WL14213: Added option for krb service principal

Author: isrgomez

lib/mysql/connector/abstracts.py

@@ -62,6 +62,12 @@
 TLS_VER_NO_SUPPORTED = ("No supported TLS protocol version found in the "
                         "'tls-versions' list '{}'. ")
 
+KRB_SERVICE_PINCIPAL_ERROR = (
+    'Option "krb_service_principal" {error}, must be a string in the form '
+    '"primary/instance@realm" e.g "ldap/[email protected]" where "@realm" '
+    'is optional and if it is not given will be assumed to belong to the '
+    'default realm, as configured in the krb5.conf file.')
+
 
 @make_abc(ABCMeta)
 class MySQLConnectionAbstract(object):
@@ -607,6 +613,18 @@ def config(self, **kwargs):
 
         if self._client_flags & ClientFlag.CONNECT_ARGS:
             self._add_default_conn_attrs()
+        if "krb_service_principal" in config and \
+            config["krb_service_principal"] is not None:
+            self._krb_service_principal = config["krb_service_principal"]
+            if not isinstance(self._krb_service_principal, STRING_TYPES):
+                raise errors.InterfaceError(KRB_SERVICE_PINCIPAL_ERROR.format(
+                    error="is not a string"))
+            if self._krb_service_principal == "":
+                raise errors.InterfaceError(KRB_SERVICE_PINCIPAL_ERROR.format(
+                    error="can not be an empty string"))
+            if "/" not in self._krb_service_principal:
+                raise errors.InterfaceError(KRB_SERVICE_PINCIPAL_ERROR.format(
+                    error="is incorrectly formatted"))
 
     def _add_default_conn_attrs(self):
         """Add the default connection attributes."""

lib/mysql/connector/authentication.py

@@ -69,7 +69,7 @@ class BaseAuthPlugin(object):
     plugin_name = ''
 
     def __init__(self, auth_data, username=None, password=None, database=None,
-                 ssl_enabled=False):
+                 ssl_enabled=False, instance=None):
         """Initialization"""
         self._auth_data = auth_data
         self._username = username
@@ -295,6 +295,7 @@ class MySQLLdapSaslPasswordAuthPlugin(BaseAuthPlugin):
     client_nonce = None
     client_salt = None
     server_salt = None
+    krb_service_principal = None
     iterations = 0
     server_auth_var = None
 
@@ -404,7 +405,10 @@ def _first_message_krb(self):
                    gssapi.RequirementFlag.delegate_to_peer
         )
 
-        service_principal = "ldap/ldapauth"
+        if self.krb_service_principal:
+            service_principal = self.krb_service_principal
+        else:
+            service_principal = "ldap/ldapauth"
         _LOGGER.debug("# service principal: %s", service_principal)
         servk = gssapi.Name(service_principal, name_type=gssapi.NameType.kerberos_principal)
         self.target_name = servk
@@ -496,12 +500,13 @@ def auth_accept_close_handshake(self, message):
 
         return wraped.message
 
-    def auth_response(self):
+    def auth_response(self, krb_service_principal=None):
         """This method will prepare the fist message to the server.
 
         Returns bytes to send to the server as the first message.
         """
         auth_mechanism = self._auth_data.decode()
+        self.krb_service_principal = krb_service_principal
         _LOGGER.debug("read_method_name_from_server: %s", auth_mechanism)
         if auth_mechanism not in self.sasl_mechanisms:
             raise errors.InterfaceError(

lib/mysql/connector/connection.py

@@ -98,6 +98,7 @@ def __init__(self, *args, **kwargs):
 
         self._ssl_active = False
         self._auth_plugin = None
+        self._krb_service_principal = None
         self._pool_config_version = None
 
         self._columns_desc = []
@@ -245,11 +246,15 @@ def _auth_switch_request(self, username=None, password=None):
             auth = get_auth_plugin(new_auth_plugin)(auth_data,
                  username=self._user, password=password,
                  ssl_enabled=self._ssl_active)
-            response = auth.auth_response()
-            _LOGGER.debug("# request size: %s", len(response))
+            if new_auth_plugin == "authentication_ldap_sasl_client":
+                _LOGGER.debug("# auth_data: %s", auth_data)
+                response = auth.auth_response(self._krb_service_principal)
+            else:
+                response = auth.auth_response()
+            _LOGGER.debug("# request: %s size: %s", response, len(response))
             self._socket.send(response)
             packet = self._socket.recv()
-            _LOGGER.debug("server response packet: %s", packet)
+            _LOGGER.debug("# server response packet: %s", packet)
             if new_auth_plugin == "authentication_ldap_sasl_client" \
                and len(packet) >= 6 and packet[5] == 114 and packet[6] == 61: # 'r' and '='
                 # Continue with sasl authentication
@@ -261,7 +266,8 @@ def _auth_switch_request(self, username=None, password=None):
                     if auth.auth_finalize(packet[5:]):
                         # receive packed OK
                         packet = self._socket.recv()
-            elif new_auth_plugin == "authentication_ldap_sasl_client":
+            elif new_auth_plugin == "authentication_ldap_sasl_client" and \
+               auth_data == b'GSSAPI' and packet[4] != 255:
                 rcode_size = 5  # header size for the response status code.
                 _LOGGER.debug("# Continue with sasl GSSAPI authentication")
                 _LOGGER.debug("# response header: %s", packet[:rcode_size+1])

