wip

Author: DifferentialOrange

tarantool/connection.py

@@ -570,7 +570,8 @@ def __init__(self, host, port,
                  ssl_ca_file=DEFAULT_SSL_CA_FILE,
                  ssl_ciphers=DEFAULT_SSL_CIPHERS,
                  packer_factory=default_packer_factory,
-                 unpacker_factory=default_unpacker_factory):
+                 unpacker_factory=default_unpacker_factory,
+                 auth_type=DEFAULT_AUTH_TYPE):
         """
         :param host: Server hostname or IP address. Use ``None`` for
             Unix sockets.
@@ -710,6 +711,14 @@ def __init__(self, host, port,
             callable[[:obj:`~tarantool.Connection`], :obj:`~msgpack.Unpacker`],
             optional
 
+        :param auth_type: Authentication method: ``"chap-sha1"`` (supported in
+            Tarantool CE and EE) or ``"pap-sha256"`` (supported in Tarantool EE,
+            ``"ssl"`` :paramref:`~tarantool.Connection.transport` must be used).
+            If `None`, use authentication method provided by server in IPROTO_ID
+            exchange. If server does not provide an authentication method, use
+            ``"chap-sha1"``.
+        :type auth_type: :obj:`None` or :obj:`str`, optional
+
         :raise: :exc:`~tarantool.error.ConfigurationError`,
             :meth:`~tarantool.Connection.connect` exceptions
 
@@ -763,6 +772,8 @@ def __init__(self, host, port,
         }
         self._packer_factory_impl = packer_factory
         self._unpacker_factory_impl = unpacker_factory
+        self._client_auth_type = auth_type
+        self._server_auth_type = DEFAULT_AUTH_TYPE
 
         if connect_now:
             self.connect()
@@ -1335,8 +1346,11 @@ def authenticate(self, user, password):
         if not self._socket:
             return self._opt_reconnect()
 
-        request = RequestAuthenticate(self, self._salt, self.user,
-                                      self.password)
+        request = RequestAuthenticate(self,
+                                      salt=self._salt,
+                                      user=self.user,
+                                      password=self.password,
+                                      type=self._get_auth_type())
         auth_response = self._send_request_wo_reconnect(request)
         if auth_response.return_code == 0:
             self.flush_schema()
@@ -1982,11 +1996,13 @@ def _check_features(self):
             response = self._send_request(request)
             server_protocol_version = response.protocol_version
             server_features = response.features
+            server_auth_type = response.auth_type
         except DatabaseError as exc:
             ER_UNKNOWN_REQUEST_TYPE = 48
             if exc.code == ER_UNKNOWN_REQUEST_TYPE:
                 server_protocol_version = None
                 server_features = []
+                server_auth_type = None
             else:
                 raise exc
 
@@ -1999,6 +2015,8 @@ def _check_features(self):
         for val in features_list:
             self._features[val] = True
 
+        self._server_auth_type = server_auth_type
+
     def _packer_factory(self):
         return self._packer_factory_impl(self)
 
@@ -2775,3 +2793,28 @@ def crud_unflatten_rows(self, rows: list, metadata: list) -> list:
             res.append(row_res)
 
         return res
+
+    def _get_auth_type(self):
+        """
+        Get authentication method based on client and server settings.
+
+        :rtype: :obj:`str`
+
+        :raise: :exc:`~tarantool.error.DatabaseError`
+        """
+        if self._client_auth_type == AUTH_TYPE_DEFAULT:
+            if self._server_auth_type == AUTH_TYPE_DEFAULT:
+                auth_type = AUTH_TYPE_CHAP_SHA1
+            else:
+                if self._server_auth_type not in AUTH_TYPES:
+                    raise ConfigurationError(f'Unknown server authentication type {self._server_auth_type}')
+                auth_type = self._server_auth_type
+        else:
+            if self._client_auth_type not in AUTH_TYPES:
+                raise ConfigurationError(f'Unknown client authentication type {self._server_auth_type}')
+            auth_type = self._client_auth_type
+
+        if auth_type == AUTH_TYPE_PAP_SHA256 and self.transport != SSL_TRANSPORT:
+            raise ConfigurationError('Use PAP-SHA256 only with ssl transport')
+
+        return auth_type

