mssql-auth 0.8.0

Authentication strategies for SQL Server connections
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! # mssql-auth
//!
//! Authentication strategies for SQL Server connections.
//!
//! This crate provides various authentication methods, isolated from
//! connection logic for better modularity and testing.
//!
//! ## Supported Authentication Methods
//!
//! | Method | Feature Flag | Status | Description |
//! |--------|--------------|--------|-------------|
//! | SQL Authentication | default | ✅ Implemented | Username/password |
//! | Azure AD Token | default | ✅ Implemented | Pre-obtained access token |
//! | Azure Managed Identity | `azure-identity` | ✅ Implemented | VM/container identity |
//! | Service Principal | `azure-identity` | ✅ Implemented | App credentials |
//! | Integrated (Kerberos) | `integrated-auth` | ✅ Implemented | GSSAPI/Kerberos (Linux/macOS) |
//! | Windows SSPI | `sspi-auth` | ✅ Implemented | Native Windows SSPI |
//! | Certificate | `cert-auth` | ✅ Implemented | Client certificate (mTLS) |
//!
//! ## Authentication Tiers
//!
//! Per ARCHITECTURE.md, authentication is tiered:
//!
//! ### Tier 1 (Core - Pure Rust, Default) ✅ Implemented
//!
//! - [`SqlServerAuth`] - Username/password via Login7
//! - [`AzureAdAuth`] - Pre-acquired access token
//!
//! ### Tier 2 (Azure Native - `azure-identity` feature) ✅ Implemented
//!
//! - `ManagedIdentityAuth` - Azure VM/Container identity
//! - `ServicePrincipalAuth` - Client ID + Secret
//!
//! ### Tier 3 (Enterprise - `integrated-auth` or `sspi-auth` feature) ✅ Implemented
//!
//! - `IntegratedAuth` - Kerberos (Linux/macOS via GSSAPI)
//! - `SspiAuth` - Windows SSPI (native Windows, cross-platform via sspi-rs)
//!
//! ### Tier 4 (Certificate - `cert-auth` feature) ✅ Implemented
//!
//! - `CertificateAuth` - Client certificate authentication (mTLS)
//!
//! ## Secure Credential Handling
//!
//! Enable the `zeroize` feature for secure credential handling:
//!
//! ```toml
//! mssql-auth = { version = "0.1", features = ["zeroize"] }
//! ```
//!
//! This enables secure credential handling that automatically zeroes
//! sensitive data from memory when dropped.
//!
//! ## Example
//!
//! ```rust
//! use mssql_auth::{SqlServerAuth, AzureAdAuth, AuthProvider};
//!
//! // SQL Server authentication
//! let sql_auth = SqlServerAuth::new("sa", "Password123!");
//! let auth_data = sql_auth.authenticate().unwrap();
//!
//! // Azure AD authentication with pre-acquired token
//! let azure_auth = AzureAdAuth::with_token("eyJ0eXAi...");
//! ```

#![warn(missing_docs)]
// Unsafe code is denied globally but allowed in the Windows CNG FFI module.
// See windows_certstore.rs for detailed SAFETY comments on each unsafe block.
#![deny(unsafe_code)]

pub mod azure_ad;
#[cfg(feature = "azure-identity")]
pub mod azure_identity_auth;
#[cfg(feature = "cert-auth")]
pub mod cert_auth;
pub mod credentials;
pub mod encryption;
pub mod error;
#[cfg(feature = "integrated-auth")]
pub mod integrated_auth;
#[cfg(any(feature = "integrated-auth", feature = "sspi-auth"))]
pub mod negotiator;
pub mod provider;
pub mod sql_auth;
#[cfg(feature = "sspi-auth")]
pub mod sspi_auth;

// Always Encrypted cryptography
#[cfg(feature = "always-encrypted")]
pub mod aead;
#[cfg(feature = "always-encrypted")]
pub mod key_store;
#[cfg(feature = "always-encrypted")]
pub mod key_unwrap;

// Always Encrypted key providers
#[cfg(feature = "azure-keyvault")]
pub mod azure_keyvault;
#[cfg(all(windows, feature = "windows-certstore"))]
#[allow(unsafe_code)] // Windows CNG FFI; see SAFETY comments in each unsafe block
pub mod windows_certstore;

// Core types
pub use credentials::Credentials;
pub use error::AuthError;
pub use provider::{AsyncAuthProvider, AuthData, AuthMethod, AuthProvider};

// Authentication providers
pub use azure_ad::{AzureAdAuth, FedAuthLibrary};
pub use sql_auth::SqlServerAuth;

// Secure credential types (with zeroize feature)
#[cfg(feature = "zeroize")]
pub use credentials::{SecretString, SecureCredentials};

// Azure Identity authentication (with azure-identity feature)
#[cfg(feature = "azure-identity")]
pub use azure_identity_auth::{ManagedIdentityAuth, ServicePrincipalAuth};

// Integrated authentication (Kerberos/GSSAPI - with integrated-auth feature)
#[cfg(feature = "integrated-auth")]
pub use integrated_auth::IntegratedAuth;

// Certificate authentication (Azure AD with X.509 certificate - with cert-auth feature)
#[cfg(feature = "cert-auth")]
pub use cert_auth::CertificateAuth;

// Windows SSPI authentication (with sspi-auth feature)
#[cfg(feature = "sspi-auth")]
pub use sspi_auth::SspiAuth;

// SSPI/GSSAPI negotiator trait (with integrated-auth or sspi-auth feature)
#[cfg(any(feature = "integrated-auth", feature = "sspi-auth"))]
pub use negotiator::SspiNegotiator;

// Always Encrypted infrastructure
pub use encryption::{
    CekMetadata, ColumnEncryptionConfig, ColumnEncryptionInfo, EncryptedValue, EncryptionError,
    EncryptionType, KeyStoreProvider,
};

// Always Encrypted cryptography (with always-encrypted feature)
#[cfg(feature = "always-encrypted")]
pub use aead::AeadEncryptor;
#[cfg(feature = "always-encrypted")]
pub use key_store::{CekCache, CekCacheKey, InMemoryKeyStore};
#[cfg(feature = "always-encrypted")]
pub use key_unwrap::RsaKeyUnwrapper;

// Always Encrypted key providers
#[cfg(feature = "azure-keyvault")]
pub use azure_keyvault::AzureKeyVaultProvider;
#[cfg(all(windows, feature = "windows-certstore"))]
pub use windows_certstore::WindowsCertStoreProvider;