Projects/mysqladm-rs
Projects
/
mysqladm-rs
12
2
Fork 0
Code Issues 36 Pull Requests Releases Activity

Compare commits

base: Projects:86b5b47f1ea7c02b4487e9688d5900bd6b8dee30
Branches Tags
Projects:main
Projects:dpkg-packaging
...
compare: Projects:cd0b2c3e6d6fee6ea9919821b24dc03f8b1d07b9
Branches Tags
Projects:main
Projects:dpkg-packaging

4 Commits
86b5b47f1e ... cd0b2c3e6d

Author SHA1 Message Date
Oystein Kristoffer Tveit cd0b2c3e6d
sd_notify(ready) 2024-08-19 00:13:22 +02:00
Oystein Kristoffer Tveit 93469a6e84
Add more serverside logging 2024-08-19 00:11:11 +02:00
Oystein Kristoffer Tveit e4da639d5c
Fix sqlx parse error 2024-08-19 00:09:27 +02:00
Oystein Kristoffer Tveit daa8e069d3
Fix sql statement for `show-user` 2024-08-18 22:57:01 +02:00
6 changed files with 188 additions and 48 deletions
Show Stats Expand all files Collapse all files

4
src/server/command.rs
View File

@ -50,10 +50,12 @@ async fn socket_activate(config: ServerConfig) -> anyhow::Result<()> {
// TODO: allow getting socket path from other socket activation sources
let conn = get_socket_from_systemd().await?;
let uid = conn.peer_cred()?.uid();
let unix_user = UnixUser::from_uid(uid.into())?;
let unix_user = UnixUser::from_uid(uid)?;
log::info!("Accepted connection from {}", unix_user.username);
sd_notify::notify(true, &[sd_notify::NotifyState::Ready]).ok();
handle_requests_for_single_session(conn, &unix_user, &config).await?;
Ok(())

7
src/server/config.rs
View File

@ -102,8 +102,11 @@ pub async fn create_mysql_connection_from_config(
config: &MysqlConfig,
) -> anyhow::Result<MySqlConnection> {
let mut display_config = config.clone();
display_config.password = "<REDACTED>".to_owned();
log::debug!("Connecting to MySQL server with parameters: {:#?}", display_config);
"<REDACTED>".clone_into(&mut display_config.password);
log::debug!(
"Connecting to MySQL server with parameters: {:#?}",
display_config
);
match tokio::time::timeout(
Duration::from_secs(config.timeout.unwrap_or(DEFAULT_TIMEOUT)),

4
src/server/server_loop.rs
View File

@ -57,11 +57,13 @@ pub async fn listen_for_incoming_connections(
let listener = UnixListener::bind(socket_path)?;
sd_notify::notify(true, &[sd_notify::NotifyState::Ready]).ok();
while let Ok((mut conn, _addr)) = listener.accept().await {
let uid = conn.peer_cred()?.uid();
log::trace!("Accepted connection from uid {}", uid);
let unix_user = match UnixUser::from_uid(uid.into()) {
let unix_user = match UnixUser::from_uid(uid) {
Ok(user) => user,
Err(e) => {
eprintln!("Failed to get UnixUser from uid: {}", e);

34
src/server/sql/database_operations.rs
View File

@ -26,9 +26,17 @@ pub(super) async fn unsafe_database_exists(
sqlx::query("SELECT SCHEMA_NAME FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = ?")
.bind(database_name)
.fetch_optional(connection)
.await?;
.await;
Ok(result.is_some())
if let Err(err) = &result {
log::error!(
"Failed to check if database '{}' exists: {:?}",
&database_name,
err
);
}
Ok(result?.is_some())
}
pub async fn create_databases(
@ -80,6 +88,10 @@ pub async fn create_databases(
.map(|_| ())
.map_err(|err| CreateDatabaseError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to create database '{}': {:?}", &database_name, err);
}
results.insert(database_name, result);
}
@ -135,6 +147,10 @@ pub async fn drop_databases(
.map(|_| ())
.map_err(|err| DropDatabaseError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to drop database '{}': {:?}", &database_name, err);
}
results.insert(database_name, result);
}
@ -145,7 +161,7 @@ pub async fn list_databases_for_user(
unix_user: &UnixUser,
connection: &mut MySqlConnection,
) -> Result<Vec<String>, ListDatabasesError> {
sqlx::query(
let result = sqlx::query(
r#"
SELECT `SCHEMA_NAME` AS `database`
FROM `information_schema`.`SCHEMATA`
@ -161,5 +177,15 @@ pub async fn list_databases_for_user(
.map(|row| row.try_get::<String, _>("database"))
.collect::<Result<Vec<String>, sqlx::Error>>()
})
.map_err(|err| ListDatabasesError::MySqlError(err.to_string()))
.map_err(|err| ListDatabasesError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!(
"Failed to list databases for user '{}': {:?}",
unix_user.username,
err
);
}
result
}

