FB8-53: Expose user certificate details to command line (facebook#959) (
facebook#959)

Summary:
Jira ticket: https://jira.percona.com/browse/FB8-53

Reference Patch: facebook@f29eb03
Reference Patch: facebook@c631017

'THD' class extended with the following convenience methods:
- 'has_net_vio()'
- 'get_net_vio()'
- 'has_net_vio_ssl_arg()'
- 'get_net_vio_ssl_arg()'
- 'get_peer_certificate_info()'

Implemented new 'Fill_authinfo_list' class derived from 'Do_THD_Impl'
which populates 'INFORMATION_SCHEMA.AUTHINFO' table.

This is a change to help the implementation of SSL based authentication
efforts. Currently the certificate details are unavailable to the sys admin.
The v3 extensions usually carry important information for identifying the
user.

This change adds a new table to the information schema to expose auth
details. It is organized by process ID like processlist table.
Pull Request resolved: facebook#959

Reviewed By: lloyd

Differential Revision: D14137362

Pulled By: lth
percona-ysorokin authored and inikep committed Jul 31, 2024
1 parent 462c3ad commit 37a9bba
Showing 22 changed files with 305 additions and 22 deletions.
1 change: 1 addition & 0 deletions mysql-test/r/dd_is_compatibility_ci.result
Expand Up @@ -155,6 +155,7 @@ SELECT * FROM v1;
table_name
ADMINISTRABLE_ROLE_AUTHORIZATIONS
APPLICABLE_ROLES
AUTHINFO
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
1 change: 1 addition & 0 deletions mysql-test/r/dd_is_compatibility_cs.result
Expand Up @@ -155,6 +155,7 @@ SELECT * FROM v1;
table_name
ADMINISTRABLE_ROLE_AUTHORIZATIONS
APPLICABLE_ROLES
AUTHINFO
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
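--- a/mysql-test/r/information_schema_authinfo.result
+++ b/mysql-test/r/information_schema_authinfo.result
@@ -0,0 +1,6 @@
+#
+# Test case for information_schema.authinfo table
+# (SSL connection)
+#
+include/assert.inc [SSL field for the current connection must be set to 1]
+include/assert.inc [Info field (peer certificate) for the current connection must be non-empty]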
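--- a/mysql-test/r/information_schema_authinfo_nossl.result
+++ b/mysql-test/r/information_schema_authinfo_nossl.result
@@ -0,0 +1,6 @@
+#
+# Test case for information_schema.authinfo table
+# (non-SSL connection)
+#
+include/assert.inc [SSL field for the current connection must be set to 0]
+include/assert.inc [Info field (peer certificate) for the current connection must be NULL]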
6 changes: 5 additions & 1 deletion mysql-test/r/information_schema_ci.result
Expand Up @@ -63,6 +63,7 @@ select * from v1;
c
ADMINISTRABLE_ROLE_AUTHORIZATIONS
APPLICABLE_ROLES
AUTHINFO
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
Expand Down Expand Up @@ -895,7 +896,7 @@ table_schema IN ('mysql', 'information_schema', 'test', 'mysqltest')
AND table_name not like 'ndb%' AND table_name COLLATE utf8_general_ci not like 'innodb_%'
GROUP BY TABLE_SCHEMA;
TABLE_SCHEMA count(*)
information_schema 49
information_schema 50
mysql 35
create table t1 (i int, j int);
create trigger trg1 before insert on t1 for each row
Expand Down Expand Up @@ -1348,6 +1349,7 @@ group by t.table_name order by num1, t.table_name COLLATE utf8_general_ci;
TABLE_NAME group_concat(t.table_schema, '.', t.table_name) num1
ADMINISTRABLE_ROLE_AUTHORIZATIONS information_schema.ADMINISTRABLE_ROLE_AUTHORIZATIONS 1
APPLICABLE_ROLES information_schema.APPLICABLE_ROLES 1
AUTHINFO information_schema.AUTHINFO 1
CHARACTER_SETS information_schema.CHARACTER_SETS 1
CHECK_CONSTRAINTS information_schema.CHECK_CONSTRAINTS 1
COLLATIONS information_schema.COLLATIONS 1
Expand Down Expand Up @@ -2489,6 +2491,7 @@ c1.column_name COLLATE utf8mb3_general_ci;
TABLE_NAME COLUMN_NAME
ADMINISTRABLE_ROLE_AUTHORIZATIONS USER
APPLICABLE_ROLES USER
AUTHINFO ID
CHARACTER_SETS CHARACTER_SET_NAME
CHECK_CONSTRAINTS CONSTRAINT_SCHEMA
COLLATIONS COLLATION_NAME
Expand Down Expand Up @@ -2558,6 +2561,7 @@ c1.column_name COLLATE utf8mb3_general_ci;
TABLE_NAME COLUMN_NAME
ADMINISTRABLE_ROLE_AUTHORIZATIONS USER
APPLICABLE_ROLES USER
AUTHINFO ID
CHARACTER_SETS CHARACTER_SET_NAME
CHECK_CONSTRAINTS CONSTRAINT_SCHEMA
COLLATIONS COLLATION_NAME
6 changes: 5 additions & 1 deletion mysql-test/r/information_schema_cs.result
Expand Up @@ -63,6 +63,7 @@ select * from v1;
c
ADMINISTRABLE_ROLE_AUTHORIZATIONS
APPLICABLE_ROLES
AUTHINFO
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
Expand Down Expand Up @@ -899,7 +900,7 @@ AND table_name COLLATE utf8mb3_general_ci not like 'innodb_%'
AND table_name COLLATE utf8mb3_general_ci not like 'rocksdb_%'
GROUP BY TABLE_SCHEMA;
TABLE_SCHEMA count(*)
information_schema 49
information_schema 50
mysql 35
create table t1 (i int, j int);
create trigger trg1 before insert on t1 for each row
Expand Down Expand Up @@ -1353,6 +1354,7 @@ group by t.table_name order by num1, t.table_name COLLATE utf8mb3_general_ci;
TABLE_NAME group_concat(t.table_schema, '.', t.table_name) num1
ADMINISTRABLE_ROLE_AUTHORIZATIONS information_schema.ADMINISTRABLE_ROLE_AUTHORIZATIONS 1
APPLICABLE_ROLES information_schema.APPLICABLE_ROLES 1
AUTHINFO information_schema.AUTHINFO 1
CHARACTER_SETS information_schema.CHARACTER_SETS 1
CHECK_CONSTRAINTS information_schema.CHECK_CONSTRAINTS 1
COLLATIONS information_schema.COLLATIONS 1
Expand Down Expand Up @@ -2494,6 +2496,7 @@ c1.column_name COLLATE utf8mb3_general_ci;
TABLE_NAME COLUMN_NAME
ADMINISTRABLE_ROLE_AUTHORIZATIONS USER
APPLICABLE_ROLES USER
AUTHINFO ID
CHARACTER_SETS CHARACTER_SET_NAME
CHECK_CONSTRAINTS CONSTRAINT_SCHEMA
COLLATIONS COLLATION_NAME
Expand Down Expand Up @@ -2563,6 +2566,7 @@ c1.column_name COLLATE utf8mb3_general_ci;
TABLE_NAME COLUMN_NAME
ADMINISTRABLE_ROLE_AUTHORIZATIONS USER
APPLICABLE_ROLES USER
AUTHINFO ID
CHARACTER_SETS CHARACTER_SET_NAME
CHECK_CONSTRAINTS CONSTRAINT_SCHEMA
COLLATIONS COLLATION_NAME
2 changes: 2 additions & 0 deletions mysql-test/r/mysqlshow_ci.result
Expand Up @@ -81,6 +81,7 @@ Database: information_schema
+---------------------------------------+
| ADMINISTRABLE_ROLE_AUTHORIZATIONS |
| APPLICABLE_ROLES |
| AUTHINFO |
| CHARACTER_SETS |
| CHECK_CONSTRAINTS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
Expand Down Expand Up @@ -181,6 +182,7 @@ Database: INFORMATION_SCHEMA
+---------------------------------------+
| ADMINISTRABLE_ROLE_AUTHORIZATIONS |
| APPLICABLE_ROLES |
| AUTHINFO |
| CHARACTER_SETS |
| CHECK_CONSTRAINTS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
2 changes: 2 additions & 0 deletions mysql-test/r/mysqlshow_cs.result
Expand Up @@ -81,6 +81,7 @@ Database: information_schema
+---------------------------------------+
| ADMINISTRABLE_ROLE_AUTHORIZATIONS |
| APPLICABLE_ROLES |
| AUTHINFO |
| CHARACTER_SETS |
| CHECK_CONSTRAINTS |
| COLLATIONS |
Expand Down Expand Up @@ -182,6 +183,7 @@ Database: INFORMATION_SCHEMA
+---------------------------------------+
| ADMINISTRABLE_ROLE_AUTHORIZATIONS |
| APPLICABLE_ROLES |
| AUTHINFO |
| CHARACTER_SETS |
| CHECK_CONSTRAINTS |
| COLLATIONS |
11 changes: 11 additions & 0 deletions mysql-test/suite/funcs_1/r/is_columns_is_cs.result
Expand Up @@ -24,6 +24,11 @@ def information_schema APPLICABLE_ROLES ROLE_HOST 6 NULL YES varchar 256 1024 NU
def information_schema APPLICABLE_ROLES IS_GRANTABLE 7 NO varchar 3 9 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(3) select NULL
def information_schema APPLICABLE_ROLES IS_DEFAULT 8 NULL YES varchar 3 9 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(3) select NULL
def information_schema APPLICABLE_ROLES IS_MANDATORY 9 NO varchar 3 9 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(3) select NULL
def information_schema AUTHINFO ID 1 NO bigint NULL NULL NULL NULL NULL NULL NULL bigint unsigned select NULL
def information_schema AUTHINFO USER 2 NO varchar 26 80 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(80) select NULL
def information_schema AUTHINFO HOST 3 NO varchar 86 260 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(260) select NULL
def information_schema AUTHINFO SSL 4 NO int NULL NULL NULL NULL NULL NULL NULL int select NULL
def information_schema AUTHINFO INFO 5 YES varchar 21845 65535 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(65535) select NULL
def information_schema CHARACTER_SETS CHARACTER_SET_NAME 1 NULL NO varchar 64 192 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(64) select NULL
def information_schema CHARACTER_SETS DEFAULT_COLLATE_NAME 2 NULL NO varchar 64 192 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(64) select NULL
def information_schema CHARACTER_SETS DESCRIPTION 3 NULL NO varchar 2048 6144 NULL NULL NULL utf8mb3 utf8mb3_general_ci varchar(2048) select NULL
Expand Down Expand Up @@ -624,6 +629,7 @@ COL_CML DATA_TYPE CHARACTER_SET_NAME COLLATION_NAME
3.0088 varchar utf8mb3 utf8mb3_general_ci
3.0118 varchar utf8mb3 utf8mb3_general_ci
3.0156 varchar utf8mb3 utf8mb3_general_ci
3.0233 varchar utf8mb3 utf8mb3_general_ci
3.0238 varchar utf8mb3 utf8mb3_general_ci
3.0303 varchar utf8mb3 utf8mb3_general_ci
3.0476 varchar utf8mb3 utf8mb3_general_ci
Expand Down Expand Up @@ -689,6 +695,11 @@ COL_CML TABLE_SCHEMA TABLE_NAME COLUMN_NAME DATA_TYPE CHARACTER_MAXIMUM_LENGTH C
3.0000 information_schema APPLICABLE_ROLES IS_GRANTABLE varchar 3 9 utf8mb3 utf8mb3_general_ci varchar(3)
3.0000 information_schema APPLICABLE_ROLES IS_DEFAULT varchar 3 9 utf8mb3 utf8mb3_general_ci varchar(3)
3.0000 information_schema APPLICABLE_ROLES IS_MANDATORY varchar 3 9 utf8mb3 utf8mb3_general_ci varchar(3)
NULL information_schema AUTHINFO ID bigint NULL NULL NULL NULL bigint unsigned
3.0769 information_schema AUTHINFO USER varchar 26 80 utf8mb3 utf8mb3_general_ci varchar(80)
3.0233 information_schema AUTHINFO HOST varchar 86 260 utf8mb3 utf8mb3_general_ci varchar(260)
NULL information_schema AUTHINFO SSL int NULL NULL NULL NULL int
3.0000 information_schema AUTHINFO INFO varchar 21845 65535 utf8mb3 utf8mb3_general_ci varchar(65535)
3.0000 information_schema CHARACTER_SETS CHARACTER_SET_NAME varchar 64 192 utf8mb3 utf8mb3_general_ci varchar(64)
3.0000 information_schema CHARACTER_SETS DEFAULT_COLLATE_NAME varchar 64 192 utf8mb3 utf8mb3_general_ci varchar(64)
3.0000 information_schema CHARACTER_SETS DESCRIPTION varchar 2048 6144 utf8mb3 utf8mb3_general_ci varchar(2048)
46 changes: 46 additions & 0 deletions mysql-test/suite/funcs_1/r/is_tables_is.result
Expand Up @@ -64,6 +64,29 @@ user_comment
Separator -----------------------------------------------------
TABLE_CATALOG def
TABLE_SCHEMA information_schema
TABLE_NAME AUTHINFO
TABLE_TYPE SYSTEM VIEW
ENGINE NULL
VERSION 10
ROW_FORMAT NULL
TABLE_ROWS #TBLR#
AVG_ROW_LENGTH #ARL#
DATA_LENGTH #DL#
MAX_DATA_LENGTH #MDL#
INDEX_LENGTH #IL#
DATA_FREE #DF#
AUTO_INCREMENT #AI#
CREATE_TIME #CRT#
UPDATE_TIME #UT#
CHECK_TIME #CT#
TABLE_COLLATION NULL
CHECKSUM NULL
CREATE_OPTIONS #CO#
TABLE_COMMENT #TC#
user_comment
Separator -----------------------------------------------------
TABLE_CATALOG def
TABLE_SCHEMA information_schema
TABLE_NAME CHARACTER_SETS
TABLE_TYPE SYSTEM VIEW
ENGINE NULL
Expand Down Expand Up @@ -1188,6 +1211,29 @@ user_comment
Separator -----------------------------------------------------
TABLE_CATALOG def
TABLE_SCHEMA information_schema
TABLE_NAME AUTHINFO
TABLE_TYPE SYSTEM VIEW
ENGINE NULL
VERSION 10
ROW_FORMAT NULL
TABLE_ROWS #TBLR#
AVG_ROW_LENGTH #ARL#
DATA_LENGTH #DL#
MAX_DATA_LENGTH #MDL#
INDEX_LENGTH #IL#
DATA_FREE #DF#
AUTO_INCREMENT #AI#
CREATE_TIME #CRT#
UPDATE_TIME #UT#
CHECK_TIME #CT#
TABLE_COLLATION NULL
CHECKSUM NULL
CREATE_OPTIONS #CO#
TABLE_COMMENT #TC#
user_comment
Separator -----------------------------------------------------
TABLE_CATALOG def
TABLE_SCHEMA information_schema
TABLE_NAME CHARACTER_SETS
TABLE_TYPE SYSTEM VIEW
ENGINE NULL
Expand Up @@ -8,6 +8,7 @@ show tables where Tables_in_information_schema NOT LIKE 'INNODB%' and Tables_in_
Tables_in_information_schema
ADMINISTRABLE_ROLE_AUTHORIZATIONS
APPLICABLE_ROLES
AUTHINFO
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
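--- a/mysql-test/t/information_schema_authinfo-client.opt
+++ b/mysql-test/t/information_schema_authinfo-client.opt
@@ -0,0 +1,4 @@
+--ssl-mode=VERIFY_CA
+--ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem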
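--- a/mysql-test/t/information_schema_authinfo-master.opt
+++ b/mysql-test/t/information_schema_authinfo-master.opt
@@ -0,0 +1,4 @@
+--ssl=1
+--ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/server-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/server-key.pem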
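--- a/mysql-test/t/information_schema_authinfo.test
+++ b/mysql-test/t/information_schema_authinfo.test
@@ -0,0 +1,12 @@
+--echo #
+--echo # Test case for information_schema.authinfo table
+--echo # (SSL connection)
+--echo #
+
+--let $assert_text= SSL field for the current connection must be set to 1
+--let $assert_cond= [ SELECT `ssl` = 1 FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc
+
+--let $assert_text= Info field (peer certificate) for the current connection must be non-empty
+--let $assert_cond= [ SELECT LENGTH(info) > 0 FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc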
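Review bot: Both new tests only query the row for `CONNECTION_ID()`, so nothing covers who may read other sessions' rows; since the table is organized like PROCESSLIST and INFO carries peer-certificate details, the expected behaviour for a second connection without the PROCESS privilege (own row only, or nothing) should be pinned by a test. The privilege check itself would live in Fill_authinfo_list, which is not in this commit view, so whether it mirrors the PROCESSLIST rule cannot be confirmed here. A test that creates a low-privilege account, connects twice, and asserts `SELECT COUNT(*) FROM information_schema.authinfo WHERE id <> CONNECTION_ID()` returns 0 from that account would lock the intended rule in; the same applies to information_schema_authinfo_nossl.test.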
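--- a/mysql-test/t/information_schema_authinfo_nossl.test
+++ b/mysql-test/t/information_schema_authinfo_nossl.test
@@ -0,0 +1,12 @@
+--echo #
+--echo # Test case for information_schema.authinfo table
+--echo # (non-SSL connection)
+--echo #
+
+--let $assert_text= SSL field for the current connection must be set to 0
+--let $assert_cond= [ SELECT `ssl` = 0 FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc
+
+--let $assert_text= Info field (peer certificate) for the current connection must be NULL
+--let $assert_cond= [ SELECT info IS NULL FROM information_schema.authinfo WHERE id = CONNECTION_ID() ]
+--source include/assert.inc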
9 changes: 4 additions & 5 deletions sql/auth/sql_authentication.cc
Expand Up @@ -2636,9 +2636,6 @@ static bool read_client_connect_attrs(THD *thd, char **ptr,
return false;
}

typedef std::string Sql_string_t;
static Sql_string_t x509_cert_write(X509 *cert);

static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user) {
Vio *vio = thd->get_protocol_classic()->get_vio();
SSL *ssl = (SSL *)vio->ssl_arg;
Expand Down Expand Up @@ -2667,7 +2664,6 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user) {
if (vio_type(vio) == VIO_TYPE_SSL &&
SSL_get_verify_result(ssl) == X509_V_OK &&
(cert = SSL_get_peer_certificate(ssl))) {
thd->set_connection_certificate(x509_cert_write(cert));
X509_free(cert);
return false;
}
Expand Down Expand Up @@ -2717,7 +2713,6 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user) {
}
OPENSSL_free(ptr);
}
thd->set_connection_certificate(x509_cert_write(cert));
X509_free(cert);
return false;
}
Expand Down Expand Up @@ -4438,6 +4433,8 @@ int acl_authenticate(THD *thd, enum_server_command command) {
goto end;
}

thd->update_connection_certificate();

/*
Check whether the account has been locked.
*/
Expand Down Expand Up @@ -5066,6 +5063,8 @@ static SYS_VAR *sha256_password_sysvars[] = {
MYSQL_SYSVAR(private_key_path), MYSQL_SYSVAR(public_key_path),
MYSQL_SYSVAR(auto_generate_rsa_keys), nullptr};

typedef std::string Sql_string_t;

/**
Exception free resize
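Review bot: The certificate snapshot is now taken by the new `thd->update_connection_certificate();` call in acl_authenticate, whereas the two removed `set_connection_certificate(x509_cert_write(cert))` lines in acl_check_ssl ran only inside branches guarded by `SSL_get_verify_result(ssl) == X509_V_OK`; the helper's body is not in this commit view, so whether it keeps that verification gate cannot be confirmed here. If it stores whatever `SSL_get_peer_certificate` returns without checking the verify result, AUTHINFO.INFO and the audit event's connection_certificate would carry an unverified peer certificate while looking authoritative to an operator. A comment at the call site would make the invariant explicit, e.g. `// Snapshot the peer certificate for AUTHINFO / audit; only a certificate whose chain verified may be stored here.` acl_authenticate's body continues outside the hunk, and the `Sql_string_t` typedef is moved rather than removed.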
3 changes: 2 additions & 1 deletion sql/handler.h
Expand Up @@ -949,7 +949,8 @@ enum enum_schema_tables : int {
SCH_USER_PRIVILEGES,
SCH_TMP_TABLE_COLUMNS,
SCH_TMP_TABLE_KEYS,
SCH_LAST = SCH_TMP_TABLE_KEYS
SCH_AUTHINFO,
SCH_LAST = SCH_AUTHINFO
};

enum ha_stat_type {
Expand Up @@ -978,8 +978,10 @@ DEFINE_BOOL_METHOD(Event_connection_bridge_implementation::notify,
plugin_data.ip = TO_LEXCSTRING(data->ip);
plugin_data.database = TO_LEXCSTRING(data->database);
plugin_data.connection_type = data->connection_type;
plugin_data.connection_certificate.str = thd->connection_certificate().c_str();
plugin_data.connection_certificate.length = thd->connection_certificate().size();
plugin_data.connection_certificate.str =
thd->get_connection_certificate().c_str();
plugin_data.connection_certificate.length =
thd->get_connection_certificate().size();
plugin_data.port = mysqld_port;

return event_class_dispatch(thd, MYSQL_AUDIT_CONNECTION_CLASS,
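Review bot: `plugin_data.connection_certificate.str` is taken from `thd->get_connection_certificate().c_str()` and held until `event_class_dispatch` runs, which is only safe if the accessor returns a reference to storage owned by the THD; if it returns a `std::string` by value, the pointer dangles once the temporary is destroyed, and the `.size()` on the next statement reads a second temporary. The accessor's declaration is not in this commit view, so this cannot be confirmed here, and the pre-existing code had the same shape. Binding once, `const std::string &cert = thd->get_connection_certificate();`, then using `cert.c_str()` and `cert.size()`, is correct under either return type. The same pattern appears in sql/sql_audit.cc in this commit; the enclosing function starts outside the hunk.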
5 changes: 3 additions & 2 deletions sql/sql_audit.cc
Expand Up @@ -934,8 +934,9 @@ int mysql_event_tracking_connection_notify(
event.ip = {ip.str, ip.length};
event.database = {db.str, db.length};
event.connection_type = thd->get_vio_type();
event.connection_certificate.str = thd->connection_certificate().c_str();
event.connection_certificate.length = thd->connection_certificate().size();
event.connection_certificate.str = thd->get_connection_certificate().c_str();
event.connection_certificate.length =
thd->get_connection_certificate().size();
event.port = mysqld_port;

struct st_mysql_event_generic event_generic;