CSHARP-2366: GSSAPI Scram Authentication starts scram conversation wrong

markbenvenuto · rstam · commit 77db6ea9dd55 · 2018-11-06T12:31:53.000-06:00
diff --git a/src/MongoDB.Driver.Core/Core/Authentication/GssapiAuthenticator.cs b/src/MongoDB.Driver.Core/Core/Authentication/GssapiAuthenticator.cs
@@ -196,7 +196,7 @@ public string Name
                 get { return MechanismName; }
             }
 
-            public ISaslStep Initialize(IConnection connection, ConnectionDescription description)
+            public ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)
             {
                 Ensure.IsNotNull(connection, nameof(connection));
                 Ensure.IsNotNull(description, nameof(description));
@@ -229,17 +229,19 @@ public ISaslStep Initialize(IConnection connection, ConnectionDescription descri
                     }
                 }
 
-                return new FirstStep(_serviceName, hostName, _realm, _username, _password);
+                return new FirstStep(_serviceName, hostName, _realm, _username, _password, conversation);
             }
         }
 
         private class FirstStep : ISaslStep
         {
             private readonly string _authorizationId;
+            private byte[] _bytesToSendToServer;
+            private readonly Sspi.SecurityContext _context;
             private readonly SecureString _password;
             private readonly string _servicePrincipalName;
 
-            public FirstStep(string serviceName, string hostName, string realm, string username, SecureString password)
+            public FirstStep(string serviceName, string hostName, string realm, string username, SecureString password, SaslConversation conversation)
             {
                 _authorizationId = username;
                 _password = password;
@@ -248,20 +250,7 @@ public FirstStep(string serviceName, string hostName, string realm, string usern
                 {
                     _servicePrincipalName += "@" + realm;
                 }
-            }
-
-            public byte[] BytesToSendToServer
-            {
-                get { return new byte[0]; }
-            }
-
-            public bool IsComplete
-            {
-                get { return false; }
-            }
 
-            public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedFromServer)
-            {
                 SecurityCredential securityCredential;
                 try
                 {
@@ -273,11 +262,9 @@ public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedF
                     throw new MongoAuthenticationException(conversation.ConnectionId, "Unable to acquire security credential.", ex);
                 }
 
-                byte[] bytesToSendToServer;
-                Sspi.SecurityContext context;
                 try
                 {
-                    context = Sspi.SecurityContext.Initialize(securityCredential, _servicePrincipalName, bytesReceivedFromServer, out bytesToSendToServer);
+                    _context = Sspi.SecurityContext.Initialize(securityCredential, _servicePrincipalName, null, out _bytesToSendToServer);
                 }
                 catch (Win32Exception ex)
                 {
@@ -290,13 +277,36 @@ public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedF
                         throw new MongoAuthenticationException(conversation.ConnectionId, "Unable to initialize security context.", ex);
                     }
                 }
+            }
+
+            public byte[] BytesToSendToServer
+            {
+                get { return _bytesToSendToServer; }
+            }
+
+            public bool IsComplete
+            {
+                get { return false; }
+            }
+
+            public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedFromServer)
+            {
+                byte[] bytesToSendToServer;
+                try
+                {
+                    _context.Initialize(_servicePrincipalName, bytesReceivedFromServer, out bytesToSendToServer);
+                }
+                catch (Win32Exception ex)
+                {
+                    throw new MongoAuthenticationException(conversation.ConnectionId, "Unable to initialize security context", ex);
+                }
 
-                if (!context.IsInitialized)
+                if (!_context.IsInitialized)
                 {
-                    return new InitializeStep(_servicePrincipalName, _authorizationId, context, bytesToSendToServer);
+                    return new InitializeStep(_servicePrincipalName, _authorizationId, _context, bytesToSendToServer);
                 }
 
-                return new NegotiateStep(_authorizationId, context, bytesToSendToServer);
+                return new NegotiateStep(_authorizationId, _context, bytesToSendToServer);
             }
         }
 
diff --git a/src/MongoDB.Driver.Core/Core/Authentication/PlainAuthenticator.cs b/src/MongoDB.Driver.Core/Core/Authentication/PlainAuthenticator.cs
@@ -77,7 +77,7 @@ public string Name
             }
 
