WL#15916 Support for WebauthN authentication in Shell

This patch introduces the following options to fully support
the webauthn authentication plugin:

--register-factor
--plugin-authentication-webauthn-client-preserve-privacy

Additionally deprecates the existing --fido-register-factor option
in favor of the new --register-factor option.

Change-Id: Ia0f447db87f605bdb8ee18ca98a265ff5e0d7b34

Author: rennox

mysqlshdk/include/shellcore/shell_options.h

@@ -108,7 +108,8 @@ class Shell_options final : public shcore::Options {
     std::string run_module;
 
     // Individual connection parameters
-    std::string fido_register_factor;
+    std::string register_factor;
+    std::optional<bool> webauthn_client_preserve_privacy;
     std::string oci_profile;
     std::string oci_config_file;
 

mysqlshdk/libs/db/CMakeLists.txt

@@ -48,6 +48,7 @@ set(db_SOURCE
     mysql/auth_plugins/fido.cc
     mysql/auth_plugins/oci.cc
     mysql/auth_plugins/kerberos.cc
+    mysql/auth_plugins/webauthn.cc
     mysqlx/xsession.cc
     mysqlx/xresult.cc
     mysqlx/xrow.cc

mysqlshdk/libs/db/mysql/auth_plugins/fido.cc

@@ -90,7 +90,7 @@ int plugin_messages_callback_get_uint(unsigned int *val) {
 }
 
 /**
- * Method to parse the parameter for --fido-register-factor, taken verbatim from
+ * Method to parse the parameter for --register-factor, taken verbatim from
  * the CLI code (unavailable in the client lib).
  */
 bool parse_register_factor(const char *what_factor,
@@ -159,7 +159,7 @@ void register_device(MYSQL *conn, const char *factor) {
   std::vector<unsigned int> list;
   if (!parse_register_factor(factor, &list)) {
     throw std::invalid_argument(
-        "Incorrect value specified for --fido-register-factor option. "
+        "Incorrect value specified for --register-factor option. "
         "Correct values can be '2', '3', '2,3' or '3,2'.");
   }
 

mysqlshdk/libs/db/mysql/auth_plugins/mysql_event_handler_plugin.cc

@@ -38,6 +38,7 @@
 #include "mysqlshdk/libs/db/mysql/auth_plugins/fido.h"
 #include "mysqlshdk/libs/db/mysql/auth_plugins/kerberos.h"
 #include "mysqlshdk/libs/db/mysql/auth_plugins/oci.h"
+#include "mysqlshdk/libs/db/mysql/auth_plugins/webauthn.h"
 #include "mysqlshdk/libs/utils/logger.h"
 
 namespace mysqlshdk {
@@ -124,10 +125,14 @@ int trace_event(struct st_mysql_client_plugin_TRACE * /*plugin_data*/,
     log_protocol_event("PLUGIN-EVENT: %s.%s.%s", args.plugin_name,
                        protocol_stage_str(stage), trace_event_str(ev));
 
-    if (0 == strcmp(args.plugin_name, "authentication_fido_client") ||
-        0 == strcmp(args.plugin_name, "authentication_webauthn_client")) {
+    if (0 == strcmp(args.plugin_name, "authentication_fido_client")) {
       // Instantiating the fido handler will set the print callback
       fido::register_callbacks(conn, args.plugin_name);
+    } else if (0 ==
+               strcmp(args.plugin_name, "authentication_webauthn_client")) {
+      // Instantiating the fido handler will set the print callback
+      fido::register_callbacks(conn, args.plugin_name);
+      webauthn::set_preserve_privacy(conn);
     } else if (0 == strcmp(args.plugin_name, "authentication_oci_client")) {
       // make sure that the configured OCI config file is used for
       // authentication

