WL#16192 remove sha256_password

sha256_password is deprecated by MySQL Server 5.7.

Change
======

- removed support for sha256_password in the authentication and
  change_user.
- removed tests that check the sha256_password support.
- added support to the mock-server to require a authentication
  "method_name".
- in mock-server, aligned parameter name of handshake()
- added mysql_server_mock_spawner() to component-tests

Change-Id: Ic7edc368c34d87ba9feca346b2236ae3864eddb2

Author: weigon

router/src/mock_server/src/authentication.cc

@@ -39,7 +39,7 @@ namespace impl {
  * - mysql_native_password
  *   - message-digest: SHA1
  *   - inner message-digest-order: nonce + double_hashed_password
- * - caching_sha256_password
+ * - caching_sha2_password
  *   - message-digest: SHA256
  *   - inner message-digest-order: double_hashed_password + nonce
  *

router/src/mock_server/src/classic_mock_session.cc

@@ -254,6 +254,65 @@ void MySQLServerMockSessionClassic::client_greeting() {
     protocol_.auth_method_name(MySQLNativePassword::name);
   }
 
+  auto handshake_data_res =
+      json_reader_->handshake(false /* not is_greeting */);
+  if (!handshake_data_res) {
+    protocol_.encode_error(handshake_data_res.error());
+
+    send_response_then_disconnect();
+
+    return;
+  }
+
+  handshake_data_ = *handshake_data_res;
+
+  if (handshake_data_->username.has_value()) {
+    if (handshake_data_->username.value() != protocol_.username()) {
+      protocol_.encode_error(
+          {ER_ACCESS_DENIED_ERROR,  // 1045
+           "Access Denied for user '" + protocol_.username() + "'@'localhost'",
+           "28000"});
+
+      send_response_then_disconnect();
+
+      return;
+    }
+  }
+
+  if (handshake_data_->auth_method_name.has_value()) {
+    if (protocol_.auth_method_name() != *handshake_data_->auth_method_name) {
+      protocol_.auth_method_name(*handshake_data_->auth_method_name);
+
+      // auth_response() should be empty
+      //
+      // ask for the real full authentication
+      protocol_.auth_method_data(std::string(20, 'a'));
+
+      protocol_.encode_auth_switch_message(
+          {protocol_.auth_method_name(),
+           protocol_.auth_method_data() + std::string(1, '\0')});
+
+      protocol_.async_send([this, to_send = protocol_.send_buffer().size()](
+                               std::error_code ec, size_t transferred) {
+        if (ec) {
+          if (ec != std::errc::operation_canceled) {
+            log_warning("send auto result failed: %s", ec.message().c_str());
+          }
+
+          disconnect();
+          return;
+        }
+
+        if (to_send < transferred) {
+          std::terminate();
+        } else {
+          auth_switched();
+        }
+      });
+      return;
+    }
+  }
+
   if (protocol_.auth_method_name() == CachingSha2Password::name) {
     // auth_response() should be empty
     //
@@ -691,25 +750,17 @@ stdx::expected<std::string, std::error_code> cert_get_issuer_name(X509 *cert) {
 
 stdx::expected<void, ErrorResponse> MySQLServerMockSessionClassic::authenticate(
     const std::vector<uint8_t> &client_auth_method_data) {
-  auto handshake_data_res =
-      json_reader_->handshake(false /* not is_greeting */);
-  if (!handshake_data_res) {
-    return stdx::unexpected(handshake_data_res.error());
+  if (!handshake_data_) {
+    return stdx::unexpected(ErrorResponse{
+        ER_ACCESS_DENIED_ERROR,  // 1045
+        "Access Denied for user '" + protocol_.username() + "'@'localhost'",
+        "28000"});
   }
 
-  auto handshake = handshake_data_res.value();
-
-  if (handshake.username.has_value()) {
-    if (handshake.username.value() != protocol_.username()) {
-      return stdx::unexpected(ErrorResponse{
-          ER_ACCESS_DENIED_ERROR,  // 1045
-          "Access Denied for user '" + protocol_.username() + "'@'localhost'",
-          "28000"});
-    }
-  }
+  const auto &handshake = *handshake_data_;
 
   if (handshake.password.has_value()) {
-    if (!protocol_.authenticate(
+    if (!ProtocolBase::authenticate(
             protocol_.auth_method_name(), protocol_.auth_method_data(),
             handshake.password.value(), client_auth_method_data)) {
       return stdx::unexpected(ErrorResponse{
@@ -720,7 +771,7 @@ stdx::expected<void, ErrorResponse> MySQLServerMockSessionClassic::authenticate(
   }
 
   if (handshake.cert_required) {
-    auto *ssl = protocol_.ssl();
+    const auto *ssl = protocol_.ssl();
 
     std::unique_ptr<X509, decltype(&X509_free)> client_cert{
         SSL_get_peer_certificate(ssl), &X509_free};

router/src/mock_server/src/classic_mock_session.h

@@ -124,6 +124,8 @@ class MySQLServerMockSessionClassic : public MySQLServerMockSession {
   MySQLClassicProtocol protocol_;
 
   bool with_tls_{false};
+
+  std::optional<StatementReaderBase::handshake_data> handshake_data_;
 };
 
