BUG27371245: Connection fails on unsupported default's auth_plugin

isrgomez · isrgomez · commit 70a8da73b75e · 2018-05-02T13:21:37.000-05:00
The connection to a server configured with an unsupported
authorization plugin fails in all cases, even if the user does not
require such plugin to authenticate himself. This is because the
connector raises an error if the server's default auth_plugin is
not recognized or unsupported.

This patch changes this behavior to fall back to a default
auth_plugin supported by the connector in the case the server's
default auth_plugin is not recognized by the connector.

Note: the "mysql_native_password" has been set the default
auth_plugin for the connector. But in case the user requires a
different one, the server will send an AuthSwitchRequest to use a
different plugin.
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -233,20 +233,17 @@ def _open_connection(self):
         """
         self._protocol = MySQLProtocol()
         self._socket = self._get_connection()
-        try:
-            self._socket.open_connection()
-            self._do_handshake()
-            self._do_auth(self._user, self._password,
-                          self._database, self._client_flags, self._charset_id,
-                          self._ssl)
-            self.set_converter_class(self._converter_class)
-            if self._client_flags & ClientFlag.COMPRESS:
-                self._socket.recv = self._socket.recv_compressed
-                self._socket.send = self._socket.send_compressed
-        except:
-            # close socket
-            self.close()
-            raise
+        self._socket.open_connection()
+        self._do_handshake()
+
+        self._do_auth(self._user, self._password,
+                      self._database, self._client_flags, self._charset_id,
+                      self._ssl)
+
+        self.set_converter_class(self._converter_class)
+        if self._client_flags & ClientFlag.COMPRESS:
+            self._socket.recv = self._socket.recv_compressed
+            self._socket.send = self._socket.send_compressed
 
     def shutdown(self):
         """Shut down connection to MySQL Server.
diff --git a/lib/mysql/connector/protocol.py b/lib/mysql/connector/protocol.py
@@ -96,10 +96,23 @@ def make_auth(self, handshake, username=None, password=None, database=None,
                              client_flags, max_allowed_packet, charset,
                              username_bytes)
 
-        packet += self._auth_response(client_flags, username, password,
-                                      database,
-                                      auth_plugin,
-                                      auth_data, ssl_enabled)
+        try:
+            packet += self._auth_response(client_flags, username, password,
+                                          database,
+                                          auth_plugin,
+                                          auth_data, ssl_enabled)
+        except errors.NotSupportedError:
+            # IF the default server authentication plugin is unsupported,
+            # fall back to default auth_plugin if default server auth plugin.
+            # In case our default auth_plugin is the one required to identify
+            # the user, the server will ask for the authentification data using
+            # this plugin, otherwise server will request the plugin used by the
+            # user and a AuthSwitchRequest will occur.
+            auth_plugin = "mysql_native_password"
+            packet += self._auth_response(client_flags, username, password,
+                                          database,
+                                          auth_plugin,
+                                          auth_data, ssl_enabled)
 
         packet += self._connect_with_db(client_flags, database)
 
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -882,6 +882,108 @@ def test_caching_sha2_password(self):
         # Check the first auth packet
         self.assertEqual(packets[1][4:], auth_pkt)
 
