Merge #130979

130979: sql/pgwire: treat system identity as string, not SQLUsername r=rafiss a=rafiss The external system identity may not be a SQLUsername -- that mapping is performed at a different phase of authentication. To make this more clear, we stop using the SQLUsername type for system identity. Epic CRDB-33829 Release note: None Co-authored-by: Rafi Shamim <[email protected]>
cockroachdb · Sep 19, 2024 · 06c1f94 · 06c1f94
2 parents 9d91855 + eb67431
commit 06c1f94
Show file tree

Hide file tree

Showing 21 changed files with 177 additions and 148 deletions.
diff --git a/pkg/ccl/gssapiccl/gssapi.go b/pkg/ccl/gssapiccl/gssapi.go
@@ -57,11 +57,7 @@ func authGSS(
 
 	// Update the incoming connection with the GSS username. We'll expect
 	// to see this value come back to the mapper function below.
-	if u, err := username.MakeSQLUsernameFromUserInput(gssUser, username.PurposeValidation); err != nil {
-		return nil, err
-	} else {
-		behaviors.SetReplacementIdentity(u)
-	}
+	behaviors.SetReplacementIdentity(gssUser)
 
 	// We enforce that the "map" and/or "include_realm=0" options are set
 	// in the HBA validation function below.
@@ -84,7 +80,7 @@ func authGSS(
 	}
 
 	behaviors.SetAuthenticator(func(
-		_ context.Context, _ username.SQLUsername, _ bool, _ pgwire.PasswordRetrievalFn, _ *ldap.DN,
+		_ context.Context, _ string, _ bool, _ pgwire.PasswordRetrievalFn, _ *ldap.DN,
 	) error {
 		// Enforce krb_realm option, if any.
 		if realms := entry.GetOptions("krb_realm"); len(realms) > 0 {
@@ -142,19 +138,16 @@ func checkEntry(_ *settings.Values, entry hba.Entry) error {
 }
 
 // stripRealm removes the realm data, if any, from the provided username.
-func stripRealm(u username.SQLUsername) (username.SQLUsername, error) {
-	norm := u.Normalized()
-	if idx := strings.Index(norm, "@"); idx != -1 {
-		norm = norm[:idx]
+func stripRealm(u string) (username.SQLUsername, error) {
+	if idx := strings.Index(u, "@"); idx != -1 {
+		u = u[:idx]
 	}
-	return username.MakeSQLUsernameFromUserInput(norm, username.PurposeValidation)
+	return username.MakeSQLUsernameFromUserInput(u, username.PurposeValidation)
 }
 
 // stripRealmMapper is a pgwire.RoleMapper that just strips the trailing
 // realm information, if any, from the gssapi username.
-func stripRealmMapper(
-	_ context.Context, systemIdentity username.SQLUsername,
-) ([]username.SQLUsername, error) {
+func stripRealmMapper(_ context.Context, systemIdentity string) ([]username.SQLUsername, error) {
 	ret, err := stripRealm(systemIdentity)
 	return []username.SQLUsername{ret}, err
 }
@@ -163,12 +156,12 @@ func stripRealmMapper(
 // the incoming identity has its realm information stripped before the
 // next mapping is applied.
 func stripAndDelegateMapper(delegate pgwire.RoleMapper) pgwire.RoleMapper {
-	return func(ctx context.Context, systemIdentity username.SQLUsername) ([]username.SQLUsername, error) {
+	return func(ctx context.Context, systemIdentity string) ([]username.SQLUsername, error) {
 		next, err := stripRealm(systemIdentity)
 		if err != nil {
 			return nil, err
 		}
-		return delegate(ctx, next)
+		return delegate(ctx, next.Normalized())
 	}
 }
 

diff --git a/pkg/ccl/ldapccl/BUILD.bazel b/pkg/ccl/ldapccl/BUILD.bazel
@@ -21,6 +21,7 @@ go_library(
         "//pkg/server/telemetry",
         "//pkg/settings",
         "//pkg/settings/cluster",
+        "//pkg/sql/lexbase",
         "//pkg/sql/pgwire",
         "//pkg/sql/pgwire/hba",
         "//pkg/sql/pgwire/identmap",

diff --git a/pkg/ccl/ldapccl/authentication_ldap.go b/pkg/ccl/ldapccl/authentication_ldap.go
@@ -17,6 +17,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/server/telemetry"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
+	"github.com/cockroachdb/cockroach/pkg/sql/lexbase"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/hba"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/identmap"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
@@ -109,7 +110,7 @@ func (authManager *ldapAuthManager) FetchLDAPUserDN(
 				"cannot find provided user %s on LDAP server", user.Normalized())
 	}
 