 }  // namespace server_mock

router/src/mock_server/src/duktape_statement_reader.cc

@@ -1084,6 +1084,7 @@ DuktapeStatementReader::handshake(bool is_greeting) {
   stdx::expected<classic_protocol::message::server::Greeting, std::error_code>
       server_greeting_res = default_server_greeting();
   std::chrono::microseconds exec_time{};
+  std::optional<std::string> auth_method_name;
   std::error_code ec{};
 
   duk_get_prop_string(ctx, -1, "handshake");
@@ -1160,6 +1161,15 @@ DuktapeStatementReader::handshake(bool is_greeting) {
         duk_pop(ctx);
       }
       duk_pop(ctx);
+
+      duk_get_prop_literal(ctx, -1, "method_name");
+      if (duk_is_string(ctx, -1)) {
+        auth_method_name = std::string(duk_to_string(ctx, -1));
+      } else if (!duk_is_undefined(ctx, -1)) {
+        ec = make_error_code(std::errc::invalid_argument);
+      }
+      duk_pop(ctx);
+
     } else if (!duk_is_undefined(ctx, -1)) {
       ec = make_error_code(std::errc::invalid_argument);
     }
@@ -1181,8 +1191,10 @@ DuktapeStatementReader::handshake(bool is_greeting) {
   }
 
   return handshake_data{
-      *server_greeting_res, username,    password, cert_required,
-      cert_subject,         cert_issuer, exec_time};
+      *server_greeting_res, username,     password,
+      auth_method_name,     std::nullopt, cert_required,
+      cert_subject,         cert_issuer,  exec_time,
+  };
 }
 
 // @pre on the stack is an object

router/src/mock_server/src/duktape_statement_reader.h

@@ -112,7 +112,7 @@ class DuktapeStatementReader : public StatementReaderBase {
   std::vector<AsyncNotice> get_async_notices() override;
 
   stdx::expected<handshake_data, ErrorResponse> handshake(
-      bool with_tls) override;
+      bool is_greeting) override;
 
  private:
   stdx::expected<classic_protocol::message::server::Greeting, std::error_code>

router/src/mock_server/src/protocol_base.cc

@@ -97,7 +97,7 @@ bool ProtocolBase::authenticate(const std::string &auth_method_name,
   } else {
     // there is also
     // - old_password (3.23, 4.0)
-    // - sha256_password (5.6, ...)
+    // - sha256_password (5.6, 8.3)
     // - windows_authentication (5.6, ...)
     return false;
   }

router/src/mock_server/src/statement_reader.h

@@ -358,6 +358,8 @@ class StatementReaderBase {
 
     std::optional<std::string> username;
     std::optional<std::string> password;
+    std::optional<std::string> auth_method_name;
+    std::optional<std::string> auth_method_data;
     bool cert_required{false};
     std::optional<std::string> cert_subject;
     std::optional<std::string> cert_issuer;

router/src/router/tests/test_log_filter.cc

@@ -108,7 +108,8 @@ TEST_F(LogFilterTest, IsPasswordHiddenWhenPatternSameAsReplacement) {
 
 TEST_F(LogFilterTest, IsMoreThenOneGroupHidden) {
   const std::string statement =
-      "ALTER USER \'jeffrey\'@\'localhost\' IDENTIFIED WITH sha256_password BY "
+      "ALTER USER \'jeffrey\'@\'localhost\' IDENTIFIED WITH "
+      "mysql_native_password BY "
       "\'new_password\' PASSWORD EXPIRE INTERVAL 180 DAY";
   const std::string expected_result =
       "ALTER USER \'jeffrey\'@\'localhost\' IDENTIFIED WITH *** BY *** "

router/src/routing/src/CMakeLists.txt

@@ -64,7 +64,6 @@ ADD_LIBRARY(routing SHARED
   classic_auth_cleartext.cc
   classic_auth_caching_sha2.cc
   classic_auth_native.cc
-  classic_auth_sha256_password.cc
   classic_command.cc
   classic_connect.cc
   classic_flow.cc
@@ -76,7 +75,6 @@ ADD_LIBRARY(routing SHARED
   classic_auth_caching_sha2_forwarder.cc
   classic_auth_forwarder.cc
   classic_auth_native_forwarder.cc
-  classic_auth_sha256_password_forwarder.cc
   classic_binlog_dump_forwarder.cc
   classic_change_user_forwarder.cc
   classic_clone_forwarder.cc
@@ -103,7 +101,6 @@ ADD_LIBRARY(routing SHARED
   classic_auth_cleartext_sender.cc
   classic_auth_caching_sha2_sender.cc
   classic_auth_native_sender.cc
-  classic_auth_sha256_password_sender.cc
   classic_change_user_sender.cc
   # classic_greeting_sender.cc
   classic_init_schema_sender.cc

