Update dependency SCRAM 3 and support channel binding

Also, the scram dependency is optional and the module descriptor declares it as static, however in practice when the scram dependency is not available the client cannot be used because the ScramAuthentication is unavailable due to a classloading error. The client should be resilient to this common case and continue to work when scram is not available.

Changes:

Introduce an indirection level, the scram interactions are now handled by a ScramSession and the ScramAuthentication is a factory for sessions. When the scram dependency is not available the ScramAuthentication instance is null, the InitCommandCodec can check this field and throw an exception that will close the connection (as per the protocol requirements).

Result:

The client runs fine without the scram dependency on the class/module path.

Signed-off-by: Thomas Segismont <[email protected]>

Author: jorsol

vertx-pg-client/pom.xml

@@ -64,8 +64,8 @@
     <!-- sasl scram authentication -->
     <dependency>
       <groupId>com.ongres.scram</groupId>
-      <artifactId>client</artifactId>
-      <version>2.1</version>
+      <artifactId>scram-client</artifactId>
+      <version>3.2</version>
       <optional>true</optional>
     </dependency>
 
@@ -196,6 +196,21 @@
               </environmentVariables>
             </configuration>
           </execution>
+          <execution>
+            <id>missing-scram-test</id>
+            <goals>
+              <goal>integration-test</goal>
+            </goals>
+            <phase>integration-test</phase>
+            <configuration>
+              <includes>
+                <include>io/vertx/pgclient/it/MissingScramTest.java</include>
+              </includes>
+              <classpathDependencyExcludes>
+                <classpathDependencyExclude>com.ongres.scram:scram-client</classpathDependencyExclude>
+              </classpathDependencyExcludes>
+            </configuration>
+          </execution>
         </executions>
       </plugin>
     </plugins>

vertx-pg-client/src/main/asciidoc/index.adoc

@@ -233,29 +233,28 @@ $ PGUSER=user \
 
 === SASL SCRAM-SHA-256 authentication mechanism.
 
-To use the sasl SCRAM-SHA-256 authentication add the following dependency to the _dependencies_ section of your build descriptor:
+To use the SASL `SCRAM-SHA-256` authentication add the following dependency to the _dependencies_ section of your build descriptor:
 
 * Maven (in your `pom.xml`):
 
 [source,xml]
 ----
 <dependency>
   <groupId>com.ongres.scram</groupId>
-  <artifactId>client</artifactId>
-  <version>2.1</version>
+  <artifactId>scram-client</artifactId>
+  <version>3.1</version>
 </dependency>
 ----
 * Gradle (in your `build.gradle` file):
 
 [source,groovy]
 ----
 dependencies {
-  compile 'com.ongres.scram:client:2.1'
+  compile 'com.ongres.scram:scram-client:3.1'
 }
 ----
 
-NOTE: SCRAM-SHA-256-PLUS (added in Postgresql 11) is not supported.
-
+When the database requires a scram authentication and the scram client jar is not on the class/module path, the connection will be closed by the client.
 
 include::queries.adoc[leveloffset=1]
 

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramAuthentication.java

@@ -0,0 +1,31 @@
+package io.vertx.pgclient.impl.auth.scram;
+
+import com.ongres.scram.client.ScramClient;
+import io.vertx.core.impl.logging.Logger;
+import io.vertx.core.impl.logging.LoggerFactory;
+
+public class ScramAuthentication {
+
+  private static final Logger logger = LoggerFactory.getLogger(ScramAuthentication.class);
+
+  public static ScramAuthentication INSTANCE;
+
+  static {
+    ScramAuthentication instance;
+    try {
+      ScramClient.MechanismsBuildStage builder = ScramClient.builder();
+      logger.debug("Scram authentication is available " + builder);
+      instance = new ScramAuthentication();
+    } catch (Throwable notFound) {
+      instance = null;
+    }
+    INSTANCE = instance;
+  }
+
+  private ScramAuthentication() {
+  }
+
+  public ScramSession session(String username, char[] password) {
+    return new ScramSessionImpl(username, password);
+  }
+}

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSession.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2017 Julien Viet
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package io.vertx.pgclient.impl.auth.scram;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.vertx.pgclient.impl.codec.ScramClientInitialMessage;
+
+public interface ScramSession {
+
+  /*
+   * The client selects one of the supported mechanisms from the list,
+   *  and sends a SASLInitialResponse message to the server.
+   * The message includes the name of the selected mechanism, and
+   *  an optional Initial Client Response, if the selected mechanism uses that.
+   */
+  ScramClientInitialMessage createInitialSaslMessage(ByteBuf in, ChannelHandlerContext ctx);
+
+  /*
+   * One or more server-challenge and client-response message will follow.
+   * Each server-challenge is sent in an AuthenticationSASLContinue message,
+   *   followed by a response from client in an SASLResponse message.
+   * The particulars of the messages are mechanism specific.
+   */
+  String receiveServerFirstMessage(ByteBuf in);
+
+  /*
+   * Finally, when the authentication exchange is completed successfully,
+   *   the server sends an AuthenticationSASLFinal message, followed immediately by an AuthenticationOk message.
+   * The AuthenticationSASLFinal contains additional server-to-client data,
+   *   whose content is particular to the selected authentication mechanism.
+   * If the authentication mechanism doesn't use additional data that's sent at completion,
+   *   the AuthenticationSASLFinal message is not sent
+   */
+  void checkServerFinalMessage(ByteBuf in);
+
+}