mysqlshdk/libs/db/mysql/auth_plugins/webauthn.cc

@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License, version 2.0,
+ * as published by the Free Software Foundation.
+ *
+ * This program is also distributed with certain software (including
+ * but not limited to OpenSSL) that is licensed under separate terms, as
+ * designated in a particular file or component or in included license
+ * documentation.  The authors of MySQL hereby grant you an additional
+ * permission to link the program and your derivative works with the
+ * separately licensed software that they have included with MySQL.
+ * This program is distributed in the hope that it will be useful,  but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License, version 2.0, for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "mysqlshdk/libs/db/mysql/auth_plugins/webauthn.h"
+
+#include <cassert>
+
+#include "mysqlshdk/libs/db/connection_options.h"
+#include "mysqlshdk/libs/db/mysql/auth_plugins/common.h"
+#include "mysqlshdk/libs/db/utils_connection.h"
+#include "mysqlshdk/libs/utils/logger.h"
+
+namespace mysqlshdk {
+namespace db {
+namespace mysql {
+namespace webauthn {
+
+void set_preserve_privacy(MYSQL *conn) {
+  auto conn_data = auth::get_connection_options_for_mysql(conn);
+  assert(conn_data != nullptr);
+
+  if (conn_data->has(mysqlshdk::db::kWebauthnClientPreservePrivacy)) {
+    auto &str_value =
+        conn_data->get(mysqlshdk::db::kWebauthnClientPreservePrivacy);
+    bool value = str_value.at(0) == '1';
+
+    const auto plugin =
+        auth::get_authentication_plugin(conn, "authentication_webauthn_client");
+
+    if (mysql_plugin_options(plugin,
+                             "authentication_webauthn_client_preserve_privacy",
+                             &value)) {
+      throw std::runtime_error(
+          "Failed to set the Preserve Privacy option on "
+          "authentication_webauthn_client plugin.");
+    } else {
+      log_debug3("Using authentication_webauthn_client_preserve_privacy =  %s",
+                 str_value.c_str());
+    }
+  }
+}
+
+}  // namespace webauthn
+}  // namespace mysql
+}  // namespace db
+}  // namespace mysqlshdk

mysqlshdk/libs/db/mysql/auth_plugins/webauthn.h

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License, version 2.0,
+ * as published by the Free Software Foundation.
+ *
+ * This program is also distributed with certain software (including
+ * but not limited to OpenSSL) that is licensed under separate terms, as
+ * designated in a particular file or component or in included license
+ * documentation.  The authors of MySQL hereby grant you an additional
+ * permission to link the program and your derivative works with the
+ * separately licensed software that they have included with MySQL.
+ * This program is distributed in the hope that it will be useful,  but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License, version 2.0, for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef MYSQLSHDK_LIBS_DB_MYSQL_AUTH_PLUGINS_WEBAUTHN_H_
+#define MYSQLSHDK_LIBS_DB_MYSQL_AUTH_PLUGINS_WEBAUTHN_H_
+
+#include <mysql.h>
+
+namespace mysqlshdk {
+namespace db {
+namespace mysql {
+namespace webauthn {
+
+void set_preserve_privacy(MYSQL *conn);
+
+}  // namespace webauthn
+}  // namespace mysql
+}  // namespace db
+}  // namespace mysqlshdk
+
+#endif  // MYSQLSHDK_LIBS_DB_MYSQL_AUTH_PLUGINS_WEBAUTHN_H_

mysqlshdk/libs/db/mysql/session.cc

@@ -424,11 +424,6 @@ void Session_impl::connect(
     throw_on_connection_fail();
   }
 
-  if (connection_options.has(mysqlshdk::db::kFidoRegisterFactor)) {
-    auto factor = connection_options.get(mysqlshdk::db::kFidoRegisterFactor);
-    fido::register_device(_mysql, factor.c_str());
-  }
-
   DBUG_LOG("sql", get_thread_id()
                       << ": CONNECTED: " << _connection_options.uri_endpoint());
   {

mysqlshdk/libs/db/mysql/session.h

@@ -216,6 +216,8 @@ class Session_impl : public std::enable_shared_from_this<Session_impl> {
 
   void setup_default_character_set();
 
+  MYSQL *get_handle() { return _mysql; }
+
   std::string _uri;
   MYSQL *_mysql = nullptr;
   std::shared_ptr<MYSQL_RES> _prev_result;
@@ -338,6 +340,8 @@ class SHCORE_PUBLIC Session : public ISession,
     return _impl->_mysql->net.fd;
   }
 
