/**
 * Verifies that a 'server-first-message' lacking any one of its mandatory attributes ('r', 's' or 'i') is rejected
 * with a {@link SaslException} wrapped in a {@link CJException}.
 * Attribute values are taken from the test vector in <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>.
 * Each of these attributes feeds the client proof and the later server-signature check, so an incomplete message must
 * fail fast rather than be silently defaulted.
 *
 * @throws Exception
 *             if the plugin fails in a way this test does not expect
 */
@Test
public void authLdapSaslCliPluginChallengeMissingAttributes() throws Exception {
    // The three mandatory attributes of the reference 'server-first-message'.
    final String nonceAttr = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j";
    final String saltAttr = "s=QSXCR+Q6sek8bf92";
    final String iterAttr = "i=4096";
    // One variant per omitted attribute: first without 'r', then without 's', then without 'i'.
    final String[] incompleteMessages = { String.join(",", saltAttr, iterAttr), String.join(",", nonceAttr, iterAttr),
            String.join(",", nonceAttr, saltAttr) };
    final String clientFirstPrefix = "n,,n=user,r=";

    for (final String incompleteMessage : incompleteMessages) {
        // A fresh plugin per variant: the plugin is not reusable and keeps SASL state across steps.
        final AuthenticationPlugin<NativePacketPayload> plugin = new AuthenticationLdapSaslClientPlugin();
        // No protocol is required for this unit-level exchange.
        plugin.init(null);
        plugin.setAuthenticationParameters("user", "pencil");

        // Protocol::AuthSwitchRequest payload after the plugin name and its terminating 0 byte have been consumed:
        // only the SASL mechanism name remains.
        final NativePacketPayload switchRequest = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));

        // The plugin answers with the 'client-first-message' [n,,n=user,r=<CNONCE>].
        // <CNONCE> is random, so only the fixed prefix and the total length are checked here.
        final List<NativePacketPayload> clientMessages = new ArrayList<>();
        plugin.nextAuthenticationStep(switchRequest, clientMessages);
        assertEquals(1, clientMessages.size());
        final String clientFirst = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
        assertTrue(clientFirst.startsWith(clientFirstPrefix));
        assertEquals(clientFirstPrefix.length() + 32, clientFirst.length());

        // Feed the truncated 'server-first-message' and expect the iteration to be rejected.
        final NativePacketPayload badServerFirst = new NativePacketPayload(incompleteMessage.getBytes("UTF-8"));
        final CJException failure = assertThrows(CJException.class,
                "Error while processing an authentication iteration for the authentication mechanism 'SCRAM-SHA-1'\\.",
                () -> plugin.nextAuthenticationStep(badServerFirst, clientMessages));
        // The root cause must identify the missing attribute, not some later parsing artifact.
        assertEquals(SaslException.class, failure.getCause().getClass());
        assertEquals("Missing required SCRAM attribute from server first message.", failure.getCause().getMessage());
    }
}
/**
 * Verifies that a 'server-first-message' announcing an iteration count below the plugin's minimum is rejected.
 * Data is taken from the test vector in <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>,
 * with the 'i' attribute lowered to 1024.
 * Honouring a server-announced low iteration count would weaken the derived key, so the client is expected to refuse it.
 *
 * @throws Exception
 *             if the plugin fails in a way this test does not expect
 */
@Test
public void authLdapSaslCliPluginChallengeBadIterations() throws Exception {
    final AuthenticationPlugin<NativePacketPayload> plugin = new AuthenticationLdapSaslClientPlugin();
    // No protocol is required for this unit-level exchange.
    plugin.init(null);
    plugin.setAuthenticationParameters("user", "pencil");

    // Protocol::AuthSwitchRequest payload after the plugin name and its terminating 0 byte have been consumed:
    // only the SASL mechanism name remains.
    final NativePacketPayload switchRequest = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));

    // The plugin answers with the 'client-first-message' [n,,n=user,r=<CNONCE>].
    // <CNONCE> is random, so only the fixed prefix and the total length are checked here.
    final List<NativePacketPayload> clientMessages = new ArrayList<>();
    plugin.nextAuthenticationStep(switchRequest, clientMessages);
    assertEquals(1, clientMessages.size());
    final String clientFirstPrefix = "n,,n=user,r=";
    final String clientFirst = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(clientFirst.startsWith(clientFirstPrefix));
    assertEquals(clientFirstPrefix.length() + 32, clientFirst.length());

    // Pin the internal client nonce to the test-vector value so the rest of the exchange is deterministic:
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(plugin, "fyko+d2lbbFgONRv9qkxdawL");

