After hash pin

Author: Yashwant Sahu

libmysql/authentication_ldap/CMakeLists.txt

@@ -0,0 +1,31 @@
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+INCLUDE(CheckIncludeFiles)
+
+IF (NOT CMAKE_SYSTEM_NAME MATCHES "Win")
+  CHECK_INCLUDE_FILES(sasl/sasl.h HAVE_SASL_H)
+  CHECK_INCLUDE_FILES(lber.h HAVE_LBER_H)
+  IF(HAVE_SASL_H)
+    SET(CMAKE_EXTRA_INCLUDE_FILES sasl/sasl.h)
+  ENDIF()
+  IF(HAVE_LBER_H)
+    SET(CMAKE_EXTRA_INCLUDE_FILES lber.h)
+  ENDIF()
+  IF(NOT HAVE_SASL_H)
+    MESSAGE(STATUS "Required SASL library is missing. Skipping the LDAP authentication plugin.")
+    RETURN()
+  ENDIF()
+  IF(NOT HAVE_LBER_H)
+    MESSAGE(STATUS "Required LBER library is missing. Skipping the LDAP authentication plugin.")
+    RETURN()
+  ENDIF()
+ENDIF()
+
+# LDAP authentication SASL client will not build on windows, as windows don't have cyrus sasl.
+# IF someone like can build the cyrus sasl library on windows and build LDAP authentication sasl client as well.
+IF (NOT CMAKE_SYSTEM_NAME MATCHES "Win")
+  SET(HEADERS_CLIENT auth_ldap_sasl_client.h log.h)
+  SET(PLUGIN_CLIENT_SOURCES auth_ldap_sasl_client.cc log.cc)
+
+  ADD_CONVENIENCE_LIBRARY(authentication_ldap_sasl_client ${PLUGIN_CLIENT_SOURCES} ${HEADERS_CLIENT})
+  TARGET_LINK_LIBRARIES(authentication_ldap_sasl_client sasl2)
+ENDIF()

