src-d · ajnavarro · Oct 25, 2018 · Oct 23, 2018 · Oct 23, 2018 · Oct 24, 2018
@@ -0,0 +1,53 @@
+package auth
+
+import (
+	"strings"
+
+	"gopkg.in/src-d/go-vitess.v1/mysql"
+)
+
+// Permission holds permissions required by a query or grated to a user.
+type Permission int
+
+const (
+	// ReadPerm means that it reads.
+	ReadPerm Permission = 1 << iota
+	// WritePerm means that it writes.
+	WritePerm
+)
+
+var (
+	// AllPermissions hold all defined permissions.
+	AllPermissions = ReadPerm | WritePerm
+	// DefaultPermissions are the permissions granted to a user if not defined.
+	DefaultPermissions = ReadPerm
+
+	// PermissionNames is used to translate from human and machine
+	// representations.
+	PermissionNames = map[string]Permission{
+		"read":  ReadPerm,
+		"write": WritePerm,
+	}
+
+	// ErrNoPermission is returned when the user lacks needed permissions.
+	ErrNoPermission = "user does not have permission: %s"
+)
+
+// String returns all the permissions set to on.
+func (p Permission) String() string {
+	var str []string
+	for k, v := range PermissionNames {
+		if p&v != 0 {
+			str = append(str, k)
+		}
+	}
+
+	return strings.Join(str, ", ")
+}
+
+// Auth interface provides mysql authentication methods and permission checking
+// for users.
+type Auth interface {
+	Mysql() mysql.AuthServer
+	Allowed(user string, permission Permission) error
+}
@@ -0,0 +1,142 @@
+package auth
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"regexp"
+	"strings"
+
+	"gopkg.in/src-d/go-vitess.v1/mysql"
+)
+
+var regNative = regexp.MustCompile(`^\*[0-9A-F]{40}$`)
+
+// ErrUnknownPermission happens when a user permission is not defined.
+const ErrUnknownPermission = "error parsing user file, unknown permission %s"
+
+// nativeUser holds information about credentials and permissions for user.
+type nativeUser struct {
+	Name            string
+	Password        string
+	JSONPermissions []string `json:"Permissions"`
+	Permissions     Permission
+}
+
+// Allowed checks if the user has certain permission.
+func (u nativeUser) Allowed(p Permission) error {
+	if u.Permissions&p == p {
+		return nil
+	}
+
+	// permissions needed but not granted to the user
+	p2 := (^u.Permissions) & p
+
+	return fmt.Errorf(ErrNoPermission, p2)
+}
+
+// NativePassword generates a mysql_native_password string.
+func NativePassword(password string) string {
+	if len(password) == 0 {
+		return ""
+	}
+
+	// native = sha1(sha1(password))
+
+	hash := sha1.New()
+	hash.Write([]byte(password))
+	s1 := hash.Sum(nil)
+
+	hash.Reset()
+	hash.Write(s1)
+	s2 := hash.Sum(nil)
+
+	s := strings.ToUpper(hex.EncodeToString(s2))
+
+	return fmt.Sprintf("*%s", s)
+}
+
+// Native holds mysql_native_password users.
+type Native struct {
+	users map[string]nativeUser
+}
+
+// NewNativeSingle creates a NativeAuth with a single user.
+func NewNativeSingle(name, password string) *Native {
+	users := make(map[string]nativeUser)
+	users[name] = nativeUser{
+		Name:        name,
+		Password:    NativePassword(password),
+		Permissions: AllPermissions,
+	}
+
+	return &Native{users}
+}
+
+// NewNativeFile creates a NativeAuth and loads users from a JSON file.
+func NewNativeFile(file string) (*Native, error) {
+	var data []nativeUser
+
+	raw, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := json.Unmarshal(raw, &data); err != nil {
+		return nil, err
+	}
+
+	users := make(map[string]nativeUser)
+	for _, u := range data {
+		_, ok := users[u.Name]
+		if ok {
+			return nil, fmt.Errorf("duplicate user: %s", u.Name)
+		}
+
+		if !regNative.MatchString(u.Password) {
+			u.Password = NativePassword(u.Password)
+		}
+
+		if len(u.JSONPermissions) == 0 {
+			u.Permissions = DefaultPermissions
+		}
+
+		for _, p := range u.JSONPermissions {
+			perm, ok := PermissionNames[strings.ToLower(p)]
+			if !ok {
+				return nil, fmt.Errorf(ErrUnknownPermission, p)
+			}
+
+			u.Permissions |= perm
+		}
+
+		users[u.Name] = u
+	}
+
+	return &Native{users}, nil
+}
+
+// Mysql implements Auth interface.
+func (s *Native) Mysql() mysql.AuthServer {
+	auth := mysql.NewAuthServerStatic()
+
+	for k, v := range s.users {
+		auth.Entries[k] = []*mysql.AuthServerStaticEntry{
+			{MysqlNativePassword: v.Password},
+		}
+	}
+
+	return auth
+}
+
+// Allowed implements Auth interface.
+func (s *Native) Allowed(name string, permission Permission) error {
+	u, ok := s.users[name]
+	if !ok {
+		return fmt.Errorf(ErrNoPermission, permission)
+	}
+
+	return u.Allowed(permission)
+}
@@ -0,0 +1,16 @@
+package auth
+
+import "gopkg.in/src-d/go-vitess.v1/mysql"
+
+// None is a Auth method that always succeeds.
+type None struct{}
+
+// Mysql implements Auth interface.
+func (n *None) Mysql() mysql.AuthServer {
+	return new(mysql.AuthServerNone)
+}
+
+// Mysql implements Auth interface.
+func (n *None) Allowed(user string, permission Permission) error {
+	return nil
+}
@@ -3,6 +3,7 @@ package sqle // import "gopkg.in/src-d/go-mysql-server.v0"
 import (
 	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/sirupsen/logrus"
+	"gopkg.in/src-d/go-mysql-server.v0/auth"
 	"gopkg.in/src-d/go-mysql-server.v0/sql"
 	"gopkg.in/src-d/go-mysql-server.v0/sql/analyzer"
 	"gopkg.in/src-d/go-mysql-server.v0/sql/expression/function"
@@ -14,12 +15,15 @@ import (
 type Config struct {
 	// VersionPostfix to display with the `VERSION()` UDF.
 	VersionPostfix string
+	// Auth used for authentication and authorization.
+	Auth auth.Auth
 }
 
