go-mysql-org
diff --git a/‎driver/driver_options_test.go‎
Lines changed: 3 additions & 3 deletions b/‎driver/driver_options_test.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎mysql/util.go‎
Lines changed: 4 additions & 3 deletions b/‎mysql/util.go‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎server/auth.go‎
Lines changed: 32 additions & 21 deletions b/‎server/auth.go‎
Lines changed: 32 additions & 21 deletions
diff --git a/‎server/auth_handler.go‎
Lines changed: 126 additions & 0 deletions b/‎server/auth_handler.go‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎server/auth_handler_test.go‎
Lines changed: 122 additions & 0 deletions b/‎server/auth_handler_test.go‎
Lines changed: 122 additions & 0 deletions
@@ -266,8 +266,8 @@ func TestDriverOptions_namedValueChecker(t *testing.T) {
 }
 
 func createMockServer(t *testing.T) *testServer {
-	inMemProvider := server.NewInMemoryProvider()
-	require.NoError(t, inMemProvider.AddUser(*testUser, *testPassword))
+	authHandler := server.NewInMemoryAuthenticationHandler()
+	require.NoError(t, authHandler.AddUser(*testUser, *testPassword))
 	defaultServer := server.NewDefaultServer()
 
 	l, err := net.Listen("tcp", "127.0.0.1:3307")
@@ -285,7 +285,7 @@ func createMockServer(t *testing.T) *testServer {
 			}
 
 			go func() {
-				co, err := s.NewCustomizedConn(conn, inMemProvider, handler)
+				co, err := s.NewCustomizedConn(conn, authHandler, handler)
 				if err != nil {
 					return
 				}
 
@@ -56,13 +56,14 @@ func CalcNativePassword(scramble, password []byte) []byte {
 	return Xor(scrambleHash, stage1)
 }
 
-// Xor modifies hash1 in-place with XOR against hash2
+// Xor returns a new slice with hash1 XOR hash2
 func Xor(hash1 []byte, hash2 []byte) []byte {
 	l := min(len(hash1), len(hash2))
+	result := make([]byte, l)
 	for i := range l {
-		hash1[i] ^= hash2[i]
+		result[i] = hash1[i] ^ hash2[i]
 	}
-	return hash1
+	return result
 }
 
 // hash_stage1 = xor(reply, sha1(public_seed, hash_stage2))
 
@@ -30,26 +30,25 @@ func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) err
 	return c.serverConf.authProvider.Authenticate(c, authPluginName, clientAuthData)
 }
 
-func (c *Conn) acquirePassword() error {
-	if c.credential.Password != "" {
+func (c *Conn) acquireCredential() error {
+	if len(c.credential.Passwords) > 0 {
 		return nil
 	}
-	credential, found, err := c.credentialProvider.GetCredential(c.user)
+	credential, found, err := c.authHandler.GetCredential(c.user)
 	if err != nil {
 		return err
 	}
-	if !found {
+	if !found || len(credential.Passwords) == 0 {
 		return mysql.NewDefaultError(mysql.ER_NO_SUCH_USER, c.user, c.RemoteAddr().String())
 	}
 	c.credential = credential
 	return nil
 }
 
 func errAccessDenied(credential Credential) error {
-	if credential.Password == "" {
+	if credential.HasEmptyPassword() {
 		return ErrAccessDeniedNoPassword
 	}
-
 	return ErrAccessDenied
 }
 
@@ -74,20 +73,26 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 }
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
-	password, err := mysql.DecodePasswordHex(c.credential.Password)
-	if err != nil {
-		return errAccessDenied(credential)
-	}
-	if mysql.CompareNativePassword(clientAuthData, password, c.salt) {
-		return nil
+	for _, password := range credential.Passwords {
+		hash, err := credential.HashPassword(password)
+		if err != nil {
+			continue
+		}
+		decoded, err := mysql.DecodePasswordHex(hash)
+		if err != nil {
+			continue
+		}
+		if mysql.CompareNativePassword(clientAuthData, decoded, c.salt) {
+			return nil
+		}
 	}
 	return errAccessDenied(credential)
 }
 
