WL14263: Add support for SCRAM-SHA-256

isrgomez · isrgomez · commit 9f6feb31cb2d · 2020-10-09T10:42:04.000-05:00
The purpose of this Worklog is to add support for the SASL authentication
protocol using the SCRAM-SHA-256 authentication method.
diff --git a/lib/mysql/connector/authentication.py b/lib/mysql/connector/authentication.py
@@ -36,7 +36,7 @@
 from uuid import uuid4
 
 from . import errors
-from .catch23 import PY2, isstr, UNICODE_TYPES, STRING_TYPES
+from .catch23 import PY2, isstr, UNICODE_TYPES, BYTE_TYPES
 from .utils import (normalize_unicode_string as norm_ustr,
                     validate_normalized_unicode_string as valid_norm)
 
@@ -267,9 +267,9 @@ class MySQLLdapSaslPasswordAuthPlugin(BaseAuthPlugin):
 
     The MySQL's ldap sasl authentication plugin support two authentication
     methods SCRAM-SHA-1 and GSSAPI (using Kerberos). This implementation only
-    support SCRAM-SHA-1.
+    support SCRAM-SHA-1 and SCRAM-SHA-256.
 
-    SCRAM-SHA-1
+    SCRAM-SHA-1 amd SCRAM-SHA-256
         This method requires 2 messages from client and 2 responses from
         server.
 
@@ -280,6 +280,7 @@ class MySQLLdapSaslPasswordAuthPlugin(BaseAuthPlugin):
         server, the second server respond needs to be passed to auth_finalize()
         to finish the authentication process.
     """
+    sasl_mechanisms = ['SCRAM-SHA-1', 'SCRAM-SHA-256']
     requires_ssl = False
     plugin_name = 'authentication_ldap_sasl_client'
     def_digest_mode = sha1
@@ -354,14 +355,17 @@ def auth_response(self):
 
         Returns bytes to send to the server as the first message.
         """
-        # We only support SCRAM-SHA-1 authentication method.
-        _LOGGER.debug("read_method_name_from_server: %s",
-                      self._auth_data.decode())
-        if self._auth_data != b'SCRAM-SHA-1':
+        auth_mechanism = self._auth_data.decode()
+        _LOGGER.debug("read_method_name_from_server: %s", auth_mechanism)
+        if auth_mechanism not in self.sasl_mechanisms:
             raise errors.InterfaceError(
                 'The sasl authentication method "{}" requested from the server '
-                'is not supported. Only "{}" is supported'.format(
-                    self._auth_data, "SCRAM-SHA-1"))
+                'is not supported. Only "{}" and "{}" are supported'.format(
+                    auth_mechanism, '", "'.join(self.sasl_mechanisms[:-1]),
+                    self.sasl_mechanisms[-1]))
+
+        if self._auth_data == b'SCRAM-SHA-256':
+            self.def_digest_mode = sha256
 
         return self._first_message()
 
@@ -440,11 +444,12 @@ def _validate_first_reponse(self, servers_first):
         First message from the server is in the form:
             <server_salt>,i=<iterations>
         """
-        self.servers_first = servers_first
-        if not servers_first or not isinstance(servers_first, STRING_TYPES):
+        if not servers_first or not isinstance(servers_first, BYTE_TYPES):
             raise errors.InterfaceError("Unexpected server message: {}"
                                         "".format(servers_first))
         try:
+            servers_first = servers_first.decode()
+            self.servers_first = servers_first
             r_server_nonce, s_salt, i_counter = servers_first.split(",")
         except ValueError:
             raise errors.InterfaceError("Unexpected server message: {}"
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -251,7 +251,7 @@ def _auth_switch_request(self, username=None, password=None):
 
             if packet[5] == 114 and packet[6] == 61: # 'r' and '='
                 # Continue with sasl authentication
-                dec_response = packet[5:].decode()
+                dec_response = packet[5:]
                 cresponse = auth.auth_continue(dec_response)
                 self._socket.send(cresponse)
                 packet = self._socket.recv()
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -282,13 +282,15 @@ def test_auth_response(self):
 
