Fix for Bug#102188 (32526663), AccessControlException with Authentica…

…tionLdapSaslClientPlugin.

CHANGES

@@ -3,6 +3,8 @@
 
 Version 8.0.24
 
+  - Fix for Bug#102188 (32526663), AccessControlException with AuthenticationLdapSaslClientPlugin.
+
   - Fix for Bug#22508715, SETSESSIONMAXROWS() CALL ON CLOSED CONNECTION RESULTS IN NPE.
 
   - Fix for Bug#102131 (32338451), UPDATABLERESULTSET NPE WHEN USING DERIVED QUERIES OR VIEWS.

src/main/protocol-impl/java/com/mysql/cj/protocol/a/NativeAuthenticationProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2020, Oracle and/or its affiliates.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License, version 2.0, as published by the
@@ -268,11 +268,9 @@ private void loadAuthenticationPlugins() {
             }
         }
 
-        // initialize and add plugin instances
+        // add plugin instances
         boolean defaultFound = false;
         for (AuthenticationPlugin<NativePacketPayload> plugin : pluginsToInit) {
-            plugin.init(this.protocol, this.callbackHandler);
-
             String pluginProtocolName = plugin.getProtocolPluginName();
             String pluginClassName = plugin.getClass().getName();
             boolean disabledByProtocolName = disabledAuthenticationPlugins.contains(pluginProtocolName);
@@ -307,10 +305,9 @@ private void loadAuthenticationPlugins() {
     }
 
     /**
-     * Get authentication plugin instance from authentication plugins map by
-     * pluginName key. If such plugin is found it's {@link AuthenticationPlugin#isReusable()} method
-     * is checked, when it's false this method returns a new instance of plugin
-     * and the same instance otherwise.
+     * Get an authentication plugin instance from the authentication plugins map by pluginName key. If such plugin is found, its method
+     * {@link AuthenticationPlugin#isReusable()} is called and if the value returned is <code>false</code> then a new instance of the plugin is returned
+     * otherwise the instance that already exists is returned.
      * 
      * If plugin is not found method returns null, in such case the subsequent behavior
      * of handshake process depends on type of last packet received from server:
@@ -328,14 +325,14 @@ private AuthenticationPlugin<NativePacketPayload> getAuthenticationPlugin(String
         if (plugin != null && !plugin.isReusable()) {
             try {
                 plugin = plugin.getClass().newInstance();
-                plugin.init(this.protocol, this.callbackHandler);
             } catch (Throwable t) {
                 throw ExceptionFactory.createException(WrongArgumentException.class,
                         Messages.getString("AuthenticationProvider.BadAuthenticationPlugin", new Object[] { plugin.getClass().getName() }), t,
                         getExceptionInterceptor());
             }
         }
 
+        plugin.init(this.protocol, this.callbackHandler);
         return plugin;
     }
 

src/main/protocol-impl/java/com/mysql/cj/protocol/a/authentication/AuthenticationLdapSaslClientPlugin.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License, version 2.0, as published by the
@@ -68,11 +68,6 @@
  * MySQL 'authentication_ldap_sasl_client' authentication plugin.
  */
 public class AuthenticationLdapSaslClientPlugin implements AuthenticationPlugin<NativePacketPayload> {
-    static {
-        // Register our own SCRAM-SHA SASL Client provider.
-        Security.addProvider(new ScramShaSaslProvider());
-    }
-
     public static String PLUGIN_NAME = "authentication_ldap_sasl_client";
 
     private static final String LOGIN_CONFIG_ENTRY = "MySQLConnectorJ";
@@ -135,6 +130,9 @@ String getSaslServiceName() {
     @Override
     public void init(Protocol<NativePacketPayload> prot) {
         this.protocol = prot;
+
+        // Register our own SCRAM-SHA SASL Client provider.
+        Security.addProvider(new ScramShaSaslProvider());
     }
 
