CSHARP-3033: Support speculative MONGODB-X509 authentication attempts in isMaster

Author: vincentkam

src/MongoDB.Driver.Core/Core/Authentication/MongoDBX509Authenticator.cs

@@ -69,6 +69,11 @@ public void Authenticate(IConnection connection, ConnectionDescription descripti
             Ensure.IsNotNull(description, nameof(description));
             EnsureUsernameIsNotNullOrNullIsSupported(connection, description);
 
+            if (description.IsMasterResult.SpeculativeAuthenticate != null)
+            {
+                return;
+            }
+
             try
             {
                 var protocol = CreateAuthenticateProtocol();
@@ -87,6 +92,11 @@ public async Task AuthenticateAsync(IConnection connection, ConnectionDescriptio
             Ensure.IsNotNull(description, nameof(description));
             EnsureUsernameIsNotNullOrNullIsSupported(connection, description);
 
+            if (description.IsMasterResult.SpeculativeAuthenticate != null)
+            {
+                return;
+            }
+
             try
             {
                 var protocol = CreateAuthenticateProtocol();
@@ -101,18 +111,25 @@ public async Task AuthenticateAsync(IConnection connection, ConnectionDescriptio
         /// <inheritdoc/>
         public BsonDocument CustomizeInitialIsMasterCommand(BsonDocument isMasterCommand)
         {
+            isMasterCommand.Add("speculativeAuthenticate", CreateAuthenticateCommand());
             return isMasterCommand;
         }
 
         // private methods
-        private CommandWireProtocol<BsonDocument> CreateAuthenticateProtocol()
+
+        private BsonDocument CreateAuthenticateCommand()
         {
-            var command = new BsonDocument
+            return new BsonDocument
             {
                 { "authenticate", 1 },
                 { "mechanism", Name },
                 { "user", _username, _username != null }
             };
+        }
+
+        private CommandWireProtocol<BsonDocument> CreateAuthenticateProtocol()
+        {
+            var command = CreateAuthenticateCommand();
 
             var protocol = new CommandWireProtocol<BsonDocument>(
                 new DatabaseNamespace("$external"),

src/MongoDB.Driver.Core/Core/Misc/Feature.cs

@@ -89,6 +89,7 @@ public class Feature
         private static readonly Feature __serverReturnsResumableChangeStreamErrorLabel = new Feature("ServerReturnsResumableChangeStreamErrorLabel", new SemanticVersion(4, 3, 0));
         private static readonly Feature __serverReturnsRetryableWriteErrorLabel = new Feature("ServerReturnsRetryableWriteErrorLabel", new SemanticVersion(4, 3, 0));
         private static readonly Feature __shardedTransactions = new Feature("ShardedTransactions", new SemanticVersion(4, 1, 6));
+        private static readonly Feature __speculativeAuthentication = new Feature("SpeculativeAuthentication", new SemanticVersion(4, 4, 0, "rc0"));
         private static readonly Feature __tailableCursor = new Feature("TailableCursor", new SemanticVersion(3, 2, 0));
         private static readonly Feature __transactions = new Feature("Transactions", new SemanticVersion(4, 0, 0));
         private static readonly Feature __userManagementCommands = new Feature("UserManagementCommands", new SemanticVersion(2, 6, 0));
@@ -426,6 +427,11 @@ public class Feature
         /// </summary>
         public static Feature ShardedTransactions => __shardedTransactions;
 
