Merge pull request #11 from trimble-oss/cidr_check_not_grants

Only check cidr in query auth scenario.
trimble-oss · Mar 7, 2024 · f08eaec · f08eaec
2 parents 6bc5051 + 820714b
commit f08eaec
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 26 deletions.
diff --git a/sql/analyzer/privileges.go b/sql/analyzer/privileges.go
@@ -38,7 +38,7 @@ func validatePrivileges(ctx *sql.Context, a *Analyzer, n sql.Node, scope *Scope,
 	}
 
 	client := ctx.Session.Client()
-	user := mysqlDb.GetUser(client.User, client.Address, false)
+	user := mysqlDb.GetUser(client.User, client.Address, false, false)
 	if user == nil {
 		return nil, transform.SameTree, mysql.NewSQLError(mysql.ERAccessDeniedError, mysql.SSAccessDeniedError, "Access denied for user '%v'", ctx.Session.Client().User)
 	}

diff --git a/sql/mysql_db/mysql_db.go b/sql/mysql_db/mysql_db.go
@@ -283,7 +283,7 @@ func (db *MySQLDb) LockUser(readUserEntry *User) {
 
 // GetUser returns a user matching the given user and host if it exists. Due to the slight difference between users and
 // roles, roleSearch changes whether the search matches against user or role rules.
-func (db *MySQLDb) GetUser(user string, host string, roleSearch bool) *User {
+func (db *MySQLDb) GetUser(user string, host string, roleSearch bool, skipCidrChecks bool) *User {
 	//TODO: Determine what the localhost is on the machine, then handle the conversion between IP and localhost.
 	// For now, this just treats localhost and 127.0.0.1 as the same.
 	//TODO: Determine how to match anonymous roles (roles with an empty user string), which differs from users
@@ -303,6 +303,9 @@ func (db *MySQLDb) GetUser(user string, host string, roleSearch bool) *User {
 
 	if len(userEntries) == 1 {
 		readUserEntry := userEntries[0].(*User)
+		if skipCidrChecks {
+			return readUserEntry
+		}
 
 		if lockTime, isLocked := lockUserMap.GetUser(readUserEntry); isLocked {
 			if time.Since(lockTime) > time.Hour {
@@ -321,9 +324,6 @@ func (db *MySQLDb) GetUser(user string, host string, roleSearch bool) *User {
 				if hostIp != nil && network.Contains(hostIp) {
 					return readUserEntry
 				} else {
-					if readUserEntry.IsSuperUser {
-						return readUserEntry
-					}
 					return nil
 				}
 			} else {
@@ -340,6 +340,9 @@ func (db *MySQLDb) GetUser(user string, host string, roleSearch bool) *User {
 		})
 		for _, readUserEntry := range userEntries {
 			readUserEntry := readUserEntry.(*User)
+			if skipCidrChecks {
+				return readUserEntry
+			}
 
 			if lockTime, isLocked := lockUserMap.GetUser(readUserEntry); isLocked {
 				if time.Since(lockTime) > time.Hour {
@@ -381,7 +384,7 @@ func (db *MySQLDb) UserActivePrivilegeSet(ctx *sql.Context) PrivilegeSet {
 	}
 
 	client := ctx.Session.Client()
-	user := db.GetUser(client.User, client.Address, false)
+	user := db.GetUser(client.User, client.Address, false, false)
 	if user == nil {
 		return NewPrivilegeSet()
 	}
@@ -395,7 +398,7 @@ func (db *MySQLDb) UserActivePrivilegeSet(ctx *sql.Context) PrivilegeSet {
 	//TODO: System variable "activate_all_roles_on_login", if set, will set all roles as active upon logging in
 	for _, roleEdgeEntry := range roleEdgeEntries {
 		roleEdge := roleEdgeEntry.(*RoleEdge)
-		role := db.GetUser(roleEdge.FromUser, roleEdge.FromHost, true)
+		role := db.GetUser(roleEdge.FromUser, roleEdge.FromHost, true, false)
 		if role != nil {
 			privSet.UnionWith(role.PrivilegeSet)
 		}
@@ -489,7 +492,7 @@ func (db *MySQLDb) AuthMethod(user, addr string) (string, error) {
 		host = splitHost
 	}
 
