JAVA-2375: Make userName optional for MONGODB-X509 authentication mechanism

   As of MongoDB 3.4, the user name is optional, as the server will extract it from the distinguished subject name of the client certificate

Author: jyemin

driver-core/src/main/com/mongodb/MongoCredential.java

@@ -194,6 +194,22 @@ public static MongoCredential createMongoX509Credential(final String userName) {
         return new MongoCredential(MONGODB_X509, userName, "$external", null);
     }
 
+    /**
+     * Creates a MongoCredential instance for the MongoDB X.509 protocol where the distinguished subject name of the client certificate
+     * acts as the userName.
+     * <p>
+     *     Available on MongoDB server versions &gt;= 3.4.
+     * </p>
+     * @return the credential
+     *
+     * @since 3.4
+     * @mongodb.server.release 3.4
+     * @mongodb.driver.manual core/authentication/#x-509-certificate-authentication X-509
+     */
+    public static MongoCredential createMongoX509Credential() {
+        return new MongoCredential(MONGODB_X509, null, "$external", null);
+    }
+
     /**
      * Creates a MongoCredential instance for the PLAIN SASL mechanism.
      *
@@ -262,7 +278,7 @@ public <T> MongoCredential withMechanismProperty(final String key, final T value
      * @param password  the password
      */
     MongoCredential(final AuthenticationMechanism mechanism, final String userName, final String source, final char[] password) {
-        if (userName == null) {
+        if (mechanism != MONGODB_X509 && userName == null) {
             throw new IllegalArgumentException("username can not be null");
         }
 
@@ -279,7 +295,7 @@ public <T> MongoCredential withMechanismProperty(final String key, final T value
         }
 
         this.mechanism = mechanism;
-        this.userName = notNull("userName", userName);
+        this.userName = userName;
         this.source = notNull("source", source);
 
         this.password = password != null ? password.clone() : null;

driver-core/src/main/com/mongodb/connection/X509Authenticator.java

@@ -36,6 +36,7 @@ class X509Authenticator extends Authenticator {
     @Override
     void authenticate(final InternalConnection connection, final ConnectionDescription connectionDescription) {
         try {
+            validateUserName(connectionDescription);
             BsonDocument authCommand = getAuthCommand(getCredential().getUserName());
             executeCommand(getCredential().getSource(), authCommand, connection);
         } catch (MongoCommandException e) {
@@ -46,24 +47,31 @@ void authenticate(final InternalConnection connection, final ConnectionDescripti
     @Override
     void authenticateAsync(final InternalConnection connection, final ConnectionDescription connectionDescription,
                            final SingleResultCallback<Void> callback) {
-        executeCommandAsync(getCredential().getSource(), getAuthCommand(getCredential().getUserName()), connection,
-                            new SingleResultCallback<BsonDocument>() {
-                                @Override
-                                public void onResult(final BsonDocument nonceResult, final Throwable t) {
-                                    if (t != null) {
-                                        callback.onResult(null, translateThrowable(t));
-                                    } else {
-                                        callback.onResult(null, null);
+        try {
+            validateUserName(connectionDescription);
+            executeCommandAsync(getCredential().getSource(), getAuthCommand(getCredential().getUserName()), connection,
+                                new SingleResultCallback<BsonDocument>() {
+                                    @Override
+                                    public void onResult(final BsonDocument nonceResult, final Throwable t) {
+                                        if (t != null) {
+                                            callback.onResult(null, translateThrowable(t));
+                                        } else {
+                                            callback.onResult(null, null);
+                                        }
                                     }
-                                }
-                            });
+                                });
+        } catch (Throwable t) {
+            callback.onResult(null, t);
+        }
     }
 
     private BsonDocument getAuthCommand(final String userName) {
         BsonDocument cmd = new BsonDocument();
 
         cmd.put("authenticate", new BsonInt32(1));
-        cmd.put("user", new BsonString(userName));
+        if (userName != null) {
+            cmd.put("user", new BsonString(userName));
+        }
         cmd.put("mechanism", new BsonString(AuthenticationMechanism.MONGODB_X509.getMechanismName()));
 
         return cmd;
@@ -76,4 +84,11 @@ private Throwable translateThrowable(final Throwable t) {
             return t;
         }
     }
+
+    private void validateUserName(final ConnectionDescription connectionDescription) {
+        if (getCredential().getUserName() == null && connectionDescription.getServerVersion().compareTo(new ServerVersion(3, 4)) < 0) {
+            throw new MongoSecurityException(getCredential(), "User name is required for the MONGODB-X509 authentication mechanism "
+                                                                      + "on server versions less than 3.4");
+        }
+    }
 }

driver-core/src/test/unit/com/mongodb/MongoCredentialSpecification.groovy

@@ -179,6 +179,21 @@ class MongoCredentialSpecification extends Specification {
         MongoCredential.MONGODB_X509_MECHANISM == credential.getMechanism()
     }
 