-	retrievedUserDN, err = distinguishedname.ParseDN(userDN)
+	retrievedUserDN, err = distinguishedname.ParseDN(lexbase.NormalizeName(userDN))
 	if err != nil {
 		return nil, redact.Sprintf("error parsing user DN %s obtained from LDAP server: %v", userDN, err),
 			errors.WithDetailf(

diff --git a/pkg/security/auth.go b/pkg/security/auth.go
@@ -116,7 +116,7 @@ type CertificateUserScope struct {
 // that may have been applied to the given connection.
 type UserAuthHook func(
 	ctx context.Context,
-	systemIdentity username.SQLUsername,
+	systemIdentity string,
 	clientConnection bool,
 ) error
 
@@ -125,14 +125,12 @@ type UserAuthHook func(
 // respectively if systemIdentity conforms to one of these 2 users. It may also
 // return previously set subject option and systemIdentity is not root or node.
 // Root and Node roles cannot have subject role option set for them.
-func applyRootOrNodeDNFlag(
-	previouslySetRoleSubject *ldap.DN, systemIdentity username.SQLUsername,
-) (dn *ldap.DN) {
+func applyRootOrNodeDNFlag(previouslySetRoleSubject *ldap.DN, systemIdentity string) (dn *ldap.DN) {
 	dn = previouslySetRoleSubject
 	switch {
-	case systemIdentity.IsRootUser():
+	case systemIdentity == username.RootUser:
 		dn = rootSubjectMu.getDN()
-	case systemIdentity.IsNodeUser():
+	case systemIdentity == username.NodeUser:
 		dn = nodeSubjectMu.getDN()
 	}
 	return dn
@@ -287,13 +285,12 @@ func UserAuthCertHook(
 		}
 	}
 
-	return func(ctx context.Context, systemIdentity username.SQLUsername, clientConnection bool) error {
-		// TODO(marc): we may eventually need stricter user syntax rules.
-		if systemIdentity.Undefined() {
+	return func(ctx context.Context, systemIdentity string, clientConnection bool) error {
+		if systemIdentity == "" {
 			return errors.New("user is missing")
 		}
 
-		if !clientConnection && !systemIdentity.IsNodeUser() {
+		if !clientConnection && systemIdentity != username.NodeUser {
 			return errors.Errorf("user %q is not allowed", systemIdentity)
 		}
 
@@ -315,7 +312,7 @@ func UserAuthCertHook(
 		if subjectRequired && roleSubject == nil {
 			return errors.Newf(
 				"user %q does not have a distinguished name set which subject_required cluster setting mandates",
-				systemIdentity.Normalized(),
+				systemIdentity,
 			)
 		}
 
@@ -327,7 +324,7 @@ func UserAuthCertHook(
 			}
 		}
 
-		if ValidateUserScope(certUserScope, systemIdentity.Normalized(), tenantID, roleSubject, certSubject) {
+		if ValidateUserScope(certUserScope, systemIdentity, tenantID, roleSubject, certSubject) {
 			if certManager != nil {
 				certManager.MaybeUpsertClientExpiration(
 					ctx,
@@ -375,8 +372,12 @@ func IsTenantCertificate(cert *x509.Certificate) bool {
 func UserAuthPasswordHook(
 	insecureMode bool, passwordStr string, hashedPassword password.PasswordHash, gauge *metric.Gauge,
 ) UserAuthHook {
-	return func(ctx context.Context, systemIdentity username.SQLUsername, clientConnection bool) error {
-		if systemIdentity.Undefined() {
+	return func(ctx context.Context, systemIdentity string, clientConnection bool) error {
+		u, err := username.MakeSQLUsernameFromUserInput(systemIdentity, username.PurposeValidation)
+		if err != nil {
+			return err
+		}
+		if u.Undefined() {
 			return errors.New("user is missing")
 		}
 