…lient/impl/util/ScramAuthentication.java …nt/impl/auth/scram/ScramSessionImpl.javavertx-pg-client/src/main/java/io/vertx/pgclient/impl/util/ScramAuthentication.java renamed to vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSessionImpl.java vertx-pg-client/src/main/java/io/vertx/pgclient/impl/util/ScramAuthentication.java renamed to vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSessionImpl.java

@@ -15,34 +15,36 @@
  *
  */
 
-package io.vertx.pgclient.impl.util;
-
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.List;
+package io.vertx.pgclient.impl.auth.scram;
 
 import com.ongres.scram.client.ScramClient;
-import com.ongres.scram.client.ScramSession;
-import com.ongres.scram.common.exception.ScramException;
+import com.ongres.scram.common.StringPreparation;
 import com.ongres.scram.common.exception.ScramInvalidServerSignatureException;
 import com.ongres.scram.common.exception.ScramParseException;
 import com.ongres.scram.common.exception.ScramServerErrorException;
-import com.ongres.scram.common.stringprep.StringPreparations;
-
+import com.ongres.scram.common.util.TlsServerEndpoint;
 import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.ssl.SslHandler;
 import io.vertx.pgclient.impl.codec.ScramClientInitialMessage;
+import io.vertx.pgclient.impl.util.Util;
 
-public class ScramAuthentication {
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
 
-  private static final String SCRAM_SHA_256 = "SCRAM-SHA-256";
+public class ScramSessionImpl implements ScramSession {
 
   private final String username;
-  private final String password;
-  private ScramSession scramSession;
-  private ScramSession.ClientFinalProcessor clientFinalProcessor;
+  private final char[] password;
+  private ScramClient scramClient;
 
-
-  public ScramAuthentication(String username, String password) {
+  public ScramSessionImpl(String username, char[] password) {
     this.username = username;
     this.password = password;
   }
@@ -53,39 +55,31 @@ public ScramAuthentication(String username, String password) {
    * The message includes the name of the selected mechanism, and
    *  an optional Initial Client Response, if the selected mechanism uses that.
    */
-  public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in) {
+  public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in, ChannelHandlerContext ctx) {
     List<String> mechanisms = new ArrayList<>();
 
     while (0 != in.getByte(in.readerIndex())) {
-       String mechanism = Util.readCStringUTF8(in);
-         mechanisms.add(mechanism);
+      String mechanism = Util.readCStringUTF8(in);
+      mechanisms.add(mechanism);
     }
 
     if (mechanisms.isEmpty()) {
       throw new UnsupportedOperationException("SASL Authentication : the server returned no mechanism");
     }
 
-    // SCRAM-SHA-256-PLUS added in postgresql 11 is not supported
-    if (!mechanisms.contains(SCRAM_SHA_256)) {
-        throw new UnsupportedOperationException("SASL Authentication : only SCRAM-SHA-256 is currently supported, server wants " + mechanisms);
-    }
-
-
-    ScramClient scramClient = ScramClient
-          .channelBinding(ScramClient.ChannelBinding.NO)
-          .stringPreparation(StringPreparations.NO_PREPARATION)
-          .selectMechanismBasedOnServerAdvertised(mechanisms.toArray(new String[0]))
-          .setup();
-
-
-    // this user name will be ignored, the user name that was already sent in the startup message is used instead
-    // see https://www.postgresql.org/docs/11/sasl-authentication.html#SASL-SCRAM-SHA-256 §53.3.1
-    scramSession = scramClient.scramSession(this.username);
-
-    return new ScramClientInitialMessage(scramSession.clientFirstMessage(), scramClient.getScramMechanism().getName());
+    byte[] channelBindingData = extractChannelBindingData(ctx);
+    this.scramClient = ScramClient.builder()
+        .advertisedMechanisms(mechanisms)
+        .username(username) // ignored by the server, use startup message
+        .password(password)
+        .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
+        .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, channelBindingData)
+        .build();
+
+    return new ScramClientInitialMessage(scramClient.clientFirstMessage().toString(),
+        scramClient.getScramMechanism().getName());
   }
 
-
   /*
    * One or more server-challenge and client-response message will follow.
    * Each server-challenge is sent in an AuthenticationSASLContinue message,
@@ -95,16 +89,13 @@ public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in) {
   public String receiveServerFirstMessage(ByteBuf in)  {
     String serverFirstMessage = in.readCharSequence(in.readableBytes(), StandardCharsets.UTF_8).toString();
 
