GODRIVER-3215 Fix default auth source for auth specified via ClientOptions. (#1764)

Co-authored-by: Preston Vasquez <[email protected]>
Co-authored-by: Steven Silvester <[email protected]>

Author: 3 people

mongo/client.go

@@ -212,42 +212,21 @@ func NewClient(opts ...*options.ClientOptions) (*Client, error) {
 	}
 
 	if clientOpt.Auth != nil {
-		var oidcMachineCallback auth.OIDCCallback
-		if clientOpt.Auth.OIDCMachineCallback != nil {
-			oidcMachineCallback = func(ctx context.Context, args *driver.OIDCArgs) (*driver.OIDCCredential, error) {
-				cred, err := clientOpt.Auth.OIDCMachineCallback(ctx, convertOIDCArgs(args))
-				return (*driver.OIDCCredential)(cred), err
-			}
-		}
-
-		var oidcHumanCallback auth.OIDCCallback
-		if clientOpt.Auth.OIDCHumanCallback != nil {
-			oidcHumanCallback = func(ctx context.Context, args *driver.OIDCArgs) (*driver.OIDCCredential, error) {
-				cred, err := clientOpt.Auth.OIDCHumanCallback(ctx, convertOIDCArgs(args))
-				return (*driver.OIDCCredential)(cred), err
-			}
-		}
-
-		// Create an authenticator for the client
-		client.authenticator, err = auth.CreateAuthenticator(clientOpt.Auth.AuthMechanism, &auth.Cred{
-			Source:              clientOpt.Auth.AuthSource,
-			Username:            clientOpt.Auth.Username,
-			Password:            clientOpt.Auth.Password,
-			PasswordSet:         clientOpt.Auth.PasswordSet,
-			Props:               clientOpt.Auth.AuthMechanismProperties,
-			OIDCMachineCallback: oidcMachineCallback,
-			OIDCHumanCallback:   oidcHumanCallback,
-		}, clientOpt.HTTPClient)
+		client.authenticator, err = auth.CreateAuthenticator(
+			clientOpt.Auth.AuthMechanism,
+			topology.ConvertCreds(clientOpt.Auth),
+			clientOpt.HTTPClient,
+		)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error creating authenticator: %w", err)
 		}
 	}
 
 	cfg, err := topology.NewConfigWithAuthenticator(clientOpt, client.clock, client.authenticator)
-
 	if err != nil {
 		return nil, err
 	}
+
 	client.serverAPI = topology.ServerAPIFromServerOptions(cfg.ServerOpts)
 
 	if client.deployment == nil {
@@ -266,19 +245,6 @@ func NewClient(opts ...*options.ClientOptions) (*Client, error) {
 	return client, nil
 }
 
-// convertOIDCArgs converts the internal *driver.OIDCArgs into the equivalent
-// public type *options.OIDCArgs.
-func convertOIDCArgs(args *driver.OIDCArgs) *options.OIDCArgs {
-	if args == nil {
-		return nil
-	}
-	return &options.OIDCArgs{
-		Version:      args.Version,
-		IDPInfo:      (*options.IDPInfo)(args.IDPInfo),
-		RefreshToken: args.RefreshToken,
-	}
-}
-
 // Connect initializes the Client by starting background monitoring goroutines.
 // If the Client was created using the NewClient function, this method must be called before a Client can be used.
 //

mongo/client_test.go

@@ -11,21 +11,18 @@ import (
 	"errors"
 	"math"
 	"os"
-	"reflect"
 	"testing"
 	"time"
 