47
src/server/sql/database_privilege_operations.rs
View File

@ -136,7 +136,7 @@ async fn unsafe_get_database_privileges(
database_name: &str,
connection: &mut MySqlConnection,
) -> Result<Vec<DatabasePrivilegeRow>, sqlx::Error> {
sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
let result = sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
"SELECT {} FROM `db` WHERE `db` = ?",
DATABASE_PRIVILEGE_FIELDS
.iter()
@ -145,7 +145,17 @@ async fn unsafe_get_database_privileges(
))
.bind(database_name)
.fetch_all(connection)
.await
.await;
if let Err(e) = &result {
log::error!(
"Failed to get database privileges for '{}': {}",
&database_name,
e
);
}
result
}
// NOTE: this function is unsafe because it does no input validation.
@ -155,7 +165,7 @@ pub async fn unsafe_get_database_privileges_for_db_user_pair(
user_name: &str,
connection: &mut MySqlConnection,
) -> Result<Option<DatabasePrivilegeRow>, sqlx::Error> {
sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
let result = sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
"SELECT {} FROM `db` WHERE `db` = ? AND `user` = ?",
DATABASE_PRIVILEGE_FIELDS
.iter()
@ -165,7 +175,18 @@ pub async fn unsafe_get_database_privileges_for_db_user_pair(
.bind(database_name)
.bind(user_name)
.fetch_optional(connection)
.await
.await;
if let Err(e) = &result {
log::error!(
"Failed to get database privileges for '{}.{}': {}",
&database_name,
&user_name,
e
);
}
result
}
pub async fn get_databases_privilege_data(
@ -220,7 +241,7 @@ pub async fn get_all_database_privileges(
unix_user: &UnixUser,
connection: &mut MySqlConnection,
) -> GetAllDatabasesPrivilegeData {
sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
let result = sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
indoc! {r#"
SELECT {} FROM `db` WHERE `db` IN
(SELECT DISTINCT `SCHEMA_NAME` AS `database`
@ -236,14 +257,20 @@ pub async fn get_all_database_privileges(
.bind(create_user_group_matching_regex(unix_user))
.fetch_all(connection)
.await
.map_err(|e| GetAllDatabasesPrivilegeDataError::MySqlError(e.to_string()))
.map_err(|e| GetAllDatabasesPrivilegeDataError::MySqlError(e.to_string()));
if let Err(e) = &result {
log::error!("Failed to get all database privileges: {:?}", e);
}
result
}
async fn unsafe_apply_privilege_diff(
database_privilege_diff: &DatabasePrivilegesDiff,
connection: &mut MySqlConnection,
) -> Result<(), sqlx::Error> {
match database_privilege_diff {
let result = match database_privilege_diff {
DatabasePrivilegesDiff::New(p) => {
let tables = DATABASE_PRIVILEGE_FIELDS
.iter()
@ -305,7 +332,13 @@ async fn unsafe_apply_privilege_diff(
.await
.map(|_| ())
}
};
if let Err(e) = &result {
log::error!("Failed to apply database privilege diff: {}", e);
}
result
}
async fn validate_diff(

