MySQL 9.4.0
Source Code Documentation
authorize_manager.h
Go to the documentation of this file.
1/*
2 Copyright (c) 2021, 2025, Oracle and/or its affiliates.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is designed to work with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have either included with
14 the program or referenced in the documentation.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24 */
25
26#ifndef ROUTER_SRC_REST_MRS_SRC_MRS_AUTHENTICATION_AUTH_MANAGER_H_
27#define ROUTER_SRC_REST_MRS_SRC_MRS_AUTHENTICATION_AUTH_MANAGER_H_
28
29#include <chrono>
30#include <map>
31#include <memory>
32#include <mutex>
33#include <optional>
34#include <vector>
35
36#include "helper/mysql_time.h"
37#include "helper/token/jwt.h"
47
48namespace mrs {
49namespace authentication {
50
53 public:
57 std::shared_ptr<mrs::interface::AuthHandlerFactory>;
58 using RestHandlerPtr = std::shared_ptr<RestHandler>;
61 using EndpointConfigurationPtr = std::shared_ptr<EndpointConfiguration>;
62 using Container = std::vector<AuthorizeHandlerPtr>;
64 using steady_clock = std::chrono::steady_clock;
65
66 public:
68 collector::MysqlCacheManager *cache_manager,
69 const std::string &jwt_secret, QueryFactory *query_factory,
70 AuthHandlerFactoryPtr factory);
71
72 void update(const Entries &entries) override;
73 void configure(const std::string &options) override;
74
75 bool unauthorize(const SessionPtr &session, http::Cookie *cookies) override;
76 bool authorize(const std::string &proto, const std::string &host,
77 ServiceId id, bool passthrough_db_user,
78 rest::RequestContext &ctxt, AuthUser *out_user) override;
80 AuthUser *user) override;
81
82 std::string get_jwt_token(UniversalId service_id,
83 const SessionPtr &) override;
84 void discard_current_session(ServiceId id, http::Cookie *cookies) override;
88 void clear() override;
89 void update_users_cache(const ChangedUsersIds &changed_users_ids) override;
90
91 void collect_garbage();
92
93 private:
97 http::Cookie &cookies);
98 std::vector<std::pair<std::string, SessionId>> get_session_ids_cookies(
99 const UniversalId &service_id, http::Cookie *cookies);
100 std::vector<SessionId> get_session_ids_from_cookies(
101 const UniversalId &service_id, http::Cookie *cookies);
102 bool get_handler_by_id(const UniversalId auth_id, Container::iterator *it);
103 bool get_handler_by_id(const UniversalId auth_id,
104 AuthorizeHandlerPtr &out_it);
107 rest::RequestContext &ctxt, ServiceId service_id,
108 const std::optional<std::string> &app_name);
109
110 /**
111 * Validate the JWT token, and get/create session for it.
112 *
113 * @returns session pointer
114 */
115 SessionPtr authorize_jwt(const UniversalId service_id,
116 const helper::Jwt &jwt);
117
118 private: // AuthorizeHandlerCallbacks
120 const std::string &account) override;
121
123 public:
130 };
131
132 using ServiceAuthorizePtr = std::shared_ptr<ServiceAuthorize>;
133 using MapOfServices = std::map<ServiceId, ServiceAuthorizePtr>;
134
140 std::string jwt_secret_;
145 steady_clock::time_point last_garbage_collection_{};
147
148 /*
149 * Random data, created at `authorization_manager` creation.
150 *
151 * Those data should be used for fake keys generation. Which concated with
152 * user name, may be used for the generation and user shouldn't be able to
153 * detect the fake generation was used.
154 *
155 * Ideally, the data should be constant while the whole live of the service.
156 * For example the attacker should be able to query the user and store its
157 * "salt", and after logner time the same query should return the same salt
158 * (even if the user doesn't exists).
159 */
160 const std::string random_data_;
161};
162
163} // namespace authentication
164} // namespace mrs
165
166#endif // ROUTER_SRC_REST_MRS_SRC_MRS_AUTHENTICATION_AUTH_MANAGER_H_
Definition: mysql_cache_manager.h:87
The handler class is the interface for dynamically loadable storage engines.
