This is an automated email from the ASF dual-hosted git repository.
yx9o pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shardingsphere.git
The following commit(s) were added to refs/heads/master by this push:
new 1a6066078f9 Split AuthorityChecker and AuthenticationChecker (#23822)
1a6066078f9 is described below
commit 1a6066078f9b39886d158de0c44289e4decb9403
Author: Liang Zhang <[email protected]>
AuthorDate: Mon Jan 30 11:52:12 2023 +0800
Split AuthorityChecker and AuthenticationChecker (#23822)
* Add UnauthorizedOperationException to decouple audit exception and
authority exception
* Add UnauthorizedOperationException to decouple audit exception and
authority exception
* Add UnauthorizedOperationException to decouple audit exception and
authority exception
* Refactor AuthorityChecker
* Refactor AuthorityChecker
* Split AuthorityChecker and AuthenticationChecker
---
.../authority/checker/AuthenticationChecker.java | 46 ++++++++++++++++++++++
.../authority/checker/AuthorityChecker.java | 12 ------
.../authentication/MySQLAuthenticationHandler.java | 6 +--
.../OpenGaussAuthenticationHandler.java | 8 ++--
.../PostgreSQLAuthenticationHandler.java | 8 ++--
5 files changed, 59 insertions(+), 21 deletions(-)
diff --git
a/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthenticationChecker.java
b/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthenticationChecker.java
new file mode 100644
index 00000000000..dcdd29f4571
--- /dev/null
+++
b/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthenticationChecker.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shardingsphere.authority.checker;
+
+import lombok.RequiredArgsConstructor;
+import org.apache.shardingsphere.authority.rule.AuthorityRule;
+import org.apache.shardingsphere.infra.metadata.user.Grantee;
+
+import java.util.function.BiPredicate;
+
+/**
+ * Authentication checker.
+ */
+@RequiredArgsConstructor
+public final class AuthenticationChecker {
+
+ private final AuthorityRule rule;
+
+ private final Grantee grantee;
+
+ /**
+ * Check Authentication with cipher.
+ *
+ * @param validator validator
+ * @param cipher cipher
+ * @return authenticated or not
+ */
+ public boolean isAuthenticated(final BiPredicate<Object, Object>
validator, final Object cipher) {
+ return rule.findUser(grantee).filter(optional ->
validator.test(optional, cipher)).isPresent();
+ }
+}
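Review bot: `isAuthenticated` takes a `BiPredicate<Object, Object>` and an `Object` cipher, so the credential check is untyped. Every caller in this commit (the MySQL, openGauss and PostgreSQL handler hunks) has to cast inside its lambda, e.g. `(ShardingSphereUser) a, (byte[]) b`, and a mismatched argument would only surface as a `ClassCastException` during login. A generic signature keeps this compile-checked: `public <T> boolean isAuthenticated(final BiPredicate<ShardingSphereUser, T> validator, final T cipher)`. The lambda parameter `optional` is the user returned by `findUser`, not an `Optional`, so `user` would read better. The Javadoc should also state that the method returns false when no user matches the grantee, because the MySQL handler appears to rely on that to reject unknown users.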
diff --git
a/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthorityChecker.java
b/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthorityChecker.java
index 81e743d5218..ac59a963eb4 100644
---
a/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthorityChecker.java
+++
b/kernel/authority/core/src/main/java/org/apache/shardingsphere/authority/checker/AuthorityChecker.java
@@ -44,7 +44,6 @@ import
org.apache.shardingsphere.sql.parser.sql.dialect.statement.mysql.dal.MySQ
import java.util.Collections;
import java.util.Optional;
-import java.util.function.BiPredicate;
/**
* Authority checker.
@@ -56,17 +55,6 @@ public final class AuthorityChecker {
private final Grantee grantee;
- /**
- * Check Authentication with cipher.
- *
- * @param validator validator
- * @param cipher cipher
- * @return authenticated or not
- */
- public boolean isAuthenticated(final BiPredicate<Object, Object>
validator, final Object cipher) {
- return rule.findUser(grantee).filter(optional ->
validator.test(optional, cipher)).isPresent();
- }
-
/**
* Check database authority.
*
diff --git
a/proxy/frontend/mysql/src/main/java/org/apache/shardingsphere/proxy/frontend/mysql/authentication/MySQLAuthenticationHandler.java
b/proxy/frontend/mysql/src/main/java/org/apache/shardingsphere/proxy/frontend/mysql/authentication/MySQLAuthenticationHandler.java
index f94554f8fa5..44ccd41a066 100644
---
a/proxy/frontend/mysql/src/main/java/org/apache/shardingsphere/proxy/frontend/mysql/authentication/MySQLAuthenticationHandler.java
+++
b/proxy/frontend/mysql/src/main/java/org/apache/shardingsphere/proxy/frontend/mysql/authentication/MySQLAuthenticationHandler.java
@@ -18,6 +18,7 @@
package org.apache.shardingsphere.proxy.frontend.mysql.authentication;
import lombok.Getter;
+import org.apache.shardingsphere.authority.checker.AuthenticationChecker;
import org.apache.shardingsphere.authority.checker.AuthorityChecker;
import org.apache.shardingsphere.authority.rule.AuthorityRule;
import
org.apache.shardingsphere.db.protocol.mysql.packet.handshake.MySQLAuthPluginData;
@@ -50,12 +51,11 @@ public final class MySQLAuthenticationHandler {
public Optional<MySQLVendorError> login(final String username, final
String hostname, final byte[] authenticationResponse, final String
databaseName) {
AuthorityRule authorityRule =
ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getSingleRule(AuthorityRule.class);
Grantee grantee = new Grantee(username, hostname);
- AuthorityChecker authorityChecker = new
AuthorityChecker(authorityRule, grantee);
MySQLAuthenticator authenticator = getAuthenticator(username,
hostname);
- if (!authorityChecker.isAuthenticated((a, b) ->
authenticator.authenticate((ShardingSphereUser) a, (byte[]) b),
authenticationResponse)) {
+ if (!new AuthenticationChecker(authorityRule,
grantee).isAuthenticated((a, b) ->
authenticator.authenticate((ShardingSphereUser) a, (byte[]) b),
authenticationResponse)) {
return Optional.of(MySQLVendorError.ER_ACCESS_DENIED_ERROR);
}
- return null == databaseName ||
authorityChecker.isAuthorized(databaseName) ? Optional.empty() :
Optional.of(MySQLVendorError.ER_DBACCESS_DENIED_ERROR);
+ return null == databaseName || new AuthorityChecker(authorityRule,
grantee).isAuthorized(databaseName) ? Optional.empty() :
Optional.of(MySQLVendorError.ER_DBACCESS_DENIED_ERROR);
}
/**
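Review bot: The final return in `login` mixes `||` with a conditional expression and an inline `new AuthorityChecker(...)`, so the access decision depends on the reader knowing operator precedence. Naming the result makes it explicit: `boolean authorized = null == databaseName || new AuthorityChecker(authorityRule, grantee).isAuthorized(databaseName);` followed by `return authorized ? Optional.empty() : Optional.of(MySQLVendorError.ER_DBACCESS_DENIED_ERROR);`. A short comment should note that a null `databaseName` skips the database check at login. Authorization is presumably enforced later when a database is selected, but that is not visible in this hunk.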
diff --git
a/proxy/frontend/opengauss/src/main/java/org/apache/shardingsphere/proxy/frontend/opengauss/authentication/OpenGaussAuthenticationHandler.java
b/proxy/frontend/opengauss/src/main/java/org/apache/shardingsphere/proxy/frontend/opengauss/authentication/OpenGaussAuthenticationHandler.java
index 13168188502..653714216b9 100644
---
a/proxy/frontend/opengauss/src/main/java/org/apache/shardingsphere/proxy/frontend/opengauss/authentication/OpenGaussAuthenticationHandler.java
+++
b/proxy/frontend/opengauss/src/main/java/org/apache/shardingsphere/proxy/frontend/opengauss/authentication/OpenGaussAuthenticationHandler.java
@@ -22,6 +22,7 @@ import com.google.common.base.Strings;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import lombok.SneakyThrows;
+import org.apache.shardingsphere.authority.checker.AuthenticationChecker;
import org.apache.shardingsphere.authority.checker.AuthorityChecker;
import org.apache.shardingsphere.authority.rule.AuthorityRule;
import
org.apache.shardingsphere.db.protocol.postgresql.packet.handshake.PostgreSQLPasswordMessagePacket;
@@ -108,11 +109,12 @@ public final class OpenGaussAuthenticationHandler {
AuthorityRule authorityRule =
ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getSingleRule(AuthorityRule.class);
Grantee grantee = new Grantee(username, "%");
ShardingSpherePreconditions.checkState(authorityRule.findUser(grantee).isPresent(),
() -> new UnknownUsernameException(username));
- AuthorityChecker authorityChecker = new
AuthorityChecker(authorityRule, grantee);
- if (!authorityChecker.isAuthenticated((a, b) ->
isPasswordRight((ShardingSphereUser) a, (Object[]) b), new
Object[]{passwordMessagePacket.getDigest(), salt, nonce, serverIteration})) {
+ if (!new AuthenticationChecker(authorityRule, grantee)
+ .isAuthenticated((a, b) ->
isPasswordRight((ShardingSphereUser) a, (Object[]) b), new
Object[]{passwordMessagePacket.getDigest(), salt, nonce, serverIteration})) {
throw new InvalidPasswordException(username);
}
- ShardingSpherePreconditions.checkState(null == databaseName ||
authorityChecker.isAuthorized(databaseName), () -> new
PrivilegeNotGrantedException(username, databaseName));
+ ShardingSpherePreconditions.checkState(null == databaseName || new
AuthorityChecker(authorityRule, grantee).isAuthorized(databaseName),
+ () -> new PrivilegeNotGrantedException(username,
databaseName));
}
private static boolean isPasswordRight(final ShardingSphereUser user,
final Object[] args) {
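Review bot: `AuthenticationChecker.isAuthenticated` already returns false when `findUser` yields nothing, so the `checkState(..., () -> new UnknownUsernameException(username))` kept just above the new call now serves only to give unknown users a different error from wrong passwords (`InvalidPasswordException`). If both exceptions reach the client as distinct messages, an unauthenticated peer can tell valid usernames from invalid ones. Consider dropping the pre-check, or mapping both to the same client-facing failure and keeping the distinction in server logs. The pre-check also makes each login look the user up twice, and the PostgreSQL handler hunk has the same pattern. The enclosing method starts outside this hunk, so confirm nothing earlier depends on the pre-check.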
diff --git
a/proxy/frontend/postgresql/src/main/java/org/apache/shardingsphere/proxy/frontend/postgresql/authentication/PostgreSQLAuthenticationHandler.java
b/proxy/frontend/postgresql/src/main/java/org/apache/shardingsphere/proxy/frontend/postgresql/authentication/PostgreSQLAuthenticationHandler.java
index 333ef2f02e2..67d0c6eccec 100644
---
a/proxy/frontend/postgresql/src/main/java/org/apache/shardingsphere/proxy/frontend/postgresql/authentication/PostgreSQLAuthenticationHandler.java
+++
b/proxy/frontend/postgresql/src/main/java/org/apache/shardingsphere/proxy/frontend/postgresql/authentication/PostgreSQLAuthenticationHandler.java
@@ -18,6 +18,7 @@
package org.apache.shardingsphere.proxy.frontend.postgresql.authentication;
import com.google.common.base.Strings;
+import org.apache.shardingsphere.authority.checker.AuthenticationChecker;
import org.apache.shardingsphere.authority.checker.AuthorityChecker;
import org.apache.shardingsphere.authority.rule.AuthorityRule;
import
org.apache.shardingsphere.db.protocol.postgresql.packet.handshake.PostgreSQLPasswordMessagePacket;
@@ -50,12 +51,13 @@ public final class PostgreSQLAuthenticationHandler {
AuthorityRule authorityRule =
ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getSingleRule(AuthorityRule.class);
Grantee grantee = new Grantee(username, "%");
ShardingSpherePreconditions.checkState(authorityRule.findUser(grantee).isPresent(),
() -> new UnknownUsernameException(username));
- AuthorityChecker authorityChecker = new
AuthorityChecker(authorityRule, grantee);
PostgreSQLAuthenticator authenticator = getAuthenticator(username,
grantee.getHostname());
- if (!authorityChecker.isAuthenticated((a, b) ->
authenticator.authenticate((ShardingSphereUser) a, (Object[]) b), new
Object[]{passwordMessagePacket.getDigest(), md5Salt})) {
+ if (!new AuthenticationChecker(authorityRule, grantee)
+ .isAuthenticated((a, b) ->
authenticator.authenticate((ShardingSphereUser) a, (Object[]) b), new
Object[]{passwordMessagePacket.getDigest(), md5Salt})) {
throw new InvalidPasswordException(username);
}
- ShardingSpherePreconditions.checkState(null == databaseName ||
authorityChecker.isAuthorized(databaseName), () -> new
PrivilegeNotGrantedException(username, databaseName));
+ ShardingSpherePreconditions.checkState(null == databaseName || new
AuthorityChecker(authorityRule, grantee).isAuthorized(databaseName),
+ () -> new PrivilegeNotGrantedException(username,
databaseName));
}
/**