Skip to content

Commit f777a2f

Browse files
mohitkhullarmohitkhullar
committed
Check for passwords along with IAM
Signed-off-by: mohitkhullar <[email protected]>
1 parent 5112760 commit f777a2f

File tree

1 file changed

+43
-77
lines changed

1 file changed

+43
-77
lines changed

db/db_access.c

Lines changed: 43 additions & 77 deletions
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,19 @@ void get_client_origin(char *out, size_t outlen, struct sqlclntstate *clnt) {
7171
clnt->conninfo.pid);
7272
}
7373

74+
static void report_access_denied(const char *action, const char *table, const char *user, int bdberr, errstat_t *err) {
75+
char msg[1024];
76+
if (bdberr)
77+
snprintf(msg, sizeof(msg), "%s access denied to table %s for user %s bdberr=%d", action, table, user, bdberr);
78+
else
79+
snprintf(msg, sizeof(msg), "%s access denied to table %s for user %s", action, table, user);
80+
logmsg(LOGMSG_INFO, "%s\n", msg);
81+
if (err) {
82+
errstat_set_rc(err, SQLITE_ACCESS);
83+
errstat_set_str(err, msg);
84+
}
85+
}
86+
7487
int gbl_fdb_auth_error = 0;
7588

7689
/* If user password does not match this function
@@ -126,7 +139,8 @@ int check_user_password(struct sqlclntstate *clnt)
126139
clnt->allow_make_request = 1;
127140
ATOMIC_ADD64(gbl_num_auth_allowed, 1);
128141
}
129-
return rc;
142+
if (rc || !gbl_uses_password)
143+
return rc;
130144
}
131145

