PS-9033 postfix: audit_log_filter plugin, does not register remote accesses

https://perconadev.atlassian.net/browse/PS-9033

'audit_log_filter' now properly handles anonymous MySQL accounts
(e.g. ''@'127.0.0.1'). Removed unnecessary restriction in
'AuditLogFilter::get_connection_user()' that was checking for user
name and host name parts of the user account to be non-empty and
could lead to not registering events from such accounts in the audit
log file.

Added new 'audit_log_filter.filter_definition_filter_by_anonymous_user'
MTR test case which checks that connection events coming from
anonymous MySQL accounts are not ignored / skipped in the audit
log.

Author: percona-ysorokin

plugin/audit_log_filter/audit_log_filter.cc

@@ -617,12 +617,16 @@ bool AuditLogFilter::get_connection_user(Security_context_handle &ctx,
     return false;
   }
 
-  if (user.length == 0 || host.length == 0) {
-    return false;
+  if (user.length == 0) {
+    user_name.clear();
+  } else {
+    user_name.assign(user.str, user.length);
+  }
+  if (host.length == 0) {
+    user_host.clear();
+  } else {
+    user_host.assign(host.str, host.length);
   }
-
-  user_name = user.str;
-  user_host = host.str;
 
   return true;
 }

plugin/audit_log_filter/tests/mtr/r/filter_definition_filter_by_anonymous_user.result

@@ -0,0 +1,51 @@
+CREATE USER ''@'127.0.0.1';
+SET @filter = '{
+  "filter": {
+    "class": {
+      "name": "connection",
+      "event": {
+        "name": "connect"
+      }
+    }
+  }
+}';
+SELECT audit_log_filter_set_filter('log_connect', @filter);
+audit_log_filter_set_filter('log_connect', @filter)
+OK
+###
+### 1. Connecting as an anonymous user with no rules set
+###
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+foobarbaz@localhost	@127.0.0.1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 2. Connecting as an anonymous user with default rule set
+###
+SELECT audit_log_filter_set_user('%', 'log_connect');
+audit_log_filter_set_user('%', 'log_connect')
+OK
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+foobarbaz@localhost	@127.0.0.1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 3. Connecting as an anonymous user with a dedicated rule for this anonymous user
+###
+SELECT audit_log_filter_remove_user('%');
+audit_log_filter_remove_user('%')
+OK
+SELECT audit_log_filter_set_user('@127.0.0.1', 'log_connect');
+audit_log_filter_set_user('@127.0.0.1', 'log_connect')
+OK
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+foobarbaz@localhost	@127.0.0.1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+SELECT audit_log_filter_remove_user('@127.0.0.1');
+audit_log_filter_remove_user('@127.0.0.1')
+OK
+DROP USER ''@'127.0.0.1';

plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_anonymous_user-master.opt

@@ -0,0 +1 @@
+--audit_log_filter_format=JSON

plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_anonymous_user.test

@@ -0,0 +1,75 @@
+--source audit_tables_init.inc
+
+--let $anonymous_user_name = foobarbaz
+--let $ipv4_localhost = 127.0.0.1
+
+--let $MYSQL_PORT = `SELECT @@port`
+
+eval CREATE USER ''@'$ipv4_localhost';
+
+SET @filter = '{
+  "filter": {
+    "class": {
+      "name": "connection",
+      "event": {
+        "name": "connect"
+      }
+    }
+  }
+}';
+SELECT audit_log_filter_set_filter('log_connect', @filter);
+
+--echo ###
+--echo ### 1. Connecting as an anonymous user with no rules set
+--echo ###
+SET @audit_filter_log_name = audit_log_rotate();
+
+--source include/count_sessions.inc
+--exec $MYSQL -u$anonymous_user_name -h$ipv4_localhost -P$MYSQL_PORT -e "SELECT USER(), CURRENT_USER();" test
+--source include/wait_until_count_sessions.inc
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+
+--assert(`SELECT JSON_LENGTH(@content) = 0 AS no_connection_events_must_be_logged`)
+
+
+--echo ###
+--echo ### 2. Connecting as an anonymous user with default rule set
+--echo ###
+SELECT audit_log_filter_set_user('%', 'log_connect');
+SET @audit_filter_log_name = audit_log_rotate();
+
+--source include/count_sessions.inc
+--exec $MYSQL -u$anonymous_user_name -h$ipv4_localhost -P$MYSQL_PORT -e "SELECT USER(), CURRENT_USER();" test
+--source include/wait_until_count_sessions.inc
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+
+--assert(`SELECT JSON_LENGTH(@content) = 1 AS one_connection_event_must_be_logged`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.user') = '$anonymous_user_name' AS event_must_be_from_fake_user_name`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.ip') = '$ipv4_localhost' AS event_must_be_from_ipv4_localhost`)
+
+
+--echo ###
+--echo ### 3. Connecting as an anonymous user with a dedicated rule for this anonymous user
+--echo ###
+SELECT audit_log_filter_remove_user('%');
+eval SELECT audit_log_filter_set_user('@$ipv4_localhost', 'log_connect');
+SET @audit_filter_log_name = audit_log_rotate();
+
+--source include/count_sessions.inc
+--exec $MYSQL -u$anonymous_user_name -h$ipv4_localhost -P$MYSQL_PORT -e "SELECT USER(), CURRENT_USER();" test
+--source include/wait_until_count_sessions.inc
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+
+--assert(`SELECT JSON_LENGTH(@content) = 1 AS one_connection_event_must_be_logged`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.user') = '$anonymous_user_name' AS event_must_be_from_fake_user_name`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.ip') = '$ipv4_localhost' AS event_must_be_from_ipv4_localhost`)
+
+
+eval SELECT audit_log_filter_remove_user('@$ipv4_localhost');
+
+eval DROP USER ''@'$ipv4_localhost';
+
+--source audit_tables_cleanup.inc