Simplify the message about authentication: now the same message is used in all cases of failed authentication.

2024-11-22 07:31:57 +00:00 · 2020-02-28 22:53:18 +03:00 · 2020-02-28 22:53:18 +03:00 · 39d9c315d4
commit 39d9c315d4
parent 0f04ff0749
8 changed files with 24 additions and 46 deletions
--- a/dbms/src/Access/AccessRightsContext.cpp
+++ b/dbms/src/Access/AccessRightsContext.cpp
@ -186,20 +186,20 @@ void AccessRightsContext::setRolesInfo(const CurrentRolesInfoPtr & roles_info_)
 }


-void AccessRightsContext::checkPassword(const String & password) const
+bool AccessRightsContext::isCorrectPassword(const String & password) const
 {
    std::lock_guard lock{mutex};
    if (!user)
-        throw Exception(user_name + ": User has been dropped", ErrorCodes::UNKNOWN_USER);
-    user->authentication.checkPassword(password, user_name);
+        return false;
+    return user->authentication.isCorrectPassword(password);
 }

-void AccessRightsContext::checkHostIsAllowed() const
+bool AccessRightsContext::isClientHostAllowed() const
 {
    std::lock_guard lock{mutex};
    if (!user)
-        throw Exception(user_name + ": User has been dropped", ErrorCodes::UNKNOWN_USER);
-    user->allowed_client_hosts.checkContains(params.address, user_name);
+        return false;
+    return user->allowed_client_hosts.contains(params.address);
 }


--- a/dbms/src/Access/AccessRightsContext.h
+++ b/dbms/src/Access/AccessRightsContext.h
@ -60,8 +60,8 @@ public:
    UserPtr getUser() const;
    String getUserName() const;

-    void checkPassword(const String & password) const;
-    void checkHostIsAllowed() const;
+    bool isCorrectPassword(const String & password) const;
+    bool isClientHostAllowed() const;

    CurrentRolesInfoPtr getRolesInfo() const;
    std::vector<UUID> getCurrentRoles() const;
--- a/dbms/src/Access/AllowedClientHosts.cpp
+++ b/dbms/src/Access/AllowedClientHosts.cpp
@ -15,7 +15,6 @@ namespace DB
 namespace ErrorCodes
 {
    extern const int DNS_ERROR;
-    extern const int IP_ADDRESS_NOT_ALLOWED;
 }

 namespace
@ -367,16 +366,4 @@ bool AllowedClientHosts::contains(const IPAddress & client_address) const
    return false;
 }

-
-void AllowedClientHosts::checkContains(const IPAddress & address, const String & user_name) const
-{
-    if (!contains(address))
-    {
-        if (user_name.empty())
-            throw Exception("It's not allowed to connect from address " + address.toString(), ErrorCodes::IP_ADDRESS_NOT_ALLOWED);
-        else
-            throw Exception("User " + user_name + " is not allowed to connect from address " + address.toString(), ErrorCodes::IP_ADDRESS_NOT_ALLOWED);
-    }
-}
-
 }
--- a/dbms/src/Access/AllowedClientHosts.h
+++ b/dbms/src/Access/AllowedClientHosts.h
@ -111,10 +111,6 @@ public:
    /// Checks if the provided address is in the list. Returns false if not.
    bool contains(const IPAddress & address) const;

-    /// Checks if the provided address is in the list. Throws an exception if not.
-    /// `username` is only used for generating an error message if the address isn't in the list.
-    void checkContains(const IPAddress & address, const String & user_name = String()) const;
-
    friend bool operator ==(const AllowedClientHosts & lhs, const AllowedClientHosts & rhs);
    friend bool operator !=(const AllowedClientHosts & lhs, const AllowedClientHosts & rhs) { return !(lhs == rhs); }

--- a/dbms/src/Access/Authentication.cpp
+++ b/dbms/src/Access/Authentication.cpp
@ -9,8 +9,6 @@ namespace ErrorCodes
 {
    extern const int LOGICAL_ERROR;
    extern const int BAD_ARGUMENTS;
-    extern const int REQUIRED_PASSWORD;
-    extern const int WRONG_PASSWORD;
 }


