~drizzle-trunk/drizzle/development : contents of plugin/auth_schema/auth

~drizzle-trunk/drizzle/development : (revision 2460)

/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright 2011 Daniel Nichter
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; version 2 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#pragma once
#include <drizzled/session.h>
#include <drizzled/plugin/authentication.h>
#include PCRE_HEADER

using namespace std;
using namespace drizzled;

namespace drizzle_plugin {
namespace auth_schema {

class AuthSchema : public drizzled::plugin::Authentication
{
public:
  AuthSchema(bool enabled);
  ~AuthSchema();

  /**
   * @brief
   *   Set the authentication table.
   *
   * @param[in] table Schema-qualified table name.
   *
   * @retval false Success, new auth table set
   * @retval true  Failure, auth table not changed
   */
  bool setTable(const string &table);

  /**
   * These are the query_log system variables.  So sysvar_enabled is
   * auth_schema_enabled in SHOW VARIABLES, etc.  They are all global
   * and dynamic.
   */
  bool sysvar_enabled;
  string sysvar_table;

private:
  /**
   * Base class method to check authentication for a user.
   */
  bool authenticate(const identifier::User &sctx, const string &password);

  /**
   * @brief
   *   Verify that the client password matches the real password.
   *
   * @details
   *   This method compares two MySQL hashed passwords: one from the
   *   client who is trying to authenticate, and the other from an
   *   auth table with the real password.  The client's password is
   *   hashed with the scramble bytes that Drizzle sent when the client
   *   connected, so we hash the real password with these bytes, too.
   *   This method is a modified copy of auth_file::verifyMySQLHash(),
   *   written by Eric Day, so credit the credit is his for the algos.
   *
   * @param[in] real_password   Real password, double-hashed but not yet
   *                            scrambled with the scramble bytes.
   * @param[in] scramble_bytes  Random bytes sent by Drizzle to client.
   * @param[in] client_password Password sent by client, double-hashed and
   *                            scrambled with the scramble bytes.
   *
   * @return True if the passwords match, else false.
   */
  bool verifyMySQLPassword(const string &real_password,
                           const string &scramble_bytes,
                           const string &client_password);

  /**
   * @brief
   *   Split, escape, and quote the auth table name.
   *
   * @details
   *   This function is called by setTable().
   *   The auth table name must be schema-qualified, so it should have
   *   the form schema.table or `schema`.`table`, etc.  This function
   *   splits the table name on the period, checks each half (the schema
   *   name and the table name), and escapes and backtick quotes each
   *   if necessary.  The result is that the auth table name is always
   *   finally of the form `schema`.`table`.
   *
   * @param[in] table Schema-qualified auth table name
   *
   * @return Escaped and backtick-quoted auth table name
   */
  string escapeQuoteAuthTable(const string &table);

  /**
   * @brief
   *   Escape and quote an identifier.
   *
   * @param[in] input Identifer, possibly already quoted
   *
   * @return Escaped and backtick-quoted identifier
   */
  string escapeQuoteIdentifier(const string &input);

  /**
   * @brief
   *   Escape a string for use as a single-quoted string value.
   *
   * @details
   *   The string is escaped so that it can be used as a value in single quotes, like:
   *   col='untrusted value'.  Therefore, double quotes are not escaped because they're
   *   valid inside single-quoted values.  Escaping helps avoid SQL injections.
   *
   * @param[in] input Untrusted string
   *
   * @return Escaped string
   */
  string escapeString(const string &input);

  pcre *_ident_re;
  Session::shared_ptr _session; ///< Internal session for querying auth table
};

} /* end namespace drizzle_plugin::auth_schema */
} /* end namespace drizzle_plugin */

