FerretDB · henvic · Mar 7, 2024 · Feb 22, 2024 · Feb 22, 2024 · Feb 23, 2024
@@ -858,7 +858,7 @@ func TestGetParameterCommandAuthenticationMechanisms(t *testing.T) {
 		require.NoError(t, err)
 
 		expected := bson.D{
-			{"authenticationMechanisms", bson.A{"PLAIN"}},
+			{"authenticationMechanisms", bson.A{"SCRAM-SHA-1", "SCRAM-SHA-256", "PLAIN"}},
 			{"ok", float64(1)},
 		}
 		require.Equal(t, expected, res)

@@ -0,0 +1,203 @@
+// Copyright 2021 FerretDB Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package integration
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+
+	"github.com/FerretDB/FerretDB/integration/setup"
+	"github.com/FerretDB/FerretDB/integration/shareddata"
+	"github.com/FerretDB/FerretDB/internal/types"
+	"github.com/FerretDB/FerretDB/internal/util/must"
+)
+
+func TestHello(t *testing.T) {
+	t.Parallel()
+
+	ctx, collection := setup.Setup(t, shareddata.Scalars, shareddata.Composites)
+	db := collection.Database()
+
+	var res bson.D
+
+	require.NoError(t, db.RunCommand(ctx, bson.D{
+		{"hello", "1"},
+	}).Decode(&res))
+
+	actual := ConvertDocument(t, res)
+
+	keys := []string{
+		"isWritablePrimary",
+		"maxBsonObjectSize",
+		"maxMessageSizeBytes",
+		"maxWriteBatchSize",
+		"localTime",
+		"connectionId",
+		"minWireVersion",
+		"maxWireVersion",
+		"readOnly",
+		"ok",
+	}
+
+	if !setup.IsMongoDB(t) {
+		assert.Equal(t, actual.Keys(), keys)
+	} else {
+		// MongoDB have additional keys,
+		// so just check if the keys exists on it.
+		for _, wantKey := range keys {
+			assert.Contains(t, actual.Keys(), wantKey)
+		}
+	}
+}
+
+func TestHelloWithSupportedMechs(t *testing.T) {
+	t.Parallel()
+
+	ctx, collection := setup.Setup(t, shareddata.Scalars, shareddata.Composites)
+	db := collection.Database()
+
+	usersPayload := []bson.D{
+		{
+			{"createUser", "hello_user"},
+			{"roles", bson.A{}},
+			{"pwd", "hello_password"},
+		},
+		{
+			{"createUser", "hello_user_scram1"},
+			{"roles", bson.A{}},
+			{"pwd", "hello_password"},
+			{"mechanisms", bson.A{"SCRAM-SHA-1"}},
+		},
+		{
+			{"createUser", "hello_user_scram256"},
+			{"roles", bson.A{}},
+			{"pwd", "hello_password"},
+			{"mechanisms", bson.A{"SCRAM-SHA-256"}},
+		},
+	}
+
+	if !setup.IsMongoDB(t) {
+		usersPayload = append(usersPayload, primitive.D{
+			{"createUser", "hello_user_plain"},
+			{"roles", bson.A{}},
+			{"pwd", "hello_password"},
+			{"mechanisms", bson.A{"PLAIN"}},
+		})
+	}
+
+	for _, u := range usersPayload {
+		require.NoError(t, db.RunCommand(ctx, u).Err())
+	}
+
+	testCases := []struct { //nolint:vet // used for test only
