	 7b555ff2c5
			
		
	
	
	7b555ff2c5
	
	
	
		
			
			SET PASSWORD = PASSWORD('foo') would fail for pam plugin with
ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin
but SET PASSWORD = 'foo' would not.
Now it will.
		
	
			
		
			
				
	
	
		
		
	
	
	
	
	
| #ifndef MYSQL_PLUGIN_AUTH_INCLUDED
 | |
| /* Copyright (C) 2010 Sergei Golubchik and Monty Program Ab
 | |
|    Copyright (c) 2010, Oracle and/or its affiliates.
 | |
| 
 | |
|    This program is free software; you can redistribute it and/or modify
 | |
|    it under the terms of the GNU General Public License as published by
 | |
|    the Free Software Foundation; version 2 of the License.
 | |
| 
 | |
|    This program is distributed in the hope that it will be useful,
 | |
|    but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|    GNU General Public License for more details.
 | |
| 
 | |
|    You should have received a copy of the GNU General Public License
 | |
|    along with this program; if not, write to the Free Software
 | |
|    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335  USA */
 | |
| 
 | |
| /**
 | |
|   @file
 | |
| 
 | |
|   Authentication Plugin API.
 | |
| 
 | |
|   This file defines the API for server authentication plugins.
 | |
| */
 | |
| 
 | |
| #define MYSQL_PLUGIN_AUTH_INCLUDED
 | |
| 
 | |
| #include <mysql/plugin.h>
 | |
| 
 | |
| #define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0202
 | |
| 
 | |
| #include <mysql/plugin_auth_common.h>
 | |
| 
 | |
| #ifdef __cplusplus
 | |
| extern "C" {
 | |
| #endif
 | |
| 
 | |
| /*
 | |
|   Values for MYSQL_SERVER_AUTH_INFO.password_used.
 | |
|   According to the comment on that field, the value only selects the
 | |
|   wording of the "Authentication failed. Password used: %s" error message.
 | |
| */
 | |
| 
 | |
| #define PASSWORD_USED_NO         0 /* %s will be NO */
 | |
| #define PASSWORD_USED_YES        1 /* %s will be YES */
 | |
| #define PASSWORD_USED_NO_MENTION 2 /* there will be no %s */
 | |
| 
 | |
| 
 | |
| /**
 | |
|   Provides server plugin access to authentication information.
 | |
| 
 | |
|   A pointer to this structure is the second argument of the
 | |
|   authenticate_user() method of struct st_mysql_auth. user_name and
 | |
|   host_or_ip describe the connecting client; authenticated_as,
 | |
|   external_user and password_used are the fields that the comments
 | |
|   below describe as set or overridden by the plugin.
 | |
| */
 | |
| typedef struct st_mysql_server_auth_info
 | |
| {
 | |
|   /**
 | |
|     User name as sent by the client and shown in USER().
 | |
|     NULL if the client packet with the user name was not received yet.
 | |
| 
 | |
|     This is client-supplied input: check for NULL before use and bound
 | |
|     every read by user_name_length.
 | |
|     NOTE(review): this header does not state whether the string is
 | |
|     NUL-terminated - confirm before passing it to str-style functions.
 | |
|   */
 | |
|   const char *user_name;
 | |
| 
 | |
|   /**
 | |
|     Length of user_name
 | |
|   */
 | |
|   unsigned int user_name_length;
 | |
| 
 | |
|   /**
 | |
|     A corresponding column value from the mysql.user table for the
 | |
|     matching account name or the preprocessed value, if preprocess_hash
 | |
|     method is not NULL.
 | |
| 
 | |
|     A preprocessed value may be binary (the preprocess_hash comment gives
 | |
|     hex or base64 to binary conversion as an example), so use
 | |
|     auth_string_length instead of searching for a terminating NUL.
 | |
|   */
 | |
|   const char *auth_string;
 | |
| 
 | |
|   /**
 | |
|     Length of auth_string.
 | |
|     Note that the type is unsigned long, unlike the unsigned int used for
 | |
|     the other length fields of this structure.
 | |
|   */
 | |
|   unsigned long auth_string_length;
 | |
| 
 | |
|   /**
 | |
|     Matching account name as found in the mysql.user table.
 | |
|     A plugin can override it with another name that will be
 | |
|     used by MySQL for authorization, and shown in CURRENT_USER().
 | |
| 
 | |
|     The buffer holds MYSQL_USERNAME_LENGTH+1 bytes; a plugin that
 | |
|     overrides the name must keep the copy within that size (presumably
 | |
|     MYSQL_USERNAME_LENGTH characters plus a terminating NUL - confirm).
 | |
|     Because the server uses this name for authorization, set it only
 | |
|     from an identity the plugin has actually verified.
 | |
|   */
 | |
|   char authenticated_as[MYSQL_USERNAME_LENGTH+1]; 
 | |
| 
 | |
| 
 | |
|   /**
 | |
|     The unique user name that was used by the plugin to authenticate.
 | |
|     Not used by the server.
 | |
|     Available through the @@EXTERNAL_USER variable.
 | |
| 
 | |
|     Same buffer size as authenticated_as (MYSQL_USERNAME_LENGTH+1 bytes);
 | |
|     keep writes within it.
 | |
|   */  
 | |
|   char external_user[MYSQL_USERNAME_LENGTH+1];
 | |
| 
 | |
|   /**
 | |
|     This only affects the "Authentication failed. Password used: %s"
 | |
|     error message. It has the following values:
 | |
|     0 : %s will be NO        (PASSWORD_USED_NO)
 | |
|     1 : %s will be YES       (PASSWORD_USED_YES)
 | |
|     2 : there will be no %s  (PASSWORD_USED_NO_MENTION)
 | |
|     Set it as appropriate or ignore at will.
 | |
|   */
 | |
|   int  password_used;
 | |
| 
 | |
|   /**
 | |
|     Set to the name of the connected client host, if it can be resolved, 
