MySQL 8.3.0
Source Code Documentation
gcs_xcom_networking.h
Go to the documentation of this file.
1/* Copyright (c) 2016, 2023, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is also distributed with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have included with MySQL.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22
23#ifndef GCS_XCOM_NETWORKING_H
24#define GCS_XCOM_NETWORKING_H
25
26#include <map>
27#include <string>
28#include <vector>
29
32
33#ifdef _WIN32
34typedef u_short sa_family_t;
35#endif
36
37/**
38 * @brief Interface to decouple XCom sock_probe implementation to allow
39 * unit testing.
40 */
42 public:
44 virtual ~Gcs_sock_probe_interface() = default;
45
46 virtual int init_sock_probe(sock_probe *s) = 0;
47 virtual int number_of_interfaces(sock_probe *s) = 0;
49 struct sockaddr **out) = 0;
51 struct sockaddr **out) = 0;
52 virtual char *get_if_name(sock_probe *s, int count) = 0;
53 virtual bool_t is_if_running(sock_probe *s, int count) = 0;
54 virtual void close_sock_probe(sock_probe *s) = 0;
55
58 default; // move constructor must be explicit because copy is
60 default;
62 default; // move assignment must be explicit because move is
63};
64
65/**
66 * @brief Implementation of @class Gcs_sock_probe_interface
67 */
69 public:
71 ~Gcs_sock_probe_interface_impl() override = default;
72
73 int init_sock_probe(sock_probe *s) override;
74 int number_of_interfaces(sock_probe *s) override;
76 struct sockaddr **out) override;
78 struct sockaddr **out) override;
79 char *get_if_name(sock_probe *s, int count) override;
80 bool_t is_if_running(sock_probe *s, int count) override;
81 void close_sock_probe(sock_probe *s) override;
82
85 default; // move constructor must be explicit because copy is
87 const Gcs_sock_probe_interface_impl &) = default;
89 default; // move assignment must be explicit because move is
90};
91
92/**
93 This function gets all network addresses on this host and their
94 subnet masks as a string.
95
96 @param[out] sock_probe Socket probe interface
97 @param[out] out maps IP addresses to subnetmasks
98 @param filter_out_inactive If set to true, only active interfaces will be
99 added to out
100 @return false on success, true otherwise.
101 */
103 std::map<std::string, int> &out,
104 bool filter_out_inactive = false);
105
106/**
107 This function gets all private network addresses and their
108 subnet masks as a string. IPv4 only. (SOCK_STREAM only)
109 @param[out] out maps IP addresses to subnetmasks
110 @param filter_out_inactive If set to true, only active interfaces will be added
111 to out
112 @return false on success, true otherwise.
113 */
114bool get_local_private_addresses(std::map<std::string, int> &out,
115 bool filter_out_inactive = false);
116
117/**
118 This function translates hostnames to all possible IP addresses.
119
120 @param[in] name The hostname to translate.
121 @param[out] ips The IP addresses after translation.
122
123 @return false on success, true otherwise.
124 */
126 std::string name, std::vector<std::pair<sa_family_t, std::string>> &ips);
127
128/**
129 This function translates hostname to all possible IP addresses.
130
131 @param[in] name The hostname to translate.
132 @param[out] ip The IP addresses after translation.
133
134 @return false on success, true otherwise.
135 */
136bool resolve_ip_addr_from_hostname(std::string name,
137 std::vector<std::string> &ip);
138
139/**
140 Converts an address in string format (X.X.X.X/XX) into network octet format
141
142 @param[in] addr IP address in X.X.X.X format
143 @param[in] mask Network mask associated with the address
144 @param[out] out_pair IP address and netmask, in binary format (network byte
145 order)
146
147 @return false on success, true otherwise.
148 */
149bool get_address_for_allowlist(std::string addr, std::string mask,
150 std::pair<std::vector<unsigned char>,
151 std::vector<unsigned char>> &out_pair);
152
153/**
154 @class Gcs_ip_allowlist_entry
155 @brief Base abstract class for the allowlist entries.
