WL13994: Support clear text passwords

The purpose of this worklog is to make sure that the use "mysql_clear_password"
authentication plugin is only used when the connection is secure (as with SSL),
to avoid passing the password in clear text over the wired.

Author: isrgomez

lib/mysql/connector/abstracts.py

@@ -508,6 +508,10 @@ def config(self, **kwargs):
         if "ssl_disabled" in config:
             self._ssl_disabled = config.pop("ssl_disabled")
 
+        if self._ssl_disabled and self._auth_plugin == "mysql_clear_password":
+            raise errors.InterfaceError("Clear password authentication is not "
+                                        "supported over insecure channels")
+
         # Other configuration
         set_ssl_flag = False
         for key, value in config.items():

lib/mysql/connector/connection.py

@@ -159,10 +159,14 @@ def _do_handshake(self):
             handshake['server_version_original'])
 
         if not handshake['capabilities'] & ClientFlag.SSL:
-            self._client_flags &= ~ClientFlag.SSL
+            if self._auth_plugin == "mysql_clear_password":
+                err_msg = ("Clear password authentication is not supported "
+                           "over insecure channels")
+                raise errors.InterfaceError(err_msg)
             if self._ssl.get('verify_cert'):
                 raise errors.InterfaceError("SSL is required but the server "
                                             "doesn't support it", errno=2026)
+            self._client_flags &= ~ClientFlag.SSL
         elif not self._ssl_disabled:
             self._client_flags |= ClientFlag.SSL
 

tests/__init__.py

@@ -43,6 +43,7 @@
 import errno
 import traceback
 from cpydist.utils import mysql_c_api_info
+from time import sleep
 from distutils.dist import Distribution
 from imp import load_source
 from functools import wraps
@@ -113,6 +114,7 @@
 MYSQL_SERVERS_NEEDED = 1
 MYSQL_SERVERS = []
 MYSQL_VERSION = ()
+MYSQL_LICENSE = ""
 MYSQL_VERSION_TXT = ''
 MYSQL_DUMMY = None
 MYSQL_DUMMY_THREAD = None
@@ -948,6 +950,75 @@ def check_c_extension(exc=None):
         LOGGER.error("C Extension not available: %s", error_msg)
         sys.exit(1)
 
+
+def is_host_reachable(host):
+    """Attempts to reach a host, by using the ping command.
+    Returns True if success else False.
+    """
+    param_attemps = "-n" if os.name == "nt" else "-c"
+    attemps = "1"
+    command = ["ping", param_attemps, attemps, host]
+    try:
+        return subprocess.call(command) == 0
+    except OSError:
+        return False
+
+
+def is_plugin_available(plugin_name, config_vars=None, in_server=None):
+    """Checks if the plugin name is available
+
+    The given plugin must be able to be load in the server and his status must
+    be "active" be mark as available, in either result Server will be restarted
+    with the default configuration.
+
+    Returns True if plugin an success else False.
+    """
+    available = False
+    server = in_server if in_server else MYSQL_SERVERS[0]
+    plugin_config_vars = config_vars if config_vars else []
+    server_cnf = server._cnf
+    config = get_mysql_config(server.name)
+
+    ext = "dll" if os.name == "nt" else "so"
+    plugin_full_name = "{name}.{ext}".format(name=plugin_name, ext=ext)
+
+    plugin_config = {
+        "plugin-load-add": plugin_full_name,
+    }
+    plugin_config.update(plugin_config_vars)
+    cnf = "\n# is_plugin_available vars:"
+    for key in plugin_config:
+        cnf = "{}\n{}={}".format(cnf, key, plugin_config[key])
+    server_cnf += cnf
+
+    server.stop()
+    server.wait_down()
+
+    try:
+        server.start(my_cnf=server_cnf)
+        server.wait_up()
+        sleep(1)
+        from mysql.connector import MySQLConnection
+        cnx = MySQLConnection(**config)
+        cnx.cmd_query("SHOW PLUGINS")
+        res = cnx.get_rows()
+        for row in res[0]:
+            if row[0] == plugin_name:
+                if row[1] == "ACTIVE":
+                    available = True
+        cnx.cmd_query("UNINSTALL PLUGIN {}".format(plugin_name))
+        cnx.close()
+        return available
+    except:
+        pass
+    finally:
+        server.stop()
+        server.wait_down()
+        server.start(my_cnf=server_cnf)
+        server.wait_up()
+        sleep(1)
+    return available
+
 def check_tls_versions_support(tls_versions):
     """Check whether we can connect with given TLS version
 

