CSHARP-3521: Redact security sensitive commands and replies.

Author: rstam

src/MongoDB.Driver.Core/Core/Connections/CommandEventHelper.cs

@@ -16,7 +16,6 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
-using System.Collections.ObjectModel;
 using System.Diagnostics;
 using System.IO;
 using System.Linq;
@@ -271,7 +270,8 @@ private void ProcessCommandRequestMessage(CommandRequestMessage originalMessage,
                 var commandName = command.GetElement(0).Name;
                 var databaseName = command["$db"].AsString;
                 var databaseNamespace = new DatabaseNamespace(databaseName);
-                if (ShouldRedactMessage(commandName, command))
+                var shouldRedactCommand = ShouldRedactCommand(command);
+                if (shouldRedactCommand)
                 {
                     command = new BsonDocument();
                 }
@@ -298,7 +298,8 @@ private void ProcessCommandRequestMessage(CommandRequestMessage originalMessage,
                         OperationId = operationId,
                         Stopwatch = stopwatch,
                         QueryNamespace = new CollectionNamespace(databaseNamespace, "$cmd"),
-                        ExpectedResponseType = decodedMessage.MoreToCome ? ExpectedResponseType.None : ExpectedResponseType.Command
+                        ExpectedResponseType = decodedMessage.MoreToCome ? ExpectedResponseType.None : ExpectedResponseType.Command,
+                        ShouldRedactReply = shouldRedactCommand
                     });
                 }
             }
@@ -318,7 +319,7 @@ private void ProcessCommandResponseMessage(CommandState state, CommandResponseMe
                 return;
             }
 
-            if (ShouldRedactMessage(state.CommandName, reply))
+            if (state.ShouldRedactReply)
             {
                 reply = new BsonDocument();
             }
@@ -589,12 +590,14 @@ private void ProcessQueryMessage(QueryMessage originalMessage, ConnectionId conn
                 var isCommand = IsCommand(decodedMessage.CollectionNamespace);
                 string commandName;
                 BsonDocument command;
+                var shouldRedactCommand = false;
                 if (isCommand)
                 {
                     command = decodedMessage.Query;
                     var firstElement = command.GetElement(0);
                     commandName = firstElement.Name;
-                    if (ShouldRedactMessage(commandName, command))
+                    shouldRedactCommand = ShouldRedactCommand(command);
+                    if (shouldRedactCommand)
                     {
                         command = new BsonDocument();
                     }
@@ -631,7 +634,8 @@ private void ProcessQueryMessage(QueryMessage originalMessage, ConnectionId conn
                         OperationId = operationId,
                         Stopwatch = stopwatch,
                         QueryNamespace = decodedMessage.CollectionNamespace,
-                        ExpectedResponseType = isCommand ? ExpectedResponseType.Command : ExpectedResponseType.Query
+                        ExpectedResponseType = isCommand ? ExpectedResponseType.Command : ExpectedResponseType.Query,
+                        ShouldRedactReply = shouldRedactCommand
                     });
                 }
             }
@@ -675,7 +679,7 @@ private void ProcessReplyMessage(CommandState state, ResponseMessage message, IB
                     (state.ExpectedResponseType != ExpectedResponseType.Query && replyMessage.Documents.Count == 0))
                 {
                     var queryFailureDocument = replyMessage.QueryFailureDocument;
-                    if (ShouldRedactMessage(state.CommandName, queryFailureDocument))
+                    if (state.ShouldRedactReply)
                     {
                         queryFailureDocument = new BsonDocument();
                     }
@@ -730,7 +734,7 @@ private void ProcessCommandReplyMessage(CommandState state, ReplyMessage<RawBson
                 return;
             }
 
-            if (ShouldRedactMessage(state.CommandName, reply))
+            if (state.ShouldRedactReply)
             {
                 reply = new BsonDocument();
             }
@@ -1088,23 +1092,25 @@ private static bool IsCommand(CollectionNamespace collectionNamespace)
             return collectionNamespace.Equals(collectionNamespace.DatabaseNamespace.CommandCollection);
         }
 
