tarantool · oleg-jukovec · Dec 28, 2022 · Dec 21, 2022 · Dec 21, 2022
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -116,13 +116,16 @@ jobs:
       fail-fast: false
       matrix:
         sdk-version:
-          - '1.10.11-0-gf0b0e7ecf-r470'
-          - '2.8.3-21-g7d35cd2be-r470'
+          - 'bundle-1.10.11-0-gf0b0e7ecf-r470'
         coveralls: [false]
         fuzzing: [false]
         ssl: [false]
         include:
-          - sdk-version: '2.10.0-1-gfa775b383-r486-linux-x86_64'
+          - sdk-version: 'bundle-2.10.0-1-gfa775b383-r486-linux-x86_64'
+            coveralls: false
+            ssl: true
+          - sdk-path: 'dev/linux/x86_64/master/'
+            sdk-version: 'sdk-gc64-2.11.0-entrypoint-113-g803baaffe-r529.linux.x86_64'
             coveralls: true
             ssl: true
 
@@ -141,8 +144,8 @@ jobs:
 
       - name: Setup Tarantool ${{ matrix.sdk-version }}
         run: |
-          ARCHIVE_NAME=tarantool-enterprise-bundle-${{ matrix.sdk-version }}.tar.gz
-          curl -O -L https://${{ secrets.SDK_DOWNLOAD_TOKEN }}@download.tarantool.io/enterprise/${ARCHIVE_NAME}
+          ARCHIVE_NAME=tarantool-enterprise-${{ matrix.sdk-version }}.tar.gz
+          curl -O -L https://${{ secrets.SDK_DOWNLOAD_TOKEN }}@download.tarantool.io/enterprise/${{ matrix.sdk-path }}${ARCHIVE_NAME}
           tar -xzf ${ARCHIVE_NAME}
           rm -f ${ARCHIVE_NAME}
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - Error type support in MessagePack (#209)
 - Event subscription support (#119)
 - Session settings support (#215)
+- pap-sha256 authorization method support (Tarantool EE feature) (#243)
 
 ### Changed
 

diff --git a/auth.go b/auth.go
@@ -3,8 +3,46 @@ package tarantool
 import (
 	"crypto/sha1"
 	"encoding/base64"
+	"fmt"
 )
 
+const (
+	chapSha1  = "chap-sha1"
+	papSha256 = "pap-sha256"
+)
+
+// Auth is used as a parameter to set up an authentication method.
+type Auth int
+
+const (
+	// AutoAuth does not force any authentication method. A method will be
+	// selected automatically (a value from IPROTO_ID response or
+	// ChapSha1Auth).
+	AutoAuth Auth = iota
+	// ChapSha1Auth forces chap-sha1 authentication method. The method is
+	// available both in the Tarantool Community Edition (CE) and the
+	// Tarantool Enterprise Edition (EE)
+	ChapSha1Auth
+	// PapSha256Auth forces pap-sha256 authentication method. The method is
+	// available only for the Tarantool Enterprise Edition (EE) with
+	// SSL transport.
+	PapSha256Auth
+)
+
+// String returns a string representation of an authentication method.
+func (a Auth) String() string {
+	switch a {
+	case AutoAuth:
+		return "auto"
+	case ChapSha1Auth:
+		return chapSha1
+	case PapSha256Auth:
+		return papSha256
+	default:
+		return fmt.Sprintf("unknown auth type (code %d)", a)
+	}
+}
+
 func scramble(encodedSalt, pass string) (scramble []byte, err error) {
 	/* ==================================================================
 		According to: http://tarantool.org/doc/dev_guide/box-protocol.html

diff --git a/auth_test.go b/auth_test.go
@@ -0,0 +1,28 @@
+package tarantool_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	. "github.com/tarantool/go-tarantool"
+)
+
+func TestAuth_String(t *testing.T) {
+	unknownId := int(PapSha256Auth) + 1
+	tests := []struct {
+		auth     Auth
+		expected string
+	}{
+		{AutoAuth, "auto"},
+		{ChapSha1Auth, "chap-sha1"},
+		{PapSha256Auth, "pap-sha256"},
+		{Auth(unknownId), fmt.Sprintf("unknown auth type (code %d)", unknownId)},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.expected, func(t *testing.T) {
+			assert.Equal(t, tc.auth.String(), tc.expected)
+		})
+	}
+}
diff --git a/config.lua b/config.lua
@@ -1,6 +1,12 @@
 -- Do not set listen for now so connector won't be
 -- able to send requests until everything is configured.
+local auth_type = os.getenv("TEST_TNT_AUTH_TYPE")
+if auth_type == "auto" then
+    auth_type = nil
+end
+
 box.cfg{
+    auth_type = auth_type,
     work_dir = os.getenv("TEST_TNT_WORK_DIR"),
     memtx_use_mvcc_engine = os.getenv("TEST_TNT_MEMTX_USE_MVCC_ENGINE") == 'true' or nil,
 }
@@ -267,5 +273,6 @@ box.space.test:truncate()
 
