Merge branch 'master' of github.com:mongodb/mongo-python-driver

Author: blink1073

.evergreen/install-dependencies.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
-set -o xtrace   # Write all commands first to stderr
-set -o errexit  # Exit the script with error if any of the commands fail
+set -eu
 
 # Copy PyMongo's test certificates over driver-evergreen-tools'
 cp ${PROJECT_DIRECTORY}/test/certificates/* ${DRIVERS_TOOLS}/.evergreen/x509gen/
@@ -9,7 +8,7 @@ cp ${PROJECT_DIRECTORY}/test/certificates/* ${DRIVERS_TOOLS}/.evergreen/x509gen/
 cp ${PROJECT_DIRECTORY}/test/certificates/client.pem ${MONGO_ORCHESTRATION_HOME}/lib/client.pem
 
 # Ensure hatch is installed.
-bash ${PROJECT_DIRECTORY}/scripts/ensure-hatch.sh
+bash ${PROJECT_DIRECTORY}/.evergreen/scripts/ensure-hatch.sh
 
 if [ -w /etc/hosts ]; then
   SUDO=""

.evergreen/scripts/configure-env.sh

@@ -1,8 +1,10 @@
-#!/bin/bash -eux
+#!/bin/bash
+
+set -eu
 
 # Get the current unique version of this checkout
 # shellcheck disable=SC2154
-if [ "$is_patch" = "true" ]; then
+if [ "${is_patch:-}" = "true" ]; then
     # shellcheck disable=SC2154
     CURRENT_VERSION="$(git describe)-patch-$version_id"
 else
@@ -14,7 +16,7 @@ DRIVERS_TOOLS="$(dirname $PROJECT_DIRECTORY)/drivers-tools"
 CARGO_HOME=${CARGO_HOME:-${DRIVERS_TOOLS}/.cargo}
 
 # Python has cygwin path problems on Windows. Detect prospective mongo-orchestration home directory
-if [ "Windows_NT" = "$OS" ]; then # Magic variable in cygwin
+if [ "Windows_NT" = "${OS:-}" ]; then # Magic variable in cygwin
     DRIVERS_TOOLS=$(cygpath -m $DRIVERS_TOOLS)
     PROJECT_DIRECTORY=$(cygpath -m $PROJECT_DIRECTORY)
     CARGO_HOME=$(cygpath -m $CARGO_HOME)
@@ -59,7 +61,7 @@ export CARGO_HOME="$CARGO_HOME"
 export TMPDIR="$MONGO_ORCHESTRATION_HOME/db"
 export PATH="$MONGODB_BINARIES:$PATH"
 # shellcheck disable=SC2154
-export PROJECT="$project"
+export PROJECT="${project:-mongo-python-driver}"
 export PIP_QUIET=1
 EOT
 

.evergreen/scripts/prepare-resources.sh

@@ -1,7 +1,10 @@
 #!/bin/bash
+set -eu
+
+HERE=$(dirname ${BASH_SOURCE:-$0})
+pushd $HERE
+. env.sh
 
-. src/.evergreen/scripts/env.sh
-set -o xtrace
 rm -rf $DRIVERS_TOOLS
 if [ "$PROJECT" = "drivers-tools" ]; then
     # If this was a patch build, doing a fresh clone would not actually test the patch
@@ -10,3 +13,5 @@ else
     git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS
 fi
 echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" >$MONGO_ORCHESTRATION_HOME/orchestration.config
+
+popd

.evergreen/scripts/run-enterprise-auth-tests.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
+set -eu
 
 # Disable xtrace for security reasons (just in case it was accidentally set).
 set +x
 # Use the default python to bootstrap secrets.
-PYTHON_BINARY="" bash "${DRIVERS_TOOLS}"/.evergreen/auth_aws/setup_secrets.sh drivers/enterprise_auth
+bash "${DRIVERS_TOOLS}"/.evergreen/secrets_handling/setup-secrets.sh drivers/enterprise_auth
 TEST_ENTERPRISE_AUTH=1 AUTH=auth bash "${PROJECT_DIRECTORY}"/.evergreen/hatch.sh test:test-eg

.evergreen/scripts/setup-system.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eu
+
+HERE=$(dirname ${BASH_SOURCE:-$0})
+pushd "$(dirname "$(dirname $HERE)")"
+echo "Setting up system..."
+bash .evergreen/scripts/configure-env.sh
+source .evergreen/scripts/env.sh
+bash .evergreen/scripts/prepare-resources.sh
+bash $DRIVERS_TOOLS/.evergreen/setup.sh
+bash .evergreen/scripts/install-dependencies.sh
+popd
+echo "Setting up system... done."

