1/* Copyright (c) 2021, 2023, Oracle and/or its affiliates.
2 This program is free software; you can redistribute it and/or modify
3 it under the terms of the GNU General Public License, version 2.0,
4 as published by the Free Software Foundation.
5
6 This program is also distributed with certain software (including
7 but not limited to OpenSSL) that is licensed under separate terms,
8 as designated in a particular file or component or in included license
9 documentation. The authors of MySQL hereby grant you an additional
10 permission to link the program and your derivative works with the
11 separately licensed software that they have included with MySQL.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License, version 2.0, for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
21
22#ifndef SQL_MFA_INCLUDED
23#define SQL_MFA_INCLUDED
24
25#include <string>
26#include <vector>
27
28#include "sql-common/json_dom.h" // Json_array
29#include "sql/auth/user_table.h"
31#include "sql/sql_class.h"
32#include "sql/table.h"
33
35
38
39/**
40 An interface to access information about Multi factor authentication
41 methods. This interface represents a chain of authentication plugins
42 for a given user account.
43*/
45 public:
/**
  Factors are held through I_multi_factor_auth pointers
  (Multi_factor_auth_list keeps a my_vector<I_multi_factor_auth *>), so the
  destructor is virtual to allow (presumably) polymorphic destruction of a
  concrete factor via the interface pointer.
*/
virtual ~I_multi_factor_auth() = default;
/**
  Helper method to verify an ALTER USER statement that alters Multi factor
  authentication methods: may the factor(s) it names be applied on top of
  what is already stored for the account?

  Base-class default: returns false without inspecting anything.
  Multi_factor_auth_list overrides this with the real comparison against
  the factors present in ACL_USER (see sql_mfa.cc).

  @param thd   Current thread (unused in the default implementation).
  @param user  Account being altered (unused in the default implementation).
  @retval false Always, in this default implementation. Confirm the meaning
                of the boolean against the override's callers before reading
                it as "not allowed".
*/
virtual bool is_alter_allowed(THD * /* thd */, LEX_USER * /* user */) {
  return false;
}
/**
  Helper method to update this interface based on an ALTER USER statement.
  Intentionally a no-op in the base interface; Multi_factor_auth_list
  overrides it (see sql_mfa.cc).

  @param other  Factor carrying the ALTER USER changes (unused here).
*/
virtual void alter_mfa(I_multi_factor_auth * /* other */) {
  // Nothing to do for the base interface.
}
/**
  Helper method to validate Multi factor authentication methods, i.e. the
  authentication plugin(s) making up this factor chain.

  Per the implementations in sql_mfa.cc this runs while processing
  CREATE/ALTER USER, before user_attributes in mysql.user is written.

  @param thd  Current thread.
  @return bool; MySQL's usual convention is true on error — confirm against
          the callers in sql_mfa.cc.
*/
virtual bool validate_plugins_in_auth_chain(THD *thd) = 0;
/**
  Helper method to validate that the Multi factor authentication methods
  are correct compared to the server's authentication policy.

  The base-class default performs no check and returns false; only
  Multi_factor_auth_list overrides it (see sql_mfa.cc). Under the usual
  MySQL true-on-error convention this default reads as "no policy
  violation", so a factor type that does not override it is never rejected
  by policy — confirm that is intended for any new I_multi_factor_auth
  subclass.

  @param thd  Current thread (unused in the default implementation).
  @retval false Always, in this default implementation.
*/
virtual bool validate_against_authentication_policy(THD * /* thd */) {
  return false;
}
/**
  Method to add/delete Multi factor authentication methods in the
  user_attributes column of mysql.user (see the implementations in
  sql_mfa.cc).

  @return bool; MySQL's usual convention is true on error — confirm against
          the callers in sql_mfa.cc.
*/
virtual bool update_user_attributes() = 0;
/**
  Append a factor to the chain. Intentionally a no-op in the base
  interface; Multi_factor_auth_list overrides it (see sql_mfa.cc).