-	u := db.GetUser(user, host, false)
+	u := db.GetUser(user, host, false, false)
 	if u == nil {
 		return "", mysql.NewSQLError(mysql.ERAccessDeniedError, mysql.SSAccessDeniedError, "User not found '%v'", user)
 	}
@@ -521,7 +524,7 @@ func (db *MySQLDb) ValidateHash(salt []byte, user string, authResponse []byte, a
 		return MysqlConnectionUser{User: user, Host: host}, nil
 	}
 
-	userEntry := db.GetUser(user, host, false)
+	userEntry := db.GetUser(user, host, false, false)
 	if userEntry == nil || userEntry.Locked {
 		return nil, mysql.NewSQLError(mysql.ERAccessDeniedError, mysql.SSAccessDeniedError, "Access denied for user '%v'", user)
 	}
@@ -555,7 +558,7 @@ func (db *MySQLDb) Negotiate(c *mysql.Conn, user string, addr net.Addr) (mysql.G
 	if !db.Enabled {
 		return connUser, nil
 	}
-	userEntry := db.GetUser(user, host, false)
+	userEntry := db.GetUser(user, host, false, false)
 
 	if userEntry.Plugin != "" {
 		authplugin, ok := db.plugins[userEntry.Plugin]

diff --git a/sql/plan/drop_user.go b/sql/plan/drop_user.go
@@ -106,7 +106,7 @@ func (n *DropUser) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 	userTableData := mysqlDb.UserTable().Data()
 	roleEdgesData := mysqlDb.RoleEdgesTable().Data()
 	for _, user := range n.Users {
-		existingUser := mysqlDb.GetUser(user.Name, user.Host, false)
+		existingUser := mysqlDb.GetUser(user.Name, user.Host, false, true)
 		if existingUser == nil {
 			if n.IfExists {
 				continue

diff --git a/sql/plan/grant.go b/sql/plan/grant.go
@@ -209,7 +209,7 @@ func (n *Grant) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 			return nil, fmt.Errorf("GRANT has not yet implemented user assumption")
 		}
 		for _, grantUser := range n.Users {
-			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false)
+			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false, true)
 			if user == nil {
 				return nil, sql.ErrGrantUserDoesNotExist.New()
 			}
@@ -235,7 +235,7 @@ func (n *Grant) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 			return nil, fmt.Errorf("GRANT has not yet implemented user assumption")
 		}
 		for _, grantUser := range n.Users {
-			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false)
+			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false, true)
 			if user == nil {
 				return nil, sql.ErrGrantUserDoesNotExist.New()
 			}
@@ -262,7 +262,7 @@ func (n *Grant) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 			return nil, fmt.Errorf("GRANT has not yet implemented user assumption")
 		}
 		for _, grantUser := range n.Users {
-			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false)
+			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false, true)
 			if user == nil {
 				return nil, sql.ErrGrantUserDoesNotExist.New()
 			}
@@ -638,7 +638,7 @@ func (n *GrantRole) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedOp
 	//TODO: only active roles may be assigned if the SUPER privilege is not held
 	mysqlDb := n.MySQLDb.(*mysql_db.MySQLDb)
 	client := ctx.Session.Client()
-	user := mysqlDb.GetUser(client.User, client.Address, false)
+	user := mysqlDb.GetUser(client.User, client.Address, false, true)
 	if user == nil {
 		return false
 	}
@@ -647,7 +647,7 @@ func (n *GrantRole) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedOp
 		ToUser: user.User,
 	})
 	for _, roleName := range n.Roles {
-		role := mysqlDb.GetUser(roleName.Name, roleName.Host, true)
+		role := mysqlDb.GetUser(roleName.Name, roleName.Host, true, true)
 		if role == nil {
 			return false
 		}
@@ -677,12 +677,12 @@ func (n *GrantRole) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error)
 	}
 	roleEdgesData := mysqlDb.RoleEdgesTable().Data()
 	for _, targetUser := range n.TargetUsers {
-		user := mysqlDb.GetUser(targetUser.Name, targetUser.Host, false)
+		user := mysqlDb.GetUser(targetUser.Name, targetUser.Host, false, true)
 		if user == nil {
 			return nil, sql.ErrGrantRevokeRoleDoesNotExist.New(targetUser.String("`"))
 		}
 		for _, targetRole := range n.Roles {
-			role := mysqlDb.GetUser(targetRole.Name, targetRole.Host, true)
+			role := mysqlDb.GetUser(targetRole.Name, targetRole.Host, true, true)
 			if role == nil {
 				return nil, sql.ErrGrantRevokeRoleDoesNotExist.New(targetRole.String("`"))
 			}

