Misc.

2025-01-22 18:43:02 +01:00 · 2007-04-15 11:25:23 +00:00 · 2007-04-15 11:25:23 +00:00 · 422d659fcb
commit 422d659fcb
parent d91d57049d
5 changed files with 80 additions and 63 deletions
--- a/doc/README.trusted_authentication
+++ b/doc/README.trusted_authentication
@ -1,6 +1,11 @@
 		New way to authenticate users in firebird 2.1.

-	Firebird starting with version 2.1 can use windows security for user authentication. Current security context is passed to the server and if it's OK for that server is used to determine firebird user name. To use windows trusted authentication, do not put user and password parameters in DPB/SPB. This will automatically lead to use of trusted authentication in almost all cases (see environment below for exceptions). Suppose you have logged to the windows server SRV as user John. If you connect to server SRV with isql, not specifying firebird login and password:
+	Firebird starting with version 2.1 can use Windows security for user authentication.
+Current security context is passed to the server and if it's OK for that server is used to determine
+firebird user name. To use Windows trusted authentication, do not put user and password parameters
+in DPB/SPB. This will automatically lead to use of trusted authentication in almost all cases (see
+environment below for exceptions). Suppose you have logged to the Windows server SRV as user John.
+If you connect to server SRV with isql, not specifying Firebird login and password:

 isql srv:employee

@ -11,16 +16,30 @@ select CURRENT_USER from rdb$database;
 you will get something like:

 USER
-===============================================================================
+====================================================
 SRV\John

-Windows users may be granted rights to access database objects and roles in the same way as traditional firebird users. (This is not something new - in UNIX OS users might be granted rights virtually always).
+Windows users may be granted rights to access database objects and roles in the same way as
+traditional Firebird users. (This is not something new - in UNIX OS users might be granted rights
+virtually always).

-	If member of Domain Admins builtin group connects to firebird using trusted authentication, he will be connected as SYSDBA.
+- If member of Domain Admins builtin group connects to Firebird using trusted authentication,
+he/she will be connected as SYSDBA.

-	New parameter is added to firebird.conf - it is used to select available authentication method. Parameter is called Authentication and may have values Native, Trusted and Mixed. Default is mixed authentication. Using native method you get full compatibility with previous firebird versions, avoiding trusted authentication. In trusted-only case security database is ignored and only windows authentication is used (in some aspects this is the most secure way, i.e. it is exactly as secure as host OS). 
+- New parameter is added to firebird.conf - it is used to select available authentication method.
+Parameter is called Authentication and may have values Native, Trusted and Mixed. Default is
+mixed authentication. Using native method you get full compatibility with previous Firebird versions,
+avoiding trusted authentication. In trusted-only case security database is ignored and only Windows
+authentication is used (in some aspects this is the most secure way, i.e. it is exactly as secure as
+host OS). 

-	To keep legacy behavior when ISC_USER/ISC_PASSWORD variables are set in environment, they are picked and used instead of trusted authentication. In case when trusted authentication is needed when ISC_USER/ISC_PASSWORD are set, add new DPB parameter isc_dpb_trusted_auth to DPB. In most of firebird command line utilities switch -trusted (may be abbreviated up to utility rules) is used for it. Exceptions for today are qli (it uses single-letter switches, switch of interest is -K) and nbackup (also has single-letter switches, force of trusted authentication over environment is not implemented yet). Example:
+- To keep legacy behavior when ISC_USER/ISC_PASSWORD variables are set in environment, they
+are picked and used instead of trusted authentication. In case when trusted authentication is needed
+and ISC_USER/ISC_PASSWORD are set, add new DPB parameter isc_dpb_trusted_auth to DPB. In most
+of Firebird command line utilities switch -trusted (may be abbreviated up to utility rules) is used
+for it. Exceptions for today are qli (it uses single-letter switches, switch of interest is -K) and
+nbackup (also has single-letter switches, force of trusted authentication over environment is
+not implemented yet). Example:

 isql srv:db                -- log using trusted authentication
 set ISC_USER=user1
@ -28,4 +47,4 @@ set ISC_PASSWORD=12345
 isql srv:db                -- log as 'user1' from environment
 isql -trust srv:db         -- log using trusted authentication

