WL#16435 - JDBC: OpenID authentication support

Change-Id: I55a3a65fc006372d465d9d5753e13556c68e6dc1

Author: Bogdan Degtyariov

jdbc/cppconn/connection.h

@@ -138,6 +138,7 @@
 #define OPT_AUTHENTICATION_KERBEROS_CLIENT_MODE \
   "OPT_AUTHENTICATION_KERBEROS_CLIENT_MODE"
 #define OPT_OCI_CLIENT_CONFIG_PROFILE "OPT_OCI_CLIENT_CONFIG_PROFILE"
+#define OPT_OPENID_TOKEN_FILE "OPT_OPENID_TOKEN_FILE"
 
 /*
   Telemetry options

jdbc/driver/mysql_connection.cpp

@@ -97,6 +97,7 @@
 
 
 bool oci_plugin_is_loaded = false;
+bool openid_plugin_is_loaded = false;
 
 
 #ifdef DEFAULT_PLUGIN_DIR
@@ -1313,7 +1314,25 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
             OPT_AUTHENTICATION_KERBEROS_CLIENT_MODE);
       }
 #endif  // defined(_WIN32)
+    } else if (!it->first.compare(OPT_OPENID_TOKEN_FILE)) {
+      try {
+        p_s= (it->second).get<sql::SQLString>();
+      } catch (sql::InvalidArgumentException&) {
+        throw sql::InvalidArgumentException("Wrong type passed for OPT_OPENID_TOKEN_FILE. Expected sql::SQLString.");
+      }
 
+      try {
+        proxy->plugin_option(MYSQL_CLIENT_AUTHENTICATION_PLUGIN,
+                                "authentication_openid_connect_client",
+                                "id-token-file",
+                                *p_s);
+        openid_plugin_is_loaded = true;
+      }  catch (sql::InvalidArgumentException &e) {
+        throw ::sql::SQLUnsupportedOptionException(
+          "Failed to set token file for authentication_openid_connect_client plugin",
+          OPT_OPENID_TOKEN_FILE
+        );
+      }
     } else if (!it->first.compare(OPT_PLUGIN_DIR)) {
       // Nothing to do here: this option was handeld before the loop
 
@@ -1368,6 +1387,21 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
 
   }
 
+  if (openid_plugin_is_loaded) {
+    if (properties.find(OPT_OPENID_TOKEN_FILE) == properties.end()) {
+      // If OpenID plugin is loaded, but OPT_OPENID_TOKEN_FILE is not explicitly set
+      // the option value needs resetting.
+      try {
+        proxy->plugin_option(MYSQL_CLIENT_AUTHENTICATION_PLUGIN,
+                             "authentication_openid_connect_client",
+                             "id-token-file",
+                             nullptr);
+      } catch (sql::InvalidArgumentException &) {
+        // Do nothing, the exception is expected.
+      }
+    }
+  }
+
 #undef PROCESS_CONNSTR_OPTION
 
   for(auto h : uri)

jdbc/test/unit/classes/CMakeLists.txt

@@ -205,3 +205,26 @@ IF(WIN32)
 ENDIF(WIN32)
 
 add_unit_test(variant)
+
+# Install tokens for OpenID authentication
+foreach (token
+  openid_token_correct.txt
+  openid_token_empty.txt
+  openid_token_expired.txt
+  openid_token_invalid.txt
+  openid_token_issuer2.txt
+  openid_token_key2.txt
+  openid_token_user2.txt
+)
+  # Copy tokens to build dir
+  file(COPY tokens/${token} DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+  # Install tokens
+  install(
+    FILES ${token}
+    DESTINATION tests/jdbc
+    COMPONENT JDBCTests
+    EXCLUDE_FROM_ALL
+  )
+
+endforeach()

jdbc/test/unit/classes/connection.cpp

@@ -43,6 +43,7 @@
 #include <list>
 #include <memory>
 #include <thread>
+#include <filesystem>
 
 #ifdef _WIN32
 #pragma warning (disable : 4996)
@@ -4310,5 +4311,131 @@ void connection::macro_version()
 #endif
 }
 