lib/mysql/connector/constants.py

@@ -79,7 +79,8 @@
     'consume_results': False,
     'conn_attrs': None,
     'dns_srv': False,
-    'use_pure': False
+    'use_pure': False,
+    'krb_service_principal': None
 }
 
 CNX_POOL_ARGS = ('pool_name', 'pool_size', 'pool_reset_session')

tests/test_connection.py

@@ -2548,7 +2548,7 @@ def test_connect_with_can_handle_expired_pw_flag(self):
 @unittest.skipIf(tests.MYSQL_VERSION < (5, 7),
                  "Authentication with ldap_simple not supported")
 #Skip if remote ldap server is not reachable.
-@unittest.skipIf(not tests.is_host_reachable("100.103.18.98"),
+@unittest.skipIf(not tests.is_host_reachable("10.172.166.126"),
                  "ldap server is not reachable")
 @unittest.skipIf(not tests.is_plugin_available("authentication_ldap_sasl"),
                  "Plugin authentication_ldap_sasl not available")
@@ -2915,7 +2915,7 @@ def tearDown(self):
 
     @tests.foreach_cnx()
     def test_authentication_ldap_sasl_client(self):
-        """test_authentication_ldap_sasl_client_with_SCRAM-SHA-1"""
+        """test_authentication_ldap_sasl_client_with_SCRAM-SHA-256"""
         # Not running with c-ext if plugin libraries are not setup
         if self.cnx.__class__ == CMySQLConnection and \
            os.getenv('TEST_AUTHENTICATION_LDAP_SASL_CLIENT_CEXT', None) is None:
@@ -3152,6 +3152,7 @@ def test_authentication_ldap_sasl_krb(self):
             "host": self.config["host"],
             "port": self.config["port"],
             "password": "Testpw1",
+            "krb_service_principal": "ldap/[email protected]"
         }
 
         # Attempt connection with wrong password
@@ -3168,6 +3169,38 @@ def test_authentication_ldap_sasl_krb(self):
                           "password", context.exception.msg, "not the expected "
                           "error {}".format(context.exception.msg))
 
+        # Attempt connection with empty krb_service_principal
+        bad_pass_args = conn_args.copy()
+        bad_pass_args["krb_service_principal"] = ""
+        with self.assertRaises((ProgrammingError, InterfaceError)) as context:
+            _ = self.cnx.__class__(**bad_pass_args)
+        self.assertIn("can not be an empty string", context.exception.msg,
+                      "not the expected  error {}".format(context.exception.msg))
+
+        # Attempt connection with an incorrectly formatted krb_service_principal
+        bad_pass_args = conn_args.copy()
+        bad_pass_args["krb_service_principal"] = "service_principal123"
+        with self.assertRaises((ProgrammingError, InterfaceError)) as context:
+            _ = self.cnx.__class__(**bad_pass_args)
+        self.assertIn("incorrectly formatted", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
+        # Attempt connection with an incorrectly formatted krb_service_principal
+        bad_pass_args = conn_args.copy()
+        bad_pass_args["krb_service_principal"] = 3308
+        with self.assertRaises((ProgrammingError, InterfaceError)) as context:
+            _ = self.cnx.__class__(**bad_pass_args)
+        self.assertIn("not a string", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
+        # Attempt connection with a false krb_service_principal
+        bad_pass_args = conn_args.copy()
+        bad_pass_args["krb_service_principal"] = "principal/instance@realm"
+        with self.assertRaises((ProgrammingError, InterfaceError)) as context:
+            _ = self.cnx.__class__(**bad_pass_args)
+        self.assertIn("Unable to initiate security context", context.exception.msg,
+                      "not the expected error {}".format(context.exception.msg))
+
         # Attempt connection with correct password
         cnx = self.cnx.__class__(**conn_args)
         cnx.cmd_query('SELECT USER()')