feat(auth): support sha256 password

Author: Brooke-white

redshift_connector/core.py

@@ -1328,6 +1328,61 @@ def handle_AUTHENTICATION_REQUEST(self: "Connection", data: bytes, cursor: Curso
             # self._write(NULL_BYTE)
             self._flush()
 
+        elif auth_code == 13:  # AUTH_REQ_DIGEST
+            offset: int = 4
+            algo: int = i_unpack(data, offset)[0]
+            algo_names: typing.Tuple[str] = ("SHA256",)
+            offset += 4
+
+            salt_len: int = i_unpack(data, offset)[0]
+            offset += 4
+
+            salt = data[offset : offset + salt_len]
+            offset += salt_len
+
+            server_nonce_len: int = i_unpack(data, offset)[0]
+            offset += 4
+
+            server_nonce: bytes = data[offset : offset + server_nonce_len]
+            offset += server_nonce_len
+
+            ms_since_epoch: int = int((Datetime.utcnow() - Datetime.utcfromtimestamp(0)).total_seconds() * 1000.0)
+            client_nonce: bytes = str(ms_since_epoch).encode("utf-8")
+
+            _logger.debug("handle_AUTHENTICATION_REQUEST: AUTH_REQ_DIGEST")
+            _logger.debug("Algo:{}".format(algo))
+
+            if self.password is None:
+                raise InterfaceError(
+                    "The server requested password-based authentication, but no password was provided."
+                )
+
+            if algo > len(algo_names):
+                raise InterfaceError(
+                    "The server requested password-based authentication, "
+                    "but requested algorithm {} is not supported.".format(algo)
+                )
+
+            from redshift_connector.utils.extensible_digest import ExtensibleDigest
+
+            digest: bytes = ExtensibleDigest.encode(
+                client_nonce=client_nonce,
+                password=typing.cast(bytes, self.password),
+                salt=salt,
+                algo_name=algo_names[algo],
+                server_nonce=server_nonce,
+            )
+
+            _logger.debug("Password(extensible digest)")
+
+            self._write(b"d")
+            self._write(i_pack(4 + 4 + len(digest) + 4 + len(client_nonce)))
+            self._write(i_pack(len(digest)))
+            self._write(digest)
+            self._write(i_pack(len(client_nonce)))
+            self._write(client_nonce)
+            self._flush()
+
         elif auth_code in (2, 4, 6, 7, 8, 9):
             raise InterfaceError("Authentication method " + str(auth_code) + " not supported by redshift_connector.")
         else:

redshift_connector/utils/extensible_digest.py

@@ -0,0 +1,46 @@
+import typing
+from hashlib import new as hashlib_new
+
+from redshift_connector import InterfaceError
+
+if typing.TYPE_CHECKING:
+    from hashlib import _Hash
+
+
+class ExtensibleDigest:
+    """
+    Encodes user/password/salt information in the following way: SHA2(SHA2(password + user) + salt).
+    """
+
+    @staticmethod
+    def encode(client_nonce: bytes, password: bytes, salt: bytes, algo_name: str, server_nonce: bytes) -> bytes:
+        """
+        Encodes user/password/salt information in the following way: SHA2(SHA2(password + user) + salt).
+        :param client_nonce: The client nonce
+        :type client_nonce: bytes
+        :param password: The connecting user's password
+        :type password: bytes
+        :param salt: salt sent by the server
+        :type salt: bytes
+        :param algo_name: Algorithm name such as "SHA256" etc.
+        :type algo_name: str
+        :param server_nonce: random number generated by server
+        :type server_nonce: bytes
+        :return: the digest
+        :rtype: bytes
+        """
+        try:
+            hl1: "_Hash" = hashlib_new(name=algo_name)
+        except ImportError:
+            raise InterfaceError("Unable to encode password with extensible hashing: {}".format(algo_name))
+        hl1.update(password)
+        hl1.update(salt)
+        pass_digest1: bytes = hl1.digest()  # SHA2(user + password)
+
+        hl2: "_Hash" = hashlib_new(name=algo_name)
+        hl2.update(pass_digest1)
+        hl2.update(server_nonce)
+        hl2.update(client_nonce)
+        pass_digest2 = hl2.digest()  # SHA2(SHA2(password + user) + salt)
+
+        return pass_digest2