-    ScramSession.ServerFirstProcessor serverFirstProcessor = null;
     try {
-      serverFirstProcessor = scramSession.receiveServerFirstMessage(serverFirstMessage);
-    } catch (ScramException e) {
+      scramClient.serverFirstMessage(serverFirstMessage);
+    } catch (ScramParseException e) {
       throw new UnsupportedOperationException(e);
     }
 
-    clientFinalProcessor = serverFirstProcessor.clientFinalProcessor(password);
-
-    return clientFinalProcessor.clientFinalMessage();
+    return scramClient.clientFinalMessage().toString();
   }
 
   /*
@@ -119,9 +110,33 @@ public void checkServerFinalMessage(ByteBuf in) {
     String serverFinalMessage = in.readCharSequence(in.readableBytes(), StandardCharsets.UTF_8).toString();
 
     try {
-      clientFinalProcessor.receiveServerFinalMessage(serverFinalMessage);
+      scramClient.serverFinalMessage(serverFinalMessage);
     } catch (ScramParseException | ScramServerErrorException | ScramInvalidServerSignatureException e) {
       throw new UnsupportedOperationException(e);
     }
   }
+
+  private byte[] extractChannelBindingData(ChannelHandlerContext ctx) {
+    SslHandler sslHandler = ctx.channel().pipeline().get(SslHandler.class);
+    if (sslHandler != null) {
+      SSLSession sslSession = sslHandler.engine().getSession();
+      if (sslSession != null && sslSession.isValid()) {
+        try {
+          // Get the certificate chain from the session
+          Certificate[] certificates = sslSession.getPeerCertificates();
+          if (certificates != null && certificates.length > 0) {
+            Certificate peerCert = certificates[0]; // First certificate is the peer's certificate
+            if (peerCert instanceof X509Certificate) {
+              X509Certificate cert = (X509Certificate) peerCert;
+              return TlsServerEndpoint.getChannelBindingData(cert);
+            }
+          }
+        } catch (CertificateEncodingException | SSLException e) {
+          // Cannot extract X509Certificate from SSL session
+          // handle as no channel binding available
+        }
+      }
+    }
+    return new byte[0]; // handle as no channel binding available
+  }
 }

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/InitCommandCodec.java

@@ -16,22 +16,24 @@
  */
 package io.vertx.pgclient.impl.codec;
 
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
-
 import io.netty.buffer.ByteBuf;
+import io.vertx.core.VertxException;
 import io.vertx.pgclient.impl.PgDatabaseMetadata;
 import io.vertx.pgclient.impl.PgSocketConnection;
-import io.vertx.pgclient.impl.util.ScramAuthentication;
+import io.vertx.pgclient.impl.auth.scram.ScramAuthentication;
+import io.vertx.pgclient.impl.auth.scram.ScramSession;
 import io.vertx.sqlclient.impl.Connection;
 import io.vertx.sqlclient.impl.command.CommandResponse;
 import io.vertx.sqlclient.impl.command.InitCommand;
 
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+
 class InitCommandCodec extends PgCommandCodec<Connection, InitCommand> {
 
   private PgEncoder encoder;
   private String encoding;
-  private ScramAuthentication scramAuthentication;
+  private ScramSession scramSession;
 
   InitCommandCodec(InitCommand cmd) {
     super(cmd);
@@ -57,20 +59,26 @@ public void handleAuthenticationClearTextPassword() {
 
   @Override
   void handleAuthenticationSasl(ByteBuf in) {
-    scramAuthentication = new ScramAuthentication(cmd.username(), cmd.password());
-    encoder.writeScramClientInitialMessage(scramAuthentication.createInitialSaslMessage(in));
+    ScramAuthentication scramAuth = ScramAuthentication.INSTANCE;
+    if (scramAuth == null) {
+      // This will close the connection
+      throw new VertxException("Scram authentication not supported, missing com.ongres.scram:scram-client on the class/module path");
+    }
+    scramSession = scramAuth.session(cmd.username(), cmd.password().toCharArray());
+    encoder.writeScramClientInitialMessage(
+      scramSession.createInitialSaslMessage(in, encoder.channelHandlerContext()));
     encoder.flush();
   }
 
   @Override
   void handleAuthenticationSaslContinue(ByteBuf in) {
-    encoder.writeScramClientFinalMessage(new ScramClientFinalMessage(scramAuthentication.receiveServerFirstMessage(in)));
+    encoder.writeScramClientFinalMessage(new ScramClientFinalMessage(scramSession.receiveServerFirstMessage(in)));
     encoder.flush();
   }
 
   @Override
   void handleAuthenticationSaslFinal(ByteBuf in) {
-    scramAuthentication.checkServerFinalMessage(in);
+    scramSession.checkServerFinalMessage(in);
   }
 
   @Override

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/PgEncoder.java

@@ -30,7 +30,6 @@
 import io.vertx.sqlclient.impl.RowDesc;
 import io.vertx.sqlclient.impl.command.*;
 
-import java.util.ArrayDeque;
 import java.util.Map;
 
 import static io.vertx.pgclient.impl.util.Util.writeCString;