Provide ability to see in the trace log events related to missing security context #7165

Closed
pavel-zotov opened this issue Apr 4, 2022 · 3 comments

Comments

@pavel-zotov

The following attach attempt:

set ISC_PASSWORD=
echo quit; | C:\path\to\FB4x\isql.exe localhost:employee -q
Statement failed, SQLSTATE = 28000
Missing security context for employee

-- will not be logged in the trace.
It would be good to see such attempts.

@AlexPeshkoff AlexPeshkoff self-assigned this Apr 4, 2022
@AlexPeshkoff
Member

With the suggested command I get (as expected):
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

@pavel-zotov
Author

C:\FB\40SS>echo %ISC_USER% / %ISC_PASSWORD%
SYSDBA / masterkey

C:\FB\40SS>echo quit; | C:\FB\40SS\isql.exe localhost:employee -q -z
ISQL Version: WI-V4.0.2.2776 Firebird 4.0
Server version:
WI-V4.0.2.2776 Firebird 4.0
WI-V4.0.2.2776 Firebird 4.0/tcp (Image-PC1)/P17:C
WI-V4.0.2.2776 Firebird 4.0/tcp (Image-PC1)/P17:C
Database: localhost:employee, User: SYSDBA
SQL>
C:\FB\40SS>set ISC_PASSWORD=t0t@lly_wr0ng

C:\FB\40SS>echo quit; | C:\FB\40SS\isql.exe localhost:employee -q -z
ISQL Version: WI-V4.0.2.2776 Firebird 4.0
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
SQL>
C:\FB\40SS>set ISC_PASSWORD=masterkey

C:\FB\40SS>set ISC_USER=

C:\FB\40SS>echo quit; | C:\FB\40SS\isql.exe localhost:employee -q -z
ISQL Version: WI-V4.0.2.2776 Firebird 4.0
Statement failed, SQLSTATE = 28000
Missing security context for employee
SQL>
C:\FB\40SS>

PS.
When the variable ISC_USER exists and ISC_PASSWORD is invalid, the trace will show some activity, but nothing about the problem with establishing the attachment:

Trace session ID 1 started
2022-06-14T18:08:59.7370 (8340:00000000065204C0) DETACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_19, SYSDBA:NONE, NONE, <internal>)

2022-06-14T18:09:31.9580 (8340:00000000065204C0) ATTACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_22, SYSDBA:NONE, NONE, <internal>)

2022-06-14T18:09:31.9610 (8340:00000000065204C0) EXECUTE_STATEMENT_FINISH
        C:\FB\40SS\SECURITY4.FDB (ATT_22, SYSDBA:NONE, NONE, <internal>)
                (TRA_46, READ_COMMITTED | REC_VERSION | WAIT | READ_ONLY)

Statement 74:
-------------------------------------------------------------------------------
SELECT PLG$VERIFIER, PLG$SALT FROM PLG$SRP WHERE PLG$USER_NAME = ? AND PLG$ACTIVE

param0 = varchar(252), "SYSDBA"

0 records fetched
      0 ms, 2 read(s), 1 write(s), 4 fetch(es)

2022-06-14T18:09:31.9820 (8340:00000000065204C0) EXECUTE_STATEMENT_FINISH
        C:\FB\40SS\SECURITY4.FDB (ATT_22, SYSDBA:NONE, NONE, <internal>)
                (TRA_46, READ_COMMITTED | REC_VERSION | WAIT | READ_ONLY)

Statement 74:
-------------------------------------------------------------------------------
SELECT PLG$VERIFIER, PLG$SALT FROM PLG$SRP WHERE PLG$USER_NAME = ? AND PLG$ACTIVE

param0 = varchar(252), "SYSDBA"

0 records fetched
      0 ms, 3 fetch(es)

2022-06-14T18:09:32.0130 (8340:0000000006520AC0) ATTACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_23, SYSDBA:NONE, NONE, <internal>)

2022-06-14T18:09:41.9830 (8340:00000000065204C0) DETACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_22, SYSDBA:NONE, NONE, <internal>)

2022-06-14T18:09:42.0160 (8340:0000000006520AC0) DETACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_23, SYSDBA:NONE, NONE, <internal>)

But when ISC_USER is undefined (i.e. if we run: "SET ISC_USER="), the trace will not show anything.
Checked on fresh FB 4.x and 5.x snapshots, Windows 10.

AlexPeshkoff added a commit that referenced this issue Jun 15, 2022
AlexPeshkoff added a commit that referenced this issue Jun 16, 2022
…see in the trace log events related to missing security context
AlexPeshkoff added a commit that referenced this issue Jun 20, 2022
…ated to missing security context; fixed deadlock in CS found with regular tests run
@AlexPeshkoff
Member

This improvement makes it possible to get information not only about "missing security context", but also about all other attach/create errors that happen after entering the engine provider. There is one important restriction - to see those events the user must have the TRACE_ANY_ATTACHMENT privilege. One may be surprised - why can't I see my own failed attachment? The answer is simple - before successful validation of the security context the engine does not know for sure who is trying to attach. Therefore, for security reasons, attach errors are not shown to non-privileged users.
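For anyone monitoring the trace output for these events, the following is an added example, not part of the thread and not Firebird project code: a small parser for the event layout shown in the trace above that picks out attach/create events which did not succeed. It assumes unsuccessful events carry a `FAILED` or `UNAUTHORIZED` prefix before the event name; the failed-attach record in the sample, including its path, `ATT_0`, `<unknown>` user and client address, is constructed for illustration.

```python
import re

# Event header: timestamp, (pid:handle), optional result prefix, event name.
# Assumption: unsuccessful events are prefixed with FAILED or UNAUTHORIZED.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+) \((?P<pid>\d+):(?P<handle>[0-9A-Fa-f]+)\) "
    r"(?:(?P<result>FAILED|UNAUTHORIZED) )?(?P<event>[A-Z_]+)\s*$"
)
# Attachment line: database path, then (ATT_n, user:role, charset, protocol).
ATTACH = re.compile(
    r"^\s+(?P<db>.+?) \(ATT_(?P<att>\d+), (?P<user>[^:,]*):(?P<role>[^,]*), "
    r"(?P<charset>[^,]*), (?P<proto>[^)]*)\)\s*$"
)

def parse_trace(text):
    """Return one dict per trace event that is followed by an attachment line."""
    events, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        head = HEADER.match(line)
        att = ATTACH.match(lines[i + 1]) if head else None
        if att:
            events.append({**head.groupdict(), **att.groupdict()})
    return events

def failed_attaches(events):
    """Attach/create events whose result prefix marks them as unsuccessful."""
    return [e for e in events
            if e["result"] and e["event"] in ("ATTACH_DATABASE", "CREATE_DATABASE")]

# First and last records are copied from the trace in this issue; the middle
# (FAILED) record is constructed sample data with a placeholder path.
SAMPLE = r"""
2022-06-14T18:09:31.9580 (8340:00000000065204C0) ATTACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_22, SYSDBA:NONE, NONE, <internal>)

2022-06-14T18:09:32.1000 (8340:0000000006520AC0) FAILED ATTACH_DATABASE
        C:\path\to\EMPLOYEE.FDB (ATT_0, <unknown>:NONE, NONE, TCPv4:127.0.0.1/51234)

2022-06-14T18:09:41.9830 (8340:00000000065204C0) DETACH_DATABASE
        C:\FB\40SS\SECURITY4.FDB (ATT_22, SYSDBA:NONE, NONE, <internal>)
"""

if __name__ == "__main__":
    for e in failed_attaches(parse_trace(SAMPLE)):
        print(e["ts"], e["result"], e["event"], e["db"], e["proto"])
```

The trace session feeding this parser has to be started by a user with TRACE_ANY_ATTACHMENT, as described above; otherwise the failed-attach records are never written.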