             // methods
-            public ISaslStep Initialize(IConnection connection, ConnectionDescription description)
+            public ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)
             {
                 Ensure.IsNotNull(connection, nameof(connection));
                 Ensure.IsNotNull(description, nameof(description));
diff --git a/src/MongoDB.Driver.Core/Core/Authentication/SaslAuthenticator.cs b/src/MongoDB.Driver.Core/Core/Authentication/SaslAuthenticator.cs
@@ -67,7 +67,7 @@ public void Authenticate(IConnection connection, ConnectionDescription descripti
 
             using (var conversation = new SaslConversation(description.ConnectionId))
             {
-                var currentStep = _mechanism.Initialize(connection, description);
+                var currentStep = _mechanism.Initialize( connection, conversation, description);
 
                 var command = CreateStartCommand(currentStep);
                 while (true)
@@ -102,7 +102,7 @@ public async Task AuthenticateAsync(IConnection connection, ConnectionDescriptio
 
             using (var conversation = new SaslConversation(description.ConnectionId))
             {
-                var currentStep = _mechanism.Initialize(connection, description);
+                var currentStep = _mechanism.Initialize(connection, conversation, description);
 
                 var command = CreateStartCommand(currentStep);
                 while (true)
@@ -281,9 +281,10 @@ protected interface ISaslMechanism
             /// Initializes the mechanism.
             /// </summary>
             /// <param name="connection">The connection.</param>
+            /// <param name="conversation">The SASL conversation.</param>
             /// <param name="description">The connection description.</param>
             /// <returns>The initial SASL step.</returns>
-            ISaslStep Initialize(IConnection connection, ConnectionDescription description);
+            ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description);
         }
 
         /// <summary>
diff --git a/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs b/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs
@@ -131,7 +131,7 @@ public ScramShaMechanism(
 
             public string Name => _name;
 
-            public ISaslStep Initialize(IConnection connection, ConnectionDescription description)
+            public ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)
             {
                 Ensure.IsNotNull(connection, nameof(connection));
                 Ensure.IsNotNull(description, nameof(description));