         # verify an error is shown if server response is not well formated.
         with self.assertRaises(InterfaceError) as context:
-            auth_plugin.auth_continue("r=/ZT33fXoR/BZT,s=IApa7ZwqQ/ZT,w54")
+            auth_plugin.auth_continue(
+                bytearray("r=/ZT33fXoR/BZT,s=IApa7ZwqQ/ZT,w54".encode()))
         self.assertIn("Incomplete reponse", context.exception.msg,
                       "not the expected error {}".format(context.exception.msg))
 
         # verify an error is shown if server does not authenticate response.
         with self.assertRaises(InterfaceError) as context:
-            auth_plugin.auth_continue("r=/ZT33fXoR/BZT,s=IApa7ZwqQ/ZT,i=40")
+            auth_plugin.auth_continue(
+                bytearray("r=/ZT33fXoR/BZT,s=IApa7ZwqQ/ZT,i=40".encode()))
         self.assertIn("Unable to authenticate resp", context.exception.msg,
                       "not the expected error {}".format(context.exception.msg))
 
@@ -306,3 +308,99 @@ def test_auth_response(self):
                 bytearray(b"v=5H6b+IApa7ZwqQ/ZT33fXoR/BTM="))
         self.assertIn("Unable to proof server identity", context.exception.msg,
                       "not the expected error {}".format(context.exception.msg))
+
+    def test_auth_response256(self):
+        # Test unsupported mechanism error message
+        auth_data = b'UNKOWN-METHOD'
+        auth_plugin = self.plugin_class(auth_data, username="user",
+                                        password="spam")
+        with self.assertRaises(InterfaceError) as context:
+            auth_plugin.auth_response()
+        self.assertIn('sasl authentication method "UNKOWN-METHOD"',
+                      context.exception.msg, "not the expected error {}"
+                      "".format(context.exception.msg))
+        self.assertIn("is not supported", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+        with self.assertRaises(NotImplementedError) as context:
+            auth_plugin.prepare_password()
+
+        # Test SCRAM-SHA-256 mechanism is accepted
+        auth_data = b'SCRAM-SHA-256'
+
+        auth_plugin = self.plugin_class(auth_data, username="", password="")
+
+        # Verify the format of the first message from client.
+        exp = b'n,a=,n=,r='
+        client_first_nsg = auth_plugin.auth_response()
+        self.assertTrue(client_first_nsg.startswith(exp),
+                        "got header: {}".format(auth_plugin.auth_response()))
+
+        auth_plugin = self.plugin_class(auth_data, username="user",
+                                        password="spam")
+
+        # Verify the length of the client's nonce in r=
+        cnonce = client_first_nsg[(len(b'n,a=,n=,r=')):]
+        r_len = len(cnonce)
+        self.assertEqual(32, r_len, "Unexpected legth {}".format(len(cnonce)))
+
+        # Verify the format of the first message from client.
+        exp = b'n,a=user,n=user,r='
+        client_first_nsg = auth_plugin.auth_response()
+        self.assertTrue(client_first_nsg.startswith(exp),
+                        "got header: {}".format(auth_plugin.auth_response()))
