Merge pull request #102 from iegomez/fix/hasher-opts-keys

Fix opts prefix for hasher.
2020-10-22 20:36:42 -03:00 · 2020-10-22 20:36:42 -03:00 · d5e0f9028d
parent 4b20bb3176 bb8acfa511
commit d5e0f9028d
2 changed files with 41 additions and 17 deletions
--- a/README.md
+++ b/README.md
@ -613,7 +613,9 @@ rw int not null);

 ### Mysql

-The `mysql` backend works almost exactly as the `postgres` one, except for a few configurations and that options start with `mysql_` instead of `pg_`. One change has to do with the connection protocol, either a Unix socket or tcp (options are unix or tcp). If `unix` socket is the selected protocol, then a socket path must be given:
+The `mysql` backend works almost exactly as the `postgres` one, except for a few configurations and that options start with `mysql_` instead of `pg_`. 
+One change has to do with the connection protocol, either a Unix socket or tcp (options are unix or tcp). If `unix` socket is the selected protocol, 
+then a socket path must be given:

 ```
 auth_opt_mysql_protocol unix
@ -622,9 +624,11 @@ auth_opt_mysql_socket /path/to/socket

 The default protocol when the option is missing will be `tcp`, even if a socket path is given.

-Another change has to do with sslmode options, with options being true, false, skip-verify or custom. When custom mode is given, sslcert, sslkey and sslrootcert paths are expected. If the option is not set or one or more required paths are missing, it will default to false.
+Another change has to do with sslmode options, with options being `true`, `false`, `skip-verify` or `custo`m. 
+When custom mode is given, `sslcert`, `sslkey` and `sslrootcert` paths are expected. 
+If the option is not set or one or more required paths are missing, it will default to false.

-Also, default host `localhost` and port 3306 will be used if none are given.  
+Also, default host `localhost` and port `3306` will be used if none are given.  

 To allow native passwords, set the option to true:

@ -632,6 +636,26 @@ To allow native passwords, set the option to true:
 auth_opt_mysql_allow_native_passwords true
 ```

+Supported options for `mysql` are:
+
+| Option         		| default           |  Mandatory  | Meaning                  |
+| -------------- 		| ----------------- | :---------: | ------------------------ |
+| mysql_host            |     localhost     |     N       | hostname/address
+| mysql_port            |       3306        |     N       | TCP port
+| mysql_user            |                   |     Y       | username
+| mysql_password        |                   |     Y       | password
+| mysql_dbname          |                   |     Y       | database name
+| mysql_userquery       |                   |     Y       | SQL for users
+| mysql_superquery      |                   |     N       | SQL for superusers
+| mysql_aclquery        |                   |     N       | SQL for ACLs
+| mysql_sslmode         |     disable       |     N       | SSL/TLS mode.
+| mysql_sslcert         |                   |     N       | SSL/TLS Client Cert.
+| mysql_sslkey          |                   |     N       | SSL/TLS Client Cert. Key
+| mysql_sslrootcert     |                   |     N       | SSL/TLS Root Cert
+| mysql_protocol        |       tcp         |     N       | Connection protocol
+| mysql_socket          |                   |     N       | Unix socket path
+
+
 Finally, placeholders for mysql differ from those of postgres, changing from $1, $2, etc., to simply ?. These are some **example** queries for `mysql`:

 User query:
--- a/go-auth.go
+++ b/go-auth.go
@ -60,18 +60,18 @@ const (
 	grpcBackend     = "grpc"
 )

-//Use a map of bools instead of empty structs so we may disable plugins easily.
-var allowedBackends = map[string]bool{
-	postgresBackend: true,
-	jwtBackend:      true,
-	redisBackend:    true,
-	httpBackend:     true,
-	filesBackend:    true,
-	mysqlBackend:    true,
-	sqliteBackend:   true,
-	mongoBackend:    true,
-	pluginBackend:   true,
-	grpcBackend:     true,
+// Serves s a check for allowed backends and a map from backend to expected opts prefix.
+var allowedBackendsOptsPrefix = map[string]string{
+	postgresBackend: "pg",
+	jwtBackend:      "jwt",
+	redisBackend:    "redis",
+	httpBackend:     "http",
+	filesBackend:    "files",
+	mysqlBackend:    "mysql",
+	sqliteBackend:   "sqlite",
+	mongoBackend:    "mongo",
+	pluginBackend:   "plugin",
+	grpcBackend:     "grpc",
 }

 var backends []string          //List of selected backends.
@ -103,7 +103,7 @@ func AuthPluginInit(keys []string, values []string, authOptsNum int) {
 			if len(backends) > 0 {
 				backendsCheck := true
 				for _, backend := range backends {
-					if _, ok := allowedBackends[backend]; !ok {
+					if _, ok := allowedBackendsOptsPrefix[backend]; !ok {
 						backendsCheck = false
 						log.Errorf("backend not allowed: %s", backend)
 					}
@ -254,7 +254,7 @@ func AuthPluginInit(keys []string, values []string, authOptsNum int) {

 			}
 		} else {
-			hasher := hashing.NewHasher(authOpts, bename)
+			hasher := hashing.NewHasher(authOpts, allowedBackendsOptsPrefix[bename])
 			switch bename {
 			case postgresBackend:
 				beIface, err = bes.NewPostgres(authOpts, authPlugin.logLevel, hasher)