Add support for GSSAPI ServiceHost

GODRIVER-698

Change-Id: I6888326e272ab63ea2594181d09fcf0b9d5c17aa

Author: Divjot Arora

.evergreen/config.yml

@@ -270,7 +270,6 @@ functions:
     - command: shell.exec
       type: test
       params:
-        silent: true
         working_dir: src/go.mongodb.org/mongo-driver
         script: |
           # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
@@ -291,6 +290,30 @@ functions:
           export PATH="${GCC_PATH}:${GO_DIST}/bin:$PATH"
           MONGO_GO_DRIVER_COMPRESSOR="${MONGO_GO_DRIVER_COMPRESSOR}" make -s evg-test-auth
 
+  run-enterprise-gssapi-service-host-auth-tests:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          if [ "Windows_NT" = "$OS" ]; then
+            export GOPATH=$(cygpath -w $(dirname $(dirname $(dirname `pwd`))))
+            export MONGODB_URI="${gssapi_service_host_auth_windows_mongodb_uri}"
+          else
+            export GOPATH=$(dirname $(dirname $(dirname `pwd`)))
+            echo "${gssapi_auth_linux_keytab_base64}" > /tmp/drivers.keytab.base64
+            base64 --decode /tmp/drivers.keytab.base64 > ${PROJECT_DIRECTORY}/.evergreen/drivers.keytab
+            mkdir -p ~/.krb5
+            cat .evergreen/krb5.config | tee -a ~/.krb5/config
+            kinit -k -t ${PROJECT_DIRECTORY}/.evergreen/drivers.keytab -p "${gssapi_auth_username}"
+            export MONGODB_URI="${gssapi_service_host_auth_linux_mongodb_uri}"
+          fi;
+          export GOPATH="$GOPATH"
+          export GOROOT="${GO_DIST}"
+          export PATH="${GCC_PATH}:${GO_DIST}/bin:$PATH"
+          MONGO_GO_DRIVER_COMPRESSOR="${MONGO_GO_DRIVER_COMPRESSOR}" make -s evg-test-auth
+
 pre:
   - func: fetch-source
   - func: prepare-resources
@@ -553,6 +576,13 @@ tasks:
           vars:
             MONGO_GO_DRIVER_COMPRESSOR: "snappy"
 
+    - name: test-enterprise-auth-gssapi-service-host
+      tags: ["test", "enterprise-auth"]
+      commands:
+        - func: run-enterprise-gssapi-service-host-auth-tests
+          vars:
+            MONGO_GO_DRIVER_COMPRESSOR: "snappy"
+
     - name: go1.8-build
       tags: ["compile-check"]
       commands:

mongo/options/clientoptions.go

@@ -39,7 +39,13 @@ type ContextDialer interface {
 // Supported values include "SCRAM-SHA-256", "SCRAM-SHA-1", "MONGODB-CR", "PLAIN", "GSSAPI", and "MONGODB-X509".
 //
 // AuthMechanismProperties specifies additional configuration options which may be used by certain
-// authentication mechanisms.
+// authentication mechanisms. Supported properties are:
+// SERVICE_NAME: Specifies the name of the service. Defaults to mongodb.
+// CANONICALIZE_HOST_NAME: If true, tells the driver to canonicalize the given hostname. Defaults to false. This
+// property may not be used on Linux and Darwin systems and may not be used at the same time as SERVICE_HOST.
+// SERVICE_REALM: Specifies the realm of the service.
+// SERVICE_HOST: Specifies a hostname for GSSAPI authentication if it is different from the server's address. For
+// authentication mechanisms besides GSSAPI, this property is ignored.
 //
 // AuthSource specifies the database to authenticate against.
 //

x/mongo/driver/auth/gssapi.go

@@ -11,6 +11,8 @@ package auth
 
 import (
 	"context"
+	"fmt"
+	"net"
 
 	"go.mongodb.org/mongo-driver/x/mongo/driver/auth/internal/gssapi"
 	"go.mongodb.org/mongo-driver/x/network/description"
@@ -43,7 +45,13 @@ type GSSAPIAuthenticator struct {
 
 // Auth authenticates the connection.
 func (a *GSSAPIAuthenticator) Auth(ctx context.Context, desc description.Server, rw wiremessage.ReadWriter) error {
-	client, err := gssapi.New(desc.Addr.String(), a.Username, a.Password, a.PasswordSet, a.Props)
+	target := desc.Addr.String()
+	hostname, _, err := net.SplitHostPort(target)
+	if err != nil {
+		return newAuthError(fmt.Sprintf("invalid endpoint (%s) specified: %s", target, err), nil)
+	}
+
+	client, err := gssapi.New(hostname, a.Username, a.Password, a.PasswordSet, a.Props)
 
 	if err != nil {
 		return newAuthError("error creating gssapi", err)

