DefaultAuthenticator now negotiates mechanism

Author: rozza

driver-core/src/main/com/mongodb/MongoCredential.java

@@ -29,6 +29,7 @@
 import static com.mongodb.AuthenticationMechanism.MONGODB_X509;
 import static com.mongodb.AuthenticationMechanism.PLAIN;
 import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_1;
+import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_256;
 import static com.mongodb.assertions.Assertions.notNull;
 
 /**
@@ -148,19 +149,20 @@ public final class MongoCredential {
 
     /**
      * Creates a MongoCredential instance with an unspecified mechanism.  The client will negotiate the best mechanism based on the
-     * version of the server that the client is authenticating to.  If the server version is 3.0 or higher,
-     * the driver will authenticate using the SCRAM-SHA-1 mechanism.  Otherwise, the driver will authenticate using the MONGODB_CR
-     * mechanism.
+     * version of the server that the client is authenticating to.
      *
+     * <p>If the server version is 4.0 or higher, the driver will negotiate with the server preferring the SCRAM-SHA-256 mechanism. 3.x
+     * servers will authenticate using SCRAM-SHA-1, older servers will authenticate using the MONGODB_CR mechanism.</p>
      *
      * @param userName the user name
      * @param database the database where the user is defined
      * @param password the user's password
      * @return the credential
      *
      * @since 2.13
-     * @mongodb.driver.manual core/authentication/#mongodb-cr-authentication MONGODB-CR
+     * @mongodb.driver.manual core/authentication/#authentication-scram-sha-256 SCRAM-SHA-256
      * @mongodb.driver.manual core/authentication/#authentication-scram-sha-1 SCRAM-SHA-1
+     * @mongodb.driver.manual core/authentication/#mongodb-cr-authentication MONGODB-CR
      */
     public static MongoCredential createCredential(final String userName, final String database, final char[] password) {
         return new MongoCredential(null, userName, database, password);
@@ -187,6 +189,23 @@ public static MongoCredential createScramSha1Credential(final String userName, f
         return new MongoCredential(SCRAM_SHA_1, userName, source, password);
     }
 
+    /**
+     * Creates a MongoCredential instance for the SCRAM-SHA-256 SASL mechanism.
+     *
+     * @param userName the non-null user name
+     * @param source the source where the user is defined.
+     * @param password the non-null user password
+     * @return the credential
+     * @see #createCredential(String, String, char[])
+     *
+     * @since 3.8
+     * @mongodb.server.release 4.0
+     * @mongodb.driver.manual core/authentication/#authentication-scram-sha-256 SCRAM-SHA-256
+     */
+    public static MongoCredential createScramSha256Credential(final String userName, final String source, final char[] password) {
+        return new MongoCredential(SCRAM_SHA_256, userName, source, password);
+    }
+
     /**
      * Creates a MongoCredential instance for the MongoDB Challenge Response protocol. Use this method only if you want to ensure that
      * the driver uses the MONGODB_CR mechanism regardless of whether the server you are connecting to supports a more secure
@@ -296,6 +315,20 @@ public <T> MongoCredential withMechanismProperty(final String key, final T value
         return new MongoCredential(this, key, value);
     }
 
+    /**
+     * Creates a new MongoCredential with the set mechanism. The existing mechanism must be null.
+     *
+     * @param mechanism the mechanism to set
+     * @return the credential
+     * @since 3.8
+     */
+    public MongoCredential withMechanism(final AuthenticationMechanism mechanism) {
+        if (this.mechanism != null) {
+            throw new IllegalArgumentException("Mechanism already set");
+        }
+        return new MongoCredential(mechanism, userName, source, password, mechanismProperties);
+    }
+
     /**
      * Constructs a new instance using the given mechanism, userName, source, and password
      *
@@ -306,6 +339,11 @@ public <T> MongoCredential withMechanismProperty(final String key, final T value
      */
     MongoCredential(@Nullable final AuthenticationMechanism mechanism, @Nullable final String userName, final String source,
                     @Nullable final char[] password) {
+        this(mechanism, userName, source, password, Collections.<String, Object>emptyMap());
+    }
+
+    MongoCredential(@Nullable final AuthenticationMechanism mechanism, @Nullable final String userName, final String source,
+                    @Nullable final char[] password, final Map<String, Object> mechanismProperties) {
         if (mechanism != MONGODB_X509 && userName == null) {
             throw new IllegalArgumentException("username can not be null");
         }
@@ -327,12 +365,13 @@ public <T> MongoCredential withMechanismProperty(final String key, final T value
         this.source = notNull("source", source);
 
         this.password = password != null ? password.clone() : null;
-        this.mechanismProperties = Collections.emptyMap();
+        this.mechanismProperties = new HashMap<String, Object>(mechanismProperties);
     }
 
