PYTHON-3096 Finish implementation and tests for GSSAPI options (mongodb#1985)

blink1073 · zaif-yuval · commit 4682dac91e9c · 2025-01-01T14:36:49.000+02:00
diff --git a/.evergreen/scripts/run-enterprise-auth-tests.sh b/.evergreen/scripts/run-enterprise-auth-tests.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
+set -eu
 
 # Disable xtrace for security reasons (just in case it was accidentally set).
 set +x
 # Use the default python to bootstrap secrets.
-PYTHON_BINARY="" bash "${DRIVERS_TOOLS}"/.evergreen/auth_aws/setup_secrets.sh drivers/enterprise_auth
+bash "${DRIVERS_TOOLS}"/.evergreen/secrets_handling/setup-secrets.sh drivers/enterprise_auth
 TEST_ENTERPRISE_AUTH=1 AUTH=auth bash "${PROJECT_DIRECTORY}"/.evergreen/hatch.sh test:test-eg
diff --git a/doc/contributors.rst b/doc/contributors.rst
@@ -103,3 +103,4 @@ The following is a list of people who have contributed to
 - Terry Patterson
 - Romain Morotti
 - Navjot Singh (navjots18)
+- Yuval Zaif (zaif-yuval)
diff --git a/pymongo/asynchronous/auth.py b/pymongo/asynchronous/auth.py
@@ -177,13 +177,20 @@ def _auth_key(nonce: str, username: str, password: str) -> str:
     return md5hash.hexdigest()
 
 
-def _canonicalize_hostname(hostname: str) -> str:
+def _canonicalize_hostname(hostname: str, option: str | bool) -> str:
     """Canonicalize hostname following MIT-krb5 behavior."""
     # https://github.com/krb5/krb5/blob/d406afa363554097ac48646a29249c04f498c88e/src/util/k5test.py#L505-L520
+    if option in [False, "none"]:
+        return hostname
+
     af, socktype, proto, canonname, sockaddr = socket.getaddrinfo(
         hostname, None, 0, 0, socket.IPPROTO_TCP, socket.AI_CANONNAME
     )[0]
 
+    # For forward just to resolve the cname as dns.lookup() will not return it.
+    if option == "forward":
+        return canonname.lower()
+
     try:
         name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
     except socket.gaierror:
@@ -205,9 +212,8 @@ async def _authenticate_gssapi(credentials: MongoCredential, conn: AsyncConnecti
         props = credentials.mechanism_properties
         # Starting here and continuing through the while loop below - establish
         # the security context. See RFC 4752, Section 3.1, first paragraph.
-        host = conn.address[0]
-        if props.canonicalize_host_name:
-            host = _canonicalize_hostname(host)
+        host = props.service_host or conn.address[0]
+        host = _canonicalize_hostname(host, props.canonicalize_host_name)
         service = props.service_name + "@" + host
         if props.service_realm is not None:
             service = service + "@" + props.service_realm
diff --git a/pymongo/asynchronous/pool.py b/pymongo/asynchronous/pool.py
@@ -121,6 +121,12 @@ def _set_non_inheritable_non_atomic(fd: int) -> None:  # noqa: ARG001
         """Dummy function for platforms that don't provide fcntl."""
 
 
+try:
+    from python_socks import ProxyType
+    from python_socks.sync import Proxy
+except ImportError:
+    Proxy = ProxyType = None
+
 _IS_SYNC = False
 
 _MAX_TCP_KEEPIDLE = 120
@@ -838,7 +844,21 @@ def _create_connection(address: _Address, options: PoolOptions) -> socket.socket
             sock.settimeout(timeout)
             sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, True)
             _set_keepalive_times(sock)
-            sock.connect(sa)
+            if proxy := options.proxy:
+                if Proxy is None:
+                    raise RuntimeError(
+                        "In order to use SOCKS5 proxy, python_socks must be installed. "
+                        "This can be done by re-installing pymongo with `pip install pymongo[socks]`"
+                    )
+                proxy_host = proxy["host"]
+                proxy_port = proxy["port"] or 1080
+                sock.connect((proxy_host, proxy_port))
+                proxy = Proxy(
+                    ProxyType.SOCKS5, proxy_host, proxy_port, proxy["username"], proxy["password"]
+                )
+                proxy.connect(sa[0], dest_port=sa[1], _socket=sock)
+            else:
+                sock.connect(sa)
             return sock
         except OSError as e:
             err = e
diff --git a/pymongo/asynchronous/topology.py b/pymongo/asynchronous/topology.py
@@ -967,6 +967,7 @@ def _create_pool_for_monitor(self, address: _Address) -> Pool:
             driver=options.driver,
             pause_enabled=False,
             server_api=options.server_api,
+            proxy=options.proxy,
         )
 