diff --git a/sql/plan/revoke.go b/sql/plan/revoke.go
@@ -202,7 +202,7 @@ func (n *Revoke) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 			return nil, sql.ErrGrantRevokeIllegalPrivilege.New()
 		}
 		for _, revokeUser := range n.Users {
-			user := mysqlDb.GetUser(revokeUser.Name, revokeUser.Host, false)
+			user := mysqlDb.GetUser(revokeUser.Name, revokeUser.Host, false, true)
 			if user == nil {
 				return nil, sql.ErrGrantUserDoesNotExist.New()
 			}
@@ -222,7 +222,7 @@ func (n *Revoke) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 			return nil, sql.ErrGrantRevokeIllegalPrivilege.New()
 		}
 		for _, revokeUser := range n.Users {
-			user := mysqlDb.GetUser(revokeUser.Name, revokeUser.Host, false)
+			user := mysqlDb.GetUser(revokeUser.Name, revokeUser.Host, false, true)
 			if user == nil {
 				return nil, sql.ErrGrantUserDoesNotExist.New()
 			}
@@ -243,7 +243,7 @@ func (n *Revoke) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error) {
 			return nil, fmt.Errorf("GRANT has not yet implemented object types")
 		}
 		for _, grantUser := range n.Users {
-			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false)
+			user := mysqlDb.GetUser(grantUser.Name, grantUser.Host, false, true)
 			if user == nil {
 				return nil, sql.ErrGrantUserDoesNotExist.New()
 			}
@@ -590,7 +590,7 @@ func (n *RevokeRole) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedO
 	//TODO: only active roles may be revoked if the SUPER privilege is not held
 	mysqlDb := n.MySQLDb.(*mysql_db.MySQLDb)
 	client := ctx.Session.Client()
-	user := mysqlDb.GetUser(client.User, client.Address, false)
+	user := mysqlDb.GetUser(client.User, client.Address, false, true)
 	if user == nil {
 		return false
 	}
@@ -599,7 +599,7 @@ func (n *RevokeRole) CheckPrivileges(ctx *sql.Context, opChecker sql.PrivilegedO
 		ToUser: user.User,
 	})
 	for _, roleName := range n.Roles {
-		role := mysqlDb.GetUser(roleName.Name, roleName.Host, true)
+		role := mysqlDb.GetUser(roleName.Name, roleName.Host, true, true)
 		if role == nil {
 			return false
 		}
@@ -629,12 +629,12 @@ func (n *RevokeRole) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error)
 	}
 	roleEdgesData := mysqlDb.RoleEdgesTable().Data()
 	for _, targetUser := range n.TargetUsers {
-		user := mysqlDb.GetUser(targetUser.Name, targetUser.Host, false)
+		user := mysqlDb.GetUser(targetUser.Name, targetUser.Host, false, true)
 		if user == nil {
 			return nil, sql.ErrGrantRevokeRoleDoesNotExist.New(targetUser.String("`"))
 		}
 		for _, targetRole := range n.Roles {
-			role := mysqlDb.GetUser(targetRole.Name, targetRole.Host, true)
+			role := mysqlDb.GetUser(targetRole.Name, targetRole.Host, true, true)
 			if role == nil {
 				return nil, sql.ErrGrantRevokeRoleDoesNotExist.New(targetRole.String("`"))
 			}

diff --git a/sql/plan/show_grants.go b/sql/plan/show_grants.go
@@ -154,7 +154,7 @@ func (n *ShowGrants) RowIter(ctx *sql.Context, row sql.Row) (sql.RowIter, error)
 			Host: client.Address,
 		}
 	}
-	user := mysqlDb.GetUser(n.For.Name, n.For.Host, false)
+	user := mysqlDb.GetUser(n.For.Name, n.For.Host, false, true)
 	if user == nil {
 		return nil, sql.ErrShowGrantsUserDoesNotExist.New(n.For.Name, n.For.Host)
 	}