WL11668: Add SHA256_MEMORY authentication mechanism

nmariz · nmariz · commit 497a21e3cafb · 2018-03-16T11:29:37.000Z
This worklog adds support for SHA256_MEMORY authentication mechanism.

A new test was added for regression.
diff --git a/lib/mysqlx/authentication.py b/lib/mysqlx/authentication.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -34,47 +34,66 @@
 from .compat import PY3, UNICODE_TYPES, hexlify
 
 
-class MySQL41AuthPlugin(object):
-    """Class implementing the MySQL Native Password authentication plugin."""
-    def __init__(self, username, password):
+def xor_string(hash1, hash2, hash_size):
+    """Encrypt/Decrypt function used for password encryption in
+    authentication, using a simple XOR.
+
+    Args:
+        hash1 (str): The first hash.
+        hash2 (str): The second hash.
+
+    Returns:
+        str: A string with the xor applied.
+    """
+    if PY3:
+        xored = [h1 ^ h2 for (h1, h2) in zip(hash1, hash2)]
+    else:
+        xored = [ord(h1) ^ ord(h2) for (h1, h2) in zip(hash1, hash2)]
+    return struct.pack("{0}B".format(hash_size), *xored)
+
+
+class BaseAuthPlugin(object):
+    """Base class for implementing the authentication plugins."""
+    def __init__(self, username=None, password=None):
         self._username = username
-        self._password = password.encode("utf-8") \
-            if isinstance(password, UNICODE_TYPES) else password
+        self._password = password
 
     def name(self):
         """Returns the plugin name.
 
         Returns:
             str: The plugin name.
         """
-        return "MySQL 4.1 Authentication Plugin"
+        raise NotImplementedError
 
     def auth_name(self):
         """Returns the authentication name.
 
         Returns:
             str: The authentication name.
         """
-        return "MYSQL41"
+        raise NotImplementedError
 
-    def xor_string(self, hash1, hash2):
-        """Encrypt/Decrypt function used for password encryption in
-        authentication, using a simple XOR.
 
-        Args:
-            hash1 (str): The first hash.
-            hash2 (str): The second hash.
+class MySQL41AuthPlugin(BaseAuthPlugin):
+    """Class implementing the MySQL Native Password authentication plugin."""
+    def name(self):
+        """Returns the plugin name.
+
+        Returns:
+            str: The plugin name.
+        """
+        return "MySQL 4.1 Authentication Plugin"
+
+    def auth_name(self):
+        """Returns the authentication name.
 
         Returns:
-            str: A string with the xor applied.
+            str: The authentication name.
         """
-        if PY3:
-            xored = [h1 ^ h2 for (h1, h2) in zip(hash1, hash2)]
-        else:
-            xored = [ord(h1) ^ ord(h2) for (h1, h2) in zip(hash1, hash2)]
-        return struct.pack("20B", *xored)
+        return "MYSQL41"
 
-    def build_authentication_response(self, data):
+    def auth_data(self, data):
         """Hashing for MySQL 4.1 authentication.
 
         Args:
@@ -84,22 +103,17 @@ def build_authentication_response(self, data):
             str: The authentication response.
         """
         if self._password:
-            hash1 = hashlib.sha1(self._password).digest()
+            password = self._password.encode("utf-8") \
+                if isinstance(self._password, UNICODE_TYPES) else self._password
+            hash1 = hashlib.sha1(password).digest()
             hash2 = hashlib.sha1(hash1).digest()
-            auth_response = self.xor_string(
-                hash1, hashlib.sha1(data + hash2).digest())
-            return "{0}\0{1}\0*{2}\0".format("", self._username,
-                                             hexlify(auth_response))
+            xored = xor_string(hash1, hashlib.sha1(data + hash2).digest(), 20)
+            return "{0}\0{1}\0*{2}\0".format("", self._username, hexlify(xored))
         return "{0}\0{1}\0".format("", self._username)
 
 
-class PlainAuthPlugin(object):
+class PlainAuthPlugin(BaseAuthPlugin):
     """Class implementing the MySQL Plain authentication plugin."""
-    def __init__(self, username, password):
-        self._username = username
-        self._password = password.encode("utf-8") \
-            if isinstance(password, UNICODE_TYPES) and not PY3 else password
-
     def name(self):
         """Returns the plugin name.
 
@@ -122,31 +136,45 @@ def auth_data(self):
         Returns:
             str: The authentication data.
         """
-        return "\0{0}\0{1}".format(self._username, self._password)
+        password = self._password.encode("utf-8") \
+            if isinstance(self._password, UNICODE_TYPES) and not PY3 \
+               else self._password
+        return "\0{0}\0{1}".format(self._username, password)
 
 
-class ExternalAuthPlugin(object):
-    """Class implementing the External authentication plugin."""
+class Sha256MemoryAuthPlugin(BaseAuthPlugin):
+    """Class implementing the SHA256_MEMORY authentication plugin."""
     def name(self):
         """Returns the plugin name.
 
         Returns:
             str: The plugin name.
         """
-        return "External Authentication Plugin"
+        return "SHA256_MEMORY Authentication Plugin"
 
     def auth_name(self):
         """Returns the authentication name.
 
