WL#16127: Remove the FIDO authentication mechanism

oscpache · oscpache · commit fdf9b38f561e · 2024-03-08T09:57:48.000-06:00
This work log removes support for
`authentication_fido`.

Change-Id: Ieda896dc02955acfaa71bb47f3babb930c6a8ef2
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -14,6 +14,7 @@ v8.4.0
 - WL#16203: GPL License Exception Update
 - WL#16173: Update allowed cipher and cipher-suite lists
 - WL#16164: Implement support for new vector data type
+- WL#16127: Remove the FIDO authentication mechanism
 - WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension
 
 v8.3.0
diff --git a/mysql-connector-python/cpydist/__init__.py b/mysql-connector-python/cpydist/__init__.py
@@ -310,7 +310,6 @@ def _copy_vendor_libraries(self):
                 ("LDAP", f"authentication_ldap_sasl_client.{plugin_ext}"),
                 ("Kerberos", f"authentication_kerberos_client.{plugin_ext}"),
                 ("OCI IAM", f"authentication_oci_client.{plugin_ext}"),
-                ("FIDO", f"authentication_fido_client.{plugin_ext}"),
                 ("WebAuthn", f"authentication_webauthn_client.{plugin_ext}"),
             ]
 
diff --git a/mysql-connector-python/lib/mysql/connector/abstracts.py b/mysql-connector-python/lib/mysql/connector/abstracts.py
@@ -34,7 +34,6 @@
 
 import os
 import re
-import warnings
 import weakref
 
 from abc import ABC, abstractmethod
@@ -203,7 +202,6 @@ def __init__(self) -> None:
         self._force_ipv6: bool = False
         self._oci_config_file: Optional[str] = None
         self._oci_config_profile: Optional[str] = None
-        self._fido_callback: Optional[Union[str, Callable[[str], None]]] = None
         self._webauthn_callback: Optional[Union[str, Callable[[str], None]]] = None
         self._krb_service_principal: Optional[str] = None
 
@@ -826,15 +824,6 @@ def config(self, **kwargs: Any) -> None:
                     KRB_SERVICE_PINCIPAL_ERROR.format(error="is incorrectly formatted")
                 )
 
-        if self._fido_callback:
-            warn_msg = (
-                "The `fido_callback` connection argument is deprecated and it will be "
-                "removed in a future release of MySQL Connector/Python. "
-                "Use `webauth_callback` instead"
-            )
-            warnings.warn(warn_msg, DeprecationWarning)
-            self._validate_callable("fido_callback", self._fido_callback, 1)
-
         if self._webauthn_callback:
             self._validate_callable("webauth_callback", self._webauthn_callback, 1)
 
diff --git a/mysql-connector-python/lib/mysql/connector/aio/abstracts.py b/mysql-connector-python/lib/mysql/connector/aio/abstracts.py
@@ -38,7 +38,6 @@
 import asyncio
 import os
 import re
-import warnings
 import weakref
 
 from abc import ABC, abstractmethod
@@ -182,7 +181,6 @@ def __init__(
         raw: bool = False,
         kerberos_auth_mode: Optional[str] = None,
         krb_service_principal: Optional[str] = None,
-        fido_callback: Optional[Union[str, Callable[[str], None]]] = None,
         webauthn_callback: Optional[Union[str, Callable[[str], None]]] = None,
         allow_local_infile: bool = DEFAULT_CONFIGURATION["allow_local_infile"],
         allow_local_infile_in_path: Optional[str] = DEFAULT_CONFIGURATION[
@@ -262,7 +260,6 @@ def __init__(
         self._in_transaction: bool = False
         self._oci_config_file: Optional[str] = None
         self._oci_config_profile: Optional[str] = None
-        self._fido_callback: Optional[Union[str, Callable[[str], None]]] = fido_callback
         self._webauthn_callback: Optional[
             Union[str, Callable[[str], None]]
         ] = webauthn_callback
@@ -418,15 +415,6 @@ def _validate_connection_options(self) -> None:
                     KRB_SERVICE_PINCIPAL_ERROR.format(error="is incorrectly formatted")
                 )
 
