diff --git a/go/mysql/auth_server.go b/go/mysql/auth_server.go
index bcefa2992a0..be88f2d4178 100644
--- a/go/mysql/auth_server.go
+++ b/go/mysql/auth_server.go
@@ -24,7 +24,6 @@ import (
 "crypto/sha1"
 "crypto/sha256"
 "crypto/subtle"
- "crypto/x509"
 "encoding/hex"
 "net"
 "strings"
@@ -132,7 +131,7 @@ const (
 // such a hash based on the salt and auth response provided here after retrieving
 // the hashed password from the storage.
 type HashStorage interface {
- UserEntryWithHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error)
+ UserEntryWithHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error)
 }
 // PlainTextStorage describes an object that is suitable to retrieve user information
@@ -146,7 +145,7 @@ type HashStorage interface {
 // When comparing plain text passwords directly, please ensure to use `subtle.ConstantTimeCompare`
 // to prevent timing based attacks on the password.
 type PlainTextStorage interface {
- UserEntryWithPassword(userCerts []*x509.Certificate, user string, password string, remoteAddr net.Addr) (Getter, error)
+ UserEntryWithPassword(conn *Conn, user string, password string, remoteAddr net.Addr) (Getter, error)
 }
 // CachingStorage describes an object that is suitable to retrieve user information
@@ -159,7 +158,7 @@ type PlainTextStorage interface {
 // such a hash based on the salt and auth response provided here after retrieving
 // the hashed password from the cache.
 type CachingStorage interface {
- UserEntryWithCacheHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error)
+ UserEntryWithCacheHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error)
 }
 // NewMysqlNativeAuthMethod will create a new AuthMethod that implements the 
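Review bot: The new `conn *Conn` parameter of `UserEntryWithHash` is undocumented: the comment above `HashStorage` still describes only the salt and auth response, so an implementer cannot tell what they are allowed to do with a connection whose handshake is still in progress. Before this change implementations received only a `[]*x509.Certificate`; now they hold the whole connection object and could presumably read from or write to it mid-authentication, which is a wider surface than the cert slice gave them. I would add, on the line before `type HashStorage interface {`: `// conn is the connection being authenticated; implementations may inspect its state (e.g. conn.GetTLSClientCerts()) but must not read from or write to it, as the handshake has not completed.` The same note belongs on `PlainTextStorage` and `CachingStorage` in the two following hunks, which make the identical signature change.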
@@ -507,7 +506,7 @@ func (n *mysqlNativePasswordAuthMethod) HandleAuthPluginData(conn *Conn, user st
 return nil, NewSQLError(ERAccessDeniedError, SSAccessDeniedError, "Access denied for user '%v'", user)
 }
 salt := serverAuthPluginData[:len(serverAuthPluginData)-1]
- return n.storage.UserEntryWithHash(conn.GetTLSClientCerts(), salt, user, clientAuthPluginData, remoteAddr)
+ return n.storage.UserEntryWithHash(conn, salt, user, clientAuthPluginData, remoteAddr)
 }
 type mysqlClearAuthMethod struct {
@@ -532,7 +531,7 @@ func (n *mysqlClearAuthMethod) HandleAuthPluginData(conn *Conn, user string, ser
 if len(clientAuthPluginData) > 0 {
 password = string(clientAuthPluginData[:len(clientAuthPluginData)-1])
 }
- return n.storage.UserEntryWithPassword(conn.GetTLSClientCerts(), user, password, remoteAddr)
+ return n.storage.UserEntryWithPassword(conn, user, password, remoteAddr)
 }
 type mysqlDialogAuthMethod struct {
@@ -557,7 +556,7 @@ func (n *mysqlDialogAuthMethod) AuthPluginData() ([]byte, error) {
 return result, nil
 }
 func (n *mysqlDialogAuthMethod) HandleAuthPluginData(conn *Conn, user string, serverAuthPluginData []byte, clientAuthPluginData []byte, remoteAddr net.Addr) (Getter, error) {
- return n.storage.UserEntryWithPassword(conn.GetTLSClientCerts(), user, string(clientAuthPluginData[:len(clientAuthPluginData)-1]), remoteAddr)
+ return n.storage.UserEntryWithPassword(conn, user, string(clientAuthPluginData[:len(clientAuthPluginData)-1]), remoteAddr)
 }
 type mysqlCachingSha2AuthMethod struct { 
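Review bot: The added line in `mysqlDialogAuthMethod.HandleAuthPluginData` still evaluates `clientAuthPluginData[:len(clientAuthPluginData)-1]` without a length check, so a zero-length auth response from a not-yet-authenticated client panics with a negative slice bound; the `mysqlClearAuthMethod` hunk just above guards the identical slice with `if len(clientAuthPluginData) > 0`. Because this buffer comes off the wire before any credential has been verified, the panic is remotely triggerable and takes the process down unless something upstream recovers, which I cannot see from here. I would add before the return: `if len(clientAuthPluginData) == 0 { return nil, NewSQLError(ERAccessDeniedError, SSAccessDeniedError, "Access denied for user '%v'", user) }`, matching the rejection already used in the native-password hunk. The dialog method is complete within this hunk; the two methods above it start outside their hunks.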
@@ -594,7 +593,7 @@ func (n *mysqlCachingSha2AuthMethod) HandleAuthPluginData(c *Conn, user string,
 return nil, NewSQLError(ERAccessDeniedError, SSAccessDeniedError, "Access denied for user '%v'", user)
 }
 salt := serverAuthPluginData[:len(serverAuthPluginData)-1]
- result, cacheState, err := n.cache.UserEntryWithCacheHash(c.GetTLSClientCerts(), salt, user, clientAuthPluginData, remoteAddr)
+ result, cacheState, err := n.cache.UserEntryWithCacheHash(c, salt, user, clientAuthPluginData, remoteAddr)
 if err != nil {
 return nil, err
 }
@@ -638,7 +637,7 @@ func (n *mysqlCachingSha2AuthMethod) HandleAuthPluginData(c *Conn, user string,
 if err != nil {
 return nil, err
 }
- return n.storage.UserEntryWithPassword(c.GetTLSClientCerts(), user, password, remoteAddr)
+ return n.storage.UserEntryWithPassword(c, user, password, remoteAddr)
 }
 // ScrambleMysqlNativePassword computes the hash of the password using 4.1+ method.
diff --git a/go/mysql/auth_server_clientcert.go b/go/mysql/auth_server_clientcert.go
index a272c38c13f..b252c990a79 100644
--- a/go/mysql/auth_server_clientcert.go
+++ b/go/mysql/auth_server_clientcert.go
@@ -17,7 +17,6 @@ limitations under the License.
 package mysql
 import (
- "crypto/x509"
 "flag"
 "fmt"
 "net"
@@ -83,7 +82,8 @@ func (asl *AuthServerClientCert) HandleUser(user string, remoteAddr net.Addr) bo
 }
 // UserEntryWithPassword is part of the PlaintextStorage interface
-func (asl *AuthServerClientCert) UserEntryWithPassword(userCerts []*x509.Certificate, user string, password string, remoteAddr net.Addr) (Getter, error) {
+func (asl *AuthServerClientCert) UserEntryWithPassword(conn *Conn, user string, password string, remoteAddr net.Addr) (Getter, error) {
+ userCerts := conn.GetTLSClientCerts()
 if len(userCerts) == 0 {
 return nil, fmt.Errorf("no client certs for connection")
 }
diff --git a/go/mysql/auth_server_none.go b/go/mysql/auth_server_none.go
index 24761ef07c4..1a841ad3e60 100644
--- a/go/mysql/auth_server_none.go
+++ b/go/mysql/auth_server_none.go
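Review bot: The added `userCerts := conn.GetTLSClientCerts()` in `AuthServerClientCert.UserEntryWithPassword` dereferences `conn` unconditionally, so a nil connection now panics where the old signature's nil cert slice fell through to the `no client certs for connection` error on the next lines. The auth methods in auth_server.go always pass the live connection, but this method is exported and satisfies a public interface, so any other caller or test that passed `nil` before this change regresses from a clean error to a panic; I cannot see those callers from here. A one-line guard keeps the previous failure mode: `if conn == nil { return nil, fmt.Errorf("no client certs for connection") }` placed ahead of the new line. The body of UserEntryWithPassword continues past the end of the hunk.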
@@ -17,7 +17,6 @@ limitations under the License.
 package mysql
 import (
- "crypto/x509"
 "net"
 querypb "github.com/dolthub/vitess/go/vt/proto/query"
@@ -51,7 +50,7 @@ func (a *AuthServerNone) HandleUser(user string, remoteAddr net.Addr) bool {
 // UserEntryWithHash validates the user if it exists and returns the information.
 // Always accepts any user.
-func (a *AuthServerNone) UserEntryWithHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
+func (a *AuthServerNone) UserEntryWithHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
 return &NoneGetter{}, nil
 }
diff --git a/go/mysql/auth_server_static.go b/go/mysql/auth_server_static.go
index 451e9fa79bf..c2ad852e3e0 100644
--- a/go/mysql/auth_server_static.go
+++ b/go/mysql/auth_server_static.go
@@ -19,7 +19,6 @@ package mysql
 import (
 "bytes"
 "crypto/subtle"
- "crypto/x509"
 "encoding/json"
 "flag"
 "net"
@@ -165,7 +164,7 @@ func (a *AuthServerStatic) HandleUser(user string, remoteAddr net.Addr) bool {
 // UserEntryWithPassword implements password lookup based on a plain
 // text password that is negotiated with the client.
-func (a *AuthServerStatic) UserEntryWithPassword(userCerts []*x509.Certificate, user string, password string, remoteAddr net.Addr) (Getter, error) {
+func (a *AuthServerStatic) UserEntryWithPassword(conn *Conn, user string, password string, remoteAddr net.Addr) (Getter, error) {
 a.mu.Lock()
 entries, ok := a.entries[user]
 a.mu.Unlock()
@@ -183,7 +182,7 @@ func (a *AuthServerStatic) UserEntryWithPassword(userCerts []*x509.Certificate,
 // UserEntryWithHash implements password lookup based on a
 // mysql_native_password hash that is negotiated with the client.
-func (a *AuthServerStatic) UserEntryWithHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
+func (a *AuthServerStatic) UserEntryWithHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
 a.mu.Lock()
 entries, ok := a.entries[user]
 a.mu.Unlock()
@@ -213,7 +212,7 @@ func (a *AuthServerStatic) UserEntryWithHash(userCerts []*x509.Certificate, salt
 // UserEntryWithCacheHash implements password lookup based on a
 // caching_sha2_password hash that is negotiated with the client.
-func (a *AuthServerStatic) UserEntryWithCacheHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error) {
+func (a *AuthServerStatic) UserEntryWithCacheHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error) {
 a.mu.Lock()
 entries, ok := a.entries[user]
 a.mu.Unlock()