corrected issue with SSPI utilizing cached credentials. It is now required to specify the username for GSSAPI credentials.

craiggwilson · craiggwilson · commit 0b930fd4faba · 2013-02-11T08:28:41.000-06:00
diff --git a/MongoDB.Driver/Communication/Security/Mechanisms/GssapiMechanism.cs b/MongoDB.Driver/Communication/Security/Mechanisms/GssapiMechanism.cs
@@ -26,9 +26,9 @@ namespace MongoDB.Driver.Communication.Security.Mechanisms
     /// </summary>
     internal class GssapiMechanism : ISaslMechanism
     {
-        // private static methods
+        // private static fields
         private static bool __useGsasl = !Environment.OSVersion.Platform.ToString().Contains("Win");
-		
+
         // public properties
         /// <summary>
         /// Gets the name of the mechanism.
@@ -49,11 +49,11 @@ public string Name
         /// <exception cref="System.NotImplementedException"></exception>
         public bool CanUse(MongoCredential credential)
         {
-            if(credential.Mechanism != MongoAuthenticationMechanism.GSSAPI || !(credential.Identity is MongoExternalIdentity))
+            if (credential.Mechanism != MongoAuthenticationMechanism.Gssapi || !(credential.Identity is MongoExternalIdentity))
             {
-                return false;	
+                return false;
             }
-            if(__useGsasl)
+            if (__useGsasl)
             {
                 // GSASL relies on kinit to work properly and hence, the evidence is external.
                 return credential.Evidence is ExternalEvidence;
diff --git a/MongoDB.Driver/Communication/Security/MongoCRAuthenticationProtocol.cs b/MongoDB.Driver/Communication/Security/MongoCRAuthenticationProtocol.cs
@@ -77,7 +77,7 @@ public void Authenticate(MongoConnection connection, MongoCredential credential)
         /// </returns>
         public bool CanUse(MongoCredential credential)
         {
-            return credential.Mechanism == MongoAuthenticationMechanism.MONGO_CR &&
+            return credential.Mechanism == MongoAuthenticationMechanism.MongoCR &&
                 credential.Evidence is PasswordEvidence;
         }
     }
diff --git a/MongoDB.Driver/ExternalEvidence.cs b/MongoDB.Driver/ExternalEvidence.cs
@@ -21,7 +21,8 @@
 namespace MongoDB.Driver
 {
     /// <summary>
-    /// Evidence of a MongoIdentity via the currently executing process.
+    /// Evidence of a MongoIdentity via an external mechanism.  For example, on windows this may 
+    /// be the current process' user or, on linux, via kinit.
     /// </summary>
     public sealed class ExternalEvidence : MongoIdentityEvidence
     {
diff --git a/MongoDB.Driver/MongoAuthenticationMechanism.cs b/MongoDB.Driver/MongoAuthenticationMechanism.cs
@@ -23,10 +23,10 @@ public enum MongoAuthenticationMechanism
         /// <summary>
         /// Authenticate to the server using the Mongo Challenge Response (MONGO-CR) protocol.
         /// </summary>
-        MONGO_CR,
+        MongoCR,
         /// <summary>
         /// Authenticate to the server using GSSAPI.
         /// </summary>
-        GSSAPI
+        Gssapi
     }
 }
diff --git a/MongoDB.Driver/MongoConnectionStringBuilder.cs b/MongoDB.Driver/MongoConnectionStringBuilder.cs
@@ -675,7 +675,7 @@ public override object this[string keyword]
                     case "authmechanism":
                         if (value is string)
                         {
-                            string mechanism = value.ToString().Replace("-", "_");
+                            string mechanism = ((string)value).Replace("-", "_");
                             AuthenticationMechanism = (MongoAuthenticationMechanism)Enum.Parse(typeof(MongoAuthenticationMechanism), mechanism, true);
                         }
                         else
@@ -965,7 +965,7 @@ private IEnumerable<MongoServerAddress> ParseServersString(string value)
         private void ResetValues()
         {
             // set fields and not properties so base class items aren't set
-            _authenticationMechanism = MongoAuthenticationMechanism.MONGO_CR;
+            _authenticationMechanism = MongoAuthenticationMechanism.MongoCR;
             _authenticationSource = null;
             _connectionMode = ConnectionMode.Automatic;
             _connectTimeout = MongoDefaults.ConnectTimeout;
diff --git a/MongoDB.Driver/MongoCredential.cs b/MongoDB.Driver/MongoCredential.cs
@@ -137,18 +137,6 @@ public string Username
         }
 
