BUG#28295504: Disable SSL when using Unix socket connections

nmariz · nmariz · commit ba322544bbcb · 2022-05-27T13:30:12.000+01:00
When using Unix socket connections, the communication is secure and the
usage of the SSL overhead is unnecessary.

This patch disables the usage of SSL for Unix socket connections.
It also fixes BUG#28880051.

Tests were added/changed for regression.

Change-Id: I89c16ce87f9df8749edd98ddc48677383b4e64d3
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -20,6 +20,7 @@ v8.0.30
 - BUG#34127959: Add isolation level support in Django backend
 - BUG#33923516: Allow tuple of dictionaries as "failover" argument
 - BUG#28821983: Fix rounding errors for decimal values
+- BUG#28295504: Disable SSL when using Unix socket connections
 
 v8.0.29
 =======
diff --git a/lib/mysql/connector/abstracts.py b/lib/mysql/connector/abstracts.py
@@ -182,6 +182,13 @@ def get_self(self):
         """
         return self
 
+    @property
+    def is_secure(self):
+        """Return True if is a secure connection."""
+        return self._ssl_active or (
+            self._unix_socket is not None and os.name == "posix"
+        )
+
     @property
     def have_next_result(self):
         """Return if have next result."""
@@ -566,12 +573,6 @@ def config(self, **kwargs):
         if "ssl_disabled" in config:
             self._ssl_disabled = config.pop("ssl_disabled")
 
-        if self._ssl_disabled and self._auth_plugin == "mysql_clear_password":
-            raise InterfaceError(
-                "Clear password authentication is not "
-                "supported over insecure channels"
-            )
-
         # Other configuration
         set_ssl_flag = False
         for key, value in config.items():
@@ -593,6 +594,15 @@ def config(self, **kwargs):
                 except AttributeError:
                     setattr(self, attribute, value)
 
+        # Disable SSL for unix socket connections
+        if self._unix_socket and os.name == "posix":
+            self._ssl_disabled = True
+
+        if self._ssl_disabled and self._auth_plugin == "mysql_clear_password":
+            raise InterfaceError(
+                "Clear password authentication is not supported over insecure channels"
+            )
+
         if set_ssl_flag:
             if "verify_cert" not in self._ssl:
                 self._ssl["verify_cert"] = DEFAULT_CONFIGURATION["ssl_verify_cert"]
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -176,12 +176,11 @@ def _do_handshake(self):
         CharacterSet.set_mysql_version(self._server_version)
 
         if not handshake["capabilities"] & ClientFlag.SSL:
-            if self._auth_plugin == "mysql_clear_password":
-                err_msg = (
-                    "Clear password authentication is not supported "
-                    "over insecure channels"
+            if self._auth_plugin == "mysql_clear_password" and not self.is_secure:
+                raise InterfaceError(
+                    "Clear password authentication is not supported over "
+                    "insecure channels"
                 )
-                raise InterfaceError(err_msg)
             if self._ssl.get("verify_cert"):
                 raise InterfaceError(
                     "SSL is required but the server doesn't support it",
@@ -223,7 +222,7 @@ def _do_auth(
         reply back. Raises any error coming from MySQL.
         """
         self._ssl_active = False
-        if client_flags & ClientFlag.SSL:
+        if not self._ssl_disabled and (client_flags & ClientFlag.SSL):
             packet = self._protocol.make_auth_ssl(
                 charset=charset, client_flags=client_flags
             )
@@ -310,14 +309,14 @@ def _auth_switch_request(self, username=None, password=None):
                 auth_data,
                 username=username or self._user,
                 password=password,
-                ssl_enabled=self._ssl_active,
+                ssl_enabled=self.is_secure,
             )
             packet = self._auth_continue(auth, new_auth_plugin, auth_data)
 
         if packet[4] == 1:
             auth_data = self._protocol.parse_auth_more_data(packet)
             auth = get_auth_plugin(new_auth_plugin)(
-                auth_data, password=password, ssl_enabled=self._ssl_active
+                auth_data, password=password, ssl_enabled=self.is_secure
             )
             if new_auth_plugin == "caching_sha2_password":
                 response = auth.auth_response()
@@ -352,14 +351,14 @@ def _handle_mfa(self, packet):
             None,
             username=self._user,
             password=password,
-            ssl_enabled=self._ssl_active,
+            ssl_enabled=self.is_secure,
         )
         packet = self._auth_continue(auth, auth_plugin, packet)
 
