CSHARP-1822: Username is now optional when using X509 authentication.

Author: rstam

src/MongoDB.Driver.Core/Core/Authentication/MongoDBX509Authenticator.cs

@@ -51,7 +51,7 @@ public static string MechanismName
         /// <param name="username">The username.</param>
         public MongoDBX509Authenticator(string username)
         {
-            _username = Ensure.IsNotNullOrEmpty(username, nameof(username));
+            _username = Ensure.IsNullOrNotEmpty(username, nameof(username));
         }
 
         // properties
@@ -67,6 +67,7 @@ public void Authenticate(IConnection connection, ConnectionDescription descripti
         {
             Ensure.IsNotNull(connection, nameof(connection));
             Ensure.IsNotNull(description, nameof(description));
+            EnsureUsernameIsNotNullOrNullIsSupported(connection);
 
             try
             {
@@ -84,6 +85,7 @@ public async Task AuthenticateAsync(IConnection connection, ConnectionDescriptio
         {
             Ensure.IsNotNull(connection, nameof(connection));
             Ensure.IsNotNull(description, nameof(description));
+            EnsureUsernameIsNotNullOrNullIsSupported(connection);
 
             try
             {
@@ -103,7 +105,7 @@ private CommandWireProtocol<BsonDocument> CreateAuthenticateProtocol()
             {
                 { "authenticate", 1 },
                 { "mechanism", Name },
-                { "user", _username }
+                { "user", _username, _username != null }
             };
 
             var protocol = new CommandWireProtocol<BsonDocument>(
@@ -121,5 +123,15 @@ private MongoAuthenticationException CreateException(IConnection connection, Exc
             var message = string.Format("Unable to authenticate username '{0}' using protocol '{1}'.", _username, Name);
             return new MongoAuthenticationException(connection.ConnectionId, message, ex);
         }
+
+        private void EnsureUsernameIsNotNullOrNullIsSupported(IConnection connection)
+        {
+            var serverVersion = connection.Description.ServerVersion;
+            if (_username == null && !Feature.ServerExtractsUsernameFromX509Certificate.IsSupported(serverVersion))
+            {
+                var message = $"Username cannot be null for server version {serverVersion}.";
+                throw new MongoConnectionException(connection.ConnectionId, message);
+            }
+        }
     }
 }

src/MongoDB.Driver.Core/Core/Misc/Feature.cs

@@ -50,6 +50,7 @@ public class Feature
         private static readonly Feature __partialIndexes = new Feature("PartialIndexes", new SemanticVersion(3, 2, 0));
         private static readonly ReadConcernFeature __readConcern = new ReadConcernFeature("ReadConcern", new SemanticVersion(3, 2, 0));
         private static readonly Feature __scramSha1Authentication = new Feature("ScramSha1Authentication", new SemanticVersion(3, 0, 0));
+        private static readonly Feature __serverExtractsUsernameFromX509Certificate = new Feature("ServerExtractsUsernameFromX509Certificate", new SemanticVersion(3, 4, 0));
         private static readonly Feature __userManagementCommands = new Feature("UserManagementCommands", new SemanticVersion(2, 6, 0));
         private static readonly Feature __views = new Feature("Views", new SemanticVersion(3, 3, 11));
         private static readonly Feature __writeCommands = new Feature("WriteCommands", new SemanticVersion(2, 6, 0));
@@ -189,6 +190,11 @@ public class Feature
         /// </summary>
         public static Feature ScramSha1Authentication => __scramSha1Authentication;
 
+        /// <summary>
+        /// Gets the server extracts username from X509 certificate feature.
+        /// </summary>
+        public static Feature ServerExtractsUsernameFromX509Certificate => __serverExtractsUsernameFromX509Certificate;
+
         /// <summary>
         /// Gets the user management commands feature.
         /// </summary>

src/MongoDB.Driver.Legacy/MongoServerSettings.cs

@@ -606,11 +606,7 @@ public static MongoServerSettings FromClientSettings(MongoClientSettings clientS
         /// <returns>A MongoServerSettings.</returns>
         public static MongoServerSettings FromUrl(MongoUrl url)
         {
-            var credential = MongoCredential.FromComponents(
-                url.AuthenticationMechanism,
-                url.AuthenticationSource ?? url.DatabaseName,
-                url.Username,
-                url.Password);
+            var credential = url.GetCredential();
 
             var serverSettings = new MongoServerSettings();
             serverSettings.ApplicationName = url.ApplicationName;