-				Author: Alex Peshkov, peshkoff@mail.ru
+				Author: Alex Peshkov, <peshkoff at mail.ru>
--- a/src/dsql/gen.cpp
+++ b/src/dsql/gen.cpp
@ -2724,7 +2724,7 @@ static void gen_sys_function(dsql_req* request, const dsql_nod* node)
 	stuff_cstring(request, ((dsql_str*) node->nod_arg[e_sysfunc_name])->str_data);

 	const dsql_nod* list;
-	if ((node->nod_count == 2) && (list = node->nod_arg[e_sysfunc_args]))
+	if ((node->nod_count == e_sysfunc_args + 1) && (list = node->nod_arg[e_sysfunc_args]))
 	{
 		stuff(request, list->nod_count);
 		dsql_nod* const* ptr = list->nod_arg;
--- a/src/dsql/pass1.cpp
+++ b/src/dsql/pass1.cpp
@ -26,8 +26,6 @@
 *       "insert into tbl values(...)" sentence is issued.
 *
 * 2001.5.26: Claudio Valderrama: field names should be skimmed from trailing
- *
- * 2001.5.26: Claudio Valderrama: field names should be skimmed from trailing
 *		blanks to allow reliable comparisons in pass1_field. Same for table and
 *		and index names in plans.
 *
--- a/src/jrd/Collation.cpp
+++ b/src/jrd/Collation.cpp
@ -112,15 +112,16 @@ namespace {

 #define SLEUTH_insensitive	1

-static const UCHAR special[128] = {
+static const UCHAR special[128] =
+{
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0,	/* $%*+- (dollar, percent, star, plus, minus) */
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,	/* ?     (question) */
-	1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,	/* @     (at-sign) */
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,	/* [     (open square) */
+	0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0,	// $%*+- (dollar, percent, star, plus, minus)
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,	// ?     (question)
+	1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,	// @     (at-sign)
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,	// [     (open square)
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0,	/* ~     (tilde) */
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0	// ~     (tilde)
 };

 template <class MATCHESTYPE>
@ -321,7 +322,7 @@ ULONG SLEUTH_MERGE_NAME(Jrd::thread_db* tdbb_dummy, Jrd::TextType* obj,
 		   quote it. */

