WL10771: Add SHA256 authentication

This patch adds 2 new authentication modes: Plain and External.
The External authentication mechanism, at the time of writing, is not recognized
by the server and will not work.

The user can specify the authentication mode with the newly added option `auth`
which can take the following values:
1. plain or Auth.PLAIN
2. external or Auth.EXTERNAL
3. mysql41 or Auth.MYSQL41

`Auth` is a new enum added to `mysqlx.constants` module.

If the user does not specify the authentication mechanism, Plain authentication
is used if the connection mode is secure, or else Mysql41 is used.

Tests have been added for regression.

Author: amitab

lib/mysqlx/__init__.py

@@ -30,7 +30,7 @@
                      PasswordHandler)
 from .compat import STRING_TYPES, urlparse, unquote, parse_qsl
 from .connection import Session
-from .constants import SSLMode
+from .constants import SSLMode, Auth
 from .crud import Schema, Collection, Table, View
 from .dbdoc import DbDoc
 from .errors import (Error, Warning, InterfaceError, DatabaseError,
@@ -51,7 +51,7 @@
 _PRIORITY = re.compile(r'^\(address=(.+),priority=(\d+)\)$', re.VERBOSE)
 ssl_opts = ["ssl-cert", "ssl-ca", "ssl-key", "ssl-crl"]
 sess_opts = ssl_opts + ["user", "password", "schema", "host", "port",
-                        "routers", "socket", "ssl-mode"]
+                        "routers", "socket", "ssl-mode", "auth"]
 
 def _parse_address_list(path):
     """Parses a list of host, port pairs
@@ -174,6 +174,13 @@ def _validate_settings(settings):
         not in [SSLMode.VERIFY_IDENTITY, SSLMode.VERIFY_CA]:
         raise InterfaceError("Must verify Server if CA is provided.")
 
+    if "auth" in settings:
+        try:
+            settings["auth"] = settings["auth"].lower()
+            Auth.index(settings["auth"])
+        except (AttributeError, ValueError):
+            raise InterfaceError("Invalid Auth '{0}'".format(settings["auth"]))
+
 
 def _validate_hosts(settings):
     if "priority" in settings and settings["priority"]:

lib/mysqlx/authentication.py

@@ -63,3 +63,30 @@ def build_authentication_response(self, data):
                                              hexlify(auth_response))
         else:
             return "{0}\0{1}\0".format("", self._username)
+
+
+class PlainAuthPlugin(object):
+    def __init__(self, username, password):
+        self._username = username
+        self._password = password.encode("utf-8") \
+            if isinstance(password, UNICODE_TYPES) else password
+
+    def name(self):
+        return "Plain Authentication Plugin"
+
+    def auth_name(self):
+        return "PLAIN"
+
+    def auth_data(self):
+        return "\0{0}\0{1}".format(self._username, self._password)
+
+
+class ExternalAuthPlugin(object):
+    def name(self):
+        return "External Authentication Plugin"
+
+    def auth_name(self):
+        return "EXTERNAL"
+
+    def initial_response(self):
+        return ""

lib/mysqlx/connection.py

@@ -35,11 +35,12 @@
 
 from functools import wraps
 
-from .authentication import MySQL41AuthPlugin
+from .authentication import (MySQL41AuthPlugin, PlainAuthPlugin,
+                             ExternalAuthPlugin)
 from .errors import InterfaceError, OperationalError, ProgrammingError
 from .compat import PY3, STRING_TYPES, UNICODE_TYPES
 from .crud import Schema
-from .constants import SSLMode
+from .constants import SSLMode, Auth
 from .helpers import get_item_or_attr
 from .protocol import Protocol, MessageReaderWriter
 from .result import Result, RowResult, DocResult
@@ -54,16 +55,20 @@ class SocketStream(object):
     def __init__(self):
         self._socket = None
         self._is_ssl = False
+        self._is_socket = False
         self._host = None
 
     def connect(self, params):
-        if isinstance(params, tuple):
+        try:
+            self._socket = socket.create_connection(params)
             self._host = params[0]
-            s_type = socket.AF_INET6 if ":" in params[0] else socket.AF_INET
-        else:
-            s_type = socket.AF_UNIX
-        self._socket = socket.socket(s_type, socket.SOCK_STREAM)
-        self._socket.connect(params)
+        except ValueError:
+            try:
+                self._socket = socket.socket(socket.AF_UNIX)
+                self._is_socket = True
+                self._socket.connect(params)
+            except AttributeError:
+                raise InterfaceError("Unix socket unsupported.")
 
     def read(self, count):
         if self._socket is None:
@@ -131,6 +136,17 @@ def set_ssl(self, ssl_mode, ssl_ca, ssl_crl, ssl_cert, ssl_key):
                                      "".format(err))
         self._is_ssl = True
 
