Merge pull request #589 from skoef/errAccessDenied

lance6716 · web-flow · commit ba73da28df82 · 2021-06-18T14:17:20.000+08:00
Improved access denied error messages
diff --git a/server/auth.go b/server/auth.go
@@ -13,7 +13,10 @@ import (
 	"github.com/pingcap/errors"
 )
 
-var ErrAccessDenied = errors.New("access denied")
+var (
+	ErrAccessDenied           = errors.New("access denied")
+	ErrAccessDeniedNoPassword = fmt.Errorf("%w without password", ErrAccessDenied)
+)
 
 func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {
 	switch authPluginName {
@@ -62,6 +65,14 @@ func (c *Conn) acquirePassword() error {
 	return nil
 }
 
+func errAccessDenied(password string) error {
+	if password == "" {
+		return ErrAccessDeniedNoPassword
+	}
+
+	return ErrAccessDenied
+}
+
 func scrambleValidation(cached, nonce, scramble []byte) bool {
 	// SHA256(SHA256(SHA256(STORED_PASSWORD)), NONCE)
 	crypt := sha256.New()
@@ -83,10 +94,10 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 }
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, password string) error {
-	if bytes.Equal(CalcPassword(c.salt, []byte(c.password)), clientAuthData) {
+	if bytes.Equal(CalcPassword(c.salt, []byte(password)), clientAuthData) {
 		return nil
 	}
-	return ErrAccessDenied
+	return errAccessDenied(password)
 }
 
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, password string) error {
@@ -109,7 +120,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, password str
 		if bytes.Equal(clientAuthData, []byte(password)) {
 			return nil
 		}
-		return ErrAccessDenied
+		return errAccessDenied(password)
 	} else {
 		// client should send encrypted password
 		// decrypt
@@ -126,7 +137,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, password str
 		if bytes.Equal(plain, dbytes) {
 			return nil
 		}
-		return ErrAccessDenied
+		return errAccessDenied(password)
 	}
 }
 
@@ -153,7 +164,8 @@ func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
 			// 'fast' auth: write "More data" packet (first byte == 0x01) with the second byte = 0x03
 			return c.writeAuthMoreDataFastAuth()
 		}
-		return ErrAccessDenied
+
+		return errAccessDenied(c.password)
 	}
 	// other type of credential provider, we use the cache
 	cached, ok := c.serverConf.cacheShaPassword.Load(fmt.Sprintf("%s@%s", c.user, c.Conn.LocalAddr()))
@@ -163,7 +175,8 @@ func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
 			// 'fast' auth: write "More data" packet (first byte == 0x01) with the second byte = 0x03
 			return c.writeAuthMoreDataFastAuth()
 		}
-		return ErrAccessDenied
+
+		return errAccessDenied(c.password)
 	}
 	// cache miss, do full auth
 	if err := c.writeAuthMoreDataFullAuth(); err != nil {
diff --git a/server/auth_switch_response.go b/server/auth_switch_response.go
@@ -25,7 +25,7 @@ func (c *Conn) handleAuthSwitchResponse() error {
 			return err
 		}
 		if !bytes.Equal(CalcPassword(c.salt, []byte(c.password)), authData) {
-			return ErrAccessDenied
+			return errAccessDenied(c.password)
 		}
 		return nil
 
@@ -82,7 +82,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 		if bytes.Equal(authData, []byte(c.password)) {
 			return nil
 		}
-		return ErrAccessDenied
+		return errAccessDenied(c.password)
 	} else {
 		// client either request for the public key or send the encrypted password
 		if len(authData) == 1 && authData[0] == 0x02 {
@@ -111,7 +111,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 		if bytes.Equal(plain, dbytes) {
 			return nil
 		}
-		return ErrAccessDenied
+		return errAccessDenied(c.password)
 	}
 }
 
diff --git a/server/conn.go b/server/conn.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"errors"
 	"net"
 	"sync/atomic"
 
@@ -105,8 +106,12 @@ func (c *Conn) handshake() error {
 	}
 
 	if err := c.readHandshakeResponse(); err != nil {
-		if err == ErrAccessDenied {
-			err = NewDefaultError(ER_ACCESS_DENIED_ERROR, c.user, c.LocalAddr().String(), "Yes")
+		if errors.Is(err, ErrAccessDenied) {
+			usingPasswd := ER_YES
+			if errors.Is(err, ErrAccessDeniedNoPassword) {
+				usingPasswd = ER_NO
+			}
+			err = NewDefaultError(ER_ACCESS_DENIED_ERROR, c.user, c.RemoteAddr().String(), usingPasswd)
 		}
 		_ = c.writeError(err)
 		return err
diff --git a/server/handshake_resp.go b/server/handshake_resp.go
@@ -148,7 +148,7 @@ func (c *Conn) readAuthData(data []byte, pos int) (auth []byte, authLen int, new
 		}
 		if isNULL {
 			// no auth length and no auth data, just \NUL, considered invalid auth data, and reject connection as MySQL does
-			return nil, 0, 0, NewDefaultError(ER_ACCESS_DENIED_ERROR, c.LocalAddr().String(), c.user, "Yes")
+			return nil, 0, 0, NewDefaultError(ER_ACCESS_DENIED_ERROR, c.RemoteAddr().String(), c.user, ER_NO)
 		}
 		auth = authData
 		authLen = readBytes

