Full support of custom auth methods
Hi there!
It seems that Xandra does not fully support custom authentication mechanisms.
Specifically, it is not possible to connect to AWS Keyspaces when using temporary credentials (documentation).
The expected authentication flow in Keyspaces is:
- After receiving `AUTHENTICATE`, the client replies with an `AUTH_RESPONSE` containing the string `"SigV4\00\00"`, indicating that temporary credentials will be used.
- Keyspaces responds with an `AUTH_CHALLENGE` carrying a random nonce.
- The client signs this nonce cryptographically and sends the result in a second `AUTH_RESPONSE`.
- Keyspaces validates the signature and replies with either `AUTH_SUCCESS` or `ERROR`.
Currently, Xandra does not appear to implement any handling of AUTH_CHALLENGE messages, which makes this authentication flow unsupported.
A possible solution is to change the Authenticator behavior like this:
```elixir
defmodule Xandra.Authenticator do
  @doc """
  Returns an iodata that's used as the response body to Cassandra's AUTHENTICATE message.
  """
  @callback initial_response_body(options :: keyword) :: iodata

  @doc """
  Returns an iodata that's used as the response body to Cassandra's auth challenge.
  """
  @callback challenge_response_body(challenge :: iodata, options :: keyword) :: iodata
end
```
Change the message processing logic so that:
- In response to an `AUTHENTICATE` message, the reply is generated using the result of the `initial_response_body` function.
- In response to an `AUTH_CHALLENGE` message, the reply is generated using the result of the `challenge_response_body` function.
I think we should add challenge_response_body and not change the existing callback, so that we can make the behavior backwards compatible. We can make the new callback optional, and if it's there, call it when receiving the challenge. Thoughts? Want to send a PR?
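Added example (not Xandra's code) of how the proposal above and the optional-callback suggestion could fit together: the behaviour with `challenge_response_body/2` marked optional, a hypothetical `SigV4Authenticator` that returns the `"SigV4\0\0"` marker and then signs the challenge, and a dispatcher that picks the callback per message and falls back cleanly for authenticators that predate the new callback. The module names `SigV4Authenticator` and `AuthFlow`, the option keys, and the HMAC-SHA256 signing are assumptions; the real Keyspaces SigV4 signature computation is not described on this page and is not reproduced here.

```elixir
defmodule Xandra.Authenticator do
  @moduledoc "Proposed behaviour; the challenge callback is optional for backwards compatibility."
  @callback initial_response_body(options :: keyword) :: iodata
  @callback challenge_response_body(challenge :: iodata, options :: keyword) :: iodata
  @optional_callbacks challenge_response_body: 2
end

defmodule SigV4Authenticator do
  # Hypothetical two-step authenticator for the Keyspaces-style flow.
  # The signing below (HMAC-SHA256 over the raw challenge bytes with the
  # secret key) is a stand-in to show the callback shape, not the actual
  # AWS SigV4 canonical-request computation.
  @behaviour Xandra.Authenticator

  @impl true
  def initial_response_body(_options), do: "SigV4\0\0"

  @impl true
  def challenge_response_body(challenge, options) do
    nonce = IO.iodata_to_binary(challenge)
    secret = Keyword.fetch!(options, :secret_access_key)
    signature = :crypto.mac(:hmac, :sha256, secret, nonce)

    [
      "signature=", Base.encode16(signature, case: :lower),
      ",access_key=", Keyword.fetch!(options, :access_key_id)
    ]
  end
end

defmodule AuthFlow do
  # Message dispatch the issue proposes: AUTHENTICATE -> initial_response_body,
  # AUTH_CHALLENGE -> challenge_response_body. Authenticators that do not export
  # the optional callback keep working for single-step auth and get a clear
  # error instead of a crash if the server sends a challenge anyway.
  def respond({:authenticate, _authenticator_class}, mod, options) do
    {:auth_response, mod.initial_response_body(options)}
  end

  def respond({:auth_challenge, token}, mod, options) do
    if Code.ensure_loaded?(mod) and function_exported?(mod, :challenge_response_body, 2) do
      {:auth_response, mod.challenge_response_body(token, options)}
    else
      {:error, {:auth_challenge_not_supported, mod}}
    end
  end
end
```

Calling `AuthFlow.respond({:auth_challenge, "some-nonce"}, SigV4Authenticator, access_key_id: "AKIA...", secret_access_key: "...")` returns `{:auth_response, iodata}`, while the same call with an authenticator that only implements `initial_response_body/1` returns the `{:error, ...}` tuple.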