
Commit 9227a43

PS-9024 fix: audit_log_filter_set_user does not allow wildcards in hostname
https://perconadev.atlassian.net/browse/PS-9024 Relaxed host name validation rules for 'audit_log_filter_set_user()' UDF. It is now possible to specify account names with wildcard characters ('%' and '_') in the host part (for instance 'usr@%'). Fixed minor formatting issues in generated JSON output. Added new 'audit_log_filter.filter_definition_filter_by_wildcard_host' MTR test case that checks different combinations of wildcard MySQL users and associated audit log filters. Updated 'audit_log_filter.udf_audit_log_filter_set_user' MTR test case to reflect the relaxed host name validation rules.
1 parent 278ed7d commit 9227a43


7 files changed

+358
-11
lines changed


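--- a/plugin/audit_log_filter/audit_udf.cc
+++ b/plugin/audit_log_filter/audit_udf.cc
@@ -73,7 +73,8 @@ std::unique_ptr<UserNameInfo> check_parse_user_name_host(
 
 const std::regex user_name_all_regex("^%$");
 const std::regex user_name_regex("(.*)@(.*)");
-const std::regex deprecated_symbols_regex("[\\*|\\%]");
+const std::regex deprecated_account_name_characters_regex("[*|%]");
+const std::regex deprecated_host_name_characters_regex("[*|]");
 
 auto user_info_data = std::make_unique<UserNameInfo>();
 
@@ -107,13 +108,15 @@ std::unique_ptr<UserNameInfo> check_parse_user_name_host(
 return nullptr;
 }
 
-if (std::regex_search(user_name_match.str(), deprecated_symbols_regex)) {
+if (std::regex_search(user_name_match.str(),
+deprecated_account_name_characters_regex)) {
 std::snprintf(message, MYSQL_ERRMSG_SIZE,
 "Wrong argument: bad user name format");
 return nullptr;
 }
 
-if (std::regex_search(user_host_match.str(), deprecated_symbols_regex)) {
+if (std::regex_search(user_host_match.str(),
+deprecated_host_name_characters_regex)) {
 std::snprintf(message, MYSQL_ERRMSG_SIZE,
 "Wrong argument: bad host name format");
 return nullptr;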
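Review bot: The new `deprecated_host_name_characters_regex("[*|]")` still rejects `|` only because the pipe is a literal inside a bracket expression, which the old `[\\*|\\%]` pattern already did by accident, and the updated MTR expectation now pins `user@host|` as a "bad host name format" error; if that rejection is intended, say so next to the regex, e.g. `// '%' and '_' are MySQL account wildcards and are accepted in the host part; '*' and '|' are never valid there`, otherwise reduce the class to `"[*]"`. More important for anyone scoping audit coverage: this hunk relaxes validation only and no matching code is touched in the commit, so a rule such as `usr@%` presumably selects the `'usr'@'%'` account rather than every `usr` session whatever its host — the new 3.x MTR cases exercise that, but the UDF does not document it, and a one-line comment stating which it is would prevent the wrong assumption that a wildcard rule also covers sessions authenticated as `'usr'@'127.0.0.1'`. The `std::regex` objects are rebuilt on every UDF call; `static const` would avoid that, although this is not a hot path. `check_parse_user_name_host` starts and ends outside the hunk.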

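--- a/plugin/audit_log_filter/log_record_formatter/json.cc
+++ b/plugin/audit_log_filter/log_record_formatter/json.cc
@@ -406,7 +406,7 @@ AuditRecordString LogRecordFormatterJson::apply(
 << "\",\n"
 << R"( "status": )" << audit_record.event->status << ",\n"
 << R"( "db": ")"
-<< make_escaped_string(&audit_record.event->database) << "\""
+<< make_escaped_string(&audit_record.event->database) << "\"\n"
 << " }" << extra_attrs_to_string(audit_record.extended_info)
 << "\n }";
 
@@ -921,7 +921,7 @@ std::string LogRecordFormatterJson::extra_attrs_to_string(
 is_first_attr = false;
 }
 
-result << "}";
+result << "\n }";
 }
 
 return result.str();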
Lines changed: 126 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,126 @@
1+
SET @filter = '{
2+
"filter": {
3+
"class": {
4+
"name": "connection",
5+
"event": {
6+
"name": "connect"
7+
}
8+
}
9+
}
10+
}';
11+
SELECT audit_log_filter_set_filter('log_connect', @filter);
12+
audit_log_filter_set_filter('log_connect', @filter)
13+
OK
14+
###
15+
### 1.1 IPv4 and IPv6 users, default audit log rule
16+
###
17+
CREATE USER 'usr'@'127.0.0.1' IDENTIFIED BY 'password';
18+
CREATE USER 'usr'@'::1' IDENTIFIED BY 'password';
19+
SELECT audit_log_filter_set_user('%', 'log_connect');
20+
audit_log_filter_set_user('%', 'log_connect')
21+
OK
22+
SET @audit_filter_log_name = audit_log_rotate();
23+
USER() CURRENT_USER()
24+
usr@localhost [email protected]
25+
USER() CURRENT_USER()
26+
usr@localhost usr@::1
27+
SET @audit_filter_log_name = audit_log_rotate();
28+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
29+
###
30+
### 1.2 IPv4 and wildcard users, default audit log rule
31+
###
32+
DROP USER 'usr'@'::1';
33+
CREATE USER 'usr'@'%' IDENTIFIED BY 'password';
34+
USER() CURRENT_USER()
35+
usr@localhost [email protected]
36+
USER() CURRENT_USER()
37+
usr@localhost usr@%
38+
SET @audit_filter_log_name = audit_log_rotate();
39+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
40+
###
41+
### 1.3 Only wildcard user, default audit log rule
42+
###
43+
DROP USER 'usr'@'127.0.0.1';
44+
USER() CURRENT_USER()
45+
usr@localhost usr@%
46+
USER() CURRENT_USER()
47+
usr@localhost usr@%
48+
SET @audit_filter_log_name = audit_log_rotate();
49+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
50+
###
51+
### 2.1 Only wildcard user, IPv4 audit log rule
52+
###
53+
SELECT audit_log_filter_remove_user('%');
54+
audit_log_filter_remove_user('%')
55+
OK
56+
SELECT audit_log_filter_set_user('[email protected]', 'log_connect');
57+
audit_log_filter_set_user('[email protected]', 'log_connect')
58+
OK
59+
USER() CURRENT_USER()
60+
usr@localhost usr@%
61+
USER() CURRENT_USER()
62+
usr@localhost usr@%
63+
SET @audit_filter_log_name = audit_log_rotate();
64+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
65+
###
66+
### 2.2 IPv4 and wildcard users, IPv4 audit log rule
67+
###
68+
CREATE USER 'usr'@'127.0.0.1' IDENTIFIED BY 'password';
69+
USER() CURRENT_USER()
70+
usr@localhost [email protected]
71+
USER() CURRENT_USER()
72+
usr@localhost usr@%
73+
SET @audit_filter_log_name = audit_log_rotate();
74+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
75+
###
76+
### 2.3 IPv4 and IPv6 users, IPv4 audit log rule
77+
###
78+
DROP USER 'usr'@'%';
79+
CREATE USER 'usr'@'::1' IDENTIFIED BY 'password';
80+
USER() CURRENT_USER()
81+
usr@localhost [email protected]
82+
USER() CURRENT_USER()
83+
usr@localhost usr@::1
84+
SET @audit_filter_log_name = audit_log_rotate();
85+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
86+
###
87+
### 3.1 IPv4 and IPv6 users, wildcard audit log rule
88+
###
89+
SELECT audit_log_filter_remove_user('[email protected]');
90+
audit_log_filter_remove_user('[email protected]')
91+
OK
92+
SELECT audit_log_filter_set_user('usr@%', 'log_connect');
93+
audit_log_filter_set_user('usr@%', 'log_connect')
94+
OK
95+
SET @audit_filter_log_name = audit_log_rotate();
96+
USER() CURRENT_USER()
97+
usr@localhost [email protected]
98+
USER() CURRENT_USER()
99+
usr@localhost usr@::1
100+
SET @audit_filter_log_name = audit_log_rotate();
101+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
102+
###
103+
### 3.2 IPv4 and wildcard users, wildcard audit log rule
104+
###
105+
DROP USER 'usr'@'::1';
106+
CREATE USER 'usr'@'%' IDENTIFIED BY 'password';
107+
USER() CURRENT_USER()
108+
usr@localhost [email protected]
109+
USER() CURRENT_USER()
110+
usr@localhost usr@%
111+
SET @audit_filter_log_name = audit_log_rotate();
112+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
113+
###
114+
### 3.3 Only wildcard user, wildcard audit log rule
115+
###
116+
DROP USER 'usr'@'127.0.0.1';
117+
USER() CURRENT_USER()
118+
usr@localhost usr@%
119+
USER() CURRENT_USER()
120+
usr@localhost usr@%
121+
SET @audit_filter_log_name = audit_log_rotate();
122+
SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
123+
SELECT audit_log_filter_remove_user('usr@%');
124+
audit_log_filter_remove_user('usr@%')
125+
OK
126+
DROP USER 'usr'@'%';
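Review bot: The expected-output file never shows what was actually logged: every scenario ends with `SET @content = CAST(... AS JSON)` and the result moves straight on, so the pass/fail criterion for cases such as 2.1 ("Only wildcard user, IPv4 audit log rule") presumably lives in `--assert` lines of the .test file and is invisible here. Echoing the outcome into the result after each `SET @content`, e.g. `SELECT JSON_LENGTH(@content) AS connect_events;` or a `JSON_SEARCH` for the expected account string, would pin the intended semantics of wildcard rules in the expected output where reviewers and future maintainers can see them. The rendering shows `[email protected]` where the test presumably reads `usr@127.0.0.1`; that looks like an artifact of the page rendering rather than of the file, but it is worth confirming in the raw file.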

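--- a/plugin/audit_log_filter/tests/mtr/r/udf_audit_log_filter_set_user.result
+++ b/plugin/audit_log_filter/tests/mtr/r/udf_audit_log_filter_set_user.result
@@ -35,16 +35,17 @@ ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argume
 SELECT audit_log_filter_set_user('aaaaaa', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: wrong user_name format, it should be in user_name@host_name format, or '%' to represent the default account
 #
-# Wildcards are not allowed in user or host name
+# [*|%] characters are not allowed in user name
+# [*|] characters are not allowed in host name
 SELECT audit_log_filter_set_user('user%@localhost', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad user name format
 SELECT audit_log_filter_set_user('user*@localhost', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad user name format
-SELECT audit_log_filter_set_user('user@host%', 'filter_1');
+SELECT audit_log_filter_set_user('user@host|', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
 SELECT audit_log_filter_set_user('user@host*', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
-SELECT audit_log_filter_set_user('user@%', 'filter_1');
+SELECT audit_log_filter_set_user('user@|', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
 SELECT audit_log_filter_set_user('user@*', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format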
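Review bot: Nothing in the updated expectations exercises `_`, although the commit message lists it alongside `%` as a host wildcard that is now accepted, and the former `user@%` and `user@host%` rejection cases were dropped from this file without a positive counterpart here; adding lines such as `SELECT audit_log_filter_set_user('user@host_', 'filter_1');` and `SELECT audit_log_filter_set_user('user@%', 'filter_1');` with their `OK` results (assuming `filter_1` is defined earlier in this test) would keep the accepted syntax visible next to the rejected one. The two new comment lines restate the regex character classes literally (`[*|%]`, `[*|]`), which reads as a regex rather than an explanation; `# '*' and '|' are rejected in both parts; '%' is rejected in the user name only, since it is a valid host wildcard` says the same thing in words and also records that the `|` rejection is deliberate.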
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
--audit_log_filter_format=JSON