-        if self._fido_callback:
-            warn_msg = (
-                "The `fido_callback` connection argument is deprecated and it will be "
-                "removed in a future release of MySQL Connector/Python. "
-                "Use `webauth_callback` instead"
-            )
-            warnings.warn(warn_msg, DeprecationWarning)
-            self._validate_callable("fido_callback", self._fido_callback, 1)
-
         if self._webauthn_callback:
             self._validate_callable("webauth_callback", self._webauthn_callback, 1)
 
diff --git a/mysql-connector-python/lib/mysql/connector/aio/connection.py b/mysql-connector-python/lib/mysql/connector/aio/connection.py
@@ -341,7 +341,6 @@ async def _do_auth(self) -> None:
             oci_config_file=self._oci_config_file,
             oci_config_profile=self._oci_config_profile,
             webauthn_callback=self._webauthn_callback,
-            fido_callback=self._fido_callback,
         )
         self._handle_ok(ok_pkt)
 
diff --git a/mysql-connector-python/lib/mysql/connector/connection.py b/mysql-connector-python/lib/mysql/connector/connection.py
@@ -313,7 +313,6 @@ def _do_auth(
             oci_config_file=self._oci_config_file,
             oci_config_profile=self._oci_config_profile,
             webauthn_callback=self._webauthn_callback,
-            fido_callback=self._fido_callback,
         )
         self._handle_ok(ok_pkt)
 
@@ -1087,7 +1086,6 @@ def cmd_change_user(
             oci_config_file=self._oci_config_file,
             oci_config_profile=self._oci_config_profile,
             webauthn_callback=self._webauthn_callback,
-            fido_callback=self._fido_callback,
         )
 
         if not (self._client_flags & ClientFlag.CONNECT_WITH_DB) and database:
diff --git a/mysql-connector-python/lib/mysql/connector/connection_cext.py b/mysql-connector-python/lib/mysql/connector/connection_cext.py
@@ -259,7 +259,7 @@ def _open_connection(self) -> None:
         # pylint: enable=c-extension-no-member
         if not self.isset_client_flag(ClientFlag.CONNECT_ARGS):
             self._conn_attrs = {}
-        fido_callback = self._webauthn_callback or self._fido_callback
+
         cnx_kwargs = {
             "host": self._host,
             "user": self._user,
@@ -278,10 +278,10 @@ def _open_connection(self) -> None:
             "load_data_local_dir": self._allow_local_infile_in_path,
             "oci_config_file": self._oci_config_file,
             "oci_config_profile": self._oci_config_profile,
-            "fido_callback": (
-                import_object(fido_callback)
-                if isinstance(fido_callback, str)
-                else fido_callback
+            "webauthn_callback": (
+                import_object(self._webauthn_callback)
+                if isinstance(self._webauthn_callback, str)
+                else self._webauthn_callback
             ),
         }
 
diff --git a/mysql-connector-python/lib/mysql/connector/constants.py b/mysql-connector-python/lib/mysql/connector/constants.py
@@ -95,7 +95,6 @@
     "krb_service_principal": None,
     "oci_config_file": None,
     "oci_config_profile": None,
-    "fido_callback": None,
     "webauthn_callback": None,
     "kerberos_auth_mode": None,
     "init_command": None,
diff --git a/mysql-connector-python/src/mysql_capi.c b/mysql-connector-python/src/mysql_capi.c
@@ -78,16 +78,17 @@ MySQL_connected(MySQL *self);
 #define MYSQL_TYPE_VECTOR 242
 #endif
 
-// Python FIDO messages callback
-static PyObject *fido_callback = NULL;
+
+// Python webauthn messages callback
+static PyObject *webauthn_callback = NULL;
 
 void
-fido_messages_callback(const char *msg)
+webauthn_messages_callback(const char *msg)
 {
-    if (fido_callback && fido_callback != Py_None) {
+    if (webauthn_callback && webauthn_callback != Py_None) {
         PyGILState_STATE state = PyGILState_Ensure();
         PyObject *args = Py_BuildValue("(z)", msg);
-        PyObject *result = PyObject_Call(fido_callback, args, NULL);
+        PyObject *result = PyObject_Call(webauthn_callback, args, NULL);
         Py_DECREF(args);
         if (result) {
             Py_DECREF(result);
@@ -1159,7 +1160,7 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
                              "load_data_local_dir",
                              "oci_config_file",
                              "oci_config_profile",
-                             "fido_callback",
+                             "webauthn_callback",
                              "use_kerberos_gssapi",
                              NULL};
 
