Merge branch 'main' into RUST-1529-no-ff

Author: JamieTsai1024

.evergreen/config.yml

@@ -257,11 +257,20 @@ buildvariants:
     # Limit the test to only schedule every 14 days to reduce external resource usage.
     batchtime: 20160
 
-  - name: gssapi-auth
-    display_name: "GSSAPI Authentication"
+  - name: gssapi-auth-linux
+    display_name: "GSSAPI Authentication - Linux"
     patchable: true
     run_on:
-      - ubuntu2004-small
+      - ubuntu2204-small
+    tasks:
+      - test-gssapi-auth
+
+  - name: gssapi-auth-macos
+    display_name: "GSSAPI Authentication - macOS"
+    patchable: true
+    disable: true
+    run_on:
+      - macos-14
     tasks:
       - test-gssapi-auth
 
@@ -1389,6 +1398,9 @@ functions:
           AWS_AUTH_TYPE: web-identity
 
   "run gssapi auth test":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
     - command: subprocess.exec
       type: test
       params:
@@ -1397,6 +1409,10 @@ functions:
         args:
           - .evergreen/run-gssapi-tests.sh
         include_expansions_in_env:
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+          - DRIVERS_TOOLS
           - PROJECT_DIRECTORY
 
   "run x509 tests":

.evergreen/run-gssapi-tests.sh

@@ -9,10 +9,59 @@ cd ${PROJECT_DIRECTORY}
 source .evergreen/env.sh
 source .evergreen/cargo-test.sh
 
+# Source the drivers/atlas_connect secrets, where GSSAPI test values are held
+source "${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh" drivers/atlas_connect
+
 FEATURE_FLAGS+=("gssapi-auth")
 
 set +o errexit
 
+# Create a krb5 config file with relevant
+touch krb5.conf
+echo "[realms]
+  $SASL_REALM = {
+    kdc = $SASL_HOST
+    admin_server = $SASL_HOST
+  }
+
+  $SASL_REALM_CROSS = {
+    kdc = $SASL_HOST
+    admin_server = $SASL_HOST
+  }
+
+[domain_realm]
+  .$SASL_DOMAIN = $SASL_REALM
+  $SASL_DOMAIN = $SASL_REALM
+" > krb5.conf
+
+export KRB5_CONFIG=krb5.conf
+
+# Authenticate the user principal in the KDC before running the e2e test
+echo "Authenticating $PRINCIPAL"
+echo "$SASL_PASS" | kinit -p $PRINCIPAL
+klist
+
+# Run end-to-end auth tests for "$PRINCIPAL" user
+TEST_OPTIONS+=("--skip with_service_realm_and_host_options")
+cargo_test test::auth::gssapi_skip_local
+
+# Unauthenticate
+echo "Unauthenticating $PRINCIPAL"
+kdestroy
+
+# Authenticate the alternative user principal in the KDC and run other e2e test
+echo "Authenticating $PRINCIPAL_CROSS"
+echo "$SASL_PASS_CROSS" | kinit -p $PRINCIPAL_CROSS
+klist
+
+TEST_OPTIONS=()
+cargo_test test::auth::gssapi_skip_local::with_service_realm_and_host_options
+
+# Unauthenticate
+echo "Unuthenticating $PRINCIPAL_CROSS"
+kdestroy
+
+# Run remaining tests
 cargo_test spec::auth
 cargo_test uri_options
 cargo_test connection_string

Cargo.lock

@@ -1,5 +1,4 @@
 use cross_krb5::{ClientCtx, InitiateFlags, K5Ctx, PendingClientCtx, Step};
-use hickory_resolver::proto::rr::RData;
 
 use crate::{
     bson::Bson,
@@ -324,21 +323,24 @@ async fn canonicalize_hostname(
     let resolver =
         crate::runtime::AsyncResolver::new(resolver_config.map(|c| c.inner.clone())).await?;
 
-    match mode {
+    let hostname = match mode {
         CanonicalizeHostName::Forward => {
             let lookup_records = resolver.cname_lookup(hostname).await?;
 
-            if let Some(first_record) = lookup_records.records().first() {
-                if let Some(RData::CNAME(cname)) = first_record.data() {
-                    Ok(cname.to_lowercase().to_string())
-                } else {
-                    Ok(hostname.to_string())
-                }
+            if !lookup_records.records().is_empty() {
+                // As long as there is a record, we can return the original hostname.
+                // Although the spec says to return the canonical name, this is not
+                // done by any drivers in practice since the majority of them use
+                // libraries that do not follow CNAME chains. Also, we do not want to
+                // use the canonical name since it will likely differ from the input
+                // name, and the use of the input name is required for the service
+                // principal to be accepted by the GSSAPI auth flow.
+                hostname.to_lowercase().to_string()
             } else {
-                Err(Error::authentication_error(
+                return Err(Error::authentication_error(
                     GSSAPI_STR,
                     &format!("No addresses found for hostname: {hostname}"),
-                ))
+                ));
             }
         }
         CanonicalizeHostName::ForwardAndReverse => {
@@ -350,20 +352,27 @@ async fn canonicalize_hostname(
                 match resolver.reverse_lookup(first_address).await {
                     Ok(reverse_lookup) => {
                         if let Some(name) = reverse_lookup.iter().next() {
-                            Ok(name.to_lowercase().to_string())
+                            name.to_lowercase().to_string()
                         } else {
-                            Ok(hostname.to_lowercase())
+                            hostname.to_lowercase()
                         }
                     }
-                    Err(_) => Ok(hostname.to_lowercase()),
+                    Err(_) => hostname.to_lowercase(),
                 }
             } else {
-                Err(Error::authentication_error(
+                return Err(Error::authentication_error(
                     GSSAPI_STR,
                     &format!("No addresses found for hostname: {hostname}"),
-                ))
+                ));
             }
         }
         CanonicalizeHostName::None => unreachable!(),
-    }
+    };
+
+    // Sometimes reverse lookup results in a trailing "." since that is the correct
+    // way to present a FQDN. However, GSSAPI rejects the trailing "." so we remove
+    // it here manually.
+    let hostname = hostname.trim_end_matches(".");
+
+    Ok(hostname.to_string())
 }

src/client/auth/gssapi.rs

@@ -1,5 +1,8 @@
 #[cfg(feature = "aws-auth")]
 mod aws;
+#[cfg(feature = "gssapi-auth")]
+#[path = "auth/gssapi.rs"]
+mod gssapi_skip_local;
 
 use serde::Deserialize;