src/MongoDB.Driver/MongoClientSettings.cs

@@ -542,11 +542,7 @@ public UTF8Encoding WriteEncoding
         /// <returns>A MongoClientSettings.</returns>
         public static MongoClientSettings FromUrl(MongoUrl url)
         {
-            var credential = MongoCredential.FromComponents(
-                url.AuthenticationMechanism,
-                url.AuthenticationSource ?? url.DatabaseName,
-                url.Username,
-                url.Password);
+            var credential = url.GetCredential();
 
             var clientSettings = new MongoClientSettings();
             clientSettings.ApplicationName = url.ApplicationName;

src/MongoDB.Driver/MongoCredential.cs

@@ -447,11 +447,6 @@ private void ValidatePassword(string password)
         // private static methods
         private static MongoCredential FromComponents(string mechanism, string source, string username, MongoIdentityEvidence evidence)
         {
-            if (string.IsNullOrEmpty(username))
-            {
-                return null;
-            }
-
             var defaultedMechanism = (mechanism ?? "DEFAULT").Trim().ToUpperInvariant();
             switch (defaultedMechanism)
             {
@@ -480,7 +475,7 @@ private static MongoCredential FromComponents(string mechanism, string source, s
 
                     return new MongoCredential(
                         mechanism,
-                        new MongoExternalIdentity(username),
+                        new MongoX509Identity(username),
                         evidence);
                 case "GSSAPI":
                     // always $external for GSSAPI.  

src/MongoDB.Driver/MongoDB.Driver.csproj

@@ -278,6 +278,7 @@
     <Compile Include="Linq\Translators\QueryableTranslator.cs" />
     <Compile Include="Linq\Translators\PredicateTranslator.cs" />
     <Compile Include="ExpressionTranslationOptions.cs" />
+    <Compile Include="MongoX509Identity.cs" />
     <Compile Include="OfTypeSerializer.cs" />
     <Compile Include="PipelineDefinitionBuilder.cs" />
     <Compile Include="PipelineStageDefinition.cs" />

src/MongoDB.Driver/MongoIdentity.cs

@@ -38,13 +38,14 @@ public abstract class MongoIdentity : IEquatable<MongoIdentity>
         /// </summary>
         /// <param name="source">The source.</param>
         /// <param name="username">The username.</param>
-        internal MongoIdentity(string source, string username)
+        /// <param name="allowNullUsername">Whether to allow null usernames.</param>
+        internal MongoIdentity(string source, string username, bool allowNullUsername = false)
         {
             if (source == null)
             {
                 throw new ArgumentNullException("source");
             }
-            if (username == null)
+            if (username == null && !allowNullUsername)
             {
                 throw new ArgumentNullException("username");
             }

src/MongoDB.Driver/MongoUrl.cs

@@ -203,6 +203,21 @@ public GuidRepresentation GuidRepresentation
             get { return _guidRepresentation; }
         }
 
+        /// <summary>
+        /// Gets a value indicating whether this instance has authentication settings.
+        /// </summary>
+        public bool HasAuthenticationSettings
+        {
+            get
+            {
+                return
+                    _username != null ||
+                    _password != null ||
+                    _authenticationMechanism != null ||
+                    _authenticationSource != null;
+            }              
+        }
+
         /// <summary>
         /// Gets the heartbeat interval.
         /// </summary>
@@ -498,6 +513,26 @@ public override bool Equals(object obj)
             return Equals(obj as MongoUrl); // works even if obj is null or of a different type
         }
 
+        /// <summary>
+        /// Gets the credential.
+        /// </summary>
+        /// <returns>The credential (or null if the URL has not authentication settings).</returns>
+        public MongoCredential GetCredential()
+        {
+            if (HasAuthenticationSettings)
+            {
+                return MongoCredential.FromComponents(
+                    _authenticationMechanism,
+                    _authenticationSource ?? _databaseName,
+                    _username,
+                    _password);
+            }
+            else
+            {
+                return null;
+            }
+        }
+
         /// <summary>
         /// Gets the hash code.
         /// </summary>

src/MongoDB.Driver/MongoX509Identity.cs

@@ -0,0 +1,31 @@
+/* Copyright 2010-2014 MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+namespace MongoDB.Driver
+{
+    /// <summary>
+    /// Represents an identity defined by an X509 certificate.
+    /// </summary>
+    public class MongoX509Identity : MongoIdentity
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="MongoExternalIdentity" /> class.
+        /// </summary>
+        /// <param name="username">The username.</param>
+        public MongoX509Identity(string username)
+            : base("$external", username, allowNullUsername: true)
+        { }
+    }
+}

tests/MongoDB.Driver.Core.Tests/Core/Authentication/MongoDBX509AuthenticatorTests.cs

