RUST-766 Gate MONGODB-AWS authentication behind the aws-auth feature flag (#436)

Author: patrickfreed

.evergreen/aws-ecs-test/Cargo.toml

@@ -9,3 +9,4 @@ tokio = "1.0.2"
 
 [dependencies.mongodb]
 path = "../.."
+features = ["aws-auth"]

.evergreen/config.yml

@@ -309,6 +309,17 @@ functions:
           ${PREPARE_SHELL}
 
           .evergreen/run-plain-tests.sh
+
+  "run connection string tests":
+    - command: shell.exec
+      type: test
+      params:
+        shell: bash
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+
+          .evergreen/run-connection-string-tests.sh
             
   "prepare resources":
     - command: shell.exec
@@ -823,6 +834,10 @@ tasks:
       - func: "run aws auth test with aws EC2 credentials"
       - func: "run aws ECS auth test"
 
+  - name: "test-connection-string"
+    commands:
+      - func: "run connection string tests"
+
   - name: "test-atlas-connectivity"
     tags: ["atlas-connect"]
     commands:
@@ -1390,6 +1405,7 @@ buildvariants:
   display_name: "Atlas Connectivity ${os} with ${async-runtime}"
   tasks:
     - ".atlas-connect"
+
 - matrix_name: "aws-auth"
   matrix_spec:
     os:
@@ -1398,6 +1414,7 @@ buildvariants:
   display_name: "${os} AWS Auth with ${async-runtime}"
   tasks:
     - ".aws-auth"
+    - "test-connection-string"
 # TODO: RUST-361 enable these tests once OCSP support is implemented
 # - matrix_name: "ocsp"
 #   matrix_spec:

.evergreen/run-aws-tests.sh

@@ -44,4 +44,4 @@ set -o errexit
 
 . ~/.cargo/env
 
-RUST_BACKTRACE=1 cargo test auth_aws::auth_aws
+RUST_BACKTRACE=1 cargo test --features aws-auth auth_aws::auth_aws

.evergreen/run-connection-string-tests.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -o errexit
+set -o xtrace
+
+. ~/.cargo/env
+
+RUST_BACKTRACE=1 cargo test --features aws-auth spec::auth
+RUST_BACKTRACE=1 cargo test --features aws-auth uri_options
+RUST_BACKTRACE=1 cargo test --features aws-auth connection_string

Cargo.toml

@@ -21,19 +21,26 @@ exclude = [
 
 [features]
 default = ["tokio-runtime"]
-tokio-runtime = ["tokio/macros", "tokio/net", "tokio/rt", "tokio/time", "reqwest", "serde_bytes"]
+tokio-runtime = ["tokio/macros", "tokio/net", "tokio/rt", "tokio/time", "serde_bytes"]
 async-std-runtime = ["async-std", "async-std/attributes", "async-std-resolver", "tokio-util/compat"]
 sync = ["async-std-runtime"]
+
 # The bson/u2i feature enables automatic conversion from unsigned to signed types during
 # serialization. This feature is intended for use when serializing data types in third-party crates
 # whose implementation cannot be changed; otherwise, it is preferred to use the helper functions
 # provided in the bson::serde_helpers module.
 bson-u2i = ["bson/u2i"]
+
 # Enable support for v0.4 of the chrono crate in the public API of the BSON library.
 bson-chrono-0_4 = ["bson/chrono-0_4"]
+
 # Enable support for v0.8 of the uuid crate in the public API of the BSON library.
 bson-uuid-0_8 = ["bson/uuid-0_8"]
 
+# Enable support for MONGODB-AWS authentication.
+# This can only be used with the tokio-runtime feature flag.
+aws-auth = ["reqwest"]
+
 [dependencies]
 async-trait = "0.1.42"
 base64 = "0.13.0"

src/client/auth/mod.rs

@@ -1,7 +1,7 @@
 //! Contains the types needed to specify the auth configuration for a
 //! [`Client`](struct.Client.html).
 
-#[cfg(feature = "tokio-runtime")]
+#[cfg(feature = "aws-auth")]
 mod aws;
 mod plain;
 mod sasl;
@@ -82,7 +82,7 @@ pub enum AuthMechanism {
     ///
     /// Note: Only server versions 4.4+ support AWS authentication. Additionally, the driver only
     /// supports AWS authentication with the tokio runtime.
-    #[cfg(feature = "tokio-runtime")]
+    #[cfg(feature = "aws-auth")]
     MongoDbAws,
 }
 