tests/mysqld.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2018, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -169,7 +169,9 @@ def __init__(self, basedir, option_file=None, sharedir=None):
         self._process = None
         self._lc_messages_dir = None
         self._init_mysql_install()
-        self._version = self._get_version()
+        ver, lic = self._get_version()
+        self._version = ver
+        self._license = lic
 
         if option_file and os.access(option_file, 0):
             MySQLBootstrapError("Option file not accessible: {name}".format(
@@ -242,7 +244,7 @@ def _init_mysql_install(self):
                    afile == 'innodb_memcached_config.sql':
                     self._scriptdir = root
 
-        version = self._get_version()
+        version = self._get_version()[0]
         if not self._lc_messages_dir or (version < (8, 0, 13) and
                                          not self._scriptdir):
             raise MySQLBootstrapError(
@@ -296,8 +298,10 @@ def _get_version(self):
         """Get the MySQL server version
 
         This method executes mysqld with the --version argument. It parses
-        the output looking for the version number and returns it as a
-        tuple with integer values: (major,minor,patch)
+        the output looking for the version number and license, returns it as a
+        tuple with version number as fisrt element as a tuple with integer
+        values and a string as second element indicating the version in the
+        form:  ((major,minor,patch), "license as shown by mysqld")
 
         Returns a tuple.
         """
@@ -308,9 +312,13 @@ def _get_version(self):
 
         prc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
         verstr = str(prc.communicate()[0])
-        matches = re.match(r'.*Ver (\d)\.(\d).(\d{1,2}).*', verstr)
+        matches = re.match(r'.*Ver (\d)\.(\d).(\d{1,2})-*(\S*).*', verstr)
         if matches:
-            return tuple([int(v) for v in matches.groups()])
+            matches_groups = matches.groups()
+            ver = tuple([int(v) for v in matches_groups[0:-1]])
+            lic = matches_groups[-1]
+            LOGGER.debug("MySQL version: %s license: %s", ver, lic)
+            return (ver, lic)
         else:
             raise MySQLServerError(
                 'Failed reading version from mysqld --version')
@@ -323,6 +331,14 @@ def version(self):
         """
         return self._version
 
+    @property
+    def license(self):
+        """Returns the MySQL server license type
+
+        Returns a tuple.
+        """
+        return self._license
+
     def _start_server(self):
         """Start the MySQL server"""
         try:
@@ -632,16 +648,18 @@ def update_config(self, **kwargs):
             'ssl': 1,
         }
 
+        cnf = kwargs.pop("my_cnf", self._cnf)
         for arg in self._extra_args:
             if self._version < arg["version"]:
                 options.update(dict([(key, '') for key in
                                      arg["options"].keys()]))
             else:
                 options.update(arg["options"])
         options.update(**kwargs)
+
         try:
             fp = open(self._option_file, 'w')
-            fp.write(self._cnf.format(**options))
+            fp.write(cnf.format(**options))
             fp.close()
         except Exception as ex:
             LOGGER.error("Failed to write config file {0}".format(ex))

tests/test_connection.py

@@ -40,6 +40,7 @@
 import socket
 import subprocess
 import sys
+from time import sleep
 
