-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement support for cleartext authentication plugin #171
Implement support for cleartext authentication plugin #171
Conversation
In the auth switch, the server can request the client to send the password in cleartext. The client will only send the password in cleartext if `enable_cleartext_plugin` flag is true. Otherwise, raise `Trilogy::AuthPluginError`.
These tests rely on a mysql test server plugin (https://github.com/mysql/mysql-server/blob/824e2b4064053f7daf17d7f3f84b7a3ed92e5fb4/plugin/auth/test_plugin.cc#L176-L217) It is unclear if this test plugin will continue to exist in the future, but it will do for now.
Co-authored-by: Daniel Colson <composerinteralia@github.com>
I created an issue on the MySQL docker repo to see if they'd be open to building and tagging a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great to me, but I'll leave it for a bit in case anybody else has feedback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This probably shouldn't be committed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we be building our own MySQL image instead of committing the plugins?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can and should, but that would be quite a big detour from the original intent of this PR. I suggest we land as-is then I can spend some time refactoring the test setup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Follow up sounds good to me 👍 Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been addressed here: #174
Co-authored-by: Jean byroot Boussier <jean.boussier+github@shopify.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this! Would you mind squashing your commits?
My preference would be for us to build our own MySQL image extending mysql-community-test
over checking in those plugins, but don't feel strongly if folks would prefer to ship as is.
@@ -0,0 +1,16 @@ | |||
require "test_helper" | |||
|
|||
class AuthTest < TrilogyTest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it make sense for the mysql_native_password
and caching_sha2_password
connection tests from client_test.rb
to live in this test suite too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I could only add it for native password. We don't use cache_sha2 for mysql 5 so the ruby test fails there. I'm going to revisit this after this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we already have that test elsewhere, but we can sort it out later. We might want to move all connection-related stuff into something like ConnectionTest.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we be building our own MySQL image instead of committing the plugins?
I do like a clean git history, but we haven't historically been as opinionated about this as (for example) Rails. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do like a clean git history, but we haven't historically been as opinionated about this as (for example) Rails.
I'll defer to you folks, I wasn't sure if we were following Rails' stance of squash-everything-before-merge! 🙇♀️
79e5e56
to
e9a4c65
Compare
Thank you! |
Followup to #171 (comment) This puts the caching_sha2 and native plugin tests together with the cleartext ones.
Resolves: #157
Redo of: #168
The server doesn't request for cleartext plugin in the first handshake as it is not a default plugin. The client should only provide cleartext password when the server requests an auth switch to it, and the client has
enable_cleartext_plugin
option enabled. If the client does not have cleartext auth plugin enabled, we will raise aTrilogy::AuthPluginError
.This is the authentication flow for a server that uses the cleartext client side plugin (#168 (comment)):
This PR introduces these changes:
cc: @ngan @composerinteralia