Add support for specifying allowed auth methods (npgsql#6036)

Closes npgsql#6035

Author: vonzshik

src/Npgsql/Internal/NpgsqlConnector.Auth.cs

@@ -18,30 +18,43 @@ partial class NpgsqlConnector
 {
     async Task Authenticate(string username, NpgsqlTimeout timeout, bool async, CancellationToken cancellationToken)
     {
+        var requiredAuthModes = Settings.RequireAuthModes;
+        if (requiredAuthModes == default)
+            requiredAuthModes = NpgsqlConnectionStringBuilder.ParseAuthMode(PostgresEnvironment.RequireAuth);
+
+        var authenticated = false;
+
         while (true)
         {
             timeout.CheckAndApply(this);
             var msg = ExpectAny<AuthenticationRequestMessage>(await ReadMessage(async).ConfigureAwait(false), this);
             switch (msg.AuthRequestType)
             {
             case AuthenticationRequestType.Ok:
+                // If we didn't complete authentication, check whether it's allowed
+                if (!authenticated)
+                    ThrowIfNotAllowed(requiredAuthModes, RequireAuthMode.None);
                 return;
 
             case AuthenticationRequestType.CleartextPassword:
+                ThrowIfNotAllowed(requiredAuthModes, RequireAuthMode.Password);
                 await AuthenticateCleartext(username, async, cancellationToken).ConfigureAwait(false);
                 break;
 
             case AuthenticationRequestType.MD5Password:
+                ThrowIfNotAllowed(requiredAuthModes, RequireAuthMode.MD5);
                 await AuthenticateMD5(username, ((AuthenticationMD5PasswordMessage)msg).Salt, async, cancellationToken).ConfigureAwait(false);
                 break;
 
             case AuthenticationRequestType.SASL:
+                ThrowIfNotAllowed(requiredAuthModes, RequireAuthMode.ScramSHA256);
                 await AuthenticateSASL(((AuthenticationSASLMessage)msg).Mechanisms, username, async,
                     cancellationToken).ConfigureAwait(false);
                 break;
 
             case AuthenticationRequestType.GSS:
             case AuthenticationRequestType.SSPI:
+                ThrowIfNotAllowed(requiredAuthModes, msg.AuthRequestType == AuthenticationRequestType.GSS ? RequireAuthMode.GSS : RequireAuthMode.SSPI);
                 await DataSource.IntegratedSecurityHandler.NegotiateAuthentication(async, this).ConfigureAwait(false);
                 return;
 
@@ -51,6 +64,14 @@ await AuthenticateSASL(((AuthenticationSASLMessage)msg).Mechanisms, username, as
             default:
                 throw new NotSupportedException($"Authentication method not supported (Received: {msg.AuthRequestType})");
             }
+
+            authenticated = true;
+        }
+
+        static void ThrowIfNotAllowed(RequireAuthMode requiredAuthModes, RequireAuthMode requestedAuthMode)
+        {
+            if (!requiredAuthModes.HasFlag(requestedAuthMode))
+                throw new NpgsqlException($"\"{requestedAuthMode}\" authentication method is not allowed. Allowed methods: {requiredAuthModes}");
         }
     }
 

src/Npgsql/NpgsqlConnectionStringBuilder.cs

@@ -683,6 +683,70 @@ public ChannelBinding ChannelBinding
     }
     ChannelBinding _channelBinding;
 