         // public static methods
-        /// <summary>
-        /// Creates a GSSAPI credential.
-        /// </summary>
-        /// <returns>A credential for GSSAPI.</returns>
-        public static MongoCredential CreateGssapiCredential()
-        {
-            return FromComponents(MongoAuthenticationMechanism.GSSAPI,
-                "$external",
-                null,
-                (PasswordEvidence)null);
-        }
-        
         /// <summary>
         /// Creates a GSSAPI credential.
         /// </summary>
@@ -157,7 +145,7 @@ public static MongoCredential CreateGssapiCredential()
         /// <remarks>This overload is used primarily on linux.</remarks>
         public static MongoCredential CreateGssapiCredential(string username)
         {
-            return FromComponents(MongoAuthenticationMechanism.GSSAPI,
+            return FromComponents(MongoAuthenticationMechanism.Gssapi,
                 "$external",
                 username,
                 (PasswordEvidence)null);
@@ -171,7 +159,7 @@ public static MongoCredential CreateGssapiCredential(string username)
         /// <returns>A credential for GSSAPI.</returns>
         public static MongoCredential CreateGssapiCredential(string username, string password)
         {
-            return FromComponents(MongoAuthenticationMechanism.GSSAPI,
+            return FromComponents(MongoAuthenticationMechanism.Gssapi,
                 "$external",
                 username,
                 new PasswordEvidence(password));
@@ -185,7 +173,7 @@ public static MongoCredential CreateGssapiCredential(string username, string pas
         /// <returns>A credential for GSSAPI.</returns>
         public static MongoCredential CreateGssapiCredential(string username, SecureString password)
         {
-            return FromComponents(MongoAuthenticationMechanism.GSSAPI,
+            return FromComponents(MongoAuthenticationMechanism.Gssapi,
                 "$external",
                 username,
                 new PasswordEvidence(password));
@@ -200,7 +188,7 @@ public static MongoCredential CreateGssapiCredential(string username, SecureStri
         /// <returns></returns>
         public static MongoCredential CreateMongoCRCredential(string databaseName, string username, string password)
         {
-            return FromComponents(MongoAuthenticationMechanism.MONGO_CR,
+            return FromComponents(MongoAuthenticationMechanism.MongoCR,
                 databaseName,
                 username,
                 new PasswordEvidence(password));
@@ -215,7 +203,7 @@ public static MongoCredential CreateMongoCRCredential(string databaseName, strin
         /// <returns></returns>
         public static MongoCredential CreateMongoCRCredential(string databaseName, string username, SecureString password)
         {
-            return FromComponents(MongoAuthenticationMechanism.MONGO_CR,
+            return FromComponents(MongoAuthenticationMechanism.MongoCR,
                 databaseName,
                 username,
                 new PasswordEvidence(password));
@@ -289,15 +277,16 @@ private void ValidatePassword(string password)
         // private static methods
         private static MongoCredential FromComponents(MongoAuthenticationMechanism mechanism, string source, string username, MongoIdentityEvidence evidence)
         {
+            if (string.IsNullOrEmpty(username))
+            {
+                return null;
+            }
+
             switch (mechanism)
             {
-                case MongoAuthenticationMechanism.MONGO_CR:
+                case MongoAuthenticationMechanism.MongoCR:
                     // it is allowed for a password to be an empty string, but not a username
                     source = source ?? "admin";
-                    if (string.IsNullOrEmpty(username))
-                    {
-                        return null;
-                    }
                     if (evidence == null || !(evidence is PasswordEvidence))
                     {
                         throw new ArgumentException(string.Format("A {0} credential must have a password.", mechanism));
@@ -307,25 +296,15 @@ private static MongoCredential FromComponents(MongoAuthenticationMechanism mecha
                         mechanism,
                         new MongoInternalIdentity(source, username),
                         evidence);
-                case MongoAuthenticationMechanism.GSSAPI:
+                case MongoAuthenticationMechanism.Gssapi:
                     source = source ?? "$external";
                     if (source != "$external")
                     {
                         throw new ArgumentException("The source for GSSAPI must be $external.");
                     }
 