         return self._settings.pool_class(
diff --git a/pymongo/client_options.py b/pymongo/client_options.py
@@ -170,6 +170,15 @@ def _parse_pool_options(
     ssl_context, tls_allow_invalid_hostnames = _parse_ssl_options(options)
     load_balanced = options.get("loadbalanced")
     max_connecting = options.get("maxconnecting", common.MAX_CONNECTING)
+    if proxy_host := options.get("proxyHost"):
+        proxy = {
+            "host": proxy_host,
+            "port": options.get("proxyPort"),
+            "username": options.get("proxyUserName"),
+            "password": options.get("proxyPassword"),
+        }
+    else:
+        proxy = None
     return PoolOptions(
         max_pool_size,
         min_pool_size,
@@ -188,6 +197,7 @@ def _parse_pool_options(
         load_balanced=load_balanced,
         credentials=credentials,
         is_sync=is_sync,
+        proxy=proxy,
     )
 
 
diff --git a/pymongo/common.py b/pymongo/common.py
@@ -729,6 +729,10 @@ def validate_server_monitoring_mode(option: str, value: str) -> str:
     "srvmaxhosts": validate_non_negative_integer,
     "timeoutms": validate_timeoutms,
     "servermonitoringmode": validate_server_monitoring_mode,
+    "proxyhost": validate_string,
+    "proxyport": validate_positive_integer_or_none,
+    "proxyusername": validate_string_or_none,
+    "proxypassword": validate_string_or_none,
 }
 
 # Dictionary where keys are the names of URI options specific to pymongo,
diff --git a/pymongo/pool_options.py b/pymongo/pool_options.py
@@ -312,6 +312,7 @@ class PoolOptions:
         "__server_api",
         "__load_balanced",
         "__credentials",
+        "__proxy",
     )
 
     def __init__(
@@ -334,6 +335,7 @@ def __init__(
         load_balanced: Optional[bool] = None,
         credentials: Optional[MongoCredential] = None,
         is_sync: Optional[bool] = True,
+        proxy: Optional[dict] = None,
     ):
         self.__max_pool_size = max_pool_size
         self.__min_pool_size = min_pool_size
@@ -353,7 +355,7 @@ def __init__(
         self.__load_balanced = load_balanced
         self.__credentials = credentials
         self.__metadata = copy.deepcopy(_METADATA)
-
+        self.__proxy = copy.deepcopy(proxy)
         if appname:
             self.__metadata["application"] = {"name": appname}
 
@@ -522,3 +524,8 @@ def server_api(self) -> Optional[ServerApi]:
     def load_balanced(self) -> Optional[bool]:
         """True if this Pool is configured in load balanced mode."""
         return self.__load_balanced
+
+    @property
+    def proxy(self) -> Optional[dict]:
+        """Proxy settings, if configured"""
+        return self.__proxy
diff --git a/pymongo/synchronous/auth.py b/pymongo/synchronous/auth.py
@@ -174,13 +174,20 @@ def _auth_key(nonce: str, username: str, password: str) -> str:
     return md5hash.hexdigest()
 
 
-def _canonicalize_hostname(hostname: str) -> str:
+def _canonicalize_hostname(hostname: str, option: str | bool) -> str:
     """Canonicalize hostname following MIT-krb5 behavior."""
     # https://github.com/krb5/krb5/blob/d406afa363554097ac48646a29249c04f498c88e/src/util/k5test.py#L505-L520
+    if option in [False, "none"]:
+        return hostname
+
     af, socktype, proto, canonname, sockaddr = socket.getaddrinfo(
         hostname, None, 0, 0, socket.IPPROTO_TCP, socket.AI_CANONNAME
     )[0]
 