 -- Set listen only when every other thing is configured.
 box.cfg{
+    auth_type = auth_type,
     listen = os.getenv("TEST_TNT_LISTEN"),
 }
diff --git a/connection.go b/connection.go
@@ -226,6 +226,8 @@ type Greeting struct {
 
 // Opts is a way to configure Connection
 type Opts struct {
+	// Auth is an authentication method.
+	Auth Auth
 	// Timeout for response to a particular request. The timeout is reset when
 	// push messages are received. If Timeout is zero, any request can be
 	// blocked infinitely.
@@ -546,19 +548,40 @@ func (conn *Connection) dial() (err error) {
 
 	// Auth.
 	if opts.User != "" {
-		scr, err := scramble(conn.Greeting.auth, opts.Pass)
-		if err != nil {
-			err = errors.New("auth: scrambling failure " + err.Error())
+		auth := opts.Auth
+		if opts.Auth == AutoAuth {
+			if conn.serverProtocolInfo.Auth != AutoAuth {
+				auth = conn.serverProtocolInfo.Auth
+			} else {
+				auth = ChapSha1Auth
+			}
+		}
+
+		var req Request
+		if auth == ChapSha1Auth {
+			salt := conn.Greeting.auth
+			req, err = newChapSha1AuthRequest(conn.opts.User, salt, opts.Pass)
+			if err != nil {
+				return fmt.Errorf("auth: %w", err)
+			}
+		} else if auth == PapSha256Auth {
+			if opts.Transport != connTransportSsl {
+				return errors.New("auth: forbidden to use " + auth.String() +
+					" unless SSL is enabled for the connection")
+			}
+			req = newPapSha256AuthRequest(conn.opts.User, opts.Pass)
+		} else {
 			connection.Close()
-			return err
+			return errors.New("auth: " + auth.String())
 		}
-		if err = conn.writeAuthRequest(w, scr); err != nil {
+
+		if err = conn.writeRequest(w, req); err != nil {
 			connection.Close()
-			return err
+			return fmt.Errorf("auth: %w", err)
 		}
-		if err = conn.readAuthResponse(r); err != nil {
+		if _, err = conn.readResponse(r); err != nil {
 			connection.Close()
-			return err
+			return fmt.Errorf("auth: %w", err)
 		}
 	}
 
@@ -662,28 +685,6 @@ func (conn *Connection) writeRequest(w *bufio.Writer, req Request) error {
 	return err
 }
 
-func (conn *Connection) writeAuthRequest(w *bufio.Writer, scramble []byte) error {
-	req := newAuthRequest(conn.opts.User, string(scramble))
-
-	err := conn.writeRequest(w, req)
-	if err != nil {
-		return fmt.Errorf("auth: %w", err)
-	}
-
-	return nil
-}
-
-func (conn *Connection) writeIdRequest(w *bufio.Writer, protocolInfo ProtocolInfo) error {
-	req := NewIdRequest(protocolInfo)
-
-	err := conn.writeRequest(w, req)
-	if err != nil {
-		return fmt.Errorf("identify: %w", err)
-	}
-
-	return nil
-}
-
 func (conn *Connection) readResponse(r io.Reader) (Response, error) {
 	respBytes, err := conn.read(r)
 	if err != nil {
@@ -707,24 +708,6 @@ func (conn *Connection) readResponse(r io.Reader) (Response, error) {
 	return resp, nil
 }
 
-func (conn *Connection) readAuthResponse(r io.Reader) error {
-	_, err := conn.readResponse(r)
-	if err != nil {
-		return fmt.Errorf("auth: %w", err)
-	}
-
-	return nil
-}
-
-func (conn *Connection) readIdResponse(r io.Reader) (Response, error) {
-	resp, err := conn.readResponse(r)
-	if err != nil {
-		return resp, fmt.Errorf("identify: %w", err)
-	}
-
-	return resp, nil
-}
-
 func (conn *Connection) createConnection(reconnect bool) (err error) {
 	var reconnects uint
 	for conn.c == nil && conn.state == connDisconnected {
@@ -1625,19 +1608,20 @@ func checkProtocolInfo(expected ProtocolInfo, actual ProtocolInfo) error {
 func (conn *Connection) identify(w *bufio.Writer, r *bufio.Reader) error {
 	var ok bool
 