 | |
|     or to its IP address otherwise.
 | |
| 
 | |
|     Bound reads by host_or_ip_length.
 | |
|     NOTE(review): this header does not describe how the name is
 | |
|     resolved; a plugin that bases an access decision on it should
 | |
|     confirm how the value is obtained.
 | |
|   */
 | |
|   const char *host_or_ip;
 | |
| 
 | |
|   /**
 | |
|     Length of host_or_ip
 | |
|   */
 | |
|   unsigned int host_or_ip_length;
 | |
| 
 | |
|   /**
 | |
|     Current THD pointer (to use with various services)
 | |
|   */
 | |
|   MYSQL_THD thd;
 | |
| 
 | |
| } MYSQL_SERVER_AUTH_INFO;
 | |
| 
 | |
| /**
 | |
|   Server authentication plugin descriptor.
 | |
| 
 | |
|   Holds the interface version, the name of the required client plugin
 | |
|   and three function pointers. authenticate_user performs the
 | |
|   authentication; hash_password and preprocess_hash are documented
 | |
|   below as optional (either can be NULL).
 | |
| */
 | |
| struct st_mysql_auth
 | |
| {
 | |
|   int interface_version;                        /**< version plugin uses; presumably MYSQL_AUTHENTICATION_INTERFACE_VERSION - confirm */
 | |
|   /**
 | |
|     A plugin that a client must use for authentication with this server
 | |
|     plugin. Can be NULL to mean "any plugin".
 | |
|   */
 | |
|   const char *client_auth_plugin;
 | |
|   /**
 | |
|     Function provided by the plugin which should perform authentication (using
 | |
|     the vio functions if necessary) and return 0 if successful. The plugin can
 | |
|     also fill the info.authenticated_as field if a different username should be
 | |
|     used for authorization.
 | |
| 
 | |
|     info->user_name can be NULL when the client packet with the user name
 | |
|     was not received yet (see MYSQL_SERVER_AUTH_INFO).
 | |
| 
 | |
|     NOTE(review): the result codes a plugin returns (CR_OK, CR_ERROR, ...)
 | |
|     are expected to be declared in <mysql/plugin_auth_common.h>, which is
 | |
|     included above but not shown here. Confirm the success value against
 | |
|     that header instead of relying on the "0" in this comment, because
 | |
|     returning the wrong constant changes whether a login is accepted.
 | |
|   */
 | |
|   int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info);
 | |
|   /**
 | |
|     Create a password hash (or digest) out of a plain-text password
 | |
| 
 | |
|     Used in SET PASSWORD, GRANT, and CREATE USER to convert user specified
 | |
|     plain-text password into a value that will be stored in mysql.user table.
 | |
| 
 | |
|     @see preprocess_hash
 | |
| 
 | |
|     @param password        plain-text password
 | |
|     @param password_length plain-text password length
 | |
|     @param hash            the digest will be stored there
 | |
|     @param hash_length     in: hash buffer size
 | |
|                            out: the actual length of the hash
 | |
| 
 | |
|     @return 0 for ok, 1 for error
 | |
| 
 | |
|     Can be NULL, in this case one will not be able to use SET PASSWORD or
 | |
|     PASSWORD('...') in GRANT, CREATE USER, ALTER USER.
 | |
| 
 | |
|     An implementation must read the incoming *hash_length before writing
 | |
|     and must not store more than that many bytes in hash; if the digest
 | |
|     does not fit, it should return 1. Bound reads of password by
 | |
|     password_length (this header does not promise a terminating NUL).
 | |
|     The password argument is plain text, so avoid copying it into logs
 | |
|     or buffers that outlive the call.
 | |
|   */
 | |
|   int (*hash_password)(const char *password, size_t password_length,
 | |
|                        char *hash, size_t *hash_length);
 | |
| 
 | |
|   /**
 | |
|     Prepare the password hash for authentication.
 | |
| 
 | |
|     Password hash is stored in the authentication_string column of the
 | |
|     mysql.user table in a text form. If a plugin needs to preprocess the
 | |
|     value somehow before the authentication (e.g. convert from hex or base64
 | |
|     to binary), it can do it in this method. This way the conversion
 | |
|     will happen only once, not for every authentication attempt.
 | |
| 
 | |
|     The value written to the out buffer will be cached and later made
 | |
|     available to the authenticate_user() method in the
 | |
|     MYSQL_SERVER_AUTH_INFO::auth_string[] buffer.
 | |
| 
 | |
|     @param hash        the stored value in its text form
 | |
|     @param hash_length length of hash
 | |
|     @param out         buffer that receives the preprocessed value
 | |
|     @param out_length  presumably in: out buffer size, out: the actual
 | |
|                        length written, as for hash_password - confirm
 | |
| 
 | |
|     @return 0 for ok, 1 for error
 | |
| 
 | |
|     Can be NULL, in this case the mysql.user.authentication_string value will
 | |
|     be given to the authenticate_user() method as is, unconverted.
 | |
| 
 | |
|     The input is whatever is stored in the table, so an implementation
 | |
|     should validate its length and encoding and return 1 on malformed
 | |
|     input instead of writing a partial value to out.
 | |
|   */
 | |
|   int (*preprocess_hash)(const char *hash, size_t hash_length,
 | |
|                          unsigned char *out, size_t *out_length);
 | |
| };
 | |
| 
 | |
| #ifdef __cplusplus
 | |
| }
 | |
| #endif
 | |
| 
 | |
| #endif
 | |
| 
 |