Remove usage of acl_getroot() in embedded server.

Fixed compilation problem when OPENSSL was enabled.
2002-12-06 22:01:12 +02:00 · 2002-12-06 22:01:12 +02:00 · 7e312565c3
commit 7e312565c3
parent f1d35b29bc
2 changed files with 75 additions and 107 deletions
--- a/libmysqld/lib_sql.cc
+++ b/libmysqld/lib_sql.cc
@ -223,41 +223,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
    send_error(thd,ER_OUT_OF_RESOURCES);
    return 1;
  }
-  thd->master_access=acl_getroot(thd, thd->host, thd->ip, thd->user,
-				 passwd, thd->scramble, &thd->priv_user,
-				 protocol_version == 9 ||
-				 !(thd->client_capabilities &
-				   CLIENT_LONG_PASSWORD),&ur);
-  DBUG_PRINT("info",
-	     ("Capabilities: %d  packet_length: %d  Host: '%s'  User: '%s'  Using password: %s  Access: %u  db: '%s'",
-	      thd->client_capabilities, thd->max_client_packet_length,
-	      thd->host_or_ip, thd->priv_user,
-	      passwd[0] ? "yes": "no",
-	      thd->master_access, thd->db ? thd->db : "*none*"));
-  if (thd->master_access & NO_ACCESS)
-  {
-    net_printf(thd, ER_ACCESS_DENIED_ERROR,
-	       thd->user,
-	       thd->host_or_ip,
-	       passwd[0] ? ER(ER_YES) : ER(ER_NO));
-    mysql_log.write(thd,COM_CONNECT,ER(ER_ACCESS_DENIED_ERROR),
-		    thd->user,
-		    thd->host_or_ip,
-		    passwd[0] ? ER(ER_YES) : ER(ER_NO));
-    return(1);					// Error already given
-  }
-  if (check_count)
-  {
-    VOID(pthread_mutex_lock(&LOCK_thread_count));
-    bool tmp=(thread_count - delayed_insert_threads >= max_connections &&
-	      !(thd->master_access & PROCESS_ACL));
-    VOID(pthread_mutex_unlock(&LOCK_thread_count));
-    if (tmp)
-    {						// Too many connections
-      send_error(thd, ER_CON_COUNT_ERROR);
-      return(1);
-    }
-  }
+  thd->master_access= ~0L;			// No user checking
+  thd->priv_user= thd->user;
  mysql_log.write(thd,command,
 		  (thd->priv_user == thd->user ?
 		   (char*) "%s@%s on %s" :
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -578,85 +578,86 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,

