WL#14707, Support OCI IAM authentication.

Author: fjssilva

CHANGES

@@ -3,6 +3,8 @@
 
 Version 8.0.27
 
+  - WL#14707, Support OCI IAM authentication.
+
   - WL#14660, Testsuite with support for single MySQL server instance.
 
   - Fix for Bug#103878 (32954449), CONNECTOR/J 8 : QUERY WITH 'SHOW XXX' WILL GET EXCEPTION WHEN USE CURSOR.

src/build/misc/pom.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!--
-  Copyright (c) 2006, 2020, Oracle and/or its affiliates.
+  Copyright (c) 2006, 2021, Oracle and/or its affiliates.
 
   This program is free software; you can redistribute it and/or modify it under
   the terms of the GNU General Public License, version 2.0, as published by the
@@ -63,5 +63,12 @@
       <artifactId>protobuf-java</artifactId>
       <version>3.11.4</version>
     </dependency>
+
+    <dependency>
+      <groupId>com.oracle.oci.sdk</groupId>
+      <artifactId>oci-java-sdk-common</artifactId>
+      <version>2.3.0</version>
+      <optional>true</optional>
+    </dependency>
   </dependencies>
 </project>

src/main/core-api/java/com/mysql/cj/conf/PropertyDefinitions.java

@@ -199,6 +199,9 @@ public enum DatabaseTerm {
                 new StringPropertyDefinition(PropertyKey.ldapServerHostname, DEFAULT_VALUE_NULL_STRING, RUNTIME_MODIFIABLE,
                         Messages.getString("ConnectionProperties.ldapServerHostname"), "8.0.23", CATEGORY_AUTH, Integer.MIN_VALUE + 6),
 
+                new StringPropertyDefinition(PropertyKey.ociConfigFile, DEFAULT_VALUE_NULL_STRING, RUNTIME_MODIFIABLE,
+                        Messages.getString("ConnectionProperties.ociConfigFile"), "8.0.27", CATEGORY_AUTH, Integer.MIN_VALUE + 7),
+
                 //
                 // CATEGORY_CONNECTION
                 //

src/main/core-api/java/com/mysql/cj/conf/PropertyKey.java

@@ -166,6 +166,7 @@ public enum PropertyKey {
     noAccessToProcedureBodies("noAccessToProcedureBodies", true), //
     noDatetimeStringSync("noDatetimeStringSync", true), //
     nullDatabaseMeansCurrent("nullDatabaseMeansCurrent", "nullCatalogMeansCurrent", true), //
+    ociConfigFile("ociConfigFile", true), //
     overrideSupportsIntegrityEnhancementFacility("overrideSupportsIntegrityEnhancementFacility", true), //
     packetDebugBufferSize("packetDebugBufferSize", true), //
     padCharsWithSpace("padCharsWithSpace", true), //

src/main/core-impl/java/com/mysql/cj/protocol/ExportControlled.java

@@ -41,6 +41,8 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
+import java.security.SignatureException;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidator;
@@ -53,11 +55,14 @@
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.List;
 import java.util.Properties;
@@ -676,4 +681,31 @@ public static byte[] encryptWithRSAPublicKey(byte[] source, RSAPublicKey key, St
     public static byte[] encryptWithRSAPublicKey(byte[] source, RSAPublicKey key) throws RSAException {
         return encryptWithRSAPublicKey(source, key, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
     }
+
+    public static RSAPrivateKey decodeRSAPrivateKey(String key) throws RSAException {
+        if (key == null) {
+            throw ExceptionFactory.createException(RSAException.class, "Key parameter is null");
+        }
+
+        String keyData = key.replace("-----BEGIN PRIVATE KEY-----", "").replaceAll("\\R", "").replace("-----END PRIVATE KEY-----", "");
+        byte[] decodedKeyData = Base64.getDecoder().decode(keyData);
+
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+            return (RSAPrivateKey) keyFactory.generatePrivate(new PKCS8EncodedKeySpec(decodedKeyData));
+        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+            throw ExceptionFactory.createException(RSAException.class, "Unable to decode private key", e);
+        }
+    }
+
+    public static byte[] sign(byte[] source, RSAPrivateKey privateKey) throws RSAException {
+        try {
+            Signature signature = Signature.getInstance("SHA256withRSA");
+            signature.initSign(privateKey);
+            signature.update(source);
+            return signature.sign();
+        } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
+            throw ExceptionFactory.createException(RSAException.class, e.getMessage(), e);
+        }
+    }
 }

