auth_gssapi - optionally pass ServerSPN.

Signed-off-by: wlad <[email protected]>

Author: wlad

src/MySqlConnector/Core/ConnectionSettings.cs

@@ -79,6 +79,7 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			Keepalive = csb.Keepalive;
 			PersistSecurityInfo = csb.PersistSecurityInfo;
 			ServerRsaPublicKeyFile = csb.ServerRsaPublicKeyFile;
+			ServerSPN = csb.ServerSPN;
 			TreatTinyAsBoolean = csb.TreatTinyAsBoolean;
 			UseAffectedRows = csb.UseAffectedRows;
 			UseCompression = csb.UseCompression;
@@ -157,6 +158,7 @@ private static MySqlGuidFormat GetEffectiveGuidFormat(MySqlGuidFormat guidFormat
 		public uint Keepalive { get; }
 		public bool PersistSecurityInfo { get; }
 		public string ServerRsaPublicKeyFile { get; }
+		public string ServerSPN { get; }
 		public bool TreatTinyAsBoolean { get; }
 		public bool UseAffectedRows { get; }
 		public bool UseCompression { get; }

src/MySqlConnector/Core/ServerSession.cs

@@ -501,7 +501,7 @@ private async Task<PayloadData> SwitchAuthenticationAsync(ConnectionSettings cs,
 				}
 
 			case "auth_gssapi_client":
-				return await AuthGSSAPI.AuthenticateAsync(switchRequest.Data, this, ioBehavior, cancellationToken).ConfigureAwait(false);
+				return await AuthGSSAPI.AuthenticateAsync(cs, switchRequest.Data, this, ioBehavior, cancellationToken).ConfigureAwait(false);
 
 			case "mysql_old_password":
 				Log.Error("Session{0} is requesting AuthenticationMethod '{1}' which is not supported", m_logArguments);

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnectionStringBuilder.cs

@@ -261,6 +261,12 @@ public string ServerRsaPublicKeyFile
 			set => MySqlConnectionStringOption.ServerRsaPublicKeyFile.SetValue(this, value);
 		}
 
+		public string ServerSPN
+		{
+			get => MySqlConnectionStringOption.ServerSPN.GetValue(this);
+			set => MySqlConnectionStringOption.ServerSPN.SetValue(this, value);
+		}
+
 		public bool TreatTinyAsBoolean
 		{
 			get => MySqlConnectionStringOption.TreatTinyAsBoolean.GetValue(this);
@@ -371,6 +377,7 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringOption<bool> OldGuids;
 		public static readonly MySqlConnectionStringOption<bool> PersistSecurityInfo;
 		public static readonly MySqlConnectionStringOption<string> ServerRsaPublicKeyFile;
+		public static readonly MySqlConnectionStringOption<string> ServerSPN;
 		public static readonly MySqlConnectionStringOption<bool> TreatTinyAsBoolean;
 		public static readonly MySqlConnectionStringOption<bool> UseAffectedRows;
 		public static readonly MySqlConnectionStringOption<bool> UseCompression;
@@ -565,6 +572,10 @@ static MySqlConnectionStringOption()
 				keys: new[] { "ServerRSAPublicKeyFile", "Server RSA Public Key File" },
 				defaultValue: null));
 
+			AddOption(ServerSPN = new MySqlConnectionStringOption<string>(
+				keys: new[] { "Server SPN", "ServerSPN" },
+				defaultValue: null));
+
 			AddOption(TreatTinyAsBoolean = new MySqlConnectionStringOption<bool>(
 				keys: new[] { "Treat Tiny As Boolean", "TreatTinyAsBoolean" },
 				defaultValue: true));

src/MySqlConnector/Protocol/Serialization/AuthGSSAPI.cs

@@ -2,6 +2,8 @@
 using System.IO;
 using System.Net;
 using System.Net.Security;
+using System.Security;
+using System.Security.Authentication;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
@@ -216,13 +218,13 @@ private static string GetServicePrincipalName(byte[] switchRequest)
 			var reader = new ByteArrayReader(switchRequest.AsSpan());
 			return Encoding.UTF8.GetString(reader.ReadNullOrEofTerminatedByteString());
 		}
-		public static async Task<PayloadData> AuthenticateAsync(byte[] switchRequestPayloadData,
+		public static async Task<PayloadData> AuthenticateAsync(ConnectionSettings cs, byte[] switchRequestPayloadData,
 			ServerSession session, IOBehavior ioBehavior, CancellationToken cancellationToken)
 		{
 			using (var innerStream = new NegotiateToMySqlConverterStream(session, ioBehavior, cancellationToken))
 			using (var negotiateStream = new NegotiateStream(innerStream))
 			{
-				var targetName = GetServicePrincipalName(switchRequestPayloadData);
+				var targetName =cs.ServerSPN ?? GetServicePrincipalName(switchRequestPayloadData);
 #if NETSTANDARD1_3
 				await negotiateStream.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, targetName).ConfigureAwait(false);
 #else
@@ -235,6 +237,13 @@ public static async Task<PayloadData> AuthenticateAsync(byte[] switchRequestPayl
 					await negotiateStream.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, targetName).ConfigureAwait(false);
 				}
 #endif
+				if (cs.ServerSPN != null && !negotiateStream.IsMutuallyAuthenticated)
+				{
+					// Negotiate used NTLM fallback, server name cannot be verified.
+					throw new AuthenticationException(String.Format(
+						"GSSAPI : Unable to verify server principal name using authentication type {0}",
+						negotiateStream.RemoteIdentity?.AuthenticationType));
+				}
 				if (innerStream.MySQLProtocolPayload.ArraySegment.Array != null)
 					// return already pre-read OK packet.
 					return innerStream.MySQLProtocolPayload;