libmysql/authentication_ldap/auth_ldap_sasl_client.cc

@@ -0,0 +1,256 @@
+/* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. */
+
+#include "auth_ldap_sasl_client.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#ifndef _WIN32
+#include <lber.h>
+#include <sasl/sasl.h>
+#endif
+#include <mysql/client_plugin.h>
+#include <mysql.h>
+
+#define LDAP_LOG_INTO_FILE // Will add compile time option for this varaible
+#ifdef LDAP_LOG_INTO_FILE
+// Log into external log file
+Logger<Log_writer_file> g_logger("ldap_log_client.txt");
+#else
+// This will be redirect to error stream
+Logger<Log_writer_error> g_logger("");  
+#endif
+
+void Sasl_client::Interact(sasl_interact_t *ilist) {
+  while(ilist->id != SASL_CB_LIST_END) {
+    switch(ilist->id) {
+    case SASL_CB_USER: 
+      ilist->result = strdup(m_user_name);
+      ilist->len = strlen((const char*)ilist->result);
+      break;
+    case SASL_CB_AUTHNAME:			
+      ilist->result = strdup(m_user_name);
+      ilist->len = strlen((const char*)ilist->result);
+      break;
+    case SASL_CB_PASS:			
+      ilist->result = strdup(m_user_pwd);
+      ilist->len = strlen((const char*)ilist->result);
+      break;
+    default:
+      ilist->result =  NULL;
+      ilist->len = 0;
+    }
+    ilist++;
+  }
+}
+
+void Sasl_client::SetPluginInfo(MYSQL_PLUGIN_VIO *vio,  MYSQL *mysql) {
+  m_vio = vio;
+  m_mysql = mysql;
+}
+
+/*
+  SASL method is send from the Mysql server, and this is set by the client.
+  SASL client and sasl server may support many sasl authentication methods and can negotiate in anyone.
+  We want to inforce the SASL authentication set by the client.
+*/
+int Sasl_client::ReadMethodNameFromServer() {
+  int rc_server_read = CR_ERROR;
+  unsigned char* packet = NULL;
+  std::stringstream log_stream;
+
+  if(m_vio == NULL) {
+    return rc_server_read;
+  }
+  // Get authentication method from the server
+  rc_server_read = m_vio->read_packet(m_vio, (unsigned char**)&packet);
+  strncpy(m_mechanism, (const char*)packet, sizeof(m_mechanism));
+  log_stream << "Method name : " << m_mechanism;
+  log_info(log_stream.str());
+  return rc_server_read;
+}
+
+ Sasl_client::Sasl_client() {
+  m_connection =  NULL;
+}
+
+int Sasl_client::Initilize() {
+  int rc_sasl = SASL_FAIL;
+
+  strncpy(m_service_name, SASL_SERVICE_NAME, sizeof(m_service_name));
+
+  // Initialize client-side of SASL
+  rc_sasl = sasl_client_init(NULL);
+  if(rc_sasl != SASL_OK) 
+    goto EXIT;
+
+  // Creating sasl connection
+  rc_sasl = sasl_client_new(m_service_name, NULL, NULL, NULL, callbacks,
+                            0, &m_connection);
+  if(rc_sasl != SASL_OK) 
+    goto EXIT;
+
+  // Set security peoperties
+  sasl_setprop(m_connection, SASL_SEC_PROPS, &security_properties);
+  rc_sasl= SASL_OK;
+EXIT:
+  return rc_sasl;
+}
+
+int Sasl_client::UnInitilize() {
+  int rc_sasl = SASL_FAIL;
+  if (m_connection) {
+    sasl_dispose(&m_connection);
+    m_connection =  NULL;
+    sasl_client_done();
+  }
+  return rc_sasl;
+}
+
+int Sasl_client::SendSaslRequestToServer(const unsigned char *request, int request_len, unsigned char** response, int* response_len) {
+  int rc_server = CR_ERROR;
+  std::stringstream log_stream;
+
+  if(m_vio == NULL) {
+    goto EXIT;
+  }
+  // Send the request to the MySQL server
+  log_stream << "Sasl_client::SendSaslRequestToServer request:" << request;
+  log_info(log_stream.str());
+  rc_server = m_vio->write_packet(m_vio, request, request_len);
+  if(rc_server) {
+    log_error("Sasl_client::SendSaslRequestToServer: sasl request write failed");
+    goto EXIT;
+  }
+
+  // Get the sasl reponse from the MySQL server
+  *response_len = m_vio->read_packet(m_vio, response);
+  if((*response_len) < 0 || (*response == NULL)) {
+    log_error("Sasl_client::SendSaslRequestToServer: sasl reponse read failed");
+    goto EXIT;
+  }
+  log_stream.str("");
+  log_stream << "Sasl_client::SendSaslRequestToServer response:" << *response;
+EXIT:
+  return rc_server;
+}
+
+int Sasl_client::SaslStart(char **client_output, int* client_output_length) {
+  int rc_sasl = SASL_FAIL;
+  const char *mechanisum = NULL;
+  char* sasl_client_output = NULL;
+  sasl_interact_t *interactions = NULL;
+  std::stringstream log_stream;
+
+  if(m_connection == NULL) {
+    log_error("Sasl_client::SaslStart: sasl connection is null");
+    return rc_sasl;
+  }
+  do {
+     rc_sasl = sasl_client_start(m_connection, m_mechanism, &interactions,
+                                 (const char**)&sasl_client_output,  (unsigned int *)client_output_length, 
+                                 &mechanisum);
+
+     if(rc_sasl == SASL_INTERACT) Interact(interactions);
+  }
+  while(rc_sasl == SASL_INTERACT);
+
+  if(client_output != NULL) {
+    *client_output = sasl_client_output;
+    log_stream << "Sasl_client::SaslStart sasl output: " << sasl_client_output;
+    log_info(log_stream.str());
+  }
+  return rc_sasl;
+}
+
+int Sasl_client::SaslStep(char* server_in, int server_in_length, char** client_out, int* client_out_length)
+{
+  int rc_sasl = SASL_FAIL;
+  sasl_interact_t *interactions = NULL;
+
+  if(m_connection == NULL) {
+    return rc_sasl;
+  }
+  do {
+     rc_sasl = sasl_client_step(m_connection,
+                                server_in, server_in_length,
+                                &interactions,
+                                (const char**)client_out, (unsigned int *)client_out_length);
+     if(rc_sasl == SASL_INTERACT) Sasl_client::Interact(interactions);
+  } 
+  while(rc_sasl == SASL_INTERACT);
+
+  return rc_sasl;
+}
+
+void Sasl_client::SetUserInfo(std::string name, std::string pwd) {
+  strncpy(m_user_name, name.c_str(), sizeof(m_user_name));
+  strncpy(m_user_pwd, pwd.c_str(), sizeof(m_user_pwd));
+}
+
+static int sasl_authenticate(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) {
+  int rc_sasl = SASL_FAIL;
+  int rc_auth = CR_ERROR;
+  unsigned char* server_packet = NULL;
+  int server_packet_len = 0;
+  char *sasl_client_output = NULL;
+  int sasl_client_output_len = 0;
+  std::stringstream log_stream;
+
+  Sasl_client sasl_client;
+  sasl_client.SetUserInfo(mysql->user, mysql->passwd);
+  sasl_client.SetPluginInfo(vio, mysql);
+  server_packet_len = sasl_client.ReadMethodNameFromServer();
+  if(server_packet_len < 0) {
+    log_error("sasl_authenticate: method name read from server side plugin failed");
+    goto EXIT;
+  }
+
+  rc_sasl = sasl_client.Initilize();
+  if(rc_sasl != SASL_OK) {
+    log_error("sasl_authenticate: initilize failed");
+    goto EXIT;
+  }
+
+  rc_sasl = sasl_client.SaslStart(&sasl_client_output, &sasl_client_output_len);
+  if((rc_sasl != SASL_OK) && (rc_sasl != SASL_CONTINUE)) {
+    log_error("sasl_authenticate: SaslStart failed");
+    goto EXIT;
+  }
+
+  // Running SASL authentication step till authentication process is concluded
+  // MySQL server plugin working as proxy for SASL / LDAP server.
+  do {
+    rc_auth = sasl_client.SendSaslRequestToServer((const unsigned char *)sasl_client_output,sasl_client_output_len,&server_packet,&server_packet_len);
+    if(rc_auth < 0) {
+      goto EXIT;
+    }
+
+    server_packet_len = strlen((const char*)server_packet);  // To be remove
+    rc_sasl = sasl_client.SaslStep((char*)server_packet,server_packet_len,&sasl_client_output,&sasl_client_output_len);
+  } while (rc_sasl == SASL_CONTINUE );
+
+  if(rc_sasl == SASL_OK) {
+    rc_auth = CR_OK;
+    log_info("sasl_authenticate authentication successful");
+  }
+  else {
+    log_error("sasl_authenticate client failed");
+  }
+
+EXIT:
+  rc_sasl = sasl_client.UnInitilize();
+  return rc_auth;
+}
+
+mysql_declare_client_plugin(AUTHENTICATION)
+  "authentication_ldap_sasl_client",
+  "Oracle",
+  "LDAP SASL Client Authentication Plugin",
+  {0,1,0},
+  "PROPRIETARY",
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  sasl_authenticate
+mysql_end_client_plugin;

