mirror of
https://github.com/go-gitea/gitea
synced 2025-11-03 21:08:25 +00:00
792b4dba2c
* update github.com/blevesearch/bleve v2.0.2 -> v2.0.3 * github.com/denisenkom/go-mssqldb v0.9.0 -> v0.10.0 * github.com/editorconfig/editorconfig-core-go v2.4.1 -> v2.4.2 * github.com/go-chi/cors v1.1.1 -> v1.2.0 * github.com/go-git/go-billy v5.0.0 -> v5.1.0 * github.com/go-git/go-git v5.2.0 -> v5.3.0 * github.com/go-ldap/ldap v3.2.4 -> v3.3.0 * github.com/go-redis/redis v8.6.0 -> v8.8.2 * github.com/go-sql-driver/mysql v1.5.0 -> v1.6.0 * github.com/go-swagger/go-swagger v0.26.1 -> v0.27.0 * github.com/lib/pq v1.9.0 -> v1.10.1 * github.com/mattn/go-sqlite3 v1.14.6 -> v1.14.7 * github.com/go-testfixtures/testfixtures v3.5.0 -> v3.6.0 * github.com/issue9/identicon v1.0.1 -> v1.2.0 * github.com/klauspost/compress v1.11.8 -> v1.12.1 * github.com/mgechev/revive v1.0.3 -> v1.0.6 * github.com/microcosm-cc/bluemonday v1.0.7 -> v1.0.8 * github.com/niklasfasching/go-org v1.4.0 -> v1.5.0 * github.com/olivere/elastic v7.0.22 -> v7.0.24 * github.com/pelletier/go-toml v1.8.1 -> v1.9.0 * github.com/prometheus/client_golang v1.9.0 -> v1.10.0 * github.com/xanzy/go-gitlab v0.44.0 -> v0.48.0 * github.com/yuin/goldmark v1.3.3 -> v1.3.5 * github.com/6543/go-version v1.2.4 -> v1.3.1 * do github.com/lib/pq v1.10.0 -> v1.10.1 again ...
1233 lines
31 KiB
Go
Vendored
1233 lines
31 KiB
Go
Vendored
package mssql
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/binary"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"unicode/utf16"
|
|
"unicode/utf8"
|
|
)
|
|
|
|
func parseInstances(msg []byte) map[string]map[string]string {
|
|
results := map[string]map[string]string{}
|
|
if len(msg) > 3 && msg[0] == 5 {
|
|
out_s := string(msg[3:])
|
|
tokens := strings.Split(out_s, ";")
|
|
instdict := map[string]string{}
|
|
got_name := false
|
|
var name string
|
|
for _, token := range tokens {
|
|
if got_name {
|
|
instdict[name] = token
|
|
got_name = false
|
|
} else {
|
|
name = token
|
|
if len(name) == 0 {
|
|
if len(instdict) == 0 {
|
|
break
|
|
}
|
|
results[strings.ToUpper(instdict["InstanceName"])] = instdict
|
|
instdict = map[string]string{}
|
|
continue
|
|
}
|
|
got_name = true
|
|
}
|
|
}
|
|
}
|
|
return results
|
|
}
|
|
|
|
func getInstances(ctx context.Context, d Dialer, address string) (map[string]map[string]string, error) {
|
|
conn, err := d.DialContext(ctx, "udp", address+":1434")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer conn.Close()
|
|
deadline, _ := ctx.Deadline()
|
|
conn.SetDeadline(deadline)
|
|
_, err = conn.Write([]byte{3})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var resp = make([]byte, 16*1024-1)
|
|
read, err := conn.Read(resp)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return parseInstances(resp[:read]), nil
|
|
}
|
|
|
|
// tds versions
|
|
const (
|
|
verTDS70 = 0x70000000
|
|
verTDS71 = 0x71000000
|
|
verTDS71rev1 = 0x71000001
|
|
verTDS72 = 0x72090002
|
|
verTDS73A = 0x730A0003
|
|
verTDS73 = verTDS73A
|
|
verTDS73B = 0x730B0003
|
|
verTDS74 = 0x74000004
|
|
)
|
|
|
|
// packet types
|
|
// https://msdn.microsoft.com/en-us/library/dd304214.aspx
|
|
const (
|
|
packSQLBatch packetType = 1
|
|
packRPCRequest packetType = 3
|
|
packReply packetType = 4
|
|
|
|
// 2.2.1.7 Attention: https://msdn.microsoft.com/en-us/library/dd341449.aspx
|
|
// 4.19.2 Out-of-Band Attention Signal: https://msdn.microsoft.com/en-us/library/dd305167.aspx
|
|
packAttention packetType = 6
|
|
|
|
packBulkLoadBCP packetType = 7
|
|
packFedAuthToken packetType = 8
|
|
packTransMgrReq packetType = 14
|
|
packNormal packetType = 15
|
|
packLogin7 packetType = 16
|
|
packSSPIMessage packetType = 17
|
|
packPrelogin packetType = 18
|
|
)
|
|
|
|
// prelogin fields
|
|
// http://msdn.microsoft.com/en-us/library/dd357559.aspx
|
|
const (
|
|
preloginVERSION = 0
|
|
preloginENCRYPTION = 1
|
|
preloginINSTOPT = 2
|
|
preloginTHREADID = 3
|
|
preloginMARS = 4
|
|
preloginTRACEID = 5
|
|
preloginFEDAUTHREQUIRED = 6
|
|
preloginNONCEOPT = 7
|
|
preloginTERMINATOR = 0xff
|
|
)
|
|
|
|
const (
|
|
encryptOff = 0 // Encryption is available but off.
|
|
encryptOn = 1 // Encryption is available and on.
|
|
encryptNotSup = 2 // Encryption is not available.
|
|
encryptReq = 3 // Encryption is required.
|
|
)
|
|
|
|
const (
|
|
featExtSESSIONRECOVERY byte = 0x01
|
|
featExtFEDAUTH byte = 0x02
|
|
featExtCOLUMNENCRYPTION byte = 0x04
|
|
featExtGLOBALTRANSACTIONS byte = 0x05
|
|
featExtAZURESQLSUPPORT byte = 0x08
|
|
featExtDATACLASSIFICATION byte = 0x09
|
|
featExtUTF8SUPPORT byte = 0x0A
|
|
featExtTERMINATOR byte = 0xFF
|
|
)
|
|
|
|
type tdsSession struct {
|
|
buf *tdsBuffer
|
|
loginAck loginAckStruct
|
|
database string
|
|
partner string
|
|
columns []columnStruct
|
|
tranid uint64
|
|
logFlags uint64
|
|
log optionalLogger
|
|
routedServer string
|
|
routedPort uint16
|
|
returnStatus *ReturnStatus
|
|
}
|
|
|
|
const (
|
|
logErrors = 1
|
|
logMessages = 2
|
|
logRows = 4
|
|
logSQL = 8
|
|
logParams = 16
|
|
logTransaction = 32
|
|
logDebug = 64
|
|
)
|
|
|
|
type columnStruct struct {
|
|
UserType uint32
|
|
Flags uint16
|
|
ColName string
|
|
ti typeInfo
|
|
}
|
|
|
|
type keySlice []uint8
|
|
|
|
func (p keySlice) Len() int { return len(p) }
|
|
func (p keySlice) Less(i, j int) bool { return p[i] < p[j] }
|
|
func (p keySlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
|
|
|
|
// http://msdn.microsoft.com/en-us/library/dd357559.aspx
|
|
func writePrelogin(packetType packetType, w *tdsBuffer, fields map[uint8][]byte) error {
|
|
var err error
|
|
|
|
w.BeginPacket(packetType, false)
|
|
offset := uint16(5*len(fields) + 1)
|
|
keys := make(keySlice, 0, len(fields))
|
|
for k := range fields {
|
|
keys = append(keys, k)
|
|
}
|
|
sort.Sort(keys)
|
|
// writing header
|
|
for _, k := range keys {
|
|
err = w.WriteByte(k)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = binary.Write(w, binary.BigEndian, offset)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
v := fields[k]
|
|
size := uint16(len(v))
|
|
err = binary.Write(w, binary.BigEndian, size)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
offset += size
|
|
}
|
|
err = w.WriteByte(preloginTERMINATOR)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// writing values
|
|
for _, k := range keys {
|
|
v := fields[k]
|
|
written, err := w.Write(v)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if written != len(v) {
|
|
return errors.New("Write method didn't write the whole value")
|
|
}
|
|
}
|
|
return w.FinishPacket()
|
|
}
|
|
|
|
func readPrelogin(r *tdsBuffer) (map[uint8][]byte, error) {
|
|
packet_type, err := r.BeginRead()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
struct_buf, err := ioutil.ReadAll(r)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if packet_type != packReply {
|
|
return nil, errors.New("invalid respones, expected packet type 4, PRELOGIN RESPONSE")
|
|
}
|
|
if len(struct_buf) == 0 {
|
|
return nil, errors.New("invalid empty PRELOGIN response, it must contain at least one byte")
|
|
}
|
|
offset := 0
|
|
results := map[uint8][]byte{}
|
|
for {
|
|
rec_type := struct_buf[offset]
|
|
if rec_type == preloginTERMINATOR {
|
|
break
|
|
}
|
|
|
|
rec_offset := binary.BigEndian.Uint16(struct_buf[offset+1:])
|
|
rec_len := binary.BigEndian.Uint16(struct_buf[offset+3:])
|
|
value := struct_buf[rec_offset : rec_offset+rec_len]
|
|
results[rec_type] = value
|
|
offset += 5
|
|
}
|
|
return results, nil
|
|
}
|
|
|
|
// OptionFlags2
|
|
// http://msdn.microsoft.com/en-us/library/dd304019.aspx
|
|
const (
|
|
fLanguageFatal = 1
|
|
fODBC = 2
|
|
fTransBoundary = 4
|
|
fCacheConnect = 8
|
|
fIntSecurity = 0x80
|
|
)
|
|
|
|
// OptionFlags3
|
|
// http://msdn.microsoft.com/en-us/library/dd304019.aspx
|
|
const (
|
|
fChangePassword = 1
|
|
fSendYukonBinaryXML = 2
|
|
fUserInstance = 4
|
|
fUnknownCollationHandling = 8
|
|
fExtension = 0x10
|
|
)
|
|
|
|
// TypeFlags
|
|
const (
|
|
// 4 bits for fSQLType
|
|
// 1 bit for fOLEDB
|
|
fReadOnlyIntent = 32
|
|
)
|
|
|
|
type login struct {
|
|
TDSVersion uint32
|
|
PacketSize uint32
|
|
ClientProgVer uint32
|
|
ClientPID uint32
|
|
ConnectionID uint32
|
|
OptionFlags1 uint8
|
|
OptionFlags2 uint8
|
|
TypeFlags uint8
|
|
OptionFlags3 uint8
|
|
ClientTimeZone int32
|
|
ClientLCID uint32
|
|
HostName string
|
|
UserName string
|
|
Password string
|
|
AppName string
|
|
ServerName string
|
|
CtlIntName string
|
|
Language string
|
|
Database string
|
|
ClientID [6]byte
|
|
SSPI []byte
|
|
AtchDBFile string
|
|
ChangePassword string
|
|
FeatureExt featureExts
|
|
}
|
|
|
|
type featureExts struct {
|
|
features map[byte]featureExt
|
|
}
|
|
|
|
type featureExt interface {
|
|
featureID() byte
|
|
toBytes() []byte
|
|
}
|
|
|
|
func (e *featureExts) Add(f featureExt) error {
|
|
if f == nil {
|
|
return nil
|
|
}
|
|
id := f.featureID()
|
|
if _, exists := e.features[id]; exists {
|
|
f := "login error: Feature with ID '%v' is already present in FeatureExt block"
|
|
return fmt.Errorf(f, id)
|
|
}
|
|
if e.features == nil {
|
|
e.features = make(map[byte]featureExt)
|
|
}
|
|
e.features[id] = f
|
|
return nil
|
|
}
|
|
|
|
func (e featureExts) toBytes() []byte {
|
|
if len(e.features) == 0 {
|
|
return nil
|
|
}
|
|
var d []byte
|
|
for featureID, f := range e.features {
|
|
featureData := f.toBytes()
|
|
|
|
hdr := make([]byte, 5)
|
|
hdr[0] = featureID // FedAuth feature extension BYTE
|
|
binary.LittleEndian.PutUint32(hdr[1:], uint32(len(featureData))) // FeatureDataLen DWORD
|
|
d = append(d, hdr...)
|
|
|
|
d = append(d, featureData...) // FeatureData *BYTE
|
|
}
|
|
if d != nil {
|
|
d = append(d, 0xff) // Terminator
|
|
}
|
|
return d
|
|
}
|
|
|
|
// featureExtFedAuth tracks federated authentication state before and during login
|
|
type featureExtFedAuth struct {
|
|
// FedAuthLibrary is populated by the federated authentication provider.
|
|
FedAuthLibrary int
|
|
|
|
// ADALWorkflow is populated by the federated authentication provider.
|
|
ADALWorkflow byte
|
|
|
|
// FedAuthEcho is populated from the prelogin response
|
|
FedAuthEcho bool
|
|
|
|
// FedAuthToken is populated during login with the value from the provider.
|
|
FedAuthToken string
|
|
|
|
// Nonce is populated during login with the value from the provider.
|
|
Nonce []byte
|
|
|
|
// Signature is populated during login with the value from the server.
|
|
Signature []byte
|
|
}
|
|
|
|
func (e *featureExtFedAuth) featureID() byte {
|
|
return featExtFEDAUTH
|
|
}
|
|
|
|
func (e *featureExtFedAuth) toBytes() []byte {
|
|
if e == nil {
|
|
return nil
|
|
}
|
|
|
|
options := byte(e.FedAuthLibrary) << 1
|
|
if e.FedAuthEcho {
|
|
options |= 1 // fFedAuthEcho
|
|
}
|
|
|
|
// Feature extension format depends on the federated auth library.
|
|
// Options are described at
|
|
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/773a62b6-ee89-4c02-9e5e-344882630aac
|
|
var d []byte
|
|
|
|
switch e.FedAuthLibrary {
|
|
case fedAuthLibrarySecurityToken:
|
|
d = make([]byte, 5)
|
|
d[0] = options
|
|
|
|
// looks like string in
|
|
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/f88b63bb-b479-49e1-a87b-deda521da508
|
|
tokenBytes := str2ucs2(e.FedAuthToken)
|
|
binary.LittleEndian.PutUint32(d[1:], uint32(len(tokenBytes))) // Should be a signed int32, but since the length is relatively small, this should work
|
|
d = append(d, tokenBytes...)
|
|
|
|
if len(e.Nonce) == 32 {
|
|
d = append(d, e.Nonce...)
|
|
}
|
|
|
|
case fedAuthLibraryADAL:
|
|
d = []byte{options, e.ADALWorkflow}
|
|
}
|
|
|
|
return d
|
|
}
|
|
|
|
type loginHeader struct {
|
|
Length uint32
|
|
TDSVersion uint32
|
|
PacketSize uint32
|
|
ClientProgVer uint32
|
|
ClientPID uint32
|
|
ConnectionID uint32
|
|
OptionFlags1 uint8
|
|
OptionFlags2 uint8
|
|
TypeFlags uint8
|
|
OptionFlags3 uint8
|
|
ClientTimeZone int32
|
|
ClientLCID uint32
|
|
HostNameOffset uint16
|
|
HostNameLength uint16
|
|
UserNameOffset uint16
|
|
UserNameLength uint16
|
|
PasswordOffset uint16
|
|
PasswordLength uint16
|
|
AppNameOffset uint16
|
|
AppNameLength uint16
|
|
ServerNameOffset uint16
|
|
ServerNameLength uint16
|
|
ExtensionOffset uint16
|
|
ExtensionLength uint16
|
|
CtlIntNameOffset uint16
|
|
CtlIntNameLength uint16
|
|
LanguageOffset uint16
|
|
LanguageLength uint16
|
|
DatabaseOffset uint16
|
|
DatabaseLength uint16
|
|
ClientID [6]byte
|
|
SSPIOffset uint16
|
|
SSPILength uint16
|
|
AtchDBFileOffset uint16
|
|
AtchDBFileLength uint16
|
|
ChangePasswordOffset uint16
|
|
ChangePasswordLength uint16
|
|
SSPILongLength uint32
|
|
}
|
|
|
|
// convert Go string to UTF-16 encoded []byte (littleEndian)
|
|
// done manually rather than using bytes and binary packages
|
|
// for performance reasons
|
|
func str2ucs2(s string) []byte {
|
|
res := utf16.Encode([]rune(s))
|
|
ucs2 := make([]byte, 2*len(res))
|
|
for i := 0; i < len(res); i++ {
|
|
ucs2[2*i] = byte(res[i])
|
|
ucs2[2*i+1] = byte(res[i] >> 8)
|
|
}
|
|
return ucs2
|
|
}
|
|
|
|
func ucs22str(s []byte) (string, error) {
|
|
if len(s)%2 != 0 {
|
|
return "", fmt.Errorf("illegal UCS2 string length: %d", len(s))
|
|
}
|
|
buf := make([]uint16, len(s)/2)
|
|
for i := 0; i < len(s); i += 2 {
|
|
buf[i/2] = binary.LittleEndian.Uint16(s[i:])
|
|
}
|
|
return string(utf16.Decode(buf)), nil
|
|
}
|
|
|
|
func manglePassword(password string) []byte {
|
|
var ucs2password []byte = str2ucs2(password)
|
|
for i, ch := range ucs2password {
|
|
ucs2password[i] = ((ch<<4)&0xff | (ch >> 4)) ^ 0xA5
|
|
}
|
|
return ucs2password
|
|
}
|
|
|
|
// http://msdn.microsoft.com/en-us/library/dd304019.aspx
|
|
func sendLogin(w *tdsBuffer, login *login) error {
|
|
w.BeginPacket(packLogin7, false)
|
|
hostname := str2ucs2(login.HostName)
|
|
username := str2ucs2(login.UserName)
|
|
password := manglePassword(login.Password)
|
|
appname := str2ucs2(login.AppName)
|
|
servername := str2ucs2(login.ServerName)
|
|
ctlintname := str2ucs2(login.CtlIntName)
|
|
language := str2ucs2(login.Language)
|
|
database := str2ucs2(login.Database)
|
|
atchdbfile := str2ucs2(login.AtchDBFile)
|
|
changepassword := str2ucs2(login.ChangePassword)
|
|
featureExt := login.FeatureExt.toBytes()
|
|
|
|
hdr := loginHeader{
|
|
TDSVersion: login.TDSVersion,
|
|
PacketSize: login.PacketSize,
|
|
ClientProgVer: login.ClientProgVer,
|
|
ClientPID: login.ClientPID,
|
|
ConnectionID: login.ConnectionID,
|
|
OptionFlags1: login.OptionFlags1,
|
|
OptionFlags2: login.OptionFlags2,
|
|
TypeFlags: login.TypeFlags,
|
|
OptionFlags3: login.OptionFlags3,
|
|
ClientTimeZone: login.ClientTimeZone,
|
|
ClientLCID: login.ClientLCID,
|
|
HostNameLength: uint16(utf8.RuneCountInString(login.HostName)),
|
|
UserNameLength: uint16(utf8.RuneCountInString(login.UserName)),
|
|
PasswordLength: uint16(utf8.RuneCountInString(login.Password)),
|
|
AppNameLength: uint16(utf8.RuneCountInString(login.AppName)),
|
|
ServerNameLength: uint16(utf8.RuneCountInString(login.ServerName)),
|
|
CtlIntNameLength: uint16(utf8.RuneCountInString(login.CtlIntName)),
|
|
LanguageLength: uint16(utf8.RuneCountInString(login.Language)),
|
|
DatabaseLength: uint16(utf8.RuneCountInString(login.Database)),
|
|
ClientID: login.ClientID,
|
|
SSPILength: uint16(len(login.SSPI)),
|
|
AtchDBFileLength: uint16(utf8.RuneCountInString(login.AtchDBFile)),
|
|
ChangePasswordLength: uint16(utf8.RuneCountInString(login.ChangePassword)),
|
|
}
|
|
offset := uint16(binary.Size(hdr))
|
|
hdr.HostNameOffset = offset
|
|
offset += uint16(len(hostname))
|
|
hdr.UserNameOffset = offset
|
|
offset += uint16(len(username))
|
|
hdr.PasswordOffset = offset
|
|
offset += uint16(len(password))
|
|
hdr.AppNameOffset = offset
|
|
offset += uint16(len(appname))
|
|
hdr.ServerNameOffset = offset
|
|
offset += uint16(len(servername))
|
|
hdr.CtlIntNameOffset = offset
|
|
offset += uint16(len(ctlintname))
|
|
hdr.LanguageOffset = offset
|
|
offset += uint16(len(language))
|
|
hdr.DatabaseOffset = offset
|
|
offset += uint16(len(database))
|
|
hdr.SSPIOffset = offset
|
|
offset += uint16(len(login.SSPI))
|
|
hdr.AtchDBFileOffset = offset
|
|
offset += uint16(len(atchdbfile))
|
|
hdr.ChangePasswordOffset = offset
|
|
offset += uint16(len(changepassword))
|
|
|
|
featureExtOffset := uint32(0)
|
|
featureExtLen := len(featureExt)
|
|
if featureExtLen > 0 {
|
|
hdr.OptionFlags3 |= fExtension
|
|
hdr.ExtensionOffset = offset
|
|
hdr.ExtensionLength = 4
|
|
offset += hdr.ExtensionLength // DWORD
|
|
featureExtOffset = uint32(offset)
|
|
}
|
|
hdr.Length = uint32(offset) + uint32(featureExtLen)
|
|
|
|
var err error
|
|
err = binary.Write(w, binary.LittleEndian, &hdr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(hostname)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(username)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(appname)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(servername)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(ctlintname)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(language)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(database)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(login.SSPI)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(atchdbfile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(changepassword)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if featureExtOffset > 0 {
|
|
err = binary.Write(w, binary.LittleEndian, featureExtOffset)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(featureExt)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return w.FinishPacket()
|
|
}
|
|
|
|
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/827d9632-2957-4d54-b9ea-384530ae79d0
|
|
func sendFedAuthInfo(w *tdsBuffer, fedAuth *featureExtFedAuth) (err error) {
|
|
fedauthtoken := str2ucs2(fedAuth.FedAuthToken)
|
|
tokenlen := len(fedauthtoken)
|
|
datalen := 4 + tokenlen + len(fedAuth.Nonce)
|
|
|
|
w.BeginPacket(packFedAuthToken, false)
|
|
err = binary.Write(w, binary.LittleEndian, uint32(datalen))
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
err = binary.Write(w, binary.LittleEndian, uint32(tokenlen))
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
_, err = w.Write(fedauthtoken)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
_, err = w.Write(fedAuth.Nonce)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
return w.FinishPacket()
|
|
}
|
|
|
|
func readUcs2(r io.Reader, numchars int) (res string, err error) {
|
|
buf := make([]byte, numchars*2)
|
|
_, err = io.ReadFull(r, buf)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return ucs22str(buf)
|
|
}
|
|
|
|
func readUsVarChar(r io.Reader) (res string, err error) {
|
|
numchars, err := readUshort(r)
|
|
if err != nil {
|
|
return
|
|
}
|
|
return readUcs2(r, int(numchars))
|
|
}
|
|
|
|
func writeUsVarChar(w io.Writer, s string) (err error) {
|
|
buf := str2ucs2(s)
|
|
var numchars int = len(buf) / 2
|
|
if numchars > 0xffff {
|
|
panic("invalid size for US_VARCHAR")
|
|
}
|
|
err = binary.Write(w, binary.LittleEndian, uint16(numchars))
|
|
if err != nil {
|
|
return
|
|
}
|
|
_, err = w.Write(buf)
|
|
return
|
|
}
|
|
|
|
func readBVarChar(r io.Reader) (res string, err error) {
|
|
numchars, err := readByte(r)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// A zero length could be returned, return an empty string
|
|
if numchars == 0 {
|
|
return "", nil
|
|
}
|
|
return readUcs2(r, int(numchars))
|
|
}
|
|
|
|
func writeBVarChar(w io.Writer, s string) (err error) {
|
|
buf := str2ucs2(s)
|
|
var numchars int = len(buf) / 2
|
|
if numchars > 0xff {
|
|
panic("invalid size for B_VARCHAR")
|
|
}
|
|
err = binary.Write(w, binary.LittleEndian, uint8(numchars))
|
|
if err != nil {
|
|
return
|
|
}
|
|
_, err = w.Write(buf)
|
|
return
|
|
}
|
|
|
|
func readBVarByte(r io.Reader) (res []byte, err error) {
|
|
length, err := readByte(r)
|
|
if err != nil {
|
|
return
|
|
}
|
|
res = make([]byte, length)
|
|
_, err = io.ReadFull(r, res)
|
|
return
|
|
}
|
|
|
|
func readUshort(r io.Reader) (res uint16, err error) {
|
|
err = binary.Read(r, binary.LittleEndian, &res)
|
|
return
|
|
}
|
|
|
|
func readByte(r io.Reader) (res byte, err error) {
|
|
var b [1]byte
|
|
_, err = r.Read(b[:])
|
|
res = b[0]
|
|
return
|
|
}
|
|
|
|
// Packet Data Stream Headers
|
|
// http://msdn.microsoft.com/en-us/library/dd304953.aspx
|
|
type headerStruct struct {
|
|
hdrtype uint16
|
|
data []byte
|
|
}
|
|
|
|
const (
|
|
dataStmHdrQueryNotif = 1 // query notifications
|
|
dataStmHdrTransDescr = 2 // MARS transaction descriptor (required)
|
|
dataStmHdrTraceActivity = 3
|
|
)
|
|
|
|
// Query Notifications Header
|
|
// http://msdn.microsoft.com/en-us/library/dd304949.aspx
|
|
type queryNotifHdr struct {
|
|
notifyId string
|
|
ssbDeployment string
|
|
notifyTimeout uint32
|
|
}
|
|
|
|
func (hdr queryNotifHdr) pack() (res []byte) {
|
|
notifyId := str2ucs2(hdr.notifyId)
|
|
ssbDeployment := str2ucs2(hdr.ssbDeployment)
|
|
|
|
res = make([]byte, 2+len(notifyId)+2+len(ssbDeployment)+4)
|
|
b := res
|
|
|
|
binary.LittleEndian.PutUint16(b, uint16(len(notifyId)))
|
|
b = b[2:]
|
|
copy(b, notifyId)
|
|
b = b[len(notifyId):]
|
|
|
|
binary.LittleEndian.PutUint16(b, uint16(len(ssbDeployment)))
|
|
b = b[2:]
|
|
copy(b, ssbDeployment)
|
|
b = b[len(ssbDeployment):]
|
|
|
|
binary.LittleEndian.PutUint32(b, hdr.notifyTimeout)
|
|
|
|
return res
|
|
}
|
|
|
|
// MARS Transaction Descriptor Header
|
|
// http://msdn.microsoft.com/en-us/library/dd340515.aspx
|
|
type transDescrHdr struct {
|
|
transDescr uint64 // transaction descriptor returned from ENVCHANGE
|
|
outstandingReqCnt uint32 // outstanding request count
|
|
}
|
|
|
|
func (hdr transDescrHdr) pack() (res []byte) {
|
|
res = make([]byte, 8+4)
|
|
binary.LittleEndian.PutUint64(res, hdr.transDescr)
|
|
binary.LittleEndian.PutUint32(res[8:], hdr.outstandingReqCnt)
|
|
return res
|
|
}
|
|
|
|
func writeAllHeaders(w io.Writer, headers []headerStruct) (err error) {
|
|
// Calculating total length.
|
|
var totallen uint32 = 4
|
|
for _, hdr := range headers {
|
|
totallen += 4 + 2 + uint32(len(hdr.data))
|
|
}
|
|
// writing
|
|
err = binary.Write(w, binary.LittleEndian, totallen)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, hdr := range headers {
|
|
var headerlen uint32 = 4 + 2 + uint32(len(hdr.data))
|
|
err = binary.Write(w, binary.LittleEndian, headerlen)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = binary.Write(w, binary.LittleEndian, hdr.hdrtype)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = w.Write(hdr.data)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func sendSqlBatch72(buf *tdsBuffer, sqltext string, headers []headerStruct, resetSession bool) (err error) {
|
|
buf.BeginPacket(packSQLBatch, resetSession)
|
|
|
|
if err = writeAllHeaders(buf, headers); err != nil {
|
|
return
|
|
}
|
|
|
|
_, err = buf.Write(str2ucs2(sqltext))
|
|
if err != nil {
|
|
return
|
|
}
|
|
return buf.FinishPacket()
|
|
}
|
|
|
|
// 2.2.1.7 Attention: https://msdn.microsoft.com/en-us/library/dd341449.aspx
|
|
// 4.19.2 Out-of-Band Attention Signal: https://msdn.microsoft.com/en-us/library/dd305167.aspx
|
|
func sendAttention(buf *tdsBuffer) error {
|
|
buf.BeginPacket(packAttention, false)
|
|
return buf.FinishPacket()
|
|
}
|
|
|
|
type auth interface {
|
|
InitialBytes() ([]byte, error)
|
|
NextBytes([]byte) ([]byte, error)
|
|
Free()
|
|
}
|
|
|
|
// SQL Server AlwaysOn Availability Group Listeners are bound by DNS to a
|
|
// list of IP addresses. So if there is more than one, try them all and
|
|
// use the first one that allows a connection.
|
|
func dialConnection(ctx context.Context, c *Connector, p connectParams) (conn net.Conn, err error) {
|
|
var ips []net.IP
|
|
ip := net.ParseIP(p.host)
|
|
if ip == nil {
|
|
ips, err = net.LookupIP(p.host)
|
|
if err != nil {
|
|
return
|
|
}
|
|
} else {
|
|
ips = []net.IP{ip}
|
|
}
|
|
if len(ips) == 1 {
|
|
d := c.getDialer(&p)
|
|
addr := net.JoinHostPort(ips[0].String(), strconv.Itoa(int(resolveServerPort(p.port))))
|
|
conn, err = d.DialContext(ctx, "tcp", addr)
|
|
|
|
} else {
|
|
//Try Dials in parallel to avoid waiting for timeouts.
|
|
connChan := make(chan net.Conn, len(ips))
|
|
errChan := make(chan error, len(ips))
|
|
portStr := strconv.Itoa(int(resolveServerPort(p.port)))
|
|
for _, ip := range ips {
|
|
go func(ip net.IP) {
|
|
d := c.getDialer(&p)
|
|
addr := net.JoinHostPort(ip.String(), portStr)
|
|
conn, err := d.DialContext(ctx, "tcp", addr)
|
|
if err == nil {
|
|
connChan <- conn
|
|
} else {
|
|
errChan <- err
|
|
}
|
|
}(ip)
|
|
}
|
|
// Wait for either the *first* successful connection, or all the errors
|
|
wait_loop:
|
|
for i := range ips {
|
|
select {
|
|
case conn = <-connChan:
|
|
// Got a connection to use, close any others
|
|
go func(n int) {
|
|
for i := 0; i < n; i++ {
|
|
select {
|
|
case conn := <-connChan:
|
|
conn.Close()
|
|
case <-errChan:
|
|
}
|
|
}
|
|
}(len(ips) - i - 1)
|
|
// Remove any earlier errors we may have collected
|
|
err = nil
|
|
break wait_loop
|
|
case err = <-errChan:
|
|
}
|
|
}
|
|
}
|
|
// Can't do the usual err != nil check, as it is possible to have gotten an error before a successful connection
|
|
if conn == nil {
|
|
f := "unable to open tcp connection with host '%v:%v': %v"
|
|
return nil, fmt.Errorf(f, p.host, resolveServerPort(p.port), err.Error())
|
|
}
|
|
return conn, err
|
|
}
|
|
|
|
func preparePreloginFields(p connectParams, fe *featureExtFedAuth) map[uint8][]byte {
|
|
instance_buf := []byte(p.instance)
|
|
instance_buf = append(instance_buf, 0) // zero terminate instance name
|
|
|
|
var encrypt byte
|
|
if p.disableEncryption {
|
|
encrypt = encryptNotSup
|
|
} else if p.encrypt {
|
|
encrypt = encryptOn
|
|
} else {
|
|
encrypt = encryptOff
|
|
}
|
|
|
|
fields := map[uint8][]byte{
|
|
preloginVERSION: {0, 0, 0, 0, 0, 0},
|
|
preloginENCRYPTION: {encrypt},
|
|
preloginINSTOPT: instance_buf,
|
|
preloginTHREADID: {0, 0, 0, 0},
|
|
preloginMARS: {0}, // MARS disabled
|
|
}
|
|
|
|
if fe.FedAuthLibrary != fedAuthLibraryReserved {
|
|
fields[preloginFEDAUTHREQUIRED] = []byte{1}
|
|
}
|
|
|
|
return fields
|
|
}
|
|
|
|
func interpretPreloginResponse(p connectParams, fe *featureExtFedAuth, fields map[uint8][]byte) (encrypt byte, err error) {
|
|
// If the server returns the preloginFEDAUTHREQUIRED field, then federated authentication
|
|
// is supported. The actual value may be 0 or 1, where 0 means either SSPI or federated
|
|
// authentication is allowed, while 1 means only federated authentication is allowed.
|
|
if fedAuthSupport, ok := fields[preloginFEDAUTHREQUIRED]; ok {
|
|
if len(fedAuthSupport) != 1 {
|
|
return 0, fmt.Errorf("Federated authentication flag length should be 1: is %d", len(fedAuthSupport))
|
|
}
|
|
|
|
// We need to be able to echo the value back to the server
|
|
fe.FedAuthEcho = fedAuthSupport[0] != 0
|
|
} else if fe.FedAuthLibrary != fedAuthLibraryReserved {
|
|
return 0, fmt.Errorf("Federated authentication is not supported by the server")
|
|
}
|
|
|
|
encryptBytes, ok := fields[preloginENCRYPTION]
|
|
if !ok {
|
|
return 0, fmt.Errorf("encrypt negotiation failed")
|
|
}
|
|
encrypt = encryptBytes[0]
|
|
if p.encrypt && (encrypt == encryptNotSup || encrypt == encryptOff) {
|
|
return 0, fmt.Errorf("server does not support encryption")
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func prepareLogin(ctx context.Context, c *Connector, p connectParams, log optionalLogger, auth auth, fe *featureExtFedAuth, packetSize uint32) (l *login, err error) {
|
|
l = &login{
|
|
TDSVersion: verTDS74,
|
|
PacketSize: packetSize,
|
|
Database: p.database,
|
|
OptionFlags2: fODBC, // to get unlimited TEXTSIZE
|
|
HostName: p.workstation,
|
|
ServerName: p.host,
|
|
AppName: p.appname,
|
|
TypeFlags: p.typeFlags,
|
|
}
|
|
switch {
|
|
case fe.FedAuthLibrary == fedAuthLibrarySecurityToken:
|
|
if p.logFlags&logDebug != 0 {
|
|
log.Println("Starting federated authentication using security token")
|
|
}
|
|
|
|
fe.FedAuthToken, err = c.securityTokenProvider(ctx)
|
|
if err != nil {
|
|
if p.logFlags&logDebug != 0 {
|
|
log.Printf("Failed to retrieve service principal token for federated authentication security token library: %v", err)
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
l.FeatureExt.Add(fe)
|
|
|
|
case fe.FedAuthLibrary == fedAuthLibraryADAL:
|
|
if p.logFlags&logDebug != 0 {
|
|
log.Println("Starting federated authentication using ADAL")
|
|
}
|
|
|
|
l.FeatureExt.Add(fe)
|
|
|
|
case auth != nil:
|
|
if p.logFlags&logDebug != 0 {
|
|
log.Println("Starting SSPI login")
|
|
}
|
|
|
|
l.SSPI, err = auth.InitialBytes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
l.OptionFlags2 |= fIntSecurity
|
|
return l, nil
|
|
|
|
default:
|
|
// Default to SQL server authentication with user and password
|
|
l.UserName = p.user
|
|
l.Password = p.password
|
|
}
|
|
|
|
return l, nil
|
|
}
|
|
|
|
func connect(ctx context.Context, c *Connector, log optionalLogger, p connectParams) (res *tdsSession, err error) {
|
|
dialCtx := ctx
|
|
if p.dial_timeout > 0 {
|
|
var cancel func()
|
|
dialCtx, cancel = context.WithTimeout(ctx, p.dial_timeout)
|
|
defer cancel()
|
|
}
|
|
// if instance is specified use instance resolution service
|
|
if p.instance != "" && p.port != 0 {
|
|
// both instance name and port specified
|
|
// when port is specified instance name is not used
|
|
// you should not provide instance name when you provide port
|
|
log.Println("WARN: You specified both instance name and port in the connection string, port will be used and instance name will be ignored")
|
|
}
|
|
if p.instance != "" && p.port == 0 {
|
|
p.instance = strings.ToUpper(p.instance)
|
|
d := c.getDialer(&p)
|
|
instances, err := getInstances(dialCtx, d, p.host)
|
|
if err != nil {
|
|
f := "unable to get instances from Sql Server Browser on host %v: %v"
|
|
return nil, fmt.Errorf(f, p.host, err.Error())
|
|
}
|
|
strport, ok := instances[p.instance]["tcp"]
|
|
if !ok {
|
|
f := "no instance matching '%v' returned from host '%v'"
|
|
return nil, fmt.Errorf(f, p.instance, p.host)
|
|
}
|
|
port, err := strconv.ParseUint(strport, 0, 16)
|
|
if err != nil {
|
|
f := "invalid tcp port returned from Sql Server Browser '%v': %v"
|
|
return nil, fmt.Errorf(f, strport, err.Error())
|
|
}
|
|
p.port = port
|
|
}
|
|
|
|
initiate_connection:
|
|
conn, err := dialConnection(dialCtx, c, p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
toconn := newTimeoutConn(conn, p.conn_timeout)
|
|
|
|
outbuf := newTdsBuffer(p.packetSize, toconn)
|
|
sess := tdsSession{
|
|
buf: outbuf,
|
|
log: log,
|
|
logFlags: p.logFlags,
|
|
}
|
|
|
|
fedAuth := &featureExtFedAuth{
|
|
FedAuthLibrary: p.fedAuthLibrary,
|
|
ADALWorkflow: p.fedAuthADALWorkflow,
|
|
}
|
|
|
|
fields := preparePreloginFields(p, fedAuth)
|
|
|
|
err = writePrelogin(packPrelogin, outbuf, fields)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
fields, err = readPrelogin(outbuf)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
encrypt, err := interpretPreloginResponse(p, fedAuth, fields)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if encrypt != encryptNotSup {
|
|
var config tls.Config
|
|
if p.certificate != "" {
|
|
pem, err := ioutil.ReadFile(p.certificate)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("cannot read certificate %q: %v", p.certificate, err)
|
|
}
|
|
certs := x509.NewCertPool()
|
|
certs.AppendCertsFromPEM(pem)
|
|
config.RootCAs = certs
|
|
}
|
|
if p.trustServerCertificate {
|
|
config.InsecureSkipVerify = true
|
|
}
|
|
config.ServerName = p.hostInCertificate
|
|
// fix for https://github.com/denisenkom/go-mssqldb/issues/166
|
|
// Go implementation of TLS payload size heuristic algorithm splits single TDS package to multiple TCP segments,
|
|
// while SQL Server seems to expect one TCP segment per encrypted TDS package.
|
|
// Setting DynamicRecordSizingDisabled to true disables that algorithm and uses 16384 bytes per TLS package
|
|
config.DynamicRecordSizingDisabled = true
|
|
// setting up connection handler which will allow wrapping of TLS handshake packets inside TDS stream
|
|
handshakeConn := tlsHandshakeConn{buf: outbuf}
|
|
passthrough := passthroughConn{c: &handshakeConn}
|
|
tlsConn := tls.Client(&passthrough, &config)
|
|
err = tlsConn.Handshake()
|
|
passthrough.c = toconn
|
|
outbuf.transport = tlsConn
|
|
if err != nil {
|
|
return nil, fmt.Errorf("TLS Handshake failed: %v", err)
|
|
}
|
|
if encrypt == encryptOff {
|
|
outbuf.afterFirst = func() {
|
|
outbuf.transport = toconn
|
|
}
|
|
}
|
|
}
|
|
|
|
auth, authOk := getAuth(p.user, p.password, p.serverSPN, p.workstation)
|
|
if authOk {
|
|
defer auth.Free()
|
|
} else {
|
|
auth = nil
|
|
}
|
|
|
|
login, err := prepareLogin(ctx, c, p, log, auth, fedAuth, uint32(outbuf.PackageSize()))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = sendLogin(outbuf, login)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Loop until a packet containing a login acknowledgement is received.
|
|
// SSPI and federated authentication scenarios may require multiple
|
|
// packet exchanges to complete the login sequence.
|
|
for loginAck := false; !loginAck; {
|
|
reader := startReading(&sess, ctx, nil)
|
|
|
|
for {
|
|
tok, err := reader.nextToken()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if tok == nil {
|
|
break
|
|
}
|
|
|
|
switch token := tok.(type) {
|
|
case sspiMsg:
|
|
sspi_msg, err := auth.NextBytes(token)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(sspi_msg) > 0 {
|
|
outbuf.BeginPacket(packSSPIMessage, false)
|
|
_, err = outbuf.Write(sspi_msg)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = outbuf.FinishPacket()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sspi_msg = nil
|
|
}
|
|
// TODO: for Live ID authentication it may be necessary to
|
|
// compare fedAuth.Nonce == token.Nonce and keep track of signature
|
|
//case fedAuthAckStruct:
|
|
//fedAuth.Signature = token.Signature
|
|
case fedAuthInfoStruct:
|
|
// For ADAL workflows this contains the STS URL and server SPN.
|
|
// If received outside of an ADAL workflow, ignore.
|
|
if c == nil || c.adalTokenProvider == nil {
|
|
continue
|
|
}
|
|
|
|
// Request the AD token given the server SPN and STS URL
|
|
fedAuth.FedAuthToken, err = c.adalTokenProvider(ctx, token.ServerSPN, token.STSURL)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Now need to send the token as a FEDINFO packet
|
|
err = sendFedAuthInfo(outbuf, fedAuth)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
case loginAckStruct:
|
|
sess.loginAck = token
|
|
loginAck = true
|
|
case doneStruct:
|
|
if token.isError() {
|
|
return nil, fmt.Errorf("login error: %s", token.getError())
|
|
}
|
|
case error:
|
|
return nil, fmt.Errorf("login error: %s", token.Error())
|
|
}
|
|
}
|
|
}
|
|
|
|
if sess.routedServer != "" {
|
|
toconn.Close()
|
|
p.host = sess.routedServer
|
|
p.port = uint64(sess.routedPort)
|
|
if !p.hostInCertificateProvided {
|
|
p.hostInCertificate = sess.routedServer
|
|
}
|
|
goto initiate_connection
|
|
}
|
|
return &sess, nil
|
|
}
|
|
|
|
func (sess *tdsSession) setReturnStatus(status ReturnStatus) {
|
|
if sess.returnStatus != nil {
|
|
*sess.returnStatus = status
|
|
}
|
|
}
|