+
+        # Verify the length of the client's nonce in r=
+        cnonce = client_first_nsg[(len(exp)):]
+        r_len = len(cnonce)
+        self.assertEqual(32, r_len, "Unexpected cnonce legth {}, response {}"
+                         "".format(len(cnonce), client_first_nsg))
+
+        # Verify that a user name that requires character mapping is mapped
+        auth_plugin = self.plugin_class(auth_data, username=u"u\u1680ser",
+                                        password="spam")
+        exp = b'n,a=u ser,n=u ser,r='
+        client_first_nsg = auth_plugin.auth_response()
+        self.assertTrue(client_first_nsg.startswith(exp),
+                        "got header: {}".format(auth_plugin.auth_response()))
+
+        # Verify the length of the client's nonce in r=
+        cnonce = client_first_nsg[(len(exp)):]
+        r_len = len(cnonce)
+        self.assertEqual(32, r_len, "Unexpected legth {}".format(len(cnonce)))
+
+        bad_responses = [None, "", "v=5H6b+IApa7ZwqQ/ZT33fXoR/BTM=", b"", 123]
+        for bad_res in bad_responses:
+            # verify an error is shown if server response is not as expected.
+            with self.assertRaises(InterfaceError) as context:
+                auth_plugin.auth_continue(bad_res)
+            self.assertIn("Unexpected server message", context.exception.msg,
+                          "not the expected: {}".format(context.exception.msg))
+
+        # verify an error is shown if server response is not well formated.
+        with self.assertRaises(InterfaceError) as context:
+            auth_plugin.auth_continue(
+                bytearray(b"r=/ZT33fXoR/BZT,s=IApa7ZwqQ/ZT,w54"))
+        self.assertIn("Incomplete reponse", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
+        # verify an error is shown if server does not authenticate response.
+        with self.assertRaises(InterfaceError) as context:
+            auth_plugin.auth_continue(
+                bytearray(b"r=/ZT33fXoR/BZT,s=IApa7ZwqQ/ZT,i=40"))
+        self.assertIn("Unable to authenticate resp", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
+        bad_proofs = [None, "", b"5H6b+IApa7ZwqQ/ZT33fXoR/BTM=", b"", 123]
+        for bad_proof in bad_proofs:
+            # verify an error is shown if server proof is not well formated.
+            with self.assertRaises(InterfaceError) as context:
+                auth_plugin.auth_finalize(bad_proof)
+            self.assertIn("proof is not well formated.", context.exception.msg,
+                          "not the expected: {}".format(context.exception.msg))
+
+        # verify an error is shown it the server can not prove it self.
+        with self.assertRaises(InterfaceError) as context:
+            auth_plugin.auth_finalize(
+                bytearray(b"v=5H6b+IApa7ZwqQ/ZT33fXoR/BTM="))
+        self.assertIn("Unable to proof server identity", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -2832,6 +2832,134 @@ def test_clear_text_pass(self):
         self.assertRaises(InterfaceError, self.cnx.__class__, **conn_args)
 