 		else {
-			if ((((size_t) c) < sizeof(special)) && special[c] &&
+			if ((((size_t) c) < FB_NELEM(special)) && special[c] &&
 				comb > combined && comb[-1] != *(SLEUTHTYPE*)obj->getGdmlQuoteCanonic())
 			{
 				*comb++ = *(SLEUTHTYPE*)obj->getGdmlQuoteCanonic();
@ -370,7 +371,7 @@ static bool SLEUTH_AUX(
 	while (match < end_match) {
 		SLEUTHTYPE c = *match++;
 		if ((c == *(SLEUTHTYPE*)obj->getGdmlQuoteCanonic() && (c = *match++)) ||
-			((((size_t) c) < sizeof(special)) && !special[c]))
+			((((size_t) c) < FB_NELEM(special)) && !special[c]))
 		{
 			if (match >= end_match || *match != *(SLEUTHTYPE*)obj->getGdmlMatchAnyCanonic()) {
 				if (search >= end_search)
@ -382,79 +383,82 @@ static bool SLEUTH_AUX(
 			else {
 				++match;
 				for (;;)
-					if (SLEUTH_AUX
-						(obj, flags, search, end_search, match, end_match))
-					{
+				{
+					if (SLEUTH_AUX(obj, flags, search, end_search, match, end_match))
 						return true;
-					}
-					else if (search < end_search) {
+						
+					if (search < end_search)
+					{
 						const SLEUTHTYPE d = *search++;
 						if (c != d)
 							return false;
 					}
 					else
 						return false;
+				}
 			}
 		}
 		else if (c == *(SLEUTHTYPE*)obj->getGdmlMatchOneCanonic())
-			if (match >= end_match || *match != *(SLEUTHTYPE*)obj->getGdmlMatchAnyCanonic()) {
+		{
+			if (match >= end_match || *match != *(SLEUTHTYPE*)obj->getGdmlMatchAnyCanonic())
+			{
 				if (search >= end_search)
 					return false;
+					
 				search++;
 			}
 			else {
 				if (++match >= end_match)
 					return true;
+					
 				for (;;)
-					if (SLEUTH_AUX
-						(obj, flags, search, end_search, match,
-						 end_match))
-					{
+				{
+					if (SLEUTH_AUX(obj, flags, search, end_search, match, end_match))
 						return true;
-					}
-					else if (++search >= end_search)
+						
+					if (++search >= end_search)
 						return false;
+				}
 			}
-		else if (c == *(SLEUTHTYPE*)obj->getGdmlClassStartCanonic()) {
+		}
+		else if (c == *(SLEUTHTYPE*)obj->getGdmlClassStartCanonic())
+		{
 			const SLEUTHTYPE* const char_class = match;
 			while (*match++ != *(SLEUTHTYPE*)obj->getGdmlClassEndCanonic()) {
 				if (match >= end_match)
 					return false;
 			}
 			const SLEUTHTYPE* const end_class = match - 1;
-			if (match >= end_match || *match != *(SLEUTHTYPE*)obj->getGdmlMatchAnyCanonic()) {
-				if (!SLEUTH_CLASS_NAME
-					(obj, flags, char_class, end_class, *search++))
-				{
+			if (match >= end_match || *match != *(SLEUTHTYPE*)obj->getGdmlMatchAnyCanonic())
+			{
+				if (!SLEUTH_CLASS_NAME(obj, flags, char_class, end_class, *search++))
 					return false;
-				}
 			}
 			else {
 				++match;
 				for (;;)
-					if (SLEUTH_AUX
-						(obj, flags, search, end_search, match,
-						 end_match))
-					{
+				{
+					if (SLEUTH_AUX(obj, flags, search, end_search, match, end_match))
 						return true;
-					}
-					else if (search < end_search) {
-						if (!SLEUTH_CLASS_NAME
-							(obj, flags, char_class, end_class, *search++))
-						{
+						
+					if (search < end_search)
+					{
+						if (!SLEUTH_CLASS_NAME(obj, flags, char_class, end_class, *search++))
 							return false;
-						}
 					}
 					else
 						return false;
+				}
 			}
 		}
-		else if (c == *(SLEUTHTYPE*)obj->getGdmlFlagSetCanonic()) {
+		else if (c == *(SLEUTHTYPE*)obj->getGdmlFlagSetCanonic())
+		{
 			c = *match++;
 			if (c == *(SLEUTHTYPE*)obj->getGdmlLowerSCanonic() || c == *(SLEUTHTYPE*)obj->getGdmlUpperSCanonic())
 				flags &= ~SLEUTH_insensitive;
 		}
-		else if (c == *(SLEUTHTYPE*)obj->getGdmlFlagClearCanonic()) {
+		else if (c == *(SLEUTHTYPE*)obj->getGdmlFlagClearCanonic())
+		{
 			c = *match++;
 			if (c == *(SLEUTHTYPE*)obj->getGdmlLowerSCanonic() || c == *(SLEUTHTYPE*)obj->getGdmlUpperSCanonic())
 				flags |= SLEUTH_insensitive;
@ -816,11 +820,9 @@ Collation* Collation::createInstance(MemoryPool& pool, TTYPE_ID id, texttype* tt
 				return FB_NEW(pool) CollationImpl<uchar_contains_direct, uchar_like_canonical,
 					uchar_matches_canonical, uchar_sleuth_canonical>(id, tt, cs);
 			}
-			else
-			{
-				return FB_NEW(pool) CollationImpl<uchar_contains_canonical, uchar_like_canonical,
-					uchar_matches_canonical, uchar_sleuth_canonical>(id, tt, cs);
-			}
+
+			return FB_NEW(pool) CollationImpl<uchar_contains_canonical, uchar_like_canonical,
+				uchar_matches_canonical, uchar_sleuth_canonical>(id, tt, cs);
 			break;

