fix(data-service): update how we set ALLOWED_HOSTS when enableUntrustedEndpoints is true COMPASS-6916 (#4523)

Author: Anemy

packages/data-service/src/connect-mongo-client.spec.ts

@@ -290,17 +290,47 @@ describe('prepareOIDCOptions', function () {
     ]);
   });
 
-  it('sets ALLOWED_HOSTS on the authMechanismProperties (non-url) to * when enableUntrustedEndpoints is true', function () {
-    const options = prepareOIDCOptions({
-      connectionString: 'mongodb://localhost:27017',
-      oidc: {
-        enableUntrustedEndpoints: true,
-      },
-    });
+  it('maps ALLOWED_HOSTS on the authMechanismProperties (non-url) when enableUntrustedEndpoints is true', function () {
+    function actual(connectionString: string) {
+      return prepareOIDCOptions({
+        connectionString,
+        oidc: {
+          enableUntrustedEndpoints: true,
+        },
+      }).authMechanismProperties;
+    }
 
-    expect(options.authMechanismProperties).to.deep.equal({
-      ALLOWED_HOSTS: ['*'],
-    });
+    function expected(ALLOWED_HOSTS: string[]) {
+      return { ALLOWED_HOSTS };
+    }
+
+    expect(actual('mongodb://localhost/')).to.deep.equal(
+      expected(['localhost'])
+    );
+    expect(actual('mongodb://localhost:27017/')).to.deep.equal(
+      expected(['localhost'])
+    );
+    expect(actual('mongodb://localhost:12345/')).to.deep.equal(
+      expected(['localhost'])
+    );
+    expect(actual('mongodb://localhost:12345,[::1]/')).to.deep.equal(
+      expected(['localhost', '::1'])
+    );
+    expect(actual('mongodb://localhost,[::1]:999/')).to.deep.equal(
+      expected(['localhost', '::1'])
+    );
+    expect(actual('mongodb://localhost,bar.foo.net/')).to.deep.equal(
+      expected(['localhost', 'bar.foo.net'])
+    );
+    expect(actual('mongodb+srv://bar.foo.net/')).to.deep.equal(
+      expected(['*.foo.net'])
+    );
+    expect(actual('mongodb://127.0.0.1:12345/')).to.deep.equal(
+      expected(['127.0.0.1'])
+    );
+    expect(actual('mongodb://2130706433:12345/')).to.deep.equal(
+      expected(['2130706433'])
+    ); // decimal IPv4
   });
 
   it('does not set ALLOWED_HOSTS on the authMechanismProperties (non-url) when enableUntrustedEndpoints is not set', function () {

packages/data-service/src/connect-mongo-client.ts

@@ -7,8 +7,10 @@ import type {
 } from '@mongodb-js/devtools-connect';
 import type SSHTunnel from '@mongodb-js/ssh-tunnel';
 import EventEmitter from 'events';
-import { redactConnectionOptions, redactConnectionString } from './redact';
+import ConnectionString from 'mongodb-connection-string-url';
 import _ from 'lodash';
+
+import { redactConnectionOptions, redactConnectionString } from './redact';
 import type { ConnectionOptions } from './connection-options';
 import {
   forceCloseTunnel,
@@ -28,6 +30,36 @@ export type CloneableMongoClient = MongoClient & {
 
 export type ReauthenticationHandler = () => PromiseLike<void> | void;
 
+// Return an ALLOWED_HOSTS value that matches the hosts listed in the connection
+// string, including possible SRV "sibling" domains.
+function matchingAllowedHosts(
+  connectionOptions: Readonly<ConnectionOptions>
+): string[] {
+  const connectionString = new ConnectionString(
+    connectionOptions.connectionString,
+    { looseValidation: true }
+  );
+  const suffixes = connectionString.hosts.map((hostStr) => {
+    // eslint-disable-next-line
+    const { host } = hostStr.match(/^(?<host>.+?)(?<port>:[^:\]\[]+)?$/)
+      ?.groups!;
+    if (host.startsWith('[') && host.endsWith(']')) {
+      return host.slice(1, -1); // IPv6
+    }
+    if (host.match(/^[0-9.]+$/)) {
+      return host; // IPv4
+    }
+    if (!host.includes('.') || !connectionString.isSRV) {
+      return host;
+    }
+    // An SRV record for foo.bar.net can resolve to any hosts that match `*.bar.net`
+    const parts = host.split('.');
+    parts[0] = '*';
+    return parts.join('.');
+  });
+  return [...new Set(suffixes)];
+}
+
 export function prepareOIDCOptions(
   connectionOptions: Readonly<ConnectionOptions>,
   signal?: AbortSignal,
@@ -51,10 +83,11 @@ export function prepareOIDCOptions(
     return allowedFlows;
   };
 
-  // Set the driver's `authMechanismProperties` (non-url)
-  // `ALLOWED_HOSTS` value to `*`.
   if (connectionOptions.oidc?.enableUntrustedEndpoints) {
-    options.authMechanismProperties.ALLOWED_HOSTS = ['*'];
+    // Set the driver's `authMechanismProperties` (non-url) `ALLOWED_HOSTS` value
+    // to match the connection string hosts, including possible SRV "sibling" domains.
+    options.authMechanismProperties.ALLOWED_HOSTS =
+      matchingAllowedHosts(connectionOptions);
   }
 
   // @ts-expect-error Will go away on @types/node update

packages/data-service/src/connection-options.ts

@@ -6,8 +6,8 @@ export type OIDCOptions = Omit<
   NonNullable<DevtoolsConnectOptions['oidc']>,
   'notifyDeviceFlow' | 'signal' | 'allowedFlows'
 > & {
-  // This sets the driver's `authMechanismProperties` (non-url)
-  // `ALLOWED_HOSTS` value to `*`.
+  // Set the driver's `authMechanismProperties` (non-url) `ALLOWED_HOSTS` value
+  // to match the connection string hosts, including possible SRV "sibling" domains.
   enableUntrustedEndpoints?: boolean;
 
   allowedFlows?: ExtractArrayEntryType<