Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement support for cleartext authentication plugin #171

Conversation

wildmaples
Copy link
Contributor

@wildmaples wildmaples commented Apr 3, 2024

Resolves: #157
Redo of: #168

The server doesn't request for cleartext plugin in the first handshake as it is not a default plugin. The client should only provide cleartext password when the server requests an auth switch to it, and the client has enable_cleartext_plugin option enabled. If the client does not have cleartext auth plugin enabled, we will raise a Trilogy::AuthPluginError.

This is the authentication flow for a server that uses the cleartext client side plugin (#168 (comment)):

Server sends handshake, with auth plugin caching_sha2_password
Client sends handshake response, still with auth plugin caching_sha2_password
Server sends auth switch request, now with auth plugin mysql_clear_password
Client sends auth switch response with just the cleartext password and nothing else
Server sends OK and we are connected

This PR introduces these changes:

  • Supports cleartext auth plugin!
  • Raises when the server auth switches to a plugin that Trilogy does not support. Note that at the moment Trilogy supports mysql_native_password, caching_sha2_password and now mysql_clear_password. This is the recommended behaviour according to mysql docs "Authentication Method Mismatch".
  • Adds a test dependency on this mysql test server plugin. It's unclear if the file will stick around in the long term but seeing that it is only a test dependency and makes our lives easier than the alternative testing options, we are inclined to just use it for the time being.

cc: @ngan @composerinteralia

In the auth switch, the server can request the
client to send the password in cleartext. The
client will only send the password in cleartext
if `enable_cleartext_plugin` flag is true. Otherwise,
raise `Trilogy::AuthPluginError`.
These tests rely on a mysql test server plugin
(https://github.com/mysql/mysql-server/blob/824e2b4064053f7daf17d7f3f84b7a3ed92e5fb4/plugin/auth/test_plugin.cc#L176-L217)

It is unclear if this test plugin will continue to exist
in the future, but it will do for now.
src/protocol.c Outdated Show resolved Hide resolved
@ngan
Copy link
Contributor

ngan commented Apr 4, 2024

I created an issue on the MySQL docker repo to see if they'd be open to building and tagging a mysql-community-test variant that we can use. If they do, we can switch to that and get the test auth plugin for free. If they don't, we can keep what we have (checked-in plugins for various mysql version), or build our own MySQL image.

docker-library/mysql#1040

Copy link
Contributor

@composerinteralia composerinteralia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great to me, but I'll leave it for a bit in case anybody else has feedback.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably shouldn't be committed?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be building our own MySQL image instead of committing the plugins?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can and should, but that would be quite a big detour from the original intent of this PR. I suggest we land as-is then I can spend some time refactoring the test setup.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow up sounds good to me 👍 Thanks!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been addressed here: #174

Co-authored-by: Jean byroot Boussier <jean.boussier+github@shopify.com>
Copy link
Collaborator

@adrianna-chang-shopify adrianna-chang-shopify left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this! Would you mind squashing your commits?

My preference would be for us to build our own MySQL image extending mysql-community-test over checking in those plugins, but don't feel strongly if folks would prefer to ship as is.

@@ -0,0 +1,16 @@
require "test_helper"

class AuthTest < TrilogyTest
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense for the mysql_native_password and caching_sha2_password connection tests from client_test.rb to live in this test suite too?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I could only add it for native password. We don't use cache_sha2 for mysql 5 so the ruby test fails there. I'm going to revisit this after this PR.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we already have that test elsewhere, but we can sort it out later. We might want to move all connection-related stuff into something like ConnectionTest.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be building our own MySQL image instead of committing the plugins?

@composerinteralia
Copy link
Contributor

Would you mind squashing your commits?

I do like a clean git history, but we haven't historically been as opinionated about this as (for example) Rails.

Copy link
Collaborator

@adrianna-chang-shopify adrianna-chang-shopify left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do like a clean git history, but we haven't historically been as opinionated about this as (for example) Rails.

I'll defer to you folks, I wasn't sure if we were following Rails' stance of squash-everything-before-merge! 🙇‍♀️

@ngan ngan force-pushed the cleartext-plugin-auth-switch branch 2 times, most recently from 79e5e56 to e9a4c65 Compare April 5, 2024 15:35
@composerinteralia composerinteralia merged commit 770961e into trilogy-libraries:main Apr 5, 2024
22 checks passed
@composerinteralia
Copy link
Contributor

Thank you!

composerinteralia added a commit that referenced this pull request Apr 8, 2024
Followup to #171 (comment)

This puts the caching_sha2 and native plugin tests together with the
cleartext ones.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support for cleartext password
5 participants