Ginter/krb5 (#24)

ginter · web-flow · commit 1e82db2cbad5 · 2022-12-08T11:44:32.000-08:00
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -10,6 +10,8 @@ jobs:
         python-version: ["3.7", "3.8", "3.9", "3.10"]
     steps:
     - uses: actions/checkout@v2
+    - name: Set up Kerberos
+      run: sudo apt-get install -y libkrb5-dev krb5-kdc krb5-admin-server
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
       with:
@@ -37,6 +39,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: Set up Kerberos
+      run: sudo apt-get install -y libkrb5-dev krb5-kdc krb5-admin-server
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
diff --git a/.pylintrc b/.pylintrc
@@ -1,6 +1,7 @@
 [MESSAGES CONTROL]
 
 disable=
+    import-outside-toplevel,
     invalid-name,
     missing-class-docstring,
     missing-function-docstring,
diff --git a/README.md b/README.md
@@ -46,7 +46,7 @@ if __name__ == "__main__":
     asyncio.run(server.serve_forever())
 ```
 
-Using [sqlglot](https://github.com/tobymao/sqlglot), the abstract `Session` class handles queries to metadata, variables, etc. that many MySQL clients expect. 
+Using [sqlglot](https://github.com/tobymao/sqlglot), the abstract `Session` class handles queries to metadata, variables, etc. that many MySQL clients expect.
 
 To bypass this default behavior, you can implement the [`mysql_mimic.session.BaseSession`](mysql_mimic/session.py) interface.
 
@@ -63,7 +63,10 @@ MySQL-mimic has built in support for several standard MySQL authentication plugi
   - This is typically used as the client plugin for a custom server plugin. As such, MySQL-mimic provides an abstract class, [`mysql_mimic.auth.AbstractClearPasswordAuthPlugin`](mysql_mimic/auth.py), which can be extended.
   - [example](examples/auth_clear_password.py)
 - [mysql_no_login](https://dev.mysql.com/doc/refman/8.0/en/no-login-pluggable-authentication.html)
-  - The server prevents clients from directly authenticating as an account. See the documentation for relevant use cases. 
+  - The server prevents clients from directly authenticating as an account. See the documentation for relevant use cases.
+- [authentication_kerberos](https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/kerberos-pluggable-authentication.html)
+  - Kerberos uses tickets together with symmetric-key cryptography, enabling authentication without sending passwords over the network. Kerberos authentication supports userless and passwordless scenarios.
+
 
 By default, a session naively accepts whatever username the client provides.
 
@@ -73,15 +76,15 @@ Custom plugins can be created by extending [`mysql_mimic.auth.AuthPlugin`](mysql
 
 ## Development
 
-You can install dependencies with `make deps`. 
+You can install dependencies with `make deps`.
 
-You can format your code with `make format`. 
+You can format your code with `make format`.
 
-You can lint with `make lint`. 
+You can lint with `make lint`.
 
 You can check type annotations with `make types`.
 
-You can run tests with `make test`. This will build a coverage report in `./htmlcov/index.html`. 
+You can run tests with `make test`. This will build a coverage report in `./htmlcov/index.html`.
 
 You can run all the checks with `make check`.