    // 'server-first-message' with a correct nonce and salt but an 'i' attribute of 1024 instead of 4096.
    final NativePacketPayload badServerFirst = new NativePacketPayload(
            "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=1024".getBytes("UTF-8"));
    final CJException failure = assertThrows(CJException.class,
            "Error while processing an authentication iteration for the authentication mechanism 'SCRAM-SHA-1'\\.",
            () -> plugin.nextAuthenticationStep(badServerFirst, clientMessages));
    // The root cause must be the iteration-count check itself.
    assertEquals(SaslException.class, failure.getCause().getClass());
    assertEquals("Announced SCRAM-SHA-1 iteration count is too low.", failure.getCause().getMessage());
}
/**
 * Verifies that a 'server-first-message' whose combined nonce does not start with the client nonce is rejected.
 * Data is taken from the test vector in <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>,
 * with the client-nonce part of the 'r' attribute replaced by filler characters.
 * The nonce echo is what ties the server's reply to this client's 'client-first-message'; a mismatch must abort the exchange.
 *
 * @throws Exception
 *             if the plugin fails in a way this test does not expect
 */
@Test
public void authLdapSaslCliPluginChallengeBadNonce() throws Exception {
    final AuthenticationPlugin<NativePacketPayload> plugin = new AuthenticationLdapSaslClientPlugin();
    // No protocol is required for this unit-level exchange.
    plugin.init(null);
    plugin.setAuthenticationParameters("user", "pencil");

    // Protocol::AuthSwitchRequest payload after the plugin name and its terminating 0 byte have been consumed:
    // only the SASL mechanism name remains.
    final NativePacketPayload switchRequest = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));

    // The plugin answers with the 'client-first-message' [n,,n=user,r=<CNONCE>].
    // <CNONCE> is random, so only the fixed prefix and the total length are checked here.
    final List<NativePacketPayload> clientMessages = new ArrayList<>();
    plugin.nextAuthenticationStep(switchRequest, clientMessages);
    assertEquals(1, clientMessages.size());
    final String clientFirstPrefix = "n,,n=user,r=";
    final String clientFirst = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(clientFirst.startsWith(clientFirstPrefix));
    assertEquals(clientFirstPrefix.length() + 32, clientFirst.length());

    // Pin the internal client nonce to the test-vector value so the rest of the exchange is deterministic:
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(plugin, "fyko+d2lbbFgONRv9qkxdawL");

    // 'server-first-message' whose 'r' attribute no longer begins with the pinned client nonce.
    final NativePacketPayload badServerFirst = new NativePacketPayload(
            "r=XXXXXXXXXXXXXXXXXXXXXXXX3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".getBytes("UTF-8"));
    final CJException failure = assertThrows(CJException.class,
            "Error while processing an authentication iteration for the authentication mechanism 'SCRAM-SHA-1'\\.",
            () -> plugin.nextAuthenticationStep(badServerFirst, clientMessages));
    // The root cause must be the nonce check itself.
    assertEquals(SaslException.class, failure.getCause().getClass());
    assertEquals("Invalid server nonce for SCRAM-SHA-1 authentication.", failure.getCause().getMessage());
}
/**
 * Runs the complete SCRAM-SHA-1 exchange from <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>
 * (no channel binding, username 'user', password 'pencil') through the plugin and checks every client message against the
 * test vector:
 *
 * <pre>
 * C: n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL
 * S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096
 * C: c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=
 * S: v=rmF9pqV8S7suAoZWja4dJRkFsKQ=
 * </pre>
 *
 * The last step feeds the server's 'v' attribute back to the plugin; the exchange counts as successful only if that
 * server signature is accepted without an exception.
 *
 * @throws Exception
 *             if the plugin fails in a way this test does not expect
 */
@Test
public void authLdapSaslCliPluginScramSha1TestVector() throws Exception {
    final AuthenticationPlugin<NativePacketPayload> plugin = new AuthenticationLdapSaslClientPlugin();
    // No protocol is required for this unit-level exchange.
    plugin.init(null);

    // Static plugin properties.
    assertEquals("authentication_ldap_sasl_client", plugin.getProtocolPluginName());
    assertFalse(plugin.requiresConfidentiality());
    assertFalse(plugin.isReusable());

    plugin.setAuthenticationParameters("user", "pencil");

    // Protocol::AuthSwitchRequest payload after the plugin name and its terminating 0 byte have been consumed:
    // only the SASL mechanism name remains.
    final NativePacketPayload switchRequest = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));