  /* OK. User found and password checked continue validation */

-
 #ifdef HAVE_OPENSSL
-  Vio *vio=thd->net.vio;
-  /*
-    In this point we know that user is allowed to connect
-    from given host by given username/password pair. Now
-    we check if SSL is required, if user is using SSL and
-    if X509 certificate attributes are OK
-  */
-  switch (acl_user->ssl_type) {
-  case SSL_TYPE_NOT_SPECIFIED:		// Impossible
-  case SSL_TYPE_NONE: /* SSL is not required to connect */
-    user_access=acl_user->access;
-    break;
-  case SSL_TYPE_ANY: /* Any kind of SSL is good enough */
-    if (vio_type(vio) == VIO_TYPE_SSL)
-    user_access=acl_user->access;
-    break;
-  case SSL_TYPE_X509: /* Client should have any valid certificate. */
-  /*
-    Connections with non-valid certificates are dropped already
-    in sslaccept() anyway, so we do not check validity here.
-  */
-    if (SSL_get_peer_certificate(vio->ssl_))
+  {
+    Vio *vio=thd->net.vio;
+    /*
+      In this point we know that user is allowed to connect
+      from given host by given username/password pair. Now
+      we check if SSL is required, if user is using SSL and
+      if X509 certificate attributes are OK
+    */
+    switch (acl_user->ssl_type) {
+    case SSL_TYPE_NOT_SPECIFIED:		// Impossible
+    case SSL_TYPE_NONE: /* SSL is not required to connect */
      user_access=acl_user->access;
-    break;
-  case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
-  /*
-    We do not check for absence of SSL because without SSL it does
-    not pass all checks here anyway.
-    If cipher name is specified, we compare it to actual cipher in
-    use.
-  */
-    if (acl_user->ssl_cipher)
-    {
-      DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'",
-        	 acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)));
-      if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
-        user_access=acl_user->access;
-      else
+      break;
+    case SSL_TYPE_ANY: /* Any kind of SSL is good enough */
+      if (vio_type(vio) == VIO_TYPE_SSL)
+	user_access=acl_user->access;
+      break;
+    case SSL_TYPE_X509: /* Client should have any valid certificate. */
+      /*
+	Connections with non-valid certificates are dropped already
+	in sslaccept() anyway, so we do not check validity here.
+      */
+      if (SSL_get_peer_certificate(vio->ssl_))
+	user_access=acl_user->access;
+      break;
+    case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
+      /*
+	We do not check for absence of SSL because without SSL it does
+	not pass all checks here anyway.
+	If cipher name is specified, we compare it to actual cipher in
+	use.
+      */
+      if (acl_user->ssl_cipher)
      {
-        user_access=NO_ACCESS;
-        break;
+	DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'",
+			   acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)));
+	if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
+	  user_access=acl_user->access;
+	else
+	{
+	  user_access=NO_ACCESS;
+	  break;
+	}
      }
-    }
-    /* Prepare certificate (if exists) */
-    DBUG_PRINT("info",("checkpoint 1"));
-    X509* cert=SSL_get_peer_certificate(vio->ssl_);
-    DBUG_PRINT("info",("checkpoint 2"));
-    /* If X509 issuer is speified, we check it... */
-    if (acl_user->x509_issuer)
-    {
-      DBUG_PRINT("info",("checkpoint 3"));
-      char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
-      DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
-    		 acl_user->x509_issuer, ptr));
-      if (strcmp(acl_user->x509_issuer, ptr))
+      /* Prepare certificate (if exists) */
+      DBUG_PRINT("info",("checkpoint 1"));
+      X509* cert=SSL_get_peer_certificate(vio->ssl_);
+      DBUG_PRINT("info",("checkpoint 2"));
+      /* If X509 issuer is speified, we check it... */
+      if (acl_user->x509_issuer)
      {
-        user_access=NO_ACCESS;
-        free(ptr);
-        break;
+	DBUG_PRINT("info",("checkpoint 3"));
+	char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+	DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
+			   acl_user->x509_issuer, ptr));
+	if (strcmp(acl_user->x509_issuer, ptr))
+	{
+	  user_access=NO_ACCESS;
+	  free(ptr);
+	  break;
+	}
+	user_access=acl_user->access;
+	free(ptr);
      }
-      user_access=acl_user->access;
-      free(ptr);
+      DBUG_PRINT("info",("checkpoint 4"));
+      /* X509 subject is specified, we check it .. */
+      if (acl_user->x509_subject)
+      {
+	char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
+	DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
+			   acl_user->x509_subject, ptr));
+	if (strcmp(acl_user->x509_subject,ptr))
+	  user_access=NO_ACCESS;
+	else
+	  user_access=acl_user->access;
+	free(ptr);
+      }
+      break;
    }
-    DBUG_PRINT("info",("checkpoint 4"));
-    /* X509 subject is specified, we check it .. */
-    if (acl_user->x509_subject)
-    {
-      char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
-      DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
-		 acl_user->x509_subject, ptr));
-      if (strcmp(acl_user->x509_subject,ptr))
-        user_access=NO_ACCESS;
-      else
-        user_access=acl_user->access;
-      free(ptr);
-    }
-    break;
  }
 #else  /* HAVE_OPENSSL */
  user_access=acl_user->access;