MDEV-19442 server_audit plugin doesn't consider proxy users in...

MDEV-19442 server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users. Check the proxy user just as the connection user against the incl_users_list and excl_users_list.

MDEV-19442 server_audit plugin doesn't consider proxy users in...
MDEV-19442 server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users. Check the proxy user just as the connection user against the incl_users_list and excl_users_list.
78292047 · Alexey Botchkov · 5b9ee8d8 · 78292047 · 78292047 · 78292047
Commit 78292047 authored Dec 28, 2020 by Alexey Botchkov
3 changed files
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@@ -227,6 +227,7 @@ set global server_audit_logging= on;
 disconnect cn1;
 drop user user1@localhost;
 set global server_audit_events='';
+set global server_audit_incl_users='root, plug_dest';
 CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
 CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
 connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK);
@@ -277,7 +278,7 @@ server_audit_file_path
 server_audit_file_rotate_now	OFF
 server_audit_file_rotate_size	1000000
 server_audit_file_rotations	9
-server_audit_incl_users	root
+server_audit_incl_users	root, plug_dest
 server_audit_logging	ON
 server_audit_mode	1
 server_audit_output_type	file
@@ -419,6 +420,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_incl_users=\'root, plug_dest\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
@@ -442,6 +444,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0
 TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0
 TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0
+TIME,HOSTNAME,plug,localhost,ID,ID,QUERY,test,'select USER(),CURRENT_USER()',0
 TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,

--- a/mysql-test/suite/plugins/t/server_audit.test
+++ b/mysql-test/suite/plugins/t/server_audit.test
@@ -173,6 +173,7 @@ source include/wait_until_count_sessions.inc;
 drop user user1@localhost;

 set global server_audit_events='';
+set global server_audit_incl_users='root, plug_dest';

 CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
 CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';

--- a/plugin/server_audit/server_audit.c
+++ b/plugin/server_audit/server_audit.c
@@ -1578,22 +1578,27 @@ static size_t escape_string_hide_passwords(const char *str, unsigned int len,



-static int do_log_user(const char *name, int take_lock)
+static int do_log_user(const char *name, int len,
+                       const char *proxy, int proxy_len, int take_lock)
 {
-  size_t len;
  int result;

  if (!name)
    return 0;
-  len= strlen(name);

  if (take_lock)
    flogger_mutex_lock(&lock_operations);

  if (incl_user_coll.n_users)
-    result= coll_search(&incl_user_coll, name, len) != 0;
+  {
+    result= coll_search(&incl_user_coll, name, len) != 0 ||
+            (proxy && coll_search(&incl_user_coll, proxy, proxy_len) != 0);
+  }
  else if (excl_user_coll.n_users)
-    result=  coll_search(&excl_user_coll, name, len) == 0;
+  {
+    result= coll_search(&excl_user_coll, name, len) == 0 &&
+            (proxy && coll_search(&excl_user_coll, proxy, proxy_len) == 0);
+  }
  else
    result= 1;

@@ -2134,7 +2139,9 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
  }

  if (event_class == MYSQL_AUDIT_GENERAL_CLASS && FILTER(EVENT_QUERY) &&
-      cn && (cn->log_always || do_log_user(cn->user, 1)))
+      cn && (cn->log_always || do_log_user(cn->user, cn->user_length,
+                                           cn->proxy, cn->proxy_length,
+                                           1)))
  {
    const struct mysql_event_general *event =
      (const struct mysql_event_general *) ev;
@@ -2154,7 +2161,8 @@ void auditing(MYSQL_THD thd, unsigned int event_class, const void *ev)
  {
    const struct mysql_event_table *event =
      (const struct mysql_event_table *) ev;
-    if (do_log_user(event->user, 1))
+    if (do_log_user(event->user, SAFE_STRLEN(event->user),
+                    cn->proxy, cn->proxy_length, 1))
    {
      switch (event->event_subclass)
      {