156
157 This is the base class for the Allowlist entries. Any derived class must
158 implement its two abstract methods:
159 - init_value();
160 - get_value();
161 */
163 public:
164 /**
165 Constructor
166
167 @param[in] addr IP address or hostname of this entry
168 @param[in] mask Network mask of this entry.
169 */
170 Gcs_ip_allowlist_entry(std::string addr, std::string mask);
171
172 virtual ~Gcs_ip_allowlist_entry() = default;
173
174 /**
175 Entry initialization.
176
177 If one needs to initialize internal values, it should be done in this
178 method.
179
180 @return false on success, true otherwise
181 */
182 virtual bool init_value() = 0;
183
184 /**
185 Virtual Method that implements value retrieval for this entry.
186
187 The returned value must be a list of std::pairs that contains both the
188 address and the mask in network octet value. This is in list format because
189 in the case of allowlist names, we can have multiple value for the same
190 entry
191
192 @return an std::vector of std::pair with ip and mask in network octet form
193 */
194 virtual std::vector<
195 std::pair<std::vector<unsigned char>, std::vector<unsigned char>>>
196 *get_value() = 0;
197
198 /** Getters */
199 std::string get_addr() const { return m_addr; }
200 std::string get_mask() const { return m_mask; }
201
202 private:
203 std::string m_addr;
204 std::string m_mask;
205};
206
209 const Gcs_ip_allowlist_entry *rhs) const {
210 // Check if addresses are different in content
211 if (lhs->get_addr() != rhs->get_addr()) { // Then compare only the
212 // addresses
213 return lhs->get_addr() < rhs->get_addr();
214 } else { // If addresses are equal, then compare the masks to untie.
215 return lhs->get_mask() < rhs->get_mask();
216 }
217 }
218};
219
220/**
221 @class Gcs_ip_allowlist_entry_ip
222 @brief Implementation of Gcs_ip_allowlist_entry to use with
223 raw IP addresses in format X.X.X.X/XX
224 */
226 public:
227 Gcs_ip_allowlist_entry_ip(std::string addr, std::string mask);
228
229 public:
230 bool init_value() override;
231 std::vector<std::pair<std::vector<unsigned char>, std::vector<unsigned char>>>
232 *get_value() override;
233
234 private:
235 std::pair<std::vector<unsigned char>, std::vector<unsigned char>> m_value;
236};
237
238/**
239 @class Gcs_ip_allowlist_entry_hostname
240 @brief Implementation of Gcs_ip_allowlist_entry to use with
241 hostnames
242 */
244 public:
245 Gcs_ip_allowlist_entry_hostname(std::string addr, std::string mask);
246 Gcs_ip_allowlist_entry_hostname(std::string addr);
247
248 public:
249 bool init_value() override;
250 std::vector<std::pair<std::vector<unsigned char>, std::vector<unsigned char>>>
251 *get_value() override;
252};
253
255 public:
256 static const std::string DEFAULT_ALLOWLIST;
257
258 private:
260 private:
261 /**
262 * @brief When true, it is locked. When false it is not.
263 */
264 std::atomic_flag &m_guard;
265
266 public:
267 Atomic_lock_guard(std::atomic_flag &guard) : m_guard(guard) {
268 // keep trying until it is unlocked, then lock
269 while (m_guard.test_and_set()) {
270 std::this_thread::yield();
271 }
272 }
273
275 };
276
277 private:
278 /*
279 The IP allowlist. It is a list of tuples Hexadecimal IP number
280 and subnet mask also in Hexadecimal. E.g.: 192.168.1.2/24 or 127.0.0.1/32.
281
282 This is for optimization purposes, so that we don't calculate the
283 values each time we want to check.
284 */
285 std::set<Gcs_ip_allowlist_entry *, Gcs_ip_allowlist_entry_pointer_comparator>
287
288 /**
289 This is the list that originally submitted to be parsed and to configure
290 the allowlist.
