Bug#31246179: USER WITH CREATE USER AND WITH ADMIN ROLE CAN GRANT ROLE TO ANONYMOUS USER AND CORRUPT DATABASE

Description: Inconsistency in representating an anonymous
             user in in-memory structures may cause issues
             while performing grant operations

Fix: Consistently handled anoynmous users in various user
     management DDLs, SHOW GRANTS and FLUSH PRIVILEGES

RB: 24367

Author: harinvadodaria

sql/auth/acl_table_user.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2018, 2020, Oracle and/or its affiliates.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License, version 2.0,
@@ -1923,8 +1923,7 @@ void Acl_table_user_reader::read_password_require_current(ACL_USER &user) {
 bool Acl_table_user_reader::read_user_attributes(ACL_USER &user) {
   /* Read user_attributes field */
   if (m_table->s->fields > m_table_schema->user_attributes_idx()) {
-    Auth_id auth_id(user.user ? user.user : "",
-                    user.user ? strlen(user.user) : 0,
+    Auth_id auth_id(user.user ? user.user : "", user.get_username_length(),
                     user.host.get_host() ? user.host.get_host() : "",
                     user.host.get_host() ? strlen(user.host.get_host()) : 0);
     Acl_user_attributes user_attributes(&m_mem_root, true, auth_id,

sql/auth/auth_common.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2015, 2020, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -116,7 +116,7 @@ Auth_id::Auth_id(const LEX_USER *lex_user)
 Auth_id::Auth_id(const ACL_USER *acl_user) {
   if (acl_user) {
     if (acl_user->user != nullptr)  // Not an anonymous user
-      m_user.assign(acl_user->user, strlen(acl_user->user));
+      m_user.assign(acl_user->user, acl_user->get_username_length());
     m_host.assign(acl_user->host.get_host(), acl_user->host.get_host_len());
     create_key();
   }

sql/auth/sql_auth_cache.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2020, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -165,6 +165,20 @@ bool validate_user_plugins = true;
 #define IP_ADDR_STRLEN (3 + 1 + 3 + 1 + 3 + 1 + 3)
 #define ACL_KEY_LENGTH (IP_ADDR_STRLEN + 1 + NAME_LEN + 1 + USERNAME_LENGTH + 1)
 
+/** Helper: Set user name */
+static void set_username(char **user, const char *user_arg, MEM_ROOT *mem) {
+  DBUG_ASSERT(user != nullptr);
+  *user = (user_arg && *user_arg) ? strdup_root(mem, user_arg) : nullptr;
+}
+
+/** Helper: Set host name */
+static void set_hostname(ACL_HOST_AND_IP *host, const char *host_arg,
+                         MEM_ROOT *mem) {
+  DBUG_ASSERT(host != nullptr);
+  host->update_hostname((host_arg && *host_arg) ? strdup_root(mem, host_arg)
+                                                : nullptr);
+}
+
 /**
   Allocates the memory in the the global_acl_memory MEM_ROOT.
 */
@@ -420,6 +434,14 @@ ACL_USER *ACL_USER::copy(MEM_ROOT *root) {
   return dst;
 }
 
+void ACL_USER::set_user(MEM_ROOT *mem, const char *user_arg) {
+  set_username(&user, user_arg, mem);
+}
+
+void ACL_USER::set_host(MEM_ROOT *mem, const char *host_arg) {
+  set_hostname(&host, host_arg, mem);
+}
+
 void ACL_PROXY_USER::init(const char *host_arg, const char *user_arg,
                           const char *proxied_host_arg,
                           const char *proxied_user_arg, bool with_grant_arg) {
@@ -583,6 +605,22 @@ int ACL_PROXY_USER::store_data_record(TABLE *table, const LEX_CSTRING &hostname,
   return false;
 }
 
