MySQL 9.1.0
Source Code Documentation
http_auth_backend.h
Go to the documentation of this file.
1/*
2 Copyright (c) 2018, 2024, Oracle and/or its affiliates.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is designed to work with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have either included with
14 the program or referenced in the documentation.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24*/
25
26#ifndef ROUTER_HTTP_AUTH_BACKEND_INCLUDED
27#define ROUTER_HTTP_AUTH_BACKEND_INCLUDED
28
29#include <map>
30#include <string>
31#include <system_error>
32
33#include "my_rapidjson_size_t.h"
34
35#include <rapidjson/document.h>
36
37#include <sys/stat.h>
38#include <sys/types.h>
39
41
42/**
43 * Base class of all AuthBackends.
44 */
46 public:
47 HttpAuthBackend() = default;
48 HttpAuthBackend(const HttpAuthBackend &) = default;
52
53 /**
54 * authentication username with authdata against backend.
55 */
56 virtual std::error_code authenticate(const std::string &username,
57 const std::string &authdata) = 0;
58
59 /**
60 * destructor.
61 */
62 virtual ~HttpAuthBackend() = 0;
63};
64
65struct FileMeta {
66 using stat_res = std::pair<std::error_code, struct stat>;
67
68 FileMeta() : res{} {}
69 FileMeta(const std::string &filename) : res{stat(filename)} {}
70
71 /**
72 * calls the systems stat().
73 */
74 static stat_res stat(const std::string &filename);
75
77};
78
79/**
80 * check if a file was modified.
81 */
83 public:
84 FileModified() = default;
85 explicit FileModified(const FileMeta &meta) : meta_(meta) {}
86
87 /**
88 * check if two FileModified's are equal.
89 */
90 bool operator==(const FileModified &b) const;
91
92 private:
94};
95
96/**
97 * hashed key store.
98 *
99 * - each line contains username and auth-data, separated by colon
100 * - auth-data should be based on PHC
101 *
102 * PHC
103 * : `$<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]`
104 *
105 * id | name | supported
106 * -------------:|---------------|-----
107 * 1 | md5_crypt | never
108 * 2 | bcrypt | never
109 * 2a | bcrypt | no
110 * 2b | bcrypt | no
111 * 5 | sha256_crypt | yes
112 * 6 | sha512_crypt | yes
113 * pbkdf2-sha256 | pkbdf2_sha256 | no
114 * pbkdf2-sha512 | pkbdf2_sha512 | no
115 * scrypt | scrypt | no
116 * argon2 | argon2 | no
117 * bcrypt | bcrypt | no
118 *
119 * @see
120 * https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
121 */
123 : public HttpAuthBackend {
124 public:
125 using key_type = std::string;
126 using value_type = std::string;
127 using cache_type = std::string;
128
129 /**
130 * iterator
131 */
132 using iterator = std::map<key_type, value_type>::iterator;
133
134 /**
135 * const iterator
136 */
137 using const_iterator = std::map<key_type, value_type>::const_iterator;
138
139 /**
140 * replace cache with content from file.
141 */
142 std::error_code from_file(const std::string &filename);
143
144 /**
145 * replace cache with content of input-stream.
146 *
147 * @returns error-code
148 * @retval false when no error happened
149 */
150 std::error_code from_stream(std::istream &is);
151
152 /**
153 * write cache content to output-stream.
154 */
155 void to_stream(std::ostream &os);
156
157 /**
158 * remove username from credential cache.
159 */
160 size_t erase(const key_type &username) {
161 credentials_cache_.erase(username);
162 return credentials_.erase(username);
163 }
164
165 /**
166 * set username and password in cache.
167 *
168 * if username exists in cache, overwrite entry with password,
169 * otherwise create new entry for username
170 */
171 void set(const key_type &username, const value_type &authdata) {
172 auto res = credentials_.insert({username, authdata});
173 if (!res.second) {
174 auto elem_it = res.first;
175
176 elem_it->second = authdata;
177 }
178 }
179
180 /**
181 * find username in cache.
182 */
183 iterator find(const key_type &username) {
184 return credentials_.find(username);
185 }
186
187 /**
188 * find username in cache.
189 */
190 const_iterator find(const key_type &username) const {
191 return credentials_.find(username);
192 }
193
194 /**
195 * end iterator.
196 */
197 iterator end() noexcept { return credentials_.end(); }
198
199 /**
200 * const end iterator.
