mysql-server/latest/sql__mfa_8h_source.html

/* Copyright (c) 2021, 2025, Oracle and/or its affiliates.

   This program is free software; you can redistribute it and/or modify

   it under the terms of the GNU General Public License, version 2.0,

   as published by the Free Software Foundation.


   This program is designed to work with certain software (including

   but not limited to OpenSSL) that is licensed under separate terms,

   as designated in a particular file or component or in included license

   documentation.  The authors of MySQL hereby grant you an additional

   permission to link the program and your derivative works with the

   separately licensed software that they have either included with

   the program or referenced in the documentation.


   This program is distributed in the hope that it will be useful,

   but WITHOUT ANY WARRANTY; without even the implied warranty of

   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

   GNU General Public License, version 2.0, for more details.


   You should have received a copy of the GNU General Public License

   along with this program; if not, write to the Free Software

   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */


#ifndef SQL_MFA_INCLUDED

#define SQL_MFA_INCLUDED


#include <string>

#include <vector>


#include "sql-common/json_dom.h"  // Json_array

#include "sql/auth/authentication_policy.h"

#include "sql/auth/user_table.h"

#include "sql/mem_root_allocator.h"

#include "sql/sql_class.h"

#include "sql/table.h"


enum class nthfactor { NONE = 1, SECOND_FACTOR, THIRD_FACTOR };


class Multi_factor_auth_list;

class Multi_factor_auth_info;


using server_challenge_info_vector =

    std::vector<std::pair<std::string, std::string>>;


/**

  An interface to access information about Multi factor authentication

  methods. This interface represents a chain of authentication plugins

  for a given user account.

*/

class I_multi_factor_auth {

 public:

  virtual ~I_multi_factor_auth() = default;

  /**

    Helper methods to verify and update ALTER USER sql

    when altering Multi factor authentication methods.

  */

  virtual bool is_alter_allowed(THD *, LEX_USER *) { return false; }

  virtual void alter_mfa(I_multi_factor_auth *) {}

  /**

    Helper method to validate Multi factor authentication methods.

  */

  virtual bool validate_plugins_in_auth_chain(

      THD *thd, const authentication_policy::Factors &policy_factors) = 0;

  /**

    Helper method to validate Multi factor authentication methods are

    correct compared to authentication policy.

  */

  virtual bool validate_against_authentication_policy(

      THD *, const authentication_policy::Factors &) {

    return false;

  }

  /**

    method to add/delete Multi factor authentication methods in user_attributes

    column.

  */

  virtual bool update_user_attributes() = 0;

  virtual void add_factor(I_multi_factor_auth *m [[maybe_unused]]) {}

  /**

    Helper methods to convert this interface into a valid JSON object

    and vice versa.

  */

  virtual bool serialize(Json_array &mfa_arr) = 0;

  virtual bool deserialize(uint f, Json_dom *mfa_dom) = 0;

  /**

    Helper methods to do registration step.

  */

  virtual bool init_registration(THD *, uint) = 0;

  virtual bool finish_registration(THD *, LEX_USER *, uint) = 0;

  virtual bool is_passwordless() = 0;


  /**

    Fill needed info in LEX_USER::mfa_list for query rewrite

  */

  virtual void get_info_for_query_rewrite(THD *, LEX_USER *) = 0;

  /**

    Fill in generated passwords from respective Multi factor authentication

    methods

  */

  virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u,

                                       const char *h) = 0;

  /**

    Fill in server challenge generated as part of initiate registration step.

  */

  virtual void get_server_challenge_info(server_challenge_info_vector &sc) = 0;

  /**

    Get methods.