    // Step 1: the plugin answers with the 'client-first-message' [n,,n=user,r=<CNONCE>].
    // <CNONCE> is random, so only the fixed prefix and the total length are checked here.
    final List<NativePacketPayload> clientMessages = new ArrayList<>();
    plugin.nextAuthenticationStep(switchRequest, clientMessages);
    assertEquals(1, clientMessages.size());
    final String clientFirstPrefix = "n,,n=user,r=";
    final String clientFirst = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(clientFirst.startsWith(clientFirstPrefix));
    assertEquals(clientFirstPrefix.length() + 32, clientFirst.length());

    // Pin the internal client nonce to the test-vector value so the remaining messages are deterministic:
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(plugin, "fyko+d2lbbFgONRv9qkxdawL");

    // Step 2: 'server-first-message' in, 'client-final-message' out (checked verbatim against the vector).
    final NativePacketPayload serverFirst = new NativePacketPayload(
            "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".getBytes("UTF-8"));
    plugin.nextAuthenticationStep(serverFirst, clientMessages);
    assertEquals(1, clientMessages.size());
    final String clientFinal = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertEquals("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=", clientFinal);

    // Step 3: 'server-final-message' in; nothing goes out, and no exception means the server signature was accepted.
    final NativePacketPayload serverFinal = new NativePacketPayload("v=rmF9pqV8S7suAoZWja4dJRkFsKQ=".getBytes("UTF-8"));
    plugin.nextAuthenticationStep(serverFinal, clientMessages);
    assertEquals(0, clientMessages.size());
}
/**
 * Runs the complete SCRAM-SHA-256 exchange from <a href="https://tools.ietf.org/html/rfc7677#section-3">RFC 7677, Section 3</a>
 * (no channel binding, username 'user', password 'pencil') through the plugin and checks every client message against the
 * test vector:
 *
 * <pre>
 * C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
 * S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
 * C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
 * S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=
 * </pre>
 *
 * The last step feeds the server's 'v' attribute back to the plugin; the exchange counts as successful only if that
 * server signature is accepted without an exception.
 *
 * @throws Exception
 *             if the plugin fails in a way this test does not expect
 */
@Test
public void authLdapSaslCliPluginScramSha256TestVector() throws Exception {
    final AuthenticationPlugin<NativePacketPayload> plugin = new AuthenticationLdapSaslClientPlugin();
    // No protocol is required for this unit-level exchange.
    plugin.init(null);

    // Static plugin properties.
    assertEquals("authentication_ldap_sasl_client", plugin.getProtocolPluginName());
    assertFalse(plugin.requiresConfidentiality());
    assertFalse(plugin.isReusable());

    plugin.setAuthenticationParameters("user", "pencil");

    // Protocol::AuthSwitchRequest payload after the plugin name and its terminating 0 byte have been consumed:
    // only the SASL mechanism name remains.
    final NativePacketPayload switchRequest = new NativePacketPayload("SCRAM-SHA-256".getBytes("ASCII"));

    // Step 1: the plugin answers with the 'client-first-message' [n,,n=user,r=<CNONCE>].
    // <CNONCE> is random, so only the fixed prefix and the total length are checked here.
    final List<NativePacketPayload> clientMessages = new ArrayList<>();
    plugin.nextAuthenticationStep(switchRequest, clientMessages);
    assertEquals(1, clientMessages.size());
    final String clientFirstPrefix = "n,,n=user,r=";
    final String clientFirst = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(clientFirst.startsWith(clientFirstPrefix));
    assertEquals(clientFirstPrefix.length() + 32, clientFirst.length());

    // Pin the internal client nonce to the test-vector value so the remaining messages are deterministic:
    // [n,,n=user,r=rOprNGfwEbeRWgbNEkqO]
    overrideSaslClientData(plugin, "rOprNGfwEbeRWgbNEkqO");

    // Step 2: 'server-first-message' in, 'client-final-message' out (checked verbatim against the vector).
    final NativePacketPayload serverFirst = new NativePacketPayload(
            "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096".getBytes("UTF-8"));
    plugin.nextAuthenticationStep(serverFirst, clientMessages);
    assertEquals(1, clientMessages.size());
    final String clientFinal = clientMessages.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertEquals("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=",
            clientFinal);

    // Step 3: 'server-final-message' in; nothing goes out, and no exception means the server signature was accepted.
    final NativePacketPayload serverFinal = new NativePacketPayload(
            "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=".getBytes("UTF-8"));
    plugin.nextAuthenticationStep(serverFinal, clientMessages);
    assertEquals(0, clientMessages.size());
}