SASL / SCRAM-SHA-256 Authentication #6
I'm wondering: are there any tests in mongo_dart that could be ported too? This seems to be an awful lot of code that will go without testing...
It would be worth considering extracting the SASL and related logic into a separate library that could be used by multiple packages. Maybe @vadimtsushko or @giorgio would be interested in that?
I did write that part a while back and used test cases from the RFC IIRC, that test case was also used in the JS mongo implementation
Thanks a lot for the fast review. Sounds like a nice idea with the separate library, although I would propose the mongo-dart team to host the library, as they wrote the code, if they agree. @isoos I think you mean @giorgiofran. I'll have a look at these tests, if a separate lib isn't an option :) @Pacane thank you for your feedback on this!
A separate lib could be interesting. Please, consider that I have inherited this part, so I should analyze it before doing such a job. It would be nice if @Pacane could cooperate in this effort but I do not know if he has the time to do it.
I tested it and it works nice! Without it, I wasn't able to run some integration tests for sanity because we are in the middle of a migration to flutter 2 :) Thank you, you saved my life, +1 to merge
So, any takers for a separate library? @Pacane @giorgiofran @Gustl22?
I currently do not have enough time to create a separate package for this, however I can give some insight of how I'd implement it. As for the tests in mongo we just have an end-to-end test for this part. If we were to extract this into a separate package I'd probably try to make the algorithm generic enough so that one could pass a generic connection to the SaslAuthenticator/Conversation. The same effect could also be achieved by using closures in those classes to provide the mechanisms to talk to the DB/parse the results in order for the SaslAuthenticator to continue the SASL conversation. Any thoughts?
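The closure-based design suggested in the comment above, as an added example that is not code from this PR, mongo_dart or sasl_scram, written in Python rather than Dart so it runs on the standard library alone. The `send` closure and `replay_transport` helper are hypothetical names; the server replies are the RFC 7677 section 3 test exchange; ASCII credentials are assumed, so SASLprep is skipped.

```python
import base64
import hashlib
import hmac

# Server replies from the RFC 7677 section 3 example (user "user", password "pencil").
RFC7677_NONCE = "rOprNGfwEbeRWgbNEkqO"
RFC7677_REPLIES = [
    "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096",
    "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=",
]

def replay_transport(replies):
    """Hypothetical stand-in for a DB connection: records requests, replays replies."""
    sent, pending = [], iter(replies)
    def send(message: str) -> str:
        sent.append(message)
        return next(pending)
    return send, sent

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def scram_sha256_client(username, password, client_nonce, send):
    """Client side of SCRAM-SHA-256; returns the client-final-message it sent."""
    # Assumption: ASCII credentials, so only the RFC 5802 "=" and "," escaping is applied.
    user = username.replace("=", "=3D").replace(",", "=2C")
    first_bare = f"n={user},r={client_nonce}"
    server_first = send("n,," + first_bare)  # "n,," = no channel binding
    attrs = dict(part.split("=", 1) for part in server_first.split(","))
    if not attrs["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    final_bare = f"c=biws,r={attrs['r']}"  # biws = base64("n,,")
    auth_message = f"{first_bare},{server_first},{final_bare}".encode()
    signature = _hmac(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    client_final = f"{final_bare},p={base64.b64encode(proof).decode()}"
    server_final = send(client_final)
    # Mutual authentication: the server must prove knowledge of ServerKey.
    expected = b"v=" + base64.b64encode(_hmac(_hmac(salted, b"Server Key"), auth_message))
    if not hmac.compare_digest(server_final.encode(), expected):
        raise ValueError("server signature mismatch")
    return client_final
```

Because the conversation only sees `send`, the same function can be tested against a recorded exchange and then wired to a real wire protocol without changes.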
I can attempt to create a new lib and test it for postgres. But I would be glad, if someone (mongo-dart?) can host and maintain it then.
A new lib can be hosted on mongo-dart. I have not so much time to prepare a new repository. If you can prepare it, we will publish it.
Hey there, I now published a repo with the lib (and kept the git log from the related mongo_dart files). @Pacane I would be happy if you write your opinion on the implementation. I was not quite sure how to achieve it with I also uploaded my own tests and it worked e.g. with this config from node-postgres (see here). At xdg-go are more test cases available. @giorgiofran if you're happy with the repo, you could reupload the git repo without forking, then I'll delete my repo and we can improve the lib at Of course you can take your time and may also migrate / test for the mongo_dart lib.
I created the new repo:

    sasl_scram:
      git:
        url: "https://github.com/mongo-dart/sasl_scram.git"
        ref: main

I simply uploaded your work. To use the new package I needed to adapt the mongo_dart sources. I did some work this weekend, but I had no time to test either the changes or the new package. Maybe next w.e. I will find some time.
I think this looks great, many thanks to everyone who got involved and helped to make this new package happen! :) Once it gets published I'll be happy to merge and publish this too. @Gustl22: Could you please also update the
Sure, I'll update the log as soon as the lib is ready :) @giorgiofran Note that I've disabled the password digest, which may need another param in the authenticator in order to work in mongo-dart project.
@Gustl22 I have published the package.

    String username;
    if (specifyUsername) {
      username = 'n=${prepUsername(credential.username!)}';
    } else {
      username = 'n=*';
    }

I had to set a new parameter (optional, default 2nd client_first.dart

    String passwordDigest;
    if (passwordDigestResolver != null) {
      passwordDigest = passwordDigestResolver(credential);
    } else {
      passwordDigest = Saslprep.saslprep(credential.password!);
    }

Here again I use a specific function to calculate the password digest. The default is null, so for you almost nothing is changed.
@giorgiofran Thank you VERY much for attending and publishing the library! @isoos I've updated the Changelog, so this may get into the next release together with the other open PRs ;D
A few nits left, otherwise looks good to me!
All-in-all, I'm really happy about this change, but I want to do a quick final review tomorrow.
I think there is only one request left. Let me know if you don't have time for it, I can do it in a follow-up commit.
lib/src/connection.dart
Outdated
@@ -72,6 +74,9 @@ class PostgreSQLConnection extends Object | |||
/// Password for authenticating this connection. | |||
final String? password; | |||
|
|||
/// AuthenticationScheme for authenticating this connection. | |||
AuthenticationScheme authenticationScheme = AuthenticationScheme.SCRAM_SHA_256; |
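Review bot: the added `authenticationScheme` field is public and non-final, while `password` directly above it is `final`, so any caller can reassign the scheme on an existing connection object. Declare it `final` and set it from the constructor (or keep it private), and extend the doc comment to state that the default is `SCRAM_SHA_256`.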
I think there is no reason to make this mutable on the public API, and maybe, there is no need to expose it at all.
- Let's make this private: AuthenticationScheme _authenticationScheme = AuthenticationScheme.SCRAM_SHA_256;
- Let's pass this as an additional parameter to createAuthenticator, the only caller point will have access to the private field.
I think it depends: I don't know if there are actually auth mechanisms, where the user can decide which to use (e.g. md5 vs. plain text (?)). If not, then the authenticationScheme variable can be ditched totally and only work as param as the server communicates with the client which auth mechanism to choose.
You're always welcome to change the code in my PRs, no need to ask if you're sure about something :)
This is a great PR, thanks @Gustl22 for seeing it through, @giorgiofran and others to help with the SASL library!
Closes stablekernel/postgresql-dart#145
I used the code base from the mongo-dart project.
There are a few TODOs, but only to ensure the correctness of the code.