MySQL 9.3.0
Source Code Documentation
gcs_xcom_networking.h
Go to the documentation of this file.
1/* Copyright (c) 2016, 2025, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef GCS_XCOM_NETWORKING_H
25#define GCS_XCOM_NETWORKING_H
26
27#include <map>
28#include <string>
29#include <vector>
30
33
34#ifdef _WIN32
35typedef u_short sa_family_t;
36#endif
37
38/**
39 * @brief Interface to decouple XCom sock_probe implementation to allow
40 * unit testing.
41 */
43 public:
45 virtual ~Gcs_sock_probe_interface() = default;
46
47 virtual int init_sock_probe(sock_probe *s) = 0;
48 virtual int number_of_interfaces(sock_probe *s) = 0;
50 struct sockaddr **out) = 0;
52 struct sockaddr **out) = 0;
53 virtual char *get_if_name(sock_probe *s, int count) = 0;
54 virtual bool_t is_if_running(sock_probe *s, int count) = 0;
55 virtual void close_sock_probe(sock_probe *s) = 0;
56
59 default; // move constructor must be explicit because copy is
61 default;
63 default; // move assignment must be explicit because move is
64};
65
66/**
67 * @brief Implementation of @class Gcs_sock_probe_interface
68 */
70 public:
72 ~Gcs_sock_probe_interface_impl() override = default;
73
74 int init_sock_probe(sock_probe *s) override;
75 int number_of_interfaces(sock_probe *s) override;
77 struct sockaddr **out) override;
79 struct sockaddr **out) override;
80 char *get_if_name(sock_probe *s, int count) override;
81 bool_t is_if_running(sock_probe *s, int count) override;
82 void close_sock_probe(sock_probe *s) override;
83
86 default; // move constructor must be explicit because copy is
88 const Gcs_sock_probe_interface_impl &) = default;
90 default; // move assignment must be explicit because move is
91};
92
93/**
94 This function gets all network addresses on this host and their
95 subnet masks as a string.
96
97 @param[out] sock_probe Socket probe interface
98 @param[out] out maps IP addresses to subnetmasks
99 @param filter_out_inactive If set to true, only active interfaces will be
100 added to out
101 @return false on success, true otherwise.
102 */
104 std::map<std::string, int> &out,
105 bool filter_out_inactive = false);
106
107/**
108 This function gets all private network addresses and their
109 subnet masks as a string. IPv4 only. (SOCK_STREAM only)
110 @param[out] out maps IP addresses to subnetmasks
111 @param filter_out_inactive If set to true, only active interfaces will be added
112 to out
113 @return false on success, true otherwise.
114 */
115bool get_local_private_addresses(std::map<std::string, int> &out,
116 bool filter_out_inactive = false);
117
118/**
119 This function translates hostnames to all possible IP addresses.
120
121 @param[in] name The hostname to translate.
122 @param[out] ips The IP addresses after translation.
123
124 @return false on success, true otherwise.
125 */
127 const std::string &name,
128 std::vector<std::pair<sa_family_t, std::string>> &ips);
129
130/**
131 This function translates hostname to all possible IP addresses.
132
133 @param[in] name The hostname to translate.
134 @param[out] ip The IP addresses after translation.
135
136 @return false on success, true otherwise.
137 */
138bool resolve_ip_addr_from_hostname(const std::string &name,
139 std::vector<std::string> &ip);
140
141/**
142 Converts an address in string format (X.X.X.X/XX) into network octet format
143
144 @param[in] addr IP address in X.X.X.X format
145 @param[in] mask Network mask associated with the address
146 @param[out] out_pair IP address and netmask, in binary format (network byte
147 order)
148
149 @return false on success, true otherwise.
150 */
151bool get_address_for_allowlist(const std::string &addr, const std::string &mask,
152 std::pair<std::vector<unsigned char>,
153 std::vector<unsigned char>> &out_pair);
154
155/**
156 @class Gcs_ip_allowlist_entry
157 @brief Base abstract class for the allowlist entries.