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ public string Name`
`196`	`196`	`get { return MechanismName; }`
`197`	`197`	`}`
`198`	`198`
`199`		`- public ISaslStep Initialize(IConnection connection, ConnectionDescription description)`
	`199`	`+ public ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)`
`200`	`200`	`{`
`201`	`201`	`Ensure.IsNotNull(connection, nameof(connection));`
`202`	`202`	`Ensure.IsNotNull(description, nameof(description));`
`@@ -229,17 +229,19 @@ public ISaslStep Initialize(IConnection connection, ConnectionDescription descri`
`229`	`229`	`}`
`230`	`230`	`}`
`231`	`231`
`232`		`- return new FirstStep(_serviceName, hostName, _realm, _username, _password);`
	`232`	`+ return new FirstStep(_serviceName, hostName, _realm, _username, _password, conversation);`
`233`	`233`	`}`
`234`	`234`	`}`
`235`	`235`
`236`	`236`	`private class FirstStep : ISaslStep`
`237`	`237`	`{`
`238`	`238`	`private readonly string _authorizationId;`
	`239`	`+ private byte[] _bytesToSendToServer;`
	`240`	`+ private readonly Sspi.SecurityContext _context;`
`239`	`241`	`private readonly SecureString _password;`
`240`	`242`	`private readonly string _servicePrincipalName;`
`241`	`243`
`242`		`- public FirstStep(string serviceName, string hostName, string realm, string username, SecureString password)`
	`244`	`+ public FirstStep(string serviceName, string hostName, string realm, string username, SecureString password, SaslConversation conversation)`
`243`	`245`	`{`
`244`	`246`	`_authorizationId = username;`
`245`	`247`	`_password = password;`
`@@ -248,20 +250,7 @@ public FirstStep(string serviceName, string hostName, string realm, string usern`
`248`	`250`	`{`
`249`	`251`	`_servicePrincipalName += "@" + realm;`
`250`	`252`	`}`
`251`		`- }`
`252`		`-`
`253`		`- public byte[] BytesToSendToServer`
`254`		`- {`
`255`		`- get { return new byte[0]; }`
`256`		`- }`
`257`		`-`
`258`		`- public bool IsComplete`
`259`		`- {`
`260`		`- get { return false; }`
`261`		`- }`
`262`	`253`
`263`		`- public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedFromServer)`
`264`		`- {`
`265`	`254`	`SecurityCredential securityCredential;`
`266`	`255`	`try`
`267`	`256`	`{`
`@@ -273,11 +262,9 @@ public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedF`
`273`	`262`	`throw new MongoAuthenticationException(conversation.ConnectionId, "Unable to acquire security credential.", ex);`
`274`	`263`	`}`
`275`	`264`
`276`		`- byte[] bytesToSendToServer;`
`277`		`- Sspi.SecurityContext context;`
`278`	`265`	`try`
`279`	`266`	`{`
`280`		`- context = Sspi.SecurityContext.Initialize(securityCredential, _servicePrincipalName, bytesReceivedFromServer, out bytesToSendToServer);`
	`267`	`+ _context = Sspi.SecurityContext.Initialize(securityCredential, _servicePrincipalName, null, out _bytesToSendToServer);`
`281`	`268`	`}`
`282`	`269`	`catch (Win32Exception ex)`
`283`	`270`	`{`
`@@ -290,13 +277,36 @@ public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedF`
`290`	`277`	`throw new MongoAuthenticationException(conversation.ConnectionId, "Unable to initialize security context.", ex);`
`291`	`278`	`}`
`292`	`279`	`}`
	`280`	`+ }`
	`281`	`+`
	`282`	`+ public byte[] BytesToSendToServer`
	`283`	`+ {`
	`284`	`+ get { return _bytesToSendToServer; }`
	`285`	`+ }`
	`286`	`+`
	`287`	`+ public bool IsComplete`
	`288`	`+ {`
	`289`	`+ get { return false; }`
	`290`	`+ }`
	`291`	`+`
	`292`	`+ public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedFromServer)`
	`293`	`+ {`
	`294`	`+ byte[] bytesToSendToServer;`
	`295`	`+ try`
	`296`	`+ {`
	`297`	`+ _context.Initialize(_servicePrincipalName, bytesReceivedFromServer, out bytesToSendToServer);`
	`298`	`+ }`
	`299`	`+ catch (Win32Exception ex)`
	`300`	`+ {`
	`301`	`+ throw new MongoAuthenticationException(conversation.ConnectionId, "Unable to initialize security context", ex);`
	`302`	`+ }`
`293`	`303`
`294`		`- if (!context.IsInitialized)`
	`304`	`+ if (!_context.IsInitialized)`
`295`	`305`	`{`
`296`		`- return new InitializeStep(_servicePrincipalName, _authorizationId, context, bytesToSendToServer);`
	`306`	`+ return new InitializeStep(_servicePrincipalName, _authorizationId, _context, bytesToSendToServer);`
`297`	`307`	`}`
`298`	`308`
`299`		`- return new NegotiateStep(_authorizationId, context, bytesToSendToServer);`
	`309`	`+ return new NegotiateStep(_authorizationId, _context, bytesToSendToServer);`
`300`	`310`	`}`
`301`	`311`	`}`
`302`	`312`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ public string Name`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`// methods`
`80`		`- public ISaslStep Initialize(IConnection connection, ConnectionDescription description)`
	`80`	`+ public ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)`
`81`	`81`	`{`
`82`	`82`	`Ensure.IsNotNull(connection, nameof(connection));`
`83`	`83`	`Ensure.IsNotNull(description, nameof(description));`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ public ScramShaMechanism(`
`131`	`131`
`132`	`132`	`public string Name => _name;`
`133`	`133`
`134`		`- public ISaslStep Initialize(IConnection connection, ConnectionDescription description)`
	`134`	`+ public ISaslStep Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)`
`135`	`135`	`{`
`136`	`136`	`Ensure.IsNotNull(connection, nameof(connection));`
`137`	`137`	`Ensure.IsNotNull(description, nameof(description));`