summaryrefslogtreecommitdiffstats
path: root/include/mysql/plugin_auth.h
diff options
context:
space:
mode:
Diffstat (limited to 'include/mysql/plugin_auth.h')
-rw-r--r--include/mysql/plugin_auth.h183
1 files changed, 183 insertions, 0 deletions
diff --git a/include/mysql/plugin_auth.h b/include/mysql/plugin_auth.h
new file mode 100644
index 00000000..3827db33
--- /dev/null
+++ b/include/mysql/plugin_auth.h
@@ -0,0 +1,183 @@
+#ifndef MYSQL_PLUGIN_AUTH_INCLUDED
+/* Copyright (C) 2010 Sergei Golubchik and Monty Program Ab
+ Copyright (c) 2010, Oracle and/or its affiliates.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
+
+/**
+ @file
+
+ Authentication Plugin API.
+
+ This file defines the API for server authentication plugins.
+*/
+
+#define MYSQL_PLUGIN_AUTH_INCLUDED
+
+#include <mysql/plugin.h>
+
+#define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0202
+
+#include <mysql/plugin_auth_common.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* defines for MYSQL_SERVER_AUTH_INFO.password_used */
+
+#define PASSWORD_USED_NO 0
+#define PASSWORD_USED_YES 1
+#define PASSWORD_USED_NO_MENTION 2
+
+
+/**
+ Provides server plugin access to authentication information
+*/
+typedef struct st_mysql_server_auth_info
+{
+ /**
+ User name as sent by the client and shown in USER().
+ NULL if the client packet with the user name was not received yet.
+ */
+ const char *user_name;
+
+ /**
+ Length of user_name
+ */
+ unsigned int user_name_length;
+
+ /**
+ A corresponding column value from the mysql.user table for the
+ matching account name or the preprocessed value, if preprocess_hash
+ method is not NULL
+ */
+ const char *auth_string;
+
+ /**
+ Length of auth_string
+ */
+ unsigned long auth_string_length;
+
+ /**
+ Matching account name as found in the mysql.user table.
+ A plugin can override it with another name that will be
+ used by MySQL for authorization, and shown in CURRENT_USER()
+ */
+ char authenticated_as[MYSQL_USERNAME_LENGTH+1];
+
+
+ /**
+ The unique user name that was used by the plugin to authenticate.
+ Not used by the server.
+ Available through the @@EXTERNAL_USER variable.
+ */
+ char external_user[MYSQL_USERNAME_LENGTH+1];
+
+ /**
+ This only affects the "Authentication failed. Password used: %s"
+ error message. has the following values :
+ 0 : %s will be NO.
+ 1 : %s will be YES.
+ 2 : there will be no %s.
+ Set it as appropriate or ignore at will.
+ */
+ int password_used;
+
+ /**
+ Set to the name of the connected client host, if it can be resolved,
+ or to its IP address otherwise.
+ */
+ const char *host_or_ip;
+
+ /**
+ Length of host_or_ip
+ */
+ unsigned int host_or_ip_length;
+
+ /**
+ Current THD pointer (to use with various services)
+ */
+ MYSQL_THD thd;
+
+} MYSQL_SERVER_AUTH_INFO;
+
+/**
+ Server authentication plugin descriptor
+*/
+struct st_mysql_auth
+{
+ int interface_version; /**< version plugin uses */
+ /**
+ A plugin that a client must use for authentication with this server
+ plugin. Can be NULL to mean "any plugin".
+ */
+ const char *client_auth_plugin;
+ /**
+ Function provided by the plugin which should perform authentication (using
+ the vio functions if necessary) and return 0 if successful. The plugin can
+ also fill the info.authenticated_as field if a different username should be
+ used for authorization.
+ */
+ int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info);
+ /**
+ Create a password hash (or digest) out of a plain-text password
+
+ Used in SET PASSWORD, GRANT, and CREATE USER to convert user specified
+ plain-text password into a value that will be stored in mysql.user table.
+
+ @see preprocess_hash
+
+ @param password plain-text password
+ @param password_length plain-text password length
+ @param hash the digest will be stored there
+ @param hash_length in: hash buffer size
+ out: the actual length of the hash
+
+ @return 0 for ok, 1 for error
+
+ Can be NULL, in this case one will not be able to use SET PASSWORD or
+ PASSWORD('...') in GRANT, CREATE USER, ALTER USER.
+ */
+ int (*hash_password)(const char *password, size_t password_length,
+ char *hash, size_t *hash_length);
+
+ /**
+ Prepare the password hash for authentication.
+
+ Password hash is stored in the authentication_string column of the
+ mysql.user table in a text form. If a plugin needs to preprocess the
+ value somehow before the authentication (e.g. convert from hex or base64
+ to binary), it can do it in this method. This way the conversion
+ will happen only once, not for every authentication attempt.
+
+ The value written to the out buffer will be cached and later made
+ available to the authenticate_user() method in the
+ MYSQL_SERVER_AUTH_INFO::auth_string[] buffer.
+
+ @return 0 for ok, 1 for error
+
+ Can be NULL, in this case the mysql.user.authentication_string value will
+ be given to the authenticate_user() method as is, unconverted.
+ */
+ int (*preprocess_hash)(const char *hash, size_t hash_length,
+ unsigned char *out, size_t *out_length);
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+