+void ACL_PROXY_USER::set_user(MEM_ROOT *mem, const char *user_arg) {
+  set_username(const_cast<char **>(&user), user_arg, mem);
+}
+
+void ACL_PROXY_USER::set_host(MEM_ROOT *mem, const char *host_arg) {
+  set_hostname(&host, host_arg, mem);
+}
+
+void ACL_DB::set_user(MEM_ROOT *mem, const char *user_arg) {
+  set_username(&user, user_arg, mem);
+}
+
+void ACL_DB::set_host(MEM_ROOT *mem, const char *host_arg) {
+  set_hostname(&host, host_arg, mem);
+}
+
 /**
   Performs wildcard matching, aka globbing, on the input string with
   the given wildcard pattern, and the specified wildcard characters.
@@ -783,7 +821,7 @@ GRANT_COLUMN::GRANT_COLUMN(String &c, ulong y)
 void GRANT_NAME::set_user_details(const char *h, const char *d, const char *u,
                                   const char *t, bool is_routine) {
   /* Host given by user */
-  host.update_hostname(strdup_root(&memex, h));
+  set_hostname(&host, h, &memex);
   if (db != d) {
     db = strdup_root(&memex, d);
     if (lower_case_table_names) my_casedn_str(files_charset_info, db);
@@ -2752,10 +2790,8 @@ void acl_users_add_one(const char *user, const char *host,
   */
   acl_user.can_authenticate = true;
 
-  acl_user.user =
-      user && *user ? strdup_root(&global_acl_memory, user) : nullptr;
-  acl_user.host.update_hostname(
-      host && *host ? strdup_root(&global_acl_memory, host) : nullptr);
+  acl_user.set_user(&global_acl_memory, user);
+  acl_user.set_host(&global_acl_memory, host);
   DBUG_ASSERT(plugin.str);
   if (plugin.str[0]) {
     acl_user.plugin = plugin;
@@ -2923,9 +2959,8 @@ void acl_insert_db(const char *user, const char *host, const char *db,
                    ulong privileges) {
   ACL_DB acl_db;
   DBUG_ASSERT(assert_acl_cache_write_lock(current_thd));
-  acl_db.user = strdup_root(&global_acl_memory, user);
-  acl_db.host.update_hostname(*host ? strdup_root(&global_acl_memory, host)
-                                    : nullptr);
+  acl_db.set_user(&global_acl_memory, user);
+  acl_db.set_host(&global_acl_memory, host);
   acl_db.db = strdup_root(&global_acl_memory, db);
   acl_db.access = privileges;
   acl_db.sort = get_sort(3, acl_db.host.get_host(), acl_db.db, acl_db.user);

sql/auth/sql_auth_cache.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2020, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -200,6 +200,9 @@ class ACL_USER : public ACL_ACCESS {
   ACL_USER *copy(MEM_ROOT *root);
   ACL_USER();
 
+  void set_user(MEM_ROOT *mem, const char *user_arg);
+  void set_host(MEM_ROOT *mem, const char *host_arg);
+  size_t get_username_length() const { return user ? strlen(user) : 0; }
   class Password_locked_state {
    public:
     bool is_active() const {
@@ -241,6 +244,9 @@ class ACL_USER : public ACL_ACCESS {
 class ACL_DB : public ACL_ACCESS {
  public:
   char *user, *db;
+
+  void set_user(MEM_ROOT *mem, const char *user_arg);
+  void set_host(MEM_ROOT *mem, const char *host_arg);
 };
 
 class ACL_PROXY_USER : public ACL_ACCESS {
@@ -276,9 +282,8 @@ class ACL_PROXY_USER : public ACL_ACCESS {
   const char *get_user() { return user; }
   const char *get_proxied_user() { return proxied_user; }
   const char *get_proxied_host() { return proxied_host.get_host(); }
-  void set_user(MEM_ROOT *mem, const char *user_arg) {
-    user = user_arg && *user_arg ? strdup_root(mem, user_arg) : nullptr;
-  }
+  void set_user(MEM_ROOT *mem, const char *user_arg);
+  void set_host(MEM_ROOT *mem, const char *host_arg);
 
   bool check_validity(bool check_no_resolve);
 

