WL#15524 Patch #5 Command authorization in MGM server

Part of WL#15524 Secure NDB Management Protocol using TLS

Run an authorization check prior to every MGM command on the server
side. The authorization check takes three inputs: a current user
auth level associated with the session, a per-command auth level,
and a per-server auth level. It returns an integer result code.

This is implemented for the whole API by providing a specialization of
Parser<T>::run() for MgmApiSession as T. The specialized method
adds a call to the authorization check before running whatever function
is registered to handle the current command.

Per-command auth flags are stored as a ParserRow user_value. The
per-session auth level is stored in MgmApiSession, and the per-server
auth flags are in MgmtSrvr.

Some unused macros are removed; the grammar does not make any use of
aliases, so the new parser routine does not support them.

Change-Id: Id8f35693ee67f559a5e30ec6005d62473f4e8492

Author: jdduncan

storage/ndb/src/mgmsrv/MgmAuth.hpp

@@ -0,0 +1,61 @@
+/*
+   Copyright (c) 2023, Oracle and/or its affiliates.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License, version 2.0,
+   as published by the Free Software Foundation.
+
+   This program is also distributed with certain software (including
+   but not limited to OpenSSL) that is licensed under separate terms,
+   as designated in a particular file or component or in included license
+   documentation.  The authors of MySQL hereby grant you an additional
+   permission to link the program and your derivative works with the
+   separately licensed software that they have included with MySQL.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License, version 2.0, for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+*/
+
+#ifndef MGM_AUTH_HPP
+#define MGM_AUTH_HPP
+
+class MgmAuth {
+public:
+
+  typedef unsigned short level;
+
+  enum {
+    serverRequiresTls = 0x001,  // Server requires TLS past bootstrap stage
+    clientHasTls      = 0x010,  // Client session is using TLS
+    clientHasCert     = 0x020,  // Client session is authenticated via cert
+    cmdIsBootstrap    = 0x100,  // Command is used to bootstrap a client
+  };
+
+  enum result {
+    Ok,
+    ServerRequiresTls,
+    END_ERRORS
+  };
+
+  static int checkAuth(int cmdAuthLevel, int serverOpt, int sessionAuthLevel);
+
+  static const char * message(int code) {
+    if(code >= 0 && code < result::END_ERRORS) return _message[code];
+    return "(MgmAuth unexpected error code)";
+  }
+
+private:
+  static constexpr const char * _message[result::END_ERRORS] =
+  {
+    "(no error)",
+    "Requires TLS",
+  };
+};
+
+#endif