 // Engine is a SQL engine.
 type Engine struct {
 	Catalog  *sql.Catalog
 	Analyzer *analyzer.Analyzer
+	Auth     auth.Auth
 }
 
 // New creates a new Engine with custom configuration. To create an Engine with
@@ -33,7 +37,15 @@ func New(c *sql.Catalog, a *analyzer.Analyzer, cfg *Config) *Engine {
 	c.RegisterFunctions(function.Defaults)
 	c.RegisterFunction("version", sql.FunctionN(function.NewVersion(versionPostfix)))
 
-	return &Engine{c, a}
+	// use auth.None if auth is not specified
+	var au auth.Auth
+	if cfg == nil || cfg.Auth == nil {
+		au = new(auth.None)
+	} else {
+		au = cfg.Auth
+	}
+
+	return &Engine{c, a, au}
 }
 
 // NewDefault creates a new default Engine.

@@ -55,18 +55,29 @@ func (s *SessionManager) nextPid() uint64 {
 	return s.pid
 }
 
-// NewSession creates a Session for the given connection.
+// newSession creates a Session for the given connection.
+func (s *SessionManager) newSession(conn *mysql.Conn) sql.Session {
+	return s.builder(conn, s.addr)
+}
+
+// NewSession creates a Session for the given connection and saves it to
+// session pool.
 func (s *SessionManager) NewSession(conn *mysql.Conn) {
 	s.mu.Lock()
-	s.sessions[conn.ConnectionID] = s.builder(conn, s.addr)
+	s.sessions[conn.ConnectionID] = s.newSession(conn)
 	s.mu.Unlock()
 }
 
 // NewContext creates a new context for the session at the given conn.
 func (s *SessionManager) NewContext(conn *mysql.Conn) *sql.Context {
 	s.mu.Lock()
-	sess := s.sessions[conn.ConnectionID]
+	sess, ok := s.sessions[conn.ConnectionID]
+	if !ok {
+		sess = s.newSession(conn)
+		s.sessions[conn.ConnectionID] = sess
+	}
 	s.mu.Unlock()
+
 	context := sql.NewContext(
 		context.Background(),
 		sql.WithSession(sess),