     @Override

src/test/java/testsuite/regression/ConnectionRegressionTest.java

@@ -63,6 +63,7 @@
 import java.net.SocketTimeoutException;
 import java.nio.channels.SocketChannel;
 import java.nio.charset.Charset;
+import java.security.Security;
 import java.security.cert.CertificateException;
 import java.sql.Connection;
 import java.sql.DriverManager;
@@ -11813,4 +11814,42 @@ public void testBug22508715() throws Exception {
             return null;
         });
     }
+
+    /**
+     * Tests fix for Bug#102188 (32526663), AccessControlException with AuthenticationLdapSaslClientPlugin.
+     * 
+     * @throws Exception
+     */
+    @Test
+    public void testBug102188() throws Exception {
+        /*
+         * Remove the provider 'MySQLScramShaSasl' that may have been loaded by other tests.
+         */
+        Security.removeProvider("MySQLScramShaSasl");
+
+        /*
+         * The provider 'MySQLScramShaSasl' should not have been loaded yet.
+         */
+        assertNull(Security.getProvider("MySQLScramShaSasl"));
+
+        /*
+         * After this fix the provider 'MySQLScramShaSasl' should not be loaded while connecting using an authentication plugin different than
+         * 'authentication_ldap_sasl_client'.
+         */
+        getConnectionWithProps("").close();
+        assertNull(Security.getProvider("MySQLScramShaSasl"));
+
+        /*
+         * Disabling the authentication plugin 'authentication_ldap_sasl_client' is another way to avoid loading the provider 'MySQLScramShaSasl'.
+         */
+        getConnectionWithProps("disabledAuthenticationPlugins=authentication_ldap_sasl_client").close();
+        assertNull(Security.getProvider("MySQLScramShaSasl"));
+
+        /*
+         * Setting 'authentication_ldap_sasl_client' as the default authentication plugin initializes it and, thus, the provider 'MySQLScramShaSasl' gets
+         * loaded.
+         */
+        getConnectionWithProps("defaultAuthenticationPlugin=authentication_ldap_sasl_client").close();
+        assertNotNull(Security.getProvider("MySQLScramShaSasl"));
+    }
 }

src/test/java/testsuite/simple/AuthenticationTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License, version 2.0, as published by the
@@ -253,6 +253,9 @@ public void authLdapSaslCliPluginChallengeMissingAttributes() throws Exception {
         for (int i = 0; i < 3; i++) {
             AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
 
+            // Initialize plugin with some protocol (none is needed).
+            authPlugin.init(null);
+
             // Set authentication parameters.
             authPlugin.setAuthenticationParameters("user", "pencil");
 
@@ -309,6 +312,9 @@ public void authLdapSaslCliPluginChallengeMissingAttributes() throws Exception {
     public void authLdapSaslCliPluginChallengeBadNonce() throws Exception {
         AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
 
+        // Initialize plugin with some protocol (none is needed).
+        authPlugin.init(null);
+
         // Set authentication parameters.
         authPlugin.setAuthenticationParameters("user", "pencil");
 
@@ -355,6 +361,9 @@ public void authLdapSaslCliPluginChallengeBadNonce() throws Exception {
     public void authLdapSaslCliPluginChallengeBadIterations() throws Exception {
         AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
 
+        // Initialize plugin with some protocol (none is needed).
+        authPlugin.init(null);
+
         // Set authentication parameters.
         authPlugin.setAuthenticationParameters("user", "pencil");
 
@@ -401,6 +410,9 @@ public void authLdapSaslCliPluginChallengeBadIterations() throws Exception {
     public void authLdapSaslCliPluginChallengeMissingProof() throws Exception {
         AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
 
+        // Initialize plugin with some protocol (none is needed).
+        authPlugin.init(null);
+
         // Set authentication parameters.
         authPlugin.setAuthenticationParameters("user", "pencil");
 
@@ -458,6 +470,9 @@ public void authLdapSaslCliPluginChallengeMissingProof() throws Exception {
     public void authLdapSaslCliPluginChallengeBadProof() throws Exception {
         AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
 
+        // Initialize plugin with some protocol (none is needed).
+        authPlugin.init(null);
+
         // Set authentication parameters.
         authPlugin.setAuthenticationParameters("user", "pencil");
 
@@ -514,6 +529,7 @@ public void authLdapSaslCliPluginChallengeBadProof() throws Exception {
     public void authLdapSaslCliPluginChallengeUnsupportedMech() throws Exception {
         assertThrows(CJException.class, "Unsupported SASL authentication mechanism 'UNKNOWN-MECH'\\.", () -> {
             AuthenticationPlugin<NativePacketPayload> ap = new AuthenticationLdapSaslClientPlugin();
+            ap.init(null);
             ap.nextAuthenticationStep(new NativePacketPayload("UNKNOWN-MECH".getBytes("ASCII")), new ArrayList<>());
             // Must do it twice because there's a chance to run the first iteration with a hashing seed instead of an authentication mechanism. 
             ap.nextAuthenticationStep(new NativePacketPayload("UNKNOWN-MECH".getBytes("ASCII")), new ArrayList<>());