try to run

Author: DifferentialOrange

tarantool/connection.py

@@ -68,6 +68,10 @@
     IPROTO_FEATURE_ERROR_EXTENSION,
     IPROTO_FEATURE_WATCHERS,
     IPROTO_CHUNK,
+    DEFAULT_AUTH_TYPE,
+    AUTH_TYPE_CHAP_SHA1,
+    AUTH_TYPE_PAP_SHA256,
+    AUTH_TYPES,
 )
 from tarantool.error import (
     Error,
@@ -2802,8 +2806,8 @@ def _get_auth_type(self):
 
         :raise: :exc:`~tarantool.error.DatabaseError`
         """
-        if self._client_auth_type == AUTH_TYPE_DEFAULT:
-            if self._server_auth_type == AUTH_TYPE_DEFAULT:
+        if self._client_auth_type == DEFAULT_AUTH_TYPE:
+            if self._server_auth_type == DEFAULT_AUTH_TYPE:
                 auth_type = AUTH_TYPE_CHAP_SHA1
             else:
                 if self._server_auth_type not in AUTH_TYPES:

tarantool/request.py

@@ -51,6 +51,8 @@
     REQUEST_TYPE_JOIN,
     REQUEST_TYPE_SUBSCRIBE,
     REQUEST_TYPE_ID,
+    AUTH_TYPE_CHAP_SHA1,
+    AUTH_TYPE_PAP_SHA256,
 )
 from tarantool.response import (
     Response,
@@ -265,7 +267,7 @@ def __init__(self, conn, salt, user, password, auth_type):
             hash2 = _hash(sha, (hash1,))
             prescramble = _hash(sha, (salt, hash2))
             scramble = strxor(hash1, prescramble)
-        elif auth_type == AUTH_TYPE_CHAP_SHA1:
+        elif auth_type == AUTH_TYPE_PAP_SHA256:
             scramble = password
         else:
             raise ValueError(f'Unexpected auth_type {auth_type}')

test/suites/test_ssl.py

@@ -7,7 +7,9 @@
 )
 from tarantool.const import (
     DEFAULT_TRANSPORT,
-    SSL_TRANSPORT
+    SSL_TRANSPORT,
+    AUTH_TYPE_CHAP_SHA1,
+    AUTH_TYPE_PAP_SHA256,
 )
 import tarantool
 from .lib.tarantool_server import TarantoolServer
@@ -60,26 +62,34 @@ class SslTestCase:
             def __init__(self,
                          name="",
                          ok=False,
+                         expected_error=tarantool.error.SslError,
                          server_transport=SSL_TRANSPORT,
                          server_key_file=None,
                          server_cert_file=None,
                          server_ca_file=None,
                          server_ciphers=None,
+                         server_auth_type=None,
+                         client_transport=SSL_TRANSPORT,
                          client_cert_file=None,
                          client_key_file=None,
                          client_ca_file=None,
-                         client_ciphers=None):
+                         client_ciphers=None,
+                         client_auth_type=None):
                 self.name = name
                 self.ok = ok
+                self.expected_error = expected_error
                 self.server_transport = server_transport
                 self.server_key_file = server_key_file
                 self.server_cert_file = server_cert_file
                 self.server_ca_file = server_ca_file
                 self.server_ciphers = server_ciphers
+                self.server_auth_type = server_auth_type
+                self.client_transport = client_transport
                 self.client_cert_file = client_cert_file
                 self.client_key_file = client_key_file
                 self.client_ca_file = client_ca_file
                 self.client_ciphers = client_ciphers
+                self.client_auth_type = client_auth_type
 
         # Requirements from Tarantool Enterprise Edition manual:
         # https://www.tarantool.io/en/enterprise_doc/security/#configuration
@@ -239,6 +249,35 @@ def __init__(self,
                 client_cert_file=self.cert_file,
                 client_ca_file=self.ca_file,
                 client_ciphers="TLS_AES_128_GCM_SHA256"),
+            SslTestCase(
+                name="pap-sha256_auth_no_ssl",
+                ok=False,
+                expected_error=tarantool.error.ConfigurationError,
+                client_auth_type=AUTH_TYPE_PAP_SHA256,
+                client_transport=DEFAULT_TRANSPORT),
+            SslTestCase(
+                name="pap-sha256_auth_client_mismatch",
+                ok=True,
+                expected_error=tarantool.error.DatabaseError,
+                client_auth_type=AUTH_TYPE_CHAP_SHA1,
+                server_key_file=self.key_file,
+                server_cert_file=self.cert_file,
+                server_auth_type=AUTH_TYPE_PAP_SHA256),
+            SslTestCase(
+                name="pap-sha256_auth_server_mismatch",
+                ok=True,
+                expected_error=tarantool.error.DatabaseError,
+                client_auth_type=AUTH_TYPE_PAP_SHA256,
+                server_key_file=self.key_file,
+                server_cert_file=self.cert_file,
+                server_auth_type=AUTH_TYPE_CHAP_SHA1),
+            SslTestCase(
+                name="pap-sha256_auth",
+                ok=True,
+                client_auth_type=AUTH_TYPE_PAP_SHA256,
+                server_key_file=self.key_file,
+                server_cert_file=self.cert_file,
+                server_auth_type=AUTH_TYPE_PAP_SHA256),
         ]
         for t in testcases:
             with self.subTest(msg=t.name):
@@ -250,7 +289,8 @@ def __init__(self,
                         ssl_key_file=t.server_key_file,
                         ssl_cert_file=t.server_cert_file,
                         ssl_ca_file=t.server_ca_file,
-                        ssl_ciphers=t.server_ciphers)
+                        ssl_ciphers=t.server_ciphers,
+                        auth_type=t.server_auth_type)
                     srv.script = 'test/suites/box.lua'
                     srv.start()
                     srv.admin("box.schema.create_space('space_1')")
@@ -271,18 +311,19 @@ def __init__(self,
                         srv.host, srv.args['primary'],
                         user="test",
                         password="test",
-                        transport="ssl",
+                        transport=t.client_transport,
                         ssl_key_file=t.client_key_file,
                         ssl_cert_file=t.client_cert_file,
                         ssl_ca_file=t.client_ca_file,
                         ssl_ciphers=t.client_ciphers,
+                        auth_type=t.client_auth_type,
                         connection_timeout=0.5,
                         socket_timeout=0.5)
 
                     self.assertEqual(con.insert('space_1', [1])[0], [1])
                     self.assertEqual(len(con.select('space_1')), 1)
                     self.assertTrue(t.ok)
-                except tarantool.error.SslError:
+                except t.expected_error:
                     self.assertFalse(t.ok)
                 finally:
                     self.stop_srv(srv)
@@ -375,3 +416,14 @@ def test_mesh(self):
                     servers[i].stop()
         finally:
             self.stop_mesh(con)
+
+    def test_sha_256_client_setting():
+        srv = TarantoolServer(
+            transport=t.server_transport,
+            ssl_key_file=t.server_key_file,
+            ssl_cert_file=t.server_cert_file,
+            ssl_ca_file=t.server_ca_file,
+            ssl_ciphers=t.server_ciphers,
+            auth_type="pap-sha256")
+        srv.script = 'test/suites/box.lua'
+        srv.start()