-        private static bool ShouldRedactMessage(string commandName, BsonDocument command)
+        private static bool ShouldRedactCommand(BsonDocument command)
         {
+            var commandName = command.GetElement(0).Name;
             switch (commandName.ToLowerInvariant())
             {
+                // string constants MUST all be lowercase for the case-insensitive comparison to work
                 case "authenticate":
-                case "saslStart":
-                case "saslContinue":
+                case "saslstart":
+                case "saslcontinue":
                 case "getnonce":
-                case "createUser":
-                case "updateUser":
+                case "createuser":
+                case "updateuser":
                 case "copydbgetnonce":
                 case "copydbsaslstart":
                 case "copydb":
                     return true;
 
-                case "isMaster":
-                    return command.Contains("speculativeAuthenticate");
+                case "ismaster":
+                    return command.Names.Any(n => n.ToLowerInvariant() == "speculativeauthenticate");
 
                 default:
                     return false;
@@ -1129,6 +1135,7 @@ private class CommandState
             public ExpectedResponseType ExpectedResponseType;
             public BsonDocument NoResponseResponse;
             public BsonValue UpsertedId;
+            public bool ShouldRedactReply;
         }
     }
 }

tests/MongoDB.Driver.Core.Tests/Core/Connections/BinaryConnection_CommandEventTests.cs

@@ -50,21 +50,25 @@ public class BinaryConnection_CommandEventTests : IDisposable
 
         public static IEnumerable<object[]> GetPotentiallyRedactedCommandTestCases()
         {
-            var potentiallyRedactedCommands = new[]
+            return new object[][]
             {
-                "authenticate",
-                "saslStart",
-                "saslContinue",
-                "getnonce",
-                "createUser",
-                "updateUser",
-                "copydbgetnonce",
-                "copydbsaslstart",
-                "copydb",
-                "isMaster",
+                // string commandJson, bool shouldBeRedacted
+                new object[] { "{ xyz : 1 }", false },
+                new object[] { "{ authenticate : 1 }", true },
+                new object[] { "{ saslStart : 1 }", true },
+                new object[] { "{ saslContinue : 1 }", true },
+                new object[] { "{ getnonce : 1 }", true },
+                new object[] { "{ createUser : 1 }", true },
+                new object[] { "{ updateUser : 1 }", true },
+                new object[] { "{ copydbgetnonce : 1 }", true },
+                new object[] { "{ copydbsaslstart : 1 }", true },
+                new object[] { "{ copydb : 1 }", true },
+                new object[] { "{ authenticate : 1 }", true },
+                new object[] { "{ isMaster : 1 }", false },
+                new object[] { "{ isMaster : 1, speculativeAuthenticate : { } }", true },
             };
-            return potentiallyRedactedCommands.Select(c => new object[] { c });
         }
+
         public BinaryConnection_CommandEventTests()
         {
             _capturedEvents = new EventCapturer()
@@ -144,13 +148,10 @@ public void Should_process_a_command()
 
         [Theory]
         [MemberData(nameof(GetPotentiallyRedactedCommandTestCases))]
-        public void Should_process_a_redacted_command(string commandName)
+        public void Should_process_a_redacted_command(string commandJson, bool shouldBeRedacted)
         {
-            var command = BsonDocument.Parse($"{{ {commandName}: 1, extra: true }}");
-            command = ModifyMessageToTriggerConditionToRedact(commandName, command);
-
+            var command = BsonDocument.Parse(commandJson);
             var reply = BsonDocument.Parse("{ ok: 1, extra: true }");
-            reply = ModifyMessageToTriggerConditionToRedact(commandName, reply);
 
             var requestMessage = MessageHelper.BuildCommand(
                 command,
@@ -163,17 +164,11 @@ public void Should_process_a_redacted_command(string commandName)
                 responseTo: requestMessage.RequestId);
             ReceiveMessages(replyMessage);
 
