Example 1 with AuthenticationLdapSaslClientPlugin

Usage of com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin in project ABC by RuiPinto96274: class AuthenticationTest, method authLdapSaslCliPluginChallengeBadNonce.

/**
 * Test wrong 'server-first-message' due to bad server nonce.
 * Data based on test vector from <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>.
 *
 * @throws Exception
 */
@Test
public void authLdapSaslCliPluginChallengeBadNonce() throws Exception {
    AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
    // Initialize plugin with some protocol (none is needed).
    authPlugin.init(null);
    // Set authentication parameters.
    authPlugin.setAuthenticationParameters("user", "pencil");
    // Initial server packet: Protocol::AuthSwitchRequest
    // [authentication_ldap_sasl_client.SCRAM-SHA-1]
    // ;; "." --> 0 byte.
    // ;; first part of the packet is already processed.
    NativePacketPayload challenge = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));
    // Expected 'client-first-message':
    // [n,,n=user,r=<CNONCE>]
    // ;; <CNONCE> is generated internally and needs to be replaced by the expected value from the test vector in order to continue the test.
    List<NativePacketPayload> response = new ArrayList<>();
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    String data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(data.startsWith("n,,n=user,r="));
    assertEquals("n,,n=user,r=".length() + 32, data.length());
    // Replace the internal plugin data in order to match the expected 'client-first-message':
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(authPlugin, "fyko+d2lbbFgONRv9qkxdawL");
    // Server's 'server-first-message':
    // [r=XXXXXXXXXXXXXXXXXXXXXXXX3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096]
    // ;; Bad 'r' attribute.
    NativePacketPayload badChallenge = new NativePacketPayload("r=XXXXXXXXXXXXXXXXXXXXXXXX3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".getBytes("UTF-8"));
    // Expect Exception.
    CJException ex = assertThrows(CJException.class, "Error while processing an authentication iteration for the authentication mechanism 'SCRAM-SHA-1'\\.", () -> authPlugin.nextAuthenticationStep(badChallenge, response));
    assertEquals(SaslException.class, ex.getCause().getClass());
    assertEquals("Invalid server nonce for SCRAM-SHA-1 authentication.", ex.getCause().getMessage());
}
Also used : ArrayList(java.util.ArrayList) AuthenticationLdapSaslClientPlugin(com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin) NativePacketPayload(com.mysql.cj.protocol.a.NativePacketPayload) CJException(com.mysql.cj.exceptions.CJException) Test(org.junit.jupiter.api.Test)

Example 2 with AuthenticationLdapSaslClientPlugin

Usage of com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin in project ABC by RuiPinto96274: class AuthenticationTest, method authLdapSaslCliPluginChallengeBadIterations.

/**
 * Test wrong 'server-first-message' due to insufficient iterations.
 * Data based on test vector from <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>.
 *
 * @throws Exception
 */
@Test
public void authLdapSaslCliPluginChallengeBadIterations() throws Exception {
    AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
    // Initialize plugin with some protocol (none is needed).
    authPlugin.init(null);
    // Set authentication parameters.
    authPlugin.setAuthenticationParameters("user", "pencil");
    // Initial server packet: Protocol::AuthSwitchRequest
    // [authentication_ldap_sasl_client.SCRAM-SHA-1]
    // ;; "." --> 0 byte.
    // ;; first part of the packet is already processed.
    NativePacketPayload challenge = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));
    // Expected 'client-first-message':
    // [n,,n=user,r=<CNONCE>]
    // ;; <CNONCE> is generated internally and needs to be replaced by the expected value from the test vector in order to continue the test.
    List<NativePacketPayload> response = new ArrayList<>();
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    String data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(data.startsWith("n,,n=user,r="));
    assertEquals("n,,n=user,r=".length() + 32, data.length());
    // Replace the internal plugin data in order to match the expected 'client-first-message':
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(authPlugin, "fyko+d2lbbFgONRv9qkxdawL");
    // Server's 'server-first-message':
    // [r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=1024]
    // ;; Bad 'i' attribute.
    NativePacketPayload badChallenge = new NativePacketPayload("r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=1024".getBytes("UTF-8"));
    // Expect Exception.
    CJException ex = assertThrows(CJException.class, "Error while processing an authentication iteration for the authentication mechanism 'SCRAM-SHA-1'\\.", () -> authPlugin.nextAuthenticationStep(badChallenge, response));
    assertEquals(SaslException.class, ex.getCause().getClass());
    assertEquals("Announced SCRAM-SHA-1 iteration count is too low.", ex.getCause().getMessage());
}
Also used : ArrayList(java.util.ArrayList) AuthenticationLdapSaslClientPlugin(com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin) NativePacketPayload(com.mysql.cj.protocol.a.NativePacketPayload) CJException(com.mysql.cj.exceptions.CJException) Test(org.junit.jupiter.api.Test)

Example 3 with AuthenticationLdapSaslClientPlugin

Usage of com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin in project ABC by RuiPinto96274: class AuthenticationTest, method authLdapSaslCliPluginChallengeMissingProof.

/**
 * Test wrong 'server-final-message' due to missing proof.
 * Data based on test vector from <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>.
 *
 * @throws Exception
 */
@Test
public void authLdapSaslCliPluginChallengeMissingProof() throws Exception {
    AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
    // Initialize plugin with some protocol (none is needed).
    authPlugin.init(null);
    // Set authentication parameters.
    authPlugin.setAuthenticationParameters("user", "pencil");
    // Initial server packet: Protocol::AuthSwitchRequest
    // [authentication_ldap_sasl_client.SCRAM-SHA-1]
    // ;; "." --> 0 byte.
    // ;; first part of the packet is already processed.
    NativePacketPayload challenge = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));
    // Expected 'client-first-message':
    // [n,,n=user,r=<CNONCE>]
    // ;; <CNONCE> is generated internally and needs to be replaced by the expected value from the test vector in order to continue the test.
    List<NativePacketPayload> response = new ArrayList<>();
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    String data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(data.startsWith("n,,n=user,r="));
    assertEquals("n,,n=user,r=".length() + 32, data.length());
    // Replace the internal plugin data in order to match the expected 'client-first-message':
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(authPlugin, "fyko+d2lbbFgONRv9qkxdawL");
    // Server's 'server-first-message':
    // [r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096]
    challenge = new NativePacketPayload("r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".getBytes("UTF-8"));
    // Expected 'client-final-message':
    // [c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=]
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertEquals("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=", data);
    // Server's 'server-final-message':
    // [x=rmF9pqV8S7suAoZWja4dJRkFsKQ=]
    // ;; Missing 'v' attribute.
    NativePacketPayload badChallenge = new NativePacketPayload("x=rmF9pqV8S7suAoZWja4dJRkFsKQ=".getBytes("UTF-8"));
    // Expected Exception.
    CJException ex = assertThrows(CJException.class, "Error while processing an authentication iteration for the authentication mechanism 'SCRAM-SHA-1'\\.", () -> authPlugin.nextAuthenticationStep(badChallenge, response));
    assertEquals(SaslException.class, ex.getCause().getClass());
    assertEquals("Missing required SCRAM attribute from server final message.", ex.getCause().getMessage());
}
Also used : ArrayList(java.util.ArrayList) AuthenticationLdapSaslClientPlugin(com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin) NativePacketPayload(com.mysql.cj.protocol.a.NativePacketPayload) CJException(com.mysql.cj.exceptions.CJException) Test(org.junit.jupiter.api.Test)

Example 4 with AuthenticationLdapSaslClientPlugin

Usage of com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin in project ABC by RuiPinto96274: class AuthenticationTest, method authLdapSaslCliPluginScramSha1TestVector.

/**
 * As per <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 5802, Section 5</a>.
 * Test vector of a SCRAM-SHA-1 authentication exchange when the client doesn't support channel bindings (username 'user' and password 'pencil' are used):
 *
 * <pre>
 * C: n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL
 * S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096
 * C: c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=
 * S: v=rmF9pqV8S7suAoZWja4dJRkFsKQ=
 * </pre>
 *
 * @throws Exception
 */
@Test
public void authLdapSaslCliPluginScramSha1TestVector() throws Exception {
    AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
    // Initialize plugin with some protocol (none is needed).
    authPlugin.init(null);
    // Check plugin name.
    assertEquals("authentication_ldap_sasl_client", authPlugin.getProtocolPluginName());
    // Check confidentiality.
    assertFalse(authPlugin.requiresConfidentiality());
    // Check if plugin is reusable.
    assertFalse(authPlugin.isReusable());
    // Set authentication parameters.
    authPlugin.setAuthenticationParameters("user", "pencil");
    // Initial server packet: Protocol::AuthSwitchRequest
    // [authentication_ldap_sasl_client.SCRAM-SHA-1]
    // ;; "." --> 0 byte.
    // ;; first part of the packet is already processed.
    NativePacketPayload challenge = new NativePacketPayload("SCRAM-SHA-1".getBytes("ASCII"));
    // Expected 'client-first-message':
    // [n,,n=user,r=<CNONCE>]
    // ;; <CNONCE> is generated internally and needs to be replaced by the expected value from the test vector in order to continue the test.
    List<NativePacketPayload> response = new ArrayList<>();
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    String data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(data.startsWith("n,,n=user,r="));
    assertEquals("n,,n=user,r=".length() + 32, data.length());
    // Replace the internal plugin data in order to match the expected 'client-first-message':
    // [n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL]
    overrideSaslClientData(authPlugin, "fyko+d2lbbFgONRv9qkxdawL");
    // Server's 'server-first-message':
    // [r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096]
    challenge = new NativePacketPayload("r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".getBytes("UTF-8"));
    // Expected 'client-final-message':
    // [c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=]
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertEquals("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=", data);
    // Server's 'server-final-message':
    // [v=rmF9pqV8S7suAoZWja4dJRkFsKQ=]
    challenge = new NativePacketPayload("v=rmF9pqV8S7suAoZWja4dJRkFsKQ=".getBytes("UTF-8"));
    // Expected 'nothing'.
    // ;; If server's proof is verified then no exception is thrown.
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(0, response.size());
}
Also used : ArrayList(java.util.ArrayList) AuthenticationLdapSaslClientPlugin(com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin) NativePacketPayload(com.mysql.cj.protocol.a.NativePacketPayload) Test(org.junit.jupiter.api.Test)

Example 5 with AuthenticationLdapSaslClientPlugin

Usage of com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin in project ABC by RuiPinto96274: class AuthenticationTest, method authLdapSaslCliPluginScramSha256TestVector.

/**
 * As per <a href="https://tools.ietf.org/html/rfc7677#section-3">RFC 7677, Section 3</a>.
 * Test vector of a SCRAM-SHA-256 authentication exchange when the client doesn't support channel bindings (username 'user' and password 'pencil' are used):
 *
 * <pre>
 * C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
 * S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
 * C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
 * S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=
 * </pre>
 *
 * @throws Exception
 */
@Test
public void authLdapSaslCliPluginScramSha256TestVector() throws Exception {
    AuthenticationPlugin<NativePacketPayload> authPlugin = new AuthenticationLdapSaslClientPlugin();
    // Initialize plugin with some protocol (none is needed).
    authPlugin.init(null);
    // Check plugin name.
    assertEquals("authentication_ldap_sasl_client", authPlugin.getProtocolPluginName());
    // Check confidentiality.
    assertFalse(authPlugin.requiresConfidentiality());
    // Check if plugin is reusable.
    assertFalse(authPlugin.isReusable());
    // Set authentication parameters.
    authPlugin.setAuthenticationParameters("user", "pencil");
    // Initial server packet: Protocol::AuthSwitchRequest
    // [authentication_ldap_sasl_client.SCRAM-SHA-256]
    // ;; "." --> 0 byte.
    // ;; first part of the packet is already processed.
    NativePacketPayload challenge = new NativePacketPayload("SCRAM-SHA-256".getBytes("ASCII"));
    // Expected 'client-first-message':
    // [n,,n=user,r=<CNONCE>]
    // ;; <CNONCE> is generated internally and needs to be replaced by the expected value from the test vector in order to continue the test.
    List<NativePacketPayload> response = new ArrayList<>();
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    String data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertTrue(data.startsWith("n,,n=user,r="));
    assertEquals("n,,n=user,r=".length() + 32, data.length());
    // Replace the internal plugin data in order to match the expected 'client-first-message':
    // [n,,n=user,r=rOprNGfwEbeRWgbNEkqO]
    overrideSaslClientData(authPlugin, "rOprNGfwEbeRWgbNEkqO");
    // Server's 'server-first-message':
    // [r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096]
    challenge = new NativePacketPayload("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096".getBytes("UTF-8"));
    // Expected 'client-final-message':
    // [c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=]
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(1, response.size());
    data = response.get(0).readString(StringSelfDataType.STRING_EOF, "UTF-8");
    assertEquals("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=", data);
    // Server's 'server-final-message':
    // [v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=]
    challenge = new NativePacketPayload("v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=".getBytes("UTF-8"));
    // Expected 'nothing'.
    // ;; If server's proof is verified then no exception is thrown.
    authPlugin.nextAuthenticationStep(challenge, response);
    assertEquals(0, response.size());
}
Also used : ArrayList(java.util.ArrayList) AuthenticationLdapSaslClientPlugin(com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin) NativePacketPayload(com.mysql.cj.protocol.a.NativePacketPayload) Test(org.junit.jupiter.api.Test)
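The client-side SCRAM computation that the five tests above exercise, as an added example that is not Connector/J code: it builds the client-first and client-final messages from the RFC 5802 (SCRAM-SHA-1) and RFC 7677 (SCRAM-SHA-256) vectors, derives the ServerSignature it expects back, and applies the three rejections the tests check for (server nonce not extending the client nonce, iteration count below a floor, missing 'v' attribute). The 4096 iteration floor, the function names and the error strings are assumptions chosen to mirror the tests' expectations, not the plugin's API.

```python
import base64
import hashlib
import hmac

# Assumed floor: the page's tests reject i=1024 and accept i=4096 (RFC 5802 recommends >= 4096).
MIN_ITERATIONS = 4096
DIGESTS = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256"}

def parse_attrs(msg):
    """Split 'k=v,k=v' into a dict; base64 values may contain '=', so split once."""
    return dict(part.split("=", 1) for part in msg.split(","))

def client_first(user, cnonce):
    """client-first-message with GS2 header 'n,,' (no channel binding)."""
    return f"n,,n={user},r={cnonce}"

def client_final(algo, user, password, cnonce, server_first):
    """Validate server-first-message; return (client-final-message, expected base64 ServerSignature)."""
    h = DIGESTS[algo]
    attrs = parse_attrs(server_first)
    if not all(k in attrs for k in ("r", "s", "i")):
        raise ValueError("Missing required SCRAM attribute from server first message.")
    if not attrs["r"].startswith(cnonce):  # server nonce must extend ours, else the reply is unbound
        raise ValueError(f"Invalid server nonce for {algo} authentication.")
    iterations = int(attrs["i"])
    if iterations < MIN_ITERATIONS:  # refuse a downgraded PBKDF2 work factor
        raise ValueError(f"Announced {algo} iteration count is too low.")
    salted = hashlib.pbkdf2_hmac(h, password.encode(), base64.b64decode(attrs["s"]), iterations)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    stored_key = hashlib.new(h, client_key).digest()
    without_proof = f"c=biws,r={attrs['r']}"  # 'biws' is base64('n,,')
    auth_message = f"n={user},r={cnonce},{server_first},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, h).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))  # ClientKey XOR ClientSignature
    server_key = hmac.new(salted, b"Server Key", h).digest()
    server_sig = hmac.new(server_key, auth_message, h).digest()
    return f"{without_proof},p={base64.b64encode(proof).decode()}", base64.b64encode(server_sig).decode()

def verify_server_final(server_final, expected_sig):
    """Accept the server only if its 'v' attribute equals the ServerSignature we computed."""
    attrs = parse_attrs(server_final)
    if "v" not in attrs:
        raise ValueError("Missing required SCRAM attribute from server final message.")
    if not hmac.compare_digest(attrs["v"], expected_sig):
        raise ValueError("Server signature verification failed.")
    return True

def exchange_error(algo, user, password, cnonce, server_first, server_final):
    """Drive the client against scripted server messages: None on success, else the rejection reason."""
    try:
        _, sig = client_final(algo, user, password, cnonce, server_first)
        verify_server_final(server_final, sig)
        return None
    except ValueError as e:
        return str(e)
```

Because the auth message includes both nonces, the salt and the iteration count, tampering with any of them changes ClientProof and ServerSignature at the same time, which is why the nonce and iteration checks are done before any key derivation.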