+    @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
+    def test_auth_plugin_is_not_supported_but_required(self):
+        """Test behavior when server's default auth_plugin is required"""
+        self.cnx._socket.sock = tests.DummySocket()
+        flags = constants.ClientFlag.get_default()
+        flags |= constants.ClientFlag.SSL
+        kwargs = {
+            'username': 'ham',
+            'password': 'spam',
+            'database': 'test',
+            'charset': 33,
+            'client_flags': flags,
+            'ssl_options': {
+                'ca': os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem'),
+                'cert': os.path.join(tests.SSL_DIR, 'tests_client_cert.pem'),
+                'key': os.path.join(tests.SSL_DIR, 'tests_client_key.pem'),
+            },
+        }
+
+        self.cnx._handshake['auth_plugin'] = 'unsupported_auth_plugin'
+        self.cnx._handshake['auth_data'] = b'abcdef!012345'
+        self.cnx._socket.switch_to_ssl = \
+            lambda ca, cert, key, verify_cert, cipher: None
+
+        # Test perform_full_authentication
+        # Exchange:
+        # Client              Server
+        # ------              ------
+        # make_ssl_auth
+        # first_auth
+        #                     Sorry user requires the unsupported_auth_plugin
+        # second_auth
+        #                     OK
+        self.cnx._socket.sock.reset()
+        self.cnx._socket.sock.add_packets([
+            bytearray(b'\x2c\x00\x00\x03\xfe\x75\x6e\x73\x75\x70\x70\x6f\x72'
+                      b'\x74\x65\x64\x5f\x61\x75\x74\x68\x5f\x70\x6c\x75\x67'
+                      b'\x69\x6e\x00\x60\x1e\x10\x78\x01\x3c\x1e\x33\x38\x6f'
+                      b'\x08\x5f\x0d\x7a\x6f\x01\x7b\x7a\x4a\x0d\x00')
+        ])
+        # Since the fictional authoritation plugin 'unsupported_auth_plugin' is
+        # not supported a NotSupportedError is raised
+        self.assertRaises(errors.NotSupportedError, self.cnx._do_auth, **kwargs)
+
+    @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
+    @unittest.skipIf(tests.MYSQL_VERSION < (8, 0, 3),
+                     "caching_sha2_password plugin not supported by server.")
+    def test_auth_plugin_fall_back_if_not_supported(self):
+        """Test Fall back to dflt auth_plugin if server's plugin is unknown"""
+        self.cnx._socket.sock = tests.DummySocket()
+        flags = constants.ClientFlag.get_default()
+        flags |= constants.ClientFlag.SSL
+        kwargs = {
+            'username': 'ham',
+            'password': 'spam',
+            'database': 'test',
+            'charset': 33,
+            'client_flags': flags,
+            'ssl_options': {
+                'ca': os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem'),
+                'cert': os.path.join(tests.SSL_DIR, 'tests_client_cert.pem'),
+                'key': os.path.join(tests.SSL_DIR, 'tests_client_key.pem'),
+            },
+        }
+
+        self.cnx._handshake['auth_plugin'] = 'unsupported_auth_plugin'
+        self.cnx._handshake['auth_data'] = b'abcdef!012345'
+        self.cnx._socket.switch_to_ssl = \
+            lambda ca, cert, key, verify_cert, cipher: None
+
+        # Test perform_full_authentication
+        # Exchange:
+        # Client              Server
+        # ------              ------
+        # make_ssl_auth
+        # first_auth
+        #                     auth_switch to mysql_native_password
+        # second_auth
+        #                     OK
+        self.cnx._socket.sock.reset()
+        self.cnx._socket.sock.add_packets([
+            bytearray(b'\x8d\xaa\x0b\x00\x00\x00'), # full_auth request
+            bytearray(b'\x00@!\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+                      b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'),
+            bytearray(b'\x07\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00') # OK
+        ])
+
+        # No exception should be raided
+        self.cnx._do_auth(**kwargs)
+
+        packets = self.cnx._socket.sock._client_sends
+
+        self.cnx._handshake['auth_plugin'] = 'mysql_native_password'
+        auth_pkt = self.cnx._protocol.make_auth(
+            self.cnx._handshake, kwargs['username'],
+            kwargs['password'], kwargs['database'],
+            charset=kwargs['charset'],
+            client_flags=kwargs['client_flags'],
+            ssl_enabled=True)
+        # Check the first_auth packet
+        self.assertEqual(packets[1][4:], auth_pkt)
+
     @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
     def test__do_auth_ssl(self):
         """Authenticate with the MySQL server using SSL"""