         if packet[4] == 1:
             auth_data = self._protocol.parse_auth_more_data(packet)
             auth = get_auth_plugin(auth_plugin)(
-                auth_data, password=password, ssl_enabled=self._ssl_active
+                auth_data, password=password, ssl_enabled=self.is_secure
             )
             if auth_plugin == "caching_sha2_password":
                 response = auth.auth_response()
@@ -504,7 +503,7 @@ def _get_connection(self):
         Returns subclass of MySQLBaseSocket.
         """
         conn = None
-        if self.unix_socket and os.name != "nt":
+        if self._unix_socket and os.name == "posix":
             conn = MySQLUnixSocket(unix_socket=self.unix_socket)
         else:
             conn = MySQLTCPSocket(
diff --git a/lib/mysql/connector/network.py b/lib/mysql/connector/network.py
@@ -32,6 +32,7 @@
 import os
 import socket
 import struct
+import warnings
 import zlib
 
 from collections import deque
@@ -504,6 +505,13 @@ def open_connection(self):
         except Exception as err:
             raise InterfaceError(str(err)) from err
 
+    def switch_to_ssl(self, *args, **kwargs):  # pylint: disable=unused-argument
+        """Switch the socket to use SSL."""
+        warnings.warn(
+            "SSL is disabled when using unix socket connections",
+            Warning,
+        )
+
 
 class MySQLTCPSocket(BaseMySQLSocket):
     """MySQL socket class using TCP/IP
diff --git a/lib/mysql/connector/plugins/__init__.py b/lib/mysql/connector/plugins/__init__.py
@@ -28,16 +28,10 @@
 
 """Base Authentication Plugin class."""
 
-import logging
-
 from abc import ABC
 
 from .. import errors
 
-logging.getLogger(__name__).addHandler(logging.NullHandler())
-
-_LOGGER = logging.getLogger(__name__)
-
 
 class BaseAuthPlugin(ABC):
     """Base class for authentication plugins
diff --git a/lib/mysql/connector/plugins/caching_sha2_password.py b/lib/mysql/connector/plugins/caching_sha2_password.py
@@ -77,7 +77,6 @@ def _scramble(self):
         hash2 = hash2.digest()
         xored = [h1 ^ h2 for (h1, h2) in zip(hash1, hash2)]
         hash3 = struct.pack("32B", *xored)
-
         return hash3
 
     def _full_authentication(self):
diff --git a/tests/test_bugs.py b/tests/test_bugs.py
@@ -5073,6 +5073,8 @@ def try_connect(self, tls_version, expected_ssl_version):
         config = tests.get_mysql_config().copy()
         config["tls_versions"] = tls_version
         config["ssl_ca"] = ""
+        if "unix_socket" in config:
+            del config["unix_socket"]
         cnx = connection.MySQLConnection(**config)
         query = "SHOW STATUS LIKE 'ssl_version%'"
         cur = cnx.cursor()
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -74,7 +74,7 @@
 )
 from mysql.connector.conversion import MySQLConverter, MySQLConverterBase
 from mysql.connector.errors import InterfaceError, NotSupportedError, ProgrammingError
-from mysql.connector.network import TLS_V1_3_SUPPORTED
+from mysql.connector.network import TLS_V1_3_SUPPORTED, MySQLTCPSocket, MySQLUnixSocket
 from mysql.connector.optionfiles import read_option_files
 from mysql.connector.pooling import HAVE_DNSPYTHON
 from mysql.connector.utils import linux_distribution
@@ -163,6 +163,8 @@ def test_DEFAULT_CONFIGURATION(self):
 class MySQLConnectionTests(tests.MySQLConnectorTests):
     def setUp(self):
         config = tests.get_mysql_config()
+        if "unix_socket" in config:
+            del config["unix_socket"]
         self.cnx = connection.MySQLConnection(**config)
 
     def tearDown(self):
@@ -1240,7 +1242,7 @@ class TestConverterWrong:
     )
     def test__get_connection(self):
         """Get connection based on configuration"""
-        if os.name != "nt":
+        if os.name == "posix" and self.cnx.unix_socket:
             res = self.cnx._get_connection()
             self.assertTrue(isinstance(res, network.MySQLUnixSocket))
 
@@ -1292,6 +1294,53 @@ def test_connect(self):
         config["host"] = tests.fake_hostname()
         self.assertRaises(errors.InterfaceError, cnx.connect, **config)
 