     @SuppressWarnings("deprecation")
     private boolean mechanismRequiresPassword(@Nullable final AuthenticationMechanism mechanism) {
-        return mechanism == PLAIN || mechanism == MONGODB_CR || mechanism == SCRAM_SHA_1;
+        return mechanism == PLAIN || mechanism == MONGODB_CR || mechanism == SCRAM_SHA_1 || mechanism == SCRAM_SHA_256;
+
     }
 
     /**
@@ -469,12 +508,12 @@ public int hashCode() {
     @Override
     public String toString() {
         return "MongoCredential{"
-               + "mechanism=" + mechanism
-               + ", userName='" + userName + '\''
-               + ", source='" + source + '\''
-               + ", password=<hidden>"
-               + ", mechanismProperties=" + mechanismProperties
-               + '}';
+                + "mechanism=" + mechanism
+                + ", userName='" + userName + '\''
+                + ", source='" + source + '\''
+                + ", password=<hidden>"
+                + ", mechanismProperties=" + mechanismProperties
+                + '}';
     }
 }
 

driver-core/src/main/com/mongodb/connection/DefaultAuthenticator.java

@@ -16,33 +16,102 @@
 
 package com.mongodb.connection;
 
-import com.mongodb.MongoCredential;
+import com.mongodb.AuthenticationMechanism;
+import com.mongodb.MongoException;
+import com.mongodb.MongoSecurityException;
 import com.mongodb.async.SingleResultCallback;
+import org.bson.BsonArray;
+import org.bson.BsonDocument;
+import org.bson.BsonInt32;
+import org.bson.BsonString;
 
+import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_1;
+import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_256;
 import static com.mongodb.assertions.Assertions.isTrueArgument;
+import static com.mongodb.connection.CommandHelper.executeCommand;
+import static com.mongodb.connection.CommandHelper.executeCommandAsync;
+import static java.lang.String.format;
 
 class DefaultAuthenticator extends Authenticator {
+    static final int USER_NOT_FOUND_CODE = 11;
+    private static final ServerVersion FOUR_ZERO = new ServerVersion(3, 7);
+    private static final ServerVersion THREE_ZERO = new ServerVersion(3, 0);
+    private static final BsonString DEFAULT_MECHANISM_NAME = new BsonString(SCRAM_SHA_256.getMechanismName());
+
     DefaultAuthenticator(final MongoCredentialWithCache credential) {
         super(credential);
         isTrueArgument("unspecified authentication mechanism", credential.getAuthenticationMechanism() == null);
     }
 
     @Override
     void authenticate(final InternalConnection connection, final ConnectionDescription connectionDescription) {
-        createAuthenticator(connectionDescription).authenticate(connection, connectionDescription);
+        if (connectionDescription.getServerVersion().compareTo(FOUR_ZERO) < 0) {
+            getLegacyDefaultAuthenticator(connectionDescription.getServerVersion())
+                    .authenticate(connection, connectionDescription);
+        } else {
+            try {
+                BsonDocument isMasterResult = executeCommand("admin", createIsMasterCommand(), connection);
+                getAuthenticatorFromIsMasterResult(isMasterResult, connectionDescription.getServerVersion())
+                        .authenticate(connection, connectionDescription);
+            } catch (Exception e) {
+                throw wrapException(e);
+            }
+        }
     }
 
     @Override
     void authenticateAsync(final InternalConnection connection, final ConnectionDescription connectionDescription,
                            final SingleResultCallback<Void> callback) {
-        createAuthenticator(connectionDescription).authenticateAsync(connection, connectionDescription, callback);
+        if (connectionDescription.getServerVersion().compareTo(FOUR_ZERO) < 0) {
+            getLegacyDefaultAuthenticator(connectionDescription.getServerVersion())
+                    .authenticateAsync(connection, connectionDescription, callback);
+        } else {
+            executeCommandAsync("admin", createIsMasterCommand(), connection, new SingleResultCallback<BsonDocument>() {
+                @Override
+                public void onResult(final BsonDocument result, final Throwable t) {
+                    if (t != null) {
+                        callback.onResult(null, wrapException(t));
+                    } else {
+                        getAuthenticatorFromIsMasterResult(result, connectionDescription.getServerVersion())
+                                .authenticateAsync(connection, connectionDescription, callback);
+                    }
+                }
+            });
+        }
     }
 
