WL#15348: Support MIT Kerberos library on Windows

nmariz · nmariz · commit 9384136bf81c · 2022-10-12T11:14:44.000+01:00
The support for Kerberos authentication on Windows was implemented by
WL#14664 in release 8.0.27 for the C extension and WL#14665 in release
8.0.29 for pure Python. That implementation was based on Windows SSPI.

This worklog implements the GSSAPI through MIT Kerberos libraries on
Windows, just like was implemented by WL#14440 in the release 8.0.26
on Linux.

Change-Id: I5cec8bc104aedcfa183996366323e980608f22f0
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -11,6 +11,7 @@ Full release notes:
 v8.0.32
 =======
 
+- WL#15348: Support MIT Kerberos library on Windows
 - WL#15036: Support for type hints
 
 v8.0.31
diff --git a/cpydist/__init__.py b/cpydist/__init__.py
@@ -345,7 +345,10 @@ def _copy_vendor_libraries(self):
                 src = os.path.join(src_folder, filename)
                 dst = os.path.join(os.getcwd(), self.vendor_folder, dst_folder)
                 self.log.info("copying %s -> %s", src, dst)
-                self.log.info("shutil res: %s", shutil.copy(src, dst))
+                try:
+                    self.log.info("shutil res: %s", shutil.copy(src, dst))
+                except shutil.SameFileError:
+                    pass
 
         if os.name == "nt":
             self.distribution.package_data = {"mysql": ["vendor/plugin/*"]}
diff --git a/lib/mysql/connector/abstracts.py b/lib/mysql/connector/abstracts.py
@@ -190,6 +190,7 @@ def __init__(self) -> None:
 
         self._ssl_active: bool = False
         self._auth_plugin: Optional[str] = None
+        self._auth_plugin_class: Optional[str] = None
         self._pool_config_version: Any = None
         self.converter: Optional[MySQLConverter] = None
         self._converter_class: Optional[Type[MySQLConverter]] = None
@@ -711,6 +712,24 @@ def config(self, **kwargs: Any) -> None:
 
         if self._client_flags & ClientFlag.CONNECT_ARGS:
             self._add_default_conn_attrs()
+
+        if "kerberos_auth_mode" in config and config["kerberos_auth_mode"] is not None:
+            if not isinstance(config["kerberos_auth_mode"], str):
+                raise InterfaceError("'kerberos_auth_mode' must be of type str")
+            kerberos_auth_mode = config["kerberos_auth_mode"].lower()
+            if kerberos_auth_mode == "sspi":
+                if os.name != "nt":
+                    raise InterfaceError(
+                        "'kerberos_auth_mode=SSPI' is only available on Windows"
+                    )
+                self._auth_plugin_class = "MySQLSSPIKerberosAuthPlugin"
+            elif kerberos_auth_mode == "gssapi":
+                self._auth_plugin_class = "MySQLKerberosAuthPlugin"
+            else:
+                raise InterfaceError(
+                    "Invalid 'kerberos_auth_mode' mode. Please use 'SSPI' or 'GSSAPI'"
+                )
+
         if (
             "krb_service_principal" in config
             and config["krb_service_principal"] is not None
diff --git a/lib/mysql/connector/authentication.py b/lib/mysql/connector/authentication.py
@@ -32,7 +32,7 @@
 import logging
 
 from functools import lru_cache
-from typing import Type
+from typing import Optional, Type
 
 from .errors import NotSupportedError, ProgrammingError
 from .plugins import BaseAuthPlugin
@@ -47,27 +47,33 @@
 @lru_cache(maxsize=10, typed=False)
 def get_auth_plugin(
     plugin_name: str,
+    auth_plugin_class: Optional[str] = None,
 ) -> Type[BaseAuthPlugin]:  # AUTH_PLUGIN_CLASS_TYPES:
     """Return authentication class based on plugin name
 
     This function returns the class for the authentication plugin plugin_name.
     The returned class is a subclass of BaseAuthPlugin.
 
