feat: auto authorisation packet switching (#105)

Author: krowinski

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Release Notes
 
+## v8.0.1 (2024-01-31)
+
+- Added: auto authorisation packet switching
+
 ## v8.0.0 (2024-01-29)
 
 - Change: drop support for < 8.2

src/MySQLReplication/BinLog/BinLogAuthPluginMode.php

@@ -4,8 +4,23 @@
 
 namespace MySQLReplication\BinLog;
 
+use MySQLReplication\Exception\MySQLReplicationException;
+
 enum BinLogAuthPluginMode: string
 {
     case MysqlNativePassword = 'mysql_native_password';
     case CachingSha2Password = 'caching_sha2_password';
+
+    public static function make(string $authPluginName): self
+    {
+        $authPlugin = self::tryFrom($authPluginName);
+        if ($authPlugin === null) {
+            throw new MySQLReplicationException(
+                MySQLReplicationException::BINLOG_AUTH_NOT_SUPPORTED,
+                MySQLReplicationException::BINLOG_AUTH_NOT_SUPPORTED_CODE
+            );
+        }
+
+        return $authPlugin;
+    }
 }

src/MySQLReplication/BinLog/BinLogServerInfo.php

@@ -17,7 +17,7 @@ public function __construct(
         public string $serverVersion,
         public int $connectionId,
         public string $salt,
-        public ?BinLogAuthPluginMode $authPlugin,
+        public BinLogAuthPluginMode $authPlugin,
         public string $versionName,
         public float $versionRevision
     ) {
@@ -94,7 +94,7 @@ public static function make(string $data, string $version): self
             $serverVersion,
             $connectionId,
             $salt,
-            BinLogAuthPluginMode::tryFrom($authPlugin),
+            BinLogAuthPluginMode::make($authPlugin),
             self::parseVersion($serverVersion),
             self::parseRevision($version)
         );

src/MySQLReplication/BinLog/BinLogSocketConnect.php

@@ -6,7 +6,6 @@
 
 use MySQLReplication\BinaryDataReader\BinaryDataReader;
 use MySQLReplication\Config\Config;
-use MySQLReplication\Exception\MySQLReplicationException;
 use MySQLReplication\Gtid\GtidCollection;
 use MySQLReplication\Repository\RepositoryInterface;
 use MySQLReplication\Socket\SocketInterface;
@@ -17,6 +16,7 @@ class BinLogSocketConnect
     private const COM_BINLOG_DUMP = 0x12;
     private const COM_REGISTER_SLAVE = 0x15;
     private const COM_BINLOG_DUMP_GTID = 0x1e;
+    private const AUTH_SWITCH_PACKET = 254;
     /**
      * https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase.html 00 FE
      */
@@ -47,7 +47,8 @@ public function __construct(
             'Server version name: ' . $this->binLogServerInfo->versionName . ', revision: ' . $this->binLogServerInfo->versionRevision
         );
 
-        $this->authenticate();
+
+        $this->authenticate($this->binLogServerInfo->authPlugin);
         $this->getBinlogStream();
     }
 
@@ -110,56 +111,60 @@ private function isWriteSuccessful(string $data): void
         }
     }
 
-    private function authenticate(): void
+    private function authenticate(BinLogAuthPluginMode $authPlugin): void
     {
-        if ($this->binLogServerInfo->authPlugin === null) {
-            throw new MySQLReplicationException(
-                MySQLReplicationException::BINLOG_AUTH_NOT_SUPPORTED,
-                MySQLReplicationException::BINLOG_AUTH_NOT_SUPPORTED_CODE
-            );
-        }
-
         $this->logger->info(
-            'Trying to authenticate user: ' . $this->config->user . ' using ' . $this->binLogServerInfo->authPlugin->value . ' plugin'
+            'Trying to authenticate user: ' . $this->config->user . ' using ' . $authPlugin->value . ' default plugin'
         );
 
