sql_mfa.h
/* Copyright (c) 2021, 2023, Oracle and/or its affiliates.
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License, version 2.0,
 as published by the Free Software Foundation.

 This program is also distributed with certain software (including
 but not limited to OpenSSL) that is licensed under separate terms,
 as designated in a particular file or component or in included license
 documentation. The authors of MySQL hereby grant you an additional
 permission to link the program and your derivative works with the
 separately licensed software that they have included with MySQL.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License, version 2.0, for more details.

 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22#ifndef SQL_MFA_INCLUDED
23#define SQL_MFA_INCLUDED
24
25#include <string>
26#include <vector>
27
28#include "sql-common/json_dom.h" // Json_array
29#include "sql/auth/user_table.h"
31#include "sql/sql_class.h"
32#include "sql/table.h"
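/*
  NOTE(review): this rendering dropped the `nthfactor` enum declared just
  above (header line 34); its enumerators are not recoverable from this page.
  The two dropped lines that follow it are presumably the forward
  declarations below, which I_multi_factor_auth's get_* accessors need.
*/
class Multi_factor_auth_list;
class Multi_factor_auth_info;

/**
  Server challenge information produced by the registration step, as a
  list of string pairs. Filled in by
  I_multi_factor_auth::get_server_challenge_info(); what each member of a
  pair holds is not documented in this header.
*/
using server_challenge_info_vector =
    std::vector<std::pair<std::string, std::string>>;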
41
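/**
  An interface to access information about Multi factor authentication
  methods. This interface represents a chain of authentication plugins
  for a given user account.

  Implemented by Multi_factor_auth_list (the whole chain) and
  Multi_factor_auth_info (one factor of the chain); the two get_*
  accessors at the bottom convert to those concrete types.
*/
class I_multi_factor_auth {
 public:
  virtual ~I_multi_factor_auth() = default;
  /**
    Helper methods to verify and update ALTER USER sql
    when altering Multi factor authentication methods.

    The base implementations are inert: is_alter_allowed() returns false
    without looking at its arguments and alter_mfa() does nothing.
    Multi_factor_auth_list overrides both (it checks the MFA methods present
    in ACL_USER against the new factor given in ALTER USER). Whether the
    bool here means "permitted" or "error" is not stated in this header —
    TODO confirm against the override in sql_mfa.cc before relying on it.
  */
  virtual bool is_alter_allowed(THD *, LEX_USER *) { return false; }
  virtual void alter_mfa(I_multi_factor_auth *) {}
  /**
    Helper method to validate Multi factor authentication methods.
    Runs during ALTER/CREATE USER, before user_attributes in mysql.user
    is updated.
  */
  virtual bool validate_plugins_in_auth_chain(THD *thd) = 0;
  /**
    Helper method to validate Multi factor authentication methods are
    correct compared to authentication policy.
    The base implementation returns false without checking anything;
    Multi_factor_auth_list overrides it.
  */
  virtual bool validate_against_authentication_policy(THD *) { return false; }
  /**
    method to add/delete Multi factor authentication methods in user_attributes
    column.
  */
  virtual bool update_user_attributes() = 0;
  /** Add factor @p m to this object; the base implementation ignores it. */
  virtual void add_factor(I_multi_factor_auth *m [[maybe_unused]]) {}
  /**
    Helper methods to convert this interface into a valid JSON object
    and vice versa.

    @param mfa_arr  JSON array the factor details are written into
    @param f        presumably the factor number @p mfa_dom describes
    @param mfa_dom  JSON DOM read from the user_attributes column; the
                    Multi_factor_auth_info side validates what it read via
                    validate_row()
  */
  virtual bool serialize(Json_array &mfa_arr) = 0;
  virtual bool deserialize(uint f, Json_dom *mfa_dom) = 0;
  /**
    Helper methods to do registration step.

    init_registration() initiates the step (the generated server challenge
    is then available via get_server_challenge_info()); finish_registration()
    reads the credential details received from the FIDO device and saves
    them in the user_attributes column, so it is the point where
    client-supplied data is persisted.
  */
  virtual bool init_registration(THD *, uint) = 0;
  virtual bool finish_registration(THD *, LEX_USER *, uint) = 0;
  /** Whether the registration step is for a passwordless authentication method. */
  virtual bool is_passwordless() = 0;

  /**
    Fill needed info in LEX_USER::mfa_list for query rewrite
  */
  virtual void get_info_for_query_rewrite(THD *, LEX_USER *) = 0;
  /**
    Fill in generated passwords from respective Multi factor authentication
    methods (IDENTIFIED BY RANDOM PASSWORD). @p gp receives the generated
    password values themselves; @p u and @p h are presumably the user and
    host they belong to.
  */
  virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u,
                                       const char *h) = 0;
  /**
    Fill in server challenge generated as part of initiate registration step.
  */
  virtual void get_server_challenge_info(server_challenge_info_vector &sc) = 0;
  /**
    Get methods.
    down_cast is not defined in this file; presumably it is an unchecked
    downcast, so callers must already know which concrete type they hold —
    TODO confirm.
  */
  Multi_factor_auth_list *get_multi_factor_auth_list() {
    return down_cast<Multi_factor_auth_list *>(this);
  }

  Multi_factor_auth_info *get_multi_factor_auth_info() {
    return down_cast<Multi_factor_auth_info *>(this);
  }
};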
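/**
  Vector whose storage is obtained through Mem_root_allocator, i.e. carved
  out of a MEM_ROOT arena; presumably its storage is released with the
  arena rather than element by element — TODO confirm.
*/
template <typename T>
using my_vector = std::vector<T, Mem_root_allocator<T>>;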
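/**
  The whole chain of Multi factor authentication methods for one user
  account: a MEM_ROOT-backed list of I_multi_factor_auth factors. The
  overrides below are the chain-level counterparts of the per-factor
  Multi_factor_auth_info methods; their bodies are in sql_mfa.cc.
*/
class Multi_factor_auth_list : public I_multi_factor_auth {
 private:
  /*
    multi_factor_auth hierarchy. Raw pointers: the vector storage comes from
    a MEM_ROOT (my_vector) and the pointees are presumably arena allocated
    too, so nothing is deleted individually — TODO confirm against the
    destructor in sql_mfa.cc.
  */
  my_vector<I_multi_factor_auth *> m_factor;

 public:
  Multi_factor_auth_list(MEM_ROOT *);
  ~Multi_factor_auth_list() override;
  /* Direct access to the factors; sort_mfa() keeps them in 2FA, 3FA order. */
  my_vector<I_multi_factor_auth *> &get_mfa_list();
  size_t get_mfa_list_size();
  /*
    is_alter_allowed() checks the MFA methods present in ACL_USER against
    the new factor specified in ALTER USER; alter_mfa() then modifies this
    chain based on that ALTER USER.
  */
  bool is_alter_allowed(THD *, LEX_USER *) override;
  void alter_mfa(I_multi_factor_auth *) override;
  /* Validates the auth plugin chain before user_attributes in mysql.user is updated. */
  bool validate_plugins_in_auth_chain(THD *thd) override;
  /* Checks the modified chain resulting from ALTER USER against the authentication policy. */
  bool validate_against_authentication_policy(THD *thd) override;
  bool update_user_attributes() override;
  void add_factor(I_multi_factor_auth *m) override;
  bool serialize(Json_array &mfa_arr) override;
  bool deserialize(uint f, Json_dom *mfa_dom) override;
  bool init_registration(THD *, uint) override;
  bool finish_registration(THD *, LEX_USER *, uint) override;
  bool is_passwordless() override;
  void get_info_for_query_rewrite(THD *, LEX_USER *) override;
  void get_generated_passwords(Userhostpassword_list &gp, const char *u,
                               const char *h) override;
  void get_server_challenge_info(server_challenge_info_vector &sc) override;

 private:
  /*
    This methods ensures that hierarchy of m_factor is always
    2FA followed by 3FA.
  */
  void sort_mfa();
};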
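/*
  This class represents each individual factor from chain of
  authentication plugins for a given user account.

  The factor's data is held in a LEX_MFA (m_multi_factor_auth) obtained from
  m_mem_root; the get_*/set_* accessors presumably read and write that
  LEX_MFA. Values reach this object from ACL DDL (CREATE/ALTER USER), from
  the user_attributes JSON stored in mysql.user (deserialize), or from the
  client's FIDO device during registration (finish_registration);
  validate_plugins_in_auth_chain() and validate_row() are the checks that
  guard those paths.
*/
class Multi_factor_auth_info : public I_multi_factor_auth {
 private:
  MEM_ROOT *m_mem_root;
  LEX_MFA *m_multi_factor_auth;
  acl_table::Pod_user_what_to_update m_update;

 public:
  Multi_factor_auth_info(MEM_ROOT *mem_root);
  /* … one declaration (header line 159) was dropped by this rendering and is not recoverable … */
  ~Multi_factor_auth_info() override {}
  /* validate Multi factor authentication plugins during ACL DDL (ALTER/CREATE USER) */
  bool validate_plugins_in_auth_chain(THD *thd) override;
  /* update user attributes (User_attributes column in mysql.user) */
  bool update_user_attributes() override;
  /* construct json object out of user attributes column */
  bool serialize(Json_array &mfa_arr) override;
  /* read this factor's details back from the user_attributes JSON */
  bool deserialize(uint f, Json_dom *mfa_dom) override;
  /*
    helper methods to do registration. finish_registration() reads the
    credential details received from the FIDO device and saves them in the
    user_attributes column.
  */
  bool init_registration(THD *, uint) override;
  bool finish_registration(THD *, LEX_USER *, uint) override;
  bool is_passwordless() override;
  /* fills in missing details (plugin name, authentication string, ...) for query rewrite */
  void get_info_for_query_rewrite(THD *, LEX_USER *) override;
  /* randomly generated passwords for IDENTIFIED BY RANDOM PASSWORD */
  void get_generated_passwords(Userhostpassword_list &gp, const char *u,
                               const char *h) override;
  /* randomly generated server challenge produced as part of ALTER USER */
  void get_server_challenge_info(server_challenge_info_vector &sc) override;

  /* during ALTER USER copy attributes from ACL_USER */
  Multi_factor_auth_info &operator=(Multi_factor_auth_info &new_af);

 private:
  /*
    validate Multi factor authentication attributes read from row of
    mysql.user table
  */
  bool validate_row();

 public:
  bool is_identified_by();
  bool is_identified_with();
  LEX_CSTRING &plugin_name();

  /*
    String accessors come in pointer/length pairs; use the length getter
    rather than assuming NUL termination — TODO confirm in sql_mfa.cc.
  */
  const char *get_auth_str();
  size_t get_auth_str_len();

  const char *get_plugin_str();
  size_t get_plugin_str_len();

  const char *get_generated_password_str();
  size_t get_generated_password_len();

  const char *get_client_plugin_str();
  size_t get_client_plugin_len();

  nthfactor get_factor();
  unsigned int get_nth_factor();
  bool is_add_factor();
  bool is_drop_factor();
  bool is_modify_factor();

  /* registration state flags (the three get_*_registration getters were dropped by the rendering; order here is not authoritative) */
  bool get_init_registration();
  bool get_finish_registration();
  bool get_requires_registration();
  bool get_unregister();
  LEX_MFA *get_lex_mfa();

  void set_auth_str(const char *, size_t);
  void set_plugin_str(const char *, size_t);
  void set_generated_password(const char *, size_t);
  void set_client_plugin(const char *, size_t);
  void set_factor(nthfactor f);
  void set_passwordless(int v);
  void set_init_registration(bool v);
  void set_finish_registration(bool v);
  void set_requires_registration(int v);

  /* textual form of @p sql_command used when rewriting the statement */
  std::string get_command_string(enum_sql_command sql_command);
};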
229#endif /* SQL_MFA_INCLUDED */