Export auth interface to allow external implementations e.g. krb5 - V1-Candidate

appveyor.yml

@@ -57,7 +57,7 @@ install:
   - go env
   - go get -u github.com/golang-sql/civil
   - go get -u github.com/golang-sql/sqlexp
-
+  - go get -u golang.org/x/crypto/md4
 build_script:
   - go build
 

auth_unix.go

@@ -0,0 +1,15 @@
+// +build !windows
+
+package mssql
+
+import (
+	"github.com/microsoft/go-mssqldb/integratedauth"
+	// nolint importing the ntlm package causes it to be registered as an available authentication provider
+	_ "github.com/microsoft/go-mssqldb/integratedauth/ntlm"
+)
+
+func init() {
+	// we set the default authentication provider name here, rather than within each imported package,
+	// to force a known default. Go will order execution of init() calls but it is better to be explicit.
+	integratedauth.DefaultProviderName = "ntlm"
+}

auth_windows.go

@@ -0,0 +1,18 @@
+// +build windows
+
+package mssql
+
+import (
+	"github.com/microsoft/go-mssqldb/integratedauth"
+
+	// nolint importing the ntlm package causes it to be registered as an available authentication provider
+	_ "github.com/microsoft/go-mssqldb/integratedauth/ntlm"
+	// nolint importing the winsspi package causes it to be registered as an available authentication provider
+	_ "github.com/microsoft/go-mssqldb/integratedauth/winsspi"
+)
+
+func init() {
+	// we set the default authentication provider name here, rather than within each imported package,
+	// to force a known default. Go will order execution of init() calls but it is better to be explicit.
+	integratedauth.DefaultProviderName = "winsspi"
+}

azuread/configuration.go

@@ -53,7 +53,7 @@ type azureFedAuthConfig struct {
 
 // parse returns a config based on an msdsn-style connection string
 func parse(dsn string) (*azureFedAuthConfig, error) {
-	mssqlConfig, params, err := msdsn.Parse(dsn)
+	mssqlConfig, err := msdsn.Parse(dsn)
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +62,7 @@ func parse(dsn string) (*azureFedAuthConfig, error) {
 		mssqlConfig:    mssqlConfig,
 	}
 
-	err = config.validateParameters(params)
+	err = config.validateParameters(mssqlConfig.Parameters)
 	if err != nil {
 		return nil, err
 	}