 import tests
 from . import check_tls_versions_support
@@ -57,7 +58,7 @@
 from mysql.connector import (connect, connection, network, errors,
                              constants, cursor, abstracts, catch23,
                              HAVE_DNSPYTHON)
-from mysql.connector.errors import InterfaceError
+from mysql.connector.errors import InterfaceError, ProgrammingError
 from mysql.connector.optionfiles import read_option_files
 from mysql.connector.network import TLS_V1_3_SUPPORTED
 from mysql.connector.utils import linux_distribution
@@ -2531,6 +2532,170 @@ def test_connect_with_can_handle_expired_pw_flag(self):
         _ = self.cnx.__class__(**cnx_config)
 
 
+@unittest.skipIf(tests.MYSQL_VERSION < (5, 7),
+                 "Authentication with ldap_simple not supported")
+@unittest.skipIf(not tests.is_plugin_available("authentication_ldap_simple"),
+                 "Plugin authentication_ldap_simple not available")
+#Skip if remote ldap server is not reachable.
+@unittest.skipIf(not tests.is_host_reachable("100.103.18.98"),
+                 "ldap server is not reachable")
+class WL13994(tests.MySQLConnectorTests):
+    """WL#13994: Support clear text passwords
+    """
+    def setUp(self):
+        self.server = tests.MYSQL_SERVERS[0]
+        self.server_cnf = self.server._cnf
+        self.config = tests.get_mysql_config()
+        self.config.pop("unix_socket", None)
+        self.user = "[email protected]"
+        self.host = "%"
+
+        cnx = connection.MySQLConnection(**self.config)
+        ext = "dll" if os.name == "nt" else "so"
+        plugin_name = "authentication_ldap_simple.{}".format(ext)
+
+        ldap_simple_config = {
+            "plugin-load-add": plugin_name,
+            "authentication_ldap_simple_auth_method_name": "simple",
+            "authentication_ldap_simple_bind_base_dn": '"dc=MYSQL,dc=local"',
+            "authentication_ldap_simple_init_pool_size": 1,
+            "authentication_ldap_simple_bind_root_dn": "",
+            "authentication_ldap_simple_bind_root_pwd": "",
+            "authentication_ldap_simple_ca_path": '""',
+            "authentication_ldap_simple_log_status": 6,
+            "authentication_ldap_simple_server_host": "100.103.18.98",
+            "authentication_ldap_simple_user_search_attr": "cn",
+            "authentication_ldap_simple_group_search_attr": "cn",
+        }
+        cnf = "\n# ldap_simple"
+        for key in ldap_simple_config:
+            cnf = "{}\n{}={}".format(cnf, key, ldap_simple_config[key])
+        self.server_cnf += cnf
+
+        cnx.close()
+        self.server.stop()
+        self.server.wait_down()
+
+        self.server.start(my_cnf=self.server_cnf)
+        self.server.wait_up()
+        sleep(1)
+
+        cnx = connection.MySQLConnection(**self.config)
+
+        identified_by = "CN=test1,CN=Users,DC=mysql,DC=local"
+
+        cnx.cmd_query("CREATE USER '{}'@'{}' IDENTIFIED "
+                      "WITH authentication_ldap_simple AS"
+                      "'{}'".format(self.user, self.host, identified_by))
+        cnx.cmd_query("GRANT ALL ON *.* TO '{}'@'{}'"
+                      "".format(self.user, self.host))
+        cnx.cmd_query("FLUSH PRIVILEGES")
+        cnx.close()
+
+    def tearDown(self):
+        cnx = connection.MySQLConnection(**self.config)
+        try:
+            cnx.cmd_query("DROP USER '{}'@'{}'".format(self.user, self.host))
+        except:
+            pass
+        cnx.cmd_query("UNINSTALL PLUGIN authentication_ldap_simple")
+        cnx.cmd_query('show variables like "have_ssl"')
+        res = cnx.get_rows()[0][0]
+        cnx.close()
+        if res == ('have_ssl', 'DISABLED'):
+            self._enable_ssl()
+
+    def _disable_ssl(self):
+        self.server.stop()
+        self.server.wait_down()
+
+        self.server.start(ssl_ca='', ssl_cert='', ssl_key='', ssl=0,
