Allow registering custom CredentialProviders for per-conn passwords

When using a temporary credential system for MySQL, for example IAM
database authenticaiton on AWS or the Database secret backend for
Hashicorp Vault, it may not be the case that the same username and
password be used for opening every connection in a *sql.DB.

This PR adds funcionality whereby the caller can, instead of specifying
cfg.User and cfg.Passwd (in the DSN as user:pass@...), specify a
CredentialProvider= arguemnt which refers to a callback registered with
RegisterCredentialProvider.

When a new connection is to be opened, if the CredentialProvider
callback is specified, that is called to obtain a username/password pair
rather than using the values from the DSN.

Author: KJ Tsanaktsidis

AUTHORS

@@ -103,3 +103,4 @@ Multiplay Ltd.
 Percona LLC
 Pivotal Inc.
 Stripe Inc.
+Zendesk Inc.

README.md

@@ -209,6 +209,16 @@ SELECT u.id FROM users as u
 
 will return `u.id` instead of just `id` if `columnsWithAlias=true`.
 
+#### `credentialProvider`
+
+```
+Type:           string
+Valid Values:   <name>
+Default:        ""
+```
+
+If set, this must refer to a credential provider name registerd with `RegisterCredentialProvider`. When this is set, the username and password in the DSN will be ignored; instead, each time a conneciton is to be opened, the named credential provider function will be called to obtain a username/password to connect with. This is useful when using, for example, IAM database auth in Amazon AWS, where "passwords" are actually temporary tokens that expire.
+
 ##### `interpolateParams`
 
 ```

auth.go

@@ -15,13 +15,16 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
 	"sync"
 )
 
 // server pub keys registry
 var (
-	serverPubKeyLock     sync.RWMutex
-	serverPubKeyRegistry map[string]*rsa.PublicKey
+	serverPubKeyLock           sync.RWMutex
+	serverPubKeyRegistry       map[string]*rsa.PublicKey
+	credentialProviderLock     sync.RWMutex
+	credentialProviderRetistry map[string]CredentialProviderFunc
 )
 
 // RegisterServerPubKey registers a server RSA public key which can be used to
@@ -81,6 +84,44 @@ func getServerPubKey(name string) (pubKey *rsa.PublicKey) {
 	return
 }
 
+// CredentialProviderFunc is a function which can be used to fetch a username/password
+// pair for use when opening a new MySQL connection. The first return value is the username
+// and the second the password.
+type CredentialProviderFunc func() (string, string, error)
+
+// RegisterCredentialProvider registers a function to be called on every connection open to
+// get the username and password to call
+func RegisterCredentialProvider(name string, providerFunc CredentialProviderFunc) {
+	credentialProviderLock.Lock()
+	if credentialProviderRetistry == nil {
+		credentialProviderRetistry = make(map[string]CredentialProviderFunc)
+	}
+	credentialProviderRetistry[name] = providerFunc
+	credentialProviderLock.Unlock()
+}
+
+// DeregisterCredentialProvider removes a function registered with RegisterCredentialProvider
+func DeregisterCredentialProvider(name string) {
+	credentialProviderLock.Lock()
+	if credentialProviderRetistry != nil {
+		delete(credentialProviderRetistry, name)
+	}
+	credentialProviderLock.Unlock()
+}
+
+func getCredentialsFromConfig(cfg *Config) (string, string, error) {
+	if cfg.CredentialProvider != "" {
+		credentialProviderLock.RLock()
+		defer credentialProviderLock.RUnlock()
+		cpFunc, ok := credentialProviderRetistry[cfg.CredentialProvider]
+		if !ok {
+			return "", "", fmt.Errorf("credential provider %s not registered", cfg.CredentialProvider)
+		}
+		return cpFunc()
+	}
+	return cfg.User, cfg.Passwd, nil
+}
+
 // Hash password using pre 4.1 (old password) method
 // https://github.com/atcurtis/mariadb/blob/master/mysys/my_rnd.c
 type myRnd struct {
@@ -237,10 +278,10 @@ func (mc *mysqlConn) sendEncryptedPassword(seed []byte, pub *rsa.PublicKey) erro
 	return mc.writeAuthSwitchPacket(enc)
 }
 
-func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
+func (mc *mysqlConn) auth(authData []byte, plugin string, password string) ([]byte, error) {
 	switch plugin {
 	case "caching_sha2_password":
-		authResp := scrambleSHA256Password(authData, mc.cfg.Passwd)
+		authResp := scrambleSHA256Password(authData, password)
 		return authResp, nil
 
 	case "mysql_old_password":
@@ -250,7 +291,7 @@ func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
 		// Note: there are edge cases where this should work but doesn't;
 		// this is currently "wontfix":
 		// https://github.com/go-sql-driver/mysql/issues/184
-		authResp := append(scrambleOldPassword(authData[:8], mc.cfg.Passwd), 0)
+		authResp := append(scrambleOldPassword(authData[:8], password), 0)
 		return authResp, nil
 
 	case "mysql_clear_password":
@@ -259,24 +300,24 @@ func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
 		}
 		// http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
 		// http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
-		return append([]byte(mc.cfg.Passwd), 0), nil
+		return append([]byte(password), 0), nil
 
 	case "mysql_native_password":
 		if !mc.cfg.AllowNativePasswords {
 			return nil, ErrNativePassword
 		}
 		// https://dev.mysql.com/doc/internals/en/secure-password-authentication.html
 		// Native password authentication only need and will need 20-byte challenge.
-		authResp := scramblePassword(authData[:20], mc.cfg.Passwd)
+		authResp := scramblePassword(authData[:20], password)
 		return authResp, nil
 
 	case "sha256_password":
-		if len(mc.cfg.Passwd) == 0 {
+		if len(password) == 0 {
 			return []byte{0}, nil
 		}
 		if mc.cfg.tls != nil || mc.cfg.Net == "unix" {
 			// write cleartext auth packet
-			return append([]byte(mc.cfg.Passwd), 0), nil
+			return append([]byte(password), 0), nil
 		}
 
 		pubKey := mc.cfg.pubKey
@@ -286,7 +327,7 @@ func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
 		}
 
 		// encrypted password
-		enc, err := encryptPassword(mc.cfg.Passwd, authData, pubKey)
+		enc, err := encryptPassword(password, authData, pubKey)
 		return enc, err
 
 	default:
@@ -295,7 +336,7 @@ func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
 	}
 }
 
-func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string) error {
+func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string, password string) error {
 	// Read Result Packet
 	authData, newPlugin, err := mc.readAuthResult()
 	if err != nil {
@@ -315,7 +356,7 @@ func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string) error {
 
 		plugin = newPlugin
 
-		authResp, err := mc.auth(authData, plugin)
+		authResp, err := mc.auth(authData, plugin, password)
 		if err != nil {
 			return err
 		}
@@ -352,7 +393,7 @@ func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string) error {
 			case cachingSha2PasswordPerformFullAuthentication:
 				if mc.cfg.tls != nil || mc.cfg.Net == "unix" {
 					// write cleartext auth packet
-					err = mc.writeAuthSwitchPacket(append([]byte(mc.cfg.Passwd), 0))
+					err = mc.writeAuthSwitchPacket(append([]byte(password), 0))
 					if err != nil {
 						return err
 					}