 		case 2:
@ -829,11 +831,9 @@ Collation* Collation::createInstance(MemoryPool& pool, TTYPE_ID id, texttype* tt
 				return FB_NEW(pool) CollationImpl<uchar_contains_direct, ushort_like_canonical,
 					ushort_matches_canonical, ushort_sleuth_canonical>(id, tt, cs);
 			}
-			else
-			{
-				return FB_NEW(pool) CollationImpl<ushort_contains_canonical, ushort_like_canonical,
-					ushort_matches_canonical, ushort_sleuth_canonical>(id, tt, cs);
-			}
+
+			return FB_NEW(pool) CollationImpl<ushort_contains_canonical, ushort_like_canonical,
+				ushort_matches_canonical, ushort_sleuth_canonical>(id, tt, cs);
 			break;

 		case 4:
@ -842,11 +842,9 @@ Collation* Collation::createInstance(MemoryPool& pool, TTYPE_ID id, texttype* tt
 				return FB_NEW(pool) CollationImpl<uchar_contains_direct, ulong_like_canonical,
 					ulong_matches_canonical, ulong_sleuth_canonical>(id, tt, cs);
 			}
-			else
-			{
-				return FB_NEW(pool) CollationImpl<ulong_contains_canonical, ulong_like_canonical,
-					ulong_matches_canonical, ulong_sleuth_canonical>(id, tt, cs);
-			}
+
+			return FB_NEW(pool) CollationImpl<ulong_contains_canonical, ulong_like_canonical,
+				ulong_matches_canonical, ulong_sleuth_canonical>(id, tt, cs);
 			break;
 	}

--- a/src/misc/blrtable.cpp
+++ b/src/misc/blrtable.cpp
@ -193,6 +193,7 @@ static const VERB verbs[] =
 	PAIR(nod_navigational, blr_navigational, 1, 1, ACCESS_TYPE, VALUE),
 	PAIR(nod_indices, blr_indices, 1, 0, ACCESS_TYPE, VALUE),
 	PAIR(nod_retrieve, blr_retrieve, 2, 0, ACCESS_TYPE, VALUE),
+
 	PAIR(nod_relation, blr_relation2, 0, 0, RELATION, OTHER),
 	PAIR(nod_relation, blr_rid2, 0, 0, RELATION, OTHER),
 	PAIR2(nod_set_generator, blr_set_generator, e_gen_length, 1, STATEMENT, VALUE),
@ -209,6 +210,7 @@ static const VERB verbs[] =
 	PAIR(nod_current_time, blr_current_time2, e_current_time_length, 0, VALUE, OTHER),
 	PAIR(nod_current_timestamp, blr_current_timestamp, e_current_timestamp_length, 0, VALUE, OTHER),
 	PAIR(nod_current_timestamp, blr_current_timestamp2, e_current_timestamp_length, 0, VALUE, OTHER),
+
 	PAIR(nod_current_role, blr_current_role, 1, 0, VALUE, VALUE),
 	PAIR(nod_dcl_cursor, blr_dcl_cursor, e_dcl_cursor_length, 2, STATEMENT, OTHER),
 	PAIR(nod_cursor_stmt, blr_cursor_stmt, e_cursor_stmt_length, 0, STATEMENT, OTHER),