+    # For forward just to resolve the cname as dns.lookup() will not return it.
+    if option == "forward":
+        return canonname.lower()
+
     try:
         name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
     except socket.gaierror:
@@ -202,9 +209,8 @@ def _authenticate_gssapi(credentials: MongoCredential, conn: Connection) -> None
         props = credentials.mechanism_properties
         # Starting here and continuing through the while loop below - establish
         # the security context. See RFC 4752, Section 3.1, first paragraph.
-        host = conn.address[0]
-        if props.canonicalize_host_name:
-            host = _canonicalize_hostname(host)
+        host = props.service_host or conn.address[0]
+        host = _canonicalize_hostname(host, props.canonicalize_host_name)
         service = props.service_name + "@" + host
         if props.service_realm is not None:
             service = service + "@" + props.service_realm
diff --git a/pymongo/synchronous/pool.py b/pymongo/synchronous/pool.py
@@ -121,6 +121,12 @@ def _set_non_inheritable_non_atomic(fd: int) -> None:  # noqa: ARG001
         """Dummy function for platforms that don't provide fcntl."""
 
 
+try:
+    from python_socks import ProxyType
+    from python_socks.sync import Proxy
+except ImportError:
+    Proxy = ProxyType = None
+
 _IS_SYNC = True
 
 _MAX_TCP_KEEPIDLE = 120
@@ -836,7 +842,21 @@ def _create_connection(address: _Address, options: PoolOptions) -> socket.socket
             sock.settimeout(timeout)
             sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, True)
             _set_keepalive_times(sock)
-            sock.connect(sa)
+            if proxy := options.proxy:
+                if Proxy is None:
+                    raise RuntimeError(
+                        "In order to use SOCKS5 proxy, python_socks must be installed. "
+                        "This can be done by re-installing pymongo with `pip install pymongo[socks]`"
+                    )
+                proxy_host = proxy["host"]
+                proxy_port = proxy["port"] or 1080
+                sock.connect((proxy_host, proxy_port))
+                proxy = Proxy(
+                    ProxyType.SOCKS5, proxy_host, proxy_port, proxy["username"], proxy["password"]
+                )
+                proxy.connect(sa[0], dest_port=sa[1], _socket=sock)
+            else:
+                sock.connect(sa)
             return sock
         except OSError as e:
             err = e
diff --git a/pymongo/synchronous/topology.py b/pymongo/synchronous/topology.py
@@ -965,6 +965,7 @@ def _create_pool_for_monitor(self, address: _Address) -> Pool:
             driver=options.driver,
             pause_enabled=False,
             server_api=options.server_api,
+            proxy=options.proxy,
         )
 
         return self._settings.pool_class(
diff --git a/pyproject.toml b/pyproject.toml
@@ -67,6 +67,7 @@ ocsp = ["requirements/ocsp.txt"]
 snappy = ["requirements/snappy.txt"]
 test = ["requirements/test.txt"]
 zstd = ["requirements/zstd.txt"]
+socks = ["requirements/socks.txt"]
 
 [tool.pytest.ini_options]
 minversion = "7"
diff --git a/requirements/socks.txt b/requirements/socks.txt
@@ -0,0 +1 @@
+python-socks[asyncio]
diff --git a/test/asynchronous/test_auth.py b/test/asynchronous/test_auth.py
@@ -35,7 +35,7 @@
 import pytest
 
 from pymongo import AsyncMongoClient, monitoring
-from pymongo.asynchronous.auth import HAVE_KERBEROS
+from pymongo.asynchronous.auth import HAVE_KERBEROS, _canonicalize_hostname
 from pymongo.auth_shared import _build_credentials_tuple
 from pymongo.errors import OperationFailure
 from pymongo.hello import HelloCompat
@@ -96,10 +96,11 @@ def setUpClass(cls):
         cls.service_realm_required = (
             GSSAPI_SERVICE_REALM is not None and GSSAPI_SERVICE_REALM not in GSSAPI_PRINCIPAL
         )
-        mech_properties = f"SERVICE_NAME:{GSSAPI_SERVICE_NAME}"
-        mech_properties += f",CANONICALIZE_HOST_NAME:{GSSAPI_CANONICALIZE}"
+        mech_properties = dict(
+            SERVICE_NAME=GSSAPI_SERVICE_NAME, CANONICALIZE_HOST_NAME=GSSAPI_CANONICALIZE
+        )
         if GSSAPI_SERVICE_REALM is not None:
-            mech_properties += f",SERVICE_REALM:{GSSAPI_SERVICE_REALM}"
+            mech_properties["SERVICE_REALM"] = GSSAPI_SERVICE_REALM
         cls.mech_properties = mech_properties
 