158
159 This is the base class for the Allowlist entries. Any derived class must
160 implement its two abstract methods:
161 - init_value();
162 - get_value();
163 */
165 public:
166 /**
167 Constructor
168
169 @param[in] addr IP address or hostname of this entry
170 @param[in] mask Network mask of this entry.
171 */
172 Gcs_ip_allowlist_entry(std::string addr, std::string mask);
173
174 virtual ~Gcs_ip_allowlist_entry() = default;
175
176 /**
177 Entry initialization.
178
179 If one needs to initialize internal values, it should be done in this
180 method.
181
182 @return false on success, true otherwise
183 */
184 virtual bool init_value() = 0;
185
186 /**
187 Virtual Method that implements value retrieval for this entry.
188
189 The returned value must be a list of std::pairs that contains both the
190 address and the mask in network octet value. This is in list format because
191 in the case of allowlist names, we can have multiple value for the same
192 entry
193
194 @return an std::vector of std::pair with ip and mask in network octet form
195 */
196 virtual std::vector<
197 std::pair<std::vector<unsigned char>, std::vector<unsigned char>>>
198 *get_value() = 0;
199
200 /** Getters */
201 std::string get_addr() const { return m_addr; }
202 std::string get_mask() const { return m_mask; }
203
204 private:
205 std::string m_addr;
206 std::string m_mask;
207};
208
211 const Gcs_ip_allowlist_entry *rhs) const {
212 // Check if addresses are different in content
213 if (lhs->get_addr() != rhs->get_addr()) { // Then compare only the
214 // addresses
215 return lhs->get_addr() < rhs->get_addr();
216 } else { // If addresses are equal, then compare the masks to untie.
217 return lhs->get_mask() < rhs->get_mask();
218 }
219 }
220};
221
222/**
223 @class Gcs_ip_allowlist_entry_ip
224 @brief Implementation of Gcs_ip_allowlist_entry to use with
225 raw IP addresses in format X.X.X.X/XX
226 */
228 public:
229 Gcs_ip_allowlist_entry_ip(std::string addr, std::string mask);
230
231 public:
232 bool init_value() override;
233 std::vector<std::pair<std::vector<unsigned char>, std::vector<unsigned char>>>
234 *get_value() override;
235
236 private:
237 std::pair<std::vector<unsigned char>, std::vector<unsigned char>> m_value;
238};
239
240/**
241 @class Gcs_ip_allowlist_entry_hostname
242 @brief Implementation of Gcs_ip_allowlist_entry to use with
243 hostnames
244 */
246 public:
247 Gcs_ip_allowlist_entry_hostname(std::string addr, std::string mask);
248 Gcs_ip_allowlist_entry_hostname(std::string addr);
249
250 public:
251 bool init_value() override;
252 std::vector<std::pair<std::vector<unsigned char>, std::vector<unsigned char>>>
253 *get_value() override;
254};
255
257 public:
258 static const std::string DEFAULT_ALLOWLIST;
259
260 private:
262 private:
263 /**
264 * @brief When true, it is locked. When false it is not.
265 */
266 std::atomic_flag &m_guard;
267
268 public:
269 Atomic_lock_guard(std::atomic_flag &guard) : m_guard(guard) {
270 // keep trying until it is unlocked, then lock
271 while (m_guard.test_and_set()) {
272 std::this_thread::yield();
273 }
274 }
275
277 };
278
279 private:
280 /*
281 The IP allowlist. It is a list of tuples Hexadecimal IP number
282 and subnet mask also in Hexadecimal. E.g.: 192.168.1.2/24 or 127.0.0.1/32.
283
284 This is for optimization purposes, so that we don't calculate the
285 values each time we want to check.
286 */
287 std::set<Gcs_ip_allowlist_entry *, Gcs_ip_allowlist_entry_pointer_comparator>
289
290 /**
291 This is the list that originally submitted to be parsed and to configure
292 the allowlist.
