WL14667: Support for Multi Factor authentication (c-ext)

This worklog make it possible to connect to MySQL accounts that use
multiple authentication factors.
It adds connection options to specify passwords for the 2nd and 3rd
factor.

This feature is only available when the C extension is enabled.

Author: nmariz

lib/mysql/connector/abstracts.py

@@ -92,6 +92,9 @@ def __init__(self, **kwargs):
 
         self._user = ''
         self._password = ''
+        self._password1 = ''
+        self._password2 = ''
+        self._password3 = ''
         self._database = ''
         self._host = '127.0.0.1'
         self._port = 3306
@@ -1239,7 +1242,7 @@ def cmd_ping(self):
         raise NotImplementedError
 
     def cmd_change_user(self, username='', password='', database='',
-                        charset=45):
+                        charset=45, password1='', password2='', password3=''):
         """Change the current logged in user"""
         raise NotImplementedError
 

lib/mysql/connector/connection.py

@@ -403,6 +403,11 @@ def _open_connection(self):
 
         Raises on errors.
         """
+        if any((self._password1, self._password2, self._password3)):
+            raise errors.NotSupportedError(
+                "The Multi Factor Authentication is not supported by the "
+                "pure Python implementation"
+            )
         if self._auth_plugin == "authentication_kerberos_client":
             if os.name == "nt":
                 raise errors.ProgrammingError(
@@ -999,7 +1004,7 @@ def cmd_ping(self):
         return self._handle_ok(self._send_cmd(ServerCmd.PING))
 
     def cmd_change_user(self, username='', password='', database='',
-                        charset=45):
+                        charset=45, password1='', password2='', password3=''):
         """Change the current logged in user
 
         This method allows to change the current logged in user information.
@@ -1009,6 +1014,11 @@ def cmd_change_user(self, username='', password='', database='',
         """
         self.handle_unread_result()
 
+        if any((password1, password2, password3)):
+            raise errors.NotSupportedError(
+                "The Multi Factor Authentication is not supported by the "
+                "pure Python implementation"
+            )
         if self._compress:
             raise errors.NotSupportedError("Change user is not supported with "
                                            "compression.")
@@ -1090,7 +1100,9 @@ def reset_session(self, user_variables=None, session_variables=None):
             self.cmd_reset_connection()
         except errors.NotSupportedError:
             self.cmd_change_user(self._user, self._password,
-                                 self._database, self._charset_id)
+                                 self._database, self._charset_id,
+                                 self._password1, self._password2,
+                                 self._password3)
 
         cur = self.cursor()
         if user_variables:

lib/mysql/connector/connection_cext.py

@@ -197,6 +197,9 @@ def _open_connection(self):
             'host': self._host,
             'user': self._user,
             'password': self._password,
+            'password1': self._password1,
+            'password2': self._password2,
+            'password3': self._password3,
             'database': self._database,
             'port': self._port,
             'client_flags': self._client_flags,
@@ -691,10 +694,17 @@ def consume_results(self):
         self._cmysql.consume_result()
 
     def cmd_change_user(self, username='', password='', database='',
-                        charset=45):
+                        charset=45, password1='', password2='', password3=''):
         """Change the current logged in user"""
         try:
-            self._cmysql.change_user(username, password, database)
+            self._cmysql.change_user(
+                username,
+                password,
+                database,
+                password1,
+                password2,
+                password3,
+            )
         except MySQLInterfaceError as exc:
             raise errors.get_mysql_exception(msg=exc.msg, errno=exc.errno,
                                              sqlstate=exc.sqlstate)
@@ -810,7 +820,9 @@ def reset_session(self, user_variables=None, session_variables=None):
                     "version 5.7.2 or earlier.")
             else:
                 self.cmd_change_user(self._user, self._password,
-                                     self._database, self._charset_id)
+                                     self._database, self._charset_id,
+                                     self._password1, self._password2,
+                                     self._password3)
 
         if user_variables or session_variables:
             cur = self.cursor()

lib/mysql/connector/constants.py

@@ -46,6 +46,9 @@
     'database': None,
     'user': '',
     'password': '',
+    'password1': '',
+    'password2': '',
+    'password3': '',
     'host': '127.0.0.1',
     'port': 3306,
     'unix_socket': None,

src/mysql_capi.c

@@ -910,18 +910,49 @@ PyObject*
 MySQL_change_user(MySQL *self, PyObject *args, PyObject *kwds)
 {
 	char *user= NULL, *database= NULL;
-    char *password = NULL;
+    char *password= NULL, *password1=NULL, *password2= NULL, *password3= NULL;
+    unsigned int mfa_factor1= 1, mfa_factor2= 2, mfa_factor3= 3;
 	int res;
-	static char *kwlist[]= {"user", "password", "database", NULL};
+	static char *kwlist[]= {"user", "password", "database", "password1", "password2", "password3", NULL};
+#if MYSQL_VERSION_ID >= 80001
+    bool abool;
+#else
+    my_bool abool;
+#endif
 