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {
 	// Empty passwords are not hashed, but sent as empty string
 	if len(clientAuthData) == 0 {
-		if credential.Password == "" {
+		if credential.HasEmptyPassword() {
 			return nil
 		}
 		return ErrAccessDenied
@@ -113,20 +118,26 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 			clientAuthData = clientAuthData[:l-1]
 		}
 	}
-	check, err := mysql.Check256HashingPassword([]byte(credential.Password), string(clientAuthData))
-	if err != nil {
-		return err
-	}
-	if check {
-		return nil
+	for _, password := range credential.Passwords {
+		hash, err := credential.HashPassword(password)
+		if err != nil {
+			continue
+		}
+		check, err := mysql.Check256HashingPassword([]byte(hash), string(clientAuthData))
+		if err != nil {
+			continue
+		}
+		if check {
+			return nil
+		}
 	}
-	return ErrAccessDenied
+	return errAccessDenied(credential)
 }
 
 func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
 	// Empty passwords are not hashed, but sent as empty string
 	if len(clientAuthData) == 0 {
-		if c.credential.Password == "" {
+		if c.credential.HasEmptyPassword() {
 			return nil
 		}
 		return ErrAccessDenied
 
@@ -0,0 +1,126 @@
+package server
+
+import (
+	"sync"
+
+	"github.com/go-mysql-org/go-mysql/mysql"
+	"github.com/pingcap/errors"
+	"github.com/pingcap/tidb/pkg/parser/auth"
+)
+
+// AuthenticationHandler provides user credentials and authentication lifecycle hooks.
+//
+// # Important Note
+//
+// if the password in a third-party auth handler could be updated at runtime, we have to invalidate the caching
+// for 'caching_sha2_password' by calling 'func (s *Server)InvalidateCache(string, string)'.
+type AuthenticationHandler interface {
+	// get user credential (supports multiple valid passwords per user)
+	GetCredential(username string) (credential Credential, found bool, err error)
+
+	// OnAuthSuccess is called after successful authentication, before the OK packet.
+	// Return an error to reject the connection (error will be sent to client instead of OK).
+	// Return nil to proceed with sending the OK packet.
+	OnAuthSuccess(conn *Conn) error
+
+	// OnAuthFailure is called after authentication fails, before the error packet.
+	// This is informational only - the connection will be closed regardless.
+	OnAuthFailure(conn *Conn, err error)
+}
+
+func NewInMemoryAuthenticationHandler(defaultAuthMethod ...string) *InMemoryAuthenticationHandler {
+	d := mysql.AUTH_CACHING_SHA2_PASSWORD
+	if len(defaultAuthMethod) > 0 {
+		d = defaultAuthMethod[0]
+	}
+	return &InMemoryAuthenticationHandler{
+		userPool:          sync.Map{},
+		defaultAuthMethod: d,
+	}
+}
+
+type Credential struct {
+	Passwords      []string // raw passwords, hashed on demand during comparison
+	AuthPluginName string
+}
+
+// HashPassword computes the password hash for a given password using the credential's auth plugin.
+func (c Credential) HashPassword(password string) (string, error) {
+	if password == "" {
+		return "", nil
+	}
+
+	switch c.AuthPluginName {
+	case mysql.AUTH_NATIVE_PASSWORD:
+		return mysql.EncodePasswordHex(mysql.NativePasswordHash([]byte(password))), nil
+
+	case mysql.AUTH_CACHING_SHA2_PASSWORD:
+		return auth.NewHashPassword(password, mysql.AUTH_CACHING_SHA2_PASSWORD), nil
+
+	case mysql.AUTH_SHA256_PASSWORD:
+		return mysql.NewSha256PasswordHash(password)
+
+	case mysql.AUTH_CLEAR_PASSWORD:
+		return password, nil
+
+	default:
+		return "", errors.Errorf("unknown authentication plugin name '%s'", c.AuthPluginName)
+	}
+}
+
+// HasEmptyPassword returns true if any password in the credential is empty.
+func (c Credential) HasEmptyPassword() bool {
+	for _, p := range c.Passwords {
+		if p == "" {
+			return true
+		}
+	}
+	return false
+}
+
+// InMemoryAuthenticationHandler implements AuthenticationHandler with in-memory credential storage.
+type InMemoryAuthenticationHandler struct {
+	userPool          sync.Map // username -> Credential
+	defaultAuthMethod string
+}
+
+func (h *InMemoryAuthenticationHandler) CheckUsername(username string) (found bool, err error) {
+	_, ok := h.userPool.Load(username)
+	return ok, nil
+}
+
+func (h *InMemoryAuthenticationHandler) GetCredential(username string) (credential Credential, found bool, err error) {
+	v, ok := h.userPool.Load(username)
+	if !ok {
+		return Credential{}, false, nil
+	}
+	c, valid := v.(Credential)
+	if !valid {
+		return Credential{}, true, errors.Errorf("invalid credential")
+	}
+	return c, true, nil
+}
+
+func (h *InMemoryAuthenticationHandler) AddUser(username, password string, optionalAuthPluginName ...string) error {
+	authPluginName := h.defaultAuthMethod
+	if len(optionalAuthPluginName) > 0 {
+		authPluginName = optionalAuthPluginName[0]
+	}
+
+	if !isAuthMethodSupported(authPluginName) {
+		return errors.Errorf("unknown authentication plugin name '%s'", authPluginName)
+	}
+
+	h.userPool.Store(username, Credential{
+		Passwords:      []string{password},
+		AuthPluginName: authPluginName,
+	})
+	return nil
+}
+
+func (h *InMemoryAuthenticationHandler) OnAuthSuccess(conn *Conn) error {
+	return nil
+}
+
+func (h *InMemoryAuthenticationHandler) OnAuthFailure(conn *Conn, err error) {
+}
@@ -0,0 +1,122 @@
+package server
+
+import (
+	"database/sql"
+	"net"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/go-mysql-org/go-mysql/mysql"
+	"github.com/pingcap/errors"
+	"github.com/stretchr/testify/require"
+)
+
+type hookTrackingAuthenticationHandler struct {
+	*InMemoryAuthenticationHandler
+	onSuccessCalled atomic.Int32
+	onFailureCalled atomic.Int32
+	rejectOnSuccess bool
+}
+
+func (h *hookTrackingAuthenticationHandler) OnAuthSuccess(conn *Conn) error {
+	h.onSuccessCalled.Add(1)
+	if h.rejectOnSuccess {
+		return errors.New("connection rejected by policy")
+	}
+	return nil
+}
+
+func (h *hookTrackingAuthenticationHandler) OnAuthFailure(conn *Conn, err error) {
+	h.onFailureCalled.Add(1)
+}
+
+func TestOnAuthSuccessCalled(t *testing.T) {
+	handler := &hookTrackingAuthenticationHandler{
+		InMemoryAuthenticationHandler: NewInMemoryAuthenticationHandler(mysql.AUTH_NATIVE_PASSWORD),
+	}
+	require.NoError(t, handler.AddUser("testuser", "testpass"))
+
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer l.Close()
+
+	go func() {
+		conn, _ := l.Accept()
+		co, _ := NewDefaultServer().NewCustomizedConn(conn, handler, &EmptyHandler{})
+		if co != nil {
+			for co.HandleCommand() == nil {
+			}
+		}
+	}()
+
+	db, err := sql.Open("mysql", "testuser:testpass@tcp("+l.Addr().String()+")/test")
+	require.NoError(t, err)
+	defer db.Close()
+	db.SetConnMaxLifetime(time.Second)
+
+	require.NoError(t, db.Ping())
+	require.Equal(t, int32(1), handler.onSuccessCalled.Load())
+	require.Equal(t, int32(0), handler.onFailureCalled.Load())
+}
+
+func TestOnAuthSuccessCanReject(t *testing.T) {
