1/* Copyright (c) 2021, 2024, Oracle and/or its affiliates.
2 This program is free software; you can redistribute it and/or modify
3 it under the terms of the GNU General Public License, version 2.0,
4 as published by the Free Software Foundation.
5
6 This program is designed to work with certain software (including
7 but not limited to OpenSSL) that is licensed under separate terms,
8 as designated in a particular file or component or in included license
9 documentation. The authors of MySQL hereby grant you an additional
10 permission to link the program and your derivative works with the
11 separately licensed software that they have either included with
12 the program or referenced in the documentation.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22
23#ifndef SQL_MFA_INCLUDED
24#define SQL_MFA_INCLUDED
25
26#include <string>
27#include <vector>
28
29#include "sql-common/json_dom.h" // Json_array
30#include "sql/auth/user_table.h"
32#include "sql/sql_class.h"
33#include "sql/table.h"
34
36
39
40/**
41 An interface to access information about Multi factor authentication
42 methods. This interface represents a chain of authentication plugins
43 for a given user account.
44*/
46 public:
/// Virtual so that destroying a factor through an I_multi_factor_auth pointer
/// (the element type of Multi_factor_auth_list::m_factor) runs the derived
/// class's destructor.
47 virtual ~I_multi_factor_auth() = default;
48 /**
49 Helper methods to verify and update ALTER USER sql
50 when altering Multi factor authentication methods.
51 */
/// Default for a single factor: answers false without looking at the ALTER
/// USER statement. Multi_factor_auth_list overrides this (sql_mfa.cc:62) to
/// compare the factors already stored in ACL_USER with the factor named in
/// ALTER USER.
/// NOTE(review): which value means "allowed" is fixed by that override —
/// confirm there before relying on this default.
52 virtual bool is_alter_allowed(THD *, LEX_USER *) { return false; }
/// No-op for a single factor; Multi_factor_auth_list (sql_mfa.cc:205)
/// modifies the chain according to the ALTER USER statement.
53 virtual void alter_mfa(I_multi_factor_auth *) {}
54 /**
55 Helper method to validate Multi factor authentication methods.
56 */
/// Validate the authentication plugin named for this factor during
/// CREATE/ALTER USER; the list override covers the whole chain. This check
/// runs before update_user_attributes() writes anything to mysql.user.
57 virtual bool validate_plugins_in_auth_chain(THD *thd) = 0;
58 /**
59 Helper method to validate Multi factor authentication methods are
60 correct compared to authentication policy.
61 */
/// Default: no policy check for a single factor. Multi_factor_auth_list
/// overrides this (sql_mfa.cc:316) to check the chain modified by ALTER USER
/// against the server's authentication policy.
62 virtual bool validate_against_authentication_policy(THD *) { return false; }
63 /**
64 method to add/delete Multi factor authentication methods in user_attributes
65 column.
66 */
/// Persist this factor's data into the user_attributes column of mysql.user
/// (the list override does this for every factor in the chain).
67 virtual bool update_user_attributes() = 0;
/// No-op for a single factor; Multi_factor_auth_list (sql_mfa.cc:1127) adds
/// @p m to its chain. The parameter is unused here, hence [[maybe_unused]].
68 virtual void add_factor(I_multi_factor_auth *m [[maybe_unused]]) {}
69 /**
70 Helper methods to convert this interface into a valid JSON object
71 and vice versa.
72 */
/// Append this factor's JSON representation to @p mfa_arr — the form that is
/// stored in mysql.user.user_attributes.
73 virtual bool serialize(Json_array &mfa_arr) = 0;
/// Load this factor from @p mfa_dom, the JSON read back from
/// user_attributes. @p f is presumably the factor's position in the chain —
/// confirm in the overrides. The JSON is whatever the table holds, so
/// overrides should validate the fields they read rather than trust them
/// (see Multi_factor_auth_info::validate_row()).
74 virtual bool deserialize(uint f, Json_dom *mfa_dom) = 0;
75 /**
76 Helper methods to do registration step.
77 */
/// Start the registration step for a factor (the uint is presumably the
/// factor number — confirm in the overrides). The server challenge produced
/// here is later read back through get_server_challenge().
78 virtual bool init_registration(THD *, uint) = 0;
/// Finish the registration step: the Multi_factor_auth_info override
/// (sql_mfa.cc:915) reads the credential details received from the FIDO
/// device and saves them in user_attributes.
79 virtual bool finish_registration(THD *, LEX_USER *, uint) = 0;
/// Whether the registration step is for a passwordless authentication
/// method.
80 virtual bool is_passwordless() = 0;
81
82 /**
83 Fill needed info in LEX_USER::mfa_list for query rewrite
84 */
/// Fill the details missing from the statement (plugin name, authentication
/// string, ...) into LEX_USER::mfa_list so the query can be rewritten.
85 virtual void get_info_for_query_rewrite(THD *, LEX_USER *) = 0;
86 /**
87 Fill in generated passwords from respective Multi factor authentication
88 methods
89 */
/// Append the password generated for user @p u at host @p h (IDENTIFIED BY
/// RANDOM PASSWORD) to @p gp. The values are plaintext credentials: keep
/// them out of logs and error messages.
90 virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u,
91 const char *h) = 0;
92 /**
93 Fill in server challenge generated as part of initiate registration step.
94 */
/// Append the server challenge generated by init_registration() to @p sc.
/// NOTE(review): the registration step relies on this challenge being
/// freshly generated per attempt — see sql_mfa.cc:1107 for how it is made.
95 virtual void get_server_challenge(std::vector<std::string> &sc) = 0;
96 /**
97 Get methods.
98 */
100 return down_cast<Multi_factor_auth_list *>(this);
101 }
102
104 return down_cast<Multi_factor_auth_info *>(this);
105 }
106};
107
/// std::vector whose storage is carved out of a MEM_ROOT arena through
/// Mem_root_allocator, i.e. it is released together with the arena rather
/// than element by element.