140
src/server/sql/user_operations.rs
View File

@ -1,6 +1,6 @@
use indoc::formatdoc;
use itertools::Itertools;
use std::collections::BTreeMap;
use indoc::formatdoc;
use serde::{Deserialize, Serialize};
@ -29,7 +29,7 @@ async fn unsafe_user_exists(
db_user: &str,
connection: &mut MySqlConnection,
) -> Result<bool, sqlx::Error> {
sqlx::query(
let result = sqlx::query(
r#"
SELECT EXISTS(
SELECT 1
@ -41,7 +41,13 @@ async fn unsafe_user_exists(
.bind(db_user)
.fetch_one(connection)
.await
.map(|row| row.get::<bool, _>(0))
.map(|row| row.get::<bool, _>(0));
if let Err(err) = &result {
log::error!("Failed to check if database user exists: {:?}", err);
}
result
}
pub async fn create_database_users(
@ -80,6 +86,10 @@ pub async fn create_database_users(
.map(|_| ())
.map_err(|err| CreateUserError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to create database user '{}': {:?}", &db_user, err);
}
results.insert(db_user, result);
}
@ -122,6 +132,10 @@ pub async fn drop_database_users(
.map(|_| ())
.map_err(|err| DropUserError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to drop database user '{}': {:?}", &db_user, err);
}
results.insert(db_user, result);
}
@ -148,7 +162,7 @@ pub async fn set_password_for_database_user(
_ => {}
}
sqlx::query(
let result = sqlx::query(
format!(
"ALTER USER {}@'%' IDENTIFIED BY {}",
quote_literal(db_user),
@ -159,7 +173,17 @@ pub async fn set_password_for_database_user(
.execute(&mut *connection)
.await
.map(|_| ())
.map_err(|err| SetPasswordError::MySqlError(err.to_string()))
.map_err(|err| SetPasswordError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!(
"Failed to set password for database user '{}': {:?}",
&db_user,
err
);
}
result
}
// NOTE: this function is unsafe because it does no input validation.
@ -167,7 +191,7 @@ async fn database_user_is_locked_unsafe(
db_user: &str,
connection: &mut MySqlConnection,
) -> Result<bool, sqlx::Error> {
sqlx::query(
let result = sqlx::query(
r#"
SELECT COALESCE(
JSON_EXTRACT(`mysql`.`global_priv`.`priv`, "$.account_locked"),
@ -181,7 +205,17 @@ async fn database_user_is_locked_unsafe(
.bind(db_user)
.fetch_one(connection)
.await
.map(|row| row.get::<bool, _>(0))
.map(|row| row.get::<bool, _>(0));
if let Err(err) = &result {
log::error!(
"Failed to check if database user is locked '{}': {:?}",
&db_user,
err
);
}
result
}
pub async fn lock_database_users(
@ -234,6 +268,10 @@ pub async fn lock_database_users(
.map(|_| ())
.map_err(|err| LockUserError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to lock database user '{}': {:?}", &db_user, err);
}
results.insert(db_user, result);
}
@ -290,6 +328,10 @@ pub async fn unlock_database_users(
.map(|_| ())
.map_err(|err| UnlockUserError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to unlock database user '{}': {:?}", &db_user, err);
}
results.insert(db_user, result);
}
@ -298,39 +340,55 @@ pub async fn unlock_database_users(
/// This struct contains information about a database user.
/// This can be extended if we need more information in the future.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize, FromRow)]
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct DatabaseUser {
#[sqlx(rename = "User")]
pub user: String,
#[allow(dead_code)]
#[serde(skip)]
#[sqlx(rename = "Host")]
pub host: String,
#[sqlx(rename = "has_password")]
pub has_password: bool,
#[sqlx(rename = "is_locked")]
pub is_locked: bool,
#[sqlx(skip)]
pub databases: Vec<String>,
}
/// Some mysql versions with some collations mark some columns as binary fields,
