Auth: migrate hash string to be directly compatible with pg/pgbouncer

When I originally wrote auth I used a postgres inspired string format to
store the hashes, but didn't index on making it 1:1 compatible since we
had originally decided not to surface the hash to the user... That
didn't last.

Notion (and perhaps others) want to be able to use pgbouncer. It would
be easy enough to give instructions/a script to make the existing hash
format into the one pgbouncer wants in its config file but... we could
just not do that.

Author: DAlperin

misc/python/materialize/checks/all_checks/roles.py

@@ -139,6 +139,8 @@ def manipulate(self) -> list[Testdrive]:
                     # Test connection with correct password
                     $ postgres-connect name=user1_conn url=postgres://auth_user1:password1@${testdrive.materialize-password-sql-addr}
 
+                    $ postgres-connect name=user1_conn_sasl url=postgres://auth_user1:password1@${testdrive.materialize-sasl-sql-addr}
+
                     $ postgres-execute connection=user1_conn
                     CREATE TABLE auth_test_table1 (id INT, data TEXT);
                     INSERT INTO auth_test_table1 VALUES (1, 'test from user1');
@@ -155,12 +157,16 @@ def manipulate(self) -> list[Testdrive]:
                     # Test connection with user2
                     $ postgres-connect name=user2_conn url=postgres://auth_user2:password2@${testdrive.materialize-password-sql-addr}
 
+                    $ postgres-connect name=user2_conn_sasl url=postgres://auth_user2:password2@${testdrive.materialize-sasl-sql-addr}
+
                     $ postgres-execute connection=user2_conn
                     SELECT * FROM auth_test_table1;
 
                     # Test connection with user3
                     $ postgres-connect name=user3_conn url=postgres://auth_user3:password3@${testdrive.materialize-password-sql-addr}
 
+                    $ postgres-connect name=user3_conn_sasl url=postgres://auth_user3:password3@${testdrive.materialize-sasl-sql-addr}
+
                     $ postgres-execute connection=user3_conn
                     SELECT 1;
 
@@ -188,6 +194,8 @@ def validate(self) -> Testdrive:
                 # Test connection with user2
                 $ postgres-connect name=user2_conn url=postgres://auth_user2:password2@${testdrive.materialize-password-sql-addr}
 
+                $ postgres-connect name=user2_conn_sasl url=postgres://auth_user2:password2@${testdrive.materialize-sasl-sql-addr}
+
                 > SELECT * FROM auth_test_table1 ORDER BY id;
                 1 "test from user1"
                 """

misc/python/materialize/mzcompose/composition.py

@@ -1469,6 +1469,8 @@ def testdrive(
                 f"--materialize-url=postgres://materialize@{mz_service}:6875",
                 f"--materialize-internal-url=postgres://mz_system@{mz_service}:6877",
                 f"--persist-consensus-url=postgres://root@{mz_service}:26257?options=--search_path=consensus",
+                f"--materialize-password-sql-url=postgres://materialize@{mz_service}:6885",
+                f"--materialize-sasl-sql-url=postgres://materialize@{mz_service}:6895",
             ]
 
         if not self.is_running(service):

misc/python/materialize/mzcompose/services/testdrive.py

@@ -119,9 +119,7 @@ def __init__(
                 f"--materialize-password-sql-url={materialize_password_sql_url}"
             )
         if materialize_sasl_sql_url:
-            entrypoint.append(
-                f"--materialize-sasl-sql-url={materialize_sasl_sql_url}"
-            )
+            entrypoint.append(f"--materialize-sasl-sql-url={materialize_sasl_sql_url}")
 
         if aws_region:
             entrypoint.append(f"--aws-region={aws_region}")

misc/shlib/shlib.bash

@@ -268,6 +268,12 @@ trufflehog_jq_filter_common() {
       .Raw != "postgresql://materialize:[email protected]:5432" and
       .Raw != "d3aa325086974cdfb3912f28e5a8c168" and
       .Raw != "jdbc:postgresql://postgres:5432/postgres" and
+      .Raw != "postgres://auth_user1:password1@materialized:6885" and
+      .Raw != "postgres://auth_user2:password2@materialized:6885" and
+      .Raw != "postgres://auth_user3:password3@materialized:6885" and
+      .Raw != "postgres://auth_user1:password1@materialized:6895" and
+      .Raw != "postgres://auth_user2:password2@materialized:6895" and
+      .Raw != "postgres://auth_user3:password3@materialized:6895" and
       .Raw != "RPSsql12345" and
       .Raw != "RPSsql1234" and
       .Raw != "RPSsql123" and