+		username string
+		db       string
+		mechs    *types.Array
+		err      bool
+	}{
+		{
+			username: "not_found",
+			db:       db.Name(),
+		},
+		{
+			username: "another_db",
+			db:       db.Name() + "_not_found",
+		},
+		{
+			username: "hello_user",
+			db:       db.Name(),
+			mechs:    must.NotFail(types.NewArray("SCRAM-SHA-1", "SCRAM-SHA-256")),
+		},
+		{
+			username: "hello_user_plain",
+			db:       db.Name(),
+			mechs:    must.NotFail(types.NewArray("PLAIN")),
+		},
+		{
+			username: "hello_user_scram1",
+			db:       db.Name(),
+			mechs:    must.NotFail(types.NewArray("SCRAM-SHA-1")),
+		},
+		{
+			username: "hello_user_scram256",
+			db:       db.Name(),
+			mechs:    must.NotFail(types.NewArray("SCRAM-SHA-256")),
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+
+		t.Run(tc.username, func(t *testing.T) {
+			t.Parallel()
+
+			var res bson.D
+
+			if tc.mechs != nil && tc.mechs.Contains("PLAIN") {
+				setup.SkipForMongoDB(t, "PLAIN authentication mechanism is not support by MongoDB")
+			}
+
+			err := db.RunCommand(ctx, bson.D{
+				{"hello", "1"},
+				{"saslSupportedMechs", tc.db + "." + tc.username},
+			}).Decode(&res)
+
+			if tc.err {
+				require.Error(t, err)
+			}
+
+			actual := ConvertDocument(t, res)
+
+			keys := []string{
+				"isWritablePrimary",
+				"maxBsonObjectSize",
+				"maxMessageSizeBytes",
+				"maxWriteBatchSize",
+				"localTime",
+				"connectionId",
+				"minWireVersion",
+				"maxWireVersion",
+				"readOnly",
+			}
+
+			if tc.mechs != nil {
+				keys = append(keys, "saslSupportedMechs")
+				mechanisms := must.NotFail(actual.Get("saslSupportedMechs"))
+
+				if !setup.IsMongoDB(t) {
+					assert.Equal(t, tc.mechs, mechanisms)
+				}
+			} else {
+				assert.False(t, actual.Has("saslSupportedMechs"))
+			}
+
+			keys = append(keys, "ok")
+
+			if !setup.IsMongoDB(t) {
+				assert.Equal(t, actual.Keys(), keys)
+			} else {
+				// MongoDB have additional keys,
+				// so just check if the keys exists on it.
+				for _, wantKey := range keys {
+					assert.Contains(t, actual.Keys(), wantKey)
+				}
+			}
+		})
+	}
+}
@@ -52,7 +52,7 @@ func (h *Handler) MsgGetParameter(ctx context.Context, msg *wire.OpMsg) (*wire.O
 		//	"settableAtStartup", <bool>,
 		//)),
 		"authenticationMechanisms", must.NotFail(types.NewDocument(
-			"value", must.NotFail(types.NewArray("PLAIN")),
+			"value", must.NotFail(types.NewArray("SCRAM-SHA-1", "SCRAM-SHA-256", "PLAIN")),
 			"settableAtRuntime", false,
 			"settableAtStartup", true,
 		)),