Definition: handler.h:4666
Definition: authorize_handler_callbacks.h:35
Definition: jwt.h:42
RestHandlerPtr authorization_result_handler_
Definition: authorize_manager.h:127
RestHandlerPtr list_handler_
Definition: authorize_manager.h:129
RestHandlerPtr authorize_handler_
Definition: authorize_manager.h:124
RestHandlerPtr unauthorize_handler_
Definition: authorize_manager.h:126
RestHandlerPtr user_handler_
Definition: authorize_manager.h:128
RestHandlerPtr status_handler_
Definition: authorize_manager.h:125
Definition: authorize_manager.h:52
void clear() override
Definition: authorize_manager.cc:887
Container get_handlers_by_service_id(const UniversalId service_id)
Definition: authorize_manager.cc:306
AuthorizeManager(const EndpointConfigurationPtr &configuration, collector::MysqlCacheManager *cache_manager, const std::string &jwt_secret, QueryFactory *query_factory, AuthHandlerFactoryPtr factory)
Definition: authorize_manager.cc:238
std::vector< std::pair< std::string, SessionId > > get_session_ids_cookies(const UniversalId &service_id, http::Cookie *cookies)
Definition: authorize_manager.cc:489
RateControlFor< std::string > hosts_rate_
Definition: authorize_manager.h:143
std::vector< SessionId > get_session_ids_from_cookies(const UniversalId &service_id, http::Cookie *cookies)
Definition: authorize_manager.cc:507
std::chrono::steady_clock steady_clock
Definition: authorize_manager.h:64
EndpointConfigurationPtr configuration_
Definition: authorize_manager.h:135
bool authorize(const std::string &proto, const std::string &host, ServiceId id, bool passthrough_db_user, rest::RequestContext &ctxt, AuthUser *out_user) override
Definition: authorize_manager.cc:733
void update(const Entries &entries) override
Definition: authorize_manager.cc:273
uint32_t passthrough_db_user_session_pool_size_
Definition: authorize_manager.h:146
minutes jwt_expire_timeout
Definition: authorize_manager.h:144
std::shared_ptr< EndpointConfiguration > EndpointConfigurationPtr
Definition: authorize_manager.h:61
users::UserManager * get_user_manager() override
Definition: authorize_manager.cc:841
SessionPtr get_session_id_from_cookie(const UniversalId &service_id, http::Cookie &cookies)
Definition: authorize_manager.cc:719
void update_users_cache(const ChangedUsersIds &changed_users_ids) override
Definition: authorize_manager.cc:889
RateControlFor< std::string > accounts_rate_
Definition: authorize_manager.h:142
collector::MysqlCacheManager * get_cache() override
Definition: authorize_manager.h:86
AuthorizeHandlerPtr create_authentication_application(const AuthApp &entry)
Definition: authorize_manager.cc:343
std::shared_ptr< RestHandler > RestHandlerPtr
Definition: authorize_manager.h:58
const std::string random_data_
Definition: authorize_manager.h:160
bool unauthorize(const SessionPtr &session, http::Cookie *cookies) override
Definition: authorize_manager.cc:405
collector::MysqlCacheManager * cache_manager_
Definition: authorize_manager.h:136
http::SessionManager session_manager_
Definition: authorize_manager.h:138
std::chrono::minutes minutes
Definition: authorize_manager.h:63
void pre_authorize_account(interface::AuthorizeHandler *handler, const std::string &account) override
Definition: authorize_manager.cc:384
std::vector< AuthorizeHandlerPtr > Container
Definition: authorize_manager.h:62
void configure(const std::string &options) override
Definition: authorize_manager.cc:254
std::string get_jwt_token(UniversalId service_id, const SessionPtr &) override
Definition: authorize_manager.cc:455
void discard_current_session(ServiceId id, http::Cookie *cookies) override
Definition: authorize_manager.cc:880
void collect_garbage()
Definition: authorize_manager.cc:897
AuthorizeHandlerPtr choose_authentication_handler(rest::RequestContext &ctxt, ServiceId service_id, const std::optional< std::string > &app_name)
Definition: authorize_manager.cc:609
std::shared_ptr< ServiceAuthorize > ServiceAuthorizePtr
Definition: authorize_manager.h:132
steady_clock::time_point last_garbage_collection_
Definition: authorize_manager.h:145
bool get_handler_by_id(const UniversalId auth_id, Container::iterator *it)
Definition: authorize_manager.cc:320
SessionPtr authorize_jwt(const UniversalId service_id, const helper::Jwt &jwt)
Validate the JWT token, and get/create session for it.
Definition: authorize_manager.cc:530
std::map< ServiceId, ServiceAuthorizePtr > MapOfServices
Definition: authorize_manager.h:133
Container get_supported_authentication_applications(ServiceId id) override
Definition: authorize_manager.cc:526
std::string jwt_secret_
Definition: authorize_manager.h:140
std::shared_ptr< mrs::interface::AuthHandlerFactory > AuthHandlerFactoryPtr
Definition: authorize_manager.h:57
AuthHandlerFactoryPtr factory_
Definition: authorize_manager.h:141
Container container_
Definition: authorize_manager.h:139
users::UserManager user_manager_
Definition: authorize_manager.h:137
bool is_authorized(ServiceId id, rest::RequestContext &ctxt, AuthUser *user) override
Definition: authorize_manager.cc:845
Definition: rate_control_for.h:48
Definition: cookie.h:38
Definition: session_manager.h:52
Definition: authorize_handler.h:53
Definition: authorize_manager.h:58
std::shared_ptr< AuthorizeHandler > AuthorizeHandlerPtr
Definition: authorize_manager.h:64
database::entry::AuthUser AuthUser
Definition: authorize_manager.h:67
std::vector< AuthApp > Entries
Definition: authorize_manager.h:68
UniversalId ServiceId
Definition: authorize_manager.h:69
mrs::users::UserManager::ChangedUsersIds ChangedUsersIds
Definition: authorize_manager.h:72
http::SessionManager::SessionPtr SessionPtr
Definition: authorize_manager.h:62
Definition: endpoint_configuration.h:35
Definition: query_factory.h:55
Definition: rest_handler.h:141
Definition: user_manager.h:41
const char * host
Definition: mysqladmin.cc:66
mrs::database::entry::AuthApp AuthApp
Definition: oauth2_handler.cc:58
std::chrono::minutes minutes
Definition: authorize_manager.cc:69
AuthorizeManager::AuthorizeHandlerPtr AuthorizeHandlerPtr
Definition: authorize_manager.cc:77
AuthorizeManager::SessionPtr SessionPtr
Definition: authorize_manager.cc:78
DbServiceEndpoint::EndpointConfiguration EndpointConfiguration
Definition: db_service_endpoint.cc:49
Definition: authorize_manager.h:48
mrs::database::entry::UniversalId UniversalId
Definition: universal_id.h:33
Definition: options.cc:57
required string configuration
Definition: replication_asynchronous_connection_failover.proto:49
Definition: completion_hash.h:35
Definition: request_context.h:47