1 /*
2 * Copyright (c) 2015, 2021, Oracle and/or its affiliates.
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License, version 2.0,
6 * as published by the Free Software Foundation.
7 *
8 * This program is also distributed with certain software (including
9 * but not limited to OpenSSL) that is licensed under separate terms,
10 * as designated in a particular file or component or in included license
11 * documentation. The authors of MySQL hereby grant you an additional
12 * permission to link the program and your derivative works with the
13 * separately licensed software that they have included with MySQL.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License, version 2.0, for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 * 02110-1301 USA
24 */
25
26 #include "sql_user_require.h"
27 #include "ngs_common/options.h"
28
29 using namespace xpl;
30
// The four transport-requirement levels an account can carry in ssl_type.
// validate() dispatches on these exact strings; anything else is rejected
// (fail closed) rather than treated as "no requirement". The values look
// like the mysql.user.ssl_type enum — presumably loaded from there; verify
// against the caller that fills in Sql_user_require.
const std::string Sql_user_require::SSL_TYPE_NONE("");          // no requirement, plaintext allowed
const std::string Sql_user_require::SSL_TYPE_SSL("ANY");        // TLS must be active
const std::string Sql_user_require::SSL_TYPE_X509("X509");      // TLS + verified client certificate
const std::string Sql_user_require::SSL_TYPE_SPECIFIC("SPECIFIED"); // X509 + cipher/issuer/subject match
35
// Enforce this account's transport requirement (ssl_type) against the live
// session described by `options`.
//
// Returns an empty (success) Error_code when the session satisfies the
// requirement, otherwise ER_SECURE_TRANSPORT_REQUIRED carrying the reason.
// The levels nest: check_specific() calls check_x509(), which calls
// check_ssl(), so each level implies all weaker ones.
//
// Security note: an ssl_type outside the four known values is an error, not
// "no requirement" — a corrupt or unexpected value therefore fails closed.
ngs::Error_code Sql_user_require::validate(ngs::IOptions_session_ptr &options) const
{
  // The four values are distinct strings, so the order of the comparisons
  // does not matter; strictest first.
  if (ssl_type == SSL_TYPE_SPECIFIC)
    return check_specific(options);

  if (ssl_type == SSL_TYPE_X509)
    return check_x509(options);

  if (ssl_type == SSL_TYPE_SSL)
    return check_ssl(options);

  if (ssl_type == SSL_TYPE_NONE)
    return ngs::Error_code();  // account places no requirement on the transport

  // Unrecognised requirement: refuse rather than silently allow.
  return ngs::Error_code(ER_SECURE_TRANSPORT_REQUIRED, "Unknown SSL required option.");
}
49
// Weakest requirement (REQUIRE SSL-style): the session must be running over
// TLS. Nothing about the peer certificate is examined at this level.
//
// Returns success when options->active_tls() reports an active TLS session,
// otherwise ER_SECURE_TRANSPORT_REQUIRED.
ngs::Error_code Sql_user_require::check_ssl(ngs::IOptions_session_ptr &options) const
{
  const bool tls_active = options->active_tls();
  if (tls_active)
    return ngs::Error_code();

  return ngs::Error_code(ER_SECURE_TRANSPORT_REQUIRED, "Current account requires TLS to be activate.");
}
57
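// X509 requirement: on top of check_ssl(), the peer must have presented a
// client certificate whose TLS-layer verification result is X509_V_OK.
//
// Returns success when both hold; the check_ssl() error when TLS is not
// active; otherwise ER_SECURE_TRANSPORT_REQUIRED naming the certificate as
// the problem. This branch used to reuse check_ssl()'s "requires TLS to be
// activate" text, which is wrong for this condition — when it is reached
// TLS is already active and what is missing is a verified client
// certificate — so the message now states the actual cause.
ngs::Error_code Sql_user_require::check_x509(ngs::IOptions_session_ptr &options) const
{
  ngs::Error_code ssl_error = check_ssl(options);
  if (ssl_error)
    return ssl_error;

  // NOTE(review): OpenSSL's SSL_get_verify_result() reports X509_V_OK when
  // the peer sent no certificate at all, so this check is only sound if the
  // helper (defined elsewhere) also treats a missing peer certificate as a
  // non-OK result, as its name suggests — TODO confirm in the ngs
  // implementation.
  if (options->ssl_get_verify_result_and_cert() != X509_V_OK)
    return ngs::Error_code(ER_SECURE_TRANSPORT_REQUIRED,
                           "Current account requires a verified X509 client certificate.");

  return ngs::Error_code();
}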
70
// Strictest requirement: on top of check_x509(), every attribute the account
// actually specifies (a non-empty ssl_cipher, ssl_x509_issuer or
// ssl_x509_subject) must match the session's value exactly. An empty
// attribute places no constraint. The attributes are checked in the order
// cipher, issuer, subject and the first mismatch is the one reported.
//
// NOTE(review): issuer and subject are compared as whole strings, so the DN
// formatting produced by ssl_get_peer_certificate_issuer()/_subject() must
// match the formatting stored on the account; a mismatch in format fails
// closed (every login for that account is refused), never open.
ngs::Error_code Sql_user_require::check_specific(ngs::IOptions_session_ptr &options) const
{
  ngs::Error_code x509_error = check_x509(options);
  if (x509_error)
    return x509_error;

  const bool cipher_constrained = !ssl_cipher.empty();
  if (cipher_constrained && ssl_cipher != options->ssl_cipher())
    return ngs::Error_code(ER_SECURE_TRANSPORT_REQUIRED, "Current user cipher isn't allowed.");

  const bool issuer_constrained = !ssl_x509_issuer.empty();
  if (issuer_constrained && ssl_x509_issuer != options->ssl_get_peer_certificate_issuer())
    return ngs::Error_code(ER_SECURE_TRANSPORT_REQUIRED, "Current user certificate issuer is not valid.");

  const bool subject_constrained = !ssl_x509_subject.empty();
  if (subject_constrained && ssl_x509_subject != options->ssl_get_peer_certificate_subject())
    return ngs::Error_code(ER_SECURE_TRANSPORT_REQUIRED, "Current user certificate subject is not valid.");

  return ngs::Error_code();
}
92