x/mongo/driver/auth/gssapi_test.go

@@ -0,0 +1,43 @@
+// Copyright (C) MongoDB, Inc. 2017-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+//+build gssapi
+
+package auth
+
+import (
+	"context"
+	"testing"
+
+	"go.mongodb.org/mongo-driver/x/network/address"
+	"go.mongodb.org/mongo-driver/x/network/description"
+)
+
+func TestGSSAPIAuthenticator(t *testing.T) {
+	t.Run("PropsError", func(t *testing.T) {
+		// Cannot specify both CANONICALIZE_HOST_NAME and SERVICE_HOST
+
+		authenticator := &GSSAPIAuthenticator{
+			Username:    "foo",
+			Password:    "bar",
+			PasswordSet: true,
+			Props: map[string]string{
+				"CANONICALIZE_HOST_NAME": "true",
+				"SERVICE_HOST":           "localhost",
+			},
+		}
+		err := authenticator.Auth(context.Background(), description.Server{
+			WireVersion: &description.VersionRange{
+				Max: 6,
+			},
+			Addr: address.Address("foo:27017"),
+		}, nil)
+		if err == nil {
+			t.Fatalf("expected err, got nil")
+		}
+	})
+
+}

x/mongo/driver/auth/internal/gssapi/gss.go

@@ -19,13 +19,12 @@ package gssapi
 import "C"
 import (
 	"fmt"
-	"net"
 	"runtime"
 	"strings"
 	"unsafe"
 )
 
-// New creates a new SaslClient.
+// New creates a new SaslClient. The target parameter should be a hostname with no port.
 func New(target, username, password string, passwordSet bool, props map[string]string) (*SaslClient, error) {
 	serviceName := "mongodb"
 
@@ -37,17 +36,14 @@ func New(target, username, password string, passwordSet bool, props map[string]s
 			return nil, fmt.Errorf("SERVICE_REALM is not supported when using gssapi on %s", runtime.GOOS)
 		case "SERVICE_NAME":
 			serviceName = value
+		case "SERVICE_HOST":
+			target = value
 		default:
 			return nil, fmt.Errorf("unknown mechanism property %s", key)
 		}
 	}
 
-	hostname, _, err := net.SplitHostPort(target)
-	if err != nil {
-		return nil, fmt.Errorf("invalid endpoint (%s) specified: %s", target, err)
-	}
-
-	servicePrincipalName := fmt.Sprintf("%s@%s", serviceName, hostname)
+	servicePrincipalName := fmt.Sprintf("%s@%s", serviceName, target)
 
 	return &SaslClient{
 		servicePrincipalName: servicePrincipalName,

x/mongo/driver/auth/internal/gssapi/sspi.go

@@ -19,7 +19,7 @@ import (
 	"unsafe"
 )
 
-// New creates a new SaslClient.
+// New creates a new SaslClient. The target parameter should be a hostname with no port.
 func New(target, username, password string, passwordSet bool, props map[string]string) (*SaslClient, error) {
 	initOnce.Do(initSSPI)
 	if initError != nil {
@@ -30,6 +30,7 @@ func New(target, username, password string, passwordSet bool, props map[string]s
 	serviceName := "mongodb"
 	serviceRealm := ""
 	canonicalizeHostName := false
+	var serviceHostSet bool
 
 	for key, value := range props {
 		switch strings.ToUpper(key) {
@@ -43,25 +44,29 @@ func New(target, username, password string, passwordSet bool, props map[string]s
 			serviceRealm = value
 		case "SERVICE_NAME":
 			serviceName = value
+		case "SERVICE_HOST":
+			serviceHostSet = true
+			target = value
 		}
 	}
 
-	hostname, _, err := net.SplitHostPort(target)
-	if err != nil {
-		return nil, fmt.Errorf("invalid endpoint (%s) specified: %s", target, err)
-	}
 	if canonicalizeHostName {
-		names, err := net.LookupAddr(hostname)
+		// Should not canonicalize the SERVICE_HOST
+		if serviceHostSet {
+			return nil, fmt.Errorf("CANONICALIZE_HOST_NAME and SERVICE_HOST canonot both be specified")
+		}
+
+		names, err := net.LookupAddr(target)
 		if err != nil || len(names) == 0 {
 			return nil, fmt.Errorf("unable to canonicalize hostname: %s", err)
 		}
-		hostname = names[0]
-		if hostname[len(hostname)-1] == '.' {
-			hostname = hostname[:len(hostname)-1]
+		target = names[0]
+		if target[len(target)-1] == '.' {
+			target = target[:len(target)-1]
 		}
 	}
 
-	servicePrincipalName := fmt.Sprintf("%s/%s", serviceName, hostname)
+	servicePrincipalName := fmt.Sprintf("%s/%s", serviceName, target)
 	if serviceRealm != "" {
 		servicePrincipalName += "@" + serviceRealm
 	}