         Returns:
             str: The authentication name.
         """
-        return "EXTERNAL"
+        return "SHA256_MEMORY"
 
-    def initial_response(self):
-        """Returns the initial response.
+    def auth_data(self, data):
+        """Hashing for SHA256_MEMORY authentication.
+
+        The scramble is of the form:
+            SHA256(SHA256(SHA256(PASSWORD)),NONCE) XOR SHA256(PASSWORD)
+
+        Args:
+            data (str): The authentication data.
 
         Returns:
-            str: The initial response.
+            str: The authentication response.
         """
-        return ""
+        password = self._password.encode("utf-8") \
+            if isinstance(self._password, UNICODE_TYPES) else self._password
+        hash1 = hashlib.sha256(password).digest()
+        hash2 = hashlib.sha256(hashlib.sha256(hash1).digest() + data).digest()
+        xored = xor_string(hash2, hash1, 32)
+        return "\0{0}\0{1}".format(self._username, hexlify(xored))
diff --git a/lib/mysqlx/connection.py b/lib/mysqlx/connection.py
@@ -43,7 +43,7 @@
 from functools import wraps
 
 from .authentication import (MySQL41AuthPlugin, PlainAuthPlugin,
-                             ExternalAuthPlugin)
+                             Sha256MemoryAuthPlugin)
 from .errors import InterfaceError, OperationalError, ProgrammingError
 from .compat import PY3, STRING_TYPES, UNICODE_TYPES
 from .crud import Schema
@@ -85,7 +85,7 @@ def connect(self, params):
                 self._is_socket = True
                 self._socket.connect(params)
             except AttributeError:
-                raise InterfaceError("Unix socket unsupported.")
+                raise InterfaceError("Unix socket unsupported")
 
     def read(self, count):
         """Receive data from the socket.
@@ -142,7 +142,7 @@ def set_ssl(self, ssl_mode, ssl_ca, ssl_crl, ssl_cert, ssl_key):
         """
         if not SSL_AVAILABLE:
             self.close()
-            raise RuntimeError("Python installation has no SSL support.")
+            raise RuntimeError("Python installation has no SSL support")
 
         context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
         context.load_default_certs()
@@ -228,7 +228,7 @@ def wrapper(self, *args, **kwargs):
             return func(self, *args, **kwargs)
         except (socket.error, RuntimeError):
             self.disconnect()
-            raise InterfaceError("Cannot connect to host.")
+            raise InterfaceError("Cannot connect to host")
     return wrapper
 
 
@@ -355,7 +355,7 @@ def connect(self):
 
         if len(self._routers) <= 1:
             raise InterfaceError("Cannot connect to host: {0}".format(error))
-        raise InterfaceError("Failed to connect to any of the routers.", 4001)
+        raise InterfaceError("Failed to connect to any of the routers", 4001)
 
     def _handle_capabilities(self):
         """Handle capabilities.
@@ -377,7 +377,7 @@ def _handle_capabilities(self):
         if not (get_item_or_attr(data[0], "name").lower() == "tls"
                 if data else False):
             self.close_connection()
-            raise OperationalError("SSL not enabled at server.")
+            raise OperationalError("SSL not enabled at server")
 
         is_ol7 = False
         if platform.system() == "Linux":
@@ -392,7 +392,7 @@ def _handle_capabilities(self):
         if sys.version_info < (2, 7, 9) and not is_ol7:
             self.close_connection()
             raise RuntimeError("The support for SSL is not available for "
-                               "this Python version.")
+                               "this Python version")
 
         self.protocol.set_capabilities(tls=True)
         self.stream.set_ssl(self.settings.get("ssl-mode", SSLMode.REQUIRED),
@@ -404,34 +404,56 @@ def _handle_capabilities(self):
     def _authenticate(self):
         """Authenticate with the MySQL server."""
         auth = self.settings.get("auth")
-        if (not auth and self.stream.is_secure()) or auth == Auth.PLAIN:
+        if auth:
+            if auth == Auth.PLAIN:
+                self._authenticate_plain()
+            elif auth == Auth.SHA256_MEMORY:
+                self._authenticate_sha256_memory()
+            elif auth == Auth.MYSQL41:
+                self._authenticate_mysql41()
+        elif self.stream.is_secure():
+            # Use PLAIN if no auth provided and connection is secure
             self._authenticate_plain()
-        elif auth == Auth.EXTERNAL:
-            self._authenticate_external()
         else:
-            self._authenticate_mysql41()
+            # Use MYSQL41 if connection is not secure
+            try:
+                self._authenticate_mysql41()
+            except InterfaceError:
+                pass
+            else:
+                return
+            # Try SHA256_MEMORY if MYSQL41 fails
+            try:
+                self._authenticate_sha256_memory()
+            except InterfaceError:
+                raise InterfaceError("Authentication failed using MYSQL41 and "
+                                     "SHA256_MEMORY, check username and "
+                                     "password or try a secure connection")
 