/// which in the current version of sqlx is not parsable as string.
/// See: https://github.com/launchbadge/sqlx/issues/3387
#[inline]
fn try_get_with_binary_fallback(
row: &sqlx::mysql::MySqlRow,
column: &str,
) -> Result<String, sqlx::Error> {
row.try_get(column).or_else(|_| {
row.try_get::<Vec<u8>, _>(column)
.map(|v| String::from_utf8_lossy(&v).to_string())
})
}
impl FromRow<'_, sqlx::mysql::MySqlRow> for DatabaseUser {
fn from_row(row: &sqlx::mysql::MySqlRow) -> Result<Self, sqlx::Error> {
Ok(Self {
user: try_get_with_binary_fallback(row, "User")?,
host: try_get_with_binary_fallback(row, "Host")?,
has_password: row.try_get("has_password")?,
is_locked: row.try_get("is_locked")?,
databases: Vec::new(),
})
}
}
const DB_USER_SELECT_STATEMENT: &str = r#"
SELECT
`mysql`.`user`.`User`,
`mysql`.`user`.`Host`,
`mysql`.`user`.`Password` != '' OR `mysql`.`user`.`authentication_string` != '' AS `has_password`,
`user`.`User`,
`user`.`Host`,
`user`.`Password` != '' OR `user`.`authentication_string` != '' AS `has_password`,
COALESCE(
JSON_EXTRACT(`mysql`.`global_priv`.`priv`, "$.account_locked"),
JSON_EXTRACT(`global_priv`.`priv`, "$.account_locked"),
'false'
) != 'false' AS `is_locked`
FROM `mysql`.`user`
JOIN `mysql`.`global_priv` ON
`mysql`.`user`.`User` = `mysql`.`global_priv`.`User`
AND `mysql`.`user`.`Host` = `mysql`.`global_priv`.`Host`
FROM `user`
JOIN `global_priv` ON
`user`.`User` = `global_priv`.`User`
AND `user`.`Host` = `global_priv`.`Host`
"#;
pub async fn list_database_users(
@ -358,6 +416,10 @@ pub async fn list_database_users(
.fetch_optional(&mut *connection)
.await;
if let Err(err) = &result {
log::error!("Failed to list database user '{}': {:?}", &db_user, err);
}
if let Ok(Some(user)) = result.as_mut() {
append_databases_where_user_has_privileges(user, &mut *connection).await;
}
@ -377,13 +439,17 @@ pub async fn list_all_database_users_for_unix_user(
connection: &mut MySqlConnection,
) -> ListAllUsersOutput {
let mut result = sqlx::query_as::<_, DatabaseUser>(
&(DB_USER_SELECT_STATEMENT.to_string() + "WHERE `mysql`.`user`.`User` REGEXP ?"),
&(DB_USER_SELECT_STATEMENT.to_string() + "WHERE `user`.`User` REGEXP ?"),
)
.bind(create_user_group_matching_regex(unix_user))
.fetch_all(&mut *connection)
.await
.map_err(|err| ListAllUsersError::MySqlError(err.to_string()));
if let Err(err) = &result {
log::error!("Failed to list all database users: {:?}", err);
}
if let Ok(users) = result.as_mut() {
for user in users {
append_databases_where_user_has_privileges(user, &mut *connection).await;
@ -394,15 +460,15 @@ pub async fn list_all_database_users_for_unix_user(
}
pub async fn append_databases_where_user_has_privileges(
database_user: &mut DatabaseUser,
db_user: &mut DatabaseUser,
connection: &mut MySqlConnection,
) {
let database_list = sqlx::query(
formatdoc!(
r#"
SELECT `db` AS `database`
SELECT `Db` AS `database`
FROM `db`
WHERE `user` = ? AND ({})
WHERE `User` = ? AND ({})
"#,
DATABASE_PRIVILEGE_FIELDS
.iter()
@ -411,14 +477,22 @@ pub async fn append_databases_where_user_has_privileges(
)
.as_str(),
)
.bind(database_user.user.clone())
.bind(db_user.user.clone())
.fetch_all(&mut *connection)
.await;
database_user.databases = database_list
if let Err(err) = &database_list {
log::error!(
"Failed to list databases for user '{}': {:?}",
&db_user.user,
err
);
}
db_user.databases = database_list
.map(|rows| {
rows.into_iter()
.map(|row| row.get::<String, _>("database"))
.map(|row| try_get_with_binary_fallback(&row, "database").unwrap())
.collect()
})
.unwrap_or_default();