291 */
292 std::string m_original_list;
293
294 public:
296 m_atomic_guard.clear();
297 }
298 virtual ~Gcs_ip_allowlist();
299
300 /**
301 This member function shall be used to configure the allowlist.
302
303 @param the_list The list with IP addresses. This list is a comma separated
304 list formatted only with IP addresses and/or in the form of
305 a subnet range, e.g., IP/netbits.
306 @return true if the configuration failed, false otherwise.
307 */
308 bool configure(const std::string &the_list);
309
310 /**
311 This member function shall be used to validate the list that is used as
312 input to the configure member function.
313
314 @param the_list The list with IP addresses. This list is a comma separated
315 list formatted only with IP addresses and/or in the form of
316 a subnet range, e.g., IP/netbits.
317
318 @return true if the configuration failed, false otherwise.
319 */
320 bool is_valid(const std::string &the_list);
321
322 /**
323 This member function SHALL return true if the given IP is to be blocked,
324 false otherwise.
325
326 @param ip_addr a string representation of an IPv4 address.
327 @param xcom_config the latest XCom configuration.
328
329 @return true if the ip should be blocked, false otherwise.
330 */
331 bool shall_block(const std::string &ip_addr,
332 site_def const *xcom_config = nullptr);
333
334 /**
335 This member function SHALL return true if the IP of the given file
336 descriptor is to be blocked, false otherwise.
337
338 @param fd the file descriptor of the accepted socket to check.
339 @param xcom_config the latest XCom configuration.
340
341 @return true if the ip should be blocked, false otherwise.
342 */
343 bool shall_block(int fd, site_def const *xcom_config = nullptr);
344
345 /**
346 This member function gets the textual representation of the list as
347 provided to the configure member function.
348 */
349 const std::string get_configured_ip_allowlist() {
350 // lock the list
352 return m_original_list;
353 }
354
355 /**
356 A string representation of the internal list of IP addresses. Can have
357 more addresses than those submitted through the configure member
358 function, since there are addresses that are implicitly added when
359 configuring the list.
360 */
361 std::string to_string() const;
362
363 private:
364 bool do_check_block(struct sockaddr_storage *sa,
365 site_def const *xcom_config) const;
367 std::vector<unsigned char> const &incoming_octets) const;
368 bool do_check_block_xcom(std::vector<unsigned char> const &incoming_octets,
369 site_def const *xcom_config) const;
370 bool add_address(std::string addr, std::string mask);
371
372 /**
373 @brief Clears the contents of this Allowlist object.
374
375 It deletes all entries and clears the internal set.
376 */
377 void clear();
378
379 /**
380 * @brief An atomic lock to guard the ip allowlist.
381 */
382 std::atomic_flag m_atomic_guard;
383
384 private:
387};
388
389#endif /* GCS_XCOM_NETWORKING_H */
Definition: gcs_xcom_networking.h:259
Atomic_lock_guard(std::atomic_flag &guard)
Definition: gcs_xcom_networking.h:267
std::atomic_flag & m_guard
When true, it is locked.
Definition: gcs_xcom_networking.h:264
~Atomic_lock_guard()
Definition: gcs_xcom_networking.h:274
Implementation of Gcs_ip_allowlist_entry to use with hostnames.
Definition: gcs_xcom_networking.h:243
Gcs_ip_allowlist_entry_hostname(std::string addr, std::string mask)
Definition: gcs_xcom_networking.cc:511
std::vector< std::pair< std::vector< unsigned char >, std::vector< unsigned char > > > * get_value() override
Virtual Method that implements value retrieval for this entry.
Definition: gcs_xcom_networking.cc:522
bool init_value() override
Entry initialization.
Definition: gcs_xcom_networking.cc:519
Implementation of Gcs_ip_allowlist_entry to use with raw IP addresses in format X....
Definition: gcs_xcom_networking.h:225
bool init_value() override
Entry initialization.