-    Authenticator createAuthenticator(final ConnectionDescription connectionDescription) {
-        if (connectionDescription.getServerVersion().compareTo(new ServerVersion(2, 7)) >= 0) {
-            return new ScramShaAuthenticator(getMongoCredentialWithCache());
+    Authenticator getAuthenticatorFromIsMasterResult(final BsonDocument isMasterResult, final ServerVersion serverVersion) {
+        if (isMasterResult.containsKey("saslSupportedMechs")) {
+            BsonArray saslSupportedMechs = isMasterResult.getArray("saslSupportedMechs");
+            AuthenticationMechanism mechanism = saslSupportedMechs.contains(DEFAULT_MECHANISM_NAME) ? SCRAM_SHA_256 : SCRAM_SHA_1;
+            return new ScramShaAuthenticator(getMongoCredentialWithCache().withMechanism(mechanism));
+        } else {
+            return getLegacyDefaultAuthenticator(serverVersion);
+        }
+    }
+
+    private Authenticator getLegacyDefaultAuthenticator(final ServerVersion serverVersion) {
+        if (serverVersion.compareTo(THREE_ZERO) >= 0) {
+            return new ScramShaAuthenticator(getMongoCredentialWithCache().withMechanism(SCRAM_SHA_1));
         } else {
             return new NativeAuthenticator(getMongoCredentialWithCache());
         }
     }
+
+    private BsonDocument createIsMasterCommand() {
+        BsonDocument isMasterCommandDocument = new BsonDocument("ismaster", new BsonInt32(1));
+        isMasterCommandDocument.append("saslSupportedMechs",
+                new BsonString(format("%s.%s", getMongoCredential().getSource(), getMongoCredential().getUserName())));
+        return isMasterCommandDocument;
+    }
+
+    private MongoException wrapException(final Throwable t) {
+        if (t instanceof MongoSecurityException) {
+            return (MongoSecurityException) t;
+        } else if (t instanceof MongoException && ((MongoException) t).getCode() == USER_NOT_FOUND_CODE) {
+            return new MongoSecurityException(getMongoCredential(), format("Exception authenticating %s", getMongoCredential()), t);
+        } else {
+            return MongoException.fromThrowable(t);
+        }
+    }
 }

driver-core/src/main/com/mongodb/connection/InternalStreamConnectionInitializer.java

@@ -17,31 +17,40 @@
 package com.mongodb.connection;
 
 import com.mongodb.MongoCompressor;
+import com.mongodb.MongoCredential;
+import com.mongodb.MongoException;
+import com.mongodb.MongoSecurityException;
 import com.mongodb.async.SingleResultCallback;
 import org.bson.BsonArray;
 import org.bson.BsonDocument;
 import org.bson.BsonInt32;
 import org.bson.BsonString;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 
 import static com.mongodb.assertions.Assertions.notNull;
 import static com.mongodb.connection.CommandHelper.executeCommand;
 import static com.mongodb.connection.CommandHelper.executeCommandAsync;
 import static com.mongodb.connection.CommandHelper.executeCommandWithoutCheckingForFailure;
+import static com.mongodb.connection.DefaultAuthenticator.USER_NOT_FOUND_CODE;
 import static com.mongodb.connection.DescriptionHelper.createConnectionDescription;
+import static com.mongodb.connection.DescriptionHelper.getVersion;
+import static java.lang.String.format;
 
 class InternalStreamConnectionInitializer implements InternalConnectionInitializer {
     private final List<Authenticator> authenticators;
     private final BsonDocument clientMetadataDocument;
     private final List<MongoCompressor> requestedCompressors;
+    private final boolean checkSaslSupportedMechs;
 
     InternalStreamConnectionInitializer(final List<Authenticator> authenticators, final BsonDocument clientMetadataDocument,
                                         final List<MongoCompressor> requestedCompressors) {
-        this.authenticators = notNull("authenticators", authenticators);
+        this.authenticators = new ArrayList<Authenticator>(notNull("authenticators", authenticators));
         this.clientMetadataDocument = clientMetadataDocument;
         this.requestedCompressors = notNull("requestedCompressors", requestedCompressors);
+        this.checkSaslSupportedMechs = this.authenticators.size() > 0 && this.authenticators.get(0) instanceof DefaultAuthenticator;
     }
 
     @Override
@@ -50,7 +59,6 @@ public ConnectionDescription initialize(final InternalConnection internalConnect
 
         ConnectionDescription connectionDescription = initializeConnectionDescription(internalConnection);
         authenticateAll(internalConnection, connectionDescription);
-
         return completeConnectionDescriptionInitialization(internalConnection, connectionDescription);
     }
 
