Add NewCredential func

gdsmith · gdsmith · commit 88a5a8007d5c · 2025-05-23T11:31:17.000+01:00
encapsulate the creation of credentials to simplify downstream implementation

publicise the password and plugin so downstream implementations are able to access them
diff --git a/server/auth.go b/server/auth.go
@@ -19,8 +19,8 @@ var (
 )
 
 func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {
-	if authPluginName != c.credential.authPluginName {
-		err := c.writeAuthSwitchRequest(c.credential.authPluginName)
+	if authPluginName != c.credential.AuthPluginName {
+		err := c.writeAuthSwitchRequest(c.credential.AuthPluginName)
 		if err != nil {
 			return err
 		}
@@ -60,7 +60,7 @@ func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) err
 }
 
 func (c *Conn) acquirePassword() error {
-	if c.credential.password != "" {
+	if c.credential.Password != "" {
 		return nil
 	}
 	credential, found, err := c.credentialProvider.GetCredential(c.user)
@@ -75,7 +75,7 @@ func (c *Conn) acquirePassword() error {
 }
 
 func errAccessDenied(credential Credential) error {
-	if credential.password == "" {
+	if credential.Password == "" {
 		return ErrAccessDeniedNoPassword
 	}
 
@@ -103,7 +103,7 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 }
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
-	password, err := mysql.DecodePasswordHex(c.credential.password)
+	password, err := mysql.DecodePasswordHex(c.credential.Password)
 	if err != nil {
 		return errAccessDenied(credential)
 	}
@@ -116,7 +116,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {
 	// Empty passwords are not hashed, but sent as empty string
 	if len(clientAuthData) == 0 {
-		if credential.password == "" {
+		if credential.Password == "" {
 			return nil
 		}
 		return ErrAccessDenied
@@ -142,7 +142,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 			clientAuthData = clientAuthData[:l-1]
 		}
 	}
-	check, err := mysql.Check256HashingPassword([]byte(credential.password), string(clientAuthData))
+	check, err := mysql.Check256HashingPassword([]byte(credential.Password), string(clientAuthData))
 	if err != nil {
 		return err
 	}
@@ -155,7 +155,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
 	// Empty passwords are not hashed, but sent as empty string
 	if len(clientAuthData) == 0 {
-		if c.credential.password == "" {
+		if c.credential.Password == "" {
 			return nil
 		}
 		return ErrAccessDenied
diff --git a/server/auth_switch_response.go b/server/auth_switch_response.go
@@ -71,7 +71,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 }
 
 func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {
-	match, err := auth.CheckHashingPassword([]byte(credential.password), string(clientAuthData), mysql.AUTH_CACHING_SHA2_PASSWORD)
+	match, err := auth.CheckHashingPassword([]byte(credential.Password), string(clientAuthData), mysql.AUTH_CACHING_SHA2_PASSWORD)
 	if match && err == nil {
 		return nil
 	}
diff --git a/server/credential_provider.go b/server/credential_provider.go
@@ -34,8 +34,38 @@ func NewInMemoryProvider(defaultAuthMethod ...string) *InMemoryProvider {
 }
 
 type Credential struct {
-	password       string
-	authPluginName string
+	Password       string
+	AuthPluginName string
+}
+
+func NewCredential(password string, authPluginName string) (Credential, error) {
+	c := Credential{
+		AuthPluginName: authPluginName,
+	}
+
+	if password == "" {
+		c.Password = ""
+		return c, nil
+	}
+
+	switch c.AuthPluginName {
+	case mysql.AUTH_NATIVE_PASSWORD:
+		c.Password = mysql.EncodePasswordHex(mysql.NativePasswordHash([]byte(password)))
+
+	case mysql.AUTH_CACHING_SHA2_PASSWORD:
+		c.Password = auth.NewHashPassword(password, mysql.AUTH_CACHING_SHA2_PASSWORD)
+
+	case mysql.AUTH_SHA256_PASSWORD:
+		hash, err := mysql.NewSha256PasswordHash(password)
+		if err != nil {
+			return c, err
+		}
+		c.Password = hash
+
+	default:
+		return c, errors.Errorf("unknown authentication plugin name '%s'", c.AuthPluginName)
+	}
+	return c, nil
 }
 
 // implements an in memory credential provider
@@ -61,37 +91,17 @@ func (m *InMemoryProvider) GetCredential(username string) (credential Credential
 	return c, true, nil
 }
 
-func (m *InMemoryProvider) AddUser(username, password string, authPluginName ...string) error {
-	c := Credential{
-		authPluginName: m.defaultAuthMethod,
-	}
-	if len(authPluginName) > 0 {
-		c.authPluginName = authPluginName[0]
+func (m *InMemoryProvider) AddUser(username, password string, optionalAuthPluginName ...string) error {
+	authPluginName := m.defaultAuthMethod
+	if len(optionalAuthPluginName) > 0 {
+		authPluginName = optionalAuthPluginName[0]
 	}
 
-	if password == "" {
-		c.password = ""
-		m.userPool.Store(username, c)
-		return nil
+	c, err := NewCredential(password, authPluginName)
+	if err != nil {
+		return err
 	}
 