  */

  Multi_factor_auth_list *get_multi_factor_auth_list() {

    return down_cast<Multi_factor_auth_list *>(this);

  }


  Multi_factor_auth_info *get_multi_factor_auth_info() {

    return down_cast<Multi_factor_auth_info *>(this);

  }

};


template <typename T>

using my_vector = std::vector<T, Mem_root_allocator<T>>;


class Multi_factor_auth_list : public I_multi_factor_auth {

 private:

  /* multi_factor_auth hierarchy */

  my_vector<I_multi_factor_auth *> m_factor;


 public:

  Multi_factor_auth_list(MEM_ROOT *);

  ~Multi_factor_auth_list() override;

  my_vector<I_multi_factor_auth *> &get_mfa_list();

  size_t get_mfa_list_size();

  bool is_alter_allowed(THD *, LEX_USER *) override;

  void alter_mfa(I_multi_factor_auth *) override;

  bool validate_plugins_in_auth_chain(

      THD *thd, const authentication_policy::Factors &policy_factors) override;

  bool validate_against_authentication_policy(

      THD *thd, const authentication_policy::Factors &policy_factors) override;

  bool update_user_attributes() override;

  void add_factor(I_multi_factor_auth *m) override;

  bool serialize(Json_array &mfa_arr) override;

  bool deserialize(uint f, Json_dom *mfa_dom) override;

  bool init_registration(THD *, uint) override;

  bool finish_registration(THD *, LEX_USER *, uint) override;

  bool is_passwordless() override;

  void get_info_for_query_rewrite(THD *, LEX_USER *) override;

  void get_generated_passwords(Userhostpassword_list &gp, const char *u,

                               const char *h) override;

  void get_server_challenge_info(server_challenge_info_vector &sc) override;


 private:

  /*

    This methods ensures that hierarchy of m_factor is always

    2FA followed by 3FA.

  */

  void sort_mfa();

};


/*

  This class represents each individual factor from chain of

  authentication plugins for a given user account.

*/

class Multi_factor_auth_info : public I_multi_factor_auth {

 private:

  MEM_ROOT *m_mem_root;

  LEX_MFA *m_multi_factor_auth;

  acl_table::Pod_user_what_to_update m_update;


 public:

  Multi_factor_auth_info(MEM_ROOT *mem_root);

  Multi_factor_auth_info(MEM_ROOT *mem_root, LEX_MFA *m);

  ~Multi_factor_auth_info() override {}

  /* validate Multi factor authentication plugins during ACL DDL */

  bool validate_plugins_in_auth_chain(

      THD *thd, const authentication_policy::Factors &policy_factors) override;

  /* update user attributes */

  bool update_user_attributes() override;

  /* construct json object out of user attributes column */

  bool serialize(Json_array &mfa_arr) override;

  bool deserialize(uint f, Json_dom *mfa_dom) override;

  /* helper methods to do registration */

  bool init_registration(THD *, uint) override;

  bool finish_registration(THD *, LEX_USER *, uint) override;

  bool is_passwordless() override;

  void get_info_for_query_rewrite(THD *, LEX_USER *) override;

  void get_generated_passwords(Userhostpassword_list &gp, const char *u,

                               const char *h) override;

  void get_server_challenge_info(server_challenge_info_vector &sc) override;


  /* during ALTER USER copy attributes from ACL_USER */

  Multi_factor_auth_info &operator=(Multi_factor_auth_info &new_af);


 private:

  /*

    validate Multi factor authentication attributes read from row of

    mysql.user table

  */

  bool validate_row();


 public:

  bool is_identified_by();

  bool is_identified_with();

  LEX_CSTRING &plugin_name();


  const char *get_auth_str();

  size_t get_auth_str_len();


  const char *get_plugin_str();

  size_t get_plugin_str_len();


  const char *get_generated_password_str();

  size_t get_generated_password_len();


  const char *get_client_plugin_str();

  size_t get_client_plugin_len();


  nthfactor get_factor();

  unsigned int get_nth_factor();

  bool is_add_factor();

  bool is_drop_factor();

  bool is_modify_factor();


  bool get_init_registration();

  bool get_finish_registration();

  bool get_requires_registration();

  bool get_unregister();

