//! # mssql-auth
//!
//! Authentication strategies for SQL Server connections.
//!
//! This crate provides various authentication methods, isolated from
//! connection logic for better modularity and testing.
//!
//! ## Supported Authentication Methods
//!
//! | Method | Feature Flag | Status | Description |
//! |--------|--------------|--------|-------------|
//! | SQL Authentication | default | ✅ Implemented | Username/password |
//! | Azure AD Token | default | ⚠️ Token handling only¹ | Pre-obtained access token |
//! | Azure Managed Identity | `azure-identity` | ⚠️ Token acquisition only¹ | VM/container identity |
//! | Service Principal | `azure-identity` | ⚠️ Token acquisition only¹ | App credentials |
//! | Integrated (Kerberos) | `integrated-auth` | ✅ Implemented | GSSAPI/Kerberos (Linux/macOS) |
//! | Windows SSPI | `sspi-auth` | ✅ Implemented | Native Windows SSPI |
//! | Certificate | `cert-auth` | ⚠️ Token acquisition only¹ | Client certificate (mTLS) |
//!
//! ¹ These providers acquire tokens, but the LOGIN7 FEDAUTH feature
//! extension is not yet implemented in `mssql-client`, so they cannot
//! complete a login end-to-end. `Client::connect` rejects these credential
//! types with a clear error. Tracked in
//! [#155](https://github.com/praxiomlabs/rust-mssql-driver/issues/155).
//!
//! ## Authentication Tiers
//!
//! Per ARCHITECTURE.md, authentication is tiered:
//!
//! ### Tier 1 (Core - Pure Rust, Default)
//!
//! - [`SqlServerAuth`] - Username/password via Login7 ✅ Implemented
//! - [`AzureAdAuth`] - Pre-acquired access token ⚠️ FEDAUTH login wiring pending (#155)
//!
//! ### Tier 2 (Azure Native - `azure-identity` feature) ⚠️ FEDAUTH login wiring pending (#155)
//!
//! - `ManagedIdentityAuth` - Azure VM/Container identity
//! - `ServicePrincipalAuth` - Client ID + Secret
//!
//! ### Tier 3 (Enterprise - `integrated-auth` or `sspi-auth` feature) ✅ Implemented
//!
//! - `IntegratedAuth` - Kerberos (Linux/macOS via GSSAPI)
//! - `SspiAuth` - Windows SSPI (native Windows, cross-platform via sspi-rs)
//!
//! ### Tier 4 (Certificate - `cert-auth` feature) ⚠️ FEDAUTH login wiring pending (#155)
//!
//! - `CertificateAuth` - Client certificate authentication (mTLS)
//!
//! ## Secure Credential Handling
//!
//! Enable the `zeroize` feature for secure credential handling:
//!
//! ```toml
//! mssql-auth = { version = "0.1", features = ["zeroize"] }
//! ```
//!
//! With this feature enabled, sensitive data is automatically zeroed in
//! memory when the value holding it is dropped.
//!
//! ## Example
//!
//! ```rust
//! use mssql_auth::{SqlServerAuth, AzureAdAuth, AuthProvider};
//!
//! // SQL Server authentication (placeholder credentials for illustration)
//! let sql_auth = SqlServerAuth::new("sa", "Password123!");
//! let auth_data = sql_auth.authenticate().unwrap();
//!
//! // Azure AD authentication with pre-acquired token.
//! // The token is accepted here, but the FEDAUTH login is not wired up yet (#155).
//! let azure_auth = AzureAdAuth::with_token("eyJ0eXAi...");
//! ```
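// Added example, not part of mssql-auth or of the zeroize crate: a std-only
// sketch of the zero-on-drop behaviour described under "Secure Credential
// Handling". `Secret` and `wipe_bytes` are hypothetical names.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite `buf` with volatile stores so the optimizer cannot remove the
/// writes as dead stores just before the memory is freed.
pub fn wipe_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusive reference to a u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst); // keep later accesses after the wipe
}

/// Hypothetical secret holder; NOT a type exported by mssql-auth.
pub struct Secret(Vec<u8>);

impl Secret {
    /// Reuses the String's heap buffer instead of copying it. Copies made
    /// before this call (config files, env vars, literals) are not wiped.
    pub fn new(value: String) -> Self {
        Secret(value.into_bytes())
    }

    /// Borrow the bytes only for as long as the login needs them.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl fmt::Debug for Secret {
    // Keep the value out of logs and panic messages that use `{:?}`.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

impl Drop for Secret {
    fn drop(&mut self) {
        // Extend to full capacity (no reallocation) so spare bytes are wiped too.
        let cap = self.0.capacity();
        self.0.resize(cap, 0);
        wipe_bytes(&mut self.0);
    }
}

fn main() {
    let pw = Secret::new(String::from("constructed-sample-password"));
    println!("{:?} holds {} bytes", pw, pw.expose().len());
}
```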
// Unsafe code is denied globally but allowed in the Windows CNG FFI module.
// See windows_certstore.rs for detailed SAFETY comments on each unsafe block.
// Windows SSPI FFI; see SAFETY comments in each unsafe block
// Always Encrypted cryptography
// Always Encrypted key providers
// Windows CNG FFI; see SAFETY comments in each unsafe block
// Core types
pub use Credentials;
pub use AuthError;
pub use ;
// Authentication providers
pub use ;
pub use SqlServerAuth;
// Secure credential types (with zeroize feature)
pub use ;
// Azure Identity authentication (with azure-identity feature)
pub use ;
// Integrated authentication (Kerberos/GSSAPI - with integrated-auth feature)
pub use IntegratedAuth;
// Certificate authentication (Azure AD with X.509 certificate - with cert-auth feature)
pub use CertificateAuth;
// Native Windows SSPI authentication (with sspi-auth feature, Windows only)
pub use NativeSspiAuth;
// Windows SSPI authentication via sspi-rs (with sspi-auth feature)
pub use SspiAuth;
// SSPI/GSSAPI negotiator trait (with integrated-auth or sspi-auth feature)
pub use SspiNegotiator;
// Always Encrypted infrastructure
pub use ;
// Always Encrypted cryptography (with always-encrypted feature)
pub use AeadEncryptor;
pub use ;
pub use RsaKeyUnwrapper;
// Always Encrypted key providers
pub use AzureKeyVaultProvider;
pub use WindowsCertStoreProvider;