+    @property
+    def is_ssl(self):
+        return self._is_ssl
+
+    @property
+    def is_socket(self):
+        return self._is_socket
+
+    def is_secure(self):
+        return self._is_ssl or self.is_socket
+
 
 def catch_network_exception(func):
     @wraps(func)
@@ -237,7 +253,7 @@ def connect(self):
     def _handle_capabilities(self):
         if self.settings.get("ssl-mode") == SSLMode.DISABLED:
             return
-        if "socket" in self.settings:
+        if self.stream.is_socket:
             if self.settings.get("ssl-mode"):
                 _LOGGER.warning("SSL not required when using Unix socket.")
             return
@@ -261,13 +277,34 @@ def _handle_capabilities(self):
                             self.settings.get("ssl-key"))
 
     def _authenticate(self):
+        auth = self.settings.get("auth")
+        if (not auth and self.stream.is_secure()) or auth == Auth.PLAIN:
+            self._authenticate_plain()
+        elif auth == Auth.EXTERNAL:
+            self._authenticate_external()
+        else:
+            self._authenticate_mysql41()
+
+    def _authenticate_mysql41(self):
         plugin = MySQL41AuthPlugin(self._user, self._password)
         self.protocol.send_auth_start(plugin.auth_name())
         extra_data = self.protocol.read_auth_continue()
         self.protocol.send_auth_continue(
             plugin.build_authentication_response(extra_data))
         self.protocol.read_auth_ok()
 
+    def _authenticate_plain(self):
+        plugin = PlainAuthPlugin(self._user, self._password)
+        self.protocol.send_auth_start(plugin.auth_name(),
+            auth_data=plugin.auth_data())
+        self.protocol.read_auth_ok()
+
+    def _authenticate_external(self):
+        plugin = ExternalAuthPlugin()
+        self.protocol.send_auth_start(plugin.auth_name(),
+            initial_response=plugin.initial_response())
+        self.protocol.read_auth_ok()
+
     @catch_network_exception
     def send_sql(self, sql, *args):
         if not isinstance(sql, STRING_TYPES):

lib/mysqlx/constants.py

@@ -49,6 +49,7 @@ def create_enum(name, fields, values=None):
 SSLMode = create_enum("SSLMode",
     ("REQUIRED", "DISABLED", "VERIFY_CA", "VERIFY_IDENTITY"),
     ("required", "disabled", "verify_ca", "verify_identity"))
-
+Auth = create_enum("Auth", ("PLAIN", "EXTERNAL", "MYSQL41"),
+                           ("plain", "external", "mysql41"))
 
 __all__ = ["Algorithms", "Securities", "CheckOptions"]

lib/mysqlx/protocol.py

@@ -97,9 +97,13 @@ def set_capabilities(self, **kwargs):
             msg)
         return self.read_ok()
 
-    def send_auth_start(self, method):
+    def send_auth_start(self, method, auth_data=None, initial_response=None):
         msg = Message("Mysqlx.Session.AuthenticateStart")
         msg["mech_name"] = method
+        if auth_data is not None:
+            msg["auth_data"] = auth_data
+        if initial_response is not None:
+            msg["initial_response"] = initial_response
         self._writer.write_message(mysqlxpb_enum(
             "Mysqlx.ClientMessages.Type.SESS_AUTHENTICATE_START"), msg)
 

tests/test_mysqlx_connection.py

@@ -179,7 +179,7 @@ def test___init__(self):
             "username": "root",
             "password": ""
         }
-        self.assertRaises(TypeError, mysqlx.Session, bad_config)
+        self.assertRaises(InterfaceError, mysqlx.Session, bad_config)
 
         host = self.connect_kwargs["host"]
         port = self.connect_kwargs["port"]
@@ -276,6 +276,42 @@ def test___init__(self):
             if os.path.exists(sys_file):
                 os.remove(sys_file)
 
+        # SocketSteam.is_socket
+        session = mysqlx.get_session(user=user, password=password,
+                                     host=host, port=port)
+        self.assertFalse(session._connection.stream.is_socket)
+
+    def test_auth(self):
+        sess = mysqlx.get_session(self.connect_kwargs)
+        sess.sql("CREATE USER 'native'@'%' IDENTIFIED WITH "
+                 "mysql_native_password BY 'test'").execute()
+        sess.sql("CREATE USER 'sha256'@'%' IDENTIFIED WITH "
+                 "sha256_password BY 'sha256'").execute()
+
+        config = {'host': self.connect_kwargs['host'],
+                  'port': self.connect_kwargs['port']}
+
+        config['user'] = 'native'
+        config['password'] = 'test'
+        config['auth'] = 'plain'
+        mysqlx.get_session(config)
+
+        config['auth'] = 'mysql41'
+        mysqlx.get_session(config)
+
+        config['user'] = 'sha256'
+        config['password'] = 'sha256'
+        if tests.MYSQL_VERSION >= (8, 0, 1):
+            config['auth'] = 'plain'
+            mysqlx.get_session(config)
+
+        config['auth'] = 'mysql41'
+        self.assertRaises(InterfaceError, mysqlx.get_session, config)
+
+        sess.sql("DROP USER 'native'@'%'").execute()
+        sess.sql("DROP USER 'sha256'@'%'").execute()
+        sess.close()
+
     @unittest.skipIf(tests.MYSQL_VERSION < (5, 7, 15), "--mysqlx-socket option tests not available for this MySQL version")
     def test_mysqlx_socket(self):
         # Connect with unix socket