@@ -390,15 +391,15 @@ func UserAuthPasswordHook(
 
 		// If the requested user has an empty password, disallow authentication.
 		if len(passwordStr) == 0 {
-			return NewErrPasswordUserAuthFailed(systemIdentity)
+			return NewErrPasswordUserAuthFailed(u)
 		}
 		ok, err := password.CompareHashAndCleartextPassword(ctx,
 			hashedPassword, passwordStr, GetExpensiveHashComputeSemWithGauge(ctx, gauge))
 		if err != nil {
 			return err
 		}
 		if !ok {
-			return NewErrPasswordUserAuthFailed(systemIdentity)
+			return NewErrPasswordUserAuthFailed(u)
 		}
 
 		return nil

diff --git a/pkg/security/auth_test.go b/pkg/security/auth_test.go
@@ -375,9 +375,9 @@ func TestAuthenticationHook(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 	defer func() { _ = security.SetCertPrincipalMap(nil) }()
 
-	fooUser := username.MakeSQLUsernameFromPreNormalizedString("foo")
-	barUser := username.MakeSQLUsernameFromPreNormalizedString("bar")
-	blahUser := username.MakeSQLUsernameFromPreNormalizedString("blah")
+	fooUser := "foo"
+	barUser := "bar"
+	blahUser := "blah"
 	subjectDNString := "O=Cockroach,OU=Order Processing Team,UID=b8b40653-7f74-4f14-8a61-59f7f3b18184,CN=foo"
 	fieldMismatchSubjectDNString := "O=Cockroach,OU=Marketing Team,UID=b8b40653-7f74-4f14-8a61-59f7f3b18184,CN=foo"
 	subsetSubjectDNString := "O=Cockroach,OU=Order Processing Team,CN=foo"
@@ -388,7 +388,7 @@ func TestAuthenticationHook(t *testing.T) {
 	testCases := []struct {
 		insecure                   bool
 		tlsSpec                    string
-		username                   username.SQLUsername
+		username                   string
 		distinguishedNameString    string
 		principalMap               string
 		buildHookSuccess           bool
@@ -400,21 +400,21 @@ func TestAuthenticationHook(t *testing.T) {
 		expectedErr                string
 	}{
 		// Insecure mode, empty username.
-		{true, "", username.SQLUsername{}, "", "", true, false, false, roachpb.SystemTenantID, false, false, `user is missing`},
+		{true, "", username.EmptyRole, "", "", true, false, false, roachpb.SystemTenantID, false, false, `user is missing`},
 		// Insecure mode, non-empty username.
 		{true, "", fooUser, "", "", true, true, false, roachpb.SystemTenantID, false, false, `user "foo" is not allowed`},
 		// Secure mode, no TLS state.
-		{false, "", username.SQLUsername{}, "", "", false, false, false, roachpb.SystemTenantID, false, false, `no client certificates in request`},
+		{false, "", username.EmptyRole, "", "", false, false, false, roachpb.SystemTenantID, false, false, `no client certificates in request`},
 		// Secure mode, bad user.
-		{false, "(CN=foo)", username.NodeUserName(), "", "", true, false, false, roachpb.SystemTenantID,
+		{false, "(CN=foo)", username.NodeUser, "", "", true, false, false, roachpb.SystemTenantID,
 			false, false, `certificate authentication failed for user "node"`},
 		// Secure mode, node user.
-		{false, "(CN=node)", username.NodeUserName(), "", "", true, true, true, roachpb.SystemTenantID, false, false, ``},
+		{false, "(CN=node)", username.NodeUser, "", "", true, true, true, roachpb.SystemTenantID, false, false, ``},
 		// Secure mode, node cert and unrelated user.
 		{false, "(CN=node)", fooUser, "", "", true, false, false, roachpb.SystemTenantID,
 			false, false, `certificate authentication failed for user "foo"`},
 		// Secure mode, root user.
-		{false, "(CN=root)", username.NodeUserName(), "", "", true, false, false, roachpb.SystemTenantID,
+		{false, "(CN=root)", username.NodeUser, "", "", true, false, false, roachpb.SystemTenantID,
 			false, false, `certificate authentication failed for user "node"`},
 		// Secure mode, tenant cert, foo user.
 		{false, "(OU=Tenants,CN=foo)", fooUser, "", "", true, false, false, roachpb.SystemTenantID,
@@ -460,12 +460,12 @@ func TestAuthenticationHook(t *testing.T) {
 		// matching) having DNS as foo.
 		{false, "(" + fieldMismatchOnlyOnCommonNameString + ")dns:foo", fooUser, subjectDNString, "", true, false, false, roachpb.MustMakeTenantID(123),
 			true, false, `certificate authentication failed for user "foo"`},
-		{false, "(" + rootDNString + ")", username.RootUserName(), rootDNString, "", true, true, false, roachpb.MustMakeTenantID(123),
+		{false, "(" + rootDNString + ")", username.RootUser, rootDNString, "", true, true, false, roachpb.MustMakeTenantID(123),
 			true, false, `user "root" is not allowed`},
-		{false, "(" + nodeDNString + ")", username.NodeUserName(), nodeDNString, "", true, true, true, roachpb.MustMakeTenantID(123),
+		{false, "(" + nodeDNString + ")", username.NodeUser, nodeDNString, "", true, true, true, roachpb.MustMakeTenantID(123),
 			true, false, ""},
 		// tls cert dn matching root dn set, where CN != root
-		{false, "(" + subjectDNString + ")", username.RootUserName(), subjectDNString, "", true, true, false, roachpb.MustMakeTenantID(123),
+		{false, "(" + subjectDNString + ")", username.RootUser, subjectDNString, "", true, true, false, roachpb.MustMakeTenantID(123),
 			true, false, `user "root" is not allowed`},
 		{false, "(" + subjectDNString + ")", fooUser, "", "", true, false, false, roachpb.MustMakeTenantID(123),
 			false, true, `user "foo" does not have a distinguished name set which subject_required cluster setting mandates`},
@@ -489,12 +489,12 @@ func TestAuthenticationHook(t *testing.T) {
 			var roleSubject *ldap.DN
 			if tc.isSubjectRoleOptionOrDNSet {
 				switch tc.username {
-				case username.RootUserName():
+				case username.RootUser:
 					err = security.SetRootSubject(tc.distinguishedNameString)
 					if err != nil {
 						t.Fatalf("could not set root subject DN, err: %v", err)
 					}
-				case username.NodeUserName():
+				case username.NodeUser:
 					err = security.SetNodeSubject(tc.distinguishedNameString)
 					if err != nil {
 						t.Fatalf("could not set node subject DN, err: %v", err)

