Add gssapi support

kesmit13 · kesmit13 · commit 01a0ec6d845c · 2023-05-17T10:53:29.000-05:00
diff --git a/setup.cfg b/setup.cfg
@@ -50,8 +50,12 @@ dbt =
     dbt-singlestore
 ed22519 =
     PyNaCl>=1.4.0
+gssapi =
+    gssapi
 ibis =
     ibis-singlestoredb
+kerberos =
+    gssapi
 rsa =
     cryptography
 sqlalchemy =
diff --git a/singlestoredb/mysql/_auth.py b/singlestoredb/mysql/_auth.py
@@ -2,8 +2,9 @@
 """
 Implements auth methods
 """
-from .err import OperationalError
+import getpass
 
+from .err import OperationalError
 
 try:
     from cryptography.hazmat.backends import default_backend
@@ -273,3 +274,28 @@ def caching_sha2_password_auth(conn, pkt):
 
     data = sha2_rsa_encrypt(conn.password, conn.salt, conn.server_public_key)
     pkt = _roundtrip(conn, data)
+
+
+def gssapi_auth(user):
+    try:
+        import gssapi.raw
+    except ImportError:
+        raise ImportError(
+            'The `gssapi` package must be '
+            'installed for Kerberos authentication',
+        )
+
+    if not user:
+        user = getpass.getuser()
+
+    ctx = None
+    try:
+        ctx = gssapi.raw.init_sec_context(
+            gssapi.raw.import_name(user, gssapi.raw.NameType.user),
+            flags=[0], lifetime=0,
+        )
+        return ctx.token
+
+    finally:
+        if ctx is not None:
+            gssapi.raw.delete_sec_context(ctx.context)
diff --git a/singlestoredb/mysql/connection.py b/singlestoredb/mysql/connection.py
@@ -1111,6 +1111,9 @@ def _request_authentication(self):  # noqa: C901
                 authresp = b'\1'  # request public key
             else:
                 authresp = b'\0'  # empty password
+        elif self._auth_plugin_name == b'auth_gssapi_client':
+            plugin_name = b'auth_gssapi_client'
+            authresp = _auth.gssapi_auth(self.user)
 
         if self.server_capabilities & CLIENT.PLUGIN_AUTH_LENENC_CLIENT_DATA:
             data += _lenenc_int(len(authresp)) + authresp
@@ -1199,6 +1202,8 @@ def _process_auth(self, plugin_name, auth_packet):
         elif plugin_name == b'mysql_clear_password':
             # https://dev.mysql.com/doc/internals/en/clear-text-authentication.html
             data = self.password + b'\0'
+        elif plugin_name == b'auth_gssapi_client':
+            data = _auth.gssapi_auth(self.user)
         elif plugin_name == b'dialog':
             pkt = auth_packet
             while True:
