MySQL 8.4.2
Source Code Documentation
sql_mfa.h
Go to the documentation of this file.
1/* Copyright (c) 2021, 2024, Oracle and/or its affiliates.
2 This program is free software; you can redistribute it and/or modify
3 it under the terms of the GNU General Public License, version 2.0,
4 as published by the Free Software Foundation.
5
6 This program is designed to work with certain software (including
7 but not limited to OpenSSL) that is licensed under separate terms,
8 as designated in a particular file or component or in included license
9 documentation. The authors of MySQL hereby grant you an additional
10 permission to link the program and your derivative works with the
11 separately licensed software that they have either included with
12 the program or referenced in the documentation.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22
23#ifndef SQL_MFA_INCLUDED
24#define SQL_MFA_INCLUDED
25
26#include <string>
27#include <vector>
28
29#include "sql-common/json_dom.h" // Json_array
31#include "sql/auth/user_table.h"
33#include "sql/sql_class.h"
34#include "sql/table.h"
35
37
40
42 std::vector<std::pair<std::string, std::string>>;
43
44/**
45 An interface to access information about Multi factor authentication
46 methods. This interface represents a chain of authentication plugins
47 for a given user account.
48*/
50 public:
51 virtual ~I_multi_factor_auth() = default;
52 /**
53 Helper methods to verify and update ALTER USER sql
54 when altering Multi factor authentication methods.
55 */
56 virtual bool is_alter_allowed(THD *, LEX_USER *) { return false; }
57 virtual void alter_mfa(I_multi_factor_auth *) {}
58 /**
59 Helper method to validate Multi factor authentication methods.
60 */
62 THD *thd, const authentication_policy::Factors &policy_factors) = 0;
63 /**
64 Helper method to validate Multi factor authentication methods are
65 correct compared to authentication policy.
66 */
69 return false;
70 }
71 /**
72 method to add/delete Multi factor authentication methods in user_attributes
73 column.
74 */
75 virtual bool update_user_attributes() = 0;
76 virtual void add_factor(I_multi_factor_auth *m [[maybe_unused]]) {}
77 /**
78 Helper methods to convert this interface into a valid JSON object
79 and vice versa.
80 */
81 virtual bool serialize(Json_array &mfa_arr) = 0;
82 virtual bool deserialize(uint f, Json_dom *mfa_dom) = 0;
83 /**
84 Helper methods to do registration step.
85 */
86 virtual bool init_registration(THD *, uint) = 0;
87 virtual bool finish_registration(THD *, LEX_USER *, uint) = 0;
88 virtual bool is_passwordless() = 0;
89
90 /**
91 Fill needed info in LEX_USER::mfa_list for query rewrite
92 */
93 virtual void get_info_for_query_rewrite(THD *, LEX_USER *) = 0;
94 /**
95 Fill in generated passwords from respective Multi factor authentication
96 methods
97 */
98 virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u,
99 const char *h) = 0;
100 /**
101 Fill in server challenge generated as part of initiate registration step.
102 */
104 /**
105 Get methods.
106 */
108 return down_cast<Multi_factor_auth_list *>(this);
109 }
110
112 return down_cast<Multi_factor_auth_info *>(this);
113 }
114};
115
116template <typename T>
117using my_vector = std::vector<T, Mem_root_allocator<T>>;
118
120 private:
121 /* multi_factor_auth hierarchy */
123
124 public:
126 ~Multi_factor_auth_list() override;
128 size_t get_mfa_list_size();
129 bool is_alter_allowed(THD *, LEX_USER *) override;
130 void alter_mfa(I_multi_factor_auth *) override;
132 THD *thd, const authentication_policy::Factors &policy_factors) override;
134 THD *thd, const authentication_policy::Factors &policy_factors) override;
135 bool update_user_attributes() override;
136 void add_factor(I_multi_factor_auth *m) override;
137 bool serialize(Json_array &mfa_arr) override;
138 bool deserialize(uint f, Json_dom *mfa_dom) override;
139 bool init_registration(THD *, uint) override;
140 bool finish_registration(THD *, LEX_USER *, uint) override;
141 bool is_passwordless() override;
142 void get_info_for_query_rewrite(THD *, LEX_USER *) override;
143 void get_generated_passwords(Userhostpassword_list &gp, const char *u,
144 const char *h) override;
146
147 private:
148 /*
149 This methods ensures that hierarchy of m_factor is always
150 2FA followed by 3FA.
151 */
152 void sort_mfa();
153};
154
155/*
156 This class represents each individual factor from chain of
157 authentication plugins for a given user account.
158*/
160 private:
164
165 public:
169 /* validate Multi factor authentication plugins during ACL DDL */
171 THD *thd, const authentication_policy::Factors &policy_factors) override;
172 /* update user attributes */
173 bool update_user_attributes() override;
174 /* construct json object out of user attributes column */
175 bool serialize(Json_array &mfa_arr) override;
176 bool deserialize(uint f, Json_dom *mfa_dom) override;
177 /* helper methods to do registration */
178 bool init_registration(THD *, uint) override;
179 bool finish_registration(THD *, LEX_USER *, uint) override;
180 bool is_passwordless() override;
181 void get_info_for_query_rewrite(THD *, LEX_USER *) override;
182 void get_generated_passwords(Userhostpassword_list &gp, const char *u,
183 const char *h) override;
185
186 /* during ALTER USER copy attributes from ACL_USER */
188
189 private:
190 /*
191 validate Multi factor authentication attributes read from row of
192 mysql.user table
193 */
194 bool validate_row();
195
196 public:
197 bool is_identified_by();
198 bool is_identified_with();
200
201 const char *get_auth_str();
202 size_t get_auth_str_len();
203
204 const char *get_plugin_str();
205 size_t get_plugin_str_len();
206
207 const char *get_generated_password_str();
209
210 const char *get_client_plugin_str();
211 size_t get_client_plugin_len();
212
214 unsigned int get_nth_factor();
215 bool is_add_factor();
216 bool is_drop_factor();
217 bool is_modify_factor();
218
222 bool get_unregister();
224
225 void set_auth_str(const char *, size_t);
226 void set_plugin_str(const char *, size_t);
227 void set_generated_password(const char *, size_t);
228 void set_client_plugin(const char *, size_t);
229 void set_factor(nthfactor f);
230 void set_passwordless(int v);
231 void set_init_registration(bool v);
232 void set_finish_registration(bool v);
233 void set_requires_registration(int v);
234
235 std::string get_command_string(enum_sql_command sql_command);
236};
237
238#endif /* SQL_MFA_INCLUDED */
std::list< random_password_info > Userhostpassword_list
Definition: auth_common.h:1128
An interface to access information about Multi factor authentication methods.
Definition: sql_mfa.h:49
virtual bool finish_registration(THD *, LEX_USER *, uint)=0
virtual bool validate_against_authentication_policy(THD *, const authentication_policy::Factors &)
Helper method to validate Multi factor authentication methods are correct compared to authentication ...
Definition: sql_mfa.h:67
virtual bool is_alter_allowed(THD *, LEX_USER *)
Helper methods to verify and update ALTER USER sql when altering Multi factor authentication methods.
Definition: sql_mfa.h:56
virtual ~I_multi_factor_auth()=default
Multi_factor_auth_info * get_multi_factor_auth_info()
Definition: sql_mfa.h:111
virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u, const char *h)=0
Fill in generated passwords from respective Multi factor authentication methods.
virtual void get_server_challenge_info(server_challenge_info_vector &sc)=0
Fill in server challenge generated as part of initiate registration step.
virtual void alter_mfa(I_multi_factor_auth *)
Definition: sql_mfa.h:57
virtual void add_factor(I_multi_factor_auth *m)
Definition: sql_mfa.h:76
virtual bool validate_plugins_in_auth_chain(THD *thd, const authentication_policy::Factors &policy_factors)=0
Helper method to validate Multi factor authentication methods.
virtual bool init_registration(THD *, uint)=0
Helper methods to do registration step.
virtual bool deserialize(uint f, Json_dom *mfa_dom)=0
virtual bool is_passwordless()=0
virtual void get_info_for_query_rewrite(THD *, LEX_USER *)=0
Fill needed info in LEX_USER::mfa_list for query rewrite.
virtual bool update_user_attributes()=0
method to add/delete Multi factor authentication methods in user_attributes column.
virtual bool serialize(Json_array &mfa_arr)=0
Helper methods to convert this interface into a valid JSON object and vice versa.
