WL#14860: Support FIDO authentication (c-ext)

nmariz · nmariz · commit 9cebcd2c6e25 · 2022-01-14T09:36:34.000Z
This worklog implements the FIDO U2F authentication, which is available
since MySQL 8.0.27.

It allows users to create password-less single or multi-factor
authentication accounts that can connect to a MySQL server without using
a password for the corresponding authenticator factor.

This functionality is only available in the C extension implementation.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -11,6 +11,7 @@ Full release notes:
 v8.0.29
 =======
 
+- WL#14860: Support FIDO authentication (c-ext)
 - WL#14824: Remove Python 3.6 support
 - WL#14679: Allow custom class for data type conversion in Django backend
 - BUG#33729842: Character set 'utf8mb3' support
diff --git a/cpydist/__init__.py b/cpydist/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2020, 2021, Oracle and/or its affiliates.
+# Copyright (c) 2020, 2022, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -249,42 +249,34 @@ def _copy_vendor_libraries(self):
         if self.with_mysql_capi:
             plugin_ext = "dll" if os.name == "nt" else "so"
             plugin_path = os.path.join(self.with_mysql_capi, "lib", "plugin")
-
-            # authentication_ldap_sasl_client
-            plugin_name = (
-                "authentication_ldap_sasl_client.{}".format(plugin_ext)
-            )
-            plugin_full_path = os.path.join(plugin_path, plugin_name)
-            self.log.debug("ldap plugin_path: '%s'", plugin_full_path)
-            if os.path.exists(plugin_full_path):
-                bundle_plugin_libs = True
-                vendor_libs.append(
-                    (plugin_path, [os.path.join("plugin", plugin_name)])
-                )
-
-            # authentication_kerberos_client
-            plugin_name = (
-                "authentication_kerberos_client.{}".format(plugin_ext)
-            )
-            plugin_full_path = os.path.join(plugin_path, plugin_name)
-            self.log.debug("kerberos plugin_path: '%s'", plugin_full_path)
-            if os.path.exists(plugin_full_path):
-                bundle_plugin_libs = True
-                vendor_libs.append(
-                    (plugin_path, [os.path.join("plugin", plugin_name)])
-                )
-
-            # authentication_oci_client
-            plugin_name = (
-                "authentication_oci_client.{}".format(plugin_ext)
-            )
-            plugin_full_path = os.path.join(plugin_path, plugin_name)
-            self.log.debug("OCI IAM plugin_path: '%s'", plugin_full_path)
-            if os.path.exists(plugin_full_path):
-                bundle_plugin_libs = True
-                vendor_libs.append(
-                    (plugin_path, [os.path.join("plugin", plugin_name)])
+            plugin_list = [
+                (
+                    "LDAP",
+                    "authentication_ldap_sasl_client.{}".format(plugin_ext),
+                ),
+                (
+                    "Kerberos",
+                    "authentication_kerberos_client.{}".format(plugin_ext),
+                ),
+                (
+                    "OCI IAM",
+                    "authentication_oci_client.{}".format(plugin_ext),
+                ),
+                (
+                    "FIDO",
+                    "authentication_fido_client.{}".format(plugin_ext),
+                ),
+            ]
+            for plugin_name, plugin_file in plugin_list:
+                plugin_full_path = os.path.join(plugin_path, plugin_file)
+                self.log.debug(
+                    "%s plugin_path: '%s'", plugin_name, plugin_full_path,
                 )
+                if os.path.exists(plugin_full_path):
+                    bundle_plugin_libs = True
+                    vendor_libs.append(
+                        (plugin_path, [os.path.join("plugin", plugin_file)])
+                    )
 
             # vendor libraries
             if bundle_plugin_libs and os.name == "nt":
@@ -365,7 +357,9 @@ def _copy_vendor_libraries(self):
             sasl_plugin_libs_w = [
                 "libsasl2.*.*", "libgssapi_krb5.*.*", "libgssapi_krb5.*.*",
                 "libkrb5.*.*", "libk5crypto.*.*", "libkrb5support.*.*",
-                "libcrypto.*.*.*", "libssl.*.*.*", "libcom_err.*.*"]
+                "libcrypto.*.*.*", "libssl.*.*.*", "libcom_err.*.*",
+                "libfido2.*.*",
+            ]
             sasl_plugin_libs = []
             for sasl_lib in sasl_plugin_libs_w:
                 lib_path_entries = glob(os.path.join(
diff --git a/lib/mysql/connector/abstracts.py b/lib/mysql/connector/abstracts.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2014, 2021, Oracle and/or its affiliates.
+# Copyright (c) 2014, 2022, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -32,6 +32,8 @@
 from decimal import Decimal
 from time import sleep
 from datetime import date, datetime, time, timedelta
+from inspect import signature
+import importlib
 import os
 import re
 import weakref
@@ -108,6 +110,7 @@ def __init__(self, **kwargs):
         self._ssl_disabled = DEFAULT_CONFIGURATION["ssl_disabled"]
         self._force_ipv6 = False
         self._oci_config_file = None
+        self._fido_callback = None
 