-                    if (string.IsNullOrEmpty(username))
-                    {
-                        username = Environment.UserName;
-                        if (!string.IsNullOrEmpty(Environment.UserDomainName))
-                        {
-                            // DOMAIN\username
-                            username = Environment.UserDomainName + "\\" + username;
-                        }
-                    }
-
                     return new MongoCredential(
-                        MongoAuthenticationMechanism.GSSAPI,
+                        MongoAuthenticationMechanism.Gssapi,
                         new MongoExternalIdentity(source, username),
                         evidence);
                 default:
diff --git a/MongoDB.Driver/MongoUrlBuilder.cs b/MongoDB.Driver/MongoUrlBuilder.cs
@@ -66,7 +66,7 @@ public class MongoUrlBuilder
         /// </summary>
         public MongoUrlBuilder()
         {
-            _authenticationMechanism = MongoAuthenticationMechanism.MONGO_CR;
+            _authenticationMechanism = MongoAuthenticationMechanism.MongoCR;
             _authenticationSource = null;
             _connectionMode = ConnectionMode.Automatic;
             _connectTimeout = MongoDefaults.ConnectTimeout;
@@ -1014,7 +1014,7 @@ public override string ToString()
                 url.Append(_databaseName);
             }
             var query = new StringBuilder();
-            if (_authenticationMechanism != MongoAuthenticationMechanism.MONGO_CR)
+            if (_authenticationMechanism != MongoAuthenticationMechanism.MongoCR)
             {
                 string mechanismName = _authenticationMechanism
                     .ToString()
diff --git a/MongoDB.DriverUnitTests/MongoConnectionStringBuilderTests.cs b/MongoDB.DriverUnitTests/MongoConnectionStringBuilderTests.cs
@@ -37,7 +37,7 @@ public void TestAll()
             };
             var built = new MongoConnectionStringBuilder()
             {
-                AuthenticationMechanism = MongoAuthenticationMechanism.GSSAPI,
+                AuthenticationMechanism = MongoAuthenticationMechanism.Gssapi,
                 AuthenticationSource = "db",
                 ConnectionMode = ConnectionMode.ReplicaSet,
                 ConnectTimeout = TimeSpan.FromSeconds(1),
@@ -96,7 +96,7 @@ public void TestAll()
 
             foreach (var builder in EnumerateBuiltAndParsedBuilders(built, connectionString))
             {
-                Assert.AreEqual(MongoAuthenticationMechanism.GSSAPI, builder.AuthenticationMechanism);
+                Assert.AreEqual(MongoAuthenticationMechanism.Gssapi, builder.AuthenticationMechanism);
                 Assert.AreEqual("db", builder.AuthenticationSource);
                 Assert.AreEqual(123, builder.ComputedWaitQueueSize);
                 Assert.AreEqual(ConnectionMode.ReplicaSet, builder.ConnectionMode);
@@ -135,8 +135,8 @@ public void TestAll()
         }
 
         [Test]
-        [TestCase(MongoAuthenticationMechanism.MONGO_CR, "server=localhost;authMechanism=MONGO-CR")]
-        [TestCase(MongoAuthenticationMechanism.GSSAPI, "server=localhost;authMechanism=GSSAPI")]
+        [TestCase(MongoAuthenticationMechanism.MongoCR, "server=localhost;authMechanism=MONGO-CR")]
+        [TestCase(MongoAuthenticationMechanism.Gssapi, "server=localhost;authMechanism=GSSAPI")]
         public void TestAuthMechanism(MongoAuthenticationMechanism mechanism, string connectionString)
         {
             var built = new MongoConnectionStringBuilder { Server = _localhost, AuthenticationMechanism = mechanism };
diff --git a/MongoDB.DriverUnitTests/MongoUrlBuilderTests.cs b/MongoDB.DriverUnitTests/MongoUrlBuilderTests.cs
@@ -37,7 +37,7 @@ public void TestAll()
             };
             var built = new MongoUrlBuilder()
             {
-                AuthenticationMechanism = MongoAuthenticationMechanism.GSSAPI,
+                AuthenticationMechanism = MongoAuthenticationMechanism.Gssapi,
                 AuthenticationSource = "db",
                 ConnectionMode = ConnectionMode.ReplicaSet,
                 ConnectTimeout = TimeSpan.FromSeconds(1),
@@ -92,7 +92,7 @@ public void TestAll()
 
             foreach (var builder in EnumerateBuiltAndParsedBuilders(built, connectionString))
             {
-                Assert.AreEqual(MongoAuthenticationMechanism.GSSAPI, builder.AuthenticationMechanism);
+                Assert.AreEqual(MongoAuthenticationMechanism.Gssapi, builder.AuthenticationMechanism);
                 Assert.AreEqual("db", builder.AuthenticationSource);
                 Assert.AreEqual(123, builder.ComputedWaitQueueSize);
                 Assert.AreEqual(ConnectionMode.ReplicaSet, builder.ConnectionMode);
@@ -131,8 +131,8 @@ public void TestAll()
         }
 