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/event"
 	"go.mongodb.org/mongo-driver/internal/assert"
 	"go.mongodb.org/mongo-driver/internal/integtest"
-	"go.mongodb.org/mongo-driver/internal/require"
 	"go.mongodb.org/mongo-driver/mongo/options"
 	"go.mongodb.org/mongo-driver/mongo/readconcern"
 	"go.mongodb.org/mongo-driver/mongo/readpref"
 	"go.mongodb.org/mongo-driver/mongo/writeconcern"
 	"go.mongodb.org/mongo-driver/tag"
-	"go.mongodb.org/mongo-driver/x/mongo/driver"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/mongocrypt"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/session"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/topology"
@@ -505,76 +502,3 @@ func TestClient(t *testing.T) {
 		}
 	})
 }
-
-// Test that convertOIDCArgs exhaustively copies all fields of a driver.OIDCArgs
-// into an options.OIDCArgs.
-func TestConvertOIDCArgs(t *testing.T) {
-	refreshToken := "test refresh token"
-
-	testCases := []struct {
-		desc string
-		args *driver.OIDCArgs
-	}{
-		{
-			desc: "populated args",
-			args: &driver.OIDCArgs{
-				Version: 9,
-				IDPInfo: &driver.IDPInfo{
-					Issuer:        "test issuer",
-					ClientID:      "test client ID",
-					RequestScopes: []string{"test scope 1", "test scope 2"},
-				},
-				RefreshToken: &refreshToken,
-			},
-		},
-		{
-			desc: "nil",
-			args: nil,
-		},
-		{
-			desc: "nil IDPInfo and RefreshToken",
-			args: &driver.OIDCArgs{
-				Version:      9,
-				IDPInfo:      nil,
-				RefreshToken: nil,
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		tc := tc // Capture range variable.
-
-		t.Run(tc.desc, func(t *testing.T) {
-			t.Parallel()
-
-			got := convertOIDCArgs(tc.args)
-
-			if tc.args == nil {
-				assert.Nil(t, got, "expected nil when input is nil")
-				return
-			}
-
-			require.Equal(t,
-				3,
-				reflect.ValueOf(*tc.args).NumField(),
-				"expected the driver.OIDCArgs struct to have exactly 3 fields")
-			require.Equal(t,
-				3,
-				reflect.ValueOf(*got).NumField(),
-				"expected the options.OIDCArgs struct to have exactly 3 fields")
-
-			assert.Equal(t,
-				tc.args.Version,
-				got.Version,
-				"expected Version field to be equal")
-			assert.EqualValues(t,
-				tc.args.IDPInfo,
-				got.IDPInfo,
-				"expected IDPInfo field to be convertible to equal values")
-			assert.Equal(t,
-				tc.args.RefreshToken,
-				got.RefreshToken,
-				"expected RefreshToken field to be equal")
-		})
-	}
-}

mongo/options/clientoptions.go

@@ -90,9 +90,9 @@ type ContextDialer interface {
 // The SERVICE_HOST and CANONICALIZE_HOST_NAME properties must not be used at the same time on Linux and Darwin
 // systems.
 //
-// AuthSource: the name of the database to use for authentication. This defaults to "$external" for MONGODB-X509,
-// GSSAPI, and PLAIN and "admin" for all other mechanisms. This can also be set through the "authSource" URI option
-// (e.g. "authSource=otherDb").
+// AuthSource: the name of the database to use for authentication. This defaults to "$external" for MONGODB-AWS,
+// MONGODB-OIDC, MONGODB-X509, GSSAPI, and PLAIN. It defaults to  "admin" for all other auth mechanisms. This can
+// also be set through the "authSource" URI option (e.g. "authSource=otherDb").
 //
 // Username: the username for authentication. This can also be set through the URI as a username:password pair before
 // the first @ character. For example, a URI for user "user", password "pwd", and host "localhost:27017" would be

x/mongo/driver/auth/auth.go

@@ -19,6 +19,8 @@ import (
 	"go.mongodb.org/mongo-driver/x/mongo/driver/session"
 )
 
+const sourceExternal = "$external"
+
 // Config contains the configuration for an Authenticator.
 type Config = driver.AuthConfig
 

x/mongo/driver/auth/gssapi.go

@@ -24,7 +24,7 @@ import (
 const GSSAPI = "GSSAPI"
 
 func newGSSAPIAuthenticator(cred *Cred, _ *http.Client) (Authenticator, error) {
-	if cred.Source != "" && cred.Source != "$external" {
+	if cred.Source != "" && cred.Source != sourceExternal {
 		return nil, newAuthError("GSSAPI source must be empty or $external", nil)
 	}
 
@@ -57,7 +57,7 @@ func (a *GSSAPIAuthenticator) Auth(ctx context.Context, cfg *Config) error {
 	if err != nil {
 		return newAuthError("error creating gssapi", err)
 	}
-	return ConductSaslConversation(ctx, cfg, "$external", client)
+	return ConductSaslConversation(ctx, cfg, sourceExternal, client)
 }
 
