WL#14665:SSPI Kerberos authentication for Windows (pure-python)

isrgomez · isrgomez · commit 5b1f433e5fcb · 2022-01-14T18:20:41.000-06:00
The purpose of this Worklog is to provide alternative implementation for Kerberos
authentication, based on SSPI infrastructure provided natively by Windows OS.

This implementation requires win32api python module.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -15,6 +15,7 @@ v8.0.29
 - WL#14852: Align TLS option checking across connectors
 - WL#14824: Remove Python 3.6 support
 - WL#14679: Allow custom class for data type conversion in Django backend
+- WL#14665: SSPI Kerberos authentication for Windows (pure-python)
 - BUG#33729842: Character set 'utf8mb3' support
 
 v8.0.28
diff --git a/lib/mysql/connector/authentication.py b/lib/mysql/connector/authentication.py
@@ -50,9 +50,18 @@
 
 try:
     import gssapi
-except:
+except ImportError:
     gssapi = None
 
+try:
+    import sspi
+    import sspicon
+    import win32api
+except ImportError:
+    sspi = None
+    sspicon = None
+    win32api = None
+
 from . import errors
 from .utils import (normalize_unicode_string as norm_ustr,
                     validate_normalized_unicode_string as valid_norm)
@@ -1017,6 +1026,125 @@ def auth_response(self, oci_path=None):
         return auth_response.encode()
 
 
+class MySQLSSPIKerberosAuthPlugin(BaseAuthPlugin):
+    """Implement the MySQL Kerberos authentication plugin with Windows SSPI"""
+
+    plugin_name = "authentication_kerberos_client"
+    requires_ssl = False
+    context = None
+
+    def _parse_auth_data(self, packet):
+        """Parse authentication data.
+
+        Get the SPN and REALM from the authentication data packet.
+
+        Format:
+            SPN string length two bytes <B1> <B2> +
+            SPN string +
+            UPN realm string length two bytes <B1> <B2> +
+            UPN realm string
+
+        Returns:
+            tuple: With 'spn' and 'realm'.
+        """
+        spn_len = struct.unpack("<H", packet[:2])[0]
+        packet = packet[2:]
+
+        spn = struct.unpack(f"<{spn_len}s", packet[:spn_len])[0]
+        packet = packet[spn_len:]
+
+        realm_len = struct.unpack("<H", packet[:2])[0]
+        realm = struct.unpack(f"<{realm_len}s", packet[2:])[0]
+
+        return spn.decode(), realm.decode()
+
+    def auth_response(self, auth_data=None):
+        """Prepare the first message to the server."""
+        _LOGGER.debug("auth_response for sspi")
+        spn = None
+        realm = None
+
+        if auth_data:
+            try:
+                spn, realm = self._parse_auth_data(auth_data)
+            except struct.error as err:
+                raise InterruptedError(f"Invalid authentication data: {err}")
+
+        _LOGGER.debug("Service Principal: %s", spn)
+        _LOGGER.debug("Realm: %s", realm)
+        _LOGGER.debug("Username: %s", self._username)
+
+        if sspicon is None or sspi is None:
+            raise errors.ProgrammingError(
+                'Package "pywin32" (Python for Win32 (pywin32) extensions)'
+                ' is not installed.')
+
+        flags = (
+            sspicon.ISC_REQ_MUTUAL_AUTH,
+            sspicon.ISC_REQ_DELEGATE
+        )
+
+        if self._username and self._password:
+            _auth_info = (self._username, realm, self._password)
+        else:
+            _auth_info = None
+
+        targetspn = spn
+        _LOGGER.debug("targetspn: %s", targetspn)
+        _LOGGER.debug("_auth_info is None: %s", _auth_info is None)
+
+        self.clientauth = sspi.ClientAuth(
+            'Kerberos', targetspn=targetspn, auth_info=_auth_info,
+            scflags=sum(flags), datarep=sspicon.SECURITY_NETWORK_DREP)
+
+        try:
+            data = None
+            err, out_buf = self.clientauth.authorize(data)
+            _LOGGER.debug("Context step err: %s", err)
+            _LOGGER.debug("Context step out_buf: %s", out_buf)
+            _LOGGER.debug("Context completed?: %s", self.clientauth.authenticated)
+            initial_client_token = out_buf[0].Buffer
+            _LOGGER.debug("pkg_info: %s", self.clientauth.pkg_info)
+        except Exception as err:
+            raise errors.InterfaceError(
+                f"Unable to initiate security context: {err}"
+            )
+
+        _LOGGER.debug("Initial client token: %s", initial_client_token)
+        return initial_client_token
+
+    def auth_continue(self, tgt_auth_challenge):
+        """Continue with the Kerberos TGT service request.
+
+        With the TGT authentication service given response generate a TGT
+        service request. This method must be invoked sequentially (in a loop)
+        until the security context is completed and an empty response needs to
+        be send to acknowledge the server.
+
+        Args:
+            tgt_auth_challenge: the challenge for the negotiation.
+
+        Returns:
+            tuple (bytearray TGS service request,
+            bool True if context is completed otherwise False).
+        """
+        _LOGGER.debug("tgt_auth challenge: %s", tgt_auth_challenge)
+
+        err, out_buf = self.clientauth.authorize(tgt_auth_challenge)
+
+        _LOGGER.debug("Context step err: %s", err)
+        _LOGGER.debug("Context step out_buf: %s", out_buf)
+        resp = out_buf[0].Buffer
+        _LOGGER.debug("Context step resp: %s", resp)
+        _LOGGER.debug("Context completed?: %s", self.clientauth.authenticated)
+
+        return resp, self.clientauth.authenticated
+
+
+if os.name == 'nt':
+    MySQLKerberosAuthPlugin = MySQLSSPIKerberosAuthPlugin
+
+
 def get_auth_plugin(plugin_name):
     """Return authentication class based on plugin name
 