-
-            var commandStartedCommandShouldBeRedacted = CommandEventHelperReflector.ShouldRedactMessage(commandName, command);
-            var commandSucceededCommandShouldBeRedacted = CommandEventHelperReflector.ShouldRedactMessage(commandName, replyMessage.Documents[0]);
-            var commandStartedCommandExpectedElementCount = commandStartedCommandShouldBeRedacted ? 0 : command.ElementCount;
-            var commandSucceededCommandExpectedElementCount = commandSucceededCommandShouldBeRedacted ? 0 : reply.ElementCount;
-
             var commandStartedEvent = (CommandStartedEvent)_capturedEvents.Next();
             var commandSucceededEvent = (CommandSucceededEvent)_capturedEvents.Next();
 
             commandStartedEvent.CommandName.Should().Be(command.GetElement(0).Name);
-            commandStartedEvent.Command.ElementCount.Should().Be(commandStartedCommandExpectedElementCount);
+            commandStartedEvent.Command.Should().Be(shouldBeRedacted ? new BsonDocument() : command);
             commandStartedEvent.ConnectionId.Should().Be(_subject.ConnectionId);
             commandStartedEvent.DatabaseNamespace.Should().Be(MessageHelper.DefaultDatabaseNamespace);
             commandStartedEvent.OperationId.Should().Be(EventContext.OperationId);
@@ -183,7 +178,7 @@ public void Should_process_a_redacted_command(string commandName)
             commandSucceededEvent.ConnectionId.Should().Be(commandStartedEvent.ConnectionId);
             commandSucceededEvent.Duration.Should().BeGreaterThan(TimeSpan.Zero);
             commandSucceededEvent.OperationId.Should().Be(commandStartedEvent.OperationId);
-            commandSucceededEvent.Reply.ElementCount.Should().Be(commandSucceededCommandExpectedElementCount);
+            commandSucceededEvent.Reply.Should().Be(shouldBeRedacted ? new BsonDocument() : reply);
             commandSucceededEvent.RequestId.Should().Be(commandStartedEvent.RequestId);
         }
 
@@ -224,13 +219,10 @@ public void Should_process_a_failed_command()
 
         [Theory]
         [MemberData(nameof(GetPotentiallyRedactedCommandTestCases))]
-        public void Should_process_a_redacted_failed_command(string commandName)
+        public void Should_process_a_redacted_failed_command(string commandJson, bool shouldBeRedacted)
         {
-            var command = BsonDocument.Parse($"{{ {commandName}: 1, extra: true }}");
-            command = ModifyMessageToTriggerConditionToRedact(commandName, command);
-
+            var command = BsonDocument.Parse(commandJson);
             var reply = BsonDocument.Parse("{ ok: 0, extra: true }");
-            reply = ModifyMessageToTriggerConditionToRedact(commandName, reply);
 
             var requestMessage = MessageHelper.BuildCommand(
                 command,
@@ -243,16 +235,11 @@ public void Should_process_a_redacted_failed_command(string commandName)
                 responseTo: requestMessage.RequestId);
             ReceiveMessages(replyMessage);
 
-            var commandStartedCommandShouldBeRedacted = CommandEventHelperReflector.ShouldRedactMessage(commandName, command);
-            var commandSucceededCommandShouldBeRedacted = CommandEventHelperReflector.ShouldRedactMessage(commandName, replyMessage.Documents[0]);
-            var commandStartedCommandExpectedElementCount = commandStartedCommandShouldBeRedacted ? 0 : command.ElementCount;
-            var commandSucceededCommandExpectedElementCount = commandSucceededCommandShouldBeRedacted ? 0 : reply.ElementCount;
-
             var commandStartedEvent = (CommandStartedEvent)_capturedEvents.Next();
             var commandFailedEvent = (CommandFailedEvent)_capturedEvents.Next();
 
