From 8a2e6d6c59f85292cdf6fa3631aa35fbe131a644 Mon Sep 17 00:00:00 2001
From: alexpeshkoff <alexpeshkoff@users.sourceforge.net>
Date: Sun, 19 Dec 2004 15:24:59 +0000
Subject: [PATCH] Better way for server to authenticate itself in security
 database.

---
 src/dbs/security.sql |  6 ++----
 src/jrd/jrd.cpp      | 30 ++++++++++++++++++------------
 src/jrd/jrd_proto.h  |  1 +
 src/jrd/pwd.cpp      | 12 +++++++-----
 src/jrd/scl.epp      | 11 ++++++++---
 src/jrd/scl_proto.h  |  2 +-
 6 files changed, 37 insertions(+), 25 deletions(-)

diff --git a/src/dbs/security.sql b/src/dbs/security.sql
index 241b9936e4..124c55759d 100644
--- a/src/dbs/security.sql
+++ b/src/dbs/security.sql
@@ -47,8 +47,7 @@ CREATE TABLE USERS_BG (USER_NAME USER_NAME,
 	COMMENT 	COMMENT,
 	FIRST_NAME 	NAME_PART,
 	MIDDLE_NAME	NAME_PART,
-	LAST_NAME	NAME_PART,
-	FULL_NAME COMPUTED BY  (first_name || _UNICODE_FSS ' ' || middle_name || _UNICODE_FSS ' ' || last_name ));
+	LAST_NAME	NAME_PART);
 
 COMMIT;
 
@@ -62,8 +61,7 @@ CREATE VIEW USERS (USER_NAME, SYS_USER_NAME, GROUP_NAME, UID, GID, PASSWD,
 		PRIVILEGE, COMMENT, FIRST_NAME, MIDDLE_NAME, LAST_NAME, 
 		first_name || _UNICODE_FSS ' ' || middle_name || _UNICODE_FSS ' ' || last_name
 	FROM USERS_BG
-	WHERE CURRENT_USER = 'authenticator'
-	   OR CURRENT_USER = 'SYSDBA'
+	WHERE CURRENT_USER = 'SYSDBA'
 	   OR CURRENT_USER = USERS_BG.USER_NAME;
 
 /*	Access rights */
diff --git a/src/jrd/jrd.cpp b/src/jrd/jrd.cpp
index 9905d26023..74a63133d7 100644
--- a/src/jrd/jrd.cpp
+++ b/src/jrd/jrd.cpp
@@ -527,6 +527,22 @@ void	JRD_thread_security_disable(bool disable)
 }
 
 
+bool	JRD_get_thread_security_disabled()
+{
+/**************************************
+ *
+ *	J R D _ g e t _ t h r e a d _ s e c u r i t y _ d i s a b l e d
+ *
+ **************************************
+ *
+ * Functional description
+ *	Don't run internal handles thru the security gauntlet.
+ *
+ **************************************/
+	return TLS_GET(thread_security_disabled);
+}
+
+
 void JRD_print_pools(const char* filename) {
 	FILE *out = fopen(filename, "w");
 	ALL_print_memory_pool_info(out, databases);
@@ -930,18 +946,13 @@ ISC_STATUS GDS_ATTACH_DATABASE(ISC_STATUS*	user_status,
 
 	options.dpb_sql_dialect = 0;
 
-	// Don't run internal handles thru the security gauntlet.
-
-	const bool internal = TLS_GET(thread_security_disabled);
-
 	SCL_init(false,
 			 options.dpb_sys_user_name.nullStr(),
 			 options.dpb_user_name.nullStr(),
 			 options.dpb_password.nullStr(),
 			 options.dpb_password_enc.nullStr(),
 			 options.dpb_role_name.nullStr(),
-			 tdbb,
-			 internal);
+			 tdbb);
 
 #if defined(V4_THREADING) && !defined(SUPERSERVER) 
 	initing_security = false;
@@ -1878,18 +1889,13 @@ ISC_STATUS GDS_CREATE_DATABASE(ISC_STATUS*	user_status,
 	initing_security = true;
 #endif
 
-	// Don't run internal handles thru the security gauntlet.
-
-	const bool internal = TLS_GET(thread_security_disabled);
-
 	SCL_init(true,
 			 options.dpb_sys_user_name.nullStr(),
 			 options.dpb_user_name.nullStr(),
 			 options.dpb_password.nullStr(),
 			 options.dpb_password_enc.nullStr(),
 			 options.dpb_role_name.nullStr(),
-			 tdbb,
-			 internal);
+			 tdbb);
 
