Merge pull request #36 from mjgarton/further_tls_functionality

jonhoo · web-flow · commit 26a5c35ed648 · 2022-01-30T14:47:34.000-08:00
Further authentication &amp; tls functionality
diff --git a/Cargo.toml b/Cargo.toml
@@ -41,3 +41,8 @@ slab = "0.4.2"
 tokio = { version = "1.15.0", features = ["full"] }
 futures = "0.3.0"
 rcgen = "0.8.14"
+tempfile = "3.3.0"
+native-tls = "0.2.8"
+
+[target.'cfg(unix)'.dev-dependencies]
+openssl = "0.10.38"
diff --git a/src/commands.rs b/src/commands.rs
@@ -6,7 +6,7 @@ pub struct ClientHandshake<'a> {
     pub capabilities: CapabilityFlags,
     maxps: u32,
     collation: u16,
-    username: Option<&'a [u8]>,
+    pub(crate) username: Option<&'a [u8]>,
 }
 
 pub fn client_handshake(i: &[u8], after_tls: bool) -> nom::IResult<&[u8], ClientHandshake<'_>> {
diff --git a/src/lib.rs b/src/lib.rs
@@ -195,6 +195,27 @@ pub trait MysqlShim<W: Read + Write> {
     fn tls_config(&self) -> Option<std::sync::Arc<rustls::ServerConfig>> {
         None
     }
+
+    /// Called after successful authentication (including TLS if applicable) passing relevant
+    /// information to allow additional logic in the MySqlShim implementation.
+    fn after_authentication(
+        &mut self,
+        _context: &AuthenticationContext<'_>,
+    ) -> Result<(), Self::Error> {
+        Ok(())
+    }
+}
+
+/// Information about an authenticated user
+#[derive(Debug, Default, Clone, PartialEq)]
+pub struct AuthenticationContext<'a> {
+    /// The username exactly as passed by the client,
+    pub username: Option<Vec<u8>>,
+    #[cfg(feature = "tls")]
+    /// The TLS certificate chain presented by the client.
+    pub tls_client_certs: Option<&'a [rustls::Certificate]>,
+    #[cfg(not(feature = "tls"))]
+    _pd: Option<&'a std::marker::PhantomData<()>>,
 }
 
 /// A server that speaks the MySQL/MariaDB protocol, and can delegate client commands to a backend
@@ -265,6 +286,8 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
         self.rw.write_all(&b">o6^Wz!/kM}N\0"[..])?; // 4.1+ servers must extend salt
         self.rw.flush()?;
 
+        let mut auth_context = AuthenticationContext::default();
+
         {
             let (seq, handshake) = self.rw.next()?.ok_or_else(|| {
                 io::Error::new(
@@ -300,6 +323,8 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
                 })?
                 .1;
 
+            auth_context.username = handshake.username.map(|x| x.to_vec());
+
             self.rw.set_seq(seq + 1);
 
             #[cfg(not(feature = "tls"))]
@@ -328,7 +353,8 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
                         "peer terminated connection",
                     )
                 })?;
-                let _handshake = commands::client_handshake(&handshake, true)
+
+                let handshake = commands::client_handshake(&handshake, true)
                     .map_err(|e| match e {
                         nom::Err::Incomplete(_) => io::Error::new(
                             io::ErrorKind::UnexpectedEof,
@@ -356,7 +382,21 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
                     })?
                     .1;
 
+                auth_context.username = handshake.username.map(|x| x.to_vec());
+
                 self.rw.set_seq(seq + 1);
+
+                auth_context.tls_client_certs = self.rw.tls_certs();
+            }
+
+            if let Err(e) = self.shim.after_authentication(&auth_context) {
+                writers::write_err(
+                    ErrorKind::ER_ACCESS_DENIED_ERROR,
+                    "client authentication failed".as_ref(),
+                    &mut self.rw,
+                )?;
+                self.rw.flush()?;
+                return Err(e);
             }
         }
 
diff --git a/src/packet.rs b/src/packet.rs
@@ -1,6 +1,6 @@
 use byteorder::{ByteOrder, LittleEndian};
 #[cfg(feature = "tls")]
-use rustls::ServerConfig;
+use rustls::{Certificate, ServerConfig};
 use std::io;
 use std::io::prelude::*;
 
@@ -83,6 +83,14 @@ impl<W: Read + Write> PacketConn<W> {
         self.remaining = 0;
         res
     }
+
+    #[cfg(feature = "tls")]
+    pub fn tls_certs(&self) -> Option<&[Certificate]> {
+        match &self.rw.0 {
+            Some(tls::EitherConn::Tls(tls_conn)) => tls_conn.conn.peer_certificates(),
+            _ => None,
+        }
+    }
 }
 
 impl<W: Read + Write> PacketConn<W> {
diff --git a/src/tls.rs b/src/tls.rs
@@ -13,7 +13,7 @@ pub fn create_stream<T: Read + Write + Sized>(
     Ok(stream)
 }
 
-pub(crate) struct SwitchableConn<T: Read + Write>(Option<EitherConn<T>>);
+pub(crate) struct SwitchableConn<T: Read + Write>(pub(crate) Option<EitherConn<T>>);
 
 pub(crate) enum EitherConn<T: Read + Write> {
     Plain(T),
diff --git a/tests/main.rs b/tests/main.rs

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ pub struct ClientHandshake<'a> {`
`6`	`6`	`pub capabilities: CapabilityFlags,`
`7`	`7`	`maxps: u32,`
`8`	`8`	`collation: u16,`
`9`		`- username: Option<&'a [u8]>,`
	`9`	`+ pub(crate) username: Option<&'a [u8]>,`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`pub fn client_handshake(i: &[u8], after_tls: bool) -> nom::IResult<&[u8], ClientHandshake<'_>> {`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ pub fn create_stream<T: Read + Write + Sized>(`
`13`	`13`	`Ok(stream)`
`14`	`14`	`}`
`15`	`15`
`16`		`-pub(crate) struct SwitchableConn<T: Read + Write>(Option<EitherConn<T>>);`
	`16`	`+pub(crate) struct SwitchableConn<T: Read + Write>(pub(crate) Option<EitherConn<T>>);`
`17`	`17`
`18`	`18`	`pub(crate) enum EitherConn<T: Read + Write> {`
`19`	`19`	`Plain(T),`