Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(NODE-2938): add service host mechanism property #3130

Merged
merged 5 commits into from Feb 10, 2022
Merged

feat(NODE-2938): add service host mechanism property #3130

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d51e903
feat(NODE-2938): add service host mechanism property
durran Feb 1, 2022
1c3932b
test(NODE-2938): minor test fixes
durran Feb 9, 2022
8870edc
test(NODE-2938): fix failure message
durran Feb 10, 2022
a52af11
test(NODE-2938): fix kerberos tests
durran Feb 10, 2022
4f111d7
test(NODE-3777): add skip reason in tests
durran Feb 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 4 additions & 1 deletion src/cmap/auth/gssapi.ts
View file
Open in desktop
Expand Up @@ -16,6 +16,7 @@ type MechanismProperties = {
/** @deprecated use `CANONICALIZE_HOST_NAME` instead */
gssapiCanonicalizeHostName?: boolean;
CANONICALIZE_HOST_NAME?: boolean;
SERVICE_HOST?: string;
SERVICE_NAME?: string;
SERVICE_REALM?: string;
};
Expand Down Expand Up @@ -72,6 +73,7 @@ export class GSSAPI extends AuthProvider {
});
}
}

function makeKerberosClient(authContext: AuthContext, callback: Callback<KerberosClient>): void {
const { hostAddress } = authContext.options;
const { credentials } = authContext;
Expand Down Expand Up @@ -102,7 +104,8 @@ function makeKerberosClient(authContext: AuthContext, callback: Callback<Kerbero
Object.assign(initOptions, { user: username, password: password });
}

let spn = `${serviceName}${process.platform === 'win32' ? '/' : '@'}${host}`;
const spnHost = mechanismProperties.SERVICE_HOST ?? host;
let spn = `${serviceName}${process.platform === 'win32' ? '/' : '@'}${spnHost}`;
if ('SERVICE_REALM' in mechanismProperties) {
spn = `${spn}@${mechanismProperties.SERVICE_REALM}`;
}
Expand Down
1 change: 1 addition & 0 deletions src/cmap/auth/mongo_credentials.ts
View file
Open in desktop
Expand Up @@ -27,6 +27,7 @@ function getDefaultAuthMechanism(hello?: Document): AuthMechanism {

/** @public */
export interface AuthMechanismProperties extends Document {
SERVICE_HOST?: string;
SERVICE_NAME?: string;
SERVICE_REALM?: string;
CANONICALIZE_HOST_NAME?: boolean;
Expand Down
38 changes: 37 additions & 1 deletion test/manual/kerberos.test.js
View file
Open in desktop
Expand Up @@ -41,6 +41,7 @@ describe('Kerberos', function () {
return;
}
let krb5Uri = process.env.MONGODB_URI;
const parts = krb5Uri.split('@', 2);

if (!process.env.KRB5_PRINCIPAL) {
console.error('skipping Kerberos tests, KRB5_PRINCIPAL environment variable is not defined');
Expand All @@ -52,7 +53,6 @@ describe('Kerberos', function () {
if (process.env.LDAPTEST_PASSWORD == null) {
throw new Error('The env parameter LDAPTEST_PASSWORD must be set');
}
const parts = krb5Uri.split('@', 2);
krb5Uri = `${parts[0]}:${process.env.LDAPTEST_PASSWORD}@${parts[1]}`;
}

Expand Down Expand Up @@ -97,6 +97,42 @@ describe('Kerberos', function () {
});
});

context('when passing SERVICE_HOST as an auth mech option', function () {
context('when the SERVICE_HOST is invalid', function () {
const client = new MongoClient(`${krb5Uri}&maxPoolSize=1`, {
authMechanismProperties: {
SERVICE_HOST: 'example.com'
}
});

it('fails to authenticate', async function () {
let expectedError;
await client.connect().catch(e => {
expectedError = e;
});
if (!expectedError) {
expect.fail('Expected connect with invalid SERVICE_HOST to fail');
}
expect(expectedError).property('message').to.include('Authentication failed');
dariakp marked this conversation as resolved.
Show resolved Hide resolved
});
});

context('when the SERVICE_HOST is valid', function () {
const client = new MongoClient(`${krb5Uri}&maxPoolSize=1`, {
authMechanismProperties: {
SERVICE_HOST: 'ldaptest.10gen.cc'
}
});

it('authenticates', function (done) {
client.connect(function (err, client) {
expect(err).to.not.exist;
verifyKerberosAuthentication(client, done);
});
});
});
});