src/auth/src/hash.rs

@@ -114,7 +114,7 @@ pub fn hash_password_with_opts(
 
 /// Hashes a password using PBKDF2 with SHA256,
 /// and returns it in the SCRAM-SHA-256 format.
-/// The format is SCRAM-SHA-256$<iterations>:<salt>$<client_key>:<server_key>
+/// The format is SCRAM-SHA-256$<iterations>:<salt>$<stored_key>:<server_key>
 pub fn scram256_hash(password: &Password) -> Result<String, HashError> {
     let hashed_password = hash_password(password)?;
     Ok(scram256_hash_inner(hashed_password).to_string())
@@ -144,7 +144,7 @@ pub fn sasl_verify(
     proof: &str,
     auth_message: &str,
 ) -> Result<String, VerifyError> {
-    // Parse SCRAM hash: SCRAM-SHA-256$<iterations>:<salt>$<client_key>:<server_key>
+    // Parse SCRAM hash: SCRAM-SHA-256$<iterations>:<salt>$<stored_key>:<server_key>
     let parts: Vec<&str> = hashed_password.split('$').collect();
     if parts.len() != 3 {
         return Err(VerifyError::MalformedHash);
@@ -158,39 +158,35 @@ pub fn sasl_verify(
         return Err(VerifyError::MalformedHash);
     }
 
-    let client_key = BASE64_STANDARD
+    let stored_key = BASE64_STANDARD
         .decode(auth_value[0])
         .map_err(|_| VerifyError::MalformedHash)?;
     let server_key = BASE64_STANDARD
         .decode(auth_value[1])
         .map_err(|_| VerifyError::MalformedHash)?;
 
-    // Compute stored key
-    let stored_key = openssl::sha::sha256(&client_key);
-
     // Compute client signature: HMAC(stored_key, auth_message)
     let client_signature = generate_signature(&stored_key, auth_message)?;
 
-    // Compute expected client proof: client_key XOR client_signature
-    let expected_client_proof: Vec<u8> = client_key
-        .iter()
-        .zip_eq(client_signature.iter())
-        .map(|(a, b)| a ^ b)
-        .collect();
-
     // Decode provided proof
     let provided_client_proof = BASE64_STANDARD
         .decode(proof)
         .map_err(|_| VerifyError::InvalidPassword)?;
 
-    if constant_time_compare(&expected_client_proof, &provided_client_proof) {
-        // Compute server verifier: HMAC(server_key, auth_message)
-        let verifier = generate_signature(&server_key, auth_message)?;
-        let verifier = BASE64_STANDARD.encode(&verifier);
-        Ok(verifier)
-    } else {
-        Err(VerifyError::InvalidPassword)
+    // Recover client_key = proof XOR client_signature
+    let client_key: Vec<u8> = provided_client_proof
+        .iter()
+        .zip_eq(client_signature.iter())
+        .map(|(p, s)| p ^ s)
+        .collect();
+
+    if !constant_time_compare(&openssl::sha::sha256(&client_key), &stored_key) {
+        return Err(VerifyError::InvalidPassword);
     }
+
+    // Compute server verifier: HMAC(server_key, auth_message)
+    let verifier = generate_signature(&server_key, auth_message)?;
+    Ok(BASE64_STANDARD.encode(&verifier))
 }
 
 fn generate_signature(key: &[u8], message: &str) -> Result<Vec<u8>, VerifyError> {
@@ -267,7 +263,8 @@ struct ScramSha256Hash {
     /// The server key
     server_key: [u8; SHA256_OUTPUT_LEN],
     /// The client key
-    client_key: [u8; SHA256_OUTPUT_LEN],
+    // client_key: [u8; SHA256_OUTPUT_LEN],
+    stored_key: [u8; SHA256_OUTPUT_LEN],
 }
 
