| 1 | #include <Access/Authentication.h> |
|---|---|
| 2 | #include <Common/Exception.h> |
| 3 | #include <common/StringRef.h> |
| 4 | #include <Core/Defines.h> |
| 5 | #include <Poco/SHA1Engine.h> |
| 6 | #include <boost/algorithm/hex.hpp> |
| 7 | #include "config_core.h" |
| 8 | #if USE_SSL |
| 9 | # include <openssl/sha.h> |
| 10 | #endif |
| 11 | |
| 12 | |
| 13 | namespace DB |
| 14 | { |
| 15 | namespace ErrorCodes |
| 16 | { |
| 17 | extern const int SUPPORT_IS_DISABLED; |
| 18 | extern const int REQUIRED_PASSWORD; |
| 19 | extern const int WRONG_PASSWORD; |
| 20 | extern const int BAD_ARGUMENTS; |
| 21 | extern const int LOGICAL_ERROR; |
| 22 | } |
| 23 | |
| 24 | |
| 25 | namespace |
| 26 | { |
| 27 | using Digest = Authentication::Digest; |
| 28 | |
| 29 | Digest encodePlainText(const StringRef & text) |
| 30 | { |
| 31 | return Digest(text.data, text.data + text.size); |
| 32 | } |
| 33 | |
| 34 | Digest encodeSHA256(const StringRef & text) |
| 35 | { |
| 36 | #if USE_SSL |
| 37 | Digest hash; |
| 38 | hash.resize(32); |
| 39 | SHA256_CTX ctx; |
| 40 | SHA256_Init(&ctx); |
| 41 | SHA256_Update(&ctx, reinterpret_cast<const UInt8 *>(text.data), text.size); |
| 42 | SHA256_Final(hash.data(), &ctx); |
| 43 | return hash; |
| 44 | #else |
| 45 | UNUSED(text); |
| 46 | throw DB::Exception("SHA256 passwords support is disabled, because ClickHouse was built without SSL library", DB::ErrorCodes::SUPPORT_IS_DISABLED); |
| 47 | #endif |
| 48 | } |
| 49 | |
| 50 | Digest encodeSHA1(const StringRef & text) |
| 51 | { |
| 52 | Poco::SHA1Engine engine; |
| 53 | engine.update(text.data, text.size); |
| 54 | return engine.digest(); |
| 55 | } |
| 56 | |
| 57 | Digest encodeSHA1(const Digest & text) |
| 58 | { |
| 59 | return encodeSHA1(StringRef{reinterpret_cast<const char *>(text.data()), text.size()}); |
| 60 | } |
| 61 | |
| 62 | Digest encodeDoubleSHA1(const StringRef & text) |
| 63 | { |
| 64 | return encodeSHA1(encodeSHA1(text)); |
| 65 | } |
| 66 | } |
| 67 | |
| 68 | |
| 69 | Authentication::Authentication(Authentication::Type type_) |
| 70 | : type(type_) |
| 71 | { |
| 72 | } |
| 73 | |
| 74 | |
| 75 | void Authentication::setPassword(const String & password_) |
| 76 | { |
| 77 | switch (type) |
| 78 | { |
| 79 | case NO_PASSWORD: |
| 80 | throw Exception("Cannot specify password for the 'NO_PASSWORD' authentication type", ErrorCodes::LOGICAL_ERROR); |
| 81 | |
| 82 | case PLAINTEXT_PASSWORD: |
| 83 | setPasswordHashBinary(encodePlainText(password_)); |
| 84 | return; |
| 85 | |
| 86 | case SHA256_PASSWORD: |
| 87 | setPasswordHashBinary(encodeSHA256(password_)); |
| 88 | return; |
| 89 | |
| 90 | case DOUBLE_SHA1_PASSWORD: |
| 91 | setPasswordHashBinary(encodeDoubleSHA1(password_)); |
| 92 | return; |
| 93 | } |
| 94 | throw Exception("Unknown authentication type: "+ std::to_string(static_cast<int>(type)), ErrorCodes::LOGICAL_ERROR); |
| 95 | } |
| 96 | |
| 97 | |
| 98 | String Authentication::getPassword() const |
| 99 | { |
| 100 | if (type != PLAINTEXT_PASSWORD) |
| 101 | throw Exception("Cannot decode the password", ErrorCodes::LOGICAL_ERROR); |
| 102 | return String(password_hash.data(), password_hash.data() + password_hash.size()); |
| 103 | } |
| 104 | |
| 105 | |
| 106 | void Authentication::setPasswordHashHex(const String & hash) |
| 107 | { |
| 108 | Digest digest; |
| 109 | digest.resize(hash.size() / 2); |
| 110 | boost::algorithm::unhex(hash.begin(), hash.end(), digest.data()); |
| 111 | setPasswordHashBinary(digest); |
| 112 | } |
| 113 | |
| 114 | |
| 115 | String Authentication::getPasswordHashHex() const |
| 116 | { |
| 117 | String hex; |
| 118 | hex.resize(password_hash.size() * 2); |
| 119 | boost::algorithm::hex(password_hash.begin(), password_hash.end(), hex.data()); |
| 120 | return hex; |
| 121 | } |
| 122 | |
| 123 | |
| 124 | void Authentication::setPasswordHashBinary(const Digest & hash) |
| 125 | { |
| 126 | switch (type) |
| 127 | { |
| 128 | case NO_PASSWORD: |
| 129 | throw Exception("Cannot specify password for the 'NO_PASSWORD' authentication type", ErrorCodes::LOGICAL_ERROR); |
| 130 | |
| 131 | case PLAINTEXT_PASSWORD: |
| 132 | { |