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,10 @@ import (`
`13`	`13`	`"github.com/pingcap/errors"`
`14`	`14`	`)`
`15`	`15`
`16`		`-var ErrAccessDenied = errors.New("access denied")`
	`16`	`+var (`
	`17`	`+ ErrAccessDenied = errors.New("access denied")`
	`18`	`+ ErrAccessDeniedNoPassword = fmt.Errorf("%w without password", ErrAccessDenied)`
	`19`	`+)`
`17`	`20`
`18`	`21`	`func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {`
`19`	`22`	`switch authPluginName {`
`@@ -62,6 +65,14 @@ func (c *Conn) acquirePassword() error {`
`62`	`65`	`return nil`
`63`	`66`	`}`
`64`	`67`
	`68`	`+func errAccessDenied(password string) error {`
	`69`	`+ if password == "" {`
	`70`	`+ return ErrAccessDeniedNoPassword`
	`71`	`+ }`
	`72`	`+`
	`73`	`+ return ErrAccessDenied`
	`74`	`+}`
	`75`	`+`
`65`	`76`	`func scrambleValidation(cached, nonce, scramble []byte) bool {`
`66`	`77`	`// SHA256(SHA256(SHA256(STORED_PASSWORD)), NONCE)`
`67`	`78`	`crypt := sha256.New()`
`@@ -83,10 +94,10 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {`
`83`	`94`	`}`
`84`	`95`
`85`	`96`	`func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, password string) error {`
`86`		`- if bytes.Equal(CalcPassword(c.salt, []byte(c.password)), clientAuthData) {`
	`97`	`+ if bytes.Equal(CalcPassword(c.salt, []byte(password)), clientAuthData) {`
`87`	`98`	`return nil`
`88`	`99`	`}`
`89`		`- return ErrAccessDenied`
	`100`	`+ return errAccessDenied(password)`
`90`	`101`	`}`
`91`	`102`
`92`	`103`	`func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, password string) error {`
`@@ -109,7 +120,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, password str`
`109`	`120`	`if bytes.Equal(clientAuthData, []byte(password)) {`
`110`	`121`	`return nil`
`111`	`122`	`}`
`112`		`- return ErrAccessDenied`
	`123`	`+ return errAccessDenied(password)`
`113`	`124`	`} else {`
`114`	`125`	`// client should send encrypted password`
`115`	`126`	`// decrypt`
`@@ -126,7 +137,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, password str`
`126`	`137`	`if bytes.Equal(plain, dbytes) {`
`127`	`138`	`return nil`
`128`	`139`	`}`
`129`		`- return ErrAccessDenied`
	`140`	`+ return errAccessDenied(password)`
`130`	`141`	`}`
`131`	`142`	`}`
`132`	`143`
`@@ -153,7 +164,8 @@ func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {`
`153`	`164`	`// 'fast' auth: write "More data" packet (first byte == 0x01) with the second byte = 0x03`
`154`	`165`	`return c.writeAuthMoreDataFastAuth()`
`155`	`166`	`}`
`156`		`- return ErrAccessDenied`
	`167`	`+`
	`168`	`+ return errAccessDenied(c.password)`
`157`	`169`	`}`
`158`	`170`	`// other type of credential provider, we use the cache`
`159`	`171`	`cached, ok := c.serverConf.cacheShaPassword.Load(fmt.Sprintf("%s@%s", c.user, c.Conn.LocalAddr()))`
`@@ -163,7 +175,8 @@ func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {`
`163`	`175`	`// 'fast' auth: write "More data" packet (first byte == 0x01) with the second byte = 0x03`
`164`	`176`	`return c.writeAuthMoreDataFastAuth()`
`165`	`177`	`}`
`166`		`- return ErrAccessDenied`
	`178`	`+`
	`179`	`+ return errAccessDenied(c.password)`
`167`	`180`	`}`
`168`	`181`	`// cache miss, do full auth`
`169`	`182`	`if err := c.writeAuthMoreDataFullAuth(); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func (c *Conn) handleAuthSwitchResponse() error {`
`25`	`25`	`return err`
`26`	`26`	`}`
`27`	`27`	`if !bytes.Equal(CalcPassword(c.salt, []byte(c.password)), authData) {`
`28`		`- return ErrAccessDenied`
	`28`	`+ return errAccessDenied(c.password)`
`29`	`29`	`}`
`30`	`30`	`return nil`
`31`	`31`
`@@ -82,7 +82,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {`
`82`	`82`	`if bytes.Equal(authData, []byte(c.password)) {`
`83`	`83`	`return nil`
`84`	`84`	`}`
`85`		`- return ErrAccessDenied`
	`85`	`+ return errAccessDenied(c.password)`
`86`	`86`	`} else {`
`87`	`87`	`// client either request for the public key or send the encrypted password`
`88`	`88`	`if len(authData) == 1 && authData[0] == 0x02 {`
`@@ -111,7 +111,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {`
`111`	`111`	`if bytes.Equal(plain, dbytes) {`
`112`	`112`	`return nil`
`113`	`113`	`}`
`114`		`- return ErrAccessDenied`
	`114`	`+ return errAccessDenied(c.password)`
`115`	`115`	`}`
`116`	`116`	`}`
`117`	`117`
Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ func (c *Conn) readAuthData(data []byte, pos int) (auth []byte, authLen int, new`
`148`	`148`	`}`
`149`	`149`	`if isNULL {`
`150`	`150`	`// no auth length and no auth data, just \NUL, considered invalid auth data, and reject connection as MySQL does`
`151`		`- return nil, 0, 0, NewDefaultError(ER_ACCESS_DENIED_ERROR, c.LocalAddr().String(), c.user, "Yes")`
	`151`	`+ return nil, 0, 0, NewDefaultError(ER_ACCESS_DENIED_ERROR, c.RemoteAddr().String(), c.user, ER_NO)`
`152`	`152`	`}`
`153`	`153`	`auth = authData`
`154`	`154`	`authLen = readBytes`