  LEX_MFA *get_lex_mfa();


  void set_auth_str(const char *, size_t);

  void set_plugin_str(const char *, size_t);

  void set_generated_password(const char *, size_t);

  void set_client_plugin(const char *, size_t);

  void set_factor(nthfactor f);

  void set_passwordless(int v);

  void set_init_registration(bool v);

  void set_finish_registration(bool v);

  void set_requires_registration(int v);


  std::string get_command_string(enum_sql_command sql_command);

};


#endif /* SQL_MFA_INCLUDED */

Userhostpassword_list
std::list< random_password_info > Userhostpassword_list
Definition: auth_common.h:1136

authentication_policy.h

I_multi_factor_auth
An interface to access information about Multi factor authentication methods.
Definition: sql_mfa.h:49

I_multi_factor_auth::finish_registration
virtual bool finish_registration(THD *, LEX_USER *, uint)=0

I_multi_factor_auth::validate_against_authentication_policy
virtual bool validate_against_authentication_policy(THD *, const authentication_policy::Factors &)
Helper method to validate Multi factor authentication methods are correct compared to authentication ...
Definition: sql_mfa.h:67

I_multi_factor_auth::is_alter_allowed
virtual bool is_alter_allowed(THD *, LEX_USER *)
Helper methods to verify and update ALTER USER sql when altering Multi factor authentication methods.
Definition: sql_mfa.h:56

I_multi_factor_auth::~I_multi_factor_auth
virtual ~I_multi_factor_auth()=default

I_multi_factor_auth::get_multi_factor_auth_info
Multi_factor_auth_info * get_multi_factor_auth_info()
Definition: sql_mfa.h:111

I_multi_factor_auth::get_generated_passwords
virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u, const char *h)=0
Fill in generated passwords from respective Multi factor authentication methods.

I_multi_factor_auth::get_server_challenge_info
virtual void get_server_challenge_info(server_challenge_info_vector &sc)=0
Fill in server challenge generated as part of initiate registration step.

I_multi_factor_auth::alter_mfa
virtual void alter_mfa(I_multi_factor_auth *)
Definition: sql_mfa.h:57

I_multi_factor_auth::add_factor
virtual void add_factor(I_multi_factor_auth *m)
Definition: sql_mfa.h:76

I_multi_factor_auth::validate_plugins_in_auth_chain
virtual bool validate_plugins_in_auth_chain(THD *thd, const authentication_policy::Factors &policy_factors)=0
Helper method to validate Multi factor authentication methods.

I_multi_factor_auth::init_registration
virtual bool init_registration(THD *, uint)=0
Helper methods to do registration step.

I_multi_factor_auth::deserialize
virtual bool deserialize(uint f, Json_dom *mfa_dom)=0

I_multi_factor_auth::is_passwordless
virtual bool is_passwordless()=0

I_multi_factor_auth::get_info_for_query_rewrite
virtual void get_info_for_query_rewrite(THD *, LEX_USER *)=0
Fill needed info in LEX_USER::mfa_list for query rewrite.

I_multi_factor_auth::update_user_attributes
virtual bool update_user_attributes()=0
method to add/delete Multi factor authentication methods in user_attributes column.

I_multi_factor_auth::serialize
virtual bool serialize(Json_array &mfa_arr)=0
Helper methods to convert this interface into a valid JSON object and vice versa.

I_multi_factor_auth::get_multi_factor_auth_list
Multi_factor_auth_list * get_multi_factor_auth_list()
Get methods.
Definition: sql_mfa.h:107

Json_array
Represents a JSON array container, i.e.
Definition: json_dom.h:513

Json_dom
JSON DOM abstract base class.
Definition: json_dom.h:172

Multi_factor_auth_info
Definition: sql_mfa.h:159

Multi_factor_auth_info::set_passwordless
void set_passwordless(int v)
Definition: sql_mfa.cc:1266

Multi_factor_auth_info::is_passwordless
bool is_passwordless() override
Definition: sql_mfa.cc:1218

Multi_factor_auth_info::is_modify_factor
bool is_modify_factor()
Definition: sql_mfa.cc:1214