             commandStartedEvent.CommandName.Should().Be(command.GetElement(0).Name);
-            commandStartedEvent.Command.ElementCount.Should().Be(commandStartedCommandExpectedElementCount);
+            commandStartedEvent.Command.Should().Be(shouldBeRedacted ? new BsonDocument() : command);
             commandStartedEvent.ConnectionId.Should().Be(_subject.ConnectionId);
             commandStartedEvent.DatabaseNamespace.Should().Be(MessageHelper.DefaultDatabaseNamespace);
             commandStartedEvent.OperationId.Should().Be(EventContext.OperationId);
@@ -265,7 +252,7 @@ public void Should_process_a_redacted_failed_command(string commandName)
             commandFailedEvent.RequestId.Should().Be(commandStartedEvent.RequestId);
             commandFailedEvent.Failure.Should().BeOfType<MongoCommandException>();
             var exception = (MongoCommandException)commandFailedEvent.Failure;
-            exception.Result.ElementCount.Should().Be(commandSucceededCommandExpectedElementCount);
+            exception.Result.Should().Be(shouldBeRedacted ? new BsonDocument() : reply);
         }
 
         [Fact]
@@ -982,24 +969,5 @@ private void ReceiveMessages(params ReplyMessage<BsonDocument>[] messages)
                 _subject.ReceiveMessageAsync(message.ResponseTo, encoderSelector, _messageEncoderSettings, CancellationToken.None).Wait();
             }
         }
-
-        private static BsonDocument ModifyMessageToTriggerConditionToRedact(string commandName, BsonDocument command)
-        {
-            switch (commandName)
-            {
-                case "isMaster":
-                    command.Add("speculativeAuthenticate", new BsonDocument("db", "authSource"));
-                    break;
-            }
-
-            return command;
-        }
-    }
-
-    internal static class CommandEventHelperReflector
-    {
-        public static bool ShouldRedactMessage(string commandName, BsonDocument command) =>
-            (bool)Reflector.InvokeStatic(typeof(CommandEventHelper), nameof(ShouldRedactMessage), commandName, command);
-
     }
 }

tests/MongoDB.Driver.Core.Tests/Core/Connections/CommandEventHelperTests.cs

@@ -0,0 +1,53 @@
+/* Copyright 2010-present MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using FluentAssertions;
+using MongoDB.Bson;
+using MongoDB.Bson.TestHelpers;
+using Xunit;
+
+namespace MongoDB.Driver.Core.Connections
+{
+    public class CommandEventHelperTests
+    {
+        [Theory]
+        [InlineData("{ xyz : 1 }", false)]
+        [InlineData("{ aUTHENTICATE: 1 }", true)]
+        [InlineData("{ sASLSTART : 1 }", true)]
+        [InlineData("{ sASLCONTINUE : 1 }", true)]
+        [InlineData("{ gETNONCE : 1 }", true)]
+        [InlineData("{ cREATEUSER : 1 }", true)]
+        [InlineData("{ uPDATEUSER : 1, }", true)]
+        [InlineData("{ cOPYDBGETNONCE : 1 }", true)]
+        [InlineData("{ cOPYDBSASLSTART : 1 }", true)]
+        [InlineData("{ cOPYDB : 1 }", true)]
+        [InlineData("{ iSMASTER : 1 }", false)]
+        [InlineData("{ iSMASTER : 1, sPECULATIVEAUTHENTICATE : null }", true)]
+        public void ShouldRedactCommand_should_return_expected_result(string commandJson, bool expectedResult)
+        {
+            var command = BsonDocument.Parse(commandJson);
+
+            var result = CommandEventHelperReflector.ShouldRedactCommand(command);
+
+            result.Should().Be(expectedResult);
+        }
+    }
+
+    public static class CommandEventHelperReflector
+    {
+        public static bool ShouldRedactCommand(BsonDocument command) =>
+            (bool)Reflector.InvokeStatic(typeof(CommandEventHelper), nameof(ShouldRedactCommand), command);
+    }
+}