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -58,6 +58,7 @@ public void Defaults()
 #if !BASELINE
 			Assert.Null(csb.ServerRsaPublicKeyFile);
 #endif
+			Assert.Null(csb.ServerSPN);
 #if !BASELINE
 			Assert.Equal(MySqlSslMode.Preferred, csb.SslMode);
 #else
@@ -121,6 +122,7 @@ public void ParseConnectionString()
 					"Port=1234;" +
 					"protocol=pipe;" +
 					"pwd=Pass1234;" +
+					"server spn=mariadb/[email protected];" +
 					"Treat Tiny As Boolean=false;" +
 					"ssl mode=verifyca;" +
 					"Uid=username;" +
@@ -168,6 +170,7 @@ public void ParseConnectionString()
 			Assert.False(csb.Pooling);
 			Assert.Equal(1234u, csb.Port);
 			Assert.Equal("db-server", csb.Server);
+			Assert.Equal("mariadb/[email protected]", csb.ServerSPN);
 			Assert.False(csb.TreatTinyAsBoolean);
 			Assert.Equal(MySqlSslMode.VerifyCA, csb.SslMode);
 			Assert.False(csb.UseAffectedRows);

tests/SideBySide/AppConfig.cs

@@ -38,6 +38,8 @@ public static class AppConfig
 
 		public static string GSSAPIUser => Config.GetValue<string>("Data:GSSAPIUser");
 
+		public static bool HasKerberos => Config.GetValue<bool>("Data:HasKerberos");
+
 		public static string SecondaryDatabase => Config.GetValue<string>("Data:SecondaryDatabase");
 
 		private static ServerFeatures UnsupportedFeatures => (ServerFeatures) Enum.Parse(typeof(ServerFeatures), Config.GetValue<string>("Data:UnsupportedFeatures"));

tests/SideBySide/ConfigSettings.cs

@@ -17,6 +17,7 @@ public enum ConfigSettings
 		TcpConnection = 0x200,
 		SecondaryDatabase = 0x400,
 		KnownClientCertificate = 0x800,
-		GSSAPIUser = 0x1000
+		GSSAPIUser = 0x1000,
+		HasKerberos = 0x2000
 	}
 }

tests/SideBySide/ConnectAsync.cs

@@ -2,6 +2,7 @@
 using System.Data;
 using System.Diagnostics;
 using System.IO;
+using System.Security.Authentication;
 using System.Threading.Tasks;
 using MySql.Data.MySqlClient;
 using Xunit;
@@ -320,6 +321,39 @@ public async Task AuthGSSAPI()
 				await connection.OpenAsync();
 			}
 		}
+
+		[SkippableFact(ConfigSettings.GSSAPIUser | ConfigSettings.HasKerberos)]
+		public async Task GoodServerSPN()
+		{
+			var csb = AppConfig.CreateGSSAPIConnectionStringBuilder();
+			string serverSPN;
+			// Use server's variable gssapi_principal_name as SPN
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				await connection.OpenAsync();
+				using (var cmd = connection.CreateCommand())
+				{
+					cmd.CommandText = "select @@gssapi_principal_name";
+					serverSPN = (string) await cmd.ExecuteScalarAsync();
+				}
+			}
+			csb.ServerSPN = serverSPN;
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				await connection.OpenAsync();
+			}
+		}
+
+		[SkippableFact(ConfigSettings.GSSAPIUser)]
+		public async Task BadServerSPN()
+		{
+			var csb = AppConfig.CreateGSSAPIConnectionStringBuilder();
+			csb.ServerSPN = "BadServerSPN";
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				await Assert.ThrowsAsync<AuthenticationException>(() => connection.OpenAsync());
+			}
+		}
 #if !BASELINE
 		[Fact]
 		public async Task PingNoConnection()

tests/SideBySide/TestUtilities.cs

@@ -94,6 +94,9 @@ public static string GetSkipReason(ServerFeatures serverFeatures, ConfigSettings
 			if (configSettings.HasFlag(ConfigSettings.GSSAPIUser) && string.IsNullOrWhiteSpace(AppConfig.GSSAPIUser))
 				return "Requires GSSAPIUser in config.json";
 
+			if (configSettings.HasFlag(ConfigSettings.HasKerberos) && !AppConfig.HasKerberos)
+				return "Requires HasKerberos in config.json";
+
 			if (configSettings.HasFlag(ConfigSettings.CsvFile) && string.IsNullOrWhiteSpace(AppConfig.MySqlBulkLoaderCsvFile))
 				return "Requires MySqlBulkLoaderCsvFile in config.json";