Multi_factor_auth_info::update_user_attributes
bool update_user_attributes() override
Method to update User_attributes column in mysql.user table.
Definition: sql_mfa.cc:710

Multi_factor_auth_info::set_requires_registration
void set_requires_registration(int v)
Definition: sql_mfa.cc:1278

Multi_factor_auth_info::get_info_for_query_rewrite
void get_info_for_query_rewrite(THD *, LEX_USER *) override
This method will fill in missing details like plugin name or authentication string,...
Definition: sql_mfa.cc:1051

Multi_factor_auth_info::get_client_plugin_len
size_t get_client_plugin_len()
Definition: sql_mfa.cc:1190

Multi_factor_auth_info::set_client_plugin
void set_client_plugin(const char *, size_t)
Definition: sql_mfa.cc:1253

Multi_factor_auth_info::set_finish_registration
void set_finish_registration(bool v)
Definition: sql_mfa.cc:1274

Multi_factor_auth_info::get_auth_str
const char * get_auth_str()
Definition: sql_mfa.cc:1163

Multi_factor_auth_info::get_unregister
bool get_unregister()
Definition: sql_mfa.cc:1234

Multi_factor_auth_info::validate_plugins_in_auth_chain
bool validate_plugins_in_auth_chain(THD *thd, const authentication_policy::Factors &policy_factors) override
This method validates nth factor authentication plugin during ALTER/CREATE USER sql.
Definition: sql_mfa.cc:566

Multi_factor_auth_info::set_init_registration
void set_init_registration(bool v)
Definition: sql_mfa.cc:1270

Multi_factor_auth_info::is_identified_with
bool is_identified_with()
Definition: sql_mfa.cc:1155

Multi_factor_auth_info::get_server_challenge_info
void get_server_challenge_info(server_challenge_info_vector &sc) override
This method will return randomly generated server challenge as part of ALTER USER .
Definition: sql_mfa.cc:1125

Multi_factor_auth_info::get_auth_str_len
size_t get_auth_str_len()
Definition: sql_mfa.cc:1167

Multi_factor_auth_info::get_command_string
std::string get_command_string(enum_sql_command sql_command)
Definition: sql_mfa.cc:1282

Multi_factor_auth_info::get_nth_factor
unsigned int get_nth_factor()
Definition: sql_mfa.cc:1203

Multi_factor_auth_info::deserialize
bool deserialize(uint f, Json_dom *mfa_dom) override
Helper function to read details from Json object representing Multi factor authentication methods and...
Definition: sql_mfa.cc:766

Multi_factor_auth_info::Multi_factor_auth_info
Multi_factor_auth_info(MEM_ROOT *mem_root)
Definition: sql_mfa.cc:542

Multi_factor_auth_info::is_add_factor
bool is_add_factor()
Definition: sql_mfa.cc:1207

Multi_factor_auth_info::get_generated_password_len
size_t get_generated_password_len()
Definition: sql_mfa.cc:1175

Multi_factor_auth_info::get_requires_registration
bool get_requires_registration()
Definition: sql_mfa.cc:1230

Multi_factor_auth_info::m_mem_root
MEM_ROOT * m_mem_root
Definition: sql_mfa.h:161

Multi_factor_auth_info::m_update
acl_table::Pod_user_what_to_update m_update
Definition: sql_mfa.h:163

Multi_factor_auth_info::get_client_plugin_str
const char * get_client_plugin_str()
Definition: sql_mfa.cc:1186

Multi_factor_auth_info::get_finish_registration
bool get_finish_registration()
Definition: sql_mfa.cc:1226

Multi_factor_auth_info::finish_registration
bool finish_registration(THD *, LEX_USER *, uint) override
This method reads the credential details received from FIDO device and saves in user_attributes colum...
Definition: sql_mfa.cc:933

Multi_factor_auth_info::validate_row
bool validate_row()
Interface method to validate the auth plugin chain if user_attributes in mysql.user table is modified...
Definition: sql_mfa.cc:672