293 */
294 std::string m_original_list;
295
296 public:
298 m_atomic_guard.clear();
299 }
300 virtual ~Gcs_ip_allowlist();
301
302 /**
303 This member function shall be used to configure the allowlist.
304
305 @param the_list The list with IP addresses. This list is a comma separated
306 list formatted only with IP addresses and/or in the form of
307 a subnet range, e.g., IP/netbits.
308 @return true if the configuration failed, false otherwise.
309 */
310 bool configure(const std::string &the_list);
311
312 /**
313 This member function shall be used to validate the list that is used as
314 input to the configure member function.
315
316 @param the_list The list with IP addresses. This list is a comma separated
317 list formatted only with IP addresses and/or in the form of
318 a subnet range, e.g., IP/netbits.
319
320 @return true if the configuration failed, false otherwise.
321 */
322 bool is_valid(const std::string &the_list);
323
324 /**
325 This member function SHALL return true if the given IP is to be blocked,
326 false otherwise.
327
328 @param ip_addr a string representation of an IPv4 address.
329 @param xcom_config the latest XCom configuration.
330
331 @return true if the ip should be blocked, false otherwise.
332 */
333 bool shall_block(const std::string &ip_addr,
334 site_def const *xcom_config = nullptr);
335
336 /**
337 This member function SHALL return true if the IP of the given file
338 descriptor is to be blocked, false otherwise.
339
340 @param fd the file descriptor of the accepted socket to check.
341 @param xcom_config the latest XCom configuration.
342
343 @return true if the ip should be blocked, false otherwise.
344 */
345 bool shall_block(int fd, site_def const *xcom_config = nullptr);
346
347 /**
348 This member function gets the textual representation of the list as
349 provided to the configure member function.
350 */
351 const std::string get_configured_ip_allowlist() {
352 // lock the list
354 return m_original_list;
355 }
356
357 /**
358 A string representation of the internal list of IP addresses. Can have
359 more addresses than those submitted through the configure member
360 function, since there are addresses that are implicitly added when
361 configuring the list.
362 */
363 std::string to_string() const;
364
365 private:
366 bool do_check_block(struct sockaddr_storage *sa,
367 site_def const *xcom_config) const;
369 std::vector<unsigned char> const &incoming_octets) const;
370 bool do_check_block_xcom(std::vector<unsigned char> const &incoming_octets,
371 site_def const *xcom_config) const;
372 bool add_address(const std::string &addr, const std::string &mask);
373
374 /**
375 @brief Clears the contents of this Allowlist object.
376
377 It deletes all entries and clears the internal set.
378 */
379 void clear();
380
381 /**
382 * @brief An atomic lock to guard the ip allowlist.
383 */
384 std::atomic_flag m_atomic_guard;
385
386 private:
389};
390
391#endif /* GCS_XCOM_NETWORKING_H */
Definition: gcs_xcom_networking.h:261
Atomic_lock_guard(std::atomic_flag &guard)
Definition: gcs_xcom_networking.h:269
std::atomic_flag & m_guard
When true, it is locked.
Definition: gcs_xcom_networking.h:266
~Atomic_lock_guard()
Definition: gcs_xcom_networking.h:276
Implementation of Gcs_ip_allowlist_entry to use with hostnames.
Definition: gcs_xcom_networking.h:245
Gcs_ip_allowlist_entry_hostname(std::string addr, std::string mask)
Definition: gcs_xcom_networking.cc:512
std::vector< std::pair< std::vector< unsigned char >, std::vector< unsigned char > > > * get_value() override
Virtual Method that implements value retrieval for this entry.
Definition: gcs_xcom_networking.cc:523
bool init_value() override
Entry initialization.
Definition: gcs_xcom_networking.cc:520
Implementation of Gcs_ip_allowlist_entry to use with raw IP addresses in format X....
Definition: gcs_xcom_networking.h:227
bool init_value() override
Entry initialization.