libmysql/authentication_ldap/auth_ldap_sasl_client.h

@@ -0,0 +1,63 @@
+/* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. */
+
+#ifndef AUTH_LDAP_SASL_CLIENT_H_
+#define AUTH_LDAP_SASL_CLIENT_H_
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sasl/sasl.h>
+#include <mysql/client_plugin.h>
+#include <mysql/plugin.h>
+#include <mysql/plugin_auth_common.h>
+#include <mysql.h>
+#include "log.h"
+
+#define SASL_MAX_STR_SIZE 1024
+#define SASL_BUFFER_SIZE 9000
+#define SASL_SERVICE_NAME "ldap"
+
+static const sasl_callback_t callbacks[] = {
+#ifdef SASL_CB_GETREALM
+  {SASL_CB_GETREALM, NULL, NULL},
+#endif
+  {SASL_CB_USER, NULL, NULL},
+  {SASL_CB_AUTHNAME, NULL, NULL},
+  {SASL_CB_PASS, NULL, NULL},
+  {SASL_CB_ECHOPROMPT, NULL, NULL},
+  {SASL_CB_NOECHOPROMPT, NULL, NULL},
+  {SASL_CB_LIST_END, NULL, NULL}
+};
+
+sasl_security_properties_t security_properties = {
+  0,
+  1,
+  0,
+  0,
+  NULL,
+  NULL,
+};
+
+class Sasl_client {
+public:
+  Sasl_client();
+  int Initilize();
+  int UnInitilize();
+  void SetPluginInfo(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql);
+  void Interact(sasl_interact_t *ilist);
+  int ReadMethodNameFromServer();
+  int SaslStart(char **client_output, int* client_output_length);
+  int SaslStep(char* server_in, int server_in_length, char** client_out, int* client_out_length);
+  int SendSaslRequestToServer(const unsigned char *request, int request_len, unsigned char** reponse, int* response_len);
+  void SetUserInfo(std::string name, std::string pwd);
+protected:
+  char m_user_name[SASL_MAX_STR_SIZE];
+  char m_user_pwd[SASL_MAX_STR_SIZE];
+  char m_mechanism[SASL_MAX_STR_SIZE];
+  char m_service_name[SASL_MAX_STR_SIZE];
+  sasl_conn_t *m_connection;
+  MYSQL_PLUGIN_VIO *m_vio;
+  MYSQL *m_mysql;
+};
+
+#endif //AUTH_LDAP_SASL_CLIENT_H_