api: add pap-sha256 auth support

The authentication method works only with Tarantool EE [1].

1. tarantool/enterprise_doc#206

Closes #243

Author: oleg-jukovec

.github/workflows/testing.yml

@@ -116,13 +116,16 @@ jobs:
       fail-fast: false
       matrix:
         sdk-version:
-          - '1.10.11-0-gf0b0e7ecf-r470'
-          - '2.8.3-21-g7d35cd2be-r470'
+          - 'bundle-1.10.11-0-gf0b0e7ecf-r470'
         coveralls: [false]
         fuzzing: [false]
         ssl: [false]
         include:
-          - sdk-version: '2.10.0-1-gfa775b383-r486-linux-x86_64'
+          - sdk-version: 'bundle-2.10.0-1-gfa775b383-r486-linux-x86_64'
+            coveralls: false
+            ssl: true
+          - sdk-path: 'dev/linux/x86_64/master/'
+            sdk-version: 'sdk-gc64-2.11.0-entrypoint-113-g803baaffe-r529.linux.x86_64'
             coveralls: true
             ssl: true
 
@@ -141,8 +144,8 @@ jobs:
 
       - name: Setup Tarantool ${{ matrix.sdk-version }}
         run: |
-          ARCHIVE_NAME=tarantool-enterprise-bundle-${{ matrix.sdk-version }}.tar.gz
-          curl -O -L https://${{ secrets.SDK_DOWNLOAD_TOKEN }}@download.tarantool.io/enterprise/${ARCHIVE_NAME}
+          ARCHIVE_NAME=tarantool-enterprise-${{ matrix.sdk-version }}.tar.gz
+          curl -O -L https://${{ secrets.SDK_DOWNLOAD_TOKEN }}@download.tarantool.io/enterprise/${{ matrix.sdk-path }}${ARCHIVE_NAME}
           tar -xzf ${ARCHIVE_NAME}
           rm -f ${ARCHIVE_NAME}
 

CHANGELOG.md

@@ -15,6 +15,7 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - Error type support in MessagePack (#209)
 - Event subscription support (#119)
 - Session settings support (#215)
+- pap-sha256 authorization method support (Tarantool EE feature) (#243)
 
 ### Changed
 

auth.go

@@ -3,8 +3,46 @@ package tarantool
 import (
 	"crypto/sha1"
 	"encoding/base64"
+	"fmt"
 )
 
+const (
+	chapSha1  = "chap-sha1"
+	papSha256 = "pap-sha256"
+)
+
+// Auth is used as a parameter to set up an authentication method.
+type Auth int
+
+const (
+	// AutoAuth does not force any authentication method. A method will be
+	// selected automatically (a value from IPROTO_ID response or
+	// ChapSha1Auth).
+	AutoAuth Auth = iota
+	// ChapSha1Auth forces chap-sha1 authentication method. The method is
+	// available both in the Tarantool Community Edition (CE) and the
+	// Tarantool Enterprise Edition (EE)
+	ChapSha1Auth
+	// PapSha256Auth forces pap-sha256 authentication method. The method is
+	// available only for the Tarantool Enterprise Edition (EE) with
+	// SSL transport.
+	PapSha256Auth
+)
+
+// String returns a string representation of an authentication method.
+func (a Auth) String() string {
+	switch a {
+	case AutoAuth:
+		return "auto"
+	case ChapSha1Auth:
+		return chapSha1
+	case PapSha256Auth:
+		return papSha256
+	default:
+		return fmt.Sprintf("unknown auth type (code %d)", a)
+	}
+}
+
 func scramble(encodedSalt, pass string) (scramble []byte, err error) {
 	/* ==================================================================
 		According to: http://tarantool.org/doc/dev_guide/box-protocol.html

auth_test.go

@@ -0,0 +1,28 @@
+package tarantool_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	. "github.com/tarantool/go-tarantool"
+)
+
+func TestAuth_String(t *testing.T) {
+	unknownId := int(PapSha256Auth) + 1
+	tests := []struct {
+		auth     Auth
+		expected string
+	}{
+		{AutoAuth, "auto"},
+		{ChapSha1Auth, "chap-sha1"},
+		{PapSha256Auth, "pap-sha256"},
+		{Auth(unknownId), fmt.Sprintf("unknown auth type (code %d)", unknownId)},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.expected, func(t *testing.T) {
+			assert.Equal(t, tc.auth.String(), tc.expected)
+		})
+	}
+}

config.lua

@@ -1,6 +1,12 @@
 -- Do not set listen for now so connector won't be
 -- able to send requests until everything is configured.
+local auth_type = os.getenv("TEST_TNT_AUTH_TYPE")
+if auth_type == "auto" then
+    auth_type = nil
+end
+
 box.cfg{
+    auth_type = auth_type,
     work_dir = os.getenv("TEST_TNT_WORK_DIR"),
     memtx_use_mvcc_engine = os.getenv("TEST_TNT_MEMTX_USE_MVCC_ENGINE") == 'true' or nil,
 }
@@ -267,5 +273,6 @@ box.space.test:truncate()
 