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -58,6 +58,7 @@
 from .utils import int1store, int4store, lc_int, get_platform
 from .abstracts import MySQLConnectionAbstract
 
+
 logging.getLogger(__name__).addHandler(logging.NullHandler())
 
 _LOGGER = logging.getLogger(__name__)
@@ -219,11 +220,16 @@ def _do_auth(self, username=None, password=None, database=None,
                 "# _do_auth(): user: %s", username)
         _LOGGER.debug(
                 "# _do_auth(): self._auth_plugin: %s", self._auth_plugin)
-        if self._auth_plugin.startswith("authentication_oci") and not username:
+        if (self._auth_plugin.startswith("authentication_oci") or
+            (self._auth_plugin.startswith("authentication_kerberos") and
+             os.name == 'nt')) and not username:
             username = getpass.getuser()
             _LOGGER.debug(
-                "MySQL user is empty, OS user: %s will be used for "
-                "authentication_oci_client", username)
+                "MySQL user is empty, OS user: %s will be used for %s",
+                username, self._auth_plugin)
+
+        _LOGGER.debug("# _do_auth(): user: %s", username)
+        _LOGGER.debug("# _do_auth(): password: %s", password)
 
         packet = self._protocol.make_auth(
             handshake=self._handshake,
@@ -477,11 +483,7 @@ def _open_connection(self):
 
         Raises on errors.
         """
-        if self._auth_plugin == "authentication_kerberos_client":
-            if os.name == "nt":
-                raise errors.ProgrammingError(
-                    "The Kerberos authentication is not available on Windows"
-                )
+        if self._auth_plugin == "authentication_kerberos_client" and os.name != 'nt':
             if not self._user:
                 cls = get_auth_plugin(self._auth_plugin)
                 self._user = cls.get_user_from_credentials()
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -89,7 +89,7 @@ def test_get_auth_plugin(self):
         plugin_classes = {}
         for name, obj in inspect.getmembers(authentication):
             if inspect.isclass(obj) and hasattr(obj, 'plugin_name'):
-                if obj.plugin_name:
+                if obj.plugin_name and name != "MySQLSSPIKerberosAuthPlugin":
                     plugin_classes[obj.plugin_name] = obj
         for plugin_name in _STANDARD_PLUGINS:
             self.assertEqual(plugin_classes[plugin_name],