azuread/configuration_test.go

@@ -1,128 +1,128 @@
-//go:build go1.18
-// +build go1.18
-
-package azuread
-
-import (
-	"testing"
-
-	mssql "github.com/microsoft/go-mssqldb"
-	"github.com/microsoft/go-mssqldb/msdsn"
-)
-
-func TestValidateParameters(t *testing.T) {
-	passphrase := "somesecret"
-	certificatepath := "/user/cert/cert.pfx"
-	appid := "applicationclientid=someguid"
-	certprop := "clientcertpath=" + certificatepath
-	tests := []struct {
-		name     string
-		dsn      string
-		expected *azureFedAuthConfig
-	}{
-		{
-			name:     "no fed auth configured",
-			dsn:      "server=someserver",
-			expected: &azureFedAuthConfig{fedAuthLibrary: mssql.FedAuthLibraryReserved},
-		},
-		{
-			name: "application with cert/key",
-			dsn:  `sqlserver://service-principal-id%40tenant-id:somesecret@someserver.database.windows.net?fedauth=ActiveDirectoryApplication&` + certprop + "&" + appid,
-			expected: &azureFedAuthConfig{
-				fedAuthLibrary:      mssql.FedAuthLibraryADAL,
-				clientID:            "service-principal-id",
-				tenantID:            "tenant-id",
-				certificatePath:     certificatepath,
-				clientSecret:        passphrase,
-				adalWorkflow:        mssql.FedAuthADALWorkflowPassword,
-				fedAuthWorkflow:     ActiveDirectoryApplication,
-				applicationClientID: "someguid",
-			},
-		},
-		{
-			name: "application with cert/key missing tenant id",
-			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryApplication;user id=service-principal-id;password=somesecret;" + certprop + ";" + appid,
-			expected: &azureFedAuthConfig{
-				fedAuthLibrary:      mssql.FedAuthLibraryADAL,
-				clientID:            "service-principal-id",
-				certificatePath:     certificatepath,
-				clientSecret:        passphrase,
-				adalWorkflow:        mssql.FedAuthADALWorkflowPassword,
-				fedAuthWorkflow:     ActiveDirectoryApplication,
-				applicationClientID: "someguid",
-			},
-		},
-		{
-			name: "application with secret",
-			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryServicePrincipal;user id=service-principal-id@tenant-id;password=somesecret;",
-			expected: &azureFedAuthConfig{
-				clientID:        "service-principal-id",
-				tenantID:        "tenant-id",
-				clientSecret:    passphrase,
-				adalWorkflow:    mssql.FedAuthADALWorkflowPassword,
-				fedAuthWorkflow: ActiveDirectoryServicePrincipal,
-			},
-		},
-		{
-			name: "user with password",
-			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryPassword;user id=azure-ad-user@example.com;password=somesecret;" + appid,
-			expected: &azureFedAuthConfig{
-				adalWorkflow:        mssql.FedAuthADALWorkflowPassword,
-				user:                "azure-ad-user@example.com",
-				password:            passphrase,
-				applicationClientID: "someguid",
-				fedAuthWorkflow:     ActiveDirectoryPassword,
-			},
-		},
-		{
-			name: "managed identity without client id",
-			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryMSI",
-			expected: &azureFedAuthConfig{
-				adalWorkflow:    mssql.FedAuthADALWorkflowMSI,
-				fedAuthWorkflow: ActiveDirectoryMSI,
-			},
-		},
-		{
-			name: "managed identity with client id",
-			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryManagedIdentity;user id=identity-client-id",
-			expected: &azureFedAuthConfig{
-				adalWorkflow:    mssql.FedAuthADALWorkflowMSI,
-				clientID:        "identity-client-id",
-				fedAuthWorkflow: ActiveDirectoryManagedIdentity,
-			},
-		},
-		{
-			name: "managed identity with resource id",
-			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryManagedIdentity;resource id=/subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}",
-			expected: &azureFedAuthConfig{
-				adalWorkflow:    mssql.FedAuthADALWorkflowMSI,
-				resourceID:      "/subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}",
-				fedAuthWorkflow: ActiveDirectoryManagedIdentity,
-			},
-		},
-	}
-	for _, tst := range tests {
-		config, err := parse(tst.dsn)
-		if tst.expected == nil {
-			if err == nil {
-				t.Errorf("No error returned when error expected in test case '%s'", tst.name)
-			}
-			continue
-		}
-		if err != nil {
-			t.Errorf("Error returned when none expected in test case '%s': %v", tst.name, err)
-			continue
-		}
-		if tst.expected.fedAuthLibrary != mssql.FedAuthLibraryReserved {
-			if tst.expected.fedAuthLibrary == 0 {
-				tst.expected.fedAuthLibrary = mssql.FedAuthLibraryADAL
-			}
-		}
-		// mssqlConfig is not idempotent due to pointers in it, plus we aren't testing its correctness here
-		config.mssqlConfig = msdsn.Config{}
-		if *config != *tst.expected {
-			t.Errorf("Captured parameters do not match in test case '%s'. Expected:%+v, Actual:%+v", tst.name, tst.expected, config)
-		}
-	}
-
-}
+//go:build go1.18
+// +build go1.18
+
+package azuread
+
+import (
+	"reflect"
+	"testing"
+
+	mssql "github.com/microsoft/go-mssqldb"
+	"github.com/microsoft/go-mssqldb/msdsn"
+)
+
+func TestValidateParameters(t *testing.T) {
+	passphrase := "somesecret"
+	certificatepath := "/user/cert/cert.pfx"
+	appid := "applicationclientid=someguid"
+	certprop := "clientcertpath=" + certificatepath
+	tests := []struct {
+		name     string
+		dsn      string
+		expected *azureFedAuthConfig
+	}{
+		{
+			name:     "no fed auth configured",
+			dsn:      "server=someserver",
+			expected: &azureFedAuthConfig{fedAuthLibrary: mssql.FedAuthLibraryReserved},
+		},
+		{
+			name: "application with cert/key",
+			dsn:  `sqlserver://service-principal-id%40tenant-id:somesecret@someserver.database.windows.net?fedauth=ActiveDirectoryApplication&` + certprop + "&" + appid,
+			expected: &azureFedAuthConfig{
+				fedAuthLibrary:      mssql.FedAuthLibraryADAL,
+				clientID:            "service-principal-id",
+				tenantID:            "tenant-id",
+				certificatePath:     certificatepath,
+				clientSecret:        passphrase,
+				adalWorkflow:        mssql.FedAuthADALWorkflowPassword,
+				fedAuthWorkflow:     ActiveDirectoryApplication,
+				applicationClientID: "someguid",
+			},
+		},
+		{
+			name: "application with cert/key missing tenant id",
+			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryApplication;user id=service-principal-id;password=somesecret;" + certprop + ";" + appid,
+			expected: &azureFedAuthConfig{
+				fedAuthLibrary:      mssql.FedAuthLibraryADAL,
+				clientID:            "service-principal-id",
+				certificatePath:     certificatepath,
+				clientSecret:        passphrase,
+				adalWorkflow:        mssql.FedAuthADALWorkflowPassword,
+				fedAuthWorkflow:     ActiveDirectoryApplication,
+				applicationClientID: "someguid",
+			},
+		},
+		{
+			name: "application with secret",
+			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryServicePrincipal;user id=service-principal-id@tenant-id;password=somesecret;",
+			expected: &azureFedAuthConfig{
+				clientID:        "service-principal-id",
+				tenantID:        "tenant-id",
+				clientSecret:    passphrase,
+				adalWorkflow:    mssql.FedAuthADALWorkflowPassword,
+				fedAuthWorkflow: ActiveDirectoryServicePrincipal,
+			},
+		},
+		{
+			name: "user with password",
+			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryPassword;user id=azure-ad-user@example.com;password=somesecret;" + appid,
+			expected: &azureFedAuthConfig{
+				adalWorkflow:        mssql.FedAuthADALWorkflowPassword,
+				user:                "azure-ad-user@example.com",
+				password:            passphrase,
+				applicationClientID: "someguid",
+				fedAuthWorkflow:     ActiveDirectoryPassword,
+			},
+		},
+		{
+			name: "managed identity without client id",
+			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryMSI",
+			expected: &azureFedAuthConfig{
+				adalWorkflow:    mssql.FedAuthADALWorkflowMSI,
+				fedAuthWorkflow: ActiveDirectoryMSI,
+			},
+		},
+		{
+			name: "managed identity with client id",
+			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryManagedIdentity;user id=identity-client-id",
+			expected: &azureFedAuthConfig{
+				adalWorkflow:    mssql.FedAuthADALWorkflowMSI,
+				clientID:        "identity-client-id",
+				fedAuthWorkflow: ActiveDirectoryManagedIdentity,
+			},
+		},
+		{
+			name: "managed identity with resource id",
+			dsn:  "server=someserver.database.windows.net;fedauth=ActiveDirectoryManagedIdentity;resource id=/subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}",
+			expected: &azureFedAuthConfig{
+				adalWorkflow:    mssql.FedAuthADALWorkflowMSI,
+				resourceID:      "/subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}",
+				fedAuthWorkflow: ActiveDirectoryManagedIdentity,
+			},
+		},
+	}
+	for _, tst := range tests {
+		config, err := parse(tst.dsn)
+		if tst.expected == nil {
+			if err == nil {
+				t.Errorf("No error returned when error expected in test case '%s'", tst.name)
+			}
+			continue
+		}
+		if err != nil {
+			t.Errorf("Error returned when none expected in test case '%s': %v", tst.name, err)
+			continue
+		}
+		if tst.expected.fedAuthLibrary != mssql.FedAuthLibraryReserved {
+			if tst.expected.fedAuthLibrary == 0 {
+				tst.expected.fedAuthLibrary = mssql.FedAuthLibraryADAL
+			}
+		}
+		// mssqlConfig is not idempotent due to pointers in it, plus we aren't testing its correctness here
+		config.mssqlConfig = msdsn.Config{}
+		if !reflect.DeepEqual(config, tst.expected) {
+			t.Errorf("Captured parameters do not match in test case '%s'. Expected:%+v, Actual:%+v", tst.name, tst.expected, config)
+		}
+	}
+}