2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	1	/* -- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; --
	2	* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
	3	*
	4	* Copyright 2011 Daniel Nichter
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; version 2 of the License.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
	17	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	18	*/
	19
	20	#pragma once
	21	#include <drizzled/session.h>
	22	#include <drizzled/plugin/authentication.h>
2425.1.5 by Daniel Enable plugin by default. Always escape and backtick quote the auth table name.	23	#include PCRE_HEADER
2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	24
	25	using namespace std;
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	26	using namespace drizzled;
2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	27
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	28	namespace drizzle_plugin {
	29	namespace auth_schema {
2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	30
	31	class AuthSchema : public drizzled::plugin::Authentication
	32	{
	33	public:
2425.1.5 by Daniel Enable plugin by default. Always escape and backtick quote the auth table name.	34	AuthSchema(bool enabled);
	35	~AuthSchema();
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	36
	37	/**
	38	* @brief
2425.1.4 by Daniel Escape user in SQL statement to avoid SQL injection. Verify auth table name. Include auth query in error message. Tweak formatting to match coding standards.	39	* Set the authentication table.
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	40	*
	41	* @param[in] table Schema-qualified table name.
	42	*
2425.1.4 by Daniel Escape user in SQL statement to avoid SQL injection. Verify auth table name. Include auth query in error message. Tweak formatting to match coding standards.	43	* @retval false Success, new auth table set
	44	* @retval true Failure, auth table not changed
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	45	*/
2425.1.4 by Daniel Escape user in SQL statement to avoid SQL injection. Verify auth table name. Include auth query in error message. Tweak formatting to match coding standards.	46	bool setTable(const string &table);
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	47
	48	/**
	49	* These are the query_log system variables. So sysvar_enabled is
	50	* auth_schema_enabled in SHOW VARIABLES, etc. They are all global
	51	* and dynamic.
	52	*/
	53	bool sysvar_enabled;
	54	string sysvar_table;
2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	55
	56	private:
	57	/**
	58	* Base class method to check authentication for a user.
	59	*/
	60	bool authenticate(const identifier::User &sctx, const string &password);
	61
	62	/**
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	63	* @brief
	64	* Verify that the client password matches the real password.
	65	*
	66	* @details
	67	* This method compares two MySQL hashed passwords: one from the
	68	* client who is trying to authenticate, and the other from an
	69	* auth table with the real password. The client's password is
	70	* hashed with the scramble bytes that Drizzle sent when the client
	71	* connected, so we hash the real password with these bytes, too.
	72	* This method is a modified copy of auth_file::verifyMySQLHash(),
	73	* written by Eric Day, so credit the credit is his for the algos.
	74	*
	75	* @param[in] real_password Real password, double-hashed but not yet
	76	* scrambled with the scramble bytes.
	77	* @param[in] scramble_bytes Random bytes sent by Drizzle to client.
	78	* @param[in] client_password Password sent by client, double-hashed and
	79	* scrambled with the scramble bytes.
	80	*
	81	* @return True if the passwords match, else false.
2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	82	*/
	83	bool verifyMySQLPassword(const string &real_password,
	84	const string &scramble_bytes,
	85	const string &client_password);
	86
2425.1.4 by Daniel Escape user in SQL statement to avoid SQL injection. Verify auth table name. Include auth query in error message. Tweak formatting to match coding standards.	87	/**
	88	* @brief
2425.1.5 by Daniel Enable plugin by default. Always escape and backtick quote the auth table name.	89	* Split, escape, and quote the auth table name.
	90	*
	91	* @details
	92	* This function is called by setTable().
	93	* The auth table name must be schema-qualified, so it should have
	94	* the form schema.table or `schema`.`table`, etc. This function
	95	* splits the table name on the period, checks each half (the schema
	96	* name and the table name), and escapes and backtick quotes each
	97	* if necessary. The result is that the auth table name is always
	98	* finally of the form `schema`.`table`.
	99	*
	100	* @param[in] table Schema-qualified auth table name
	101	*
	102	* @return Escaped and backtick-quoted auth table name
	103	*/
	104	string escapeQuoteAuthTable(const string &table);
	105
	106	/**
	107	* @brief
	108	* Escape and quote an identifier.
	109	*
	110	* @param[in] input Identifer, possibly already quoted
	111	*
	112	* @return Escaped and backtick-quoted identifier
	113	*/
	114	string escapeQuoteIdentifier(const string &input);
	115
	116	/**
	117	* @brief
2425.1.4 by Daniel Escape user in SQL statement to avoid SQL injection. Verify auth table name. Include auth query in error message. Tweak formatting to match coding standards.	118	* Escape a string for use as a single-quoted string value.
	119	*
	120	* @details
	121	* The string is escaped so that it can be used as a value in single quotes, like:
	122	* col='untrusted value'. Therefore, double quotes are not escaped because they're
	123	* valid inside single-quoted values. Escaping helps avoid SQL injections.
	124	*
	125	* @param[in] input Untrusted string
	126	*
	127	* @return Escaped string
	128	*/
	129	string escapeString(const string &input);
	130
2425.1.5 by Daniel Enable plugin by default. Always escape and backtick quote the auth table name.	131	pcre *_ident_re;
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	132	Session::shared_ptr _session; ///< Internal session for querying auth table
2425.1.1 by Daniel Nichter auth_schema (auth_db) working prototype.	133	};
	134
2425.1.2 by Daniel Add auth_schema_enabled sysvar. Use drizzle_plugin::auth_schema namespace. Add user docs and document code.	135	} /* end namespace drizzle_plugin::auth_schema */
	136	} /* end namespace drizzle_plugin */