     async def test_credentials_hashing(self):
@@ -167,7 +168,10 @@ async def test_gssapi_simple(self):
         await client[GSSAPI_DB].collection.find_one()
 
         # Log in using URI, with authMechanismProperties.
-        mech_uri = uri + f"&authMechanismProperties={self.mech_properties}"
+        mech_properties_str = ""
+        for key, value in self.mech_properties.items():
+            mech_properties_str += f"{key}:{value},"
+        mech_uri = uri + f"&authMechanismProperties={mech_properties_str[:-1]}"
         client = self.simple_client(mech_uri)
         await client[GSSAPI_DB].collection.find_one()
 
@@ -268,6 +272,58 @@ async def test_gssapi_threaded(self):
                 thread.join()
                 self.assertTrue(thread.success)
 
+    async def test_gssapi_canonicalize_host_name(self):
+        # Test the low level method.
+        assert GSSAPI_HOST is not None
+        result = _canonicalize_hostname(GSSAPI_HOST, "forward")
+        if "compute-1.amazonaws.com" not in result:
+            self.assertEqual(result, GSSAPI_HOST)
+        result = _canonicalize_hostname(GSSAPI_HOST, "forwardAndReverse")
+        self.assertEqual(result, GSSAPI_HOST)
+
+        # Use the equivalent named CANONICALIZE_HOST_NAME.
+        props = self.mech_properties.copy()
+        if props["CANONICALIZE_HOST_NAME"] == "true":
+            props["CANONICALIZE_HOST_NAME"] = "forwardAndReverse"
+        else:
+            props["CANONICALIZE_HOST_NAME"] = "none"
+        client = self.simple_client(
+            GSSAPI_HOST,
+            GSSAPI_PORT,
+            username=GSSAPI_PRINCIPAL,
+            password=GSSAPI_PASS,
+            authMechanism="GSSAPI",
+            authMechanismProperties=props,
+        )
+        await client.server_info()
+
+    async def test_gssapi_host_name(self):
+        props = self.mech_properties
+        props["SERVICE_HOST"] = "example.com"
+
+        # Authenticate with authMechanismProperties.
+        client = self.simple_client(
+            GSSAPI_HOST,
+            GSSAPI_PORT,
+            username=GSSAPI_PRINCIPAL,
+            password=GSSAPI_PASS,
+            authMechanism="GSSAPI",
+            authMechanismProperties=self.mech_properties,
+        )
+        with self.assertRaises(OperationFailure):
+            await client.server_info()
+
+        props["SERVICE_HOST"] = GSSAPI_HOST
+        client = self.simple_client(
+            GSSAPI_HOST,
+            GSSAPI_PORT,
+            username=GSSAPI_PRINCIPAL,
+            password=GSSAPI_PASS,
+            authMechanism="GSSAPI",
+            authMechanismProperties=self.mech_properties,
+        )
+        await client.server_info()
+
 
 class TestSASLPlain(AsyncPyMongoTestCase):
     @classmethod
diff --git a/test/test_auth.py b/test/test_auth.py

Original file line number	Diff line number	Diff line change
`@@ -967,6 +967,7 @@ def _create_pool_for_monitor(self, address: _Address) -> Pool:`
`967`	`967`	`driver=options.driver,`
`968`	`968`	`pause_enabled=False,`
`969`	`969`	`server_api=options.server_api,`
	`970`	`+ proxy=options.proxy,`
`970`	`971`	`)`
`971`	`972`
`972`	`973`	`return self._settings.pool_class(`