WL#16269 OpenID Connect (Oauth2 - JWT) Authentication Support

Implements user authentication using OpenID Connect based on the
OAuth 2.0 framework of specifications (IETF RFC 6749 and 6750).

Change-Id: I11944643d4a6098312edd16550c0160e86905063

Author: Samar Pratap Singh

client/mysql.cc

@@ -246,6 +246,7 @@ static const CHARSET_INFO *charset_info = &my_charset_latin1;
 
 static char *opt_oci_config_file = nullptr;
 static char *opt_authentication_oci_client_config_profile = nullptr;
+static char *opt_authentication_openid_connect_client_id_token_file = nullptr;
 static char *opt_register_factor = nullptr;
 
 static bool opt_tel_plugin = false;
@@ -2080,6 +2081,11 @@ static struct my_option my_long_options[] = {
      "is ~/.oci/config and %HOME/.oci/config on Windows.",
      &opt_oci_config_file, &opt_oci_config_file, nullptr, GET_STR, REQUIRED_ARG,
      0, 0, 0, nullptr, 0, nullptr},
+    {"authentication-openid-connect-client-id-token-file", 0,
+     "Specifies the location of the ID token file.",
+     &opt_authentication_openid_connect_client_id_token_file,
+     &opt_authentication_openid_connect_client_id_token_file, nullptr, GET_STR,
+     REQUIRED_ARG, 0, 0, 0, nullptr, 0, nullptr},
     {"telemetry-client", 0, "Load the telemetry_client plugin.",
      &opt_tel_plugin, &opt_tel_plugin, nullptr, GET_BOOL, NO_ARG, 0, 0, 0,
      nullptr, 0, nullptr},
@@ -5197,6 +5203,29 @@ static bool init_connection_options(MYSQL *mysql) {
     }
   }
 
+  /* set authentication_openid_connect_client ID token file option if required
+   */
+  if (opt_authentication_openid_connect_client_id_token_file != nullptr) {
+    struct st_mysql_client_plugin *openid_connect_plugin =
+        mysql_client_find_plugin(mysql, "authentication_openid_connect_client",
+                                 MYSQL_CLIENT_AUTHENTICATION_PLUGIN);
+    if (!openid_connect_plugin) {
+      put_info("Cannot load the authentication_openid_connect_client plugin.",
+               INFO_ERROR);
+      return true;
+    }
+    if (mysql_plugin_options(
+            openid_connect_plugin, "id-token-file",
+            opt_authentication_openid_connect_client_id_token_file)) {
+      put_info(
+          "Failed to set id token file for "
+          "authentication_openid_connect_client "
+          "plugin.",
+          INFO_ERROR);
+      return true;
+    }
+  }
+
   char error[256]{0};
 #if defined(_WIN32)
   if (set_authentication_kerberos_client_mode(mysql, error, 255)) {

sql-common/oci/ssl.h include/base64_encode.h

@@ -309,6 +309,7 @@
     MYSQL_VIO_MEMORY
   } protocol;
   int socket;
+  bool is_tls_established;
 };
 enum net_async_status {
   NET_ASYNC_COMPLETE = 0,

sql-common/oci/ssl_ptr.h include/encode_ptr.h

@@ -12,6 +12,7 @@
     MYSQL_VIO_MEMORY
   } protocol;
   int socket;
+  bool is_tls_established;
 };
 enum net_async_status {
   NET_ASYNC_COMPLETE = 0,

include/mysql.h.pp

@@ -130,6 +130,7 @@
     MYSQL_VIO_MEMORY
   } protocol;
   int socket;
+  bool is_tls_established;
 };
 enum net_async_status {
   NET_ASYNC_COMPLETE = 0,

include/mysql/client_plugin.h.pp

@@ -127,6 +127,7 @@ struct MYSQL_PLUGIN_VIO_INFO {
     MYSQL_VIO_MEMORY
   } protocol;
   int socket; /**< it's set, if the protocol is SOCKET or TCP */
+  bool is_tls_established;
 #if defined(_WIN32) && !defined(MYSQL_ABI_CHECK)
   HANDLE handle; /**< it's set, if the protocol is PIPE or MEMORY */
 #endif

include/mysql/plugin_auth.h.pp

@@ -304,6 +304,9 @@ ADD_SUBDIRECTORY(fido_client)
 # authentication mysql_native_password client plug-in
 ADD_SUBDIRECTORY(authentication_native_password)
 