@@ -26,6 +26,7 @@
 using MongoDB.Driver.Core.Connections;
 using System.Threading.Tasks;
 using MongoDB.Bson.TestHelpers.XunitExtensions;
+using MongoDB.Driver.Core.Misc;
 
 namespace MongoDB.Driver.Core.Authentication
 {
@@ -39,9 +40,8 @@ public class MongoDBX509AuthenticatorTests
             new BuildInfoResult(new BsonDocument("version", "2.6.0")));
 
         [Theory]
-        [InlineData(null)]
         [InlineData("")]
-        public void Constructor_should_throw_an_ArgumentException_when_username_is_null_or_empty(string username)
+        public void Constructor_should_throw_an_ArgumentException_when_username_is_empty(string username)
         {
             Action act = () => new MongoDBX509Authenticator(username);
 
@@ -58,6 +58,7 @@ public void Authenticate_should_throw_an_AuthenticationException_when_authentica
 
             var reply = MessageHelper.BuildNoDocumentsReturnedReply<RawBsonDocument>();
             var connection = new MockConnection(__serverId);
+            connection.Description = CreateConnectionDescription(new SemanticVersion(3, 2, 0));
             connection.EnqueueReplyMessage(reply);
 
             Action act;
@@ -85,6 +86,7 @@ public void Authenticate_should_not_throw_when_authentication_succeeds(
                 RawBsonDocumentHelper.FromJson("{ok: 1}"));
 
             var connection = new MockConnection(__serverId);
+            connection.Description = CreateConnectionDescription(new SemanticVersion(3, 2, 0));
             connection.EnqueueReplyMessage(reply);
 
             Action act;
@@ -99,5 +101,75 @@ public void Authenticate_should_not_throw_when_authentication_succeeds(
 
             act.ShouldNotThrow();
         }
+
+        [Theory]
+        [ParameterAttributeData]
+        public void Authenticate_should_throw_when_username_is_null_and_server_does_not_support_null_username(
+            [Values(false, true)]
+            bool async)
+        {
+            var subject = new MongoDBX509Authenticator(null);
+
+            var reply = MessageHelper.BuildReply<RawBsonDocument>(
+                RawBsonDocumentHelper.FromJson("{ok: 1}"));
+
+            var connection = new MockConnection(__serverId);
+            connection.Description = CreateConnectionDescription(new SemanticVersion(3, 2, 0));
+            connection.EnqueueReplyMessage(reply);
+
+            Exception exception;
+            if (async)
+            {
+                exception = Record.Exception(() => subject.AuthenticateAsync(connection, __description, CancellationToken.None).GetAwaiter().GetResult());
+            }
+            else
+            {
+                exception = Record.Exception(() => subject.Authenticate(connection, __description, CancellationToken.None));
+            }
+
+            exception.Should().BeOfType<MongoConnectionException>();
+        }
+
+        [Theory]
+        [ParameterAttributeData]
+        public void Authenticate_should_not_throw_when_username_is_null_and_server_support_null_username(
+            [Values(false, true)]
+            bool async)
+        {
+            var subject = new MongoDBX509Authenticator(null);
+
+            var reply = MessageHelper.BuildReply<RawBsonDocument>(
+                RawBsonDocumentHelper.FromJson("{ok: 1}"));
+
+            var connection = new MockConnection(__serverId);
+            connection.Description = CreateConnectionDescription(new SemanticVersion(3, 4, 0));
+            connection.EnqueueReplyMessage(reply);
+
+            Exception exception;
+            if (async)
+            {
+                exception = Record.Exception(() => subject.AuthenticateAsync(connection, __description, CancellationToken.None).GetAwaiter().GetResult());
+            }
+            else
+            {
+                exception = Record.Exception(() => subject.Authenticate(connection, __description, CancellationToken.None));
+            }
+
+            exception.Should().BeNull();
+        }
+
+        // private methods
+        private ConnectionDescription CreateConnectionDescription(SemanticVersion serverVersion)
+        {
+            var clusterId = new ClusterId(1);
+            var serverId = new ServerId(clusterId, new DnsEndPoint("localhost", 27017));
+            var connectionId = new ConnectionId(serverId, 1);
+            var isMasterResult = new IsMasterResult(new BsonDocument());
+            var buildInfoResult = new BuildInfoResult(new BsonDocument
+            {
+                { "version", serverVersion.ToString() }
+            });
+            return new ConnectionDescription(connectionId, isMasterResult, buildInfoResult);
+        }
     }
 }