-    Raises NotSupportedError when plugin_name is not supported.
+    Args:
+        plugin_name (str): Authentication plugin name.
+        auth_plugin_class (str): Authentication plugin class name.
 
-    Returns subclass of BaseAuthPlugin.
+    Raises:
+        NotSupportedError: When plugin_name is not supported.
+
+    Returns:
+        Subclass of `BaseAuthPlugin`.
     """
     package = DEFAULT_PLUGINS_PKG
     if plugin_name:
         try:
             _LOGGER.info("package: %s", package)
             _LOGGER.info("plugin_name: %s", plugin_name)
             plugin_module = importlib.import_module(f".{plugin_name}", package)
-            _LOGGER.info(
-                "AUTHENTICATION_PLUGIN_CLASS: %s",
-                plugin_module.AUTHENTICATION_PLUGIN_CLASS,
-            )
-            return getattr(plugin_module, plugin_module.AUTHENTICATION_PLUGIN_CLASS)
+            if not auth_plugin_class or not hasattr(plugin_module, auth_plugin_class):
+                auth_plugin_class = plugin_module.AUTHENTICATION_PLUGIN_CLASS
+            _LOGGER.info("AUTHENTICATION_PLUGIN_CLASS: %s", auth_plugin_class)
+            return getattr(plugin_module, auth_plugin_class)
         except ModuleNotFoundError as err:
             _LOGGER.warning("Requested Module was not found: %s", err)
         except ValueError as err:
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -309,6 +309,7 @@ def _do_auth(
             ssl_enabled=self._ssl_active,
             auth_plugin=self._auth_plugin,
             conn_attrs=conn_attrs,
+            auth_plugin_class=self._auth_plugin_class,
         )
         self._socket.send(packet)
         self._auth_switch_request(username, password)
@@ -344,7 +345,7 @@ def _auth_switch_request(
                 new_auth_plugin,
                 auth_data,
             ) = self._protocol.parse_auth_switch_request(packet)
-            auth = get_auth_plugin(new_auth_plugin)(
+            auth = get_auth_plugin(new_auth_plugin, self._auth_plugin_class)(
                 auth_data,
                 username=username or self._user,
                 password=password,
@@ -354,7 +355,7 @@ def _auth_switch_request(
 
         if packet[4] == 1:
             auth_data = self._protocol.parse_auth_more_data(packet)
-            auth = get_auth_plugin(new_auth_plugin)(
+            auth = get_auth_plugin(new_auth_plugin, self._auth_plugin_class)(
                 auth_data, password=password, ssl_enabled=self.is_secure
             )
             if new_auth_plugin == "caching_sha2_password":
@@ -386,7 +387,7 @@ def _handle_mfa(self, packet: bytes) -> Optional[OkPacketType]:
         _LOGGER.debug("# MFA N Factor #%d", self._mfa_nfactor)
 
         packet, auth_plugin = self._protocol.parse_auth_next_factor(packet[4:])
-        auth = get_auth_plugin(auth_plugin)(
+        auth = get_auth_plugin(auth_plugin, self._auth_plugin_class)(
             None,
             username=self._user,
             password=password,
@@ -396,7 +397,7 @@ def _handle_mfa(self, packet: bytes) -> Optional[OkPacketType]:
 
         if packet[4] == 1:
             auth_data = self._protocol.parse_auth_more_data(packet)
-            auth = get_auth_plugin(auth_plugin)(
+            auth = get_auth_plugin(auth_plugin, self._auth_plugin_class)(
                 auth_data, password=password, ssl_enabled=self.is_secure
             )
             if auth_plugin == "caching_sha2_password":
@@ -563,10 +564,9 @@ def _open_connection(self) -> None:
 
