CXX-360 add support for authMechanismProperties

amidvidy · amidvidy · commit 039a078c49ea · 2014-10-14T18:05:17.000-04:00
diff --git a/src/mongo/client/connection_string_test.cpp b/src/mongo/client/connection_string_test.cpp
@@ -114,6 +114,10 @@ namespace {
         { "mongodb://user@[::1]:1234,127.0.0.2:1234/?replicaSet=replName", "user", "", kSet, "replName", 2, 1, "" },
 
         { "mongodb://[::1]:1234,[::1]:1234/dbName?foo=a&c=b&replicaSet=replName", "", "", kSet, "replName", 2, 3, "dbName"},
+
+        { "mongodb://user:pwd@[::1]/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:foobar", "user", "pwd", kMaster, "", 1, 2, "" },
+
+        { "mongodb://user:pwd@[::1]/?authMechanism=GSSAPI&gssapiServiceName=foobar", "user", "pwd", kMaster, "", 1, 2, "" }
     };
 
     const InvalidURITestCase invalidCases[] = {
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp
@@ -19,6 +19,7 @@
 
 #include "mongo/platform/basic.h"
 
+#include "mongo/base/init.h"
 #include "mongo/bson/util/bson_extract.h"
 #include "mongo/bson/util/builder.h"
 #include "mongo/client/constants.h"
@@ -44,6 +45,7 @@
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/password_digest.h"
 
+#include <boost/algorithm/string/case_conv.hpp>
 #include <boost/algorithm/string/classification.hpp>
 #include <boost/algorithm/string/predicate.hpp>
 #include <boost/algorithm/string/split.hpp>
@@ -139,12 +141,53 @@ namespace mongo {
         _string = ss.str();
     }
 
+    namespace {
+        const char kAuthMechanismPropertiesKey[] = "mechanism_properties";
+
+        // CANONICALIZE_HOST_NAME is currently unsupported
+        const char kAuthServiceName[] = "SERVICE_NAME";
+        const char kAuthServiceRealm[] = "SERVICE_REALM";
+
+        const char* const kSupportedAuthMechanismProperties[] = {
+            kAuthServiceName,
+            kAuthServiceRealm
+        };
+
+        // bootleg std::end for c-style arrays.
+        template<class T, std::size_t N>
+        T* endOf(T (&arr)[N]) { return arr + N; }
+
+        BSONObj parseAuthMechanismProperties(const std::string& propStr) {
+            BSONObjBuilder bob;
+            std::vector<std::string> props;
+            boost::algorithm::split(props, propStr, boost::algorithm::is_any_of(",:"));
+            for (std::vector<std::string>::const_iterator it = props.begin();
+                 it != props.end(); ++it) {
+                std::string prop((boost::algorithm::to_upper_copy(*it))); // normalize case
+                uassert(ErrorCodes::FailedToParse,
+                         str::stream() << "authMechanismProperty: " << *it
+                                       << " is not supported",
+                         std::count(kSupportedAuthMechanismProperties,
+                                    endOf(kSupportedAuthMechanismProperties),
+                                    prop));
+                ++it;
+                uassert(ErrorCodes::FailedToParse,
+                         str::stream() << "authMechanismProperty: "
+                                       << prop << " must have a value",
+                         it != props.end());
+                bob.append(prop, *it);
+            }
+            return bob.obj();
+        }
+    }  // namespace
+
     BSONObj ConnectionString::_makeAuthObjFromOptions() const {
         BSONObjBuilder bob;
 
         // Add the username and optional password
         invariant(!_user.empty());
-        bob.append("user", _user);
+        std::string username(_user);  // may have to tack on service realm before we append
+
         if (!_password.empty())
             bob.append("pwd", _password);
 
@@ -156,10 +199,35 @@ namespace mongo {
         if (!elt.eoo())
             bob.appendAs(elt, "mechanism");
 
+        elt = _options.getField("authMechanismProperties");
+        if (!elt.eoo()) {
+            BSONObj parsed(parseAuthMechanismProperties(elt.String()));
+
+            bool hasNameProp = parsed.hasField(kAuthServiceName);
+            bool hasRealmProp = parsed.hasField(kAuthServiceRealm);
+
+            uassert(ErrorCodes::FailedToParse,
+                    "Cannot specify both gssapiServiceName and SERVICE_NAME",
+                    !(hasNameProp && _options.hasField("gssapiServiceName")));
+            // we append the parsed object so that mechanisms that don't accept it can assert.
+            bob.append(kAuthMechanismPropertiesKey, parsed);
+            // we still append using the old way the SASL code expects it
+            if (hasNameProp) {
+                bob.append("serviceName", parsed[kAuthServiceName].String());
+            }
+            // if we specified a realm, we just append it to the username as the SASL code
+            // expects it that way.
+            if (hasRealmProp) {
+                username.append("@").append(parsed[kAuthServiceRealm].String());
+            }
+        }
+
         elt = _options.getField("gssapiServiceName");
         if (!elt.eoo())
             bob.appendAs(elt, "serviceName");
 