Multi_factor_auth_info::get_plugin_str
const char * get_plugin_str()
Definition: sql_mfa.cc:1179

Multi_factor_auth_info::set_plugin_str
void set_plugin_str(const char *, size_t)
Definition: sql_mfa.cc:1244

Multi_factor_auth_info::plugin_name
LEX_CSTRING & plugin_name()
Definition: sql_mfa.cc:1159

Multi_factor_auth_info::m_multi_factor_auth
LEX_MFA * m_multi_factor_auth
Definition: sql_mfa.h:162

Multi_factor_auth_info::get_generated_password_str
const char * get_generated_password_str()
Definition: sql_mfa.cc:1171

Multi_factor_auth_info::get_init_registration
bool get_init_registration()
Definition: sql_mfa.cc:1222

Multi_factor_auth_info::set_auth_str
void set_auth_str(const char *, size_t)
Definition: sql_mfa.cc:1240

Multi_factor_auth_info::get_plugin_str_len
size_t get_plugin_str_len()
Definition: sql_mfa.cc:1182

Multi_factor_auth_info::~Multi_factor_auth_info
~Multi_factor_auth_info() override
Definition: sql_mfa.h:168

Multi_factor_auth_info::is_identified_by
bool is_identified_by()
Definition: sql_mfa.cc:1152

Multi_factor_auth_info::init_registration
bool init_registration(THD *, uint) override
This method initiates registration step.
Definition: sql_mfa.cc:818

Multi_factor_auth_info::get_factor
nthfactor get_factor()
Definition: sql_mfa.cc:1194

Multi_factor_auth_info::serialize
bool serialize(Json_array &mfa_arr) override
Helper function to convert an instance of Multi_factor_auth_info into a JSON object.
Definition: sql_mfa.cc:731

Multi_factor_auth_info::is_drop_factor
bool is_drop_factor()
Definition: sql_mfa.cc:1211

Multi_factor_auth_info::set_generated_password
void set_generated_password(const char *, size_t)
Definition: sql_mfa.cc:1248

Multi_factor_auth_info::operator=
Multi_factor_auth_info & operator=(Multi_factor_auth_info &new_af)
Definition: sql_mfa.cc:1135

Multi_factor_auth_info::get_lex_mfa
LEX_MFA * get_lex_mfa()
Definition: sql_mfa.cc:1238

Multi_factor_auth_info::set_factor
void set_factor(nthfactor f)
Definition: sql_mfa.cc:1257

Multi_factor_auth_info::get_generated_passwords
void get_generated_passwords(Userhostpassword_list &gp, const char *u, const char *h) override
This method will return randomly generated passwords as part of IDENTIFIED BY RANDOM PASSWORD clause,...
Definition: sql_mfa.cc:1105

Multi_factor_auth_list
Definition: sql_mfa.h:119

Multi_factor_auth_list::validate_against_authentication_policy
bool validate_against_authentication_policy(THD *thd, const authentication_policy::Factors &policy_factors) override
This method checks the modified Multi factor authentication interface methods based on ALTER USER sql...
Definition: sql_mfa.cc:318

Multi_factor_auth_list::get_server_challenge_info
void get_server_challenge_info(server_challenge_info_vector &sc) override
Interface method to fill in generated server challenge from init registration step.
Definition: sql_mfa.cc:529

Multi_factor_auth_list::alter_mfa
void alter_mfa(I_multi_factor_auth *) override
This method modifies the Multi factor authentication interface based on ALTER USER sql.
Definition: sql_mfa.cc:206

Multi_factor_auth_list::add_factor
void add_factor(I_multi_factor_auth *m) override
Definition: sql_mfa.cc:1148

Multi_factor_auth_list::update_user_attributes
bool update_user_attributes() override
Interface method to update user_attributes.
Definition: sql_mfa.cc:400