+  MYSQL *get_handle() { return _impl->get_handle(); }
+
   ~Session() override { close(); }
 
  protected:

mysqlshdk/libs/db/utils_connection.h

@@ -100,7 +100,8 @@ inline constexpr const char kLocalInfile[] = "local-infile";
 inline constexpr const char kNetBufferLength[] = "net-buffer-length";
 inline constexpr const char kMaxAllowedPacket[] = "max-allowed-packet";
 inline constexpr const char kMysqlPluginDir[] = "mysql-plugin-dir";
-inline constexpr const char kFidoRegisterFactor[] = "fido-register-factor";
+inline constexpr const char kWebauthnClientPreservePrivacy[] =
+    "plugin-authentication-webauthn-client-preserve-privacy";
 inline constexpr const char kConnectionAttributes[] = "connection-attributes";
 inline constexpr const char kUri[] = "uri";
 inline constexpr const char kSsh[] = "ssh";

mysqlshdk/shellcore/shell_options.cc

@@ -106,9 +106,10 @@ mysqlshdk::db::Connection_options Shell_options::Storage::connection_options()
     target_server.set_scheme("mysql");
   }
 
-  if (!fido_register_factor.empty()) {
-    target_server.set_unchecked(mysqlshdk::db::kFidoRegisterFactor,
-                                fido_register_factor.c_str());
+  if (webauthn_client_preserve_privacy.has_value()) {
+    target_server.set_unchecked(
+        mysqlshdk::db::kWebauthnClientPreservePrivacy,
+        (*webauthn_client_preserve_privacy) ? "1" : "0");
   }
 
   return target_server;
@@ -472,10 +473,25 @@ Shell_options::Shell_options(
       [this](const std::string&, const char* value) {
           storage.connection_data.set_schema(value);
         })
-    (&storage.fido_register_factor, "",
-        cmdline("--fido-register-factor=<name>"),
+    (cmdline("--fido-register-factor=<name>"),deprecated(m_on_warning, "--register-factor",
+      [this](const std::string& , const char* value){
+          storage.register_factor.assign(value);
+        }))
+    (&storage.register_factor, "",
+        cmdline("--register-factor=<name>"),
         "Specifies authentication factor, for which registration needs to be "
         "done.")
+    (cmdline("--plugin-authentication-webauthn-client-preserve-privacy[=<value>]"),
+        "Allows selection of discoverable credential to be used for signing "
+        "challenge. If not enabled, challenge is signed by all credentials for "
+        "given relying party.", [this](const std::string &, const char *value){
+          if (value == nullptr) {
+            storage.webauthn_client_preserve_privacy=true;
+          } else {
+            storage.webauthn_client_preserve_privacy = shcore::opts::convert<bool>(value,
+              shcore::opts::Source::Command_line);
+          }
+        })
     (cmdline("--recreate-schema"), "Drop and recreate the specified schema. "
         "Schema will be deleted if it exists!", deprecated(m_on_warning, nullptr, [this](const std::string&, const char* ) {
           storage.recreate_database = true;
@@ -1445,16 +1461,43 @@ void Shell_options::check_import_options() {
 }
 
 void Shell_options::check_connection_options() {
-  if (!storage.fido_register_factor.empty()) {
-    if (!storage.connection_data.has_data()) {
+  std::vector<std::string> connection_dependent_options;
+  if (!storage.register_factor.empty()) {
+    connection_dependent_options.push_back("--register-factor");
+  }
+  if (storage.webauthn_client_preserve_privacy.has_value()) {
+    connection_dependent_options.push_back(
+        "--plugin-authentication-webauthn-client-preserve-privacy");
+  }
+
+  if (!connection_dependent_options.empty() &&
+      !storage.connection_data.has_data()) {
+    if (connection_dependent_options.size() == 1) {
       m_on_warning(
-          "WARNING: --fido-register-factor was specified without "
-          "connection data, the option will be ignored.");
-    } else if (storage.connection_data.has_scheme() &&
-               storage.connection_data.get_scheme() == "mysqlx") {
+          shcore::str_format("WARNING: %s was specified without "
+                             "connection data, the option will be ignored.",
+                             connection_dependent_options.at(0).c_str()));
+    } else {
+      shcore::str_format(
+          "WARNING: The following options were specified without "
+          "connection data, they will be ignored: %s.",
+          shcore::str_join(connection_dependent_options, ", ").c_str());
+    }
+  }
+
+  if (!connection_dependent_options.empty() &&
+      storage.connection_data.has_scheme() &&
+      storage.connection_data.get_scheme() == "mysqlx") {
+    if (connection_dependent_options.size() == 1) {
       throw std::runtime_error(
-          "Option --fido-register-factor is only available for MySQL protocol "
-          "connections.");
+          shcore::str_format("Option %s is only available for MySQL protocol "
+                             "connections.",
+                             connection_dependent_options.at(0).c_str()));
+    } else {
+      throw std::runtime_error(shcore::str_format(
+          "The following options are only available for MySQL protocol "
+          "connections: %s",
+          shcore::str_join(connection_dependent_options, ", ").c_str()));
     }
   }
 