 // Reauth reauthenticates the connection.

x/mongo/driver/auth/mongodbaws.go

@@ -21,17 +21,15 @@ import (
 const MongoDBAWS = "MONGODB-AWS"
 
 func newMongoDBAWSAuthenticator(cred *Cred, httpClient *http.Client) (Authenticator, error) {
-	if cred.Source != "" && cred.Source != "$external" {
+	if cred.Source != "" && cred.Source != sourceExternal {
 		return nil, newAuthError("MONGODB-AWS source must be empty or $external", nil)
 	}
 	if httpClient == nil {
 		return nil, errors.New("httpClient must not be nil")
 	}
 	return &MongoDBAWSAuthenticator{
-		source: cred.Source,
 		credentials: &credproviders.StaticProvider{
 			Value: credentials.Value{
-				ProviderName:    cred.Source,
 				AccessKeyID:     cred.Username,
 				SecretAccessKey: cred.Password,
 				SessionToken:    cred.Props["AWS_SESSION_TOKEN"],
@@ -43,7 +41,6 @@ func newMongoDBAWSAuthenticator(cred *Cred, httpClient *http.Client) (Authentica
 
 // MongoDBAWSAuthenticator uses AWS-IAM credentials over SASL to authenticate a connection.
 type MongoDBAWSAuthenticator struct {
-	source      string
 	credentials *credproviders.StaticProvider
 	httpClient  *http.Client
 }
@@ -56,7 +53,7 @@ func (a *MongoDBAWSAuthenticator) Auth(ctx context.Context, cfg *Config) error {
 			credentials: providers.Cred,
 		},
 	}
-	err := ConductSaslConversation(ctx, cfg, a.source, adapter)
+	err := ConductSaslConversation(ctx, cfg, sourceExternal, adapter)
 	if err != nil {
 		return newAuthError("sasl conversation error", err)
 	}

x/mongo/driver/auth/mongodbcr.go

@@ -30,8 +30,12 @@ import (
 const MONGODBCR = "MONGODB-CR"
 
 func newMongoDBCRAuthenticator(cred *Cred, _ *http.Client) (Authenticator, error) {
+	source := cred.Source
+	if source == "" {
+		source = "admin"
+	}
 	return &MongoDBCRAuthenticator{
-		DB:       cred.Source,
+		DB:       source,
 		Username: cred.Username,
 		Password: cred.Password,
 	}, nil

x/mongo/driver/auth/oidc.go

@@ -109,6 +109,9 @@ func (oa *OIDCAuthenticator) SetAccessToken(accessToken string) {
 }
 
 func newOIDCAuthenticator(cred *Cred, httpClient *http.Client) (Authenticator, error) {
+	if cred.Source != "" && cred.Source != sourceExternal {
+		return nil, newAuthError("MONGODB-OIDC source must be empty or $external", nil)
+	}
 	if cred.Password != "" {
 		return nil, fmt.Errorf("password cannot be specified for %q", MongoDBOIDC)
 	}
@@ -445,7 +448,7 @@ func (oa *OIDCAuthenticator) Auth(ctx context.Context, cfg *Config) error {
 	oa.mu.Unlock()
 
 	if cachedAccessToken != "" {
-		err = ConductSaslConversation(ctx, cfg, "$external", &oidcOneStep{
+		err = ConductSaslConversation(ctx, cfg, sourceExternal, &oidcOneStep{
 			userName:    oa.userName,
 			accessToken: cachedAccessToken,
 		})
@@ -505,7 +508,7 @@ func (oa *OIDCAuthenticator) doAuthHuman(ctx context.Context, cfg *Config, human
 		return ConductSaslConversation(
 			subCtx,
 			cfg,
-			"$external",
+			sourceExternal,
 			&oidcOneStep{accessToken: accessToken},
 		)
 	}
@@ -514,7 +517,7 @@ func (oa *OIDCAuthenticator) doAuthHuman(ctx context.Context, cfg *Config, human
 		conn: cfg.Connection,
 		oa:   oa,
 	}
-	return ConductSaslConversation(subCtx, cfg, "$external", ots)
+	return ConductSaslConversation(subCtx, cfg, sourceExternal, ots)
 }
 