@@ -1170,7 +1171,7 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
             &tls_cipher_suites, &PyBool_Type, &ssl_verify_cert, &PyBool_Type,
             &ssl_verify_identity, &PyBool_Type, &ssl_disabled, &PyBool_Type, &compress,
             &PyDict_Type, &conn_attrs, &local_infile, &load_data_local_dir, &oci_config_file,
-            &oci_config_profile, &fido_callback, &use_kerberos_gssapi)) {
+            &oci_config_profile, &webauthn_callback, &use_kerberos_gssapi)) {
         return NULL;
     }
 
@@ -1403,19 +1404,19 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
     }
 #endif
 
-    if (fido_callback && fido_callback != Py_None) {
-        /* verify if the `fido_callback` is a proper callable */
-        if (!PyCallable_Check(fido_callback)) {
-            PyErr_SetString(PyExc_TypeError, "Expected a callable for 'fido_callback'");
+    if (webauthn_callback && webauthn_callback != Py_None) {
+        /* verify if the `webauthn_callback` is a proper callable */
+        if (!PyCallable_Check(webauthn_callback)) {
+            PyErr_SetString(PyExc_TypeError, "Expected a callable for 'webauthn_callback'");
             return NULL;
         }
 
 #if MYSQL_VERSION_ID >= 80200
         /* load WebAuthn client authentication plugin if required */
-        struct st_mysql_client_plugin *fido_plugin = mysql_client_find_plugin(
+        struct st_mysql_client_plugin *webauthn_plugin = mysql_client_find_plugin(
             &self->session, "authentication_webauthn_client",
             MYSQL_CLIENT_AUTHENTICATION_PLUGIN);
-        if (!fido_plugin) {
+        if (!webauthn_plugin) {
             raise_with_string(
                 PyUnicode_FromString(
                     "The WebAuthn authentication plugin could not be loaded"),
@@ -1424,23 +1425,9 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
         }
 
         /* register callback */
-        mysql_plugin_options(fido_plugin,
+        mysql_plugin_options(webauthn_plugin,
                              "plugin_authentication_webauthn_client_messages_callback",
-                             (const void *)(&fido_messages_callback));
-#else
-        /* load FIDO client authentication plugin if required */
-        struct st_mysql_client_plugin *fido_plugin = mysql_client_find_plugin(
-            &self->session, "authentication_fido_client", MYSQL_CLIENT_AUTHENTICATION_PLUGIN);
-        if (!fido_plugin) {
-            raise_with_string(
-                PyUnicode_FromString("The FIDO authentication plugin could not be loaded"),
-                NULL);
-            return NULL;
-        }
-
-        /* register callback */
-        mysql_plugin_options(fido_plugin, "fido_messages_callback",
-                             (const void *)(&fido_messages_callback));
+                             (const void *)(&webauthn_messages_callback));
 #endif
     }
 
diff --git a/mysql-connector-python/tests/test_aio_authentication.py b/mysql-connector-python/tests/test_aio_authentication.py
@@ -1373,37 +1373,6 @@ async def test_user_3f(self):
         # self._test_change_user(self.cnx.__class__, permutations, self.user_2f)
 
 
-@unittest.skipIf(
-    tests.MYSQL_VERSION < (8, 0, 29), "Authentication with FIDO not supported"
-)
-@unittest.skipUnless(HAVE_CMYSQL, "C Extension not available")
-class MySQLFIDOAuthPluginTests(tests.MySQLConnectorTests):
-    """Test authentication.MySQLFIDOAuthPlugin.
-
-    Implemented by WL#14860: Support FIDO authentication (c-ext)
-    """
-
-    @foreach_cnx_aio(CMySQLConnection)
-    async def test_invalid_fido_callback(self):
-        """Test invalid 'fido_callback' option."""
-
-        def my_callback():
-            ...
-
-        test_cases = (
-            "abc",  # No callable named 'abc'
-            "abc.abc",  # module 'abc' has no attribute 'abc'
-            my_callback,  # 1 positional argument required
-        )
-        config = tests.get_mysql_config()
-        config["auth_plugin"] = "authentication_fido_client"
-        for case in test_cases:
-            config["fido_callback"] = case
-            with self.assertRaises(ProgrammingError):
-                cnx = self.cnx.__class__(**config)
-                await cnx.connect()
-
-
 @unittest.skipIf(
     tests.MYSQL_VERSION < (8, 2, 0), "Authentication with WebAuthn not supported"
 )
diff --git a/mysql-connector-python/tests/test_authentication.py b/mysql-connector-python/tests/test_authentication.py
@@ -1334,35 +1334,6 @@ def test_user_3f(self):
         # self._test_change_user(self.cnx.__class__, permutations, self.user_2f)
 