src/mysqlsh/main.cc

@@ -28,6 +28,7 @@
 #include "mysqlshdk/include/shellcore/base_session.h"
 #include "mysqlshdk/include/shellcore/interrupt_helper.h"
 #include "mysqlshdk/include/shellcore/shell_init.h"
+#include "mysqlshdk/libs/db/mysql/auth_plugins/fido.h"
 #include "mysqlshdk/libs/textui/textui.h"
 #include "mysqlshdk/libs/utils/debug.h"
 #include "mysqlshdk/libs/utils/document_parser.h"
@@ -848,8 +849,27 @@ int main(int argc, char **argv) {
                 "insecure.");
           }
 
+          std::function<void(std::shared_ptr<mysqlshdk::db::ISession>)>
+              extra_init;
+
+          if (!options.register_factor.empty()) {
+            extra_init =
+                [&options](std::shared_ptr<mysqlshdk::db::ISession> session) {
+                  auto mysql_session =
+                      std::dynamic_pointer_cast<mysqlshdk::db::mysql::Session>(
+                          session);
+
+                  if (mysql_session) {
+                    mysqlshdk::db::mysql::fido::register_device(
+                        mysql_session->get_handle(),
+                        options.register_factor.c_str());
+                  }
+                };
+          }
+
           // Connect to the requested instance
-          shell->connect(target, options.recreate_database);
+          shell->connect(target, options.recreate_database, true,
+                         std::move(extra_init));
 
           // If redirect is requested, then reconnect to the right instance
           handle_redirect(shell, options.redirect_session);

src/mysqlsh/mysql_shell.cc

@@ -992,7 +992,8 @@ void Mysql_shell::print_connection_message(
 
 std::shared_ptr<mysqlsh::ShellBaseSession> Mysql_shell::connect(
     const mysqlshdk::db::Connection_options &connection_options_,
-    bool recreate_schema, bool shell_global_session) {
+    bool recreate_schema, bool shell_global_session,
+    std::function<void(std::shared_ptr<mysqlshdk::db::ISession>)> extra_init) {
   FI_SUPPRESS(mysql);
   FI_SUPPRESS(mysqlx);
 
@@ -1033,6 +1034,10 @@ std::shared_ptr<mysqlsh::ShellBaseSession> Mysql_shell::connect(
 
     toggle_print();
     isession = establish_session(connection_options, options().wizards);
+
+    if (extra_init) {
+      extra_init(isession);
+    }
   }
 
   auto new_session = ShellBaseSession::wrap_session(isession);

src/mysqlsh/mysql_shell.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2022, Oracle and/or its affiliates.
+ * Copyright (c) 2017, 2023, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License, version 2.0,
@@ -51,7 +51,9 @@ class Mysql_shell : public mysqlsh::Base_shell {
 
   virtual std::shared_ptr<mysqlsh::ShellBaseSession> connect(
       const mysqlshdk::db::Connection_options &args,
-      bool recreate_schema = false, bool shell_global_session = true);
+      bool recreate_schema = false, bool shell_global_session = true,
+      std::function<void(std::shared_ptr<mysqlshdk::db::ISession>)> extra_init =
+          nullptr);
 
   bool redirect_session_if_needed(
       bool secondary, const Connection_options &opts = Connection_options());