feat(pam): add Oracle DB access support

.gitignore

@@ -14,5 +14,5 @@ infisical
 
 /agent-testing
 .vscode/
-# PAM CLI session artifacts (local testing only)
+.idea/
 /session/

packages/pam/handlers/oracle/ATTRIBUTION.md

@@ -0,0 +1,23 @@
+This package contains code adapted from [sijms/go-ora](https://github.com/sijms/go-ora).
+
+MIT License
+
+Copyright (c) 2020 Samy Sultan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

packages/pam/handlers/oracle/constants.go

@@ -0,0 +1,4 @@
+package oracle
+
+// Must be passed by the client; also used for O5Logon key derivation in phase 1.
+const ProxyPasswordPlaceholder = "password"

packages/pam/handlers/oracle/o5logon.go

@@ -0,0 +1,108 @@
+package oracle
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha512"
+	"encoding/hex"
+	"fmt"
+)
+
+const (
+	ORA1017InvalidCredentials = 1017
+)
+
+func PKCS5Padding(cipherText []byte, blockSize int) []byte {
+	padding := blockSize - len(cipherText)%blockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(cipherText, padtext...)
+}
+
+func generateSpeedyKey(buffer, key []byte, turns int) []byte {
+	mac := hmac.New(sha512.New, key)
+	mac.Write(append(buffer, 0, 0, 0, 1))
+	firstHash := mac.Sum(nil)
+	tempHash := make([]byte, len(firstHash))
+	copy(tempHash, firstHash)
+	for index1 := 2; index1 <= turns; index1++ {
+		mac.Reset()
+		mac.Write(tempHash)
+		tempHash = mac.Sum(nil)
+		for index2 := 0; index2 < 64; index2++ {
+			firstHash[index2] = firstHash[index2] ^ tempHash[index2]
+		}
+	}
+	return firstHash
+}
+
+func decryptSessionKey(padding bool, encKey []byte, sessionKeyHex string) ([]byte, error) {
+	result, err := hex.DecodeString(sessionKeyHex)
+	if err != nil {
+		return nil, err
+	}
+	blk, err := aes.NewCipher(encKey)
+	if err != nil {
+		return nil, err
+	}
+	dec := cipher.NewCBCDecrypter(blk, make([]byte, 16))
+	output := make([]byte, len(result))
+	dec.CryptBlocks(output, result)
+	cutLen := 0
+	if padding {
+		num := int(output[len(output)-1])
+		if num < dec.BlockSize() {
+			apply := true
+			for x := len(output) - num; x < len(output); x++ {
+				if output[x] != uint8(num) {
+					apply = false
+					break
+				}
+			}
+			if apply {
+				cutLen = int(output[len(output)-1])
+			}
+		}
+	}
+	return output[:len(output)-cutLen], nil
+}
+
+func encryptSessionKey(padding bool, encKey []byte, sessionKey []byte) (string, error) {
+	blk, err := aes.NewCipher(encKey)
+	if err != nil {
+		return "", err
+	}
+	enc := cipher.NewCBCEncrypter(blk, make([]byte, 16))
+	originalLen := len(sessionKey)
+	sessionKey = PKCS5Padding(sessionKey, blk.BlockSize())
+	output := make([]byte, len(sessionKey))
+	enc.CryptBlocks(output, sessionKey)
+	if !padding {
+		return fmt.Sprintf("%X", output[:originalLen]), nil
+	}
+	return fmt.Sprintf("%X", output), nil
+}
+
+func encryptPassword(password, key []byte, padding bool) (string, error) {
+	buff1 := make([]byte, 0x10)
+	if _, err := rand.Read(buff1); err != nil {
+		return "", err
+	}
+	buffer := append(buff1, password...)
+	return encryptSessionKey(padding, key, buffer)
+}
+
+func deriveServerKey(password string, salt []byte, vGenCount int) (key []byte, speedy []byte, err error) {
+	message := append([]byte(nil), salt...)
+	message = append(message, []byte("AUTH_PBKDF2_SPEEDY_KEY")...)
+	speedy = generateSpeedyKey(message, []byte(password), vGenCount)
+
+	buffer := append([]byte(nil), speedy...)
+	buffer = append(buffer, salt...)
+	h := sha512.New()
+	h.Write(buffer)
+	key = h.Sum(nil)[:32]
+	return
+}