         $data = pack('L', self::getCapabilities());
         $data .= pack('L', $this->binaryDataMaxLength);
         $data .= chr(33);
         $data .= str_repeat(chr(0), 23);
         $data .= $this->config->user . chr(0);
-
-        $auth = '';
-        if ($this->binLogServerInfo->authPlugin === BinLogAuthPluginMode::MysqlNativePassword) {
-            $auth = $this->authenticateMysqlNativePasswordPlugin();
-        } elseif ($this->binLogServerInfo->authPlugin === BinLogAuthPluginMode::CachingSha2Password) {
-            $auth = $this->authenticateCachingSha2PasswordPlugin();
-        }
-
+        $auth = $this->getAuthData($authPlugin, $this->binLogServerInfo->salt);
         $data .= chr(strlen($auth)) . $auth;
-        $data .= $this->binLogServerInfo->authPlugin->value . chr(0);
+        $data .= $authPlugin->value . chr(0);
         $str = pack('L', strlen($data));
         $s = $str[0] . $str[1] . $str[2];
         $data = $s . chr(1) . $data;
 
         $this->socket->writeToSocket($data);
-        $this->getResponse();
+        $response = $this->getResponse();
+
+        // Check for AUTH_SWITCH_PACKET
+        if (isset($response[0]) && ord($response[0]) === self::AUTH_SWITCH_PACKET) {
+            $this->switchAuth($response);
+        }
 
         $this->logger->info('User authenticated');
     }
 
-    private function authenticateCachingSha2PasswordPlugin(): string
+    private function getAuthData(?BinLogAuthPluginMode $authPlugin, string $salt): string
+    {
+        if ($authPlugin === BinLogAuthPluginMode::MysqlNativePassword) {
+            return $this->authenticateMysqlNativePasswordPlugin($salt);
+        }
+
+        if ($authPlugin === BinLogAuthPluginMode::CachingSha2Password) {
+            return $this->authenticateCachingSha2PasswordPlugin($salt);
+        }
+
+        return '';
+    }
+
+    private function authenticateCachingSha2PasswordPlugin(string $salt): string
     {
         $hash1 = hash('sha256', $this->config->password, true);
         $hash2 = hash('sha256', $hash1, true);
-        $hash3 = hash('sha256', $hash2 . $this->binLogServerInfo->salt, true);
+        $hash3 = hash('sha256', $hash2 . $salt, true);
         return $hash1 ^ $hash3;
     }
 
-    private function authenticateMysqlNativePasswordPlugin(): string
+    private function authenticateMysqlNativePasswordPlugin(string $salt): string
     {
         $hash1 = sha1($this->config->password, true);
-        $hash2 = sha1($this->binLogServerInfo->salt . sha1(sha1($this->config->password, true), true), true);
+        $hash2 = sha1($salt . sha1(sha1($this->config->password, true), true), true);
         return $hash1 ^ $hash2;
     }
 
@@ -316,4 +321,17 @@ private function setBinLogDump(): void
 
         $this->logger->info('Set binlog to start from: ' . $binFileName . ':' . $binFilePos);
     }
+
+    private function switchAuth(string $response): void
+    {
+        // skip AUTH_SWITCH_PACKET byte
+        $offset = 1;
+        $authPluginSwitched = BinLogAuthPluginMode::make(BinaryDataReader::decodeNullLength($response, $offset));
+        $salt = BinaryDataReader::decodeNullLength($response, $offset);
+        $auth = $this->getAuthData($authPluginSwitched, $salt);
+
+        $this->logger->info('Auth switch packet received, switching to ' . $authPluginSwitched->value);
+
+        $this->socket->writeToSocket(pack('L', (strlen($auth)) | (3 << 24)) . $auth);
+    }
 }

src/MySQLReplication/BinaryDataReader/BinaryDataReader.php

@@ -325,4 +325,18 @@ public static function unpack(string $format, string $string): array
         }
         return [];
     }
+
+    public static function decodeNullLength(string $data, int &$offset = 0): string
+    {
+        $length = strpos($data, chr(0), $offset);
+        if ($length === false) {
+            return '';
+        }
+
+        $length -= $offset;
+        $result = substr($data, $offset, $length);
+        $offset += $length + 1;
+
+        return $result;
+    }
 }