diff --git a/pkg/security/certificate_manager.go b/pkg/security/certificate_manager.go
@@ -207,11 +207,11 @@ func (cm *CertificateManager) RegisterExpirationCache(cache *ClientCertExpiratio
 // given client certificate. An update is contingent on whether the old
 // expiration is after the new expiration.
 func (cm *CertificateManager) MaybeUpsertClientExpiration(
-	ctx context.Context, identity username.SQLUsername, expiration int64,
+	ctx context.Context, identity string, expiration int64,
 ) {
 	if cache := cm.clientCertExpirationCache; cache != nil {
 		cache.MaybeUpsert(ctx,
-			identity.Normalized(),
+			identity,
 			expiration,
 			cm.certMetrics.ClientExpiration,
 			cm.certMetrics.ClientTTL,

diff --git a/pkg/sql/conn_executor.go b/pkg/sql/conn_executor.go
@@ -983,7 +983,7 @@ func newSessionData(args SessionArgs) *sessiondata.SessionData {
 		LocalOnlySessionData: sessiondatapb.LocalOnlySessionData{
 			ResultsBufferSize:   args.ConnResultsBufferSize,
 			IsSuperuser:         args.IsSuperuser,
-			SystemIdentityProto: args.SystemIdentity.EncodeProto(),
+			SystemIdentityProto: args.SystemIdentity,
 		},
 	}
 	if len(args.CustomOptionSessionDefaults) > 0 {

diff --git a/pkg/sql/exec_util.go b/pkg/sql/exec_util.go
@@ -2266,7 +2266,7 @@ type SessionArgs struct {
 	IsSuperuser                 bool
 	IsSSL                       bool
 	ReplicationMode             sessiondatapb.ReplicationMode
-	SystemIdentity              username.SQLUsername
+	SystemIdentity              string
 	SessionDefaults             SessionDefaults
 	CustomOptionSessionDefaults SessionDefaults
 	// RemoteAddr is the client's address. This is nil iff this is an internal

diff --git a/pkg/sql/pgwire/BUILD.bazel b/pkg/sql/pgwire/BUILD.bazel
@@ -42,6 +42,7 @@ go_library(
         "//pkg/sql/catalog/colinfo",
         "//pkg/sql/clusterunique",
         "//pkg/sql/lex",
+        "//pkg/sql/lexbase",
         "//pkg/sql/parser",
         "//pkg/sql/parser/statements",
         "//pkg/sql/pgrepl/pgreplparser",