     def _authenticate_mysql41(self):
         """Authenticate with the MySQL server using `MySQL41AuthPlugin`."""
         plugin = MySQL41AuthPlugin(self._user, self._password)
         self.protocol.send_auth_start(plugin.auth_name())
         extra_data = self.protocol.read_auth_continue()
-        self.protocol.send_auth_continue(
-            plugin.build_authentication_response(extra_data))
+        self.protocol.send_auth_continue(plugin.auth_data(extra_data))
         self.protocol.read_auth_ok()
 
     def _authenticate_plain(self):
         """Authenticate with the MySQL server using `PlainAuthPlugin`."""
+        if not self.stream.is_secure():
+            raise InterfaceError("PLAIN authentication is not allowed via "
+                                 "unencrypted connection")
         plugin = PlainAuthPlugin(self._user, self._password)
         self.protocol.send_auth_start(plugin.auth_name(),
                                       auth_data=plugin.auth_data())
         self.protocol.read_auth_ok()
 
-    def _authenticate_external(self):
-        """Authenticate with the MySQL server using `ExternalAuthPlugin`."""
-        plugin = ExternalAuthPlugin()
-        self.protocol.send_auth_start(
-            plugin.auth_name(), initial_response=plugin.initial_response())
+    def _authenticate_sha256_memory(self):
+        """Authenticate with the MySQL server using `Sha256MemoryAuthPlugin`."""
+        plugin = Sha256MemoryAuthPlugin(self._user, self._password)
+        self.protocol.send_auth_start(plugin.auth_name())
+        extra_data = self.protocol.read_auth_continue()
+        self.protocol.send_auth_continue(plugin.auth_data(extra_data))
         self.protocol.read_auth_ok()
 
     @catch_network_exception
diff --git a/lib/mysqlx/constants.py b/lib/mysqlx/constants.py
@@ -53,8 +53,8 @@ def create_enum(name, fields, values=None):
                       ("REQUIRED", "DISABLED", "VERIFY_CA", "VERIFY_IDENTITY"),
                       ("required", "disabled", "verify_ca", "verify_identity"))
 Auth = create_enum("Auth",
-                   ("PLAIN", "EXTERNAL", "MYSQL41"),
-                   ("plain", "external", "mysql41"))
+                   ("PLAIN", "MYSQL41", "SHA256_MEMORY"),
+                   ("plain", "mysql41", "sha256_memory"))
 LockContention = create_enum("LockContention",
                              ("DEFAULT", "NOWAIT", "SKIP_LOCKED"), (0, 1, 2))
 
diff --git a/lib/mysqlx/protocol.py b/lib/mysqlx/protocol.py
@@ -325,14 +325,14 @@ def read_auth_continue(self):
                                  "authentication handshake")
         return msg["auth_data"]
 
-    def send_auth_continue(self, data):
+    def send_auth_continue(self, auth_data):
         """Send authenticate continue.
 
         Args:
-            data (str): Authentication data.
+            auth_data (str): Authentication data.
         """
         msg = Message("Mysqlx.Session.AuthenticateContinue",
-                      auth_data=data)
+                      auth_data=auth_data)
         self._writer.write_message(mysqlxpb_enum(
             "Mysqlx.ClientMessages.Type.SESS_AUTHENTICATE_CONTINUE"), msg)
 
diff --git a/tests/test_mysqlx_connection.py b/tests/test_mysqlx_connection.py
@@ -302,6 +302,40 @@ def test_auth(self):
         sess.sql("DROP USER 'sha256'@'%'").execute()
         sess.close()
 
+    @unittest.skipIf(tests.MYSQL_VERSION < (8, 0, 5),
+                     "SHA256_MEMORY authentation mechanism not available")
+    def test_auth_sha265_memory(self):
+        sess = mysqlx.get_session(self.connect_kwargs)
+        sess.sql("CREATE USER 'caching'@'%' IDENTIFIED WITH "
+                 "caching_sha2_password BY 'caching'").execute()
+        config = {
+            "user": "caching",
+            "password": "caching",
+            "host": self.connect_kwargs["host"],
+            "port": self.connect_kwargs["port"]
+        }
+
+        # Session creation is not possible with SSL disabled
+        config["ssl-mode"] = mysqlx.SSLMode.DISABLED
+        self.assertRaises(InterfaceError, mysqlx.get_session, config)
+        config["auth"] = mysqlx.Auth.SHA256_MEMORY
+        self.assertRaises(InterfaceError, mysqlx.get_session, config)
+
+        # Session creation is possible with SSL enabled
+        config["ssl-mode"] = mysqlx.SSLMode.REQUIRED
+        config["auth"] = mysqlx.Auth.PLAIN
+        mysqlx.get_session(config)
+
+        # Disable SSL
+        config["ssl-mode"] = mysqlx.SSLMode.DISABLED
+
+        # Password is in cache will, session creation is possible
+        config["auth"] = mysqlx.Auth.SHA256_MEMORY
+        mysqlx.get_session(config)
+
+        sess.sql("DROP USER 'caching'@'%'").execute()
+        sess.close()
+
     @unittest.skipIf(tests.MYSQL_VERSION < (5, 7, 15), "--mysqlx-socket option tests not available for this MySQL version")
     def test_mysqlx_socket(self):
         # Connect with unix socket