Definition: gcs_xcom_networking.cc:499
Gcs_ip_allowlist_entry_ip(std::string addr, std::string mask)
Definition: gcs_xcom_networking.cc:495
std::vector< std::pair< std::vector< unsigned char >, std::vector< unsigned char > > > * get_value() override
Virtual Method that implements value retrieval for this entry.
Definition: gcs_xcom_networking.cc:506
std::pair< std::vector< unsigned char >, std::vector< unsigned char > > m_value
Definition: gcs_xcom_networking.h:237
Base abstract class for the allowlist entries.
Definition: gcs_xcom_networking.h:164
virtual ~Gcs_ip_allowlist_entry()=default
std::string m_mask
Definition: gcs_xcom_networking.h:206
std::string m_addr
Definition: gcs_xcom_networking.h:205
virtual bool init_value()=0
Entry initialization.
std::string get_mask() const
Definition: gcs_xcom_networking.h:202
virtual std::vector< std::pair< std::vector< unsigned char >, std::vector< unsigned char > > > * get_value()=0
Virtual Method that implements value retrieval for this entry.
std::string get_addr() const
Getters.
Definition: gcs_xcom_networking.h:201
Gcs_ip_allowlist_entry(std::string addr, std::string mask)
Constructor.
Definition: gcs_xcom_networking.cc:491
Definition: gcs_xcom_networking.h:256
bool do_check_block_xcom(std::vector< unsigned char > const &incoming_octets, site_def const *xcom_config) const
Definition: gcs_xcom_networking.cc:832
std::set< Gcs_ip_allowlist_entry *, Gcs_ip_allowlist_entry_pointer_comparator > m_ip_allowlist
Definition: gcs_xcom_networking.h:288
std::string to_string() const
A string representation of the internal list of IP addresses.
Definition: gcs_xcom_networking.cc:573
Gcs_ip_allowlist(Gcs_ip_allowlist const &)
const std::string get_configured_ip_allowlist()
This member function gets the textual representation of the list as provided to the configure member ...
Definition: gcs_xcom_networking.h:351
bool do_check_block(struct sockaddr_storage *sa, site_def const *xcom_config) const
Definition: gcs_xcom_networking.cc:901
Gcs_ip_allowlist & operator=(Gcs_ip_allowlist const &)
Gcs_ip_allowlist()
Definition: gcs_xcom_networking.h:297
bool shall_block(const std::string &ip_addr, site_def const *xcom_config=nullptr)
This member function SHALL return true if the given IP is to be blocked, false otherwise.
Definition: gcs_xcom_networking.cc:987
static const std::string DEFAULT_ALLOWLIST
Definition: gcs_xcom_networking.h:258
bool do_check_block_allowlist(std::vector< unsigned char > const &incoming_octets) const
Definition: gcs_xcom_networking.cc:795
bool add_address(const std::string &addr, const std::string &mask)
Definition: gcs_xcom_networking.cc:771
virtual ~Gcs_ip_allowlist()
Definition: gcs_xcom_networking.cc:769
void clear()
Clears the contents of this Allowlist object.
Definition: gcs_xcom_networking.cc:761
bool configure(const std::string &the_list)
This member function shall be used to configure the allowlist.
Definition: gcs_xcom_networking.cc:641
std::string m_original_list
This is the list that originally submitted to be parsed and to configure the allowlist.
Definition: gcs_xcom_networking.h:294
std::atomic_flag m_atomic_guard
An atomic lock to guard the ip allowlist.
Definition: gcs_xcom_networking.h:384
bool is_valid(const std::string &the_list)
This member function shall be used to validate the list that is used as input to the configure member...