+    @unittest.skipUnless(os.name == "posix", "Platform does not support unix sockets")
+    @unittest.skipUnless(tests.SSL_AVAILABLE, "Python has no SSL support")
+    def test_connect_with_unix_socket(self):
+        """Test connect with unix_socket and SSL connection options."""
+        config = tests.get_mysql_config()
+        if tests.MYSQL_EXTERNAL_SERVER:
+            if config.get("unix_socket") is None:
+                self.skipTest(
+                    "The 'unix_socket' is not present in the external server "
+                    "connection arguments"
+                )
+                return
+        else:
+            config.update(
+                {
+                    "ssl_ca": os.path.abspath(
+                        os.path.join(tests.SSL_DIR, "tests_CA_cert.pem")
+                    ),
+                    "ssl_cert": os.path.abspath(
+                        os.path.join(tests.SSL_DIR, "tests_client_cert.pem")
+                    ),
+                    "ssl_key": os.path.abspath(
+                        os.path.join(tests.SSL_DIR, "tests_client_key.pem")
+                    ),
+                }
+            )
+            config["unix_socket"] = tests.MYSQL_SERVERS[0].unix_socket
+
+        cnx_classes = [MySQLConnection]
+        if CMySQLConnection:
+            cnx_classes.append(CMySQLConnection)
+
+        # SSL should be disabled when using unix socket
+        for cls in cnx_classes:
+            with cls(**config) as cnx:
+                self.assertTrue(cnx._ssl_disabled)
+                if isinstance(cnx, MySQLConnection):
+                    self.assertIsInstance(cnx._socket, MySQLUnixSocket)
+        del config["unix_socket"]
+
+        # SSL should be enabled when unix socket is not being used
+        for cls in cnx_classes:
+            with cls(**config) as cnx:
+                self.assertFalse(cnx._ssl_disabled)
+                if isinstance(cnx, MySQLConnection):
+                    self.assertIsInstance(cnx._socket, MySQLTCPSocket)
+
     def test_reconnect(self):
         """Reconnecting to the MySQL Server"""
         supported_arguments = {
diff --git a/tests/test_network.py b/tests/test_network.py
@@ -321,31 +321,6 @@ def test_open_connection(self):
             except errors.Error as err:
                 self.fail(str(err))
 
-    @unittest.skipIf(
-        tests.MYSQL_EXTERNAL_SERVER,
-        "Test not available for external MySQL servers",
-    )
-    @unittest.skipIf(
-        not tests.SSL_AVAILABLE,
-        "Could not test switch to SSL. Make sure Python supports SSL.",
-    )
-    def test_switch_to_ssl(self):
-        """Switch the socket to use SSL"""
-        args = {
-            "ca": os.path.join(tests.SSL_DIR, "tests_CA_cert.pem"),
-            "cert": os.path.join(tests.SSL_DIR, "tests_client_cert.pem"),
-            "key": os.path.join(tests.SSL_DIR, "tests_client_key.pem"),
-            "cipher_suites": "AES256-SHA",
-        }
-        self.assertRaises(errors.InterfaceError, self.cnx.switch_to_ssl, **args)
-
-        # Handshake failure
-        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-        sock.settimeout(4)
-        sock.connect(self._unix_socket)
-        self.cnx.sock = sock
-        self.assertRaises(errors.InterfaceError, self.cnx.switch_to_ssl, **args)
-
 
 class MySQLTCPSocketTests(tests.MySQLConnectorTests):
 
diff --git a/unittests.py b/unittests.py
@@ -373,7 +373,8 @@
     ("", "--unix-socket"): {
         "dest": "unix_socket_folder",
         "metavar": "NAME",
-        "help": "Folder where UNIX Sockets will be created",
+        "help": "Folder where UNIX Sockets will be created or the unix socket "
+        "to be used with an external server.",
     },
     ("", "--ipv6"): {
         "dest": "ipv6",
@@ -953,12 +954,11 @@ def main():
         mysql_server.client_config = {
             "host": options.host,
             "port": options.port,
-            "unix_socket": mysql_server.unix_socket,
             "user": options.user,
             "password": options.password,
             "database": "myconnpy",
             "connection_timeout": 60,
-            "unix_socket": None,
+            "unix_socket": options.unix_socket_folder,
         }
 
         mysql_server.xplugin_config = {
@@ -967,7 +967,7 @@ def main():
             "user": options.user,
             "password": options.password,
             "schema": "myconnpy",
-            "socket": None,
+            "socket": options.unix_socket_folder,
         }
 
         tests.MYSQL_SERVERS.append(mysql_server)
