Address review comments, add unit test

4b31e6dc · Vladislav Vaintroub · c1bf5ba2 · 4b31e6dc · 4b31e6dc · 4b31e6dc
Commit 4b31e6dc authored Jan 27, 2016 by Vladislav Vaintroub
5 changed files
--- a/mysql-test/r/auth_named_pipe.result
+++ b/mysql-test/r/auth_named_pipe.result
+INSTALL SONAME 'auth_named_pipe';
+CREATE USER USERNAME IDENTIFIED WITH named_pipe;
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+USERNAME@localhost	USERNAME@%
+DROP USER USERNAME;
+CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
+ERROR 28000: Access denied for user 'nosuchuser'@'localhost'
+DROP USER nosuchuser;
+UNINSTALL SONAME 'auth_named_pipe';
--- a/mysql-test/t/auth_named_pipe-master.opt
+++ b/mysql-test/t/auth_named_pipe-master.opt
+--loose-enable-named-pipe
--- a/mysql-test/t/auth_named_pipe.test
+++ b/mysql-test/t/auth_named_pipe.test
+--source include/windows.inc
+
+INSTALL SONAME 'auth_named_pipe';
+
+--replace_result $USERNAME USERNAME
+eval CREATE USER $USERNAME IDENTIFIED WITH named_pipe;
+# Connect using named pipe, correct username
+connect(pipe_con,localhost,$USERNAME,,,,,PIPE);
+--replace_result $USERNAME USERNAME
+SELECT USER(),CURRENT_USER();
+disconnect pipe_con;
+connection default;
+--replace_result $USERNAME USERNAME
+eval DROP USER $USERNAME;
+
+# test invalid user name
+CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
+--disable_query_log
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+connect(pipe_con,localhost,nosuchuser,,,,,PIPE);
+--enable_query_log
+DROP USER nosuchuser;
+UNINSTALL SONAME 'auth_named_pipe';
\ No newline at end of file
--- a/plugin/auth_pipe/CMakeLists.txt
+++ b/plugin/auth_pipe/CMakeLists.txt
-# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
-# 
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 of the
-# License.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
-
 IF(WIN32)
-  MYSQL_ADD_PLUGIN(auth_pipe auth_pipe.c MODULE_ONLY)
+  MYSQL_ADD_PLUGIN(auth_named_pipe auth_pipe.c)
 ENDIF()
--- a/plugin/auth_pipe/auth_pipe.c
+++ b/plugin/auth_pipe/auth_pipe.c
@@ -17,44 +17,27 @@
 /**
  @file

-  auth_pipd authentication plugin.
+  auth_pipe authentication plugin.

-  Authentication is successful if the connection is done via a named pip and
-  the owner of the client process matches the user name that was used when
-  connecting to mysqld.
+  Authentication is successful if the connection is done via a named pipe 
+  pipe peer name matches mysql user name
 */

-
 #include <mysql/plugin_auth.h>
 #include <string.h>
 #include <lmcons.h>


-
-
-
 /**
-  perform the named pipe´based authentication
-
-  This authentication callback performs a named pipe based authentication -
-  it gets the uid of the client process and considers the user authenticated
-  if it uses username of this uid. That is - if the user is already
-  authenticated to the OS (if she is logged in) - she can use MySQL as herself
+  This authentication callback obtains user name using named pipe impersonation
 */
-
 static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 {
  unsigned char *pkt;
-  PTOKEN_USER pTokenUser= NULL;
-  HANDLE hToken;
  MYSQL_PLUGIN_VIO_INFO vio_info;
-  DWORD dLength= 0;
-  int Ret= CR_ERROR;
-  TCHAR username[UNLEN + 1];
-  DWORD username_length= UNLEN + 1;
-  char domainname[DNLEN + 1];
-  DWORD domainsize=DNLEN + 1;
-  SID_NAME_USE sidnameuse;
+  char username[UNLEN + 1];
+  size_t username_length;
+  int ret;

  /* no user name yet ? read the client handshake packet with the user name */
  if (info->user_name == 0)
@@ -62,41 +45,26 @@ static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
    if (vio->read_packet(vio, &pkt) < 0)
      return CR_ERROR;
  }
-
  info->password_used= PASSWORD_USED_NO_MENTION;
-
  vio->info(vio, &vio_info);
  if (vio_info.protocol != MYSQL_VIO_PIPE)
    return CR_ERROR;

-  /* get the UID of the client process */
+  /* Impersonate the named pipe peer, and retrieve the user name */
  if (!ImpersonateNamedPipeClient(vio_info.handle))
    return CR_ERROR;
-  
-  if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken))
-    goto end;
-   
- /* determine length of TokenUser */
- GetTokenInformation(hToken, TokenUser, NULL, 0, &dLength);
- if (!dLength)
-   goto end;
-
- if (!(pTokenUser= (PTOKEN_USER)LocalAlloc(0, dLength)))
-   goto end;
-
- if (!GetTokenInformation(hToken, TokenUser, (PVOID)pTokenUser, dLength, &dLength))
-   goto end;
-
- if (!LookupAccountSid(NULL, pTokenUser->User.Sid, username, &username_length, domainname, &domainsize, &sidnameuse))
-   goto end;

- Ret= strcmp(username, info->user_name) ? CR_ERROR : CR_OK;
-end:
-  if (pTokenUser)
-    LocalFree(pTokenUser);
+  username_length= sizeof(username) - 1;
+  ret= CR_ERROR;
+  if (GetUserName(username, &username_length))
+  {
+    /* Always compare names case-insensitive on Windows.*/
+    if (_stricmp(username, info->user_name) == 0)
+      ret= CR_OK;
+  }
  RevertToSelf();
-  /* now it's simple as that */
-  return Ret;
+
+  return ret;
 }

 static struct st_mysql_auth pipe_auth_handler=
@@ -106,11 +74,11 @@ static struct st_mysql_auth pipe_auth_handler=
  pipe_auth
 };

-maria_declare_plugin(socket_auth)
+maria_declare_plugin(auth_named_pipe)
 {
  MYSQL_AUTHENTICATION_PLUGIN,
  &pipe_auth_handler,
-  "windows_pipe",
+  "named_pipe",
  "Vladislav Vaintroub, Georg Richter",
  "Windows named pipe based authentication",
  PLUGIN_LICENSE_GPL,