 -- Set listen only when every other thing is configured.
 box.cfg{
+    auth_type = auth_type,
     listen = os.getenv("TEST_TNT_LISTEN"),
 }

connection.go

@@ -226,6 +226,8 @@ type Greeting struct {
 
 // Opts is a way to configure Connection
 type Opts struct {
+	// Auth is an authentication method.
+	Auth Auth
 	// Timeout for response to a particular request. The timeout is reset when
 	// push messages are received. If Timeout is zero, any request can be
 	// blocked infinitely.
@@ -546,19 +548,40 @@ func (conn *Connection) dial() (err error) {
 
 	// Auth.
 	if opts.User != "" {
-		scr, err := scramble(conn.Greeting.auth, opts.Pass)
-		if err != nil {
-			err = errors.New("auth: scrambling failure " + err.Error())
+		auth := opts.Auth
+		if opts.Auth == AutoAuth {
+			if conn.serverProtocolInfo.Auth != AutoAuth {
+				auth = conn.serverProtocolInfo.Auth
+			} else {
+				auth = ChapSha1Auth
+			}
+		}
+
+		var req Request
+		if auth == ChapSha1Auth {
+			salt := conn.Greeting.auth
+			req, err = newChapSha1AuthRequest(conn.opts.User, salt, opts.Pass)
+			if err != nil {
+				return fmt.Errorf("auth: %w", err)
+			}
+		} else if auth == PapSha256Auth {
+			if opts.Transport != connTransportSsl {
+				return errors.New("auth: forbidden to use " + auth.String() +
+					" unless SSL is enabled for the connection")
+			}
+			req = newPapSha256AuthRequest(conn.opts.User, opts.Pass)
+		} else {
 			connection.Close()
-			return err
+			return errors.New("auth: " + auth.String())
 		}
-		if err = conn.writeAuthRequest(w, scr); err != nil {
+
+		if err = conn.writeRequest(w, req); err != nil {
 			connection.Close()
-			return err
+			return fmt.Errorf("auth: %w", err)
 		}
-		if err = conn.readAuthResponse(r); err != nil {
+		if _, err = conn.readResponse(r); err != nil {
 			connection.Close()
-			return err
+			return fmt.Errorf("auth: %w", err)
 		}
 	}
 
@@ -662,28 +685,6 @@ func (conn *Connection) writeRequest(w *bufio.Writer, req Request) error {
 	return err
 }
 
-func (conn *Connection) writeAuthRequest(w *bufio.Writer, scramble []byte) error {
-	req := newAuthRequest(conn.opts.User, string(scramble))
-
-	err := conn.writeRequest(w, req)
-	if err != nil {
-		return fmt.Errorf("auth: %w", err)
-	}
-
-	return nil
-}
-
-func (conn *Connection) writeIdRequest(w *bufio.Writer, protocolInfo ProtocolInfo) error {
-	req := NewIdRequest(protocolInfo)
-
-	err := conn.writeRequest(w, req)
-	if err != nil {
-		return fmt.Errorf("identify: %w", err)
-	}
-
-	return nil
-}
-
 func (conn *Connection) readResponse(r io.Reader) (Response, error) {
 	respBytes, err := conn.read(r)
 	if err != nil {
@@ -707,24 +708,6 @@ func (conn *Connection) readResponse(r io.Reader) (Response, error) {
 	return resp, nil
 }
 
-func (conn *Connection) readAuthResponse(r io.Reader) error {
-	_, err := conn.readResponse(r)
-	if err != nil {
-		return fmt.Errorf("auth: %w", err)
-	}
-
-	return nil
-}
-
-func (conn *Connection) readIdResponse(r io.Reader) (Response, error) {
-	resp, err := conn.readResponse(r)
-	if err != nil {
-		return resp, fmt.Errorf("identify: %w", err)
-	}
-
-	return resp, nil
-}
-
 func (conn *Connection) createConnection(reconnect bool) (err error) {
 	var reconnects uint
 	for conn.c == nil && conn.state == connDisconnected {
@@ -1625,19 +1608,20 @@ func checkProtocolInfo(expected ProtocolInfo, actual ProtocolInfo) error {
 func (conn *Connection) identify(w *bufio.Writer, r *bufio.Reader) error {
 	var ok bool
 