src/main/protocol-impl/java/com/mysql/cj/protocol/a/NativeAuthenticationProvider.java

@@ -55,6 +55,7 @@
 import com.mysql.cj.protocol.a.NativeConstants.IntegerDataType;
 import com.mysql.cj.protocol.a.NativeConstants.StringLengthDataType;
 import com.mysql.cj.protocol.a.NativeConstants.StringSelfDataType;
+import com.mysql.cj.protocol.a.authentication.AuthenticationOciClient;
 import com.mysql.cj.protocol.a.authentication.AuthenticationKerberosClient;
 import com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin;
 import com.mysql.cj.protocol.a.authentication.CachingSha2PasswordPlugin;
@@ -253,6 +254,7 @@ private void loadAuthenticationPlugins() {
         pluginsToInit.add(new MysqlOldPasswordPlugin());
         pluginsToInit.add(new AuthenticationLdapSaslClientPlugin());
         pluginsToInit.add(new AuthenticationKerberosClient());
+        pluginsToInit.add(new AuthenticationOciClient());
 
         // plugins from authenticationPluginClasses connection parameter
         String authenticationPluginClasses = this.propertySet.getStringProperty(PropertyKey.authenticationPlugins).getValue();
@@ -322,7 +324,11 @@ private void loadAuthenticationPlugins() {
     private AuthenticationPlugin<NativePacketPayload> getAuthenticationPlugin(String pluginName) {
         AuthenticationPlugin<NativePacketPayload> plugin = this.authenticationPlugins.get(pluginName);
 
-        if (plugin != null && !plugin.isReusable()) {
+        if (plugin == null) {
+            return null;
+        }
+
+        if (!plugin.isReusable()) {
             try {
                 plugin = plugin.getClass().newInstance();
             } catch (Throwable t) {
@@ -490,7 +496,7 @@ private void proceedHandshakeWithPluggableAuthentication(final NativePacketPaylo
                 }
 
                 checkConfidentiality(plugin);
-                fromServer = new NativePacketPayload(StringUtils.getBytes(last_received.readString(StringSelfDataType.STRING_EOF, "ASCII")));
+                fromServer = new NativePacketPayload(last_received.readBytes(StringSelfDataType.STRING_EOF));
 
             } else {
                 // read raw packet

src/main/protocol-impl/java/com/mysql/cj/protocol/a/authentication/AuthenticationKerberosClient.java

@@ -73,9 +73,9 @@ public class AuthenticationKerberosClient implements AuthenticationPlugin<Native
 
     private String sourceOfAuthData = PLUGIN_NAME;
 
-    private MysqlCallbackHandler usernameCallbackHandler;
-    private String user;
-    private String password;
+    private MysqlCallbackHandler usernameCallbackHandler = null;
+    private String user = null;
+    private String password = null;
     private String userPrincipalName = null;
 
     private Subject subject = null;
@@ -93,7 +93,7 @@ public class AuthenticationKerberosClient implements AuthenticationPlugin<Native
         }
     };
 
-    private SaslClient saslClient;
+    private SaslClient saslClient = null;
 