+void connection::openid_token()
+{
+  try {
+    stmt->execute("UNINSTALL PLUGIN authentication_openid_connect");
+  }  catch (...) {}
+
+  bool plugin_installed = false;
+
+  // Try every known shared lib extension. If any of them succeeds
+  // we can go with the test.
+  for (sql::SQLString extension : { ".so", ".dylib", ".sl", ".dll", "" }) {
+    try {
+      stmt->execute("INSTALL PLUGIN authentication_openid_connect "
+        "SONAME 'authentication_openid_connect" + extension + "'");
+
+      // Plugin is installed if the execution reached these lines.
+      // So, the loop can be exited.
+      plugin_installed = true;
+      break;
+    }  catch (...) { }
+  }
+
+  if (!plugin_installed)
+      SKIP("Server doesn't support auth test plugin authentication_openid_connect");
+
+  std::cout << "Plugin installed\n";
+
+  #define L1Q "\""
+  #define L2Q "\\\""
+  #define L3Q "\\\\\\\""
+
+  stmt->execute("SET GLOBAL authentication_openid_connect_configuration = "
+    L1Q "JSON://{"
+      L2Q "myissuer" L2Q ":" L2Q "{"
+        L3Q "kid"  L3Q ":" L3Q "b50071d7-e2f0-4e5e-9ae8-c71ac21d16bd" L3Q ","
+        L3Q "kty"  L3Q ":" L3Q "RSA" L3Q ","
+        L3Q "alg"  L3Q ":" L3Q "RS256" L3Q ","
+        L3Q "use"  L3Q ":" L3Q "sig" L3Q ","
+        L3Q "e"    L3Q ":" L3Q "AQAB" L3Q ","
+        L3Q "name" L3Q ":" L3Q "https://myissuer.com" L3Q ","
+        L3Q "n"    L3Q ":" L3Q "09bia-SkqQHWNDZzYoHQtOLUDESzzsjU0rqnyen9o9LG"
+          "DNLGFCFiz0XDOTQhu5ZL7XcHB_IEY9kFdewIC7Kcm8pDJOp7hkXMOeopNP3SlH_lg"
+          "nVSjf6OSWdtAdeL4oW_8zryGoCCy2IksNY53lOF_zDg3DH1qSvCl1VXK50MIwe0BW"
+          "jT71VX_tkK_iXPzMxEPXol8hKU5djWfxGRjaKDqsffDt_UJudOHIH_O81oMpT82UQ"
+          "SOzmZBCwcf6jemLAWKDDo6mBxwXAHp8is_mvbisuU9QgKKjsG6FXmIQaj-jXR4IHg"
+          "lhV-aN_jqi8Y9ab0EANpDqAqbwdBQeL9BTp9fsW32gOTY_a7_gLOwZpCIBkalrGW9"
+          "E6zA0pBiypSuA0Ag5lB8dddRE486zsxxFYIBpDhMzK_CQ9Kq-3B44yJOheBdRRHYo"
+          "EXWfuXTKIbzDoctVw_TBBD3Qh3cV5FSs9lTUAU_eFhbYdoTR9FyTXHMDCo8Axxc66"
+          "IU6EdyUk6xLV9PtyCVWGoM_mFBvEwf7-btJYo73Xqw74T3eVZeTdLAHPHTojMybc5"
+          "OYt_UhpwDlI2lDGUAEEWsn5_XBhJeXc_GEGdEOowieWdwcRYgNFERkvH6-XSbZ0ii"
+          "Zxyi_Ri4DrYK1pm-WDxrFB-RuG1evcLG7rmacIDo1LPApMtpnHkYxc" L3Q
+      "}" L2Q
+    "}" L1Q ";"
+  );
+
+  std::cout << "Server configured\n";
+
+  stmt->execute("DROP USER IF EXISTS 'MySQLUser'@'%'");
+
+  stmt->execute("CREATE USER 'MySQLUser'@'%' IDENTIFIED WITH "
+    "'authentication_openid_connect' AS "
+    "'{\"identity_provider\" : \"myissuer\", \"user\" : \"mysubj\"}'");
+
+  std::cout << "User created\n";
+
+  sql::SQLString cur_path = std::filesystem::current_path().string() +
+    std::string(1, std::filesystem::path::preferred_separator);
+
+  // If token parameter is not specified it will be given via map
+  // as a non-path (non-string parameter)
+  auto connect_func = [&cur_path, this](sql::SQLString *token, bool is_ok,
+    sql::ConnectOptionsMap map = {})
+  {
+    sql::ConnectOptionsMap opts = map;
+    opts[OPT_USERNAME] = "MySQLUser";
+    opts["hostName"] = url;
+    
+    if (getenv("PLUGIN_DIR"))
+      opts[OPT_PLUGIN_DIR] = getenv("PLUGIN_DIR");
+
+
+    if (token)
+    {
+      if (token->length()) {
+        opts[OPT_OPENID_TOKEN_FILE] = cur_path + *token;
+        std::cout << "Using token " << *token << std::endl;
+      } else {
+        std::cout << "Token not given" << std::endl;
+      }
+    } else {
+      std::cout << "Using token which is not a path" << std::endl;
+    }
+
+    try{
+      Connection con(driver->connect(opts));
+      if (!is_ok)
+        FAIL("Connection was expected to fail");
+    } catch(sql::SQLException &e) {
+      if (is_ok)
+        throw e;
+    }
+  };
+
+  sql::SQLString correct_token = "openid_token_correct.txt";
+
+  // OK with correct token
+  connect_func(&correct_token, true);
+
+  // FAIL with correct token, but disabled SSL
+  connect_func(&correct_token, false,
+    {{OPT_SSL_MODE , sql::SSL_MODE_DISABLED}});
+
+  // FAIL with token not being a path
+  connect_func(nullptr, false,
+    {{OPT_OPENID_TOKEN_FILE, 100}});
+
+  // FAIL with all token values
+  for (sql::SQLString t : { "", "non_existing", "openid_token_empty.txt",
+                  "openid_token_invalid.txt", "openid_token_user2.txt",
+                  "openid_token_key2.txt", "openid_token_issuer2.txt",
+                  "openid_token_expired.txt"}) {
+    connect_func(&t, false);
+  }
+
+}
+
 } /* namespace connection */
 } /* namespace testsuite */

jdbc/test/unit/classes/connection.h

@@ -62,6 +62,7 @@ class connection : public unit_fixture
 *   TODO: enable it when DNS+SRV works in docker
     TEST_CASE(checkDnsSrv);
     */
+    TEST_CASE(openid_token);
     TEST_CASE(getClientInfo);
     TEST_CASE(getClientOption);
     TEST_CASE(getSessionVariable);
@@ -103,7 +104,6 @@ class connection : public unit_fixture
   TEST_CASE(webauthn_test);
   TEST_CASE(normalize_ssl_options);
   TEST_CASE(macro_version);
-
   }
 
   /**
@@ -330,6 +330,12 @@ class connection : public unit_fixture
    *
    */
   void macro_version();
+
+  /*
+   * Test OPT_OPENID_TOKEN_FILE option.
+   *
+   */
+  void openid_token();
 };
 
 REGISTER_FIXTURE(connection);

jdbc/test/unit/classes/tokens/openid_token_correct.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteXN1YmoiLCJpc3MiOiJodHRwczovL215aXNzdWVyLmNvbSIsImV4cCI6MjE0MTE5OTA0OH0.giP_mwjDhr-FvcNBJzzQsSqEUOJLm3nJRWOSFRQiywZaRutap8y4vJC9DJWiM4hNngE3jtMd3SkR1ScYqTkZ6TuyOfBZE76lt5e6U-0mVHwPHjyTVaUPZ6izJMv_itITVh3BQYEPYvW42t8o0xZcMPTtE7bEr3ozFiVJSq8kQu34wThGYnT-Ro2ZRKwtowHXwcOA7rj09BeuR21Yk0YZXM5eYkL6eAGAUhWkdv4ary5tGTovWMJ3x5wmEG9RwzGd5F_DcecZFlTGKWE0UINa0p7sHE0HSfZKvW_vB7C5sEgSEQ1bOxu9Gm0UuLWOTjplTScSclJjMqUEkGQoSkYJFD3We-6JmrpvambzYY5OyGVZ71aPErb2Qv2VKUMKr0X-dmYF-kfbR4cS7Ba1PvqL4NsxidotqKivxdr0KtqOBpxTIF0cBWPewarvXbTj7ImH4i6mrKUBBRM6dYYr9x2pCdJRJ3OAwRoOmg1bFY5EJl5Ren43dVdIvfVEnLqmtrLc1MiGdrSz1jKM4ZHEhSP_PKgNcx3c2Q8fqS7KnmXZiLNPwTQ57ogEFmWR_5KTJnN3Xw6ecyhHIOmVzpjF6pYb3QTMvJHVfGkiUdaaYA6ZpU5FmAOEWmhfuqlLNYj7ZabPHyoIR0KfhB_PVB05ITIBWdTVckjh2S5qOMGl4C0UkV4