Multi_factor_auth_list::validate_plugins_in_auth_chain
bool validate_plugins_in_auth_chain(THD *thd, const authentication_policy::Factors &policy_factors) override
Interface method to validate the auth plugin chain before updating the user_attributes in mysql....
Definition: sql_mfa.cc:385

Multi_factor_auth_list::Multi_factor_auth_list
Multi_factor_auth_list(MEM_ROOT *)
Definition: sql_mfa.cc:46

Multi_factor_auth_list::get_info_for_query_rewrite
void get_info_for_query_rewrite(THD *, LEX_USER *) override
Interface method to fill in Multi factor authentication method details during query rewrite.
Definition: sql_mfa.cc:498

Multi_factor_auth_list::deserialize
bool deserialize(uint f, Json_dom *mfa_dom) override
Interface method to convert a valid JSON object into this interface.
Definition: sql_mfa.cc:435

Multi_factor_auth_list::is_alter_allowed
bool is_alter_allowed(THD *, LEX_USER *) override
This method checks MFA methods present in ACL_USER against new factor specified as part of ALTER USER...
Definition: sql_mfa.cc:63

Multi_factor_auth_list::serialize
bool serialize(Json_array &mfa_arr) override
Interface method to convert this interface into a valid JSON object.
Definition: sql_mfa.cc:418

Multi_factor_auth_list::is_passwordless
bool is_passwordless() override
Interface method to check if registration step in for passwordless authentication method.
Definition: sql_mfa.cc:483

Multi_factor_auth_list::m_factor
my_vector< I_multi_factor_auth * > m_factor
Definition: sql_mfa.h:122

Multi_factor_auth_list::sort_mfa
void sort_mfa()
Helper method to sort nth factor methods in multi-factor authentication interface such that 2nd facto...
Definition: sql_mfa.cc:363

Multi_factor_auth_list::get_mfa_list
my_vector< I_multi_factor_auth * > & get_mfa_list()
Definition: sql_mfa.cc:536

Multi_factor_auth_list::init_registration
bool init_registration(THD *, uint) override
Interface method to initiate registration.
Definition: sql_mfa.cc:450

Multi_factor_auth_list::get_generated_passwords
void get_generated_passwords(Userhostpassword_list &gp, const char *u, const char *h) override
Interface method to fill in generated passwords from Multi factor authentication methods.
Definition: sql_mfa.cc:514

Multi_factor_auth_list::get_mfa_list_size
size_t get_mfa_list_size()
Definition: sql_mfa.cc:540

Multi_factor_auth_list::finish_registration
bool finish_registration(THD *, LEX_USER *, uint) override
Interface method to finish registration step.
Definition: sql_mfa.cc:468

Multi_factor_auth_list::~Multi_factor_auth_list
~Multi_factor_auth_list() override
Definition: sql_mfa.cc:49

THD
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:36

acl_table::Pod_user_what_to_update
Definition: user_table.h:47

mem_root
static MEM_ROOT mem_root
Definition: client_plugin.cc:114

json_dom.h
JSON DOM.

mem_root_allocator.h

enum_sql_command
enum_sql_command
Definition: my_sqlcommand.h:46

authentication_policy::Factors
std::vector< Factor > Factors
Type of container with authentication policy factors.
Definition: authentication_policy.h:135

table.h

sql_class.h

server_challenge_info_vector
std::vector< std::pair< std::string, std::string > > server_challenge_info_vector
Definition: sql_mfa.h:42

my_vector
std::vector< T, Mem_root_allocator< T > > my_vector
Definition: sql_mfa.h:117

nthfactor
nthfactor
Definition: sql_mfa.h:36

nthfactor::THIRD_FACTOR
@ THIRD_FACTOR

nthfactor::NONE
@ NONE

nthfactor::SECOND_FACTOR
@ SECOND_FACTOR

LEX_MFA
Definition: table.h:2662

LEX_USER
Definition: table.h:2771

MEM_ROOT
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:83

MYSQL_LEX_CSTRING
Definition: mysql_lex_string.h:40

user_table.h