAR(auto_generate_rsa_keys), nullptr};
 
+typedef std::string Sql_string_t;
+
 /**
   Exception free resize
 

sql/handler.h

@@ -941,7 +941,8 @@ enum enum_schema_tables : int {
   SCH_USER_PRIVILEGES,
   SCH_TMP_TABLE_COLUMNS,
   SCH_TMP_TABLE_KEYS,
-  SCH_LAST = SCH_TMP_TABLE_KEYS
+  SCH_AUTHINFO,
+  SCH_LAST = SCH_AUTHINFO
 };
 
 enum ha_stat_type {

sql/sql_audit.cc

@@ -459,8 +459,9 @@ int mysql_audit_notify(THD *thd, mysql_event_connection_subclass_t subclass,
   event.database.str = thd->db().str;
   event.database.length = thd->db().length;
   event.connection_type = thd->get_vio_type();
-  event.connection_certificate.str = thd->connection_certificate().c_str();
-  event.connection_certificate.length = thd->connection_certificate().size();
+  event.connection_certificate.str = thd->get_connection_certificate().c_str();
+  event.connection_certificate.length =
+      thd->get_connection_certificate().size();
   event.port = mysqld_port;
 
   if (subclass == MYSQL_AUDIT_CONNECTION_DISCONNECT) {