+# authentication openid connect client plug-in
+ADD_SUBDIRECTORY(authentication_openid_connect_client)
+
 # Merge several convenience libraries into one big mysqlclient
 MERGE_CONVENIENCE_LIBRARIES(mysqlclient ${LIBS_TO_MERGE}
   COMPONENT Development

include/mysql/plugin_auth_common.h

@@ -41,8 +41,8 @@
 #include <iostream>
 #include <ostream>
 
+#include "include/base64_encode.h"
 #include "sql-common/oci/signing_key.h"
-#include "sql-common/oci/ssl.h"
 #include "sql-common/oci/utilities.h"
 
 static char *s_oci_config_location = nullptr;

libmysql/CMakeLists.txt

@@ -0,0 +1,64 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2.0,
+# as published by the Free Software Foundation.
+#
+# This program is designed to work with certain software (including
+# but not limited to OpenSSL) that is licensed under separate terms,
+# as designated in a particular file or component or in included license
+# documentation.  The authors of MySQL hereby grant you an additional
+# permission to link the program and your derivative works with the
+# separately licensed software that they have either included with
+# the program or referenced in the documentation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License, version 2.0, for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+
+#
+# Configuration for building OpenID Connect authentication client Plug-in (client-side)
+#
+
+# The client authentication plug-in is part of the community build.
+
+# Skip it if disabled.
+IF(NOT WITH_AUTHENTICATION_CLIENT_PLUGINS)
+  MESSAGE(STATUS "Skipping the OpenID Connect authentication client plugin.")
+  RETURN()
+ENDIF()
+
+DISABLE_MISSING_PROFILE_WARNING()
+
+MYSQL_ADD_PLUGIN(
+  authentication_openid_connect_client
+
+  # Authentication plugin main
+  authentication_openid_connect_client_plugin.cc
+
+  LINK_LIBRARIES mysys OpenSSL::SSL OpenSSL::Crypto
+
+  CLIENT_ONLY
+  MODULE_ONLY MODULE_OUTPUT_NAME "authentication_openid_connect_client"
+)
+
+IF(LINUX OR SOLARIS)
+  SET(PLUGIN_VERSION_FILE
+    ${CMAKE_CURRENT_SOURCE_DIR}/authentication_openid_connect_client.ver)
+  IF(SOLARIS)
+    TARGET_LINK_OPTIONS(authentication_openid_connect_client PRIVATE
+      LINKER:-z,gnu-version-script-compat)
+  ENDIF()
+  # hide all symbols in mysys, to avoid ODR violations.
+  # There is *one* visible symbol: _mysql_client_plugin_declaration_
+  TARGET_LINK_OPTIONS(authentication_openid_connect_client PRIVATE
+    LINKER:--version-script=${PLUGIN_VERSION_FILE}
+    )
+  SET_TARGET_PROPERTIES(authentication_openid_connect_client
+    PROPERTIES LINK_DEPENDS ${PLUGIN_VERSION_FILE})
+ENDIF()

libmysql/authentication_oci_client/authentication_oci_client_plugin.cc

@@ -0,0 +1,28 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2.0,
+# as published by the Free Software Foundation.
+#
+# This program is designed to work with certain software (including
+# but not limited to OpenSSL) that is licensed under separate terms,
+# as designated in a particular file or component or in included license
+# documentation.  The authors of MySQL hereby grant you an additional
+# permission to link the program and your derivative works with the
+# separately licensed software that they have either included with
+# the program or referenced in the documentation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License, version 2.0, for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+
+authentication_openid_connect_client
+{
+  global: _mysql_client_plugin_declaration_;
+  local: *;
+};