+        /// <summary>
+        /// Gets the speculative authentication feature.
+        /// </summary>
+        public static Feature SpeculativeAuthentication => __speculativeAuthentication;
+
         /// <summary>
         /// Gets the tailable cursor feature.
         /// </summary>

tests/MongoDB.Driver.Tests/AuthenticationTests.cs

@@ -16,19 +16,15 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
-using System.Threading.Tasks;
 using FluentAssertions;
 using MongoDB.Bson;
-using MongoDB.Bson.Serialization.Serializers;
 using MongoDB.Bson.TestHelpers.XunitExtensions;
+using MongoDB.Driver.Core.Clusters.ServerSelectors;
 using MongoDB.Driver.Core.Misc;
-using MongoDB.Driver.Core.Operations;
 using MongoDB.Driver.Core.TestHelpers.XunitExtensions;
 using MongoDB.Driver.TestHelpers;
-using Moq;
 using Xunit;
 
 namespace MongoDB.Driver.Tests
@@ -144,7 +140,7 @@ public void Authentication_succeeds_when_user_has_Scram_Sha_1_Mechanism_and_mech
             settings.Credential = MongoCredential
                 .FromComponents(mechanism: null, source: null, username: userName, password: password);
 
-            AssertAuthenticationSucceeds(settings, async);
+            AssertAuthenticationSucceeds(settings, async, speculativeAuthenticatationShouldSucceedIfPossible: false);
         }
 
         [SkippableTheory]
@@ -352,10 +348,13 @@ public void Authentication_succeeds_with_MONGODB_X509_mechanism(
             settings.SslSettings = settings.SslSettings.Clone();
             settings.SslSettings.ClientCertificates = new[] { clientCertificate };
 
-            AssertAuthenticationSucceeds(settings, async);
+            AssertAuthenticationSucceeds(settings, async, speculativeAuthenticatationShouldSucceedIfPossible: true);
         }
 
-        private void AssertAuthenticationSucceeds(MongoClientSettings settings, bool async)
+        private void AssertAuthenticationSucceeds(
+            MongoClientSettings settings,
+            bool async,
+            bool speculativeAuthenticatationShouldSucceedIfPossible = true)
         {
             // If we don't use a DisposableClient, the second run of AuthenticationSucceedsWithMongoDB_X509_mechanism
             // will fail because the backing Cluster's connections will be associated with a dropped user
@@ -371,6 +370,17 @@ private void AssertAuthenticationSucceeds(MongoClientSettings settings, bool asy
                 {
                     _ = client.ListDatabaseNames().ToList();
                 }
+                if (Feature.SpeculativeAuthentication.IsSupported(CoreTestConfiguration.ServerVersion) &&
+                    speculativeAuthenticatationShouldSucceedIfPossible &&
+                    Driver.CoreTestConfiguration.Cluster.Description.Type != Core.Clusters.ClusterType.Sharded) // Until https://jira.mongodb.org/browse/SERVER-47908 is resolved
+                {
+                    var cancellationToken = CancellationToken.None;
+                    var serverSelector = new ReadPreferenceServerSelector(settings.ReadPreference);
+                    var server = client.Cluster.SelectServer(serverSelector, cancellationToken);
+                    var channel = server.GetChannel(cancellationToken);
+                    var isMasterResult = channel.ConnectionDescription.IsMasterResult;
+                    isMasterResult.SpeculativeAuthenticate.Should().NotBeNull();
+                }
             }
         }
 
@@ -453,9 +463,10 @@ private void DropDatabaseUser(MongoClient client, string database, string userNa
         private string GetRfc2253FormattedUsernameFromX509ClientCertificate(X509Certificate2 certificate)
         {
             var distinguishedName = certificate.SubjectName.Name;
-            // Authentication will fail if we don't remove the spaces, even if we add the username WITH the spaces.
-            var nameWithNoSpaces = string.Join(",", distinguishedName.Split(',').Select(s => s.Trim()));
-            return nameWithNoSpaces.Replace("S=", "ST=");
+            // Authentication will fail if we don't remove the delimiting spaces, even if we add the username WITH the
+            // delimiting spaces.
+            var nameWithoutDelimitingSpaces = string.Join(",", distinguishedName.Split(',').Select(s => s.Trim()));
+            return nameWithoutDelimitingSpaces.Replace("S=", "ST=");
         }
     }
 }