RUST-2245 Implement GSSAPI auth support for Windows #1444

Open
wants to merge 16 commits into
base: main
10 changes: 9 additions & 1 deletion .evergreen/config.yml
Expand Up @@ -274,6 +274,14 @@ buildvariants:
tasks:
- test-gssapi-auth

- name: gssapi-auth-windows
display_name: "GSSAPI Authentication - Windows"
patchable: true
run_on:
- windows-64-vs2017-small
tasks:
- test-gssapi-auth

- name: x509-auth
display_name: "x509 Authentication"
patchable: false
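Review bot: `patchable: true` on the new `gssapi-auth-windows` variant differs from the `patchable: false` on the neighbouring `x509-auth` variant. Since `test-gssapi-auth` runs a script that reads `$SASL_PASS` and `$SASL_PASS_CROSS`, confirm that making this variant available to patch builds is intended and consistent with the existing GSSAPI variant. A one-line comment above the variant saying that it exercises the SSPI path would also help future readers.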
Expand Down Expand Up @@ -1405,7 +1413,7 @@ functions:
type: test
params:
binary: bash
working_dir: ${PROJECT_DIRECTORY}
working_dir: src
Collaborator Author

Using ${PROJECT_DIRECTORY} on windows-64-vs2017-small was causing "working_dir could not be found" errors. I checked the rest of config.yml and it seems like the majority of working_dir values are set to src. I only chose ${PROJECT_DIRECTORY} initially since I based this function on the aws auth functions.

args:
- .evergreen/run-gssapi-tests.sh
include_expansions_in_env:
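Review bot: With `working_dir: src`, the relative path in `args` (`.evergreen/run-gssapi-tests.sh`) resolves under `src` for every variant that calls this function, not only `windows-64-vs2017-small`. Confirm the non-Windows GSSAPI variant still finds the script from that directory, and consider making the same change to the functions this one was modelled on so the file stays consistent.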
78 changes: 44 additions & 34 deletions .evergreen/run-gssapi-tests.sh
Expand Up @@ -16,50 +16,60 @@ FEATURE_FLAGS+=("gssapi-auth")

set +o errexit

# Create a krb5 config file with relevant
touch krb5.conf
echo "[realms]
$SASL_REALM = {
kdc = $SASL_HOST
admin_server = $SASL_HOST
}

$SASL_REALM_CROSS = {
kdc = $SASL_HOST
admin_server = $SASL_HOST
}

[domain_realm]
.$SASL_DOMAIN = $SASL_REALM
$SASL_DOMAIN = $SASL_REALM
" > krb5.conf

export KRB5_CONFIG=krb5.conf

# Authenticate the user principal in the KDC before running the e2e test
echo "Authenticating $PRINCIPAL"
echo "$SASL_PASS" | kinit -p $PRINCIPAL
klist
# On Windows, `kinit`/`kdestroy` and other krb5 config settings are
# not available, nor are they required steps. Windows uses SSPI which
# is similar to but distinct from (KRB5) GSSAPI. Therefore, we only
# run the following steps if we are not on Windows.
if [[ "Windows_NT" != "$OSTYPE" ]]; then
# Create a krb5 config file with relevant
touch krb5.conf
echo "[realms]
$SASL_REALM = {
kdc = $SASL_HOST
admin_server = $SASL_HOST
}

$SASL_REALM_CROSS = {
kdc = $SASL_HOST
admin_server = $SASL_HOST
}

[domain_realm]
.$SASL_DOMAIN = $SASL_REALM
$SASL_DOMAIN = $SASL_REALM
" > krb5.conf

export KRB5_CONFIG=krb5.conf

# Authenticate the user principal in the KDC before running the e2e test
echo "Authenticating $PRINCIPAL"
echo "$SASL_PASS" | kinit -p $PRINCIPAL
klist
fi

# Run end-to-end auth tests for "$PRINCIPAL" user
TEST_OPTIONS+=("--skip with_service_realm_and_host_options")
cargo_test test::auth::gssapi_skip_local

# Unauthenticate
echo "Unauthenticating $PRINCIPAL"
kdestroy
if [[ "Windows_NT" != "$OSTYPE" ]]; then
# Unauthenticate
echo "Unauthenticating $PRINCIPAL"
kdestroy

# Authenticate the alternative user principal in the KDC and run other e2e test
echo "Authenticating $PRINCIPAL_CROSS"
echo "$SASL_PASS_CROSS" | kinit -p $PRINCIPAL_CROSS
klist
# Authenticate the alternative user principal in the KDC and run other e2e test
echo "Authenticating $PRINCIPAL_CROSS"
echo "$SASL_PASS_CROSS" | kinit -p $PRINCIPAL_CROSS
klist
fi

TEST_OPTIONS=()
cargo_test test::auth::gssapi_skip_local::with_service_realm_and_host_options

# Unauthenticate
echo "Unuthenticating $PRINCIPAL_CROSS"
kdestroy
if [[ "Windows_NT" != "$OSTYPE" ]]; then
# Unauthenticate
echo "Unauthenticating $PRINCIPAL_CROSS"
kdestroy
fi

# Run remaining tests
cargo_test spec::auth
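Review bot: The guard `[[ "Windows_NT" != "$OSTYPE" ]]` compares against a value that bash's `OSTYPE` does not normally hold: bash sets `OSTYPE` to strings such as `cygwin`, `msys` or `linux-gnu`, while `Windows_NT` is the usual value of the `OS` environment variable on Windows. Unless the CI environment overrides `OSTYPE`, all three guards evaluate to true on the Windows host and the `kinit`/`kdestroy` steps still run. Testing `"$OS"` (or matching `OSTYPE` against `cygwin*|msys*`) once, storing the result in a variable and reusing it would fix this and remove the repeated condition. Because `set +o errexit` is in effect, a failing `kinit` does not stop the script, so a wrong guard can go unnoticed. Quoting `$PRINCIPAL` and `$PRINCIPAL_CROSS` in the `kinit -p` calls would also be safer.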
77 changes: 76 additions & 1 deletion Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 8 additions & 2 deletions Cargo.toml
Expand Up @@ -56,7 +56,7 @@ gcp-oidc = ["dep:reqwest"]
gcp-kms = ["dep:reqwest"]

# Enable support for GSSAPI (Kerberos) authentication.
gssapi-auth = ["dep:cross-krb5", "dns-resolver"]
gssapi-auth = ["dep:cross-krb5", "dep:windows-sys", "dns-resolver"]

zstd-compression = ["dep:zstd"]
zlib-compression = ["dep:flate2"]
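Review bot: The comment above `gssapi-auth` still reads as if there were a single backend, while the feature now names both `dep:cross-krb5` and `dep:windows-sys`. Extend the comment to say that the dependency is selected per target (`cross-krb5` on non-Windows, `windows-sys` on Windows) so readers do not assume both crates are built together.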
Expand All @@ -80,7 +80,6 @@ chrono = { version = "0.4.7", default-features = false, features = [
"clock",
"std",
] }
cross-krb5 = { version = "0.4.2", optional = true, default-features = false }
derive_more = "0.99.17"
derive-where = "1.2.7"
flate2 = { version = "1.0", optional = true }
Expand Down Expand Up @@ -235,6 +234,13 @@ features = ["serde", "serde_json-1"]
rustdoc-args = ["--cfg", "docsrs"]
all-features = true

# Target-specific dependencies for GSSAPI authentication
Collaborator Author

To be honest, I've never had to do this before in a Cargo.toml file so I'm not sure if this is the idiomatic way.

[target.'cfg(not(windows))'.dependencies]
cross-krb5 = { version = "0.4.2", optional = true, default-features = false }

[target.'cfg(windows)'.dependencies]
windows-sys = { version = "0.60", optional = true, features = ["Win32_Security_Authentication_Identity", "Win32_Security_Credentials", "Win32_Foundation", "Win32_System", "Win32_System_Rpc"] }

[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = [
'cfg(mongodb_internal_tracking_arc)',
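Review bot: The two `[target.'cfg(...)'.dependencies]` tables sit between the `rustdoc-args`/`all-features` block and `[lints.rust]`, far from the dependency list that `cross-krb5` was removed from; placing them directly after the main dependency entries would make the move easier to follow. In the `windows-sys` feature list, check whether `Win32_System` is needed alongside `Win32_System_Rpc`, and drop any feature the SSPI code does not actually use so the Windows build surface stays minimal.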