Multi_factor_auth_list * get_multi_factor_auth_list()
Get methods.
Definition: sql_mfa.h:107
Represents a JSON array container, i.e.
Definition: json_dom.h:516
JSON DOM abstract base class.
Definition: json_dom.h:173
Definition: sql_mfa.h:159
void set_passwordless(int v)
Definition: sql_mfa.cc:1260
bool is_passwordless() override
Definition: sql_mfa.cc:1212
bool is_modify_factor()
Definition: sql_mfa.cc:1208
bool update_user_attributes() override
Method to update User_attributes column in mysql.user table.
Definition: sql_mfa.cc:710
void set_requires_registration(int v)
Definition: sql_mfa.cc:1272
void get_info_for_query_rewrite(THD *, LEX_USER *) override
This method will fill in missing details like plugin name or authentication string,...
Definition: sql_mfa.cc:1045
size_t get_client_plugin_len()
Definition: sql_mfa.cc:1184
void set_client_plugin(const char *, size_t)
Definition: sql_mfa.cc:1247
void set_finish_registration(bool v)
Definition: sql_mfa.cc:1268
const char * get_auth_str()
Definition: sql_mfa.cc:1157
bool get_unregister()
Definition: sql_mfa.cc:1228
bool validate_plugins_in_auth_chain(THD *thd, const authentication_policy::Factors &policy_factors) override
This method validates nth factor authentication plugin during ALTER/CREATE USER sql.
Definition: sql_mfa.cc:566
void set_init_registration(bool v)
Definition: sql_mfa.cc:1264
bool is_identified_with()
Definition: sql_mfa.cc:1149
void get_server_challenge_info(server_challenge_info_vector &sc) override
This method will return randomly generated server challenge as part of ALTER USER .
Definition: sql_mfa.cc:1119
size_t get_auth_str_len()
Definition: sql_mfa.cc:1161
std::string get_command_string(enum_sql_command sql_command)
Definition: sql_mfa.cc:1276
unsigned int get_nth_factor()
Definition: sql_mfa.cc:1197
bool deserialize(uint f, Json_dom *mfa_dom) override
Helper function to read details from Json object representing Multi factor authentication methods and...
Definition: sql_mfa.cc:766
Multi_factor_auth_info(MEM_ROOT *mem_root)
Definition: sql_mfa.cc:542
bool is_add_factor()
Definition: sql_mfa.cc:1201
size_t get_generated_password_len()
Definition: sql_mfa.cc:1169
bool get_requires_registration()
Definition: sql_mfa.cc:1224
MEM_ROOT * m_mem_root
Definition: sql_mfa.h:161
acl_table::Pod_user_what_to_update m_update
Definition: sql_mfa.h:163
const char * get_client_plugin_str()
Definition: sql_mfa.cc:1180
bool get_finish_registration()
Definition: sql_mfa.cc:1220
bool finish_registration(THD *, LEX_USER *, uint) override
This method reads the credential details received from FIDO device and saves in user_attributes colum...
Definition: sql_mfa.cc:927
bool validate_row()
Interface method to validate the auth plugin chain if user_attributes in mysql.user table is modified...
Definition: sql_mfa.cc:672
const char * get_plugin_str()
Definition: sql_mfa.cc:1173
void set_plugin_str(const char *, size_t)
Definition: sql_mfa.cc:1238
LEX_CSTRING & plugin_name()
Definition: sql_mfa.cc:1153
LEX_MFA * m_multi_factor_auth
Definition: sql_mfa.h:162
const char * get_generated_password_str()
Definition: sql_mfa.cc:1165
bool get_init_registration()
Definition: sql_mfa.cc:1216
void set_auth_str(const char *, size_t)
Definition: sql_mfa.cc:1234
size_t get_plugin_str_len()
Definition: sql_mfa.cc:1176
~Multi_factor_auth_info() override
Definition: sql_mfa.h:168
bool is_identified_by()
Definition: sql_mfa.cc:1146
bool init_registration(THD *, uint) override
This method initiates registration step.
Definition: sql_mfa.cc:818
nthfactor get_factor()
Definition: sql_mfa.cc:1188
bool serialize(Json_array &mfa_arr) override
Helper function to convert an instance of Multi_factor_auth_info into a JSON object.