     @Override
     public void init(Protocol<NativePacketPayload> prot, MysqlCallbackHandler cbh) {
@@ -156,7 +156,9 @@ public void setAuthenticationParameters(String user, String password) {
                 // Fall-back to system login user.
                 this.user = System.getProperty("user.name");
             }
-            this.usernameCallbackHandler.handle(new UsernameCallback(this.user));
+            if (this.usernameCallbackHandler != null) {
+                this.usernameCallbackHandler.handle(new UsernameCallback(this.user));
+            }
         }
     }
 
@@ -170,7 +172,7 @@ public boolean nextAuthenticationStep(NativePacketPayload fromServer, List<Nativ
         toServer.clear();
 
         if (!this.sourceOfAuthData.equals(PLUGIN_NAME)) {
-            // Couldn't do anything with whatever payload comes from the server, so just skip this iteration and wait for a Protocol::AuthSwitchRequest.
+            // Cannot do anything with whatever payload comes from the server, so just skip this iteration and wait for a Protocol::AuthSwitchRequest.
             toServer.add(new NativePacketPayload(new byte[0]));
             return true;
         }

src/main/protocol-impl/java/com/mysql/cj/protocol/a/authentication/AuthenticationLdapSaslClientPlugin.java

@@ -52,6 +52,8 @@
 import javax.security.sasl.SaslException;
 
 import com.mysql.cj.Messages;
+import com.mysql.cj.callback.MysqlCallbackHandler;
+import com.mysql.cj.callback.UsernameCallback;
 import com.mysql.cj.conf.PropertyKey;
 import com.mysql.cj.exceptions.CJException;
 import com.mysql.cj.exceptions.ExceptionFactory;
@@ -78,8 +80,8 @@ private enum AuthenticationMechanisms {
         SCRAM_SHA_256(ScramSha256SaslClient.IANA_MECHANISM_NAME, ScramSha256SaslClient.MECHANISM_NAME), //
         GSSAPI("GSSAPI", "GSSAPI");
 
-        private String mechName;
-        private String saslServiceName;
+        private String mechName = null;
+        private String saslServiceName = null;
 
         private AuthenticationMechanisms(String mechName, String serviceName) {
             this.mechName = mechName;
@@ -105,11 +107,12 @@ String getSaslServiceName() {
     }
 
     private Protocol<?> protocol = null;
-    private String user;
-    private String password;
+    private MysqlCallbackHandler usernameCallbackHandler = null;
+    private String user = null;
+    private String password = null;
 
-    private AuthenticationMechanisms authMech;
-    private SaslClient saslClient;
+    private AuthenticationMechanisms authMech = null;
+    private SaslClient saslClient = null;
     private Subject subject = null;
 
     private boolean firstPass = true;
@@ -135,6 +138,12 @@ public void init(Protocol<NativePacketPayload> prot) {
         Security.addProvider(new ScramShaSaslProvider());
     }
 
+    @Override
+    public void init(Protocol<NativePacketPayload> prot, MysqlCallbackHandler cbh) {
+        init(prot);
+        this.usernameCallbackHandler = cbh;
+    }
+
     @Override
     public void reset() {
         if (this.saslClient != null) {
@@ -177,6 +186,14 @@ public boolean isReusable() {
     public void setAuthenticationParameters(String user, String password) {
         this.user = user;
         this.password = password;
+
+        if (this.user == null) {
+            // Fall-back to system login user.
+            this.user = System.getProperty("user.name");
+            if (this.usernameCallbackHandler != null) {
+                this.usernameCallbackHandler.handle(new UsernameCallback(this.user));
+            }
+        }
     }
 
     @Override
@@ -192,7 +209,7 @@ public boolean nextAuthenticationStep(NativePacketPayload fromServer, List<Nativ
                 if (this.firstPass) {
                     this.firstPass = false;
                     // Payload could be a salt (auth-plugin-data) value instead of an authentication mechanism identifier.
-                    // Give it another try in the hope of receiving a AuthSwitchRequest next time.
+                    // Give it another try in the expectation of receiving an AuthSwitchRequest next time.
                     toServer.add(new NativePacketPayload(new byte[0]));
                     return true;
                 }