 
diff --git a/integration/mysql-connector-j/Makefile b/integration/mysql-connector-j/Makefile
@@ -2,3 +2,6 @@
 
 test:
 	mvn test
+
+test-debug:
+	mvn -X test
diff --git a/integration/mysql-connector-j/src/test/java/com/mysql_mimic/integration/IntegrationTest.java b/integration/mysql-connector-j/src/test/java/com/mysql_mimic/integration/IntegrationTest.java
@@ -6,6 +6,7 @@
 import java.sql.Connection;
 import java.sql.DriverManager;
 import java.sql.Statement;
+import java.sql.SQLException;
 import java.sql.ResultSet;
 import java.util.ArrayList;
 import java.util.List;
@@ -36,4 +37,51 @@ public void test() throws Exception {
 
         assertEquals(expected, result);
     }
+
+    @Test
+    public void testKrb5() throws Exception {
+        // System.setProperty("sun.security.krb5.debug", "True");
+        // System.setProperty("sun.security.jgss.debug", "True");
+        System.setProperty("java.security.krb5.conf", System.getenv("KRB5_CONFIG"));
+        System.setProperty("java.security.auth.login.config", System.getenv("JAAS_CONFIG"));
+
+        Class.forName("com.mysql.cj.jdbc.Driver").newInstance();
+
+        String port = System.getenv("PORT");
+        String url = String.format("jdbc:mysql://127.0.0.1:%s/?defaultAuthenticationPlugin=authentication_kerberos_client", port);
+
+        Connection conn = DriverManager.getConnection(url);
+
+        Statement stmt = conn.createStatement();
+        ResultSet rs = stmt.executeQuery("SELECT a FROM x ORDER BY a");
+
+        List<Integer> result = new ArrayList<>();
+        while (rs.next()) {
+            result.add(rs.getInt("a"));
+        }
+
+        List<Integer> expected = new ArrayList<>();
+        expected.add(1);
+        expected.add(2);
+        expected.add(3);
+
+        assertEquals(expected, result);
+    }
+
+    @Test(expected = SQLException.class)
+    public void testKrb5IncorrectUser() throws Exception {
+        System.setProperty("java.security.krb5.conf", System.getenv("KRB5_CONFIG"));
+        System.setProperty("java.security.auth.login.config", System.getenv("JAAS_CONFIG"));
+
+        Class.forName("com.mysql.cj.jdbc.Driver").newInstance();
+
+        String user = "incorrect_user";
+        String port = System.getenv("PORT");
+        String url = String.format("jdbc:mysql://%s@127.0.0.1:%s/?defaultAuthenticationPlugin=authentication_kerberos_client", user, port);
+
+        Connection conn = DriverManager.getConnection(url);
+
+        Statement stmt = conn.createStatement();
+        stmt.executeQuery("SELECT a FROM x ORDER BY a");
+    }
 }
diff --git a/integration/run.py b/integration/run.py
@@ -3,8 +3,10 @@
 import asyncio
 import os
 import sys
+import tempfile
 import time
 
+import k5test
 from sqlglot.executor import execute
 
 from mysql_mimic import (
@@ -14,6 +16,7 @@
     User,
     Session,
 )
+from mysql_mimic.auth import KerberosAuthPlugin
 
 logger = logging.getLogger(__name__)
 
@@ -46,22 +49,36 @@ async def schema(self):
 
 
 class CustomIdentityProvider(IdentityProvider):
-    def __init__(self):
-        self.passwords = {"user": "password"}
+    def __init__(self, krb5_service, krb5_realm):
+        self.users = {
+            "user": {"auth_plugin": "mysql_native_password", "password": "password"},
+            "krb5_user": {"auth_plugin": "authentication_kerberos"},
+        }
+        self.krb5_service = krb5_service
+        self.krb5_realm = krb5_realm
 
     def get_plugins(self):
-        return [NativePasswordAuthPlugin()]
+        return [
+            NativePasswordAuthPlugin(),
+            KerberosAuthPlugin(service=self.krb5_service, realm=self.krb5_realm),
+        ]
 
     async def get_user(self, username):
-        password = self.passwords.get(username)
-        if password is not None:
-            return User(
-                name=username,
-                auth_string=NativePasswordAuthPlugin.create_auth_string(password)
-                if password
-                else None,
-                auth_plugin=NativePasswordAuthPlugin.name,
-            )
+        user = self.users.get(username)
+        if user is not None:
+            auth_plugin = user["auth_plugin"]
+
+            if auth_plugin == "mysql_native_password":
+                password = user.get("password")
+                return User(
+                    name=username,
+                    auth_string=NativePasswordAuthPlugin.create_auth_string(password)
+                    if password
+                    else None,
+                    auth_plugin=NativePasswordAuthPlugin.name,
+                )
+            elif auth_plugin == "authentication_kerberos":
+                return User(name=username, auth_plugin=KerberosAuthPlugin.name)
         return None
 
 
@@ -77,26 +94,73 @@ async def wait_for_port(port, host="localhost", timeout=5.0):
                 raise TimeoutError()
 
 
+def setup_krb5(krb5_user):