describe('should use the SERVICE_NAME property', function () {
it('as an option handed to the MongoClient', function (done) {
const client = new MongoClient(`${krb5Uri}&maxPoolSize=1`, {
Expand Down
7 changes: 4 additions & 3 deletions test/spec/auth/connection-string.json
View file
Open in desktop
Expand Up @@ -80,7 +80,7 @@
},
{
"description": "should accept generic mechanism property (GSSAPI)",
"uri": "mongodb://user%40DOMAIN.COM@localhost/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true",
"uri": "mongodb://user%40DOMAIN.COM@localhost/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com",
"valid": true,
"credential": {
"username": "user@DOMAIN.COM",
Expand All @@ -89,7 +89,8 @@
"mechanism": "GSSAPI",
"mechanism_properties": {
"SERVICE_NAME": "other",
"CANONICALIZE_HOST_NAME": true
"CANONICALIZE_HOST_NAME": true,
"SERVICE_HOST": "example.com"
}
}
},
Expand Down Expand Up @@ -368,4 +369,4 @@
"valid": false
}
]
}
}
3 changes: 2 additions & 1 deletion test/spec/auth/connection-string.yml
View file
Open in desktop
Expand Up @@ -64,7 +64,7 @@ tests:
SERVICE_NAME: "mongodb"
-
description: "should accept generic mechanism property (GSSAPI)"
uri: "mongodb://user%40DOMAIN.COM@localhost/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true"
uri: "mongodb://user%40DOMAIN.COM@localhost/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com"
valid: true
credential:
username: "user@DOMAIN.COM"
Expand All @@ -74,6 +74,7 @@ tests:
mechanism_properties:
SERVICE_NAME: "other"
CANONICALIZE_HOST_NAME: true
SERVICE_HOST: "example.com"
-
description: "should accept the password (GSSAPI)"
uri: "mongodb://user%40DOMAIN.COM:password@localhost/?authMechanism=GSSAPI&authSource=$external"
Expand Down
5 changes: 3 additions & 2 deletions test/spec/connection-string/valid-auth.json
View file
Open in desktop
Expand Up @@ -263,7 +263,7 @@
},
{
"description": "Escaped username (GSSAPI)",
"uri": "mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true&authMechanism=GSSAPI",
"uri": "mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authMechanism=GSSAPI",
"valid": true,
"warning": false,
"hosts": [
Expand All @@ -282,7 +282,8 @@
"authmechanism": "GSSAPI",
"authmechanismproperties": {
"SERVICE_NAME": "other",
"CANONICALIZE_HOST_NAME": true
"CANONICALIZE_HOST_NAME": true,
"SERVICE_HOST": "example.com"
}
}
},
Expand Down
5 changes: 3 additions & 2 deletions test/spec/connection-string/valid-auth.yml
View file
Open in desktop
Expand Up @@ -206,7 +206,7 @@ tests:
authmechanism: "MONGODB-X509"
-
description: "Escaped username (GSSAPI)"
uri: "mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true&authMechanism=GSSAPI"
uri: "mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authMechanism=GSSAPI"
valid: true
warning: false
hosts:
Expand All @@ -222,7 +222,8 @@ tests:
authmechanism: "GSSAPI"
authmechanismproperties:
SERVICE_NAME: "other"
CANONICALIZE_HOST_NAME: true
CANONICALIZE_HOST_NAME: true,
SERVICE_HOST: "example.com"
-
description: "At-signs in options aren't part of the userinfo"
uri: "mongodb://alice:secret@example.com/admin?replicaset=my@replicaset"
Expand Down
5 changes: 3 additions & 2 deletions test/spec/uri-options/auth-options.json
View file
Open in desktop
Expand Up @@ -2,7 +2,7 @@
"tests": [
{
"description": "Valid auth options are parsed correctly (GSSAPI)",
"uri": "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true&authSource=$external",
"uri": "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authSource=$external",
"valid": true,
"warning": false,
"hosts": null,
Expand All @@ -11,7 +11,8 @@
"authMechanism": "GSSAPI",
"authMechanismProperties": {
"SERVICE_NAME": "other",
"CANONICALIZE_HOST_NAME": true
"CANONICALIZE_HOST_NAME": true,
"SERVICE_HOST": "example.com"
},
"authSource": "$external"
}
Expand Down
5 changes: 3 additions & 2 deletions test/spec/uri-options/auth-options.yml
View file
Open in desktop
@@ -1,7 +1,7 @@
tests:
-
description: "Valid auth options are parsed correctly (GSSAPI)"
uri: "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true&authSource=$external"
uri: "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authSource=$external"
valid: true
warning: false
hosts: ~
Expand All @@ -10,7 +10,8 @@ tests:
authMechanism: "GSSAPI"
authMechanismProperties:
SERVICE_NAME: "other"
CANONICALIZE_HOST_NAME: true
CANONICALIZE_HOST_NAME: true,
SERVICE_HOST: "example.com"
authSource: "$external"
-
description: "Valid auth options are parsed correctly (SCRAM-SHA-1)"
Expand Down
3 changes: 2 additions & 1 deletion test/unit/connection_string.test.ts
View file
Open in desktop
Expand Up @@ -77,9 +77,10 @@ describe('Connection String', function () {

it('should parse `authMechanismProperties`', function () {
const options = parseOptions(
'mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,SERVICE_REALM:blah,CANONICALIZE_HOST_NAME:true&authMechanism=GSSAPI'
'mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,SERVICE_REALM:blah,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authMechanism=GSSAPI'
);
expect(options.credentials.mechanismProperties).to.deep.include({
SERVICE_HOST: 'example.com',
SERVICE_NAME: 'other',
SERVICE_REALM: 'blah',
CANONICALIZE_HOST_NAME: true
Expand Down