jdbc/test/unit/classes/tokens/openid_token_empty.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteXN1YmoiLCJpc3MiOiJodHRwczovL215aXNzdWVyLmNvbSIsImV4cCI6MTcyMTE5OTEzMH0.QabeeIDGvIoWPzHO8lXi6vzeR0Appq0RVQXNHQBDjMvTfcwyaPjr7cA1JTO36aNZkAO0fdHxKRkG76gteudSKhkg-jGq5C5rkyLjQ-Uau3ZQPt2cgYTYVR13eIMkXGwDrK-Pq6n7P_GtdWs5pgT3cVSJu5QjKby5DFt1MSVTGqr35ZijGcDuBU_E9MV7ypligU8tp9-dzbqtJy8W_0F_LBQstEIZsWTDedEpuoYVPopyReB229t-OGxrWe16q1oOXxKGWDe248-ztXSDnM_89dp_j26w0WXA-lE4uIbx6xVR0EpP9orSjz4ue0m2vvBdyqdGygUJHkoHcM60JPVkl6k2nuZWfJlxTB6ynzqgQfGOaFsOh3VPQ7ONT9H0vr0zAD7psTdK834Oz3aL6fnfbyVH4k8Kk6GQUbOsxcpRxptFCk6D2KmSPnN0U9PX6PKFSyJMLSq_pwA8BuE7lLZUaffwxUPvve0X_0FwMCLo3bJMJewPVoJHe0cEK9PaUWjixj4F0LDD8BpW_et7WO-fozZT0IgDI6J6UdEVNFwiKFrKGMDZ48Gbanve761zfEFEG6ZpPYpgTXC2WYk59_joo1MJlddyh5SUlJd2L-z9YBgv5p2bGB2H7MDCxV14aJBTnxeGbwNfsRYmwxQA6WtFtj58b4EBUK_S9t0Rf2z366w

jdbc/test/unit/classes/tokens/openid_token_expired.txt

@@ -0,0 +1 @@
+hjkGHTJRHNGBFAHJ$^&EHRTGBSDHGMJ#$^%WHGBSNDHGFBVFHGJEHNSFBGHMG

jdbc/test/unit/classes/tokens/openid_token_invalid.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteXN1YmoiLCJpc3MiOiJodHRwczovL215aXNzdWVyMi5jb20iLCJleHAiOjIxNDExOTkyODl9.X6xCRzw_FDC4NJ6PEb11JJdsyb7bpkqsXBvOUkjvLfKzDtuFpZ5gGETUz_65pOraXsZAlwD_r645_AczL0MJgA880JtHmWqzzEORT-rNIwlHdZ2BZH4A6BCj-xslWwDKgzkETKe2AEQ5X8aHFO0fF1QwwyPxUUGR0TFaGyOrzL7e02Q0bsu8zvpusx1-WcJSxBRfLDUJN3M-eJo-daU2YZSelj8OxSLZ6FpedJPPrBBWLHwj_jxITp5OkJLsvdivPyuVMdu2acN5gB97P9a3A0Wr0G-uyPNyUj7N2ru0C0bC_B4wUqbPLdrT9U3bFPVA3OCFnt3PzlubU5JYVQUHIXQpZinIpkQQs5zia-e82YghW7Q6GLtWkWTbxOQ3Zgc2jYM_qbTuN8iL4sgmagFgZNV1Zd7rCew2cbTRaL1McdI8H4swkh5i5gfV55bj_t7X9Ow93LmMdayMnm-fQMs8qrp7PXMS2D1YImkg01443wxqAnpdqXHNLxXE_EyfnxbSNTG7y15_-B3CPfbX8srBJQVO9OdrwfLEmP4N6uon2EuNt29kyJtbA7QrEUVT7fNjcdl4FL-Arcc5N9uViPC6W4WerrgkUgHIsgOjfGICr4OY0P9pIX62n7GUrse2HmHpTFcMIwOuqs3nEW_c6JEtfUuDpXwKCMI_Xu7I1k4oAQg

