Address review comments, add unit test

vaintroub · vaintroub · commit 4b31e6dc95c7 · 2016-01-27T16:34:05.000+01:00
diff --git a/mysql-test/r/auth_named_pipe.result b/mysql-test/r/auth_named_pipe.result
@@ -0,0 +1,10 @@
+INSTALL SONAME 'auth_named_pipe';
+CREATE USER USERNAME IDENTIFIED WITH named_pipe;
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+USERNAME@localhost	USERNAME@%
+DROP USER USERNAME;
+CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
+ERROR 28000: Access denied for user 'nosuchuser'@'localhost'
+DROP USER nosuchuser;
+UNINSTALL SONAME 'auth_named_pipe';
diff --git a/mysql-test/t/auth_named_pipe-master.opt b/mysql-test/t/auth_named_pipe-master.opt
@@ -0,0 +1 @@
+--loose-enable-named-pipe
diff --git a/mysql-test/t/auth_named_pipe.test b/mysql-test/t/auth_named_pipe.test
@@ -0,0 +1,23 @@
+--source include/windows.inc
+
+INSTALL SONAME 'auth_named_pipe';
+
+--replace_result $USERNAME USERNAME
+eval CREATE USER $USERNAME IDENTIFIED WITH named_pipe;
+# Connect using named pipe, correct username
+connect(pipe_con,localhost,$USERNAME,,,,,PIPE);
+--replace_result $USERNAME USERNAME
+SELECT USER(),CURRENT_USER();
+disconnect pipe_con;
+connection default;
+--replace_result $USERNAME USERNAME
+eval DROP USER $USERNAME;
+
+# test invalid user name
+CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
+--disable_query_log
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+connect(pipe_con,localhost,nosuchuser,,,,,PIPE);
+--enable_query_log
+DROP USER nosuchuser;
+UNINSTALL SONAME 'auth_named_pipe';
diff --git a/plugin/auth_pipe/CMakeLists.txt b/plugin/auth_pipe/CMakeLists.txt
@@ -1,19 +1,3 @@
-# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
-# 
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 of the
-# License.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
-
 IF(WIN32)
-  MYSQL_ADD_PLUGIN(auth_pipe auth_pipe.c MODULE_ONLY)
+  MYSQL_ADD_PLUGIN(auth_named_pipe auth_pipe.c)
 ENDIF()
diff --git a/plugin/auth_pipe/auth_pipe.c b/plugin/auth_pipe/auth_pipe.c
@@ -17,86 +17,54 @@
 /**
   @file
 
-  auth_pipd authentication plugin.
+  auth_pipe authentication plugin.
 
-  Authentication is successful if the connection is done via a named pip and
-  the owner of the client process matches the user name that was used when
-  connecting to mysqld.
+  Authentication is successful if the connection is done via a named pipe 
+  pipe peer name matches mysql user name
 */
 
-
 #include <mysql/plugin_auth.h>
 #include <string.h>
 #include <lmcons.h>
 
 
-
-
-
 /**
-  perform the named pipe�based authentication
-
-  This authentication callback performs a named pipe based authentication -
-  it gets the uid of the client process and considers the user authenticated
-  if it uses username of this uid. That is - if the user is already
-  authenticated to the OS (if she is logged in) - she can use MySQL as herself
+  This authentication callback obtains user name using named pipe impersonation
 */
-
 static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 {
   unsigned char *pkt;
-  PTOKEN_USER pTokenUser= NULL;
-  HANDLE hToken;
   MYSQL_PLUGIN_VIO_INFO vio_info;
-  DWORD dLength= 0;
-  int Ret= CR_ERROR;
-  TCHAR username[UNLEN + 1];
-  DWORD username_length= UNLEN + 1;
-  char domainname[DNLEN + 1];
-  DWORD domainsize=DNLEN + 1;
-  SID_NAME_USE sidnameuse;
+  char username[UNLEN + 1];
+  size_t username_length;
+  int ret;
 
   /* no user name yet ? read the client handshake packet with the user name */
   if (info->user_name == 0)
   {
     if (vio->read_packet(vio, &pkt) < 0)
       return CR_ERROR;
   }
-
   info->password_used= PASSWORD_USED_NO_MENTION;
-
   vio->info(vio, &vio_info);
   if (vio_info.protocol != MYSQL_VIO_PIPE)
     return CR_ERROR;
 
-  /* get the UID of the client process */
+  /* Impersonate the named pipe peer, and retrieve the user name */
   if (!ImpersonateNamedPipeClient(vio_info.handle))
     return CR_ERROR;
-  
-  if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken))
-    goto end;
-   
- /* determine length of TokenUser */
- GetTokenInformation(hToken, TokenUser, NULL, 0, &dLength);
- if (!dLength)
-   goto end;
-
- if (!(pTokenUser= (PTOKEN_USER)LocalAlloc(0, dLength)))
-   goto end;
-
- if (!GetTokenInformation(hToken, TokenUser, (PVOID)pTokenUser, dLength, &dLength))
-   goto end;
-
- if (!LookupAccountSid(NULL, pTokenUser->User.Sid, username, &username_length, domainname, &domainsize, &sidnameuse))
-   goto end;
 
- Ret= strcmp(username, info->user_name) ? CR_ERROR : CR_OK;
-end:
-  if (pTokenUser)
-    LocalFree(pTokenUser);
+  username_length= sizeof(username) - 1;
+  ret= CR_ERROR;
+  if (GetUserName(username, &username_length))
+  {
+    /* Always compare names case-insensitive on Windows.*/
+    if (_stricmp(username, info->user_name) == 0)
+      ret= CR_OK;
+  }
   RevertToSelf();
-  /* now it's simple as that */
-  return Ret;
+
+  return ret;
 }
 
 static struct st_mysql_auth pipe_auth_handler=
@@ -106,11 +74,11 @@ static struct st_mysql_auth pipe_auth_handler=
   pipe_auth
 };
 
-maria_declare_plugin(socket_auth)
+maria_declare_plugin(auth_named_pipe)
 {
   MYSQL_AUTHENTICATION_PLUGIN,
   &pipe_auth_handler,
-  "windows_pipe",
+  "named_pipe",
   "Vladislav Vaintroub, Georg Richter",
   "Windows named pipe based authentication",
   PLUGIN_LICENSE_GPL,