.evergreen/setup-spawn-host.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eu
+
+if [ -z "$1" ]
+  then
+    echo "Must supply a spawn host URL!"
+fi
+
+target=$1
+
+echo "Copying files to $target..."
+rsync -az -e ssh --exclude '.git' --filter=':- .gitignore' -r . $target:/home/ec2-user/mongo-python-driver
+echo "Copying files to $target... done"
+
+ssh $target /home/ec2-user/mongo-python-driver/.evergreen/scripts/setup-system.sh

.evergreen/sync-spawn-host.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ -z "$1" ]
+  then
+    echo "Must supply a spawn host URL!"
+fi
+
+target=$1
+
+echo "Syncing files to $target..."
+# shellcheck disable=SC2034
+fswatch -o . | while read f; do rsync -hazv -e ssh --exclude '.git' --filter=':- .gitignore' -r . $target:/home/ec2-user/mongo-python-driver; done
+echo "Syncing files to $target... done."

pymongo/asynchronous/auth.py

@@ -177,13 +177,20 @@ def _auth_key(nonce: str, username: str, password: str) -> str:
     return md5hash.hexdigest()
 
 
-def _canonicalize_hostname(hostname: str) -> str:
+def _canonicalize_hostname(hostname: str, option: str | bool) -> str:
     """Canonicalize hostname following MIT-krb5 behavior."""
     # https://github.com/krb5/krb5/blob/d406afa363554097ac48646a29249c04f498c88e/src/util/k5test.py#L505-L520
+    if option in [False, "none"]:
+        return hostname
+
     af, socktype, proto, canonname, sockaddr = socket.getaddrinfo(
         hostname, None, 0, 0, socket.IPPROTO_TCP, socket.AI_CANONNAME
     )[0]
 
+    # For forward just to resolve the cname as dns.lookup() will not return it.
+    if option == "forward":
+        return canonname.lower()
+
     try:
         name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
     except socket.gaierror:
@@ -205,9 +212,8 @@ async def _authenticate_gssapi(credentials: MongoCredential, conn: AsyncConnecti
         props = credentials.mechanism_properties
         # Starting here and continuing through the while loop below - establish
         # the security context. See RFC 4752, Section 3.1, first paragraph.
-        host = conn.address[0]
-        if props.canonicalize_host_name:
-            host = _canonicalize_hostname(host)
+        host = props.service_host or conn.address[0]
+        host = _canonicalize_hostname(host, props.canonicalize_host_name)
         service = props.service_name + "@" + host
         if props.service_realm is not None:
             service = service + "@" + props.service_realm

pymongo/synchronous/auth.py

@@ -174,13 +174,20 @@ def _auth_key(nonce: str, username: str, password: str) -> str:
     return md5hash.hexdigest()
 
 
-def _canonicalize_hostname(hostname: str) -> str:
+def _canonicalize_hostname(hostname: str, option: str | bool) -> str:
     """Canonicalize hostname following MIT-krb5 behavior."""
     # https://github.com/krb5/krb5/blob/d406afa363554097ac48646a29249c04f498c88e/src/util/k5test.py#L505-L520
+    if option in [False, "none"]:
+        return hostname
+
     af, socktype, proto, canonname, sockaddr = socket.getaddrinfo(
         hostname, None, 0, 0, socket.IPPROTO_TCP, socket.AI_CANONNAME
     )[0]
 
+    # For forward just to resolve the cname as dns.lookup() will not return it.
+    if option == "forward":
+        return canonname.lower()
+
     try:
         name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
     except socket.gaierror:
@@ -202,9 +209,8 @@ def _authenticate_gssapi(credentials: MongoCredential, conn: Connection) -> None
         props = credentials.mechanism_properties
         # Starting here and continuing through the while loop below - establish
         # the security context. See RFC 4752, Section 3.1, first paragraph.
-        host = conn.address[0]
-        if props.canonicalize_host_name:
-            host = _canonicalize_hostname(host)
+        host = props.service_host or conn.address[0]
+        host = _canonicalize_hostname(host, props.canonicalize_host_name)
         service = props.service_name + "@" + host
         if props.service_realm is not None:
             service = service + "@" + props.service_realm