         self._use_unicode = True
         self._get_warnings = False
@@ -651,6 +654,33 @@ def config(self, **kwargs):
                 raise errors.InterfaceError(KRB_SERVICE_PINCIPAL_ERROR.format(
                     error="is incorrectly formatted"))
 
+        if self._fido_callback:
+            # Import the callable if it's a str
+            if isinstance(self._fido_callback, str):
+                try:
+                    module, callback = self._fido_callback.rsplit(".", 1)
+                except ValueError:
+                    raise errors.ProgrammingError(
+                        f"No callable named '{self._fido_callback}'"
+                    )
+                try:
+                    module = importlib.import_module(module)
+                    self._fido_callback = getattr(module, callback)
+                except (AttributeError, ModuleNotFoundError) as err:
+                    raise errors.ProgrammingError(f"{err}")
+            # Check if it's a callable
+            if not callable(self._fido_callback):
+                raise errors.ProgrammingError(
+                    "Expected a callable for 'fido_callback'"
+                )
+            # Check the callable signature if has only 1 positional argument
+            params = len(signature(self._fido_callback).parameters)
+            if params != 1:
+                raise errors.ProgrammingError(
+                    "'fido_callback' requires 1 positional argument, but the "
+                    f"callback provided has {params}"
+                )
+
     def _add_default_conn_attrs(self):
         """Add the default connection attributes."""
         pass
diff --git a/lib/mysql/connector/connection_cext.py b/lib/mysql/connector/connection_cext.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2014, 2021, Oracle and/or its affiliates.
+# Copyright (c) 2014, 2022, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -212,6 +212,7 @@ def _open_connection(self):
             "local_infile": self._allow_local_infile,
             "load_data_local_dir": self._allow_local_infile_in_path,
             "oci_config_file": self._oci_config_file,
+            "fido_callback": self._fido_callback,
         }
 
         tls_versions = self._ssl.get('tls_versions')
diff --git a/lib/mysql/connector/constants.py b/lib/mysql/connector/constants.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2022, Oracle and/or its affiliates. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -89,7 +89,8 @@
     'dns_srv': False,
     'use_pure': False,
     'krb_service_principal': None,
-    'oci_config_file': None
+    'oci_config_file': None,
+    'fido_callback': None,
 }
 
 CNX_POOL_ARGS = ('pool_name', 'pool_size', 'pool_reset_session')
diff --git a/src/mysql_capi.c b/src/mysql_capi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2021, Oracle and/or its affiliates.
+ * Copyright (c) 2014, 2022, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License, version 2.0, as
@@ -68,6 +68,29 @@ PyObject* MySQL_connected(MySQL *self);
 #define VERSION_OFFSET_MAJOR 10000
 #define VERSION_OFFSET_MINOR 100
 
+// Python FIDO messages callback
+static PyObject *fido_callback = NULL;
+
+void
+fido_messages_callback(const char *msg) {
+    if (fido_callback && fido_callback != Py_None)
+    {
+        PyGILState_STATE state = PyGILState_Ensure();
+        PyObject *args = Py_BuildValue("(z)", msg);
+        PyObject *result = PyObject_Call(fido_callback, args, NULL);
+        Py_DECREF(args);
+        if (result)
+        {
+            Py_DECREF(result);
+        }
+        PyGILState_Release(state);
+    }
+    else
+    {
+        printf("%s", msg);
+    }
+}
+
 /**
   Helper function printing a string as hexadecimal.
 */
@@ -1204,11 +1227,11 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
         "port", "unix_socket", "client_flags", "ssl_ca", "ssl_cert", "ssl_key",
         "ssl_cipher_suites", "tls_versions", "tls_cipher_suites", "ssl_verify_cert",
         "ssl_verify_identity", "ssl_disabled", "compress", "conn_attrs",
-        "local_infile", "load_data_local_dir", "oci_config_file",
+        "local_infile", "load_data_local_dir", "oci_config_file", "fido_callback",
         NULL
     };
 