 impl Display for ScramSha256Hash {
@@ -277,7 +274,7 @@ impl Display for ScramSha256Hash {
             "SCRAM-SHA-256${}:{}${}:{}",
             self.iterations,
             BASE64_STANDARD.encode(&self.salt),
-            BASE64_STANDARD.encode(&self.client_key),
+            BASE64_STANDARD.encode(&self.stored_key),
             BASE64_STANDARD.encode(&self.server_key)
         )
     }
@@ -289,16 +286,18 @@ fn scram256_hash_inner(hashed_password: PasswordHash) -> ScramSha256Hash {
         openssl::sign::Signer::new(openssl::hash::MessageDigest::sha256(), &signing_key).unwrap();
     signer.update(b"Client Key").unwrap();
     let client_key = signer.sign_to_vec().unwrap();
+    let stored_key = openssl::sha::sha256(&client_key);
     let mut signer =
         openssl::sign::Signer::new(openssl::hash::MessageDigest::sha256(), &signing_key).unwrap();
     signer.update(b"Server Key").unwrap();
-    let server_key = signer.sign_to_vec().unwrap();
+    let mut server_key: [u8; SHA256_OUTPUT_LEN] = [0; SHA256_OUTPUT_LEN];
+    signer.sign(server_key.as_mut()).unwrap();
 
     ScramSha256Hash {
         iterations: hashed_password.iterations,
         salt: hashed_password.salt,
-        server_key: server_key.try_into().unwrap(),
-        client_key: client_key.try_into().unwrap(),
+        server_key,
+        stored_key,
     }
 }
 
@@ -378,29 +377,41 @@ mod tests {
         let auth_message = "n=user,r=clientnonce,s=somesalt"; // arbitrary auth message
 
         // Parse client_key and server_key from the SCRAM hash
-        // Format: SCRAM-SHA-256$<iterations>:<salt>$<client_key>:<server_key>
+        // Format: SCRAM-SHA-256$<iterations>:<salt>$<stored_key>:<server_key>
         let parts: Vec<&str> = hashed_password.split('$').collect();
         assert_eq!(parts.len(), 3);
         let key_parts: Vec<&str> = parts[2].split(':').collect();
         assert_eq!(key_parts.len(), 2);
-        let client_key = BASE64_STANDARD
+        let stored_key = BASE64_STANDARD
             .decode(key_parts[0])
             .expect("decode client key");
         let server_key = BASE64_STANDARD
             .decode(key_parts[1])
             .expect("decode server key");
 
-        // stored_key = SHA256(client_key)
-        let stored_key = openssl::sha::sha256(&client_key);
-        // client_signature = HMAC(stored_key, auth_message)
-        let client_signature =
-            generate_signature(&stored_key, auth_message).expect("client signature");
-        // client_proof = client_key XOR client_signature
-        let client_proof: Vec<u8> = client_key
-            .iter()
-            .zip_eq(client_signature.iter())
-            .map(|(a, b)| a ^ b)
-            .collect();
+        // Simulate client generating a proof
+        let client_proof: Vec<u8> = {
+            // client_key = HMAC(salted_password, "Client Key")
+            let opts = scram256_parse_opts(&hashed_password).expect("parse opts");
+            let salted_password = hash_password_with_opts(&opts, &password)
+                .expect("hash password")
+                .hash;
+            let signing_key = openssl::pkey::PKey::hmac(&salted_password).expect("signing key");
+            let mut signer =
+                openssl::sign::Signer::new(openssl::hash::MessageDigest::sha256(), &signing_key)
+                    .expect("signer");
+            signer.update(b"Client Key").expect("update");
+            let client_key = signer.sign_to_vec().expect("client key");
+            // client_proof = client_key XOR client_signature
+            let client_signature =
+                generate_signature(&stored_key, auth_message).expect("client signature");
+            client_key
+                .iter()
+                .zip_eq(client_signature.iter())
+                .map(|(c, s)| c ^ s)
+                .collect::<Vec<u8>>()
+        };
+
         let client_proof_b64 = BASE64_STANDARD.encode(&client_proof);
 
         let verifier = sasl_verify(&hashed_password, &client_proof_b64, auth_message)

src/catalog-protos/src/lib.rs

@@ -24,7 +24,7 @@ pub mod serialization;
 /// We will initialize new `Catalog`s with this version, and migrate existing `Catalog`s to this
 /// version. Whenever the `Catalog` changes, e.g. the protobufs we serialize in the `Catalog`
 /// change, we need to bump this version.
-pub const CATALOG_VERSION: u64 = 77;
+pub const CATALOG_VERSION: u64 = 78;
 
 /// The minimum `Catalog` version number that we support migrating from.
 ///

src/catalog/src/durable/upgrade.rs

@@ -210,6 +210,7 @@ mod v73_to_v74;
 mod v74_to_v75;
 mod v75_to_v76;
 mod v76_to_v77;
+mod v77_to_v78;
 
 /// Describes a single action to take during a migration from `V1` to `V2`.
 #[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
@@ -382,6 +383,15 @@ async fn run_upgrade(
             )
             .await
         }
+        77 => {
+            run_versioned_upgrade(
+                unopened_catalog_state,
+                version,
+                commit_ts,
+                v77_to_v78::upgrade,
+            )
+            .await
+        }
 
         // Up-to-date, no migration needed!
         CATALOG_VERSION => Ok((CATALOG_VERSION, commit_ts)),

src/catalog/src/durable/upgrade/v77_to_v78.rs

@@ -0,0 +1,85 @@
+// Copyright Materialize, Inc. and contributors. All rights reserved.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0.
+
+use crate::durable::upgrade::MigrationAction;
+use crate::durable::upgrade::objects_v77 as v77;
+use base64::prelude::*;
+use mz_ore::now::SYSTEM_TIME;
+
+// Old: SCRAM-SHA-256$<iters>:<salt>$<client_key>:<server_key>
+// New: SCRAM-SHA-256$<iters>:<salt>$<stored_key>:<server_key>, where stored_key = SHA256(client_key)
+fn migrate_scram_client_to_stored(hash_old: &str) -> Option<String> {
+    let parts: Vec<&str> = hash_old.split('$').collect();
+    if parts.len() != 3 || parts[0] != "SCRAM-SHA-256" {
+        return None;
+    }
+    let iters_salt = parts[1];
+    let key_parts: Vec<&str> = parts[2].split(':').collect();
+    if key_parts.len() != 2 {
+        return None;
+    }
+    let first_key_b64 = key_parts[0];
+    let server_key_b64 = key_parts[1];
+
+    let Ok(first_key) = BASE64_STANDARD.decode(first_key_b64) else {
+        return None;
+    };
+    if first_key.len() != 32 {
+        return None;
+    }
+
+    let stored_key = openssl::sha::sha256(&first_key);
+    let stored_key_b64 = BASE64_STANDARD.encode(stored_key);
+
+    Some(format!(
+        "SCRAM-SHA-256${}${}:{}",
+        iters_salt, stored_key_b64, server_key_b64
+    ))
+}
+
+pub fn upgrade(
+    snapshot: Vec<v77::StateUpdateKind>,
+) -> Vec<MigrationAction<v77::StateUpdateKind, v77::StateUpdateKind>> {
+    let mut migrations = Vec::new();
+    for update in snapshot {
+        match update.kind {
+            Some(v77::state_update_kind::Kind::RoleAuth(old_role_auth)) => {
+                let Some(ref value) = old_role_auth.value else {
+                    continue;
+                };
+                let Some(ref hashed_password) = value.password_hash else {
+                    continue;
+                };
+                let Some(new_hash) = migrate_scram_client_to_stored(hashed_password) else {
+                    continue;
+                };
+
+                let new_role_auth = v77::state_update_kind::RoleAuth {
+                    key: old_role_auth.key.clone(),
+                    value: Some(v77::RoleAuthValue {
+                        password_hash: Some(new_hash),
+                        updated_at: Some(v77::EpochMillis {
+                            millis: SYSTEM_TIME(),
+                        }),
+                    }),
+                };
+                let old_role_auth = v77::StateUpdateKind {
+                    kind: Some(v77::state_update_kind::Kind::RoleAuth(old_role_auth)),
+                };
+                let new_role_auth = v77::StateUpdateKind {
+                    kind: Some(v77::state_update_kind::Kind::RoleAuth(new_role_auth)),
+                };
+                let migration = MigrationAction::Update(old_role_auth, new_role_auth);
+                migrations.push(migration);
+            }
+            _ => {}
+        }
+    }
+    migrations
+}

src/materialized/ci/listener_configs/mixed_auth.json

@@ -12,6 +12,12 @@
       "allowed_roles": "Normal",
       "enable_tls": false
     },
+    "external_sasl": {
+      "addr": "0.0.0.0:6895",
+      "authenticator_kind": "Sasl",
+      "allowed_roles": "Normal",
+      "enable_tls": false
+    },
     "internal": {
       "addr": "0.0.0.0:6877",
       "authenticator_kind": "None",