router/src/routing/src/classic_auth_forwarder.cc

@@ -38,8 +38,6 @@
 #include "classic_auth_cleartext_sender.h"
 #include "classic_auth_native_forwarder.h"
 #include "classic_auth_native_sender.h"
-#include "classic_auth_sha256_password_forwarder.h"
-#include "classic_auth_sha256_password_sender.h"
 #include "classic_frame.h"
 #include "harness_assert.h"
 #include "hexify.h"
@@ -244,6 +242,8 @@ AuthGenericForwarder::error() {
   return Result::Again;
 }
 
+// AuthForwarder
+
 stdx::expected<Processor::Result, std::error_code> AuthForwarder::process() {
   switch (stage()) {
     case Stage::Init:
@@ -299,10 +299,7 @@ stdx::expected<Processor::Result, std::error_code> AuthForwarder::init() {
         Tracer::Event().stage("auth::forwarder::direct: " + auth_method_name));
   }
 
-  if (auth_method_name == AuthSha256Password::kName) {
-    connection()->push_processor(std::make_unique<AuthSha256Forwarder>(
-        connection(), initial_auth_method_data, true));
-  } else if (auth_method_name == AuthCachingSha2Password::kName) {
+  if (auth_method_name == AuthCachingSha2Password::kName) {
     connection()->push_processor(std::make_unique<AuthCachingSha2Forwarder>(
         connection(), initial_auth_method_data, true,
         client_requested_full_auth_));
@@ -313,8 +310,17 @@ stdx::expected<Processor::Result, std::error_code> AuthForwarder::init() {
     connection()->push_processor(std::make_unique<AuthCleartextForwarder>(
         connection(), initial_auth_method_data, true));
   } else {
-    connection()->push_processor(std::make_unique<AuthGenericForwarder>(
-        connection(), auth_method_name, initial_auth_method_data, true));
+    // an unknown auth-method.
+    auto send_res = ClassicFrame::send_msg<
+        classic_protocol::borrowed::message::server::Error>(
+        dst_conn, {2059,  // CR_AUTH_PLUGIN_CANNOT_LOAD
+                   "Authentication plugin '" + auth_method_name +
+                       "' cannot be loaded: not supported by router",
+                   "28000"});
+    if (!send_res) return send_client_failed(send_res.error());
+
+    stage(Stage::Done);
+    return Result::SendToClient;
   }
 
   stage(Stage::Response);
@@ -350,18 +356,7 @@ AuthForwarder::auth_method_switch() {
   // invalidates 'msg'
   discard_current_msg(src_conn);
 
-  if (auth_method_name == AuthSha256Password::kName) {
-    dst_protocol.auth_method_name(auth_method_name);
-    dst_protocol.auth_method_data(auth_method_data);
-
-    if (dst_protocol.password().has_value()) {
-      connection()->push_processor(std::make_unique<AuthSha256Sender>(
-          connection(), auth_method_data, dst_protocol.password().value()));
-    } else {
-      connection()->push_processor(std::make_unique<AuthSha256Forwarder>(
-          connection(), auth_method_data, false));
-    }
-  } else if (auth_method_name == AuthCachingSha2Password::kName) {
+  if (auth_method_name == AuthCachingSha2Password::kName) {
     dst_protocol.auth_method_name(auth_method_name);
     dst_protocol.auth_method_data(auth_method_data);
 
@@ -399,8 +394,16 @@ AuthForwarder::auth_method_switch() {
     dst_protocol.auth_method_name(auth_method_name);
     dst_protocol.auth_method_data(auth_method_data);
 
-    connection()->push_processor(std::make_unique<AuthGenericForwarder>(
-        connection(), auth_method_name, auth_method_data));
+    auto send_res = ClassicFrame::send_msg<
+        classic_protocol::borrowed::message::server::Error>(
+        dst_conn, {2059,  // CR_AUTH_PLUGIN_CANNOT_LOAD
+                   "Authentication plugin '" + auth_method_name +
+                       "' cannot be loaded: not supported by router",
+                   "28000"});
+    if (!send_res) return send_client_failed(send_res.error());
+
+    stage(Stage::Done);
+    return Result::SendToClient;
   }
 
   stage(Stage::Response);