+	handler := &hookTrackingAuthenticationHandler{
+		InMemoryAuthenticationHandler: NewInMemoryAuthenticationHandler(mysql.AUTH_NATIVE_PASSWORD),
+		rejectOnSuccess:     true,
+	}
+	require.NoError(t, handler.AddUser("testuser", "testpass"))
+
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer l.Close()
+
+	go func() {
+		conn, _ := l.Accept()
+		co, _ := NewDefaultServer().NewCustomizedConn(conn, handler, &EmptyHandler{})
+		if co != nil {
+			for co.HandleCommand() == nil {
+			}
+		}
+	}()
+
+	db, err := sql.Open("mysql", "testuser:testpass@tcp("+l.Addr().String()+")/test")
+	require.NoError(t, err)
+	defer db.Close()
+	db.SetConnMaxLifetime(time.Second)
+
+	err = db.Ping()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "connection rejected by policy")
+	require.Equal(t, int32(1), handler.onSuccessCalled.Load())
+}
+
+func TestOnAuthFailureCalled(t *testing.T) {
+	handler := &hookTrackingAuthenticationHandler{
+		InMemoryAuthenticationHandler: NewInMemoryAuthenticationHandler(mysql.AUTH_NATIVE_PASSWORD),
+	}
+	require.NoError(t, handler.AddUser("testuser", "testpass"))
+
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer l.Close()
+
+	go func() {
+		conn, _ := l.Accept()
+		co, _ := NewDefaultServer().NewCustomizedConn(conn, handler, &EmptyHandler{})
+		if co != nil {
+			for co.HandleCommand() == nil {
+			}
+		}
+	}()
+
+	db, err := sql.Open("mysql", "testuser:wrongpass@tcp("+l.Addr().String()+")/test")
+	require.NoError(t, err)
+	defer db.Close()
+	db.SetConnMaxLifetime(time.Second)
+
+	require.Error(t, db.Ping())
+	require.Equal(t, int32(0), handler.onSuccessCalled.Load())
+	require.Equal(t, int32(1), handler.onFailureCalled.Load())
+}
Original file line number	Diff line number	Diff line change
`@@ -266,8 +266,8 @@ func TestDriverOptions_namedValueChecker(t *testing.T) {`
`266`	`266`	`}`
`267`	`267`
`268`	`268`	`func createMockServer(t testing.T) testServer {`
`269`		`- inMemProvider := server.NewInMemoryProvider()`
`270`		`- require.NoError(t, inMemProvider.AddUser(testUser, testPassword))`
	`269`	`+ authHandler := server.NewInMemoryAuthenticationHandler()`
	`270`	`+ require.NoError(t, authHandler.AddUser(testUser, testPassword))`
`271`	`271`	`defaultServer := server.NewDefaultServer()`
`272`	`272`
`273`	`273`	`l, err := net.Listen("tcp", "127.0.0.1:3307")`
`@@ -285,7 +285,7 @@ func createMockServer(t testing.T) testServer {`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`go func() {`
`288`		`- co, err := s.NewCustomizedConn(conn, inMemProvider, handler)`
	`288`	`+ co, err := s.NewCustomizedConn(conn, authHandler, handler)`
`289`	`289`	`if err != nil {`
`290`	`290`	`return`
`291`	`291`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,13 +56,14 @@ func CalcNativePassword(scramble, password []byte) []byte {`
`56`	`56`	`return Xor(scrambleHash, stage1)`
`57`	`57`	`}`
`58`	`58`
`59`		`-// Xor modifies hash1 in-place with XOR against hash2`
	`59`	`+// Xor returns a new slice with hash1 XOR hash2`
`60`	`60`	`func Xor(hash1 []byte, hash2 []byte) []byte {`
`61`	`61`	`l := min(len(hash1), len(hash2))`
	`62`	`+ result := make([]byte, l)`
`62`	`63`	`for i := range l {`
`63`		`- hash1[i] ^= hash2[i]`
	`64`	`+ result[i] = hash1[i] ^ hash2[i]`
`64`	`65`	`}`
`65`		`- return hash1`
	`66`	`+ return result`
`66`	`67`	`}`
`67`	`68`
`68`	`69`	`// hash_stage1 = xor(reply, sha1(public_seed, hash_stage2))`