 
+@unittest.skipIf(tests.MYSQL_VERSION < (5, 7),
+                 "Authentication with ldap_simple not supported")
+#Skip if remote ldap server is not reachable.
+@unittest.skipIf(not tests.is_host_reachable("100.103.19.5"),
+                 "ldap server is not reachable")
+@unittest.skipIf(not tests.is_plugin_available("authentication_ldap_sasl"),
+                 "Plugin authentication_ldap_simple not available")
+class WL14263(tests.MySQLConnectorTests):
+    """WL#14110: Add support for SCRAM-SHA-256
+    """
+    def setUp(self):
+        self.server = tests.MYSQL_SERVERS[0]
+        self.server_cnf = self.server._cnf
+        self.config = tests.get_mysql_config()
+        self.config.pop("unix_socket", None)
+        self.user = "sadmin"
+        self.host = "%"
+
+        cnx = connection.MySQLConnection(**self.config)
+        ext = "dll" if os.name == "nt" else "so"
+        plugin_name = "authentication_ldap_sasl.{}".format(ext)
+
+        ldap_sasl_config = {
+            "plugin-load-add": plugin_name,
+            "authentication_ldap_sasl_auth_method_name": "SCRAM-SHA-256",
+            "authentication_ldap_sasl_bind_base_dn": '"dc=my-domain,dc=com"',
+            "authentication_ldap_sasl_log_status": 5,
+            "authentication_ldap_sasl_server_host": "100.103.19.5", #ldap-mtr.no.oracle.com
+            "authentication_ldap_sasl_group_search_attr": "",
+            "authentication_ldap_sasl_user_search_attr": "cn",
+        }
+        cnf = "\n# ldap_sasl"
+        for key in ldap_sasl_config:
+            cnf = "{}\n{}={}".format(cnf, key, ldap_sasl_config[key])
+        self.server_cnf += cnf
+
+        cnx.close()
+        self.server.stop()
+        self.server.wait_down()
+
+        self.server.start(my_cnf=self.server_cnf)
+        self.server.wait_up()
+        sleep(1)
+
+        cnx = connection.MySQLConnection(**self.config)
+
+        try:
+            cnx.cmd_query("DROP USER '{}'@'{}'".format(self.user, self.host))
+            cnx.cmd_query("DROP USER '{}'@'{}'".format("common", self.host))
+        except:
+            pass
+
+        cnx.cmd_query("CREATE USER '{}'@'{}' IDENTIFIED "
+                      "WITH authentication_ldap_sasl"
+                      "".format(self.user, self.host))
+
+        cnx.cmd_query("CREATE USER '{}'@'{}'"
+                      "".format("common", self.host))
+        cnx.cmd_query("GRANT ALL ON *.* TO '{}'@'{}'"
+                      "".format("common", self.host))
+
+        cnx.close()
+
+    def tearDown(self):
+        return
+        cnx = connection.MySQLConnection(**self.config)
+        try:
+            cnx.cmd_query("DROP USER '{}'@'{}'".format(self.user, self.host))
+            cnx.cmd_query("DROP USER '{}'@'{}'".format("common", self.host))
+        except:
+            pass
+        cnx.cmd_query("UNINSTALL PLUGIN authentication_ldap_sasl")
+        cnx.close()
+
+    @tests.foreach_cnx()
+    def test_authentication_ldap_sasl_client(self):
+        """test_authentication_ldap_sasl_client_with_SCRAM-SHA-1"""
+        # Not running with c-ext if plugin libraries are not setup
+        if self.cnx.__class__ == CMySQLConnection and \
+           os.getenv('TEST_AUTHENTICATION_LDAP_SASL_CLIENT_CEXT', None) is None:
+            return
+        conn_args = {
+            "user": "sadmin",
+            "host": self.config["host"],
+            "port": self.config["port"],
+            "password": "perola",
+        }
+
+        # Atempt connection with wrong password
+        bad_pass_args = conn_args.copy()
+        bad_pass_args["password"] = "wrong_password"
+        with self.assertRaises(ProgrammingError) as context:
+            _ = self.cnx.__class__(**bad_pass_args)
+        self.assertIn("Access denied for user", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
+        # Atempt connection with correct password
+        cnx = self.cnx.__class__(**conn_args)
+        cnx.cmd_query('SELECT USER()')
+        res = cnx.get_rows()[0][0][0]
+        self.assertIn(self.user, res, "not the expected user {}".format(res))
+        cnx.close()
+
+        # Force unix_socket to None
+        conn_args["unix_socket"] = None
+        cnx = self.cnx.__class__(**conn_args)
+        cnx.cmd_query('SELECT USER()')
+        res = cnx.get_rows()[0][0][0]
+        self.assertIn(self.user, res, "not the expected user {}".format(res))
+        cnx.close()
+
+        # Attempt connection with verify certificate set to True
+        conn_args.update({
+            'ssl_ca': os.path.abspath(
+                os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem')),
+            'ssl_cert': os.path.abspath(
+                os.path.join(tests.SSL_DIR, 'tests_client_cert.pem')),
+            'ssl_key': os.path.abspath(
+                os.path.join(tests.SSL_DIR, 'tests_client_key.pem')),
+        })
+        conn_args["ssl_verify_cert"] = True
+        cnx = self.cnx.__class__(**conn_args)
+        cnx.cmd_query('SELECT USER()')
+        res = cnx.get_rows()[0][0][0]
+        self.assertIn(self.user, res, "not the expected user {}".format(res))
+        cnx.close()
+
+
 class WL13334(tests.MySQLConnectorTests):
     """WL#13334: Failover and multihost
     """