         Raises on errors.
         """
-        if self._auth_plugin == "authentication_kerberos_client" and os.name != "nt":
-            if not self._user:
-                cls = get_auth_plugin(self._auth_plugin)
-                self._user = cls.get_user_from_credentials()
+        if self._auth_plugin == "authentication_kerberos_client" and not self._user:
+            cls = get_auth_plugin(self._auth_plugin, self._auth_plugin_class)
+            self._user = cls.get_user_from_credentials()
 
         self._protocol = MySQLProtocol()
         self._socket = self._get_connection()
diff --git a/lib/mysql/connector/connection_cext.py b/lib/mysql/connector/connection_cext.py
@@ -280,6 +280,9 @@ def _open_connection(self) -> None:
                 }
             )
 
+        if os.name == "nt" and self._auth_plugin_class == "MySQLKerberosAuthPlugin":
+            cnx_kwargs["use_kerberos_gssapi"] = True
+
         try:
             self._cmysql.connect(**cnx_kwargs)
             self._cmysql.converter_str_fallback = self._converter_str_fallback
diff --git a/lib/mysql/connector/constants.py b/lib/mysql/connector/constants.py
@@ -91,6 +91,7 @@
     "krb_service_principal": None,
     "oci_config_file": None,
     "fido_callback": None,
+    "kerberos_auth_mode": None,
 }
 
 CNX_POOL_ARGS: Tuple[str, str, str] = ("pool_name", "pool_size", "pool_reset_session")
diff --git a/lib/mysql/connector/plugins/authentication_kerberos_client.py b/lib/mysql/connector/plugins/authentication_kerberos_client.py
@@ -35,6 +35,7 @@
 import os
 import struct
 
+from pathlib import Path
 from typing import Any, Optional, Tuple
 
 from .. import errors
@@ -63,7 +64,9 @@
 
 _LOGGER = logging.getLogger(__name__)
 
-AUTHENTICATION_PLUGIN_CLASS = "MySQLKerberosAuthPlugin"
+AUTHENTICATION_PLUGIN_CLASS = (
+    "MySQLSSPIKerberosAuthPlugin" if os.name == "nt" else "MySQLKerberosAuthPlugin"
+)
 
 
 # pylint: disable=c-extension-no-member,no-member
@@ -86,23 +89,59 @@ def get_user_from_credentials() -> str:
         except gssapi.raw.misc.GSSError:
             return getpass.getuser()
 
-    def _acquire_cred_with_password(self, upn: str) -> gssapi.raw.creds.Creds:
-        """Acquire credentials through provided password."""
-        _LOGGER.debug("Attempt to acquire credentials through provided password")
+    @staticmethod
+    def get_store() -> dict:
+        """Get a credentials store dictionary.
 
-        username = gssapi.raw.names.import_name(
-            upn.encode("utf-8"), name_type=gssapi.NameType.user
+        Returns:
+            dict: Credentials store dictionary with the krb5 ccache name.
+
+        Raises:
+            errors.InterfaceError: If 'KRB5CCNAME' environment variable is empty.
+        """
+        krb5ccname = os.environ.get(
+            "KRB5CCNAME",
+            f"/tmp/krb5cc_{os.getuid()}"
+            if os.name == "posix"
+            else Path("%TEMP%").joinpath("krb5cc"),
         )
+        if not krb5ccname:
+            raise errors.InterfaceError(
+                "The 'KRB5CCNAME' environment variable is set to empty"
+            )
+        _LOGGER.debug("Using krb5 ccache name: FILE:%s", krb5ccname)
+        store = {b"ccache": f"FILE:{krb5ccname}".encode("utf-8")}
+        return store
+
+    def _acquire_cred_with_password(self, upn: str) -> gssapi.raw.creds.Creds:
+        """Acquire and store credentials through provided password.
+
+        Args:
+            upn (str): User Principal Name.
+
+        Returns:
+            gssapi.raw.creds.Creds: GSSAPI credentials.
+        """
+        _LOGGER.debug("Attempt to acquire credentials through provided password")
+        user = gssapi.Name(upn, gssapi.NameType.user)
+        password = self._password.encode("utf-8")
 
         try:
             acquire_cred_result = gssapi.raw.acquire_cred_with_password(
-                username, self._password.encode("utf-8"), usage="initiate"
+                user, password, usage="initiate"
+            )
+            creds = acquire_cred_result.creds
+            gssapi.raw.store_cred_into(
+                self.get_store(),
+                creds=creds,
+                mech=gssapi.MechType.kerberos,
+                overwrite=True,
+                set_default=True,
             )
         except gssapi.raw.misc.GSSError as err:
             raise errors.ProgrammingError(
                 f"Unable to acquire credentials with the given password: {err}"
             )
-        creds = acquire_cred_result[0]
         return creds
 