         [Test]
-        [TestCase(MongoAuthenticationMechanism.MONGO_CR, "mongodb://localhost")]
-        [TestCase(MongoAuthenticationMechanism.GSSAPI, "mongodb://localhost/?authMechanism=GSSAPI")]
+        [TestCase(MongoAuthenticationMechanism.MongoCR, "mongodb://localhost")]
+        [TestCase(MongoAuthenticationMechanism.Gssapi, "mongodb://localhost/?authMechanism=GSSAPI")]
         public void TestAuthMechanism(MongoAuthenticationMechanism mechanism, string connectionString)
         {
             var built = new MongoUrlBuilder { Server = _localhost, AuthenticationMechanism = mechanism };
@@ -279,7 +279,7 @@ public void TestDefaults()
 
             foreach (var builder in EnumerateBuiltAndParsedBuilders(built, connectionString))
             {
-                Assert.AreEqual(MongoAuthenticationMechanism.MONGO_CR, builder.AuthenticationMechanism);
+                Assert.AreEqual(MongoAuthenticationMechanism.MongoCR, builder.AuthenticationMechanism);
                 Assert.AreEqual(null, builder.AuthenticationSource);
                 Assert.AreEqual(MongoDefaults.ComputedWaitQueueSize, builder.ComputedWaitQueueSize);
                 Assert.AreEqual(ConnectionMode.Automatic, builder.ConnectionMode);
diff --git a/MongoDB.DriverUnitTests/MongoUrlTests.cs b/MongoDB.DriverUnitTests/MongoUrlTests.cs
@@ -37,7 +37,7 @@ public void TestAll()
             };
             var built = new MongoUrlBuilder()
             {
-                AuthenticationMechanism = MongoAuthenticationMechanism.GSSAPI,
+                AuthenticationMechanism = MongoAuthenticationMechanism.Gssapi,
                 AuthenticationSource = "db",
                 ConnectionMode = ConnectionMode.ReplicaSet,
                 ConnectTimeout = TimeSpan.FromSeconds(1),
@@ -92,7 +92,7 @@ public void TestAll()
 
             foreach (var url in EnumerateBuiltAndParsedUrls(built, connectionString))
             {
-                Assert.AreEqual(MongoAuthenticationMechanism.GSSAPI, url.AuthenticationMechanism);
+                Assert.AreEqual(MongoAuthenticationMechanism.Gssapi, url.AuthenticationMechanism);
                 Assert.AreEqual("db", url.AuthenticationSource);
                 Assert.AreEqual(123, url.ComputedWaitQueueSize);
                 Assert.AreEqual(ConnectionMode.ReplicaSet, url.ConnectionMode);