 #if defined(V4_THREADING) && !defined(SUPERSERVER) 
 	initing_security = false;
diff --git a/src/jrd/jrd_proto.h b/src/jrd/jrd_proto.h
index ad0e78a05d..a5e2d2c8b4 100644
--- a/src/jrd/jrd_proto.h
+++ b/src/jrd/jrd_proto.h
@@ -160,6 +160,7 @@ void	JRD_unblock(Jrd::BlockingThread**);
 void	JRD_wlck_lock(struct mutx_t *);
 void	JRD_wlck_unlock(struct mutx_t *);
 void	JRD_thread_security_disable(bool disable);
+bool	JRD_get_thread_security_disabled();
 
 // Call this function from the debugger if desired
 void	JRD_print_pools(const char* filename);
diff --git a/src/jrd/pwd.cpp b/src/jrd/pwd.cpp
index e7e7d5385a..cf987c23e2 100644
--- a/src/jrd/pwd.cpp
+++ b/src/jrd/pwd.cpp
@@ -53,7 +53,7 @@ const bool SecurityDatabase::is_cached = false;
 
 // BLR to search database for user name record
 
-const UCHAR SecurityDatabase::PWD_REQUEST[256] = {
+const UCHAR SecurityDatabase::PWD_REQUEST[] = {
 	blr_version5,
 	blr_begin,
 	blr_message, 1, 4, 0,
@@ -67,7 +67,7 @@ const UCHAR SecurityDatabase::PWD_REQUEST[256] = {
 	blr_begin,
 	blr_for,
 	blr_rse, 1,
-	blr_relation, 5, 'U', 'S', 'E', 'R', 'S', 0,
+	blr_relation, 8, 'U', 'S', 'E', 'R', 'S', '_', 'B', 'G', 0,
 	blr_first,
 	blr_literal, blr_short, 0, 1, 0,
 	blr_boolean,
@@ -275,7 +275,9 @@ bool SecurityDatabase::lookup_user(TEXT * user_name, int *uid, int *gid, TEXT *
 	{
 		if (lookup_db)
 		{
-			isc_detach_database(status, &lookup_db);
+			isc_db_handle tmp = lookup_db;
+			lookup_db = 0;
+			isc_detach_database(status, &tmp);
 		}
 		THREAD_ENTER();
 		ERR_post(isc_psw_attach, 0);
@@ -362,11 +364,11 @@ bool SecurityDatabase::prepare()
 		dpb.getBufferLength(), 
 		reinterpret_cast<const char*>(dpb.getBuffer()));
 	
-	JRD_thread_security_disable(false);
-
 	isc_compile_request(status, &lookup_db, &lookup_req, sizeof(PWD_REQUEST),
 						reinterpret_cast<const char*>(PWD_REQUEST));
 
+	JRD_thread_security_disable(false);
+
 	if (status[1])
 	{
 		return false;
diff --git a/src/jrd/scl.epp b/src/jrd/scl.epp
index 4e8a6531d2..5309d87059 100644
--- a/src/jrd/scl.epp
+++ b/src/jrd/scl.epp
@@ -153,6 +153,12 @@ void SCL_check_access(const SecurityClass* s_class,
 				 0);
 	}
 
+	// Don't run internal handles thru the security gauntlet.
+	if (JRD_get_thread_security_disabled())
+	{
+		return;
+	}
+
 	Attachment* attachment = tdbb->tdbb_attachment;
 
 	const SecurityClass* att_class = attachment->att_security_class;
@@ -567,8 +573,7 @@ void SCL_init(bool create,
 			  const TEXT* password,
 			  const TEXT* password_enc,
 			  const TEXT* sql_role,
-			  thread_db* tdbb,
-			  const bool internal)
+			  thread_db* tdbb)
 {
 /**************************************
  *
@@ -622,7 +627,7 @@ void SCL_init(bool create,
 			ERR_post(isc_login, 0);
 		}
 
-		if (!internal)
+		if (!JRD_get_thread_security_disabled())
 		{
 			SecurityDatabase::verifyUser(name, user_name, password, password_enc,
 										 &id, &group, &node_id);
diff --git a/src/jrd/scl_proto.h b/src/jrd/scl_proto.h
index 645820ce7e..e465422f3e 100644
--- a/src/jrd/scl_proto.h
+++ b/src/jrd/scl_proto.h
@@ -41,7 +41,7 @@ void SCL_check_relation(const dsc*, Jrd::SecurityClass::flags_t);
 Jrd::SecurityClass* SCL_get_class(const TEXT*);
 Jrd::SecurityClass::flags_t SCL_get_mask(const TEXT*, const TEXT*);
 void SCL_init(bool, const TEXT*, const TEXT*, const TEXT*, const TEXT*,
-	const TEXT*, Jrd::thread_db*, const bool);
+	const TEXT*, Jrd::thread_db*);
 void SCL_move_priv(UCHAR**, Jrd::SecurityClass::flags_t, UCharBuffer&, ULONG*);
 Jrd::SecurityClass* SCL_recompute_class(Jrd::thread_db*, const TEXT*);
 void SCL_release(Jrd::SecurityClass*);