+    /// <summary>
+    /// Controls the available authentication methods.
+    /// </summary>
+    [Category("Security")]
+    [Description("Controls the available authentication methods.")]
+    [DisplayName("Require Auth")]
+    [NpgsqlConnectionStringProperty]
+    public string? RequireAuth
+    {
+        get => _requireAuth;
+        set
+        {
+            RequireAuthModes = ParseAuthMode(value);
+            _requireAuth = value;
+            SetValue(nameof(RequireAuth), value);
+        }
+    }
+    string? _requireAuth;
+
+    internal RequireAuthMode RequireAuthModes { get; private set; }
+
+    internal static RequireAuthMode ParseAuthMode(string? value)
+    {
+        var modes = value?.Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
+        if (modes is not { Length: > 0 })
+            return RequireAuthMode.All;
+
+        var isNegative = false;
+        RequireAuthMode parsedModes = default;
+        for (var i = 0; i < modes.Length; i++)
+        {
+            var mode = modes[i];
+            var modeToParse = mode.AsSpan();
+            if (mode.StartsWith('!'))
+            {
+                if (i > 0 && !isNegative)
+                    throw new ArgumentException("Mixing both positive and negative authentication methods is not supported");
+
+                modeToParse = modeToParse.Slice(1);
+                isNegative = true;
+            }
+            else
+            {
+                if (i > 0 && isNegative)
+                    throw new ArgumentException("Mixing both positive and negative authentication methods is not supported");
+            }
+
+            // Explicitly disallow 'All' as libpq doesn't have it
+            if (!Enum.TryParse<RequireAuthMode>(modeToParse, out var parsedMode) || parsedMode == RequireAuthMode.All)
+                throw new ArgumentException($"Unable to parse authentication method \"{modeToParse}\"");
+
+            parsedModes |= parsedMode;
+        }
+
+        var allowedModes = isNegative
+            ? (RequireAuthMode)(RequireAuthMode.All - parsedModes)
+            : parsedModes;
+
+        if (allowedModes == default)
+            throw new ArgumentException($"No authentication method is allowed. Check \"{nameof(RequireAuth)}\" in connection string.");
+
+        return allowedModes;
+    }
+
     #endregion
 
     #region Properties - Pooling
@@ -1735,4 +1799,40 @@ enum ReplicationMode
     Logical
 }
 
+/// <summary>
+/// Specifies which authentication methods are supported.
+/// </summary>
+[Flags]
+enum RequireAuthMode
+{
+    /// <summary>
+    /// Plaintext password.
+    /// </summary>
+    Password = 1,
+    /// <summary>
+    /// MD5 hashed password.
+    /// </summary>
+    MD5 = 2,
+    /// <summary>
+    /// Kerberos.
+    /// </summary>
+    GSS = 4,
+    /// <summary>
+    /// Windows SSPI.
+    /// </summary>
+    SSPI = 8,
+    /// <summary>
+    /// SASL.
+    /// </summary>
+    ScramSHA256 = 16,
+    /// <summary>
+    /// No authentication exchange.
+    /// </summary>
+    None = 32,
+    /// <summary>
+    /// All authentication methods. For internal use.
+    /// </summary>
+    All = Password | MD5 | GSS | SSPI | ScramSHA256 | None
+}
+
 #endregion

src/Npgsql/PostgresEnvironment.cs

@@ -50,6 +50,8 @@ internal static string? SslCertRootDefault
 
     internal static string? SslNegotiation => Environment.GetEnvironmentVariable("PGSSLNEGOTIATION");
 
+    internal static string? RequireAuth => Environment.GetEnvironmentVariable("PGREQUIREAUTH");
+
     static string? GetHomeDir()
         => Environment.GetEnvironmentVariable(RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? "APPDATA" : "HOME");
 

src/Npgsql/PublicAPI.Unshipped.txt

@@ -3,6 +3,8 @@ abstract Npgsql.NpgsqlDataSource.Clear() -> void
 Npgsql.NpgsqlConnection.CloneWithAsync(string! connectionString, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask<Npgsql.NpgsqlConnection!>
 Npgsql.NpgsqlConnection.SslClientAuthenticationOptionsCallback.get -> System.Action<System.Net.Security.SslClientAuthenticationOptions!>?
 Npgsql.NpgsqlConnection.SslClientAuthenticationOptionsCallback.set -> void
+Npgsql.NpgsqlConnectionStringBuilder.RequireAuth.get -> string?
+Npgsql.NpgsqlConnectionStringBuilder.RequireAuth.set -> void
 Npgsql.NpgsqlConnectionStringBuilder.SslNegotiation.get -> Npgsql.SslNegotiation
 Npgsql.NpgsqlConnectionStringBuilder.SslNegotiation.set -> void
 Npgsql.NpgsqlDataSourceBuilder.ConfigureTypeLoading(System.Action<Npgsql.NpgsqlTypeLoadingOptionsBuilder!>! configureAction) -> Npgsql.NpgsqlDataSourceBuilder!

