Bug #20041925: MAKE AUTH_SOCKET MORE FLEXIBLE

Before this fix the unix socket auth plugin returned true only when
the OS socket user id matches the mysql user name.
The authentication string was ignored.

This will still work, but in addition to this (if the comparison fails)
the socket user id is compared to the authentication_string too.

So effectively this plugin will now return a positive if the socket's
user name matches ether the mysql account user name or the mysql account
authentication string now.

Made the plugin to fill in the @@external_user variable.

Fixed a bug in how @@external_user's variable value was formed
(it was a copy of @@proxy_user instead of the value returned by the plugin).

Tests updated to reflect the proper @@external_user value.

Author: gkodinov

mysql-test/r/plugin_auth.result

@@ -234,7 +234,7 @@ NULL
 # in connection plug_con
 SELECT @@LOCAL.external_user;
 @@LOCAL.external_user
-'plug'@'%'
+plug_dest
 # in connection default
 WL#5706 -- show the above got logged/rewritten correctly
 SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('%IDENTIFIED ','WITH %');

mysql-test/r/plugin_auth_qa_2.result

@@ -46,7 +46,7 @@ NULL
 exec MYSQL PLUGIN_AUTH_OPT -h localhost -P MASTER_MYPORT -u qa_test_2_user --password=qa_test_2_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 mysql: [Warning] Using a password on the command line interface can be insecure.
 current_user()	user()	@@local.proxy_user	@@local.external_user
-authenticated_as@%	user_name@localhost	'qa_test_2_user'@'%'	'qa_test_2_user'@'%'
+authenticated_as@%	user_name@localhost	'qa_test_2_user'@'%'	externaluser
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 user	plugin	authentication_string
 authenticated_as	mysql_native_password	
@@ -63,7 +63,7 @@ GRANT PROXY ON qa_test_3_dest TO qa_test_3_user;
 exec MYSQL PLUGIN_AUTH_OPT -h localhost -P MASTER_MYPORT -u qa_test_3_user --password=qa_test_3_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 mysql: [Warning] Using a password on the command line interface can be insecure.
 current_user()	user()	@@local.proxy_user	@@local.external_user
-qa_test_3_dest@%	qa_test_3_user@localhost	'qa_test_3_user'@'%'	'qa_test_3_user'@'%'
+qa_test_3_dest@%	qa_test_3_user@localhost	'qa_test_3_user'@'%'	qa_test_3_dest
 DROP USER qa_test_3_user;
 DROP USER qa_test_3_dest;
 === Assign too low values for *length, which should have no effect ====
@@ -74,7 +74,7 @@ GRANT PROXY ON qa_test_4_dest TO qa_test_4_user;
 exec MYSQL PLUGIN_AUTH_OPT -h localhost -P MASTER_MYPORT -u qa_test_4_user --password=qa_test_4_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 mysql: [Warning] Using a password on the command line interface can be insecure.
 current_user()	user()	@@local.proxy_user	@@local.external_user
-qa_test_4_dest@%	qa_test_4_user@localhost	'qa_test_4_user'@'%'	'qa_test_4_user'@'%'
+qa_test_4_dest@%	qa_test_4_user@localhost	'qa_test_4_user'@'%'	qa_test_4_dest
 DROP USER qa_test_4_user;
 DROP USER qa_test_4_dest;
 === Assign empty string especially to authenticated_as (in plugin) ====

mysql-test/r/plugin_auth_qa_3.result

@@ -5,7 +5,7 @@ GRANT PROXY ON qa_test_11_dest TO qa_test_11_user;
 exec MYSQL PLUGIN_AUTH_OPT --default_auth=qa_auth_client -h localhost -P MASTER_MYPORT -u qa_test_11_user --password=qa_test_11_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 mysql: [Warning] Using a password on the command line interface can be insecure.
 current_user()	user()	@@local.proxy_user	@@local.external_user
-qa_test_11_dest@%	qa_test_11_user@localhost	'qa_test_11_user'@'%'	'qa_test_11_user'@'%'
+qa_test_11_dest@%	qa_test_11_user@localhost	'qa_test_11_user'@'%'	NULL
 exec MYSQL PLUGIN_AUTH_OPT --default_auth=qa_auth_client -h localhost -P MASTER_MYPORT -u qa_test_2_user --password=qa_test_11_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 mysql: [Warning] Using a password on the command line interface can be insecure.
 ERROR 1045 (28000): Access denied for user 'qa_test_2_user'@'localhost' (using password: YES)

plugin/auth/auth_socket.c

@@ -61,13 +61,20 @@ static int socket_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
   if (cred_len != sizeof(cred))
     return CR_ERROR;
 
-  /* and find the username for this uid */
+  /* and find the socket user name for this uid */
   getpwuid_r(cred.uid, &pwd_buf, buf, sizeof(buf), &pwd);
   if (pwd == NULL)
     return CR_ERROR;
 
-  /* now it's simple as that */
-  return strcmp(pwd->pw_name, info->user_name) ? CR_ERROR : CR_OK;
+  /* fill in the external user name used */
+  strncpy(info->external_user, pwd->pw_name, sizeof(info->external_user) - 1);
+  info->external_user[sizeof(info->external_user) - 1]= 0;
+
+  if (!strcmp(pwd->pw_name, info->user_name) ||
+      !strcmp(pwd->pw_name, info->auth_string))
+    return CR_OK;
+  else
+    return CR_ERROR;
 }
 
 static struct st_mysql_auth socket_auth_handler=
@@ -87,7 +94,7 @@ mysql_declare_plugin(socket_auth)
   PLUGIN_LICENSE_GPL,
   NULL,
   NULL,
-  0x0100,
+  0x0101,
   NULL,
   NULL,
   NULL,

sql/sys_vars.h

@@ -595,8 +595,10 @@ class Sys_var_external_user : public Sys_var_proxy_user
 protected:
   virtual uchar *session_value_ptr(THD *thd, LEX_STRING *base)
   {
-    return thd->security_ctx->proxy_user[0] ?
-      (uchar *) &(thd->security_ctx->proxy_user[0]) : NULL;
+    String *external_user= thd->security_ctx->get_external_user();
+
+    return external_user && external_user->length() ?
+      (uchar *) external_user->c_ptr_quick() : NULL;
   }
 };