1/* Copyright (c) 2020, 2023, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is also distributed with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have included with MySQL.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22
23#ifndef AUTH_LDAP_SASL_MECHANISM_H_
24#define AUTH_LDAP_SASL_MECHANISM_H_
25
26#include "my_config.h"
27
28#ifdef HAVE_SASL_SASL_H
29#include <sys/types.h>
30#endif
31#include <sasl/sasl.h>
32
33#include <string>
34
35#if defined(KERBEROS_LIB_CONFIGURED)
36#include "auth_ldap_kerberos.h"
37#endif
38
39namespace auth_ldap_sasl_client {
40
42
43/**
44 Base class representing a SASL mechanism. The derived classes perform all
45 mechanism-specific SASL operations; instances are normally obtained through
46 the create_sasl_mechanism() factory and used through a base-class pointer.
47*/
48 public:
  /**
    Mechanism-name string for GSSAPI (Kerberos), handled by
    Sasl_mechanism_kerberos. Declared here, defined in the .cc file.
  */
  static const char SASL_GSSAPI[];
  /**
    Mechanism-name string for SCRAM-SHA-1, handled by Sasl_mechanism_scram.
    Declared here, defined in the .cc file.
  */
  static const char SASL_SCRAM_SHA1[];
  /**
    Mechanism-name string for SCRAM-SHA-256, handled by Sasl_mechanism_scram.
    Declared here, defined in the .cc file.
  */
  static const char SASL_SCRAM_SHA256[];
55
  /**
    Destructor. Virtual so that a mechanism owned through a Sasl_mechanism
    pointer (as handed out by create_sasl_mechanism()) is destroyed as its
    concrete derived type.
  */
  virtual ~Sasl_mechanism() = default;
  /**
    Preauthentication step, e.g. obtaining a Kerberos ticket. Most mechanisms
    need nothing here, so this default implementation ignores both arguments
    and reports success. Sasl_mechanism_kerberos overrides it.

    @param user     [in] user name (unused by the default implementation)
    @param password [in] user password (unused by the default implementation)

    NOTE(review): the password is handed over as a plain C string; overrides
    should take care not to copy it into log or error messages.

    @return true - success (unconditionally for the base class)
  */
  bool virtual preauthenticate([[maybe_unused]] const char *user,
                               [[maybe_unused]] const char *password) {
    return true;
  }
  /**
    Get the LDAP host the mechanism wants the client to connect to. Of the
    mechanisms declared in this header only Sasl_mechanism_kerberos overrides
    this; the default supplies no host and returns nullptr.

    @return LDAP host URL, or nullptr when the mechanism provides none
  */
  virtual const char *get_ldap_host() { return nullptr; }
79
  /**
    Get a default user name. Called when no user name was passed to the
    client. Most mechanisms cannot supply one, so this default leaves @p name
    untouched and reports failure; Sasl_mechanism_kerberos overrides it.

    @param name [out] default user name (not written by the base class)
    @return false - no default user name available
  */
  virtual bool get_default_user([[maybe_unused]] std::string &name) {
    return false;
  }
90
  /**
    Get the list of sasl_callback_t entries (see sasl/sasl.h) the mechanism
    supplies. The base class returns nullptr - its own private callbacks[]
    member is not returned here; each concrete mechanism returns its own
    static array instead.

    @return array of callbacks, or nullptr when the mechanism has none
  */
  virtual const sasl_callback_t *get_callbacks() { return nullptr; }
97
  /**
    Get the constant string naming this mechanism.

    This returns the very pointer given to the constructor, not a copy, so it
    is valid only as long as that string is (the SASL_* constants above have
    static storage and are always safe).

    NOTE(review): the accessor does not modify the object and could be
    declared const.

    @return mechanism name
  */
  const char *get_mechanism_name() { return m_mechanism_name; }
104
  /**
    Check whether the authentication must be concluded by a message from the
    MySQL server after the SASL exchange. Most mechanisms do not need that,
    so the base class always answers false; the GSSAPI mechanism overrides
    it to true.

    NOTE(review): a mechanism answering false is presumably treated as
    finished without waiting for a final server message - confirm against
    the caller before adding a mechanism that relies on server conclusion.

    @return false
  */
  virtual bool require_conclude_by_server() { return false; }
113
  /**
    SASL mechanism factory. Creates the mechanism object matching
    @p mechanism_name and hands it back through the out-parameter.

    The object is returned as a raw pointer; presumably the caller owns it
    and releases it through the virtual base destructor - verify in
    auth_ldap_sasl_mechanism.cc.

    NOTE(review): @p mechanism_name should only ever be matched against the
    SASL_* constants declared above; an unrecognised name must fail rather
    than silently fall back to another mechanism - confirm in the definition.