-	switch c.authPluginName {
-	case mysql.AUTH_NATIVE_PASSWORD:
-		c.password = mysql.EncodePasswordHex(mysql.NativePasswordHash([]byte(password)))
-
-	case mysql.AUTH_CACHING_SHA2_PASSWORD:
-		c.password = auth.NewHashPassword(password, mysql.AUTH_CACHING_SHA2_PASSWORD)
-
-	case mysql.AUTH_SHA256_PASSWORD:
-		hash, err := mysql.NewSha256PasswordHash(password)
-		if err != nil {
-			return err
-		}
-		c.password = hash
-
-	default:
-		return errors.Errorf("unknown authentication plugin name '%s'", c.authPluginName)
-	}
 	m.userPool.Store(username, c)
 	return nil
 }
diff --git a/server/handshake_resp.go b/server/handshake_resp.go
@@ -204,8 +204,8 @@ func (c *Conn) handleAuthMatch() (bool, error) {
 		return false, err
 	}
 
-	if c.authPluginName != c.credential.authPluginName {
-		if err := c.writeAuthSwitchRequest(c.credential.authPluginName); err != nil {
+	if c.authPluginName != c.credential.AuthPluginName {
+		if err := c.writeAuthSwitchRequest(c.credential.AuthPluginName); err != nil {
 			return false, err
 		}
 		// handle AuthSwitchResponse

Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ var (`
`19`	`19`	`)`
`20`	`20`
`21`	`21`	`func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {`
`22`		`- if authPluginName != c.credential.authPluginName {`
`23`		`- err := c.writeAuthSwitchRequest(c.credential.authPluginName)`
	`22`	`+ if authPluginName != c.credential.AuthPluginName {`
	`23`	`+ err := c.writeAuthSwitchRequest(c.credential.AuthPluginName)`
`24`	`24`	`if err != nil {`
`25`	`25`	`return err`
`26`	`26`	`}`
`@@ -60,7 +60,7 @@ func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) err`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`func (c *Conn) acquirePassword() error {`
`63`		`- if c.credential.password != "" {`
	`63`	`+ if c.credential.Password != "" {`
`64`	`64`	`return nil`
`65`	`65`	`}`
`66`	`66`	`credential, found, err := c.credentialProvider.GetCredential(c.user)`
`@@ -75,7 +75,7 @@ func (c *Conn) acquirePassword() error {`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`func errAccessDenied(credential Credential) error {`
`78`		`- if credential.password == "" {`
	`78`	`+ if credential.Password == "" {`
`79`	`79`	`return ErrAccessDeniedNoPassword`
`80`	`80`	`}`
`81`	`81`
`@@ -103,7 +103,7 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {`
`106`		`- password, err := mysql.DecodePasswordHex(c.credential.password)`
	`106`	`+ password, err := mysql.DecodePasswordHex(c.credential.Password)`
`107`	`107`	`if err != nil {`
`108`	`108`	`return errAccessDenied(credential)`
`109`	`109`	`}`
`@@ -116,7 +116,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C`
`116`	`116`	`func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {`
`117`	`117`	`// Empty passwords are not hashed, but sent as empty string`
`118`	`118`	`if len(clientAuthData) == 0 {`
`119`		`- if credential.password == "" {`
	`119`	`+ if credential.Password == "" {`
`120`	`120`	`return nil`
`121`	`121`	`}`
`122`	`122`	`return ErrAccessDenied`
`@@ -142,7 +142,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C`
`142`	`142`	`clientAuthData = clientAuthData[:l-1]`
`143`	`143`	`}`
`144`	`144`	`}`
`145`		`- check, err := mysql.Check256HashingPassword([]byte(credential.password), string(clientAuthData))`
	`145`	`+ check, err := mysql.Check256HashingPassword([]byte(credential.Password), string(clientAuthData))`
`146`	`146`	`if err != nil {`
`147`	`147`	`return err`
`148`	`148`	`}`
`@@ -155,7 +155,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C`
`155`	`155`	`func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {`
`156`	`156`	`// Empty passwords are not hashed, but sent as empty string`
`157`	`157`	`if len(clientAuthData) == 0 {`
`158`		`- if c.credential.password == "" {`
	`158`	`+ if c.credential.Password == "" {`
`159`	`159`	`return nil`
`160`	`160`	`}`
`161`	`161`	`return ErrAccessDenied`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {`
`74`		`- match, err := auth.CheckHashingPassword([]byte(credential.password), string(clientAuthData), mysql.AUTH_CACHING_SHA2_PASSWORD)`
	`74`	`+ match, err := auth.CheckHashingPassword([]byte(credential.Password), string(clientAuthData), mysql.AUTH_CACHING_SHA2_PASSWORD)`
`75`	`75`	`if match && err == nil {`
`76`	`76`	`return nil`
`77`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -204,8 +204,8 @@ func (c *Conn) handleAuthMatch() (bool, error) {`
`204`	`204`	`return false, err`
`205`	`205`	`}`
`206`	`206`
`207`		`- if c.authPluginName != c.credential.authPluginName {`
`208`		`- if err := c.writeAuthSwitchRequest(c.credential.authPluginName); err != nil {`
	`207`	`+ if c.authPluginName != c.credential.AuthPluginName {`
	`208`	`+ if err := c.writeAuthSwitchRequest(c.credential.AuthPluginName); err != nil {`
`209`	`209`	`return false, err`
`210`	`210`	`}`
`211`	`211`	`// handle AuthSwitchResponse`