+    realm = k5test.K5Realm()
+    krb5_user_princ = f"{krb5_user}@{realm.realm}"
+    realm.addprinc(krb5_user_princ, realm.password(krb5_user))
+    realm.kinit(krb5_user_princ, realm.password(krb5_user))
+    return realm
+
+
+def write_jaas_conf(realm, debug=False):
+    conf = f"""
+MySQLConnectorJ {{
+     com.sun.security.auth.module.Krb5LoginModule
+     required
+     debug={str(debug).lower()}
+     useTicketCache=true
+     ticketCache="{realm.env["KRB5CCNAME"]}";
+}};
+    """
+    path = tempfile.mktemp()
+    with open(path, "w") as f:
+        f.write(conf)
+
+    return path
+
+
 async def main():
     parser = argparse.ArgumentParser()
     parser.add_argument("test_dir")
     parser.add_argument("-p", "--port", type=int, default=3308)
     args = parser.parse_args()
 
     logging.basicConfig(level=logging.DEBUG)
-    identity_provider = CustomIdentityProvider()
-    server = MysqlServer(identity_provider=identity_provider, session_factory=MySession)
-    await server.start_server(port=args.port)
-    await wait_for_port(port=args.port)
-    process = await asyncio.create_subprocess_shell(
-        "make test",
-        env={**os.environ, "PORT": str(args.port)},
-        cwd=args.test_dir,
-    )
-    return_code = await process.wait()
-    server.close()
-    await server.wait_closed()
-    return return_code
+    realm = None
+    jaas_conf = None
+
+    try:
+        realm = setup_krb5(krb5_user="krb5_user")
+        os.environ.update(realm.env)
+
+        jaas_conf = write_jaas_conf(realm)
+        os.environ["JAAS_CONFIG"] = jaas_conf
+
+        krb5_service = realm.host_princ[: realm.host_princ.index("@")]
+        identity_provider = CustomIdentityProvider(
+            krb5_service=krb5_service, krb5_realm=realm.realm
+        )
+        server = MysqlServer(
+            identity_provider=identity_provider, session_factory=MySession
+        )
+
+        await server.start_server(port=args.port)
+        await wait_for_port(port=args.port)
+        process = await asyncio.create_subprocess_shell(
+            "make test",
+            env={**os.environ, "PORT": str(args.port)},
+            cwd=args.test_dir,
+        )
+        return_code = await process.wait()
+
+        server.close()
+        await server.wait_closed()
+        return return_code
+    finally:
+        if realm:
+            realm.stop()
+        if jaas_conf:
+            os.remove(jaas_conf)
 
 
 if __name__ == "__main__":
diff --git a/mysql_mimic/auth.py b/mysql_mimic/auth.py
@@ -175,6 +175,53 @@ def create_auth_string(cls, password: str) -> str:
         return sha1(sha1(password.encode("utf-8")).digest()).hexdigest()
 
 
+class KerberosAuthPlugin(AuthPlugin):
+    """
+    This plugin implements the Generic Security Service Application Program Interface (GSS-API) by way of the Kerberos
+    mechanism as described in RFC1964(https://www.rfc-editor.org/rfc/rfc1964.html).
+    """
+
+    name = "authentication_kerberos"
+    client_plugin_name = "authentication_kerberos_client"
+
+    def __init__(self, service: str, realm: str) -> None:
+        self.service = service
+        self.realm = realm
+
+    async def auth(self, auth_info: Optional[AuthInfo] = None) -> AuthState:
+        import gssapi
+
+        # Fast authentication not supported
+        if not auth_info:
+            yield b""
+
+        auth_info = (
+            yield len(self.service).to_bytes(2, "little")
+            + self.service.encode("utf-8")
+            + len(self.realm).to_bytes(2, "little")
+            + self.realm.encode("utf-8")
+        )
+
+        server_creds = gssapi.Credentials(
+            usage="accept", name=gssapi.Name(f"{self.service}@{self.realm}")
+        )
+        server_ctx = gssapi.SecurityContext(usage="accept", creds=server_creds)
+
+        client_name = gssapi.Name(f"{auth_info.username}@{self.realm}").canonicalize(
+            gssapi.MechType.kerberos
+        )
+        client_token = auth_info.data
+
+        server_token = server_ctx.step(client_token)
+
+        if server_ctx.initiator_name == client_name:
+            if gssapi.RequirementFlag.mutual_authentication in server_ctx.actual_flags:
+                auth_info = yield server_token
+            yield Success(auth_info.username)
+        else:
+            yield Forbidden()
+
+
 class NoLoginAuthPlugin(AuthPlugin):
     """
     Standard plugin that prevents all clients from direct login.
diff --git a/setup.py b/setup.py
@@ -23,6 +23,8 @@
             "mysql-connector-python",
             "black",
             "coverage",
+            "gssapi",
+            "k5test",
             "pylint",
             "pytest",
             "pytest-asyncio",
@@ -31,6 +33,7 @@
             "twine",
             "wheel",
         ],
+        "krb5": ["gssapi"],
     },
     classifiers=[
         "Development Status :: 3 - Alpha",