     @staticmethod
@@ -152,7 +191,7 @@ def auth_response(self, auth_data: Optional[bytes] = None) -> Optional[bytes]:
         _LOGGER.debug("Username: %s", self._username)
 
         try:
-            # Attempt to retrieve credentials from default cache file
+            # Attempt to retrieve credentials from cache file
             creds: Any = gssapi.Credentials(usage="initiate")
             creds_upn = str(creds.name)
 
@@ -410,10 +449,3 @@ def auth_continue(
         _LOGGER.debug("Context completed?: %s", self.clientauth.authenticated)
 
         return resp, self.clientauth.authenticated
-
-
-# pylint: enable=c-extension-no-member,no-member
-
-
-if os.name == "nt":
-    MySQLKerberosAuthPlugin = MySQLSSPIKerberosAuthPlugin  # type: ignore[assignment]
diff --git a/lib/mysql/connector/protocol.py b/lib/mysql/connector/protocol.py
@@ -82,6 +82,7 @@ def _auth_response(
         username: Optional[StrOrBytes],
         password: Optional[str],
         database: Optional[str],
+        auth_plugin_class: str,
         auth_plugin: str,
         auth_data: Optional[bytes],
         ssl_enabled: bool,
@@ -91,7 +92,7 @@ def _auth_response(
             return b"\x00"
 
         try:
-            auth = get_auth_plugin(auth_plugin)(
+            auth = get_auth_plugin(auth_plugin, auth_plugin_class)(
                 auth_data,
                 username=username,
                 password=password,
@@ -124,6 +125,7 @@ def make_auth(
         ssl_enabled: bool = False,
         auth_plugin: Optional[str] = None,
         conn_attrs: Optional[ConnAttrsType] = None,
+        auth_plugin_class: Optional[str] = None,
     ) -> bytes:
         """Make a MySQL Authentication packet"""
         if handshake is None:
@@ -160,6 +162,7 @@ def make_auth(
             username,
             password,
             database,
+            auth_plugin_class,
             auth_plugin,
             auth_data,
             ssl_enabled,
@@ -231,6 +234,7 @@ def make_change_user(
         ssl_enabled: bool = False,
         auth_plugin: Optional[str] = None,
         conn_attrs: Optional[ConnAttrsType] = None,
+        auth_plugin_class: Optional[str] = None,
     ) -> bytes:
         """Make a MySQL packet with the Change User command"""
 
@@ -262,6 +266,7 @@ def make_change_user(
             username,
             password,
             database,
+            auth_plugin_class,
             auth_plugin,
             auth_data,
             ssl_enabled,
diff --git a/pyproject.toml b/pyproject.toml
@@ -43,7 +43,7 @@ skip_glob = [
     'lib/mysql/connector/locales/eng',
     'lib/mysqlx/locales/eng',
     'lib/mysqlx/protobuf',
-    'venv/*'
+    'venv/*',
 ]
 