sql/auth/sql_authorization.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2020, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -985,7 +985,7 @@ void make_global_privilege_statement(THD *thd, ulong want_access,
     }
   }
   global->append(STRING_WITH_LEN(" ON *.* TO "));
-  size_t len = acl_user->user == nullptr ? 0 : strlen(acl_user->user);
+  size_t len = acl_user->get_username_length();
   append_identifier(thd, global, acl_user->user, len);
   global->append('@');
   append_identifier(thd, global, acl_user->host.get_host(),
@@ -1042,8 +1042,7 @@ void make_database_privilege_statement(THD *thd, ACL_USER *role,
       db.append(STRING_WITH_LEN(" ON "));
       append_identifier(thd, &db, db_name.c_str(), db_name.length());
       db.append(STRING_WITH_LEN(".* TO "));
-      append_identifier(thd, &db, role->user,
-                        role->user ? strlen(role->user) : 0);
+      append_identifier(thd, &db, role->user, role->get_username_length());
       db.append('@');
       // host and lex_user->host are equal except for case
       append_identifier(thd, &db, role->host.get_host(),
@@ -1091,7 +1090,7 @@ void make_database_privilege_statement(THD *thd, ACL_USER *role,
                           rl_itr.first.length());
         db.append(STRING_WITH_LEN(".* FROM "));
         append_identifier(thd, &db, acl_user->user,
-                          acl_user->user ? strlen(acl_user->user) : 0);
+                          acl_user->get_username_length());
         db.append('@');
         // host and lex_user->host are equal except for case
         append_identifier(thd, &db, acl_user->host.get_host(),
@@ -1180,8 +1179,7 @@ void make_sp_privilege_statement(THD *thd, ACL_USER *role, Protocol *protocol,
       db.append(STRING_WITH_LEN("FUNCTION "));
     db.append(sp_name.c_str(), sp_name.length());
     db.append(STRING_WITH_LEN(" TO "));
-    append_identifier(thd, &db, role->user,
-                      role->user ? strlen(role->user) : 0);
+    append_identifier(thd, &db, role->user, role->get_username_length());
     db.append(STRING_WITH_LEN("@"));
     // host and lex_user->host are equal except for case
     append_identifier(thd, &db, role->host.get_host(),
@@ -1223,7 +1221,8 @@ void make_with_admin_privilege_statement(
   }
   if (found) {
     global.append(STRING_WITH_LEN(" TO "));
-    append_identifier(thd, &global, acl_user->user, strlen(acl_user->user));
+    append_identifier(thd, &global, acl_user->user,
+                      acl_user->get_username_length());
     global.append('@');
     append_identifier(thd, &global, acl_user->host.get_host(),
                       acl_user->host.get_host_len());
@@ -1259,7 +1258,8 @@ void make_dynamic_privilege_statement(THD *thd, ACL_USER *role,
       /* Dynamic privileges are always applied on global level */
       global.append(STRING_WITH_LEN(" ON *.* TO "));
       if (role->user != nullptr)
-        append_identifier(thd, &global, role->user, strlen(role->user));
+        append_identifier(thd, &global, role->user,
+                          role->get_username_length());
       else
         global.append(STRING_WITH_LEN("''"));
       global.append('@');
@@ -1326,8 +1326,7 @@ void make_roles_privilege_statement(THD *thd, ACL_USER *role,
   }  // end while
   if (found) {
     global.append(STRING_WITH_LEN(" TO "));
-    append_identifier(thd, &global, role->user,
-                      role->user ? strlen(role->user) : 0);
+    append_identifier(thd, &global, role->user, role->get_username_length());
     global.append('@');
     append_identifier(thd, &global, role->host.get_host(),
                       role->host.get_host_len());
@@ -1399,7 +1398,7 @@ void make_table_privilege_statement(THD *thd, ACL_USER *role,
     global.append(STRING_WITH_LEN(" ON "));
     global.append(qualified_table_name.c_str(), qualified_table_name.length());
     global.append(STRING_WITH_LEN(" TO "));
-    append_identifier(thd, &global, role->user, strlen(role->user));
+    append_identifier(thd, &global, role->user, role->get_username_length());
     global.append('@');
     // host and lex_user->host are equal except for case
     append_identifier(thd, &global, role->host.get_host(),
@@ -1589,7 +1588,7 @@ class Get_access_maps : public boost::default_bfs_visitor {
         m_with_admin_acl(with_admin_acl),
         m_dynamic_acl(dyn_acl),
         m_restrictions(restrictions),
-        m_grantee{acl_user->user, strlen(acl_user->user),
+        m_grantee{acl_user->user, acl_user->get_username_length(),
                   acl_user->host.get_host(), acl_user->host.get_host_len()} {}
   template <typename Vertex, typename Graph>
   void discover_vertex(Vertex u, const Graph &) const {
@@ -5976,7 +5975,7 @@ bool find_if_granted_role(Role_vertex_descriptor v, LEX_CSTRING role,
     ACL_USER acl_user =
         get(boost::vertex_acl_user_t(),
             *g_granted_roles)[boost::target(*ei, *g_granted_roles)];
-    if ((role.length == strlen(acl_user.user)) &&
+    if ((role.length == acl_user.get_username_length()) &&
         (role_host.length == acl_user.host.get_host_len()) &&
         !strncmp(role.str, acl_user.user, role.length) &&
         (role_host.length == 0 ||
@@ -6007,7 +6006,7 @@ void get_granted_roles(Role_vertex_descriptor &v,
     int with_admin_opt = edge_with_admin[*ei];
     LEX_CSTRING tmp_user, tmp_host;
     tmp_user.str = acl_user.user;
-    tmp_user.length = strlen(acl_user.user);
+    tmp_user.length = acl_user.get_username_length();
     tmp_host.str = acl_user.host.get_host();
     tmp_host.length = acl_user.host.get_host_len();
     Role_id id(tmp_user, tmp_host);
@@ -6518,7 +6517,7 @@ Auth_id_ref create_authid_from(const LEX_CSTRING &user,
 */
 std::string create_authid_str_from(const ACL_USER *user) {
   String tmp;
-  size_t length = user->user == nullptr ? 0 : strlen(user->user);
+  size_t length = user->get_username_length();
   append_identifier(&tmp, user->user, length);
   tmp.append("@");
   append_identifier(&tmp, user->host.get_host(), user->host.get_host_len());
@@ -6538,10 +6537,7 @@ Auth_id_ref create_authid_from(const ACL_USER *user) {
   LEX_CSTRING username;
   LEX_CSTRING host;
   username.str = user->user;
-  if (user->user != nullptr)
-    username.length = strlen(user->user);
-  else
-    username.length = 0;
+  username.length = user->get_username_length();
   host.str = user->host.get_host();
   host.length = user->host.get_host_len();
   id = std::make_pair(username, host);