Definition: gcs_xcom_networking.cc:587
Definition: gcs_xcom_networking.h:69
Gcs_sock_probe_interface_impl()
Definition: gcs_xcom_networking.h:71
Gcs_sock_probe_interface_impl & operator=(Gcs_sock_probe_interface_impl &&)=default
void close_sock_probe(sock_probe *s) override
Definition: gcs_xcom_networking.cc:474
Gcs_sock_probe_interface_impl(Gcs_sock_probe_interface_impl &)=default
void get_sockaddr_netmask(sock_probe *s, int count, struct sockaddr **out) override
Definition: gcs_xcom_networking.cc:466
void get_sockaddr_address(sock_probe *s, int count, struct sockaddr **out) override
Definition: gcs_xcom_networking.cc:461
~Gcs_sock_probe_interface_impl() override=default
int number_of_interfaces(sock_probe *s) override
Definition: gcs_xcom_networking.cc:457
Gcs_sock_probe_interface_impl & operator=(const Gcs_sock_probe_interface_impl &)=default
char * get_if_name(sock_probe *s, int count) override
Definition: gcs_xcom_networking.cc:470
Gcs_sock_probe_interface_impl(Gcs_sock_probe_interface_impl &&)=default
bool_t is_if_running(sock_probe *s, int count) override
Definition: gcs_xcom_networking.cc:478
int init_sock_probe(sock_probe *s) override
Definition: gcs_xcom_networking.cc:453
Interface to decouple XCom sock_probe implementation to allow unit testing.
Definition: gcs_xcom_networking.h:42
Gcs_sock_probe_interface(Gcs_sock_probe_interface &)=default
virtual int init_sock_probe(sock_probe *s)=0
virtual char * get_if_name(sock_probe *s, int count)=0
Gcs_sock_probe_interface & operator=(const Gcs_sock_probe_interface &)=default
Gcs_sock_probe_interface & operator=(Gcs_sock_probe_interface &&)=default
virtual int number_of_interfaces(sock_probe *s)=0
virtual void close_sock_probe(sock_probe *s)=0
Gcs_sock_probe_interface(Gcs_sock_probe_interface &&)=default
virtual ~Gcs_sock_probe_interface()=default
virtual void get_sockaddr_address(sock_probe *s, int count, struct sockaddr **out)=0
virtual bool_t is_if_running(sock_probe *s, int count)=0
Gcs_sock_probe_interface()=default
virtual void get_sockaddr_netmask(sock_probe *s, int count, struct sockaddr **out)=0
bool get_local_addresses(Gcs_sock_probe_interface &sock_probe, std::map< std::string, int > &out, bool filter_out_inactive=false)
This function gets all network addresses on this host and their subnet masks as a string.
Definition: gcs_xcom_networking.cc:95
bool resolve_all_ip_addr_from_hostname(const std::string &name, std::vector< std::pair< sa_family_t, std::string > > &ips)
This function translates hostnames to all possible IP addresses.
Definition: gcs_xcom_networking.cc:302
bool get_local_private_addresses(std::map< std::string, int > &out, bool filter_out_inactive=false)
This function gets all private network addresses and their subnet masks as a string.
Definition: gcs_xcom_networking.cc:211
bool get_address_for_allowlist(const std::string &addr, const std::string &mask, std::pair< std::vector< unsigned char >, std::vector< unsigned char > > &out_pair)
Converts an address in string format (X.X.X.X/XX) into network octet format.
Definition: gcs_xcom_networking.cc:708
bool resolve_ip_addr_from_hostname(const std::string &name, std::vector< std::string > &ip)
This function translates hostname to all possible IP addresses.
Definition: gcs_xcom_networking.cc:260
static mi_bit_type mask[]
Definition: mi_packrec.cc:141
static int count
Definition: myisam_ftdump.cc:45
std::vector< T, ut::allocator< T > > vector
Specialization of vector which uses allocator.
Definition: ut0new.h:2876
struct sockaddr sockaddr
Definition: sock_probe_win32.h:63
case opt name
Definition: sslopt-case.h:29
Definition: gcs_xcom_networking.h:209
bool operator()(const Gcs_ip_allowlist_entry *lhs, const Gcs_ip_allowlist_entry *rhs) const
Definition: gcs_xcom_networking.h:210
Definition: site_struct.h:43
Definition: sock_probe_ix.h:54
__u_short u_short
Definition: types.h:72
int bool_t
Definition: types.h:35