packages/pam/handlers/oracle/o5logon_server.go

@@ -0,0 +1,163 @@
+package oracle
+
+import (
+	"fmt"
+	"net"
+)
+
+const (
+	TTCMsgAuthRequest = 0x03
+	TTCMsgError       = 0x04
+)
+
+const (
+	AuthSubOpPhaseOne = 0x76
+	AuthSubOpPhaseTwo = 0x73
+)
+
+type AuthPhaseTwo struct {
+	EClientSessKey string
+	EPassword      string
+}
+
+func readDataPayload(conn net.Conn, use32BitLen bool) ([]byte, error) {
+	raw, err := ReadFullPacket(conn, use32BitLen)
+	if err != nil {
+		return nil, err
+	}
+	if PacketTypeOf(raw) == PacketTypeMarker {
+		return readDataPayload(conn, use32BitLen)
+	}
+	if PacketTypeOf(raw) != PacketTypeData {
+		return nil, fmt.Errorf("expected DATA packet, got type=%d", raw[4])
+	}
+	pkt, err := ParseDataPacket(raw, use32BitLen)
+	if err != nil {
+		return nil, err
+	}
+	return pkt.Payload, nil
+}
+
+func writeDataPayload(conn net.Conn, payload []byte, use32BitLen bool) error {
+	d := &DataPacket{Payload: payload}
+	_, err := conn.Write(d.Bytes(use32BitLen))
+	return err
+}
+
+func ParseAuthPhaseTwo(payload []byte) (*AuthPhaseTwo, error) {
+	r := NewTTCReader(payload)
+	op, err := r.GetByte()
+	if err != nil {
+		return nil, err
+	}
+	if op != TTCMsgAuthRequest {
+		return nil, fmt.Errorf("phase2 unexpected opcode 0x%02X", op)
+	}
+	sub, err := r.GetByte()
+	if err != nil {
+		return nil, err
+	}
+	if sub != AuthSubOpPhaseTwo {
+		return nil, fmt.Errorf("phase2 unexpected sub-op 0x%02X", sub)
+	}
+	if _, err := r.GetByte(); err != nil {
+		return nil, err
+	}
+
+	out := &AuthPhaseTwo{}
+
+	hasUser, err := r.GetByte()
+	if err != nil {
+		return nil, err
+	}
+	var userLen int
+	if hasUser == 1 {
+		userLen, err = r.GetInt(4, true, true)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if _, err := r.GetByte(); err != nil {
+			return nil, err
+		}
+	}
+
+	if _, err := r.GetInt(4, true, true); err != nil {
+		return nil, err
+	}
+	if _, err := r.GetByte(); err != nil {
+		return nil, err
+	}
+	count, err := r.GetInt(4, true, true)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := r.GetByte(); err != nil {
+		return nil, err
+	}
+	if _, err := r.GetByte(); err != nil {
+		return nil, err
+	}
+	if hasUser == 1 && userLen > 0 {
+		// go-ora prefixes username with CLR length byte; JDBC thin sends it raw.
+		peek, perr := r.PeekByte()
+		if perr != nil {
+			return nil, fmt.Errorf("peek phase2 username: %w", perr)
+		}
+		if int(peek) == userLen && peek < 0x20 {
+			if _, err := r.GetByte(); err != nil {
+				return nil, fmt.Errorf("consume phase2 username length prefix: %w", err)
+			}
+		}
+		if _, err := r.GetBytes(userLen); err != nil {
+			return nil, fmt.Errorf("read phase2 username bytes: %w", err)
+		}
+	}
+
+	for i := 0; i < count; i++ {
+		k, v, _, err := r.GetKeyVal()
+		if err != nil {
+			return nil, fmt.Errorf("phase2 KVP #%d: %w", i, err)
+		}
+		switch string(k) {
+		case "AUTH_SESSKEY":
+			out.EClientSessKey = string(v)
+		case "AUTH_PASSWORD":
+			out.EPassword = string(v)
+		}
+	}
+	return out, nil
+}
+
+func BuildErrorPacket(oraCode int, message string) []byte {
+	b := NewTTCBuilder()
+	b.PutBytes(TTCMsgError)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(int64(oraCode), 4, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 1, true, true)
+	b.PutInt(0, 1, true, true)
+	b.PutInt(0, 1, true, true)
+	b.PutInt(0, 1, true, true)
+	b.PutInt(0, 1, true, true)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(0, 4, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutInt(0, 2, true, true)
+	b.PutString(message)
+	b.PutInt(0, 2, true, true)
+	return b.Bytes()
+}
+
+func WriteErrorToClient(conn net.Conn, oraCode int, message string, use32BitLen bool) error {
+	return writeDataPayload(conn, BuildErrorPacket(oraCode, message), use32BitLen)
+}

packages/pam/handlers/oracle/proxy.go

@@ -0,0 +1,64 @@
+package oracle
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+
+	"github.com/Infisical/infisical-merge/packages/pam/session"
+)
+
+type OracleProxyConfig struct {
+	TargetAddr     string
+	InjectUsername string
+	InjectPassword string
+	InjectDatabase string
+	EnableTLS      bool
+	TLSConfig      *tls.Config
+	SessionID      string
+	SessionLogger  session.SessionLogger
+}
+
+type OracleProxy struct {
+	config OracleProxyConfig
+}
+
+func NewOracleProxy(config OracleProxyConfig) *OracleProxy {
+	return &OracleProxy{config: config}
+}
+
+func (p *OracleProxy) HandleConnection(ctx context.Context, clientConn net.Conn) error {
+	return p.handleConnectionProxied(ctx, clientConn)
+}
+
+func relayWithTap(src, dst net.Conn, tap *QueryExtractor, errCh chan<- error) {
+	buf := make([]byte, 32*1024)
+	for {
+		n, err := src.Read(buf)
+		if n > 0 {
+			if _, werr := dst.Write(buf[:n]); werr != nil {
+				errCh <- werr
+				return
+			}
+			tap.Feed(buf[:n])
+		}
+		if err != nil {
+			errCh <- err
+			return
+		}
+	}
+}
+
+func splitHostPort(addr string) (string, int, error) {
+	host, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return "", 0, err
+	}
+	var port int
+	_, err = fmt.Sscanf(portStr, "%d", &port)
+	if err != nil {
+		return "", 0, fmt.Errorf("bad port %q: %w", portStr, err)
+	}
+	return host, port, nil
+}