-
Notifications
You must be signed in to change notification settings - Fork 533
/
Copy pathauth.rb
199 lines (175 loc) · 5.81 KB
/
auth.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# frozen_string_literal: true
# rubocop:todo all
# Copyright (C) 2014-2020 MongoDB Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'mongo/auth/credential_cache'
require 'mongo/auth/stringprep'
require 'mongo/auth/conversation_base'
require 'mongo/auth/sasl_conversation_base'
require 'mongo/auth/scram_conversation_base'
require 'mongo/auth/user'
require 'mongo/auth/roles'
require 'mongo/auth/base'
require 'mongo/auth/aws'
require 'mongo/auth/cr'
require 'mongo/auth/gssapi'
require 'mongo/auth/ldap'
require 'mongo/auth/oidc'
require 'mongo/auth/scram'
require 'mongo/auth/scram256'
require 'mongo/auth/x509'
require 'mongo/error/read_write_retryable'
require 'mongo/error/labelable'
module Mongo
# This namespace contains all authentication related behavior.
#
# @since 2.0.0
module Auth
extend self
# The external database name.
#
# @since 2.0.0
# @api private
EXTERNAL = '$external'.freeze
# Constant for the nonce command.
#
# @since 2.0.0
# @api private
GET_NONCE = { getnonce: 1 }.freeze
# Constant for the nonce field.
#
# @since 2.0.0
# @api private
NONCE = 'nonce'.freeze
# Map the symbols parsed from the URI connection string to strategies.
#
# @note This map is not frozen because when mongo_kerberos is loaded,
# it mutates this map by adding the Kerberos authenticator.
#
# @since 2.0.0
SOURCES = {
aws: Aws,
gssapi: Gssapi,
mongodb_cr: CR,
mongodb_oidc: Oidc,
mongodb_x509: X509,
plain: LDAP,
scram: Scram,
scram256: Scram256,
}
# Get an authenticator for the provided user to authenticate over the
# provided connection.
#
# @param [ Auth::User ] user The user to authenticate.
# @param [ Mongo::Connection ] connection The connection to authenticate over.
#
# @option opts [ String | nil ] speculative_auth_client_nonce The client
# nonce used in speculative auth on the specified connection that
# produced the specified speculative auth result.
# @option opts [ BSON::Document | nil ] speculative_auth_result The
# value of speculativeAuthenticate field of hello response of
# the handshake on the specified connection.
#
# @return [ Auth::Aws | Auth::CR | Auth::Gssapi | Auth::LDAP | Auth::Oidc
# Auth::Scram | Auth::Scram256 | Auth::X509 ] The authenticator.
#
# @since 2.0.0
# @api private
def get(user, connection, **opts)
mechanism = user.mechanism
raise InvalidMechanism.new(mechanism) if !SOURCES.has_key?(mechanism)
SOURCES[mechanism].new(user, connection, **opts)
end
# Raised when trying to authorize with an invalid configuration
#
# @since 2.11.0
class InvalidConfiguration < Mongo::Error::AuthError; end
# Raised when trying to get an invalid authorization mechanism.
#
# @since 2.0.0
class InvalidMechanism < InvalidConfiguration
# Instantiate the new error.
#
# @example Instantiate the error.
# Mongo::Auth::InvalidMechanism.new(:test)
#
# @param [ Symbol ] mechanism The provided mechanism.
#
# @since 2.0.0
def initialize(mechanism)
known_mechanisms = SOURCES.keys.sort.map do |key|
key.inspect
end.join(', ')
super("#{mechanism.inspect} is invalid, please use one of the following mechanisms: #{known_mechanisms}")
end
end
# Raised when a user is not authorized on a database.
#
# @since 2.0.0
class Unauthorized < Mongo::Error::AuthError
include Error::ReadWriteRetryable
include Error::Labelable
# @return [ Integer ] The error code.
attr_reader :code
# Instantiate the new error.
#
# @example Instantiate the error.
# Mongo::Auth::Unauthorized.new(user)
#
# @param [ Mongo::Auth::User ] user The unauthorized user.
# @param [ String ] used_mechanism Auth mechanism actually used for
# authentication. This is a full string like SCRAM-SHA-256.
# @param [ String ] message The error message returned by the server.
# @param [ Server ] server The server instance that authentication
# was attempted against.
# @param [ Integer ] The error code.
#
# @since 2.0.0
def initialize(user, used_mechanism: nil, message: nil,
server: nil, code: nil
)
@code = code
configured_bits = []
used_bits = [
"auth source: #{user.auth_source}",
]
if user.mechanism
configured_bits << "mechanism: #{user.mechanism}"
end
if used_mechanism
used_bits << "used mechanism: #{used_mechanism}"
end
if server
used_bits << "used server: #{server.address} (#{server.status})"
end
used_user = if user.mechanism == :mongodb_x509
'Client certificate'
else
"User #{user.name}"
end
if configured_bits.empty?
configured_bits = ''
else
configured_bits = " (#{configured_bits.join(', ')})"
end
used_bits = " (#{used_bits.join(', ')})"
msg = "#{used_user}#{configured_bits} is not authorized to access #{user.database}#{used_bits}"
if message
msg += ': ' + message
end
super(msg)
end
end
end
end