Original file line number	Diff line number	Diff line change
`@@ -26,9 +26,9 @@ namespace MongoDB.Driver.Communication.Security.Mechanisms`
`26`	`26`	`/// </summary>`
`27`	`27`	`internal class GssapiMechanism : ISaslMechanism`
`28`	`28`	`{`
`29`		`- // private static methods`
	`29`	`+ // private static fields`
`30`	`30`	`private static bool __useGsasl = !Environment.OSVersion.Platform.ToString().Contains("Win");`
`31`		`-`
	`31`	`+`
`32`	`32`	`// public properties`
`33`	`33`	`/// <summary>`
`34`	`34`	`/// Gets the name of the mechanism.`
`@@ -49,11 +49,11 @@ public string Name`
`49`	`49`	`/// <exception cref="System.NotImplementedException"></exception>`
`50`	`50`	`public bool CanUse(MongoCredential credential)`
`51`	`51`	`{`
`52`		`- if(credential.Mechanism != MongoAuthenticationMechanism.GSSAPI \|\| !(credential.Identity is MongoExternalIdentity))`
	`52`	`+ if (credential.Mechanism != MongoAuthenticationMechanism.Gssapi \|\| !(credential.Identity is MongoExternalIdentity))`
`53`	`53`	`{`
`54`		`- return false;`
	`54`	`+ return false;`
`55`	`55`	`}`
`56`		`- if(__useGsasl)`
	`56`	`+ if (__useGsasl)`
`57`	`57`	`{`
`58`	`58`	`// GSASL relies on kinit to work properly and hence, the evidence is external.`
`59`	`59`	`return credential.Evidence is ExternalEvidence;`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ public void Authenticate(MongoConnection connection, MongoCredential credential)`
`77`	`77`	`/// </returns>`
`78`	`78`	`public bool CanUse(MongoCredential credential)`
`79`	`79`	`{`
`80`		`- return credential.Mechanism == MongoAuthenticationMechanism.MONGO_CR &&`
	`80`	`+ return credential.Mechanism == MongoAuthenticationMechanism.MongoCR &&`
`81`	`81`	`credential.Evidence is PasswordEvidence;`
`82`	`82`	`}`
`83`	`83`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@`
`21`	`21`	`namespace MongoDB.Driver`
`22`	`22`	`{`
`23`	`23`	`/// <summary>`
`24`		`- /// Evidence of a MongoIdentity via the currently executing process.`
	`24`	`+ /// Evidence of a MongoIdentity via an external mechanism. For example, on windows this may`
	`25`	`+ /// be the current process' user or, on linux, via kinit.`
`25`	`26`	`/// </summary>`
`26`	`27`	`public sealed class ExternalEvidence : MongoIdentityEvidence`
`27`	`28`	`{`
Original file line number	Diff line number	Diff line change
`@@ -23,10 +23,10 @@ public enum MongoAuthenticationMechanism`
`23`	`23`	`/// <summary>`
`24`	`24`	`/// Authenticate to the server using the Mongo Challenge Response (MONGO-CR) protocol.`
`25`	`25`	`/// </summary>`
`26`		`- MONGO_CR,`
	`26`	`+ MongoCR,`
`27`	`27`	`/// <summary>`
`28`	`28`	`/// Authenticate to the server using GSSAPI.`
`29`	`29`	`/// </summary>`
`30`		`- GSSAPI`
	`30`	`+ Gssapi`
`31`	`31`	`}`
`32`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -675,7 +675,7 @@ public override object this[string keyword]`
`675`	`675`	`case "authmechanism":`
`676`	`676`	`if (value is string)`
`677`	`677`	`{`
`678`		`- string mechanism = value.ToString().Replace("-", "_");`
	`678`	`+ string mechanism = ((string)value).Replace("-", "_");`
`679`	`679`	`AuthenticationMechanism = (MongoAuthenticationMechanism)Enum.Parse(typeof(MongoAuthenticationMechanism), mechanism, true);`
`680`	`680`	`}`
`681`	`681`	`else`
`@@ -965,7 +965,7 @@ private IEnumerable<MongoServerAddress> ParseServersString(string value)`
`965`	`965`	`private void ResetValues()`
`966`	`966`	`{`
`967`	`967`	`// set fields and not properties so base class items aren't set`
`968`		`- _authenticationMechanism = MongoAuthenticationMechanism.MONGO_CR;`
	`968`	`+ _authenticationMechanism = MongoAuthenticationMechanism.MongoCR;`
`969`	`969`	`_authenticationSource = null;`
`970`	`970`	`_connectionMode = ConnectionMode.Automatic;`
`971`	`971`	`_connectTimeout = MongoDefaults.ConnectTimeout;`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ public class MongoUrlBuilder`
`66`	`66`	`/// </summary>`
`67`	`67`	`public MongoUrlBuilder()`
`68`	`68`	`{`
`69`		`- _authenticationMechanism = MongoAuthenticationMechanism.MONGO_CR;`
	`69`	`+ _authenticationMechanism = MongoAuthenticationMechanism.MongoCR;`
`70`	`70`	`_authenticationSource = null;`
`71`	`71`	`_connectionMode = ConnectionMode.Automatic;`
`72`	`72`	`_connectTimeout = MongoDefaults.ConnectTimeout;`
`@@ -1014,7 +1014,7 @@ public override string ToString()`
`1014`	`1014`	`url.Append(_databaseName);`
`1015`	`1015`	`}`
`1016`	`1016`	`var query = new StringBuilder();`
`1017`		`- if (_authenticationMechanism != MongoAuthenticationMechanism.MONGO_CR)`
	`1017`	`+ if (_authenticationMechanism != MongoAuthenticationMechanism.MongoCR)`
`1018`	`1018`	`{`
`1019`	`1019`	`string mechanismName = _authenticationMechanism`
`1020`	`1020`	`.ToString()`