108template <typename T>
109using my_vector = std::vector<T, Mem_root_allocator<T>>;
110
112 private:
113 /* multi_factor_auth hierarchy */
115
116 public:
/// Destructor (sql_mfa.cc:48); the constructor taking a MEM_ROOT * and the
/// m_factor accessor get_mfa_list() are declared on lines not shown in this
/// listing.
118 ~Multi_factor_auth_list() override;
/// Number of factors currently held in m_factor.
120 size_t get_mfa_list_size();
/// Overrides of the I_multi_factor_auth interface for the whole chain
/// (definitions in sql_mfa.cc). They are expected to act on every factor in
/// m_factor — confirm per method. validate_against_authentication_policy()
/// is also overridden here (sql_mfa.h:124, not shown in this listing).
121 bool is_alter_allowed(THD *, LEX_USER *) override;
122 void alter_mfa(I_multi_factor_auth *) override;
123 bool validate_plugins_in_auth_chain(THD *thd) override;
125 bool update_user_attributes() override;
126 void add_factor(I_multi_factor_auth *m) override;
127 bool serialize(Json_array &mfa_arr) override;
128 bool deserialize(uint f, Json_dom *mfa_dom) override;
129 bool init_registration(THD *, uint) override;
130 bool finish_registration(THD *, LEX_USER *, uint) override;
131 bool is_passwordless() override;
132 void get_info_for_query_rewrite(THD *, LEX_USER *) override;
133 void get_generated_passwords(Userhostpassword_list &gp, const char *u,
134 const char *h) override;
135 void get_server_challenge(std::vector<std::string> &sc) override;
136
137 private:
138 /*
139 This method ensures that the hierarchy of m_factor is always
140 2FA followed by 3FA. It reorders m_factor in place (sql_mfa.cc:363).
141 */
142 void sort_mfa();
143};
144
145/*
146 This class represents one individual factor from the chain of
147 authentication plugins for a given user account.
148*/
150 private:
154
155 public:
159 /* validate Multi factor authentication plugins during ACL DDL */
160 bool validate_plugins_in_auth_chain(THD *thd) override;
/* update user attributes: write this factor into mysql.user.user_attributes
 (sql_mfa.cc:707) */
162 bool update_user_attributes() override;
/* construct json object out of user attributes column */
164 bool serialize(Json_array &mfa_arr) override;
/* inverse of serialize(): read this factor back from the JSON stored in
 user_attributes. The values come from the table, so they should be checked
 (see validate_row()) rather than trusted. */
165 bool deserialize(uint f, Json_dom *mfa_dom) override;
/* helper methods to do registration: init_registration() generates the
 server challenge; finish_registration() (sql_mfa.cc:915) reads the credential
 details received from the FIDO device and saves them in user_attributes */
167 bool init_registration(THD *, uint) override;
168 bool finish_registration(THD *, LEX_USER *, uint) override;
169 bool is_passwordless() override;
170 void get_info_for_query_rewrite(THD *, LEX_USER *) override;
171 void get_generated_passwords(Userhostpassword_list &gp, const char *u,
172 const char *h) override;
173 void get_server_challenge(std::vector<std::string> &sc) override;
174
175 /* during ALTER USER copy attributes from ACL_USER */
177
178 private:
179 /*
180 validate Multi factor authentication attributes read from a row of the
181 mysql.user table: checks the auth plugin chain whenever user_attributes
182 has been modified (sql_mfa.cc:669). Data read from the table should pass
 this before the chain acts on it.
 */
183 bool validate_row();
184
185 public:
/// Kind of credential clause this factor carries — presumably IDENTIFIED BY
/// versus IDENTIFIED WITH; confirm at sql_mfa.cc:1131/1134.
186 bool is_identified_by();
187 bool is_identified_with();
189
/// Raw accessors for the authentication string and the plugin name. Each
/// comes with an explicit length: do not assume the buffer is
/// NUL-terminated.
190 const char *get_auth_str();
191 size_t get_auth_str_len();
192
193 const char *get_plugin_str();
194 size_t get_plugin_str_len();
195
/// Plaintext password generated for IDENTIFIED BY RANDOM PASSWORD (length
/// via get_generated_password_len(), declared on a line not shown here).
/// Treat as a secret: never log it.
196 const char *get_generated_password_str();
198
/// Position of this factor in the chain, and — presumably — which
/// ADD/DROP/MODIFY FACTOR clause ALTER USER requested for it.
200 unsigned int get_nth_factor();
201 bool is_add_factor();
202 bool is_drop_factor();
203 bool is_modify_factor();
204
/// Registration flags; the matching get_init_registration(),
/// get_finish_registration() and get_requires_registration() are declared on
/// lines not shown in this listing.
208 bool get_unregister();
210
/// Setters. Whether set_auth_str()/set_plugin_str()/set_generated_password()
/// copy the bytes into m_mem_root or only retain the pointer is not visible
/// here — confirm in sql_mfa.cc before passing a short-lived buffer.
211 void set_auth_str(const char *, size_t);
212 void set_plugin_str(const char *, size_t);
213 void set_generated_password(const char *, size_t);
214 void set_factor(nthfactor f);
215 void set_passwordless(int v);
216 void set_init_registration(bool v);
217 void set_finish_registration(bool v);
218 void set_requires_registration(int v);
219
/// Textual form of @p sql_command (sql_mfa.cc:1249); presumably used when
/// building messages — confirm at the call sites.
220 std::string get_command_string(enum_sql_command sql_command);
221};
222
223#endif /* SQL_MFA_INCLUDED */