+        bob.append("user", username);
+
         return bob.obj();
     }
 
@@ -794,6 +862,10 @@ namespace mongo {
                                                                saslCommandDigestPasswordFieldName,
                                                                true,
                                                                &digestPassword));
+            uassert(ErrorCodes::AuthenticationFailed,
+                    "Cannot set mechanism_properties when using MONGODB_CR",
+                    !params.hasField(kAuthMechanismPropertiesKey));
+
             BSONObj result;
             uassert(result["code"].Int(),
                     result.toString(),
@@ -828,6 +900,10 @@ namespace mongo {
                     getSSLManager()->getClientSubjectName() + "\"",
                     user ==  getSSLManager()->getClientSubjectName());
 
+            uassert(ErrorCodes::AuthenticationFailed,
+                    "Cannot set mechanism_properties when using MONGODB_X509",
+                    !params.hasField(kAuthMechanismPropertiesKey));
+
             BSONObj result;
             uassert(result["code"].Int(),
                     result.toString(),
diff --git a/src/mongo/unittest/sasl_test.cpp b/src/mongo/unittest/sasl_test.cpp
@@ -15,7 +15,10 @@
 
 #include "mongo/platform/basic.h"
 
+#include <boost/scoped_ptr.hpp>
+
 #include "mongo/unittest/integration_test.h"
+#include "mongo/util/mongoutils/str.h"
 #include "mongo/client/dbclient.h"
 
 using namespace mongo;
@@ -67,4 +70,62 @@ namespace {
         ASSERT_TRUE(result["kerberos"].trueValue());
         ASSERT_EQUALS(result["authenticated"].str(), "yeah");
     }
+
+    TEST(SASLAuthentication, DISABLED_KerberosProperties) {
+        // You must run kinit -p drivers@LDAPTEST.10GEN.CC before this test
+        std::string connStr = str::stream()
+            << "mongodb://drivers@ldaptest.10gen.cc/?"
+            << "authMechanism=GSSAPI" << "&"
+            << "authMechanismProperties="
+                << "SERVICE_NAME:mongodb" << ","
+                << "SERVICE_REALM:LDAPTEST.10GEN.CC";
+
+        std::string errmsg;
+        ConnectionString parsed(ConnectionString::parse(connStr, errmsg));
+        std::cout << errmsg << std::endl;
+        boost::scoped_ptr<DBClientConnection> conn;
+
+        ASSERT_NO_THROW(conn.reset(dynamic_cast<DBClientConnection*>(parsed.connect(errmsg, 0))));
+
+        BSONObj result = conn->findOne("kerberos.test", Query("{}"));
+        ASSERT_TRUE(result["kerberos"].trueValue());
+        ASSERT_EQUALS(result["authenticated"].str(), "yeah");
+    }
+
+    TEST(SASLAuthentication, DISABLED_KerberosPropertiesInvalid) {
+        // You must run kinit -p drivers@LDAPTEST.10GEN.CC before this test
+        std::string connStr = str::stream()
+            << "mongodb://drivers@ldaptest.10gen.cc/?"
+            << "authMechanism=GSSAPI" << "&"
+            << "authMechanismProperties="
+                << "SERVICE_NAME:mongodb" << ","
+                << "SERVICE_REALM:LDAPTEST.10GEN.CC" << ","
+                << "I_AM_NOT_VALID:meow";
+
+        std::string errmsg;
+        ConnectionString parsed(ConnectionString::parse(connStr, errmsg));
+        std::cout << errmsg << std::endl;
+        boost::scoped_ptr<DBClientConnection> conn;
+        ASSERT_THROW(conn.reset(dynamic_cast<DBClientConnection*>(parsed.connect(errmsg, 0))),
+                     UserException);
+    }
+
+    TEST(SASLAuthentication, DISABLED_KerberosPropertiesRedundant) {
+        // You must run kinit -p drivers@LDAPTEST.10GEN.CC before this test
+        std::string connStr = str::stream()
+            << "mongodb://drivers@ldaptest.10gen.cc/?"
+            << "gssapiServiceName=thisshouldnotwork" << "&"  // can't set this and SERVICE_NAME
+            << "authMechanism=GSSAPI" << "&"
+            << "authMechanismProperties="
+                << "SERVICE_NAME:mongodb" << ","
+                << "SERVICE_REALM:LDAPTEST.10GEN.CC";
+
+        std::string errmsg;
+        ConnectionString parsed(ConnectionString::parse(connStr, errmsg));
+        std::cout << errmsg << std::endl;
+        boost::scoped_ptr<DBClientConnection> conn;
+        ASSERT_THROW(conn.reset(dynamic_cast<DBClientConnection*>(parsed.connect(errmsg, 0))),
+                     UserException);
+    }
+
 } // namespace
