
THRIFT-5926: Fix TSaslClientTransport.open() for DIGEST-MD5 #3342

Open
ShreyeshArangath wants to merge 1 commit into apache:master from ShreyeshArangath:feat/digest-5

@ShreyeshArangath ShreyeshArangath commented Mar 16, 2026

Summary

This PR fixes multiple critical failures in TSaslClientTransport.open() when using challenge-response SASL mechanisms (like DIGEST-MD5). These issues previously led to TypeErrors, failed mutual authentication, and protocol desynchronization.

Here are some of the problems:

  1. Mechanisms where the server speaks first, like DIGEST-MD5, cause sasl.process() to return None. Passing this to send_sasl_msg triggered len(None), killing the connection instantly.
  2. The client was ignoring the final server challenge in the COMPLETE message. This prevented the client from verifying the server’s identity (rspauth) and left the SASL state machine in an incomplete state.
  3. recv_sasl_msg returned a string ("") instead of bytes (b"") for zero-length payloads, risking downstream failures in puresasl.

  • Did you create an Apache Jira ticket? (Request account here, not required for trivial changes)
  • If a ticket exists: Does your pull request title follow the pattern "THRIFT-NNNN: describe my issue"?
  • Did you squash your changes to a single commit? (not required, but preferred)
  • Did you do your best to avoid breaking changes? If one was needed, did you label the Jira ticket with "Breaking-Change"?
  • If your change does not involve any code, include [skip ci] anywhere in the commit message to free up build resources.

@ShreyeshArangath ShreyeshArangath changed the title from "[THRIFT-5926][Python] Fix TSaslClientTransport.open() for DIGEST-MD5" to "THRIFT-5926: Fix TSaslClientTransport.open() for DIGEST-MD5" Mar 16, 2026
@mergeable mergeable bot added the python label Mar 16, 2026

- Handle None initial response from sasl.process() with explicit
  is-not-None check instead of or-coercion
- Process server's final challenge on COMPLETE status (rspauth
  verification for DIGEST-MD5)
- Add None guard in send_sasl_msg to match Java TSaslTransport
- Fix recv_sasl_msg to return b"" instead of "" for zero-length payloads
- Add unit tests for SASL negotiation including error paths
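
The three fixes listed above, shown as an added Python sketch that is not the PR's code or Thrift's implementation. The status values and the 1-byte status plus 4-byte length framing follow Thrift's SASL transport; `pack_sasl_msg`, `read_sasl_msg`, `negotiate`, `sample_server`, `ToyServerFirstMech` and its `rspauth=expected` token are hypothetical names and constructed values standing in for puresasl and a real server.

```python
import io
import struct

START, OK, BAD, ERROR, COMPLETE = 1, 2, 3, 4, 5  # Thrift SASL status bytes

def pack_sasl_msg(status, body):
    """Frame: 1-byte status, 4-byte big-endian length, payload."""
    body = b"" if body is None else body  # None guard; len(None) is a TypeError
    return struct.pack(">BI", status, len(body)) + body

def read_sasl_msg(stream):
    status, length = struct.unpack(">BI", stream.read(5))
    return status, (stream.read(length) if length else b"")  # bytes, never ""

class ToyServerFirstMech:
    """Hypothetical server-first mechanism (constructed; not puresasl)."""
    complete = False

    def process(self, challenge=None):
        if challenge is None:
            return None  # server speaks first: no initial response
        if challenge.startswith(b"rspauth="):
            if challenge != b"rspauth=expected":
                raise ValueError("server failed mutual authentication")
            self.complete = True
            return None
        return b"response-to:" + challenge

def negotiate(mech, name, server_stream):
    """Run the client side; return every byte the client would send."""
    initial = mech.process()
    sent = pack_sasl_msg(START, name)
    sent += pack_sasl_msg(OK, initial if initial is not None else b"")
    while True:
        status, payload = read_sasl_msg(server_stream)
        if status == OK:
            sent += pack_sasl_msg(OK, mech.process(payload))
        elif status == COMPLETE:
            if payload:  # final server challenge (rspauth) must be processed
                mech.process(payload)
            if not mech.complete:
                raise ValueError("COMPLETE received but mechanism is not complete")
            return sent
        else:
            raise ValueError("bad SASL status %d: %r" % (status, payload))

def sample_server():  # constructed server side of the exchange
    return io.BytesIO(pack_sasl_msg(OK, b"nonce=abc")
                      + pack_sasl_msg(COMPLETE, b"rspauth=expected"))
```

A COMPLETE frame with an empty payload, or one whose final token does not verify, ends in an error here instead of a connection that looks authenticated.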