tarantool/const.py

@@ -40,6 +40,7 @@
 #
 IPROTO_VERSION = 0x54
 IPROTO_FEATURES = 0x55
+IPROTO_AUTH_TYPE = 0x5b
 IPROTO_CHUNK = 0x80
 
 IPROTO_GREETING_SIZE = 128
@@ -127,6 +128,14 @@
 # Default delay between attempts to reconnect (seconds)
 POOL_INSTANCE_RECONNECT_DELAY = 0
 
+# Default authentication method
+DEFAULT_AUTH_TYPE = None
+# Authenticate with CHAP-SHA1 (Tarantool CE and EE)
+AUTH_TYPE_CHAP_SHA1 = "chap-sha1"
+# Authenticate with PAP-SHA256 (Tarantool EE)
+AUTH_TYPE_PAP_SHA256 = "pap-sha256"
+AUTH_TYPES = [AUTH_TYPE_CHAP_SHA1, AUTH_TYPE_PAP_SHA256]
+
 # Tarantool master 948e5cdc (possible 2.11) protocol version is 4
 CONNECTOR_IPROTO_VERSION = 4
 # List of connector-supported features

tarantool/request.py

@@ -224,14 +224,23 @@ def __init__(self, conn, space_no, values):
         self._body = request_body
 
 
+def _hash(sha, values):
+    for i in values:
+        if i is not None:
+            if isinstance(i, bytes):
+                sha.update(i)
+            else:
+                sha.update(i.encode())
+    return sha.digest()
+
 class RequestAuthenticate(Request):
     """
     Represents AUTHENTICATE request.
     """
 
     request_type = REQUEST_TYPE_AUTHENTICATE
 
-    def __init__(self, conn, salt, user, password):
+    def __init__(self, conn, salt, user, password, auth_type):
         """
         :param conn: Request sender.
         :type conn: :class:`~tarantool.Connection`
@@ -250,23 +259,19 @@ def __init__(self, conn, salt, user, password):
 
         super(RequestAuthenticate, self).__init__(conn)
 
-        def sha1(values):
+        if auth_type == AUTH_TYPE_CHAP_SHA1:
             sha = hashlib.sha1()
-            for i in values:
-                if i is not None:
-                    if isinstance(i, bytes):
-                        sha.update(i)
-                    else:
-                        sha.update(i.encode())
-            return sha.digest()
-
-        hash1 = sha1((password,))
-        hash2 = sha1((hash1,))
-        scramble = sha1((salt, hash2))
-        scramble = strxor(hash1, scramble)
-        request_body = self._dumps({IPROTO_USER_NAME: user,
-                                    IPROTO_TUPLE: ("chap-sha1", scramble)})
-        self._body = request_body
+            hash1 = _hash(sha, password,)
+            hash2 = _hash(sha, (hash1,))
+            prescramble = _hash(sha, (salt, hash2))
+            scramble = strxor(hash1, prescramble)
+        elif auth_type == AUTH_TYPE_CHAP_SHA1:
+            scramble = password
+        else:
+            raise ValueError(f'Unexpected auth_type {auth_type}')
+
+        self._body = self._dumps({IPROTO_USER_NAME: user,
+                                  IPROTO_TUPLE: (auth_type, scramble)})
 
     def header(self, length):
         """

tarantool/response.py

@@ -386,3 +386,15 @@ def features(self):
             return []
         return self._body.get(IPROTO_FEATURES)
 
+    @property
+    def auth_type(self):
+        """
+        Server expected authentication method.
+
+        :rtype: :obj:`str` or :obj:`None`
+        """
+
+        if self._return_code != 0:
+            return DEFAULT_AUTH_TYPE
+        return self._body.get(IPROTO_AUTH_TYPE)
+