201 */
202 const_iterator end() const noexcept { return credentials_.end(); }
203
204 /**
205 * begin iterator.
206 */
207 iterator begin() noexcept { return credentials_.begin(); }
208
209 /**
210 * const begin iterator.
211 */
212 const_iterator begin() const noexcept { return credentials_.begin(); }
213
214 /**
215 * validate user and authdata against backend.
216 *
217 * @returns error
218 * @retval false no authentication error
219 */
220 std::error_code authenticate(const key_type &username,
221 const value_type &authdata) override;
222
223 private:
224 /**
225 * Calculate hash of plain-text password
226 *
227 * The hash generated by this function should be used at http basic
228 * authentication to speed up verification of the transferred credentials
229 * against account information stored in `passwd` file. There are no direct
230 * requirement how the hash should be calculated. Currently it uses following
231 * formula: HASH=SHA256(SHA256(plain-text-password)).
232 */
233 static std::string hash_password(const std::string &password);
234 std::error_code from_stream_(std::istream &is);
235
236 bool is_file_{false};
237 std::string filename_;
239
240 std::map<key_type, value_type> credentials_;
241 std::map<key_type, cache_type> credentials_cache_;
242};
243
244#endif
check if a file was modified.
Definition: http_auth_backend.h:82
FileModified(const FileMeta &meta)
Definition: http_auth_backend.h:85
FileModified()=default
bool operator==(const FileModified &b) const
check if two FileModified's are equal.
Definition: http_auth_backend.cc:70
FileMeta meta_
Definition: http_auth_backend.h:93
hashed key store.
Definition: http_auth_backend.h:123
iterator begin() noexcept
begin iterator.
Definition: http_auth_backend.h:207
std::string cache_type
Definition: http_auth_backend.h:127
const_iterator begin() const noexcept
const begin iterator.
Definition: http_auth_backend.h:212
const_iterator end() const noexcept
const end iterator.
Definition: http_auth_backend.h:202
iterator find(const key_type &username)
find username in cache.
Definition: http_auth_backend.h:183
const_iterator find(const key_type &username) const
find username in cache.
Definition: http_auth_backend.h:190
std::map< key_type, value_type > credentials_
Definition: http_auth_backend.h:240
size_t erase(const key_type &username)
remove username from credential cache.
Definition: http_auth_backend.h:160
std::string key_type
Definition: http_auth_backend.h:125
std::string value_type
Definition: http_auth_backend.h:126
void set(const key_type &username, const value_type &authdata)
set username and password in cache.
Definition: http_auth_backend.h:171
std::map< key_type, value_type >::iterator iterator
iterator
Definition: http_auth_backend.h:132
std::map< key_type, cache_type > credentials_cache_
Definition: http_auth_backend.h:241
iterator end() noexcept
end iterator.
Definition: http_auth_backend.h:197
FileModified file_meta_
Definition: http_auth_backend.h:238
std::string filename_
Definition: http_auth_backend.h:237
std::map< key_type, value_type >::const_iterator const_iterator
const iterator
Definition: http_auth_backend.h:137
Base class of all AuthBackends.
Definition: http_auth_backend.h:45
HttpAuthBackend(HttpAuthBackend &&)=default
HttpAuthBackend & operator=(const HttpAuthBackend &)=default
virtual ~HttpAuthBackend()=0
destructor.
HttpAuthBackend(const HttpAuthBackend &)=default
virtual std::error_code authenticate(const std::string &username, const std::string &authdata)=0
authentication username with authdata against backend.
HttpAuthBackend & operator=(HttpAuthBackend &&)=default
HttpAuthBackend()=default
#define HTTP_AUTH_BACKEND_LIB_EXPORT
Definition: http_auth_backend_lib_export.h:15
Define rapidjson::SizeType to be std::uint64_t.
static char * password
Definition: mysql_secure_installation.cc:58
uint16_t value_type
Definition: vt100.h:184
int key_type
Definition: method.h:38
const char * filename
Definition: pfs_example_component_population.cc:67
Definition: http_auth_backend.h:65
stat_res res
Definition: http_auth_backend.h:76
FileMeta()
Definition: http_auth_backend.h:68
std::pair< std::error_code, struct stat > stat_res
Definition: http_auth_backend.h:66
FileMeta(const std::string &filename)
Definition: http_auth_backend.h:69
static stat_res stat(const std::string &filename)
calls the systems stat().
Definition: http_auth_backend.cc:43