     IS_CONNECTED(self);
 
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzz", kwlist,
-                                     &user, &password, &database
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzzz", kwlist,
+                                     &user, &password, &database, &password1, &password2, &password3
                                      ))
     {
         return NULL;
     }
+
+    if (strcmp(PyUnicode_AsUTF8(self->auth_plugin), "mysql_clear_password") == 0)
+    {
+        abool= 1;
+        mysql_options(&self->session, MYSQL_ENABLE_CLEARTEXT_PLUGIN, (char*)&abool);
+    }
+
+    // Multi Factor Authentication: 1-factor password
+    if (password1 && strlen(password1) > 0)
+    {
+        mysql_options4(&self->session, MYSQL_OPT_USER_PASSWORD, &mfa_factor1, password1);
+    }
+
+    // Multi Factor Authentication: 2-factor password
+    if (password2 && strlen(password2) > 0)
+    {
+        mysql_options4(&self->session, MYSQL_OPT_USER_PASSWORD, &mfa_factor2, password2);
+    }
+
+    // Multi Factor Authentication: 3-factor password
+    if (password3 && strlen(password3) > 0)
+    {
+        mysql_options4(&self->session, MYSQL_OPT_USER_PASSWORD, &mfa_factor3, password3);
+    }
+
     Py_BEGIN_ALLOW_THREADS
     res= mysql_change_user(&self->session, user, password, database);
     Py_END_ALLOW_THREADS
@@ -1132,24 +1163,36 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
     my_bool abool;
     my_bool ssl_enabled= 0;
 #endif
-    char *password = NULL;
+    char *password= NULL, *password1= NULL, *password2= NULL, *password3= NULL;
+    unsigned int mfa_factor1= 1, mfa_factor2= 2, mfa_factor3= 3;
     MYSQL *res;
 
     static char *kwlist[]=
     {
-        "host", "user", "password", "database", "port", "unix_socket",
-        "client_flags", "ssl_ca", "ssl_cert", "ssl_key", "ssl_cipher_suites",
-        "tls_versions", "tls_cipher_suites", "ssl_verify_cert",
+        "host", "user", "password", "password1", "password2", "password3", "database",
+        "port", "unix_socket", "client_flags", "ssl_ca", "ssl_cert", "ssl_key",
+        "ssl_cipher_suites", "tls_versions", "tls_cipher_suites", "ssl_verify_cert",
         "ssl_verify_identity", "ssl_disabled", "compress", "conn_attrs",
         "local_infile", "load_data_local_dir",
         NULL
     };
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzkzkzzzzzzO!O!O!O!O!iz", kwlist,
-                                     &host, &user, &password, &database,
-                                     &port, &unix_socket,
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzzzzkzkzzzzzzO!O!O!O!O!iz",
+                                     kwlist,
+                                     &host,
+                                     &user,
+                                     &password,
+                                     &password1,
+                                     &password2,
+                                     &password3,
+                                     &database,
+                                     &port,
+                                     &unix_socket,
                                      &client_flags,
-                                     &ssl_ca, &ssl_cert, &ssl_key,
-                                     &ssl_cipher_suites, &tls_versions,
+                                     &ssl_ca,
+                                     &ssl_cert,
+                                     &ssl_key,
+                                     &ssl_cipher_suites,
+                                     &tls_versions,
                                      &tls_cipher_suites,
                                      &PyBool_Type, &ssl_verify_cert,
                                      &PyBool_Type, &ssl_verify_identity,
@@ -1352,6 +1395,24 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
 		}
     }
 
+    // Multi Factor Authentication: 1-factor password
+    if (password1 && strlen(password1) > 0)
+    {
+        mysql_options4(&self->session, MYSQL_OPT_USER_PASSWORD, &mfa_factor1, password1);
+    }
+
+    // Multi Factor Authentication: 2-factor password
+    if (password2 && strlen(password2) > 0)
+    {
+        mysql_options4(&self->session, MYSQL_OPT_USER_PASSWORD, &mfa_factor2, password2);
+    }
+
+    // Multi Factor Authentication: 3-factor password
+    if (password3 && strlen(password3) > 0)
+    {
+        mysql_options4(&self->session, MYSQL_OPT_USER_PASSWORD, &mfa_factor3, password3);
+    }
+
     Py_BEGIN_ALLOW_THREADS
     res= mysql_real_connect(&self->session, host, user, password, database,
                             port, unix_socket, client_flags);