@@ -88,8 +96,21 @@ public void onResult(final Void result, final Throwable t) {
     }
 
     private ConnectionDescription initializeConnectionDescription(final InternalConnection internalConnection) {
-        BsonDocument isMasterResult = executeCommand("admin", createIsMasterCommand(), internalConnection);
+        BsonDocument isMasterResult;
+        BsonDocument isMasterCommandDocument = createIsMasterCommand();
+
+        try {
+            isMasterResult = executeCommand("admin", isMasterCommandDocument, internalConnection);
+        } catch (MongoException e) {
+            if (checkSaslSupportedMechs && e.getCode() == USER_NOT_FOUND_CODE) {
+                MongoCredential credential = authenticators.get(0).getMongoCredential();
+                throw new MongoSecurityException(credential, format("Exception authenticating %s", credential), e);
+            }
+            throw e;
+        }
         BsonDocument buildInfoResult = executeCommand("admin", new BsonDocument("buildinfo", new BsonInt32(1)), internalConnection);
+
+        setFirstAuthenticator(isMasterResult, buildInfoResult);
         return createConnectionDescription(internalConnection.getDescription().getConnectionId(), isMasterResult, buildInfoResult);
     }
 
@@ -105,6 +126,11 @@ private BsonDocument createIsMasterCommand() {
             }
             isMasterCommandDocument.append("compression", compressors);
         }
+        if (checkSaslSupportedMechs) {
+            MongoCredential credential = authenticators.get(0).getMongoCredential();
+            isMasterCommandDocument.append("saslSupportedMechs",
+                    new BsonString(credential.getSource() + "." + credential.getUserName()));
+        }
         return isMasterCommandDocument;
     }
 
@@ -131,7 +157,14 @@ private void initializeConnectionDescriptionAsync(final InternalConnection inter
                                 @Override
                                 public void onResult(final BsonDocument isMasterResult, final Throwable t) {
                                     if (t != null) {
-                                        callback.onResult(null, t);
+                                        if (checkSaslSupportedMechs && t instanceof MongoException
+                                                && ((MongoException) t).getCode() == USER_NOT_FOUND_CODE) {
+                                            MongoCredential credential = authenticators.get(0).getMongoCredential();
+                                            callback.onResult(null,  new MongoSecurityException(credential,
+                                                    format("Exception authenticating %s", credential), t));
+                                        } else {
+                                            callback.onResult(null, t);
+                                        }
                                     } else {
                                         executeCommandAsync("admin", new BsonDocument("buildinfo", new BsonInt32(1)), internalConnection,
                                                             new SingleResultCallback<BsonDocument>() {
@@ -143,6 +176,7 @@ public void onResult(final BsonDocument buildInfoResult,
                                                                     } else {
                                                                         ConnectionId connectionId = internalConnection.getDescription()
                                                                                                                       .getConnectionId();
+                                                                        setFirstAuthenticator(isMasterResult, buildInfoResult);
                                                                         callback.onResult(createConnectionDescription(connectionId,
                                                                                                                       isMasterResult,
                                                                                                                       buildInfoResult),
@@ -155,6 +189,14 @@ public void onResult(final BsonDocument buildInfoResult,
                             });
     }
 
+    @SuppressWarnings("unchecked")
+    private void setFirstAuthenticator(final BsonDocument isMasterResult, final BsonDocument buildInfoResult) {
+        if (checkSaslSupportedMechs) {
+            authenticators.set(0, ((DefaultAuthenticator) authenticators.get(0))
+                    .getAuthenticatorFromIsMasterResult(isMasterResult, getVersion(buildInfoResult)));
+        }
+    }
+
     private void completeConnectionDescriptionInitializationAsync(final InternalConnection internalConnection,
                                                                   final ConnectionDescription connectionDescription,
                                                                   final SingleResultCallback<ConnectionDescription> callback) {

driver-core/src/test/functional/com/mongodb/operation/UserOperationsSpecification.groovy

@@ -139,6 +139,24 @@ class UserOperationsSpecification extends OperationFunctionalSpecification {
         executeAsync(new DropUserOperation(databaseName, credential.userName))
     }
 
+    def 'should handle user not found'() {
+        given:
+        def credential = createCredential('user', databaseName, 'pencil' as char[])
+        def cluster = getCluster(credential, ClusterSettings.builder().serverSelectionTimeout(1, TimeUnit.SECONDS))
+
+        when:
+        cluster.selectServer(new WritableServerSelector())
+
+        then:
+        thrown(MongoTimeoutException)
+
+        cleanup:
+        cluster?.close()
+
+        where:
+        async << [true, false]
+    }
+
     @Category(Slow)
     def 'a removed user should not authenticate'() {
         given: