sql,sessioninit: return PROVISIONSRC role option from GetUserSessionInitInfo

This allows the PROVISIONSRC that has been configured to be used during
authentication.

Release note: None

Author: souravcrl

pkg/BUILD.bazel

@@ -338,6 +338,7 @@ ALL_TESTS = [
     "//pkg/security/certmgr:certmgr_test",
     "//pkg/security/clientcert:clientcert_test",
     "//pkg/security/password:password_test",
+    "//pkg/security/provisioning:provisioning_test",
     "//pkg/security/sessionrevival:sessionrevival_test",
     "//pkg/security/username:username_disallowed_imports_test",
     "//pkg/security/username:username_test",
@@ -1718,6 +1719,7 @@ GO_TARGETS = [
     "//pkg/security/password:password_test",
     "//pkg/security/pprompt:pprompt",
     "//pkg/security/provisioning:provisioning",
+    "//pkg/security/provisioning:provisioning_test",
     "//pkg/security/securityassets:securityassets",
     "//pkg/security/securitytest:securitytest",
     "//pkg/security/sessionrevival:sessionrevival",

pkg/ccl/serverccl/role_authentication_test.go

@@ -362,7 +362,7 @@ func TestVerifyPassword(t *testing.T) {
 		t.Run(tc.testName, func(t *testing.T) {
 			execCfg := ts.ExecutorConfig().(sql.ExecutorConfig)
 			username := username.MakeSQLUsernameFromPreNormalizedString(tc.username)
-			exists, canLoginSQL, canLoginDBConsole, canUseReplicationMode, isSuperuser, _, _, pwRetrieveFn, err := sql.GetUserSessionInitInfo(
+			exists, canLoginSQL, canLoginDBConsole, canUseReplicationMode, isSuperuser, _, _, _, pwRetrieveFn, err := sql.GetUserSessionInitInfo(
 				context.Background(), &execCfg, username, "", /* databaseName */
 			)
 

pkg/security/provisioning/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
 go_library(
     name = "provisioning",
@@ -7,3 +7,13 @@ go_library(
     visibility = ["//visibility:public"],
     deps = ["@com_github_cockroachdb_errors//:errors"],
 )
+
+go_test(
+    name = "provisioning_test",
+    srcs = ["provisioning_source_test.go"],
+    embed = [":provisioning"],
+    deps = [
+        "//pkg/util/leaktest",
+        "@com_github_stretchr_testify//require",
+    ],
+)

pkg/security/provisioning/provisioning_source.go

@@ -64,8 +64,18 @@ func parseAuthMethod(sourceStr string) (authMethod string, idp string, err error
 }
 
 func parseIDP(idp string) (u *url.URL, err error) {
+	if len(idp) == 0 {
+		return nil, errors.Newf("PROVISIONSRC IDP cannot be empty")
+	}
 	if u, err = url.Parse(idp); err != nil {
 		return nil, errors.Wrapf(err, "provided IDP %q in PROVISIONSRC is non parseable", idp)
 	}
+	if len(u.Port()) != 0 || u.Opaque != "" {
+		return nil, errors.Newf("unknown PROVISIONSRC IDP url format in %q", idp)
+	}
 	return
 }
+
+func (source *Source) Size() int {
+	return len(source.authMethod) + len(source.idp.String())
+}

pkg/security/provisioning/provisioning_source_test.go

@@ -0,0 +1,181 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package provisioning
+
+import (
+	"testing"
+
+	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseProvisioningSource(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+	tests := []struct {
+		name           string
+		sourceStr      string
+		wantErr        bool
+		expectedMethod string
+		expectedIDP    string
+		expectedErrMsg string
+	}{
+		{
+			name:           "valid ldap source",
+			sourceStr:      "ldap:ldap.bar.com",
+			wantErr:        false,
+			expectedMethod: "ldap",
+			expectedIDP:    "ldap.bar.com",
+		},
+		{
+			name:           "valid ldap source with example.com",
+			sourceStr:      "ldap:ldap.example.com",
+			wantErr:        false,
+			expectedMethod: "ldap",
+			expectedIDP:    "ldap.example.com",
+		},
+		{
+			name:           "valid ldap source with simple hostname",
+			sourceStr:      "ldap:foo.bar",
+			wantErr:        false,
+			expectedMethod: "ldap",
+			expectedIDP:    "foo.bar",
+		},
+		{
+			name:           "missing auth method prefix",
+			sourceStr:      "ldap.example.com",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC "ldap.example.com" was not prefixed with any valid auth methods ["ldap"]`,
+		},
+		{
+			name:           "invalid characters in IDP",
+			sourceStr:      "ldap:[]!@#%#^$&*",
+			wantErr:        true,
+			expectedErrMsg: `provided IDP "[]!@#%#^$&*" in PROVISIONSRC is non parseable`,
+		},
+		{
+			name:           "empty string",
+			sourceStr:      "",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC "" was not prefixed with any valid auth methods ["ldap"]`,
+		},
+		{
+			name:           "invalid auth method",
+			sourceStr:      "oauth:example.com",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC "oauth:example.com" was not prefixed with any valid auth methods ["ldap"]`,
+		},
+		{
+			name:           "only auth method without IDP",
+			sourceStr:      "ldap:",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC IDP cannot be empty`,
+		},
+		{
+			name:           "IDP url with port",
+			sourceStr:      "ldap:example.com:389",
+			wantErr:        true,
+			expectedErrMsg: "unknown PROVISIONSRC IDP url format in \"example.com:389\"",
+		},
+		{
+			name:           "IDP url starts with double slash",
+			sourceStr:      "ldap://ldap.example.com",
+			wantErr:        false,
+			expectedMethod: "ldap",
+			expectedIDP:    "//ldap.example.com",
+		},
+		{
+			name:           "space in IDP url",
+			sourceStr:      "ldap:ldap1 ldap2",
+			wantErr:        false,
+			expectedMethod: "ldap",
+			expectedIDP:    "ldap1%20ldap2",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			source, err := ParseProvisioningSource(tt.sourceStr)
+			if tt.wantErr {
+				require.Error(t, err)
+				require.Nil(t, source)
+				require.Contains(t, err.Error(), tt.expectedErrMsg)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, source)
+				require.Equal(t, tt.expectedMethod, source.authMethod)
+				require.Equal(t, tt.expectedIDP, source.idp.String())
+			}
+		})
+	}
+}
+
+func TestValidateSource(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+	tests := []struct {
+		name           string
+		sourceStr      string
+		wantErr        bool
+		expectedErrMsg string
+	}{
+		{
+			name:      "valid ldap source",
+			sourceStr: "ldap:ldap.bar.com",
+			wantErr:   false,
+		},
+		{
+			name:      "valid ldap source with example.com",
+			sourceStr: "ldap:ldap.example.com",
+			wantErr:   false,
+		},
+		{
+			name:      "valid ldap source with simple hostname",
+			sourceStr: "ldap:foo.bar",
+			wantErr:   false,
+		},
+		{
+			name:           "missing auth method prefix",
+			sourceStr:      "ldap.example.com",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC "ldap.example.com" was not prefixed with any valid auth methods ["ldap"]`,
+		},
+		{
+			name:           "invalid characters in IDP",
+			sourceStr:      "ldap:[]!@#%#^$&*",
+			wantErr:        true,
+			expectedErrMsg: `provided IDP "[]!@#%#^$&*" in PROVISIONSRC is non parseable`,
+		},
+		{
+			name:           "empty string",
+			sourceStr:      "",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC "" was not prefixed with any valid auth methods ["ldap"]`,
+		},
+		{
+			name:           "invalid auth method",
+			sourceStr:      "oauth:example.com",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC "oauth:example.com" was not prefixed with any valid auth methods ["ldap"]`,
+		},
+		{
+			name:           "only auth method without IDP",
+			sourceStr:      "ldap:",
+			wantErr:        true,
+			expectedErrMsg: `PROVISIONSRC IDP cannot be empty`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateSource(tt.sourceStr)
+			if tt.wantErr {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tt.expectedErrMsg)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

pkg/server/authserver/authentication.go

@@ -335,7 +335,7 @@ func (s *authenticationServer) UserLoginFromSSO(
 	// without further normalization.
 	username, _ := username.MakeSQLUsernameFromUserInput(reqUsername, username.PurposeValidation)
 
-	exists, _, canLoginDBConsole, _, _, _, _, _, err := sql.GetUserSessionInitInfo(
+	exists, _, canLoginDBConsole, _, _, _, _, _, _, err := sql.GetUserSessionInitInfo(
 		ctx,
 		s.sqlServer.ExecutorConfig(),
 		username,
@@ -493,7 +493,7 @@ func (s *authenticationServer) VerifyUserSessionDBConsole(
 	pwRetrieveFn func(ctx context.Context) (expired bool, hashedPassword password.PasswordHash, err error),
 	err error,
 ) {
-	exists, _, canLoginDBConsole, _, _, _, _, pwRetrieveFn, err := sql.GetUserSessionInitInfo(
+	exists, _, canLoginDBConsole, _, _, _, _, _, pwRetrieveFn, err := sql.GetUserSessionInitInfo(
 		ctx,
 		s.sqlServer.ExecutorConfig(),
 		userName,

pkg/sql/BUILD.bazel

@@ -361,6 +361,7 @@ go_library(
         "//pkg/security",
         "//pkg/security/distinguishedname",
         "//pkg/security/password",
+        "//pkg/security/provisioning",
         "//pkg/security/sessionrevival",
         "//pkg/security/username",
         "//pkg/server/license",

pkg/sql/pgwire/auth.go

@@ -150,7 +150,7 @@ func (c *conn) handleAuthentication(
 
 	// Check that the requested user exists and retrieve the hashed
 	// password in case password authentication is needed.
-	exists, canLoginSQL, _, canUseReplicationMode, isSuperuser, defaultSettings, roleSubject, pwRetrievalFn, err :=
+	exists, canLoginSQL, _, canUseReplicationMode, isSuperuser, defaultSettings, roleSubject, _, pwRetrievalFn, err :=
 		sql.GetUserSessionInitInfo(
 			ctx,
 			execCfg,

pkg/sql/sessioninit/BUILD.bazel

@@ -11,6 +11,7 @@ go_library(
     deps = [
         "//pkg/keys",
         "//pkg/security/password",
+        "//pkg/security/provisioning",
         "//pkg/security/username",
         "//pkg/settings",
         "//pkg/settings/cluster",

pkg/sql/sessioninit/cache.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/keys"
 	"github.com/cockroachdb/cockroach/pkg/security/password"
+	"github.com/cockroachdb/cockroach/pkg/security/provisioning"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/settings"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
@@ -76,6 +77,10 @@ type AuthInfo struct {
 	// Subject is the SUBJECT role option. It is used to match the subject
 	// distinguished name in a client certificate.
 	Subject *ldap.DN
+	// ProvisioningSource is the PROVISIONSRC role option. It is used to
+	// identify the source of the user in case a user auto provisioned from an
+	// auth method integration.
+	ProvisioningSource *provisioning.Source
 }
 
 // SettingsCacheKey is the key used for the settingsCache.
@@ -261,9 +266,13 @@ func (a *Cache) maybeWriteAuthInfoBackToCache(
 			}
 		}
 	}
+	provisioningSourceSize := 0
+	if aInfo.ProvisioningSource != nil {
+		provisioningSourceSize += aInfo.ProvisioningSource.Size()
+	}
 
 	sizeOfEntry := sizeOfUsername + len(user.Normalized()) +
-		sizeOfAuthInfo + hpSize + sizeOfTimestamp + subjectSize
+		sizeOfAuthInfo + hpSize + sizeOfTimestamp + subjectSize + provisioningSourceSize
 	if err := a.boundAccount.Grow(ctx, int64(sizeOfEntry)); err != nil {
 		// If there is no memory available to cache the entry, we can still
 		// proceed with authentication so that users are not locked out of