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzzzzkzkzzzzzzO!O!O!O!O!izz",
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzzzzkzkzzzzzzO!O!O!O!O!izzO",
                                      kwlist,
                                      &host,
                                      &user,
@@ -1233,7 +1256,8 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
                                      &PyDict_Type, &conn_attrs,
                                      &local_infile,
                                      &load_data_local_dir,
-                                     &oci_config_file))
+                                     &oci_config_file,
+                                     &fido_callback))
     {
         return NULL;
     }
@@ -1468,6 +1492,34 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
         }
     }
 
+    if (fido_callback && fido_callback != Py_None) {
+        /* load FIDO client authentication plugin if required */
+        struct st_mysql_client_plugin *fido_plugin =
+          mysql_client_find_plugin(&self->session, "authentication_fido_client",
+                                   MYSQL_CLIENT_AUTHENTICATION_PLUGIN);
+        if (!fido_plugin)
+        {
+            raise_with_string(
+                PyUnicode_FromString(
+                    "The FIDO authentication plugin could not be loaded"), NULL
+                );
+            return NULL;
+        }
+
+        /* verify if the `fido_callback` is a proper callable */
+        if (!PyCallable_Check(fido_callback))
+        {
+            PyErr_SetString(
+                PyExc_TypeError, "Expected a callable for 'fido_callback'"
+            );
+            return NULL;
+        }
+
+        /* register callback */
+        mysql_plugin_options(fido_plugin, "fido_messages_callback",
+                             (const void *)(&fido_messages_callback));
+    }
+
     Py_BEGIN_ALLOW_THREADS
     res= mysql_real_connect(&self->session, host, user, password, database,
                             port, unix_socket, client_flags);
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, 2021, Oracle and/or its affiliates.
+# Copyright (c) 2014, 2022, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -1190,3 +1190,31 @@ def test_OCI_SDK_not_installed_error(self):
             ProgrammingError,
             auth_plugin.auth_response
         )
+
+
+@unittest.skipIf(
+    tests.MYSQL_VERSION < (8, 0, 29),
+    "Authentication with FIDO not supported"
+)
+class MySQLFIDOAuthPluginTests(tests.MySQLConnectorTests):
+    """Test authentication.MySQLFIDOAuthPlugin.
+
+    Implemented by WL#14860: Support FIDO authentication (c-ext)
+    """
+
+    @tests.foreach_cnx(CMySQLConnection)
+    def test_invalid_fido_callback(self):
+        """Test invalid 'fido_callback' option."""
+        def my_callback():
+            ...
+
+        test_cases = (
+            "abc",  # No callable named 'abc'
+            "abc.abc",  # module 'abc' has no attribute 'abc'
+            my_callback,  # 1 positional argument required
+        )
+        config = tests.get_mysql_config()
+        config["auth_plugin"] = "authentication_fido_client"
+        for case in test_cases:
+            config["fido_callback"] = case
+            self.assertRaises(ProgrammingError, self.cnx.__class__, **config)

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Copyright (c) 2014, 2021, Oracle and/or its affiliates.`
	`1`	`+# Copyright (c) 2014, 2022, Oracle and/or its affiliates.`
`2`	`2`	`#`
`3`	`3`	`# This program is free software; you can redistribute it and/or modify`
`4`	`4`	`# it under the terms of the GNU General Public License, version 2.0, as`
`@@ -212,6 +212,7 @@ def _open_connection(self):`
`212`	`212`	`"local_infile": self._allow_local_infile,`
`213`	`213`	`"load_data_local_dir": self._allow_local_infile_in_path,`
`214`	`214`	`"oci_config_file": self._oci_config_file,`
	`215`	`+ "fido_callback": self._fido_callback,`
`215`	`216`	`}`
`216`	`217`
`217`	`218`	`tls_versions = self._ssl.get('tls_versions')`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.`
	`1`	`+# Copyright (c) 2009, 2022, Oracle and/or its affiliates. All rights reserved.`
`2`	`2`	`#`
`3`	`3`	`# This program is free software; you can redistribute it and/or modify`
`4`	`4`	`# it under the terms of the GNU General Public License, version 2.0, as`
`@@ -89,7 +89,8 @@`
`89`	`89`	`'dns_srv': False,`
`90`	`90`	`'use_pure': False,`
`91`	`91`	`'krb_service_principal': None,`
`92`		`- 'oci_config_file': None`
	`92`	`+ 'oci_config_file': None,`
	`93`	`+ 'fido_callback': None,`
`93`	`94`	`}`
`94`	`95`
`95`	`96`	`CNX_POOL_ARGS = ('pool_name', 'pool_size', 'pool_reset_session')`