@@ -16,10 +16,14 @@
 
 import (
 	"context"
+	"errors"
+	"strings"
 	"time"
 
 	"github.com/FerretDB/FerretDB/internal/handler/common"
+	"github.com/FerretDB/FerretDB/internal/handler/handlererrors"
 	"github.com/FerretDB/FerretDB/internal/types"
+	"github.com/FerretDB/FerretDB/internal/util/iterator"
 	"github.com/FerretDB/FerretDB/internal/util/lazyerrors"
 	"github.com/FerretDB/FerretDB/internal/util/must"
 	"github.com/FerretDB/FerretDB/internal/wire"
@@ -36,21 +40,115 @@
 		return nil, lazyerrors.Error(err)
 	}
 
+	saslSupportedMechs, err := common.GetOptionalParam(doc, "saslSupportedMechs", "")
+	if err != nil {
+		return nil, lazyerrors.Error(err)
+	}
+
+	var saslSupportedMechsResp *types.Array
+
+	if saslSupportedMechs != "" {
+		db, username, ok := strings.Cut(saslSupportedMechs, ".")
+		if !ok {
+			return nil, handlererrors.NewCommandErrorMsg(
+				handlererrors.ErrBadValue,
+				"UserName must contain a '.' separated database.user pair",
+			)
+		}
+		// If username is empty, MongoDB doesn't send back a saslSupportedMechs property but
+		// still sends the response normally.
+		if username != "" {
+			mechs, err := h.getUserSupportedMechs(ctx, db, username)
+			if err != nil {
+				return nil, lazyerrors.Error(err)
+			}
+
+			if len(mechs) > 0 {
+				saslSupportedMechsResp = must.NotFail(types.NewArray())
+				for _, k := range mechs {
+					saslSupportedMechsResp.Append(k)
+				}
+			}
+		}
+	}
+
+	resp := must.NotFail(types.NewDocument(
+		"isWritablePrimary", true,
+		"maxBsonObjectSize", int32(types.MaxDocumentLen),
+		"maxMessageSizeBytes", int32(wire.MaxMsgLen),
+		"maxWriteBatchSize", int32(100000),
+		"localTime", time.Now(),
+		"connectionId", int32(42),
+		"minWireVersion", common.MinWireVersion,
+		"maxWireVersion", common.MaxWireVersion,
+		"readOnly", false,
+	))
+
+	if saslSupportedMechsResp != nil {
+		resp.Set("saslSupportedMechs", saslSupportedMechsResp)
+	}
+
+	resp.Set("ok", float64(1))
+
 	var reply wire.OpMsg
-	must.NoError(reply.SetSections(wire.MakeOpMsgSection(
-		must.NotFail(types.NewDocument(
-			"isWritablePrimary", true,
-			"maxBsonObjectSize", int32(types.MaxDocumentLen),
-			"maxMessageSizeBytes", int32(wire.MaxMsgLen),
-			"maxWriteBatchSize", int32(100000),
-			"localTime", time.Now(),
-			"connectionId", int32(42),
-			"minWireVersion", common.MinWireVersion,
-			"maxWireVersion", common.MaxWireVersion,
-			"readOnly", false,
-			"ok", float64(1),
-		)),
-	)))
+	must.NoError(reply.SetSections(wire.MakeOpMsgSection(resp)))
 
 	return &reply, nil
 }
+
+// getUserSupportedMechs for a given user.
+func (h *Handler) getUserSupportedMechs(ctx context.Context, db, username string) ([]string, error) {
+	adminDB, err := h.b.Database("admin")
+	if err != nil {
+		return nil, lazyerrors.Error(err)
+	}
+
+	usersCol, err := adminDB.Collection("system.users")
+	if err != nil {
+		return nil, lazyerrors.Error(err)
+	}
+
+	filter, err := usersInfoFilter(false, false, db, []usersInfoPair{
+		{username: username, db: db},
+	})
+	if err != nil {
+		return nil, lazyerrors.Error(err)
+	}
+
+	// Filter isn't being passed to the query as we are filtering after retrieving all data
+	// from the database due to limitations of the internal/backends filters.
+	qr, err := usersCol.Query(ctx, nil)
+	if err != nil {
+		return nil, lazyerrors.Error(err)
+	}
+
+	defer qr.Iter.Close()
+
+	for {
+		_, v, err := qr.Iter.Next()
+
+		if errors.Is(err, iterator.ErrIteratorDone) {
+			break
+		}
+
+		if err != nil {
+			return nil, lazyerrors.Error(err)
+		}
+
+		matches, err := common.FilterDocument(v, filter)
+		if err != nil {
+			return nil, lazyerrors.Error(err)
+		}
+
+		if !matches {
+			continue
+		}
+
+		if v.Has("credentials") {
+			credentials := must.NotFail(v.Get("credentials")).(*types.Document)
+			return credentials.Keys(), nil
+		}
+	}
+
+	return nil, nil
+}
@@ -59,7 +59,7 @@ func (h *Handler) MsgUsersInfo(ctx context.Context, msg *wire.OpMsg) (*wire.OpMs
 
 	common.Ignored(
 		document, h.L,
-		"showCredentials", "showCustomData", "showPrivileges",
+		"showCustomData", "showPrivileges",
 		"showAuthenticationRestrictions", "comment", "filter",
 	)