sql/auth/sql_user.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2020, Oracle and/or its affiliates.
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
    as published by the Free Software Foundation.
@@ -1754,9 +1754,9 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
            */
           idx--;
         } else if (user_to) {
-          acl_user->user = strdup_root(&global_acl_memory, user_to->user.str);
-          acl_user->host.update_hostname(
-              strdup_root(&global_acl_memory, user_to->host.str));
+          acl_user->set_user(&global_acl_memory, user_to->user.str);
+          acl_user->set_host(&global_acl_memory, user_to->host.str);
+
           rebuild_cached_acl_users_for_name();
         } else {
           /* If search is requested, we do not need to search further. */
@@ -1774,9 +1774,8 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
           acl_dbs->erase(idx);
           idx--;
         } else if (user_to) {
-          acl_db->user = strdup_root(&global_acl_memory, user_to->user.str);
-          acl_db->host.update_hostname(
-              strdup_root(&global_acl_memory, user_to->host.str));
+          acl_db->set_user(&global_acl_memory, user_to->user.str);
+          acl_db->set_host(&global_acl_memory, user_to->host.str);
         } else {
           /* If search is requested, we do not need to search further. */
           break;
@@ -1826,10 +1825,7 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
           idx--;
         } else if (user_to) {
           acl_proxy_user->set_user(&global_acl_memory, user_to->user.str);
-          acl_proxy_user->host.update_hostname(
-              (user_to->host.str && *user_to->host.str)
-                  ? strdup_root(&global_acl_memory, user_to->host.str)
-                  : nullptr);
+          acl_proxy_user->set_host(&global_acl_memory, user_to->host.str);
         } else {
           /* If search is requested, we do not need to search further. */
           break;