132146
if ((!remsql_warned || gbl_fdb_auth_error) && (!gbl_uses_password && !gbl_uses_externalauth) &&
@@ -260,11 +274,7 @@ int access_control_check_sql_write(struct BtCursor *pCur,
260274
if ((authdata = get_authdata(clnt)) != NULL)
261275
clnt->authdata = authdata;
262276
char client_info[1024];
263-
snprintf(client_info, sizeof(client_info),
264-
"%s:origin:%s:pid:%d",
265-
clnt->argv0 ? clnt->argv0 : "?",
266-
clnt->origin ? clnt->origin: "?",
267-
clnt->conninfo.pid);
277+
get_client_origin(client_info, sizeof(client_info), clnt);
268278
if (!clnt->authdata && clnt->secure && !gbl_allow_anon_id_for_spmux) {
269279
return reject_anon_id(clnt);
270280
}
@@ -273,35 +283,23 @@ int access_control_check_sql_write(struct BtCursor *pCur,
273283
clnt->argv0 ? clnt->argv0 : "???", clnt->conninfo.pid, clnt->conninfo.node);
274284
} else if (externalComdb2AuthenticateUserWrite(clnt->authdata, table_name, client_info)) {
275285
ATOMIC_ADD64(gbl_num_auth_denied, 1);
276-
char msg[1024];
277-
snprintf(msg, sizeof(msg), "Write access denied to table %s for user %s",
278-
table_name, clnt->externalAuthUser ? clnt->externalAuthUser : "");
279-
logmsg(LOGMSG_INFO, "%s\n", msg);
280-
errstat_set_rc(&thd->clnt->osql.xerr, SQLITE_ACCESS);
281-
errstat_set_str(&thd->clnt->osql.xerr, msg);
286+
report_access_denied("Write", table_name, clnt->externalAuthUser ? clnt->externalAuthUser : "", 0, &thd->clnt->osql.xerr);
282287
return SQLITE_ABORT;
283288
}
284-
} else {
285-
/* Check read access if its not user schema. */
286-
/* Check it only if engine is open already. */
287-
if (gbl_uses_password && !clnt->current_user.bypass_auth && (thd->clnt->in_sqlite_init == 0)) {
288-
rc = bdb_check_user_tbl_access(
289-
pCur->db->dbenv->bdb_env, thd->clnt->current_user.name,
290-
pCur->db->tablename, ACCESS_WRITE, &bdberr);
291-
if (rc != 0) {
292-
ATOMIC_ADD64(gbl_num_auth_denied, 1);
293-
char msg[1024];
294-
snprintf(msg, sizeof(msg),
295-
"Write access denied to %s for user %s bdberr=%d",
296-
table_name, thd->clnt->current_user.name, bdberr);
297-
logmsg(LOGMSG_INFO, "%s\n", msg);
298-
errstat_set_rc(&thd->clnt->osql.xerr, SQLITE_ACCESS);
299-
errstat_set_str(&thd->clnt->osql.xerr, msg);
300-
301-
return SQLITE_ABORT;
302-
}
289+
}
290+
/* Check access if its not user schema. */
291+
/* Check it only if engine is open already. */
292+
if (gbl_uses_password && !clnt->current_user.bypass_auth && (thd->clnt->in_sqlite_init == 0)) {
293+
rc = bdb_check_user_tbl_access(
294+
pCur->db->dbenv->bdb_env, thd->clnt->current_user.name,
295+
pCur->db->tablename, ACCESS_WRITE, &bdberr);
296+
if (rc != 0) {
297+
ATOMIC_ADD64(gbl_num_auth_denied, 1);
298+
report_access_denied("Write", table_name, thd->clnt->current_user.name, bdberr, &thd->clnt->osql.xerr);
299+
return SQLITE_ABORT;
303300
}
304301
}
302+
305303
ATOMIC_ADD64(gbl_num_auth_allowed, 1);
306304
pCur->permissions |= ACCESS_WRITE;
307305
if (clnt->authz_write_tables && table_name) {
@@ -343,43 +341,26 @@ int access_control_check_sql_read(struct BtCursor *pCur, struct sql_thread *thd,
343341
if ((authdata = get_authdata(clnt)) != NULL)
344342
clnt->authdata = authdata;
345343
char client_info[1024];
346-
snprintf(client_info, sizeof(client_info),
347-
"%s:origin:%s:pid:%d",
348-
clnt->argv0 ? clnt->argv0 : "?",
349-
clnt->origin ? clnt->origin: "?",
350-
clnt->conninfo.pid);
344+
get_client_origin(client_info, sizeof(client_info), clnt);
351345
if (!clnt->authdata && clnt->secure && !gbl_allow_anon_id_for_spmux)
352346
return reject_anon_id(clnt);
353347
if (gbl_externalauth_warn && !clnt->authdata) {
354348
logmsg(LOGMSG_INFO, "Client %s pid:%d mach:%d is missing authentication data\n",
355349
clnt->argv0 ? clnt->argv0 : "???", clnt->conninfo.pid, clnt->conninfo.node);
356350
} else if (externalComdb2AuthenticateUserRead(clnt->authdata, table_name, client_info)) {
357351