 [tool.black]
diff --git a/src/mysql_capi.c b/src/mysql_capi.c
@@ -1098,7 +1098,7 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
          *tls_versions = NULL, *tls_cipher_suites = NULL;
     PyObject *charset_name = NULL, *compress = NULL, *ssl_verify_cert = NULL,
              *ssl_verify_identity = NULL, *ssl_disabled = NULL, *conn_attrs = NULL,
-             *key = NULL, *value = NULL;
+             *key = NULL, *value = NULL, *use_kerberos_gssapi = Py_False;
     const char *auth_plugin, *plugin_dir;
     unsigned long client_flags = 0;
     unsigned int port = 3306, tmp_uint;
@@ -1144,16 +1144,17 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
                              "load_data_local_dir",
                              "oci_config_file",
                              "fido_callback",
+                             "use_kerberos_gssapi",
                              NULL};
 
     if (!PyArg_ParseTupleAndKeywords(
-            args, kwds, "|zzzzzzzkzkzzzzzzO!O!O!O!O!izzO", kwlist, &host, &user, &password,
+            args, kwds, "|zzzzzzzkzkzzzzzzO!O!O!O!O!izzOO", kwlist, &host, &user, &password,
             &password1, &password2, &password3, &database, &port, &unix_socket, &client_flags,
             &ssl_ca, &ssl_cert, &ssl_key, &ssl_cipher_suites, &tls_versions,
             &tls_cipher_suites, &PyBool_Type, &ssl_verify_cert, &PyBool_Type,
             &ssl_verify_identity, &PyBool_Type, &ssl_disabled, &PyBool_Type, &compress,
             &PyDict_Type, &conn_attrs, &local_infile, &load_data_local_dir, &oci_config_file,
-            &fido_callback)) {
+            &fido_callback, &use_kerberos_gssapi)) {
         return NULL;
     }
 
@@ -1381,6 +1382,23 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
                              (const void *)(&fido_messages_callback));
     }
 
+#ifdef MS_WINDOWS
+    if (use_kerberos_gssapi == Py_True) {
+        struct st_mysql_client_plugin *kerberos_plugin = \
+            mysql_client_find_plugin(&self->session,
+                "authentication_kerberos_client", MYSQL_CLIENT_AUTHENTICATION_PLUGIN);
+        if (!kerberos_plugin) {
+            raise_with_string(
+                PyUnicode_FromString("The Kerberos authentication plugin could not be loaded"),
+                NULL);
+            return NULL;
+        }
+
+        mysql_plugin_options(kerberos_plugin,
+            "plugin_authentication_kerberos_client_mode", "GSSAPI");
+    }
+#endif
+
     Py_BEGIN_ALLOW_THREADS
     res = mysql_real_connect(&self->session, host, user, password,
                              database, port, unix_socket, client_flags);
diff --git a/tests/__init__.py b/tests/__init__.py
diff --git a/tests/data/kerberos/users.keytab b/tests/data/kerberos/users.keytab
diff --git a/tests/test_authentication.py b/tests/test_authentication.py

Original file line number	Diff line number	Diff line change
`@@ -280,6 +280,9 @@ def _open_connection(self) -> None:`
`280`	`280`	`}`
`281`	`281`	`)`
`282`	`282`
	`283`	`+ if os.name == "nt" and self._auth_plugin_class == "MySQLKerberosAuthPlugin":`
	`284`	`+ cnx_kwargs["use_kerberos_gssapi"] = True`
	`285`	`+`
`283`	`286`	`try:`
`284`	`287`	`self._cmysql.connect(**cnx_kwargs)`
`285`	`288`	`self._cmysql.converter_str_fallback = self._converter_str_fallback`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@`
`91`	`91`	`"krb_service_principal": None,`
`92`	`92`	`"oci_config_file": None,`
`93`	`93`	`"fido_callback": None,`
	`94`	`+ "kerberos_auth_mode": None,`
`94`	`95`	`}`
`95`	`96`
`96`	`97`	`CNX_POOL_ARGS: Tuple[str, str, str] = ("pool_name", "pool_size", "pool_reset_session")`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ skip_glob = [`
`43`	`43`	`'lib/mysql/connector/locales/eng',`
`44`	`44`	`'lib/mysqlx/locales/eng',`
`45`	`45`	`'lib/mysqlx/protobuf',`
`46`		`- 'venv/*'`
	`46`	`+ 'venv/*',`
`47`	`47`	`]`
`48`	`48`
`49`	`49`	`[tool.black]`