integratedauth/auth.go

@@ -0,0 +1,73 @@
+package integratedauth
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/microsoft/go-mssqldb/msdsn"
+)
+
+var (
+	providers           map[string]Provider
+	DefaultProviderName string
+
+	ErrProviderCannotBeNil         = errors.New("provider cannot be nil")
+	ErrProviderNameMustBePopulated = errors.New("provider name must be populated")
+)
+
+func init() {
+	providers = make(map[string]Provider)
+}
+
+// GetIntegratedAuthenticator calls the authProvider specified in the 'authenticator' connection string parameter, if supplied.
+// Otherwise fails back to the DefaultProviderName implementation for the platform.
+func GetIntegratedAuthenticator(config msdsn.Config) (IntegratedAuthenticator, error) {
+	authenticatorName, ok := config.Parameters["authenticator"]
+	if !ok {
+		provider, err := getProvider(DefaultProviderName)
+		if err != nil {
+			return nil, err
+		}
+
+		p, err := provider.GetIntegratedAuthenticator(config)
+		// we ignore the error in this case to force a fallback to sqlserver authentication.
+		// this preserves the original behaviour
+		if err != nil {
+			return nil, nil
+		}
+
+		return p, nil
+	}
+
+	provider, err := getProvider(authenticatorName)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider.GetIntegratedAuthenticator(config)
+}
+
+func getProvider(name string) (Provider, error) {
+	provider, ok := providers[name]
+
+	if !ok {
+		return nil, fmt.Errorf("provider %v not found", name)
+	}
+
+	return provider, nil
+}
+
+// SetIntegratedAuthenticationProvider stores a named authentication provider. It should be called before any connections are created.
+func SetIntegratedAuthenticationProvider(providerName string, p Provider) error {
+	if p == nil {
+		return ErrProviderCannotBeNil
+	}
+
+	if providerName == "" {
+		return ErrProviderNameMustBePopulated
+	}
+
+	providers[providerName] = p
+
+	return nil
+}