@@ -164,7 +164,7 @@ impl AuthMechanism {
 
                 Ok(())
             }
-            #[cfg(feature = "tokio-runtime")]
+            #[cfg(feature = "aws-auth")]
             AuthMechanism::MongoDbAws => {
                 if credential.username.is_some() && credential.password.is_none() {
                     return Err(ErrorKind::InvalidArgument {
@@ -190,7 +190,7 @@ impl AuthMechanism {
             AuthMechanism::MongoDbX509 => MONGODB_X509_STR,
             AuthMechanism::Gssapi => GSSAPI_STR,
             AuthMechanism::Plain => PLAIN_STR,
-            #[cfg(feature = "tokio-runtime")]
+            #[cfg(feature = "aws-auth")]
             AuthMechanism::MongoDbAws => MONGODB_AWS_STR,
         }
     }
@@ -205,7 +205,7 @@ impl AuthMechanism {
             }
             AuthMechanism::MongoDbX509 => "$external",
             AuthMechanism::Plain => "$external",
-            #[cfg(feature = "tokio-runtime")]
+            #[cfg(feature = "aws-auth")]
             AuthMechanism::MongoDbAws => "$external",
             _ => "",
         }
@@ -233,7 +233,7 @@ impl AuthMechanism {
                 x509::build_speculative_client_first(credential),
             )))),
             Self::Plain => Ok(None),
-            #[cfg(feature = "tokio-runtime")]
+            #[cfg(feature = "aws-auth")]
             AuthMechanism::MongoDbAws => Ok(None),
             AuthMechanism::MongoDbCr => Err(ErrorKind::Authentication {
                 message: "MONGODB-CR is deprecated and not supported by this driver. Use SCRAM \
@@ -253,7 +253,7 @@ impl AuthMechanism {
         stream: &mut Connection,
         credential: &Credential,
         server_api: Option<&ServerApi>,
-        #[cfg_attr(not(feature = "tokio-runtime"), allow(unused))] http_client: &HttpClient,
+        #[cfg_attr(not(feature = "aws-auth"), allow(unused))] http_client: &HttpClient,
     ) -> Result<()> {
         self.validate_credential(credential)?;
 
@@ -274,7 +274,7 @@ impl AuthMechanism {
             AuthMechanism::Plain => {
                 plain::authenticate_stream(stream, credential, server_api).await
             }
-            #[cfg(feature = "tokio-runtime")]
+            #[cfg(feature = "aws-auth")]
             AuthMechanism::MongoDbAws => {
                 aws::authenticate_stream(stream, credential, server_api, http_client).await
             }
@@ -304,11 +304,13 @@ impl FromStr for AuthMechanism {
             GSSAPI_STR => Ok(AuthMechanism::Gssapi),
             PLAIN_STR => Ok(AuthMechanism::Plain),
 
-            #[cfg(feature = "tokio-runtime")]
+            #[cfg(feature = "aws-auth")]
             MONGODB_AWS_STR => Ok(AuthMechanism::MongoDbAws),
-            #[cfg(not(feature = "tokio-runtime"))]
+            #[cfg(not(feature = "aws-auth"))]
             MONGODB_AWS_STR => Err(ErrorKind::InvalidArgument {
-                message: "MONGODB-AWS auth is only supported with the tokio runtime".into(),
+                message: "MONGODB-AWS auth is only supported with the aws-auth feature flag and \
+                          the tokio runtime"
+                    .into(),
             }
             .into()),
 

src/lib.rs

@@ -84,6 +84,14 @@
 #![cfg_attr(test, type_length_limit = "80000000")]
 #![doc(html_root_url = "https://docs.rs/mongodb/2.0.0-beta.3")]
 
+#[cfg(all(
+    feature = "aws-auth",
+    feature = "async-std-runtime"
+))]
+compile_error!(
+    "The `aws-auth` feature flag is only supported on the tokio runtime."
+);
+
 macro_rules! define_if_single_runtime_enabled {
     ( $( $def:item )+ ) => {
         $(

src/runtime/http.rs

@@ -1,15 +1,15 @@
-#[cfg(feature = "tokio-runtime")]
+#[cfg(feature = "aws-auth")]
 use reqwest::{Method, Response};
-#[cfg(feature = "tokio-runtime")]
+#[cfg(feature = "aws-auth")]
 use serde::Deserialize;
 
 #[derive(Clone, Debug, Default)]
 pub(crate) struct HttpClient {
-    #[cfg(feature = "tokio-runtime")]
+    #[cfg(feature = "aws-auth")]
     inner: reqwest::Client,
 }
 
-#[cfg(feature = "tokio-runtime")]
+#[cfg(feature = "aws-auth")]
 impl HttpClient {
     /// Executes an HTTP GET request and deserializes the JSON response.
     pub(crate) async fn get_and_deserialize_json<'a, T>(

src/test/spec/auth.rs

@@ -54,12 +54,12 @@ async fn run_auth_test(test_file: TestFile) {
             "GSSAPI",
             "PLAIN",
             "MONGODB-CR",
-            #[cfg(not(feature = "tokio-runtime"))]
+            #[cfg(not(feature = "aws-auth"))]
             "MONGODB-AWS",
         ];
 
         // TODO: GSSAPI (RUST-196)
-        // TODO: PLAIN (RUST-197)
+        // TODO: PLAIN (RUST-992)
         if skipped_mechanisms
             .iter()
             .any(|mech| test_case.description.contains(mech))