    @param mechanism_name [in]  name of the mechanism
    @param mechanism      [out] created mechanism object (valid on success)

    @retval true success
    @retval false failure
  */
  static bool create_sasl_mechanism(const char *mechanism_name,
                                    Sasl_mechanism *&mechanism);
126
127 protected:
  /**
    Constructor. Protected so that only the derived mechanism classes can
    construct one.

    Only the pointer is stored (m_mechanism_name is a const char*); the string
    is not copied and must therefore outlive the mechanism object. The SASL_*
    constants declared above satisfy this.

    NOTE(review): as a single-argument constructor this could be marked
    explicit to rule out implicit conversions from const char*.

    @param mechanism_name [in] name of the mechanism
  */
  Sasl_mechanism(const char *mechanism_name)
      : m_mechanism_name(mechanism_name) {}
135
136 private:
  /**
    Array of SASL callbacks. Private to the base class and not returned by
    the base get_callbacks() (which yields nullptr); the derived classes
    declare their own callbacks[] members, which hide this one.
  */
  static const sasl_callback_t callbacks[];
  /** Name of the mechanism; points at caller-provided storage, never copied. */
  const char *m_mechanism_name;
141};
142
143#if defined(KERBEROS_LIB_CONFIGURED)
144/**
145 Class representing the GSSAPI/Kerberos mechanism. Only compiled when
146 KERBEROS_LIB_CONFIGURED is defined.
147*/
148 public:
149 /**
150 Constructor.
151 */
  /**
    Destructor. Defaulted; the members (including the Kerberos object) clean
    up through their own destructors.
  */
  ~Sasl_mechanism_kerberos() override = default;
  /**
    Preauthentication step: obtains a Kerberos ticket for the given user with
    the given password. Defined in auth_ldap_sasl_mechanism.cc.

    NOTE(review): the password is a plain C string; the definition should
    not copy it into log or error output.

    @param user     [in] user name
    @param password [in] user password

    @retval true success
    @retval false failure
  */
  bool preauthenticate(const char *user, const char *password) override;
  /**
    Get the LDAP host to connect to. Defined in auth_ldap_sasl_mechanism.cc;
    presumably backed by the m_ldap_server_host member.

    @return LDAP host URL or nullptr on failure
  */
  const char *get_ldap_host() override;
173
  /**
    Get the default user name. Called when no user name was passed to the
    client; the name returned is the default Kerberos principal. Defined in
    auth_ldap_sasl_mechanism.cc.

    @param name [out] default user name

    @retval true success
    @retval false failure
  */
  bool get_default_user(std::string &name) override;
  /**
    Get the array of SASL callbacks supported by the GSSAPI mechanism. This
    returns the class's own static callbacks[] member, not the base class's.

    @return array of callbacks
  */
  const sasl_callback_t *get_callbacks() override { return callbacks; }
  /**
    GSSAPI authentication must be concluded by the MySQL server: the client
    is not finished after the SASL exchange until that message arrives.

    @return true
  */
  bool require_conclude_by_server() override { return true; }
196
197 private:
198 /** URL of the LDAP server */
200 /** Kerberos object used to perform Kerberos operations */
  /**
    Array of SASL callbacks supported by this mechanism; returned by
    get_callbacks(). Hides the base class's private member of the same name.
  */
  static const sasl_callback_t callbacks[];
204};
205#endif
206
207#if defined(SCRAM_LIB_CONFIGURED)
208/**
209 Class representing the SCRAM family of SASL mechanisms (currently
210 SCRAM-SHA-1 and SCRAM-SHA-256). Only compiled when SCRAM_LIB_CONFIGURED is
211 defined.
212*/
213 public:
  /**
    Constructor.

    @param mechanism_name [in] name of the mechanism; expected to be
           SASL_SCRAM_SHA1 or SASL_SCRAM_SHA256, although nothing here
           validates it. Only the pointer is stored (see the base class
           constructor), so the string must outlive this object.
  */
  Sasl_mechanism_scram(const char *mechanism_name)
      : Sasl_mechanism(mechanism_name) {}
  /**
    Destructor. Defaulted; the class holds no resources of its own.
  */
  ~Sasl_mechanism_scram() override = default;
  /**
    Get the array of SASL callbacks supported by the SCRAM mechanisms. This
    returns the class's own static callbacks[] member, not the base class's.

    @return array of callbacks
  */
  const sasl_callback_t *get_callbacks() override { return callbacks; }
231
232 private:
  /**
    Array of SASL callbacks supported by this mechanism; returned by
    get_callbacks(). Hides the base class's private member of the same name.
  */
  static const sasl_callback_t callbacks[];
235};
236#endif
237} // namespace auth_ldap_sasl_client
238#endif // AUTH_LDAP_SASL_MECHANISM_H_