+                          my_cnf=self.server_cnf)
+        self.server.wait_up()
+        sleep(1)
+        cnx = connection.MySQLConnection(**self.config)
+        cnx.cmd_query('show variables like "have_ssl"')
+        res = cnx.get_rows()[0][0]
+        self.assertEqual(res, ('have_ssl', 'DISABLED'),
+                         "can not dissable ssl: {}".format(res))
+
+    def _enable_ssl(self):
+        self.server.stop()
+        self.server.wait_down()
+        self.server.start()
+        self.server.wait_up()
+        sleep(1)
+
+    @tests.foreach_cnx()
+    def test_clear_text_pass(self):
+        """test_clear_text_passwords_without_secure_connection"""
+        conn_args = {
+            "user": "[email protected]",
+            "host": self.config["host"],
+            "port": self.config["port"],
+            "password": "Testpw1",
+            "auth_plugin": "mysql_clear_password",
+        }
+
+        # Atempt connection with wrong password
+        bad_pass_args = conn_args.copy()
+        bad_pass_args["password"] = "wrong_password"
+        with self.assertRaises(ProgrammingError) as context:
+            _ = self.cnx.__class__(**bad_pass_args)
+        self.assertIn("Access denied for user", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
+        # connect using mysql clear password and ldap simple auth method
+        cnx = self.cnx.__class__(**conn_args)
+        cnx.cmd_query('SELECT USER()')
+        res = cnx.get_rows()[0][0][0]
+        self.assertIn(self.user, res, "not the expected user {}".format(res))
+        cnx.close()
+
+        # Disabling ssl must raise an error.
+        conn_args["ssl_disabled"] = True
+        with self.assertRaises(InterfaceError) as context:
+            _ = self.cnx.__class__(**conn_args)
+        self.assertEqual("Clear password authentication is not supported over "
+                         "insecure channels", context.exception.msg,
+                         "Unexpected exception message found: {}"
+                         "".format(context.exception.msg))
+
+        # Unix socket is used in unix by default if not popped or set to None
+        conn_args["unix_socket"] = tests.get_mysql_config().get("unix_socket", None)
+        with self.assertRaises(InterfaceError) as context:
+            _ = self.cnx.__class__(**conn_args)
+        self.assertEqual("Clear password authentication is not supported over "
+                         "insecure channels", context.exception.msg,
+                         "Unexpected exception message found: {}"
+                         "".format(context.exception.msg))
+
+        # Attempt connection with verify certificate set to True
+        conn_args.pop("ssl_disabled")
+        conn_args.pop("unix_socket")
+        conn_args.update({
+            'ssl_ca': os.path.abspath(
+                os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem')),
+            'ssl_cert': os.path.abspath(
+                os.path.join(tests.SSL_DIR, 'tests_client_cert.pem')),
+            'ssl_key': os.path.abspath(
+                os.path.join(tests.SSL_DIR, 'tests_client_key.pem')),
+        })
+        conn_args["ssl_verify_cert"] = True
+        cnx = self.cnx.__class__(**conn_args)
+        cnx.cmd_query('SELECT USER()')
+        res = cnx.get_rows()[0][0][0]
+        self.assertIn(self.user, res, "not the expected user {}".format(res))
+        cnx.close()
+
+        if CMySQLConnection is not None and isinstance(cnx, CMySQLConnection):
+            # Not testing cext without ssl
+            return
+        self._disable_ssl()
+        # Error must be raised to avoid send the password insecurely
+        self.assertRaises(InterfaceError, self.cnx.__class__, **conn_args)
+
+
 class WL13334(tests.MySQLConnectorTests):
     """WL#13334: Failover and multihost
     """