+    def 'creating an X.509 Credential without a username should populate the correct fields'() {
+        given:
+        AuthenticationMechanism mechanism = AuthenticationMechanism.MONGODB_X509
+
+        when:
+        MongoCredential credential = MongoCredential.createMongoX509Credential()
+
+        then:
+        null == credential.getUserName()
+        '$external' == credential.getSource()
+        null == credential.getPassword()
+        mechanism == credential.getAuthenticationMechanism()
+        MongoCredential.MONGODB_X509_MECHANISM == credential.getMechanism()
+    }
+
     def 'should get default value of mechanism property when there is no mapping'() {
         when:
         def credential = MongoCredential.createGSSAPICredential('user')

driver-core/src/test/unit/com/mongodb/connection/X509AuthenticatorNoUserNameTest.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright 2016 MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package com.mongodb.connection;
+
+import com.mongodb.MongoCredential;
+import com.mongodb.MongoSecurityException;
+import com.mongodb.ServerAddress;
+import com.mongodb.async.FutureResultCallback;
+import org.bson.io.BsonInput;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+import static com.mongodb.connection.MessageHelper.buildSuccessfulReply;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+public class X509AuthenticatorNoUserNameTest {
+    private TestInternalConnection connection;
+    private ConnectionDescription connectionDescriptionThreeTwo;
+    private ConnectionDescription connectionDescriptionThreeFour;
+    private MongoCredential credential;
+    private X509Authenticator subject;
+
+    @Before
+    public void before() {
+        connection = new TestInternalConnection(new ServerId(new ClusterId(), new ServerAddress("localhost", 27017)));
+        connectionDescriptionThreeTwo = new ConnectionDescription(new ConnectionId(new ServerId(new ClusterId(), new ServerAddress())),
+                                                                         new ServerVersion(3, 2), ServerType.STANDALONE, 1000, 16000,
+                                                                         48000);
+        connectionDescriptionThreeFour = new ConnectionDescription(new ConnectionId(new ServerId(new ClusterId(), new ServerAddress())),
+                                                                          new ServerVersion(3, 4), ServerType.STANDALONE, 1000, 16000,
+                                                                          48000);
+        credential = MongoCredential.createMongoX509Credential(
+                "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US");
+        subject = new X509Authenticator(this.credential);
+    }
+
+    @Test
+    public void testSuccessfulAuthentication() {
+        enqueueSuccessfulAuthenticationReply();
+
+        new X509Authenticator(MongoCredential.createMongoX509Credential()).authenticate(connection, connectionDescriptionThreeFour);
+
+        validateMessages();
+    }
+
+    @Test
+    public void testUnsuccessfulAuthenticationWhenServerVersionLessThanThreeFour() {
+        try {
+            new X509Authenticator(MongoCredential.createMongoX509Credential()).authenticate(connection,
+                    connectionDescriptionThreeTwo);
+            fail();
+        } catch (MongoSecurityException e) {
+            assertEquals("User name is required for the MONGODB-X509 authentication mechanism on server versions less than 3.4",
+                    e.getMessage());
+        }
+    }
+
+    @Test
+    public void testSuccessfulAuthenticationAsync() throws ExecutionException, InterruptedException {
+        enqueueSuccessfulAuthenticationReply();
+
+        FutureResultCallback<Void> futureCallback = new FutureResultCallback<Void>();
+        new X509Authenticator(MongoCredential.createMongoX509Credential())
+                .authenticateAsync(connection, connectionDescriptionThreeFour, futureCallback);
+
+        futureCallback.get();
+
+        validateMessages();
+    }
+
+    @Test
+    public void testUnsuccessfulAuthenticationWhenServerVersionLessThanThreeFourAsync() throws ExecutionException, InterruptedException {
+        FutureResultCallback<Void> futureCallback = new FutureResultCallback<Void>();
+        new X509Authenticator(MongoCredential.createMongoX509Credential()).authenticateAsync(connection,
+                connectionDescriptionThreeTwo, futureCallback);
+
+        try {
+            futureCallback.get();
+        } catch (MongoSecurityException e) {
+            assertEquals("User name is required for the MONGODB-X509 authentication mechanism on server versions less than 3.4",
+                    e.getMessage());
+        }
+    }
+
+    private void enqueueSuccessfulAuthenticationReply() {
+        connection.enqueueReply(buildSuccessfulReply("{ok: 1}"));
+    }
+
+    private void validateMessages() {
+        List<BsonInput> sent = connection.getSent();
+        String command = MessageHelper.decodeCommandAsJson(sent.get(0));
+        assertEquals("{ \"authenticate\" : 1, \"mechanism\" : \"MONGODB-X509\" }", command);
+    }
+
+}