 func (oa *OIDCAuthenticator) doAuthMachine(ctx context.Context, cfg *Config, machineCallback OIDCCallback) error {
@@ -535,7 +538,7 @@ func (oa *OIDCAuthenticator) doAuthMachine(ctx context.Context, cfg *Config, mac
 	return ConductSaslConversation(
 		ctx,
 		cfg,
-		"$external",
+		sourceExternal,
 		&oidcOneStep{accessToken: accessToken},
 	)
 }
@@ -549,5 +552,5 @@ func (oa *OIDCAuthenticator) CreateSpeculativeConversation() (SpeculativeConvers
 		return nil, nil // Skip speculative auth.
 	}
 
-	return newSaslConversation(&oidcOneStep{accessToken: accessToken}, "$external", true), nil
+	return newSaslConversation(&oidcOneStep{accessToken: accessToken}, sourceExternal, true), nil
 }

x/mongo/driver/auth/plain.go

@@ -17,6 +17,21 @@ import (
 const PLAIN = "PLAIN"
 
 func newPlainAuthenticator(cred *Cred, _ *http.Client) (Authenticator, error) {
+	// TODO(GODRIVER-3317): The PLAIN specification says about auth source:
+	//
+	// "MUST be specified. Defaults to the database name if supplied on the
+	// connection string or $external."
+	//
+	// We should actually pass through the auth source, not always pass
+	// $external. If it's empty, we should default to $external.
+	//
+	// For example:
+	//
+	//  source := cred.Source
+	//  if source == "" {
+	//      source = "$external"
+	//  }
+	//
 	return &PlainAuthenticator{
 		Username: cred.Username,
 		Password: cred.Password,
@@ -31,7 +46,7 @@ type PlainAuthenticator struct {
 
 // Auth authenticates the connection.
 func (a *PlainAuthenticator) Auth(ctx context.Context, cfg *Config) error {
-	return ConductSaslConversation(ctx, cfg, "$external", &plainSaslClient{
+	return ConductSaslConversation(ctx, cfg, sourceExternal, &plainSaslClient{
 		username: a.Username,
 		password: a.Password,
 	})

x/mongo/driver/auth/plain_test.go

@@ -8,11 +8,10 @@ package auth_test
 
 import (
 	"context"
+	"encoding/base64"
 	"strings"
 	"testing"
 
-	"encoding/base64"
-
 	"go.mongodb.org/mongo-driver/internal/require"
 	"go.mongodb.org/mongo-driver/mongo/description"
 	"go.mongodb.org/mongo-driver/x/bsonx/bsoncore"

x/mongo/driver/auth/scram.go

@@ -38,6 +38,10 @@ var (
 )
 
 func newScramSHA1Authenticator(cred *Cred, _ *http.Client) (Authenticator, error) {
+	source := cred.Source
+	if source == "" {
+		source = "admin"
+	}
 	passdigest := mongoPasswordDigest(cred.Username, cred.Password)
 	client, err := scram.SHA1.NewClientUnprepped(cred.Username, passdigest, "")
 	if err != nil {
@@ -46,12 +50,16 @@ func newScramSHA1Authenticator(cred *Cred, _ *http.Client) (Authenticator, error
 	client.WithMinIterations(4096)
 	return &ScramAuthenticator{
 		mechanism: SCRAMSHA1,
-		source:    cred.Source,
+		source:    source,
 		client:    client,
 	}, nil
 }
 
 func newScramSHA256Authenticator(cred *Cred, _ *http.Client) (Authenticator, error) {
+	source := cred.Source
+	if source == "" {
+		source = "admin"
+	}
 	passprep, err := stringprep.SASLprep.Prepare(cred.Password)
 	if err != nil {
 		return nil, newAuthError("error SASLprepping password", err)
@@ -63,7 +71,7 @@ func newScramSHA256Authenticator(cred *Cred, _ *http.Client) (Authenticator, err
 	client.WithMinIterations(4096)
 	return &ScramAuthenticator{
 		mechanism: SCRAMSHA256,
-		source:    cred.Source,
+		source:    source,
 		client:    client,
 	}, nil
 }