test/Npgsql.Tests/ConnectionTests.cs

@@ -1679,6 +1679,139 @@ public async Task PhysicalConnectionInitializer_disposes_connection()
 
     #endregion Physical connection initialization
 
+    #region Require auth
+
+    [Test]
+    public async Task Connect_with_any_auth()
+    {
+        await using var dataSource = CreateDataSource(csb =>
+        {
+            csb.RequireAuth = $"{RequireAuthMode.Password},{RequireAuthMode.MD5},{RequireAuthMode.GSS},{RequireAuthMode.SSPI},{RequireAuthMode.ScramSHA256},{RequireAuthMode.None}";
+        });
+        await using var conn = await dataSource.OpenConnectionAsync();
+    }
+
+    [Test]
+    [NonParallelizable] // Sets environment variable
+    public async Task Connect_with_any_auth_env()
+    {
+        using var _ = SetEnvironmentVariable("PGREQUIREAUTH", $"{RequireAuthMode.Password},{RequireAuthMode.MD5},{RequireAuthMode.GSS},{RequireAuthMode.SSPI},{RequireAuthMode.ScramSHA256},{RequireAuthMode.None}");
+        await using var dataSource = CreateDataSource();
+        await using var conn = await dataSource.OpenConnectionAsync();
+    }
+
+    [Test]
+    public async Task Connect_with_any_except_none_auth()
+    {
+        await using var dataSource = CreateDataSource(csb =>
+        {
+            csb.RequireAuth = $"!{RequireAuthMode.None}";
+        });
+        await using var conn = await dataSource.OpenConnectionAsync();
+    }
+
+    [Test]
+    [NonParallelizable] // Sets environment variable
+    public async Task Connect_with_any_except_none_auth_env()
+    {
+        using var _ = SetEnvironmentVariable("PGREQUIREAUTH", $"!{RequireAuthMode.None}");
+        await using var dataSource = CreateDataSource();
+        await using var conn = await dataSource.OpenConnectionAsync();
+    }
+
+    [Test]
+    public async Task Fail_connect_with_none_auth()
+    {
+        await using var dataSource = CreateDataSource(csb =>
+        {
+            csb.RequireAuth = $"{RequireAuthMode.None}";
+        });
+        var ex = Assert.ThrowsAsync<NpgsqlException>(async () => await dataSource.OpenConnectionAsync())!;
+        Assert.That(ex.Message, Does.Contain("authentication method is not allowed"));
+    }
+
+    [Test]
+    [NonParallelizable] // Sets environment variable
+    public async Task Fail_connect_with_none_auth_env()
+    {
+        using var _ = SetEnvironmentVariable("PGREQUIREAUTH", $"{RequireAuthMode.None}");
+        await using var dataSource = CreateDataSource();
+        var ex = Assert.ThrowsAsync<NpgsqlException>(async () => await dataSource.OpenConnectionAsync())!;
+        Assert.That(ex.Message, Does.Contain("authentication method is not allowed"));
+    }
+
+    [Test]
+    public async Task Connect_with_md5_auth()
+    {
+        await using var dataSource = CreateDataSource(csb =>
+        {
+            csb.RequireAuth = $"{RequireAuthMode.MD5}";
+        });
+        try
+        {
+            await using var conn = await dataSource.OpenConnectionAsync();
+        }
+        catch (Exception e) when (!IsOnBuildServer)
+        {
+            Console.WriteLine(e);
+            Assert.Ignore("MD5 authentication doesn't seem to be set up");
+        }
+    }
+
+    [Test]
+    [NonParallelizable] // Sets environment variable
+    public async Task Connect_with_md5_auth_env()
+    {
+        using var _ = SetEnvironmentVariable("PGREQUIREAUTH", $"{RequireAuthMode.MD5}");
+        await using var dataSource = CreateDataSource();
+        try
+        {
+            await using var conn = await dataSource.OpenConnectionAsync();
+        }
+        catch (Exception e) when (!IsOnBuildServer)
+        {
+            Console.WriteLine(e);
+            Assert.Ignore("MD5 authentication doesn't seem to be set up");
+        }
+    }
+
+    [Test]
+    public void Mixed_auth_methods_not_supported([Values(
+            $"{nameof(RequireAuthMode.ScramSHA256)},!{nameof(RequireAuthMode.None)}",
+            $"!{nameof(RequireAuthMode.ScramSHA256)},{nameof(RequireAuthMode.None)}")]
+            string authMethods)
+    {
+        var csb = new NpgsqlConnectionStringBuilder();
+        Assert.Throws<ArgumentException>(() => csb.RequireAuth = authMethods);
+    }
+
+    [Test]
+    public void Remove_all_auth_methods_throws()
+    {
+        var csb = new NpgsqlConnectionStringBuilder();
+        Assert.Throws<ArgumentException>(() =>
+            csb.RequireAuth = $"!{RequireAuthMode.Password},!{RequireAuthMode.MD5},!{RequireAuthMode.GSS},!{RequireAuthMode.SSPI},!{RequireAuthMode.ScramSHA256},!{RequireAuthMode.None}");
+    }
+
+    [Test]
+    public void Unknown_auth_method_throws()
+    {
+        var csb = new NpgsqlConnectionStringBuilder();
+        Assert.Throws<ArgumentException>(() => csb.RequireAuth = "SuperSecure");
+    }
+
+    [Test]
+    public void Auth_methods_are_trimmed()
+    {
+        var csb = new NpgsqlConnectionStringBuilder
+        {
+            RequireAuth = $"{RequireAuthMode.Password} , {RequireAuthMode.MD5}"
+        };
+        Assert.That(csb.RequireAuthModes, Is.EqualTo(RequireAuthMode.Password | RequireAuthMode.MD5));
+    }
+
+    #endregion Require auth
+
     [Test]
     [NonParallelizable] // Modifies global database info factories
     [IssueLink("https://github.com/npgsql/npgsql/issues/4425")]

