From d21aa768ae6e84073702f0a8a70f7abbe9656818 Mon Sep 17 00:00:00 2001 From: JD Robertson <44848933+JD-Robertson@users.noreply.github.com> Date: Wed, 20 Sep 2023 10:40:57 -0500 Subject: [PATCH 1/3] Add support for LDAP authentication (#5) * Add support for LDAP authentication * Unit test for url parser changes --- lib/mongo/auth.ex | 4 ++++ lib/mongo/auth/plain.ex | 31 +++++++++++++++++++++++++++++++ lib/mongo/url_parser.ex | 1 + test/mongo/url_parser_test.exs | 20 ++++++++++++++++++++ 4 files changed, 56 insertions(+) create mode 100644 lib/mongo/auth/plain.ex diff --git a/lib/mongo/auth.ex b/lib/mongo/auth.ex index ce6afcd3..6505f8e0 100644 --- a/lib/mongo/auth.ex +++ b/lib/mongo/auth.ex @@ -39,6 +39,10 @@ defmodule Mongo.Auth do Mongo.Auth.X509 end + defp mechanism(%{wire_version: version, auth_mechanism: :plain}) when version >= 3 do + Mongo.Auth.PLAIN + end + defp mechanism(%{wire_version: version}) when version >= 3 do Mongo.Auth.SCRAM end diff --git a/lib/mongo/auth/plain.ex b/lib/mongo/auth/plain.ex new file mode 100644 index 00000000..1702a49c --- /dev/null +++ b/lib/mongo/auth/plain.ex @@ -0,0 +1,31 @@ +defmodule Mongo.Auth.PLAIN do + @moduledoc false + alias Mongo.MongoDBConnection.Utils + + def auth({nil, nil}, _db, _s) do + :ok + end + + def auth({username, password}, _db, s) do + auth_payload = build_auth_payload(username, password) + message = [saslStart: 1, mechanism: "PLAIN", payload: auth_payload] + + case Utils.command(-3, message, s) do + {:ok, _flags, %{"ok" => ok, "done" => true}} when ok == 1 -> + :ok + + {:ok, _flags, %{"ok" => ok, "errmsg" => reason, "code" => code}} when ok == 0 -> + {:error, Mongo.Error.exception(message: "auth failed for user #{username}: #{reason}", code: code)} + + error -> + error + end + end + + defp build_auth_payload(username, password) do + # https://www.ietf.org/rfc/rfc4616.txt + # Null separate listed of authorization ID (blank), username, password. These are sent as raw UTF-8. + payload = "\0#{username}\0#{password}" + %BSON.Binary{binary: payload} + end +end diff --git a/lib/mongo/url_parser.ex b/lib/mongo/url_parser.ex index 0c3202f7..c1bcb625 100644 --- a/lib/mongo/url_parser.ex +++ b/lib/mongo/url_parser.ex @@ -111,6 +111,7 @@ defmodule Mongo.UrlParser do defp decode_percent(:username, value), do: URI.decode_www_form(value) defp decode_percent(:password, value), do: URI.decode_www_form(value) + defp decode_percent(:auth_source, value), do: URI.decode_www_form(value) defp decode_percent(_other, value), do: value defp parse_query_options(opts, %{"options" => options}) when is_binary(options) do diff --git a/test/mongo/url_parser_test.exs b/test/mongo/url_parser_test.exs index 71d7fb0a..4136bb5e 100644 --- a/test/mongo/url_parser_test.exs +++ b/test/mongo/url_parser_test.exs @@ -116,5 +116,25 @@ defmodule Mongo.UrlParserTest do username = Keyword.get(opts, :username) assert username == real_username end + + test "external auth source " do + encoded_external_auth_source = URI.encode_www_form("$external") + url = "mongodb://user:password@seed1.domain.com:27017,seed2.domain.com:27017,seed3.domain.com:27017/db_name?replicaSet=set-name&authMechanism=PLAIN&authSource=#{encoded_external_auth_source}&tls=true" + + assert UrlParser.parse_url(url: url) |> Keyword.drop([:pw_safe]) == [ + password: "*****", + username: "user", + database: "db_name", + tls: true, + auth_source: "$external", + auth_mechanism: :plain, + set_name: "set-name", + seeds: [ + "seed1.domain.com:27017", + "seed2.domain.com:27017", + "seed3.domain.com:27017" + ] + ] + end end end From d3a906271c45ac6564f84d4ce5f71215db86ae7c Mon Sep 17 00:00:00 2001 From: JD Robertson <44848933+JD-Robertson@users.noreply.github.com> Date: Fri, 3 Nov 2023 15:23:25 -0500 Subject: [PATCH 2/3] Mention PLAIN auth support in the Readme (#6) * Mention PLAIN auth support in the Readme * tweak wording --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 407a0c23..f1611542 100644 --- a/README.md +++ b/README.md @@ -705,6 +705,10 @@ separated in sub folders and module namespaces. ## Auth Mechanisms For versions of Mongo 3.0 and greater, the auth mechanism defaults to SCRAM. + +If connecting to MongoDB Enterprise Edition, the "PLAIN" auth mechanism is supported for LDAP authentication. +The "GSSAPI" auth mechanism used for Kerberos authentication is not currently supported. + If you'd like to use [MONGODB-X509](https://www.mongodb.com/docs/v6.0/tutorial/configure-x509-client-authentication/) authentication, you can specify that as a `start_link` option. From 236ab31021f2665f2cb5174d0a00445fc5d8a4c1 Mon Sep 17 00:00:00 2001 From: JD Robertson <44848933+JD-Robertson@users.noreply.github.com> Date: Mon, 6 Nov 2023 10:31:57 -0600 Subject: [PATCH 3/3] Update readme (#7) --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1c38e6f9..d6baf0c7 100644 --- a/README.md +++ b/README.md @@ -706,8 +706,9 @@ separated in sub folders and module namespaces. For versions of Mongo 3.0 and greater, the auth mechanism defaults to SCRAM. -If connecting to MongoDB Enterprise Edition, the "PLAIN" auth mechanism is supported for LDAP authentication. -The "GSSAPI" auth mechanism used for Kerberos authentication is not currently supported. +If connecting to MongoDB Enterprise Edition or MongoDB Atlas, the [PLAIN](https://www.mongodb.com/docs/manual/tutorial/authenticate-nativeldap-activedirectory/) +auth mechanism is supported for LDAP authentication. The GSSAPI auth mechanism used for Kerberos authentication +is not currently supported. If you'd like to use [MONGODB-X509](https://www.mongodb.com/docs/v6.0/tutorial/configure-x509-client-authentication/) authentication, you can specify that as a `start_link` option.