| 133 | password_hash = hash; |
| 134 | return; |
| 135 | } |
| 136 | |
| 137 | case SHA256_PASSWORD: |
| 138 | { |
| 139 | if (hash.size() != 32) |
| 140 | throw Exception( |
| 141 | "Password hash for the 'SHA256_PASSWORD' authentication type has length "+ std::to_string(hash.size()) |
| 142 | + " but must be exactly 32 bytes.", |
| 143 | ErrorCodes::BAD_ARGUMENTS); |
| 144 | password_hash = hash; |
| 145 | return; |
| 146 | } |
| 147 | |
| 148 | case DOUBLE_SHA1_PASSWORD: |
| 149 | { |
| 150 | if (hash.size() != 20) |
| 151 | throw Exception( |
| 152 | "Password hash for the 'DOUBLE_SHA1_PASSWORD' authentication type has length "+ std::to_string(hash.size()) |
| 153 | + " but must be exactly 20 bytes.", |
| 154 | ErrorCodes::BAD_ARGUMENTS); |
| 155 | password_hash = hash; |
| 156 | return; |
| 157 | } |
| 158 | } |
| 159 | throw Exception("Unknown authentication type: "+ std::to_string(static_cast<int>(type)), ErrorCodes::LOGICAL_ERROR); |
| 160 | } |
| 161 | |
| 162 | |
| 163 | Digest Authentication::getPasswordDoubleSHA1() const |
| 164 | { |
| 165 | switch (type) |
| 166 | { |
| 167 | case NO_PASSWORD: |
| 168 | { |
| 169 | Poco::SHA1Engine engine; |
| 170 | return engine.digest(); |
| 171 | } |
| 172 | |
| 173 | case PLAINTEXT_PASSWORD: |
| 174 | { |
| 175 | Poco::SHA1Engine engine; |
| 176 | engine.update(getPassword()); |
| 177 | const Digest & first_sha1 = engine.digest(); |
| 178 | engine.update(first_sha1.data(), first_sha1.size()); |
| 179 | return engine.digest(); |
| 180 | } |
| 181 | |
| 182 | case SHA256_PASSWORD: |
| 183 | throw Exception("Cannot get password double SHA1 for user with 'SHA256_PASSWORD' authentication.", ErrorCodes::BAD_ARGUMENTS); |
| 184 | |
| 185 | case DOUBLE_SHA1_PASSWORD: |
| 186 | return password_hash; |
| 187 | } |
| 188 | throw Exception("Unknown authentication type: "+ std::to_string(static_cast<int>(type)), ErrorCodes::LOGICAL_ERROR); |
| 189 | } |
| 190 | |
| 191 | |
| 192 | bool Authentication::isCorrectPassword(const String & password_) const |
| 193 | { |
| 194 | switch (type) |
| 195 | { |
| 196 | case NO_PASSWORD: |
| 197 | return true; |
| 198 | |
| 199 | case PLAINTEXT_PASSWORD: |
| 200 | { |
| 201 | if (password_ == StringRef{reinterpret_cast<const char *>(password_hash.data()), password_hash.size()}) |
| 202 | return true; |
| 203 | |
| 204 | // For compatibility with MySQL clients which support only native authentication plugin, SHA1 can be passed instead of password. |
| 205 | auto password_sha1 = encodeSHA1(password_hash); |
| 206 | return password_ == StringRef{reinterpret_cast<const char *>(password_sha1.data()), password_sha1.size()}; |
| 207 | } |
| 208 | |
| 209 | case SHA256_PASSWORD: |
| 210 | return encodeSHA256(password_) == password_hash; |
| 211 | |
| 212 | case DOUBLE_SHA1_PASSWORD: |
| 213 | { |
| 214 | auto first_sha1 = encodeSHA1(password_); |
| 215 | |
| 216 | /// If it was MySQL compatibility server, then first_sha1 already contains double SHA1. |
| 217 | if (first_sha1 == password_hash) |
| 218 | return true; |
| 219 | |
| 220 | return encodeSHA1(first_sha1) == password_hash; |
| 221 | } |
| 222 | } |
| 223 | throw Exception("Unknown authentication type: "+ std::to_string(static_cast<int>(type)), ErrorCodes::LOGICAL_ERROR); |
| 224 | } |
| 225 | |
| 226 | |
| 227 | void Authentication::checkPassword(const String & password_, const String & user_name) const |
| 228 | { |
| 229 | if (isCorrectPassword(password_)) |
| 230 | return; |
| 231 | auto info_about_user_name = [&user_name]() { return user_name.empty() ? String() : " for user "+ user_name; }; |
| 232 | if (password_.empty() && (type != NO_PASSWORD)) |
| 233 | throw Exception("Password required"+ info_about_user_name(), ErrorCodes::REQUIRED_PASSWORD); |
| 234 | throw Exception("Wrong password"+ info_about_user_name(), ErrorCodes::WRONG_PASSWORD); |
| 235 | } |
| 236 | |
| 237 | |
| 238 | bool operator ==(const Authentication & lhs, const Authentication & rhs) |
| 239 | { |
| 240 | return (lhs.type == rhs.type) && (lhs.password_hash == rhs.password_hash); |
| 241 | } |
| 242 | } |
| 243 | |
| 244 |
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.