MySQL 连接器/NET 开发人员指南  / 第 5 章连接器/NET 编程  /  5.8 编写自定义身份验证插件

5.8 编写自定义身份验证插件

具有特殊安全要求的高级用户可以为 MySQL Connector/NET 应用程序创建自己的身份验证插件。您可以扩展握手协议,添加自定义逻辑。有关 MySQL 身份验证插件的背景和使用信息,请参阅 身份验证插件编写身份验证插件

要编写自定义身份验证插件,您需要引用程序集MySql.Data.dll。命名空间中提供了与编写身份验证插件相关的类 MySql.Data.MySqlClient.Authentication

自定义身份验证插件的工作原理

在握手期间的某个时刻,内部方法

void Authenticate(bool reset)

MySqlAuthenticationPlugin被称为。该方法依次调用当前插件的几个可覆盖方法。

创建身份验证插件类

您将身份验证插件逻辑放在派生自 MySql.Data.MySqlClient.Authentication.MySqlAuthenticationPlugin. 以下方法可被覆盖:

protected virtual void CheckConstraints()
protected virtual void AuthenticationFailed(Exception ex)
protected virtual void AuthenticationSuccessful()
protected virtual byte[] MoreData(byte[] data)
protected virtual void AuthenticationChange()
public abstract string PluginName { get; }
public virtual string GetUsername()
public virtual object GetPassword()
protected byte[] AuthData;

以下是对每一项的简要说明:

/// <summary>
/// This method must check authentication method specific constraints in the
environment and throw an Exception
/// if the conditions are not met. The default implementation does nothing.
/// </summary>
protected virtual void CheckConstraints()

/// <summary>
/// This method, called when the authentication failed, provides a chance to
plugins to manage the error
/// the way they consider decide (either showing a message, logging it, etc.).
/// The default implementation wraps the original exception in a MySqlException
with an standard message and rethrows it.
/// </summary>
/// <param name="ex">The exception with extra information on the error.</param>
protected virtual void AuthenticationFailed(Exception ex)

/// <summary>
/// This method is invoked when the authentication phase was successful accepted
by the server.
/// Derived classes must override this if they want to be notified of such
condition.
/// </summary>
/// <remarks>The default implementation does nothing.</remarks>
protected virtual void AuthenticationSuccessful()

/// <summary>
/// This method provides a chance for the plugin to send more data when the
server requests so during the
/// authentication phase. This method will be called at least once, and more
than one depending upon whether the
/// server response packets have the 0x01 prefix.
/// </summary>
/// <param name="data">The response data from the server, during the
authentication phase the first time is called is null, in
subsequent calls contains the server response.</param>
/// <returns>The data generated by the plugin for server consumption.</returns>
/// <remarks>The default implementation always returns null.</remarks>
protected virtual byte[] MoreData(byte[] data)

/// <summary>
/// The plugin name.
/// </summary>
public abstract string PluginName { get; }

/// <summary>
/// Gets the user name to send to the server in the authentication phase.
/// </summary>
/// <returns>An string with the user name</returns>
/// <remarks>Default implementation returns the UserId passed from the
connection string.</remarks>
public virtual string GetUsername()

/// <summary>
/// Gets the password to send to the server in the authentication phase. This
can be a string or a
/// </summary>
/// <returns>An object, can be byte[], string or null, with the password.
</returns>
/// <remarks>Default implementation returns null.</remarks>
public virtual object GetPassword()

/// <summary>
/// The authentication data passed when creating the plugin.
/// For example in mysql_native_password this is the seed to encrypt the
password.
/// </summary>
protected byte[] AuthData;

身份验证插件示例

此示例显示如何创建身份验证插件,然后通过配置文件启用它。

  1. 创建一个控制台应用程序,添加对 MySql.Data.dll.

  2. 设计主C#程序如下:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using MySql.Data.MySqlClient;
    
    namespace AuthPluginTest
    {
      class Program
      {
        static void Main(string[] args)
        {
          // Customize the connection string as necessary.
          MySqlConnection con = new MySqlConnection("server=localhost;
          database=test; user id=myuser; password=mypass");
          con.Open();
          con.Close();
        }
      }
    }
  3. 创建你的插件类。在此示例中,我们通过使用与原始插件相同的代码来添加本机密码插件的 替代实现。我们命名我们的班级 MySqlNativePasswordPlugin2

    using System.IO;
    using System;
    using System.Text;
    using System.Security.Cryptography;
    using MySql.Data.MySqlClient.Authentication;
    using System.Diagnostics;
    
    namespace AuthPluginTest
    {
      public class MySqlNativePasswordPlugin2 : MySqlAuthenticationPlugin
      {
        public override string PluginName
        {
          get { return "mysql_native_password"; }
        }
    
        public override object GetPassword()
        {
          Debug.WriteLine("Calling MySqlNativePasswordPlugin2.GetPassword");
          return Get411Password(Settings.Password, AuthData);
        }
    
        /// <summary>
        /// Returns a byte array containing the proper encryption of the
        /// given password/seed according to the new 4.1.1 authentication scheme.
        /// </summary>
        /// <param name="password"></param>
        /// <param name="seed"></param>
        /// <returns></returns>
        private byte[] Get411Password(string password, byte[] seedBytes)
        {
          // if we have no password, then we just return 1 zero byte
          if (password.Length == 0) return new byte[1];
    
          SHA1 sha = new SHA1CryptoServiceProvider();
    
          byte[] firstHash = sha.ComputeHash(Encoding.Default.GetBytes(password));
          byte[] secondHash = sha.ComputeHash(firstHash);
    
          byte[] input = new byte[seedBytes.Length + secondHash.Length];
          Array.Copy(seedBytes, 0, input, 0, seedBytes.Length);
          Array.Copy(secondHash, 0, input, seedBytes.Length, secondHash.Length);
          byte[] thirdHash = sha.ComputeHash(input);
    
          byte[] finalHash = new byte[thirdHash.Length + 1];
          finalHash[0] = 0x14;
          Array.Copy(thirdHash, 0, finalHash, 1, thirdHash.Length);
    
          for (int i = 1; i < finalHash.Length; i++)
            finalHash[i] = (byte)(finalHash[i] ^ firstHash[i - 1]);
          return finalHash;
        }
      }
    }

    请注意,插件实现只是覆盖 GetPassword, 并提供了使用 4.1 协议加密密码的实现。在正文中添加以下行GetPassword以确认插件已被有效使用。

    Debug.WriteLine("Calling MySqlNativePasswordPlugin2.GetPassword");
    小费

    您也可以在该方法上放置一个断点。

  4. 在配置文件中启用新插件:

    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <section name="MySQL" type="MySql.Data.MySqlClient.MySqlConfiguration,
    MySql.Data"/>
      </configSections>
      <MySQL>
        <AuthenticationPlugins>
          <add name="mysql_native_password"
    type="AuthPluginTest.MySqlNativePasswordPlugin2, AuthPluginTest"></add>
        </AuthenticationPlugins>  
      </MySQL>
    <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    </startup></configuration>
  5. 运行应用程序。在 Visual Studio 中,您将Calling MySqlNativePasswordPlugin2.GetPassword在调试窗口中看到该消息。

继续增强身份验证逻辑,如果需要,覆盖更多方法。