test/Npgsql.Tests/SecurityTests.cs

@@ -13,27 +13,27 @@ namespace Npgsql.Tests;
 public class SecurityTests : TestBase
 {
     [Test, Description("Establishes an SSL connection, assuming a self-signed server certificate")]
-    public void Basic_ssl()
+    public async Task Basic_ssl()
     {
-        using var dataSource = CreateDataSource(csb =>
+        await using var dataSource = CreateDataSource(csb =>
         {
             csb.SslMode = SslMode.Require;
         });
-        using var conn = dataSource.OpenConnection();
+        await using var conn = await dataSource.OpenConnectionAsync();
         Assert.That(conn.IsSecure, Is.True);
     }
 
     [Test, Description("Default user must run with md5 password encryption")]
-    public void Default_user_uses_md5_password()
+    public async Task Default_user_uses_md5_password()
     {
         if (!IsOnBuildServer)
             Assert.Ignore("Only executed in CI");
 
-        using var dataSource = CreateDataSource(csb =>
+        await using var dataSource = CreateDataSource(csb =>
         {
             csb.SslMode = SslMode.Require;
         });
-        using var conn = dataSource.OpenConnection();
+        await using var conn = await dataSource.OpenConnectionAsync();
         Assert.That(conn.IsScram, Is.False);
         Assert.That(conn.IsScramPlus, Is.False);
     }