/* Copyright (c) 2020, 2025, Oracle and/or its affiliates.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, version 2.0,
as published by the Free Software Foundation.
This program is designed to work with certain software (including
but not limited to OpenSSL) that is licensed under separate terms,
as designated in a particular file or component or in included license
documentation. The authors of MySQL hereby grant you an additional
permission to link the program and your derivative works with the
separately licensed software that they have either included with
the program or referenced in the documentation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License, version 2.0, for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#ifndef AUTH_LDAP_SASL_MECHANISM_H_
#define AUTH_LDAP_SASL_MECHANISM_H_
#include "my_config.h"
#ifdef HAVE_SASL_SASL_H
#include <sys/types.h>
#endif
#include <sasl/sasl.h>
#include <string>
#if defined(KERBEROS_LIB_CONFIGURED)
#include "auth_ldap_kerberos.h"
#endif
namespace auth_ldap_sasl_client {
/**
  Client-side error code; its name suggests it flags an unknown or unsupported
  SASL mechanism (the use site is in the .cc, not visible here).
  NOTE(review): Cyrus SASL's <sasl/sasl.h> also defines SASL_NOMEM as -2, so if
  this value ever travels the same int return path as library result codes the
  two cannot be told apart -- confirm how callers distinguish them.
*/
constexpr int SASL_ERROR_INVALID_METHOD = -2;
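/**
  Base class representing a SASL mechanism. Concrete mechanisms derive from it
  and override the virtual hooks below; the base class supplies no-op defaults
  so a mechanism only implements the steps it actually needs.

  Lifetime: the mechanism name is stored as a raw pointer (see the constructor),
  not copied, so the string passed in must outlive the object. The intended
  arguments are the static SASL_* name constants declared in this class.
*/
class Sasl_mechanism {
 public:
  /** GSSAPI mechanism name */
  static const char SASL_GSSAPI[];
  /** SCRAM-SHA-1 mechanism name */
  static const char SASL_SCRAM_SHA1[];
  /** SCRAM-SHA-256 mechanism name */
  static const char SASL_SCRAM_SHA256[];

  /**
    Virtual destructor, so an object created through the factory can be
    deleted through a Sasl_mechanism pointer.
  */
  virtual ~Sasl_mechanism() = default;

  /**
    Preauthentication step, e.g. obtaining a Kerberos ticket. Most mechanisms
    do not need it, so the default implementation does nothing and reports
    success.

    Overrides receive the clear-text password; treat it as a secret (do not
    log it, do not keep a copy beyond what the step requires). Callers must
    check the result: continuing after a failed preauthentication means
    authenticating without the credential the mechanism needs.

    @param user     [in] user name
    @param password [in] user password
    @retval true  success (always, for this default implementation)
    @retval false failure
  */
  virtual bool preauthenticate([[maybe_unused]] const char *user,
                               [[maybe_unused]] const char *password) {
    return true;
  }

  /**
    Get the LDAP host. Most mechanisms cannot supply one, so the default
    returns nullptr.
    @return LDAP host URL, or nullptr when unavailable
  */
  virtual const char *get_ldap_host() { return nullptr; }

  /**
    Get a default user name. Called when the client was given no user name.
    Most mechanisms have none, so the default reports failure and leaves
    @p name untouched.
    @param name [out] default user name
    @retval true  a default name was written to @p name
    @retval false no default name available
  */
  virtual bool get_default_user([[maybe_unused]] std::string &name) {
    return false;
  }

  /**
    Get the SASL callbacks the mechanism registers with the SASL library.
    @return callback array, or nullptr when the mechanism registers none
  */
  virtual const sasl_callback_t *get_callbacks() { return nullptr; }

  /**
    Get the constant string naming the mechanism (the pointer given to the
    constructor).
    @return mechanism name
  */
  const char *get_mechanism_name() const { return m_mechanism_name; }

  /**
    Whether the authentication must be concluded by a final message from the
    MySQL server. Most mechanisms do not need this, so the base returns false.
    @return false
  */
  virtual bool require_conclude_by_server() { return false; }

  /**
    SASL mechanism factory. Creates a mechanism object matching the given
    mechanism name.

    Ownership: the created object is handed back through a raw pointer, so the
    caller is presumably responsible for deleting it (via the virtual
    destructor) -- confirm against the definition in the .cc.

    @param mechanism_name [in]  name of the mechanism
    @param mechanism      [out] created mechanism object
    @retval true  success
    @retval false failure
  */
  static bool create_sasl_mechanism(const char *mechanism_name,
                                    Sasl_mechanism *&mechanism);

 protected:
  /**
    Constructor. Protected so the base class cannot be instantiated directly;
    explicit so a bare string never silently converts to a mechanism object.
    The pointer is stored as-is (no copy), hence the lifetime rule above.
    @param mechanism_name [in] name of the mechanism
  */
  explicit Sasl_mechanism(const char *mechanism_name)
      : m_mechanism_name(mechanism_name) {}

 private:
  /** array of SASL callbacks (defined out of line) */
  static const sasl_callback_t callbacks[];
  /** name of the mechanism; points to caller-owned, long-lived storage */
  const char *m_mechanism_name;
};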
#if defined(KERBEROS_LIB_CONFIGURED)
/**
  GSSAPI/Kerberos SASL mechanism.

  Unlike the SCRAM mechanisms this one overrides every hook: it has a real
  preauthentication step (obtaining a Kerberos ticket), can report the LDAP
  host and a default user name, and requires the MySQL server to conclude the
  exchange.
*/
class Sasl_mechanism_kerberos : public Sasl_mechanism {
 public:
  /** Constructs the mechanism under the GSSAPI name. */
  Sasl_mechanism_kerberos() : Sasl_mechanism(SASL_GSSAPI) {}

  /** Destructor. */
  ~Sasl_mechanism_kerberos() override = default;

  /**
    Preauthentication step: obtains a Kerberos ticket (defined out of line).
    The password is a clear-text secret; it should only be handed to the
    Kerberos helper and never logged.

    @param user     [in] user name
    @param password [in] user password
    @retval true  success
    @retval false failure
  */
  bool preauthenticate(const char *user, const char *password) override;

  /**
    Get the LDAP host (defined out of line). The returned pointer presumably
    refers to m_ldap_server_host and is therefore only valid while this object
    lives -- confirm against the definition.

    @return LDAP host URL, or nullptr on failure
  */
  const char *get_ldap_host() override;

  /**
    Supplies the default principal as user name when the client was given none
    (defined out of line).

    @param name [out] default user name
    @retval true  success
    @retval false failure
  */
  bool get_default_user(std::string &name) override;

  /**
    Get the SASL callbacks this mechanism registers.
    @return array of callbacks
  */
  const sasl_callback_t *get_callbacks() override {
    return callbacks;
  }

  /**
    GSSAPI exchanges must be concluded by the MySQL server.
    @return true
  */
  bool require_conclude_by_server() override {
    return true;
  }

 private:
  /** URL of the LDAP server */
  std::string m_ldap_server_host;
  /** Kerberos helper used for ticket acquisition */
  Kerberos m_kerberos;
  /** Callbacks returned by get_callbacks() (defined out of line) */
  static const sasl_callback_t callbacks[];
};
#endif
#if defined(SCRAM_LIB_CONFIGURED)
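/**
  SCRAM family of SASL mechanisms (currently SCRAM-SHA-1 and SCRAM-SHA-256).

  Both variants share this class; the only difference between them is the
  mechanism name passed to the base class.
*/
class Sasl_mechanism_scram : public Sasl_mechanism {
 public:
  /**
    Constructor.

    The name is stored by pointer in the base class, not copied, so it must
    outlive this object; pass Sasl_mechanism::SASL_SCRAM_SHA1 or
    Sasl_mechanism::SASL_SCRAM_SHA256. Made explicit so a bare string cannot
    silently convert into a mechanism object.

    @param mechanism_name [in] name of the mechanism
  */
  explicit Sasl_mechanism_scram(const char *mechanism_name)
      : Sasl_mechanism(mechanism_name) {}

  /** Destructor. */
  ~Sasl_mechanism_scram() override = default;

  /**
    Get the SASL callbacks this mechanism registers.
    @return array of callbacks
  */
  const sasl_callback_t *get_callbacks() override { return callbacks; }

 private:
  /** Callbacks returned by get_callbacks() (defined out of line) */
  static const sasl_callback_t callbacks[];
};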
#endif
} // namespace auth_ldap_sasl_client
#endif // AUTH_LDAP_SASL_MECHANISM_H_