Conversation

julienschmidt

Description

This PR refactors the existing auth code and separates it from other code (currently the auth code is spread over driver.go, utils.go and packets.go. This refactoring also serves as a preparation for adding more auth plugins, such as sha256_password (#625) or dialog (#803) and an exported interface for adding custom auth plugins, as proposed in #552.

It further fixes many bugs: the following new tests fail when backported to the old code (see https://travis-ci.org/go-sql-driver/mysql/jobs/383270883):

--- FAIL: TestAuthFastCachingSHA256PasswordEmpty (0.00s)
	auth_test.go:118: got error: malformed packet
--- FAIL: TestAuthFastCleartextPasswordNotAllowed (0.00s)
	auth_test.go:235: expected ErrCleartextPassword, got unknown authentication plugin name 'mysql_clear_password'
--- FAIL: TestAuthFastCleartextPassword (0.00s)
	auth_test.go:251: unknown authentication plugin name 'mysql_clear_password'
--- FAIL: TestAuthFastCleartextPasswordEmpty (0.00s)
	auth_test.go:289: unknown authentication plugin name 'mysql_clear_password'
--- FAIL: TestAuthFastNativePasswordNotAllowed (0.00s)
	auth_test.go:328: expected ErrNativePassword, got <nil>
--- FAIL: TestAuthSwitchCachingSHA256PasswordCached (0.00s)
	auth_test.go:428: got error: this authentication plugin is not supported
	auth_test.go:438: got unexpected data: []
--- FAIL: TestAuthSwitchCachingSHA256PasswordEmpty (0.00s)
	auth_test.go:461: got error: this authentication plugin is not supported
	auth_test.go:466: got unexpected data: []
--- FAIL: TestAuthSwitchCachingSHA256PasswordFullRSA (0.00s)
	auth_test.go:497: got error: this authentication plugin is not supported
	auth_test.go:513: got unexpected data: []
--- FAIL: TestAuthSwitchCachingSHA256PasswordFullSecure (0.00s)
	auth_test.go:543: got error: this authentication plugin is not supported
	auth_test.go:556: got unexpected data: []

This PR is partially based on the work done in #552.

Fixes #806

Checklist

  • Code compiles correctly
  • Created tests which fail without the change (if possible)
  • All tests passing
  • Extended the README / documentation, if necessary
  • Added myself / the copyright holder to the AUTHORS file

@julienschmidt
log missing auth plugin name
d6fe90f
Updates #795
@julienschmidt
refactor auth handling
36c70eb
@julienschmidt
auth: fix AllowNativePasswords
cf52770
@julienschmidt
auth: remove plugin name print
f3b65ae
@julienschmidt
packets: attempt to fix writePublicKeyAuthPacket
eb54ab9
@julienschmidt
packets: do not NUL-terminate auth switch packets
86adb9b
@julienschmidt
move handleAuthResult to auth
ceb1236
@julienschmidt
add old_password auth tests
fa931ce
@julienschmidt
auth: add empty old_password test
66f8d59
@julienschmidt
auth: add cleartext auth tests
de51fdd
@julienschmidt
auth: add native auth tests
d0d482d
@julienschmidt
auth: add caching_sha2 tests
9be743a
@julienschmidt
rename init and auth packets to documented names
7242d1e
@julienschmidt
auth: fix plugin name for switched auth methods
d09ac83
@julienschmidt
buffer: optimize default branches
fba0ad9
@julienschmidt
auth: add tests for switch to caching sha2
f252087
@julienschmidt
auth: add tests for switch to cleartext password
a27458c
@julienschmidt
auth: add tests for switch to native password
caae030
@julienschmidtjulienschmidt added this to the v1.4.0 milestone May 24, 2018
@julienschmidtjulienschmidt requested a review from methane May 24, 2018 16:17
@julienschmidtjulienschmidt mentioned this pull request May 24, 2018
Closed
@julienschmidtjulienschmidt mentioned this pull request May 25, 2018
Merged
5 tasks
@julienschmidtjulienschmidt changed the title Auth refactoring Auth refactoring and bug fixes May 25, 2018
@julienschmidt

@arnehormann @methane I know this is a huge changeset to review, but it would be great if you would find time to do so soon. Much of it is just moved code and very similar tests anyway. This PR and the follow-up PR #808 should make the auth system much more stable and fix several currently existing bugs.
These two PRs are the only remaining planned changes before the v1.4.0 release (except the changelog itself).

julienschmidt
julienschmidt commented May 26, 2018
View reviewed changes
auth.go
return message1
}

func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, bool, error) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actual changes start here. The code above was moved from utils.go

@julienschmidtjulienschmidt mentioned this pull request May 27, 2018
Merged
2 tasks
methane
methane requested changes May 29, 2018
View reviewed changes
packets.go Outdated
return readAuthSwitch(data)
if len(data) > 1 {
pluginEndIndex := bytes.IndexByte(data, 0x00)
plugin := string(data[1:pluginEndIndex])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if pluginEndIndex < 0 {
    return nil, "", errors.New("invalid AuthSwitchRequest packet")
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PTAL

packets.go
copy(b[:], cipher)
return b[:], pluginName, nil
copy(b[:], authData)
return b[:], plugin, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

b instead of b[:]. (While old code was same...)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

copy requires slices as parameters but b is an array and not a slice.

@arvenil

Just FYI. I've used master and this PR in one of our repos and some tests on master failed with malformed packet but this PR seems to fix the issues and now tests pass. I didn't dig what really in this PR fixed it but clearly for us it works ;) Thanks for great work.

@julienschmidtjulienschmidt merged commit affd4c9 into master May 29, 2018
@zwpaperzwpaper mentioned this pull request May 30, 2018
Closed
julienschmidt added a commit that referenced this pull request May 31, 2018
@julienschmidt
Auth refactoring and bug fixes (#807)
6780ecf
* log missing auth plugin name

* refactor auth handling

* auth: fix AllowNativePasswords

* auth: remove plugin name print

* packets: attempt to fix writePublicKeyAuthPacket

* packets: do not NUL-terminate auth switch packets

* move handleAuthResult to auth

* add old_password auth tests

* auth: add empty old_password test

* auth: add cleartext auth tests

* auth: add native auth tests

* auth: add caching_sha2 tests

* rename init and auth packets to documented names

* auth: fix plugin name for switched auth methods

* buffer: optimize default branches

* auth: add tests for switch to caching sha2

* auth: add tests for switch to cleartext password

* auth: add tests for switch to native password

* auth: sync NUL termination with official connectors

* packets: handle missing NUL bytes in AuthSwitchRequests

Updates #795
@julienschmidtjulienschmidt deleted the auth_refactoring branch October 2, 2018 18:42
This was referencedMar 8, 2019
Open
Closed
Sign up for free to join this conversation on . Already have an account? Sign in to comment

@methane methane methane approved these changes

No one assigned
bug enhancement
None yet
v1.4.0

Successfully merging this pull request may close these issues.

Missing plugin name leads to panic