GODRIVER-803 add AuthenticateArbiter client option to allow authenticating with arbiter

Isabella Siu · Isabella Siu · commit 0df304e41314 · 2019-02-21T13:15:25.000-05:00
Change-Id: I580d2801c0ed0e35b20650fc32a5f7ae66362d7b
diff --git a/mongo/client.go b/mongo/client.go
@@ -268,16 +268,27 @@ func (c *Client) configure(opts *options.ClientOptions) error {
 			return err
 		}
 
-		opts := &auth.HandshakeOptions{
+		handshakeOpts := &auth.HandshakeOptions{
 			AppName:       appName,
 			Authenticator: authenticator,
 			Compressors:   compressors,
 		}
 		if mechanism == "" {
 			// Required for SASL mechanism negotiation during handshake
-			opts.DBUser = cred.Source + "." + cred.Username
+			handshakeOpts.DBUser = cred.Source + "." + cred.Username
 		}
-		handshaker = auth.Handshaker(nil, opts)
+		if opts.AuthenticateArbiter != nil && *opts.AuthenticateArbiter {
+			// Authenticate arbiters
+			handshakeOpts.PerformAuthentication = func(serv description.Server) bool {
+				return serv.Kind == description.RSPrimary ||
+					serv.Kind == description.RSSecondary ||
+					serv.Kind == description.Mongos ||
+					serv.Kind == description.Standalone ||
+					serv.Kind == description.RSArbiter
+			}
+		}
+
+		handshaker = auth.Handshaker(nil, handshakeOpts)
 	}
 	connOpts = append(connOpts, connection.WithHandshaker(
 		func(connection.Handshaker) connection.Handshaker { return handshaker },
diff --git a/mongo/options/clientoptions.go b/mongo/options/clientoptions.go
@@ -61,6 +61,7 @@ type Credential struct {
 type ClientOptions struct {
 	AppName                *string
 	Auth                   *Credential
+	AuthenticateArbiter    *bool
 	ConnectTimeout         *time.Duration
 	Compressors            []string
 	Dialer                 ContextDialer
@@ -287,6 +288,13 @@ func (c *ClientOptions) SetCompressors(comps []string) *ClientOptions {
 	return c
 }
 
+// SetAuthenticateArbiter specifies whether or not the driver should authenticate arbiters. By
+// default, they are not authenticated.
+func (c *ClientOptions) SetAuthenticateArbiter(b bool) *ClientOptions {
+	c.AuthenticateArbiter = &b
+	return c
+}
+
 // SetConnectTimeout specifies the timeout for an initial connection to a server.
 // If a custom Dialer is used, this method won't be set and the user is
 // responsible for setting the ConnectTimeout for connections on the dialer
@@ -435,6 +443,9 @@ func MergeClientOptions(opts ...*ClientOptions) *ClientOptions {
 		if opt.Auth != nil {
 			c.Auth = opt.Auth
 		}
+		if opt.AuthenticateArbiter != nil {
+			c.AuthenticateArbiter = opt.AuthenticateArbiter
+		}
 		if opt.Compressors != nil {
 			c.Compressors = opt.Compressors
 		}
diff --git a/x/mongo/driver/auth/auth.go b/x/mongo/driver/auth/auth.go
@@ -95,10 +95,11 @@ func RegisterAuthenticatorFactory(name string, factory AuthenticatorFactory) {
 // function.  DBUser is optional but must be of the form <dbname.username>;
 // if non-empty, then the connection will do SASL mechanism negotiation.
 type HandshakeOptions struct {
-	AppName       string
-	Authenticator Authenticator
-	Compressors   []string
-	DBUser        string
+	AppName               string
+	Authenticator         Authenticator
+	Compressors           []string
+	DBUser                string
+	PerformAuthentication func(description.Server) bool
 }
 
 // Handshaker creates a connection handshaker for the given authenticator.
@@ -114,9 +115,21 @@ func Handshaker(h connection.Handshaker, options *HandshakeOptions) connection.H
 			return description.Server{}, newAuthError("handshake failure", err)
 		}
 
-		err = options.Authenticator.Auth(ctx, desc, rw)
-		if err != nil {
-			return description.Server{}, newAuthError("auth error", err)
+		performAuth := options.PerformAuthentication
+		if performAuth == nil {
+			performAuth = func(serv description.Server) bool {
+				return serv.Kind == description.RSPrimary ||
+					serv.Kind == description.RSSecondary ||
+					serv.Kind == description.Mongos ||
+					serv.Kind == description.Standalone
+			}
+		}
+		if performAuth(desc) && options.Authenticator != nil {
+			err = options.Authenticator.Auth(ctx, desc, rw)
+			if err != nil {
+				return description.Server{}, newAuthError("auth error", err)
+			}
+
 		}
 		if h == nil {
 			return desc, nil
diff --git a/x/mongo/driver/auth/mongodbcr.go b/x/mongo/driver/auth/mongodbcr.go
@@ -47,11 +47,6 @@ type MongoDBCRAuthenticator struct {
 // The MONGODB-CR authentication mechanism is deprecated in MongoDB 4.0.
 func (a *MongoDBCRAuthenticator) Auth(ctx context.Context, desc description.Server, rw wiremessage.ReadWriter) error {
 
-	// Arbiters cannot be authenticated
-	if desc.Kind == description.RSArbiter {
-		return nil
-	}
-
 	db := a.DB
 	if db == "" {
 		db = defaultAuthDB
diff --git a/x/mongo/driver/auth/sasl.go b/x/mongo/driver/auth/sasl.go
@@ -31,10 +31,6 @@ type SaslClientCloser interface {
 
 // ConductSaslConversation handles running a sasl conversation with MongoDB.
 func ConductSaslConversation(ctx context.Context, desc description.Server, rw wiremessage.ReadWriter, db string, client SaslClient) error {
-	// Arbiters cannot be authenticated
-	if desc.Kind == description.RSArbiter {
-		return nil
-	}
 
 	if db == "" {
 		db = defaultAuthDB