@@ -49,7 +49,6 @@ func (h *Handler) NewConnection(c *mysql.Conn) {
 	}
 	h.mu.Unlock()
 
-	h.sm.NewSession(c)
 	logrus.Infof("NewConnection: client %v", c.ConnectionID)
 }
 

@@ -174,7 +174,7 @@ func TestHandlerKill(t *testing.T) {
 	conn2 := newConn(2)
 	handler.NewConnection(conn2)
 
-	require.Len(handler.sm.sessions, 2)
+	require.Len(handler.sm.sessions, 0)
 	require.Len(handler.c, 2)
 
 	err := handler.ComQuery(conn2, "KILL QUERY 1", func(res *sqltypes.Result) error {
@@ -183,7 +183,7 @@ func TestHandlerKill(t *testing.T) {
 
 	require.NoError(err)
 
-	require.Len(handler.sm.sessions, 2)
+	require.Len(handler.sm.sessions, 1)
 	require.Len(handler.c, 2)
 	require.Equal(conn1, handler.c[1])
 	require.Equal(conn2, handler.c[2])
@@ -193,7 +193,7 @@ func TestHandlerKill(t *testing.T) {
 	})
 	require.NoError(err)
 
-	require.Len(handler.sm.sessions, 1)
+	require.Len(handler.sm.sessions, 0)
 	require.Len(handler.c, 1)
 	require.Equal(conn1, handler.c[1])
 }
@@ -5,6 +5,7 @@ import (
 
 	opentracing "github.com/opentracing/opentracing-go"
 	"gopkg.in/src-d/go-mysql-server.v0"
+	"gopkg.in/src-d/go-mysql-server.v0/auth"
 
 	"gopkg.in/src-d/go-vitess.v1/mysql"
 )
@@ -21,7 +22,7 @@ type Config struct {
 	// Address of the server.
 	Address string
 	// Auth of the server.
-	Auth mysql.AuthServer
+	Auth auth.Auth
 	// Tracer to use in the server. By default, a noop tracer will be used if
 	// no tracer is provided.
 	Tracer opentracing.Tracer
@@ -54,7 +55,8 @@ func NewServer(cfg Config, e *sqle.Engine, sb SessionBuilder) (*Server, error) {
 	}
 
 	handler := NewHandler(e, NewSessionManager(sb, tracer, cfg.Address))
-	l, err := mysql.NewListener(cfg.Protocol, cfg.Address, cfg.Auth, handler, cfg.ConnReadTimeout, cfg.ConnWriteTimeout)
+	a := cfg.Auth.Mysql()
+	l, err := mysql.NewListener(cfg.Protocol, cfg.Address, a, handler, cfg.ConnReadTimeout, cfg.ConnWriteTimeout)
 	if err != nil {
 		return nil, err
 	}

@@ -6,6 +6,7 @@ import (
 	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/src-d/go-errors.v1"
+	"gopkg.in/src-d/go-mysql-server.v0/auth"
 	"gopkg.in/src-d/go-mysql-server.v0/sql"
 )
 
@@ -46,6 +47,11 @@ func (ab *Builder) WithParallelism(parallelism int) *Builder {
 	return ab
 }
 
+// WithAuth adds add authorization rule.
+func (ab *Builder) WithAuth(a auth.Auth) *Builder {
+	return ab.AddPostValidationRule(CheckAuthorizationRule, CheckAuthorization(a))
+}
+
 // ReadOnly adds a rule that only allows read queries.
 func (ab *Builder) ReadOnly() *Builder {
 	return ab.AddPreAnalyzeRule(EnsureReadOnlyRule, EnsureReadOnly)
-Original file line number
+Diff line change
@@ Expand Up / @@ -49,7 +49,6 @@ func (h *Handler) NewConnection(c *mysql.Conn) { @@
     	}
     	h.mu.Unlock()
-    	h.sm.NewSession(c)
     	logrus.Infof("NewConnection: client %v", c.ConnectionID)
     }
@@ Expand Down @@