  @param factor  Factor to add (unused here).
*/
virtual void add_factor(I_multi_factor_auth * /* factor */) {
  // Intentionally empty.
}
/**
  Helper methods to convert this interface into a valid JSON object
  and vice versa.

  serialize() writes this factor into @p mfa_arr (non-const, so presumably
  appended to — the JSON array kept in user_attributes). deserialize()
  rebuilds the factor from @p mfa_dom; @p f is presumably the factor
  number — confirm against sql_mfa.cc. The JSON is server-written but is
  read back from the mysql.user table; Multi_factor_auth_info::validate_row()
  exists to check rows read from that table — confirm that deserialized
  values go through it before they are acted on.

  @return bool; MySQL's usual convention is true on error — confirm against
          the callers in sql_mfa.cc.
*/
virtual bool serialize(Json_array &mfa_arr) = 0;
virtual bool deserialize(uint f, Json_dom *mfa_dom) = 0;
/**
  Helper methods to do registration step.

  init_registration() initiates the step (the sql_mfa.cc implementation
  also produces the server challenge returned by get_server_challenge());
  finish_registration() completes it for the given user (the sql_mfa.cc
  implementation reads the credential details received from the FIDO
  device and saves them in user_attributes). is_passwordless() reports
  whether the registration is for a passwordless authentication method.
  The uint argument is presumably the factor number (compare deserialize's
  `uint f`) — confirm against sql_mfa.cc.

  @return bool; MySQL's usual convention is true on error — confirm against
          the callers in sql_mfa.cc.
*/
virtual bool init_registration(THD *, uint) = 0;
virtual bool finish_registration(THD *, LEX_USER *, uint) = 0;
virtual bool is_passwordless() = 0;
80
/**
  Fill needed info in LEX_USER::mfa_list for query rewrite (the
  Multi_factor_auth_info implementation fills in missing details such as
  plugin name or authentication string, see sql_mfa.cc).
*/
virtual void get_info_for_query_rewrite(THD *, LEX_USER *) = 0;
/**
  Fill in generated passwords from respective Multi factor authentication
  methods (IDENTIFIED BY RANDOM PASSWORD, see sql_mfa.cc). Entries are
  added to @p gp for user @p u and host @p h; presumably these are the
  cleartext random passwords handed back to the client — handle the list
  accordingly.
*/
virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u,
                                     const char *h) = 0;
/**
  Fill in server challenge generated as part of initiate registration step
  (randomly generated, per the sql_mfa.cc implementation).
*/
virtual void get_server_challenge(std::vector<std::string> &sc) = 0;
95 /**
96 Get methods.
97 */
99 return down_cast<Multi_factor_auth_list *>(this);
100 }
101
103 return down_cast<Multi_factor_auth_info *>(this);
104 }
105};
106
/// std::vector whose storage is carved out of a MEM_ROOT arena via
/// Mem_root_allocator; presumably released with the arena rather than
/// element by element — confirm Mem_root_allocator semantics.
template <typename T>
using my_vector = std::vector<T, Mem_root_allocator<T>>;
109
111 private:
112 /* multi_factor_auth hierarchy */
114
public:
  /** Defined in sql_mfa.cc; see there for how the contained factors are released. */
  ~Multi_factor_auth_list() override;
  /** Number of entries in the factor chain. */
  size_t get_mfa_list_size();
  /** Compares the factors stored in ACL_USER against the new factor from ALTER USER. */
  bool is_alter_allowed(THD *, LEX_USER *) override;
  /** Modifies the chain based on ALTER USER. */
  void alter_mfa(I_multi_factor_auth *) override;
  /** Validates the plugin chain before user_attributes in mysql.user is updated. */
  bool validate_plugins_in_auth_chain(THD *thd) override;
  bool update_user_attributes() override;
  void add_factor(I_multi_factor_auth *m) override;
  bool serialize(Json_array &mfa_arr) override;
  bool deserialize(uint f, Json_dom *mfa_dom) override;
  /** Registration step delegated to the individual factors (see sql_mfa.cc). */
  bool init_registration(THD *, uint) override;
  bool finish_registration(THD *, LEX_USER *, uint) override;
  /** Whether the registration step is for a passwordless authentication method. */
  bool is_passwordless() override;
  void get_info_for_query_rewrite(THD *, LEX_USER *) override;
  /** Collects generated passwords from the factors in the chain. */
  void get_generated_passwords(Userhostpassword_list &gp, const char *u,
                               const char *h) override;
  /** Collects the server challenge(s) produced by init_registration. */
  void get_server_challenge(std::vector<std::string> &sc) override;
135
private:
  /*
    This method ensures that the hierarchy of m_factor is always
    2FA followed by 3FA, i.e. it orders the nth-factor entries so the
    2nd factor precedes the 3rd (see sql_mfa.cc).
  */
  void sort_mfa();
142};
143
144/*
145 This class represents each individual factor from chain of
146 authentication plugins for a given user account.
147*/
149 private:
153
154 public:
/* validate Multi factor authentication plugins during ACL DDL
   (checks the nth factor plugin during ALTER/CREATE USER, see sql_mfa.cc) */
bool validate_plugins_in_auth_chain(THD *thd) override;
/* update user attributes (User_attributes column in mysql.user) */
bool update_user_attributes() override;
/* construct json object out of user attributes column, and the reverse:
   deserialize() reads this factor back from the stored JSON */
bool serialize(Json_array &mfa_arr) override;
bool deserialize(uint f, Json_dom *mfa_dom) override;
/* helper methods to do registration: init_registration() initiates the
   step, finish_registration() saves the credential details received from
   the FIDO device into user_attributes (see sql_mfa.cc) */
bool init_registration(THD *, uint) override;
bool finish_registration(THD *, LEX_USER *, uint) override;
bool is_passwordless() override;
/* fills in missing plugin name / authentication string for query rewrite */
void get_info_for_query_rewrite(THD *, LEX_USER *) override;
/* randomly generated passwords for IDENTIFIED BY RANDOM PASSWORD */
void get_generated_passwords(Userhostpassword_list &gp, const char *u,
                             const char *h) override;
/* randomly generated server challenge from init_registration */
void get_server_challenge(std::vector<std::string> &sc) override;
173
174 /* during ALTER USER copy attributes from ACL_USER */
176
177 private:
/*
  validate Multi factor authentication attributes read from row of
  mysql.user table. Per sql_mfa.cc this covers the case where
  user_attributes was modified in the table itself, so the stored plugin
  chain is not trusted unchecked.
*/
bool validate_row();
183
184 public:
/* which clause this factor was given with (see sql_mfa.cc) */
bool is_identified_by();
bool is_identified_with();