ATOMIC_ADD64(gbl_num_auth_denied, 1);
358-
char msg[1024];
359-
snprintf(msg, sizeof(msg), "Read access denied to table %s for user %s",
360-
table_name, clnt->externalAuthUser ? clnt->externalAuthUser : "");
361-
logmsg(LOGMSG_INFO, "%s\n", msg);
362-
errstat_set_rc(&thd->clnt->osql.xerr, SQLITE_ACCESS);
363-
errstat_set_str(&thd->clnt->osql.xerr, msg);
352+
report_access_denied("Read", table_name, clnt->externalAuthUser ? clnt->externalAuthUser : "", 0, &thd->clnt->osql.xerr);
364353
return SQLITE_ABORT;
365354
}
366-
} else {
367-
if (gbl_uses_password && !clnt->current_user.bypass_auth && pCur && thd->clnt->in_sqlite_init == 0) {
368-
rc = bdb_check_user_tbl_access(
369-
pCur->db->dbenv->bdb_env, thd->clnt->current_user.name,
370-
pCur->db->tablename, ACCESS_READ, &bdberr);
371-
if (rc != 0) {
372-
ATOMIC_ADD64(gbl_num_auth_denied, 1);
373-
char msg[1024];
374-
snprintf(msg, sizeof(msg),
375-
"Read access denied to %s for user %s bdberr=%d",
376-
table_name, thd->clnt->current_user.name, bdberr);
377-
logmsg(LOGMSG_INFO, "%s\n", msg);
378-
errstat_set_rc(&thd->clnt->osql.xerr, SQLITE_ACCESS);
379-
errstat_set_str(&thd->clnt->osql.xerr, msg);
380-
381-
return SQLITE_ABORT;
382-
}
355+
}
356+
if (gbl_uses_password && !clnt->current_user.bypass_auth && pCur && thd->clnt->in_sqlite_init == 0) {
357+
rc = bdb_check_user_tbl_access(
358+
pCur->db->dbenv->bdb_env, thd->clnt->current_user.name,
359+
pCur->db->tablename, ACCESS_READ, &bdberr);
360+
if (rc != 0) {
361+
ATOMIC_ADD64(gbl_num_auth_denied, 1);
362+
report_access_denied("Read", table_name, thd->clnt->current_user.name, bdberr, &thd->clnt->osql.xerr);
363+
return SQLITE_ABORT;
383364
}
384365
}
385366
if (pCur)
@@ -467,24 +448,15 @@ int comdb2_check_vtab_access(sqlite3 *db, sqlite3_module *module)
467448
&& !clnt->current_user.bypass_auth /* not analyze */) {
468449
clnt->authdata = get_authdata(clnt);
469450
char client_info[1024];
470-
snprintf(client_info, sizeof(client_info),
471-
"%s:origin:%s:pid:%d",
472-
clnt->argv0 ? clnt->argv0 : "?",
473-
clnt->origin ? clnt->origin: "?",
474-
clnt->conninfo.pid);
451+
get_client_origin(client_info, sizeof(client_info), clnt);
475452
if (!clnt->authdata && clnt->secure && !gbl_allow_anon_id_for_spmux)
476453
return reject_anon_id(clnt);
477454
if (gbl_externalauth_warn && !clnt->authdata) {
478455
logmsg(LOGMSG_INFO, "Client %s pid:%d mach:%d is missing authentication data\n",
479456
clnt->argv0 ? clnt->argv0 : "???", clnt->conninfo.pid, clnt->conninfo.node);
480457
} else if (externalComdb2AuthenticateUserRead(clnt->authdata, mod->zName, client_info)) {
481458
ATOMIC_ADD64(gbl_num_auth_denied, 1);
482-
char msg[1024];
483-
snprintf(msg, sizeof(msg), "Read access denied to table %s for user %s",
484-
mod->zName, clnt->externalAuthUser ? clnt->externalAuthUser : "");
485-
logmsg(LOGMSG_INFO, "%s\n", msg);
486-
errstat_set_rc(&thd->clnt->osql.xerr, SQLITE_ACCESS);
487-
errstat_set_str(&thd->clnt->osql.xerr, msg);
459+
report_access_denied("Read", mod->zName, clnt->externalAuthUser ? clnt->externalAuthUser : "", 0, &thd->clnt->osql.xerr);
488460
return SQLITE_ABORT;
489461
}
490462
return SQLITE_OK;
@@ -493,13 +465,7 @@ int comdb2_check_vtab_access(sqlite3 *db, sqlite3_module *module)
493465
thedb->bdb_env, thd->clnt->current_user.name,
494466
(char *)mod->zName, ACCESS_READ, &bdberr);
495467
if (rc != 0) {
496-
char msg[1024];
497-
snprintf(msg, sizeof(msg),
498-
"Read access denied to %s for user %s bdberr=%d",
499-
mod->zName, thd->clnt->current_user.name, bdberr);
500-
logmsg(LOGMSG_INFO, "%s\n", msg);
501-
errstat_set_rc(&thd->clnt->osql.xerr, SQLITE_ACCESS);
502-
errstat_set_str(&thd->clnt->osql.xerr, msg);
468+
report_access_denied("Read", mod->zName, thd->clnt->current_user.name, bdberr, &thd->clnt->osql.xerr);
503469
return SQLITE_AUTH;
504470
}
505471
return SQLITE_OK;

0 commit comments

Comments
 (0)