Definition: gcs_xcom_networking.cc:498
Gcs_ip_allowlist_entry_ip(std::string addr, std::string mask)
Definition: gcs_xcom_networking.cc:494
std::vector< std::pair< std::vector< unsigned char >, std::vector< unsigned char > > > * get_value() override
Virtual Method that implements value retrieval for this entry.
Definition: gcs_xcom_networking.cc:505
std::pair< std::vector< unsigned char >, std::vector< unsigned char > > m_value
Definition: gcs_xcom_networking.h:235
Base abstract class for the allowlist entries.
Definition: gcs_xcom_networking.h:162
virtual ~Gcs_ip_allowlist_entry()=default
std::string m_mask
Definition: gcs_xcom_networking.h:204
std::string m_addr
Definition: gcs_xcom_networking.h:203
virtual bool init_value()=0
Entry initialization.
std::string get_mask() const
Definition: gcs_xcom_networking.h:200
virtual std::vector< std::pair< std::vector< unsigned char >, std::vector< unsigned char > > > * get_value()=0
Virtual Method that implements value retrieval for this entry.
std::string get_addr() const
Getters.
Definition: gcs_xcom_networking.h:199
Gcs_ip_allowlist_entry(std::string addr, std::string mask)
Constructor.
Definition: gcs_xcom_networking.cc:490
Definition: gcs_xcom_networking.h:254
bool do_check_block_xcom(std::vector< unsigned char > const &incoming_octets, site_def const *xcom_config) const
Definition: gcs_xcom_networking.cc:828
std::set< Gcs_ip_allowlist_entry *, Gcs_ip_allowlist_entry_pointer_comparator > m_ip_allowlist
Definition: gcs_xcom_networking.h:286
std::string to_string() const
A string representation of the internal list of IP addresses.
Definition: gcs_xcom_networking.cc:569
Gcs_ip_allowlist(Gcs_ip_allowlist const &)
const std::string get_configured_ip_allowlist()
This member function gets the textual representation of the list as provided to the configure member ...
Definition: gcs_xcom_networking.h:349
bool do_check_block(struct sockaddr_storage *sa, site_def const *xcom_config) const
Definition: gcs_xcom_networking.cc:896
Gcs_ip_allowlist & operator=(Gcs_ip_allowlist const &)
Gcs_ip_allowlist()
Definition: gcs_xcom_networking.h:295
bool shall_block(const std::string &ip_addr, site_def const *xcom_config=nullptr)
This member function SHALL return true if the given IP is to be blocked, false otherwise.
Definition: gcs_xcom_networking.cc:982
static const std::string DEFAULT_ALLOWLIST
Definition: gcs_xcom_networking.h:256
bool do_check_block_allowlist(std::vector< unsigned char > const &incoming_octets) const
Definition: gcs_xcom_networking.cc:791
virtual ~Gcs_ip_allowlist()
Definition: gcs_xcom_networking.cc:766
void clear()
Clears the contents of this Allowlist object.
Definition: gcs_xcom_networking.cc:757
bool configure(const std::string &the_list)
This member function shall be used to configure the allowlist.
Definition: gcs_xcom_networking.cc:637
std::string m_original_list
This is the list that originally submitted to be parsed and to configure the allowlist.
Definition: gcs_xcom_networking.h:292
bool add_address(std::string addr, std::string mask)
Definition: gcs_xcom_networking.cc:768
std::atomic_flag m_atomic_guard
An atomic lock to guard the ip allowlist.
Definition: gcs_xcom_networking.h:382
bool is_valid(const std::string &the_list)
This member function shall be used to validate the list that is used as input to the configure member...