-	werr := conn.writeIdRequest(w, clientProtocolInfo)
+	req := NewIdRequest(clientProtocolInfo)
+	werr := conn.writeRequest(w, req)
 	if werr != nil {
-		return werr
+		return fmt.Errorf("identify: %w", werr)
 	}
 
-	resp, rerr := conn.readIdResponse(r)
+	resp, rerr := conn.readResponse(r)
 	if rerr != nil {
 		if resp.Code == ErrUnknownRequestType {
 			// IPROTO_ID requests are not supported by server.
 			return nil
 		}
 
-		return rerr
+		return fmt.Errorf("identify: %w", rerr)
 	}
 
 	if len(resp.Data) == 0 {
@@ -1664,5 +1648,7 @@ func (conn *Connection) ServerProtocolInfo() ProtocolInfo {
 // supported by Go connection client.
 // Since 1.10.0
 func (conn *Connection) ClientProtocolInfo() ProtocolInfo {
-	return clientProtocolInfo.Clone()
+	info := clientProtocolInfo.Clone()
+	info.Auth = conn.opts.Auth
+	return info
 }
diff --git a/connection_pool/watcher.go b/connection_pool/watcher.go
@@ -26,22 +26,24 @@ func (c *watcherContainer) add(watcher *poolWatcher) {
 }
 
 // remove removes a watcher from the container.
-func (c *watcherContainer) remove(watcher *poolWatcher) {
+func (c *watcherContainer) remove(watcher *poolWatcher) bool {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
 
 	if watcher == c.head {
 		c.head = watcher.next
+		return true
 	} else {
 		cur := c.head
 		for cur.next != nil {
 			if cur.next == watcher {
 				cur.next = watcher.next
-				break
+				return true
 			}
 			cur = cur.next
 		}
 	}
+	return false
 }
 
 // foreach iterates over the container to the end or until the call returns
@@ -83,15 +85,13 @@ type poolWatcher struct {
 
 // Unregister unregisters the pool watcher.
 func (w *poolWatcher) Unregister() {
-	w.mutex.Lock()
-	defer w.mutex.Unlock()
-
-	if !w.unregistered {
-		w.container.remove(w)
+	if !w.unregistered && w.container.remove(w) {
+		w.mutex.Lock()
 		w.unregistered = true
 		for _, watcher := range w.watchers {
 			watcher.Unregister()
 		}
+		w.mutex.Unlock()
 	}
 }
 

diff --git a/const.go b/const.go
@@ -51,6 +51,7 @@ const (
 	KeyEvent        = 0x57
 	KeyEventData    = 0x58
 	KeyTxnIsolation = 0x59
+	KeyAuthType     = 0x5b
 
 	KeyFieldName               = 0x00
 	KeyFieldType               = 0x01

diff --git a/protocol.go b/protocol.go
@@ -13,6 +13,8 @@ type ProtocolFeature uint64
 
 // ProtocolInfo type aggregates Tarantool protocol version and features info.
 type ProtocolInfo struct {
+	// Auth is an authentication method.
+	Auth Auth
 	// Version is the supported protocol version.
 	Version ProtocolVersion
 	// Features are supported protocol features.

diff --git a/request.go b/request.go
@@ -3,6 +3,7 @@ package tarantool
 import (
 	"context"
 	"errors"
+	"fmt"
 	"reflect"
 	"strings"
 	"sync"
@@ -591,22 +592,38 @@ func (req *spaceIndexRequest) setIndex(index interface{}) {
 
 type authRequest struct {
 	baseRequest
-	user, scramble string
+	auth       Auth
+	user, pass string
 }
 
-func newAuthRequest(user, scramble string) *authRequest {
+func newChapSha1AuthRequest(user, salt, password string) (*authRequest, error) {
+	scr, err := scramble(salt, password)
+	if err != nil {
+		return nil, fmt.Errorf("scrambling failure: %w", err)
+	}
+
+	req := new(authRequest)
+	req.requestCode = AuthRequestCode
+	req.auth = ChapSha1Auth
+	req.user = user
+	req.pass = string(scr)
+	return req, nil
+}
+
+func newPapSha256AuthRequest(user, password string) *authRequest {
 	req := new(authRequest)
 	req.requestCode = AuthRequestCode
+	req.auth = PapSha256Auth
 	req.user = user
-	req.scramble = scramble
+	req.pass = password
 	return req
 }
 
 // Body fills an encoder with the auth request body.
 func (req *authRequest) Body(res SchemaResolver, enc *encoder) error {
 	return enc.Encode(map[uint32]interface{}{
 		KeyUserName: req.user,
-		KeyTuple:    []interface{}{string("chap-sha1"), string(req.scramble)},
+		KeyTuple:    []interface{}{req.auth.String(), req.pass},
 	})
 }