jdbc/test/unit/classes/tokens/openid_token_issuer2.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteXN1YmoiLCJpc3MiOiJodHRwczovL215aXNzdWVyLmNvbSIsImV4cCI6MjE0MTE5OTQxOH0.IZtN1cTBTN2gWf7OjUwNwWe0C1E2zgcTh-3E27CIG2NXofk1KgoqhVEs2lqmcHfl8vnYLKOBpxNWuS6sXgsO-HaGVksbDv-N-XeuM4_EJXq5Dx4QxQkDMS2d99yR7o-xTlKf8IS5iRvw6Lgh5U35fOIQeeRWfWwPIz2EQ2Bpwr8IPttkUPy0-n6uFLIhsO8nhZopXGZdWW5WIL96qsPDgnw-P-ogdPAwOMPXwxIkMsngNkE_1dApwnkfwW4e-woox_OpIglt8vTHZGYjJZtFJEJFL0KFlmzRwjZ4gnxyluaiG9dn4F2FoiuPcLwJcEQn0U7m31Cj-dYSIGdPlBxQt229usXXO1Cw7Ls6sEz4sIpyPqZu_UIU-SHwHDIp5duJJakvzy97WicF8hd3iaVbepXKo3B41SWC8zqXfE8J1OZUnwS9JIi1Sfa9T8307q94DM6j76QJ3IhJYwFVmCI9gYoRuxlvmYyS7Y_4lBHRX1_bCaVZPKJyW7IK1GNOTR7SXbGh9ZXotL24ATtCQXploAxjK7JZzqLnI1_aIZbCTK90m9Ty90AW2SU-LkEYhqTToxSCUxC5uBWJvM6gFscfp_bx0fH8uBmXg5hejoMsZjQtPHs2LfaYpTwHOW2uG_zfik2D95Nc5J_Y6hZiCaZW6H1Mps6oyv9nZgK3TIY7_N4

jdbc/test/unit/classes/tokens/openid_token_key2.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteXN1YmoyIiwiaXNzIjoiaHR0cHM6Ly9teWlzc3Vlci5jb20iLCJleHAiOjIxNDExOTkzMzl9.PIeiYp0eS3dO2QBh2UAqq48zAxZ5C-snBQmXw1n4zvgc90ZnAfJnJWUeOQxkjU7uQoNA84QuMLH7UV0VXNefscx5YIimOygIh9vwC4stxqUu9sdd3uUiZ-TBABKINz5Li18rRpDpSxWaOYTQ3gkg71BCJ8W1ndUQPtBgP_Yq1d0Fe83ypMF0ukorunAXhqX494wufrxqHjmmf82NpkPoGr4PGm6VwRUHMD46_-sisuxkleYkKYa7KSACjx6YhZRzeWh3iC6j40aMiKETKqVTjPhYskV59PjYjoAykpVegj7HYTx-wBclA0NHyyOVceeSNQ6yMdZAHrJO3axZzD_fQPBNmoIkeem2FSYlV1qZ0t5nIhZqdnSWewkj_tB3AbVHkJyZLPHCfmc3Cye8TQX49tgOwV-slI4xbRGhOXC5dj1vPEmuYYaClzFdsna0wN0spVsCj2v1NS4hGfIC9v8mDBAfBV6k3XGtgwnCU9GtGLWrBWHm5INbbKAid7RNbMECj-nmuUQG9jm59ukVgW_OaX8C0wF8M0-itlW71o0kQASw1CEDK64j0QeFLCGbDiHm3wo5rS-DVVINyNvARpdfZ9u4HorV2eod8cs6b_RN-tYVcR_KdPNYHJjVoleHYO6yQlC0yshP7v55TowL5AwKL0iWafafHq082Ad7KQtwd4A