Definition: gcs_xcom_networking.cc:583
Definition: gcs_xcom_networking.h:68
Gcs_sock_probe_interface_impl()
Definition: gcs_xcom_networking.h:70
Gcs_sock_probe_interface_impl & operator=(Gcs_sock_probe_interface_impl &&)=default
void close_sock_probe(sock_probe *s) override
Definition: gcs_xcom_networking.cc:473
Gcs_sock_probe_interface_impl(Gcs_sock_probe_interface_impl &)=default
void get_sockaddr_netmask(sock_probe *s, int count, struct sockaddr **out) override
Definition: gcs_xcom_networking.cc:465
void get_sockaddr_address(sock_probe *s, int count, struct sockaddr **out) override
Definition: gcs_xcom_networking.cc:460
~Gcs_sock_probe_interface_impl() override=default
int number_of_interfaces(sock_probe *s) override
Definition: gcs_xcom_networking.cc:456
Gcs_sock_probe_interface_impl & operator=(const Gcs_sock_probe_interface_impl &)=default
char * get_if_name(sock_probe *s, int count) override
Definition: gcs_xcom_networking.cc:469
Gcs_sock_probe_interface_impl(Gcs_sock_probe_interface_impl &&)=default
bool_t is_if_running(sock_probe *s, int count) override
Definition: gcs_xcom_networking.cc:477
int init_sock_probe(sock_probe *s) override
Definition: gcs_xcom_networking.cc:452
Interface to decouple XCom sock_probe implementation to allow unit testing.
Definition: gcs_xcom_networking.h:41
Gcs_sock_probe_interface(Gcs_sock_probe_interface &)=default
virtual int init_sock_probe(sock_probe *s)=0
virtual char * get_if_name(sock_probe *s, int count)=0
Gcs_sock_probe_interface & operator=(const Gcs_sock_probe_interface &)=default
Gcs_sock_probe_interface & operator=(Gcs_sock_probe_interface &&)=default
virtual int number_of_interfaces(sock_probe *s)=0
virtual void close_sock_probe(sock_probe *s)=0
Gcs_sock_probe_interface(Gcs_sock_probe_interface &&)=default
virtual ~Gcs_sock_probe_interface()=default
virtual void get_sockaddr_address(sock_probe *s, int count, struct sockaddr **out)=0
virtual bool_t is_if_running(sock_probe *s, int count)=0
Gcs_sock_probe_interface()=default
virtual void get_sockaddr_netmask(sock_probe *s, int count, struct sockaddr **out)=0
bool resolve_ip_addr_from_hostname(std::string name, std::vector< std::string > &ip)
This function translates hostname to all possible IP addresses.
Definition: gcs_xcom_networking.cc:257
bool get_local_addresses(Gcs_sock_probe_interface &sock_probe, std::map< std::string, int > &out, bool filter_out_inactive=false)
This function gets all network addresses on this host and their subnet masks as a string.
Definition: gcs_xcom_networking.cc:92
bool get_local_private_addresses(std::map< std::string, int > &out, bool filter_out_inactive=false)
This function gets all private network addresses and their subnet masks as a string.
Definition: gcs_xcom_networking.cc:208
bool get_address_for_allowlist(std::string addr, std::string mask, std::pair< std::vector< unsigned char >, std::vector< unsigned char > > &out_pair)
Converts an address in string format (X.X.X.X/XX) into network octet format.
Definition: gcs_xcom_networking.cc:704
bool resolve_all_ip_addr_from_hostname(std::string name, std::vector< std::pair< sa_family_t, std::string > > &ips)
This function translates hostnames to all possible IP addresses.
Definition: gcs_xcom_networking.cc:299
static mi_bit_type mask[]
Definition: mi_packrec.cc:140
static int count
Definition: myisam_ftdump.cc:44
std::vector< T, ut::allocator< T > > vector
Specialization of vector which uses allocator.
Definition: ut0new.h:2873
struct sockaddr sockaddr
Definition: sock_probe_win32.h:62
case opt name
Definition: sslopt-case.h:32
Definition: gcs_xcom_networking.h:207
bool operator()(const Gcs_ip_allowlist_entry *lhs, const Gcs_ip_allowlist_entry *rhs) const
Definition: gcs_xcom_networking.h:208
Definition: site_struct.h:42
Definition: sock_probe_ix.h:53
__u_short u_short
Definition: types.h:71
int bool_t
Definition: types.h:34