Definition: sql_mfa.cc:731
bool is_drop_factor()
Definition: sql_mfa.cc:1205
void set_generated_password(const char *, size_t)
Definition: sql_mfa.cc:1242
Multi_factor_auth_info & operator=(Multi_factor_auth_info &new_af)
Definition: sql_mfa.cc:1129
LEX_MFA * get_lex_mfa()
Definition: sql_mfa.cc:1232
void set_factor(nthfactor f)
Definition: sql_mfa.cc:1251
void get_generated_passwords(Userhostpassword_list &gp, const char *u, const char *h) override
This method will return randomly generated passwords as part of IDENTIFIED BY RANDOM PASSWORD clause,...
Definition: sql_mfa.cc:1099
Definition: sql_mfa.h:119
bool validate_against_authentication_policy(THD *thd, const authentication_policy::Factors &policy_factors) override
This method checks the modified Multi factor authentication interface methods based on ALTER USER sql...
Definition: sql_mfa.cc:318
void get_server_challenge_info(server_challenge_info_vector &sc) override
Interface method to fill in generated server challenge from init registration step.
Definition: sql_mfa.cc:529
void alter_mfa(I_multi_factor_auth *) override
This method modifies the Multi factor authentication interface based on ALTER USER sql.
Definition: sql_mfa.cc:206
void add_factor(I_multi_factor_auth *m) override
Definition: sql_mfa.cc:1142
bool update_user_attributes() override
Interface method to update user_attributes.
Definition: sql_mfa.cc:400
bool validate_plugins_in_auth_chain(THD *thd, const authentication_policy::Factors &policy_factors) override
Interface method to validate the auth plugin chain before updating the user_attributes in mysql....
Definition: sql_mfa.cc:385
Multi_factor_auth_list(MEM_ROOT *)
Definition: sql_mfa.cc:46
void get_info_for_query_rewrite(THD *, LEX_USER *) override
Interface method to fill in Multi factor authentication method details during query rewrite.
Definition: sql_mfa.cc:498
bool deserialize(uint f, Json_dom *mfa_dom) override
Interface method to convert a valid JSON object into this interface.
Definition: sql_mfa.cc:435
bool is_alter_allowed(THD *, LEX_USER *) override
This method checks MFA methods present in ACL_USER against new factor specified as part of ALTER USER...
Definition: sql_mfa.cc:63
bool serialize(Json_array &mfa_arr) override
Interface method to convert this interface into a valid JSON object.
Definition: sql_mfa.cc:418
bool is_passwordless() override
Interface method to check if registration step in for passwordless authentication method.
Definition: sql_mfa.cc:483
my_vector< I_multi_factor_auth * > m_factor
Definition: sql_mfa.h:122
void sort_mfa()
Helper method to sort nth factor methods in multi-factor authentication interface such that 2nd facto...
Definition: sql_mfa.cc:363
my_vector< I_multi_factor_auth * > & get_mfa_list()
Definition: sql_mfa.cc:536
bool init_registration(THD *, uint) override
Interface method to initiate registration.
Definition: sql_mfa.cc:450
void get_generated_passwords(Userhostpassword_list &gp, const char *u, const char *h) override
Interface method to fill in generated passwords from Multi factor authentication methods.
Definition: sql_mfa.cc:514
size_t get_mfa_list_size()
Definition: sql_mfa.cc:540
bool finish_registration(THD *, LEX_USER *, uint) override
Interface method to finish registration step.
Definition: sql_mfa.cc:468
~Multi_factor_auth_list() override
Definition: sql_mfa.cc:49
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:36
Definition: user_table.h:47
static MEM_ROOT mem_root
Definition: client_plugin.cc:114
JSON DOM.
enum_sql_command
Definition: my_sqlcommand.h:46
std::vector< Factor > Factors
Type of container with authentication policy factors.
Definition: authentication_policy.h:135
std::vector< std::pair< std::string, std::string > > server_challenge_info_vector
Definition: sql_mfa.h:42
std::vector< T, Mem_root_allocator< T > > my_vector
Definition: sql_mfa.h:117
nthfactor
Definition: sql_mfa.h:36
Definition: table.h:2622
Definition: table.h:2731
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:83
Definition: mysql_lex_string.h:40