Skip to content

Commit e0601da

Browse files
fulghumfulghum
authored
Merge pull request #3291 from dolthub/fulghum/mutual_tls
Add support for configuring a user's TLS connection requirements
2 parents 312762f + 4177216 commit e0601da

File tree

7 files changed

+272
-334
lines changed

7 files changed

+272
-334
lines changed

enginetest/queries/priv_auth_queries.go

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ import (
2222

2323
sqle "github.com/dolthub/go-mysql-server"
2424
"github.com/dolthub/go-mysql-server/sql"
25+
"github.com/dolthub/go-mysql-server/sql/encodings"
2526
"github.com/dolthub/go-mysql-server/sql/mysql_db"
2627
"github.com/dolthub/go-mysql-server/sql/plan"
2728
"github.com/dolthub/go-mysql-server/sql/types"
@@ -772,6 +773,48 @@ var UserPrivTests = []UserPrivilegeTest{
772773
},
773774
},
774775
},
776+
{
777+
Name: "User creation with SSL/TLS requirements",
778+
SetUpScript: []string{
779+
"CREATE USER testuser1@`127.0.0.1` REQUIRE NONE;",
780+
"CREATE USER testuser2@`127.0.0.1` REQUIRE SSL;",
781+
"CREATE USER testuser3@`127.0.0.1` REQUIRE X509;",
782+
"CREATE USER testuser4@`127.0.0.1` IDENTIFIED WITH caching_sha2_password by 'pass1' REQUIRE X509;",
783+
"CREATE USER testuser5@`127.0.0.1` REQUIRE SUBJECT 'cert_subject';",
784+
"CREATE USER testuser6@`127.0.0.1` REQUIRE ISSUER 'cert_issuer';",
785+
"CREATE USER testuser7@`127.0.0.1` REQUIRE CIPHER 'cipher';",
786+
},
787+
Assertions: []UserPrivilegeTestAssertion{
788+
{
789+
Query: "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser1';",
790+
Expected: []sql.Row{{"testuser1", "", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
791+
},
792+
{
793+
Query: "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser2';",
794+
Expected: []sql.Row{{"testuser2", "ANY", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
795+
},
796+
{
797+
Query: "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser3';",
798+
Expected: []sql.Row{{"testuser3", "X509", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
799+
},
800+
{
801+
Query: "select user, plugin, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser4';",
802+
Expected: []sql.Row{{"testuser4", "caching_sha2_password", "X509", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
803+
},
804+
{
805+
Query: "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser5';",
806+
Expected: []sql.Row{{"testuser5", "SPECIFIED", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("cert_subject")}},
807+
},
808+
{
809+
Query: "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser6';",
810+
Expected: []sql.Row{{"testuser6", "SPECIFIED", encodings.StringToBytes(""), encodings.StringToBytes("cert_issuer"), encodings.StringToBytes("")}},
811+
},
812+
{
813+
Query: "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser7';",
814+
Expected: []sql.Row{{"testuser7", "SPECIFIED", encodings.StringToBytes("cipher"), encodings.StringToBytes(""), encodings.StringToBytes("")}},
815+
},
816+
},
817+
},
775818
{
776819
Name: "Dynamic privilege support",
777820
SetUpScript: []string{

sql/mysql_db/fbs/mysql_db.fbs

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,10 @@ table User {
5454
locked:bool;
5555
attributes:string; // represents *string
5656
identity:string;
57+
ssl_type:string;
58+
ssl_cipher:string;
59+
x509_issuer:string;
60+
x509_subject:string;
5761
}
5862

5963
// Entries in the role_edges table

sql/mysql_db/mysql_db_load.go

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -137,6 +137,10 @@ func LoadUser(serialUser *serial.User) *User {
137137
Locked: serialUser.Locked(),
138138
Attributes: attributes,
139139
Identity: string(serialUser.Identity()),
140+
SslType: string(serialUser.SslType()),
141+
SslCipher: string(serialUser.SslCipher()),
142+
X509Issuer: string(serialUser.X509Issuer()),
143+
X509Subject: string(serialUser.X509Subject()),
140144
}
141145
}
142146

sql/mysql_db/mysql_db_serialize.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -172,6 +172,10 @@ func serializeUser(b *flatbuffers.Builder, users []*User) flatbuffers.UOffsetT {
172172
authString := b.CreateString(user.AuthString)
173173
attributes := serializeAttributes(b, user.Attributes)
174174
identity := b.CreateString(user.Identity)
175+
sslType := b.CreateString(user.SslType)
176+
sslCipher := b.CreateString(user.SslCipher)
177+
x509Issuer := b.CreateString(user.X509Issuer)
178+
x509Subject := b.CreateString(user.X509Subject)
175179

176180
serial.UserStart(b)
177181
serial.UserAddUser(b, userName)
@@ -183,6 +187,10 @@ func serializeUser(b *flatbuffers.Builder, users []*User) flatbuffers.UOffsetT {
183187
serial.UserAddLocked(b, user.Locked)
184188
serial.UserAddAttributes(b, attributes)
185189
serial.UserAddIdentity(b, identity)
190+
serial.UserAddSslType(b, sslType)
191+
serial.UserAddSslCipher(b, sslCipher)
192+
serial.UserAddX509Issuer(b, x509Issuer)
193+
serial.UserAddX509Subject(b, x509Subject)
186194

187195
offsets[len(users)-i-1] = serial.UserEnd(b) // reverse order
188196
}

0 commit comments

Comments
 (0)