test/asynchronous/test_auth.py

@@ -35,7 +35,7 @@
 import pytest
 
 from pymongo import AsyncMongoClient, monitoring
-from pymongo.asynchronous.auth import HAVE_KERBEROS
+from pymongo.asynchronous.auth import HAVE_KERBEROS, _canonicalize_hostname
 from pymongo.auth_shared import _build_credentials_tuple
 from pymongo.errors import OperationFailure
 from pymongo.hello import HelloCompat
@@ -96,10 +96,11 @@ def setUpClass(cls):
         cls.service_realm_required = (
             GSSAPI_SERVICE_REALM is not None and GSSAPI_SERVICE_REALM not in GSSAPI_PRINCIPAL
         )
-        mech_properties = f"SERVICE_NAME:{GSSAPI_SERVICE_NAME}"
-        mech_properties += f",CANONICALIZE_HOST_NAME:{GSSAPI_CANONICALIZE}"
+        mech_properties = dict(
+            SERVICE_NAME=GSSAPI_SERVICE_NAME, CANONICALIZE_HOST_NAME=GSSAPI_CANONICALIZE
+        )
         if GSSAPI_SERVICE_REALM is not None:
-            mech_properties += f",SERVICE_REALM:{GSSAPI_SERVICE_REALM}"
+            mech_properties["SERVICE_REALM"] = GSSAPI_SERVICE_REALM
         cls.mech_properties = mech_properties
 
     async def test_credentials_hashing(self):
@@ -167,7 +168,10 @@ async def test_gssapi_simple(self):
         await client[GSSAPI_DB].collection.find_one()
 
         # Log in using URI, with authMechanismProperties.
-        mech_uri = uri + f"&authMechanismProperties={self.mech_properties}"
+        mech_properties_str = ""
+        for key, value in self.mech_properties.items():
+            mech_properties_str += f"{key}:{value},"
+        mech_uri = uri + f"&authMechanismProperties={mech_properties_str[:-1]}"
         client = self.simple_client(mech_uri)
         await client[GSSAPI_DB].collection.find_one()
 
@@ -268,6 +272,58 @@ async def test_gssapi_threaded(self):
                 thread.join()
                 self.assertTrue(thread.success)
 
+    async def test_gssapi_canonicalize_host_name(self):
+        # Test the low level method.
+        assert GSSAPI_HOST is not None
+        result = _canonicalize_hostname(GSSAPI_HOST, "forward")
+        if "compute-1.amazonaws.com" not in result:
+            self.assertEqual(result, GSSAPI_HOST)
+        result = _canonicalize_hostname(GSSAPI_HOST, "forwardAndReverse")
+        self.assertEqual(result, GSSAPI_HOST)
+
+        # Use the equivalent named CANONICALIZE_HOST_NAME.
+        props = self.mech_properties.copy()
+        if props["CANONICALIZE_HOST_NAME"] == "true":
+            props["CANONICALIZE_HOST_NAME"] = "forwardAndReverse"
+        else:
+            props["CANONICALIZE_HOST_NAME"] = "none"
+        client = self.simple_client(
+            GSSAPI_HOST,
+            GSSAPI_PORT,
+            username=GSSAPI_PRINCIPAL,
+            password=GSSAPI_PASS,
+            authMechanism="GSSAPI",
+            authMechanismProperties=props,
+        )
+        await client.server_info()
+
+    async def test_gssapi_host_name(self):
+        props = self.mech_properties
+        props["SERVICE_HOST"] = "example.com"
+
+        # Authenticate with authMechanismProperties.
+        client = self.simple_client(
+            GSSAPI_HOST,
+            GSSAPI_PORT,
+            username=GSSAPI_PRINCIPAL,
+            password=GSSAPI_PASS,
+            authMechanism="GSSAPI",
+            authMechanismProperties=self.mech_properties,
+        )
+        with self.assertRaises(OperationFailure):
+            await client.server_info()
+
+        props["SERVICE_HOST"] = GSSAPI_HOST
+        client = self.simple_client(
+            GSSAPI_HOST,
+            GSSAPI_PORT,
+            username=GSSAPI_PRINCIPAL,
+            password=GSSAPI_PASS,
+            authMechanism="GSSAPI",
+            authMechanismProperties=self.mech_properties,
+        )
+        await client.server_info()
+
 
 class TestSASLPlain(AsyncPyMongoTestCase):
     @classmethod