@ -77,15 +75,4 @@ bool Authentication::isCorrectPassword(const String & password_) const
    throw Exception("Unknown authentication type: " + std::to_string(static_cast<int>(type)), ErrorCodes::LOGICAL_ERROR);
 }

-
-void Authentication::checkPassword(const String & password_, const String & user_name) const
-{
-    if (isCorrectPassword(password_))
-        return;
-    auto info_about_user_name = [&user_name]() { return user_name.empty() ? String() : " for user " + user_name; };
-    if (password_.empty() && (type != NO_PASSWORD))
-        throw Exception("Password required" + info_about_user_name(), ErrorCodes::REQUIRED_PASSWORD);
-    throw Exception("Wrong password" + info_about_user_name(), ErrorCodes::WRONG_PASSWORD);
-}
-
 }
--- a/dbms/src/Access/Authentication.h
+++ b/dbms/src/Access/Authentication.h
@ -70,10 +70,6 @@ public:
    /// Checks if the provided password is correct. Returns false if not.
    bool isCorrectPassword(const String & password) const;

-    /// Checks if the provided password is correct. Throws an exception if not.
-    /// `user_name` is only used for generating an error message if the password is incorrect.
-    void checkPassword(const String & password, const String & user_name = String()) const;
-
    friend bool operator ==(const Authentication & lhs, const Authentication & rhs) { return (lhs.type == rhs.type) && (lhs.password_hash == rhs.password_hash); }
    friend bool operator !=(const Authentication & lhs, const Authentication & rhs) { return !(lhs == rhs); }

--- a/dbms/src/Common/ErrorCodes.cpp
+++ b/dbms/src/Common/ErrorCodes.cpp
@ -487,6 +487,7 @@ namespace ErrorCodes
    extern const int UNKNOWN_PART_TYPE = 513;
    extern const int ACCESS_STORAGE_FOR_INSERTION_NOT_FOUND = 514;
    extern const int INCORRECT_ACCESS_ENTITY_DEFINITION = 515;
+    extern const int AUTHENTICATION_FAILED = 516;

    extern const int KEEPER_EXCEPTION = 999;
    extern const int POCO_EXCEPTION = 1000;
--- a/dbms/src/Interpreters/Context.cpp
+++ b/dbms/src/Interpreters/Context.cpp
@ -92,6 +92,7 @@ namespace ErrorCodes
    extern const int SESSION_IS_LOCKED;
    extern const int LOGICAL_ERROR;
    extern const int UNKNOWN_SCALAR;
+    extern const int AUTHENTICATION_FAILED;
 }


@ -646,10 +647,20 @@ void Context::setUser(const String & name, const String & password, const Poco::
    if (!quota_key.empty())
        client_info.quota_key = quota_key;

-    auto new_user_id = getAccessControlManager().getID<User>(name);
-    auto new_access_rights = getAccessControlManager().getAccessRightsContext(new_user_id, {}, true, settings, current_database, client_info);
-    new_access_rights->checkHostIsAllowed();
-    new_access_rights->checkPassword(password);
+    auto new_user_id = getAccessControlManager().find<User>(name);
+    AccessRightsContextPtr new_access_rights;
+    if (new_user_id)
+    {
+        new_access_rights = getAccessControlManager().getAccessRightsContext(*new_user_id, {}, true, settings, current_database, client_info);
+        if (!new_access_rights->isClientHostAllowed() || !new_access_rights->isCorrectPassword(password))
+        {
+            new_user_id = {};
+            new_access_rights = nullptr;
+        }
+    }
+
+    if (!new_user_id || !new_access_rights)
+        throw Exception(name + ": Authentication failed: password is incorrect or there is no user with such name", ErrorCodes::AUTHENTICATION_FAILED);

    user_id = new_user_id;
    access_rights = std::move(new_access_rights);