/* authentication string and its length */
const char *get_auth_str();
size_t get_auth_str_len();

/* authentication plugin name and its length */
const char *get_plugin_str();
size_t get_plugin_str_len();

/* password produced for IDENTIFIED BY RANDOM PASSWORD */
const char *get_generated_password_str();

/* which factor (2nd/3rd) this object describes and the ALTER USER action */
unsigned int get_nth_factor();
bool is_add_factor();
bool is_drop_factor();
bool is_modify_factor();

bool get_unregister();

/*
  Setters take (pointer, length) pairs. Whether the bytes are copied into
  m_mem_root or merely referenced is decided in sql_mfa.cc — confirm before
  passing a buffer that is shorter-lived than this object.
*/
void set_auth_str(const char *, size_t);
void set_plugin_str(const char *, size_t);
void set_generated_password(const char *, size_t);
void set_factor(nthfactor f);
/* NOTE(review): set_passwordless/set_requires_registration take int while
   set_init_registration/set_finish_registration take bool — presumably a
   tri-state or legacy signature; confirm the accepted values in sql_mfa.cc. */
void set_passwordless(int v);
void set_init_registration(bool v);
void set_finish_registration(bool v);
void set_requires_registration(int v);

/* SQL text for the given command (see sql_mfa.cc) */
std::string get_command_string(enum_sql_command sql_command);
220};
221
222#endif /* SQL_MFA_INCLUDED */