Fixed ActiveDirectoryMsi Authentication behavior when specified UID (#1374)

* ActiveDirectoryMsi uid-specified support
2022-03-19 06:49:32 +09:00 · 2022-03-19 06:49:32 +09:00 · a11822b154
parent ba53591cf5
commit a11822b154
2 changed files with 94 additions and 49 deletions
--- a/source/shared/core_conn.cpp
+++ b/source/shared/core_conn.cpp
@ -676,8 +676,8 @@ void build_connection_string_and_set_conn_attr( _Inout_ sqlsrv_conn* conn, _Inou

    try {
        // Since connection options access token and authentication cannot coexist, check if both of them are used.
-        // If access token is specified, check UID and PWD as well.
-        // No need to check the keyword Trusted_Connection because it is not among the acceptable options for SQLSRV drivers
+        // If access token is specified, check UID and PWD as well.
+        // No need to check the keyword Trusted_Connection because it is not among the acceptable options for SQLSRV drivers
        if (zend_hash_index_exists(options, SQLSRV_CONN_OPTION_ACCESS_TOKEN)) {
            bool invalidOptions = false;

@ -715,6 +715,19 @@ void build_connection_string_and_set_conn_attr( _Inout_ sqlsrv_conn* conn, _Inou
        // Add the server name
        common_conn_str_append_func( ODBCConnOptions::SERVER, server, strnlen_s( server ), connection_string );

+        // Check uid when Authentication is ActiveDirectoryMSI
+        // uid can be specified when using user-assigned identity
+        if (activeDirectoryMSI) {
+            if (uid != NULL && strnlen_s(uid) > 0) {
+                bool escaped = core_is_conn_opt_value_escaped(uid, strnlen_s(uid));
+                CHECK_CUSTOM_ERROR(!escaped, conn, SQLSRV_ERROR_UID_PWD_BRACES_NOT_ESCAPED) {
+                    throw core::CoreException();
+                }
+
+                common_conn_str_append_func(ODBCConnOptions::UID, uid, strnlen_s(uid), connection_string);
+            }
+        }
+
        // If uid is not present then we use trusted connection -- but not when connecting
        // using the access token or Authentication is ActiveDirectoryMSI
        if (!access_token_used && !activeDirectoryMSI) {
--- a/test/functional/pdo_sqlsrv/pdo_azure_ad_managed_identity.phpt
+++ b/test/functional/pdo_sqlsrv/pdo_azure_ad_managed_identity.phpt
@ -48,10 +48,42 @@ function connectInvalidServer()
    }
 }

+function connectInvalidServerWithUser()
+{
+    global $server, $driver, $uid, $pwd;
+    
+    try {
+        $conn = new PDO("sqlsrv:server = $server; driver=$driver;", $uid, $pwd);
+        
+        $msodbcsqlVer = $conn->getAttribute(PDO::ATTR_CLIENT_VERSION)["DriverVer"];
+        $version = explode(".", $msodbcsqlVer);
+
+        if ($version[0] < 17 || $version[1] < 3) {
+            //skip the rest of this test, which requires ODBC driver 17.3 or above
+            return;
+        }
+        unset($conn);
+
+        // Try connecting to an invalid server, should get an exception from ODBC
+        $connectionInfo = "Authentication = ActiveDirectoryMsi;";
+        $user = "user";
+        $testCase = 'invalidServer';
+        try {
+            $conn = new PDO("sqlsrv:server = invalidServer; $connectionInfo", $user, null);
+            echo $message . $testCase . PHP_EOL;
+        } catch(PDOException $e) {
+            // TODO: check the exception message here
+        }
+    } catch(PDOException $e) {
+        print_r($e->getMessage());
+    }
+}
+
 require_once('MsSetup.inc');

 // Make a connection to an invalid server
 connectInvalidServer();
+connectInvalidServerWithUser();

 echo "Done\n";
 ?>