 
-@unittest.skipIf(
-    tests.MYSQL_VERSION < (8, 0, 29), "Authentication with FIDO not supported"
-)
-@unittest.skipUnless(HAVE_CMYSQL, "C Extension not available")
-class MySQLFIDOAuthPluginTests(tests.MySQLConnectorTests):
-    """Test authentication.MySQLFIDOAuthPlugin.
-
-    Implemented by WL#14860: Support FIDO authentication (c-ext)
-    """
-
-    @tests.foreach_cnx(CMySQLConnection)
-    def test_invalid_fido_callback(self):
-        """Test invalid 'fido_callback' option."""
-
-        def my_callback():
-            ...
-
-        test_cases = (
-            "abc",  # No callable named 'abc'
-            "abc.abc",  # module 'abc' has no attribute 'abc'
-            my_callback,  # 1 positional argument required
-        )
-        config = tests.get_mysql_config()
-        config["auth_plugin"] = "authentication_fido_client"
-        for case in test_cases:
-            config["fido_callback"] = case
-            self.assertRaises(ProgrammingError, self.cnx.__class__, **config)
-
-
 @unittest.skipIf(
     tests.MYSQL_VERSION < (8, 2, 0), "Authentication with WebAuthn not supported"
 )

Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,6 @@ def _copy_vendor_libraries(self):`
`310`	`310`	`("LDAP", f"authentication_ldap_sasl_client.{plugin_ext}"),`
`311`	`311`	`("Kerberos", f"authentication_kerberos_client.{plugin_ext}"),`
`312`	`312`	`("OCI IAM", f"authentication_oci_client.{plugin_ext}"),`
`313`		`- ("FIDO", f"authentication_fido_client.{plugin_ext}"),`
`314`	`313`	`("WebAuthn", f"authentication_webauthn_client.{plugin_ext}"),`
`315`	`314`	`]`
`316`	`315`
Original file line number	Diff line number	Diff line change
`@@ -341,7 +341,6 @@ async def _do_auth(self) -> None:`
`341`	`341`	`oci_config_file=self._oci_config_file,`
`342`	`342`	`oci_config_profile=self._oci_config_profile,`
`343`	`343`	`webauthn_callback=self._webauthn_callback,`
`344`		`- fido_callback=self._fido_callback,`
`345`	`344`	`)`
`346`	`345`	`self._handle_ok(ok_pkt)`
`347`	`346`
Original file line number	Diff line number	Diff line change
`@@ -313,7 +313,6 @@ def _do_auth(`
`313`	`313`	`oci_config_file=self._oci_config_file,`
`314`	`314`	`oci_config_profile=self._oci_config_profile,`
`315`	`315`	`webauthn_callback=self._webauthn_callback,`
`316`		`- fido_callback=self._fido_callback,`
`317`	`316`	`)`
`318`	`317`	`self._handle_ok(ok_pkt)`
`319`	`318`
`@@ -1087,7 +1086,6 @@ def cmd_change_user(`
`1087`	`1086`	`oci_config_file=self._oci_config_file,`
`1088`	`1087`	`oci_config_profile=self._oci_config_profile,`
`1089`	`1088`	`webauthn_callback=self._webauthn_callback,`
`1090`		`- fido_callback=self._fido_callback,`
`1091`	`1089`	`)`
`1092`	`1090`
`1093`	`1091`	`if not (self._client_flags & ClientFlag.CONNECT_WITH_DB) and database:`