-	werr := conn.writeIdRequest(w, clientProtocolInfo)
+	req := NewIdRequest(clientProtocolInfo)
+	werr := conn.writeRequest(w, req)
 	if werr != nil {
-		return werr
+		return fmt.Errorf("identify: %w", werr)
 	}
 
-	resp, rerr := conn.readIdResponse(r)
+	resp, rerr := conn.readResponse(r)
 	if rerr != nil {
 		if resp.Code == ErrUnknownRequestType {
 			// IPROTO_ID requests are not supported by server.
 			return nil
 		}
 
-		return rerr
+		return fmt.Errorf("identify: %w", rerr)
 	}
 
 	if len(resp.Data) == 0 {
@@ -1664,5 +1648,7 @@ func (conn *Connection) ServerProtocolInfo() ProtocolInfo {
 // supported by Go connection client.
 // Since 1.10.0
 func (conn *Connection) ClientProtocolInfo() ProtocolInfo {
-	return clientProtocolInfo.Clone()
+	info := clientProtocolInfo.Clone()
+	info.Auth = conn.opts.Auth
+	return info
 }

const.go

@@ -51,6 +51,7 @@ const (
 	KeyEvent        = 0x57
 	KeyEventData    = 0x58
 	KeyTxnIsolation = 0x59
+	KeyAuthType     = 0x5b
 
 	KeyFieldName               = 0x00
 	KeyFieldType               = 0x01

protocol.go

@@ -13,6 +13,8 @@ type ProtocolFeature uint64
 
 // ProtocolInfo type aggregates Tarantool protocol version and features info.
 type ProtocolInfo struct {
+	// Auth is an authentication method.
+	Auth Auth
 	// Version is the supported protocol version.
 	Version ProtocolVersion
 	// Features are supported protocol features.

request.go

@@ -3,6 +3,7 @@ package tarantool
 import (
 	"context"
 	"errors"
+	"fmt"
 	"reflect"
 	"strings"
 	"sync"
@@ -591,22 +592,38 @@ func (req *spaceIndexRequest) setIndex(index interface{}) {
 
 type authRequest struct {
 	baseRequest
-	user, scramble string
+	auth       Auth
+	user, pass string
 }
 
-func newAuthRequest(user, scramble string) *authRequest {
+func newChapSha1AuthRequest(user, salt, password string) (*authRequest, error) {
+	scr, err := scramble(salt, password)
+	if err != nil {
+		return nil, fmt.Errorf("scrambling failure: %w", err)
+	}
+
+	req := new(authRequest)
+	req.requestCode = AuthRequestCode
+	req.auth = ChapSha1Auth
+	req.user = user
+	req.pass = string(scr)
+	return req, nil
+}
+
+func newPapSha256AuthRequest(user, password string) *authRequest {
 	req := new(authRequest)
 	req.requestCode = AuthRequestCode
+	req.auth = PapSha256Auth
 	req.user = user
-	req.scramble = scramble
+	req.pass = password
 	return req
 }
 
 // Body fills an encoder with the auth request body.
 func (req *authRequest) Body(res SchemaResolver, enc *encoder) error {
 	return enc.Encode(map[uint32]interface{}{
 		KeyUserName: req.user,
-		KeyTuple:    []interface{}{string("chap-sha1"), string(req.scramble)},
+		KeyTuple:    []interface{}{req.auth.String(), req.pass},
 	})
 }
 

response.go

@@ -213,6 +213,21 @@ func (resp *Response) decodeBody() (err error) {
 					}
 					serverProtocolInfo.Features[i] = feature
 				}
+			case KeyAuthType:
+				var auth string
+				if auth, err = d.DecodeString(); err != nil {
+					return err
+				}
+				found := false
+				for _, a := range [...]Auth{ChapSha1Auth, PapSha256Auth} {
+					if auth == a.String() {
+						serverProtocolInfo.Auth = a
+						found = true
+					}
+				}
+				if !found {
+					return fmt.Errorf("unknown auth type %s", auth)
+				}
 			default:
 				if err = d.Skip(); err != nil {
 					return err