JAVA-871, JAVA-976: Support for MONGODB-X509 authentication mechanism

jyemin · jyemin · commit 64addf20f28b · 2013-09-30T17:24:50.000-04:00
diff --git a/examples/X509CredentialsExample.java b/examples/X509CredentialsExample.java
@@ -0,0 +1,32 @@
+import com.mongodb.BasicDBObject;
+import com.mongodb.DB;
+import com.mongodb.MongoClient;
+import com.mongodb.MongoClientOptions;
+import com.mongodb.MongoCredential;
+import com.mongodb.ServerAddress;
+
+import javax.net.ssl.SSLSocketFactory;
+import java.net.UnknownHostException;
+import java.util.Arrays;
+
+public class X509CredentialsExample {
+    public static void main(String[] args) throws UnknownHostException {
+        String server = args[0];
+        String user = "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US";
+
+        System.out.println("server: " + server);
+        System.out.println("user: " + user);
+
+        System.out.println();
+
+        MongoClient mongoClient = new MongoClient(new ServerAddress(server),
+                                                  Arrays.asList(MongoCredential.createMongoX509Credential(user)),
+                                                  new MongoClientOptions.Builder().socketFactory(SSLSocketFactory.getDefault()).build());
+        DB testDB = mongoClient.getDB("test");
+
+        System.out.println("Count: " + testDB.getCollection("test").count());
+
+        System.out.println("Insert result: " + testDB.getCollection("test").insert(new BasicDBObject()));
+
+    }
+}
diff --git a/src/main/com/mongodb/DBPort.java b/src/main/com/mongodb/DBPort.java
@@ -319,6 +319,8 @@ CommandResult authenticate(Mongo mongo, final MongoCredential credentials) {
             authenticator = new GSSAPIAuthenticator(mongo, credentials);
         } else if (credentials.getMechanism().equals(MongoCredential.PLAIN_MECHANISM)) {
             authenticator = new PlainAuthenticator(mongo, credentials);
+        } else if (credentials.getMechanism().equals(MongoCredential.MONGODB_X509_MECHANISM)) {
+            authenticator = new X509Authenticator(mongo, credentials);
         } else {
             throw new IllegalArgumentException("Unsupported authentication protocol: " + credentials.getMechanism());
         }
@@ -519,6 +521,30 @@ private CommandResult sendSaslContinue(final int conversationId, final byte[] ou
         public abstract String getMechanismName();
     }
 
+    class X509Authenticator extends Authenticator {
+        X509Authenticator(final Mongo mongo, final MongoCredential credential) {
+            super(mongo, credential);
+        }
+
+        @Override
+        CommandResult authenticate() {
+            try {
+                DB db = mongo.getDB(credential.getSource());
+                CommandResult res = runCommand(db, getAuthCommand());
+                res.throwOnError();
+                return res;
+            } catch (IOException e) {
+                throw new MongoException.Network("IOException authenticating the connection", e);
+            }
+        }
+
+        private DBObject getAuthCommand() {
+            return new BasicDBObject("authenticate", 1)
+                   .append("user", credential.getUserName())
+                   .append("mechanism", MongoCredential.MONGODB_X509_MECHANISM);
+        }
+    }
+
     class NativeAuthenticator extends Authenticator {
         NativeAuthenticator(Mongo mongo, MongoCredential credentials) {
             super(mongo, credentials);
diff --git a/src/main/com/mongodb/MongoClientURI.java b/src/main/com/mongodb/MongoClientURI.java
@@ -128,9 +128,9 @@
  * </ul>
  * <p>Authentication configuration:</p>
  * <ul>
- * <li>{@code authMechanism=MONGO-CR|GSSAPI|PLAIN}: The authentication mechanism to use if a credential was supplied.
- * The default is MONGODB-CR, which is the native MongoDB Challenge Response mechanism.  For the GSSAPI mechanism, no password is accepted,
- * only the username.
+ * <li>{@code authMechanism=MONGO-CR|GSSAPI|PLAIN|MONGODB-X509}: The authentication mechanism to use if a credential was supplied.
+ * The default is MONGODB-CR, which is the native MongoDB Challenge Response mechanism.  For the GSSAPI and MONGODB-X509 mechanisms,
+ * no password is accepted, only the username.
  * </li>
  * <li>{@code authSource=string}: The source of the authentication credentials.  This is typically the database that
  * the credentials have been created.  The value defaults to the database specified in the path portion of the URI.
@@ -440,6 +440,9 @@ else if (mechanism.equals(MongoCredential.PLAIN_MECHANISM)) {
         else if (mechanism.equals(MongoCredential.MONGODB_CR_MECHANISM)) {
             return MongoCredential.createMongoCRCredential(userName, authSource, password);
         }
+        else if (mechanism.equals(MongoCredential.MONGODB_X509_MECHANISM)) {
+            return MongoCredential.createMongoX509Credential(userName);
+        }
         else {
              throw new IllegalArgumentException("Unsupported authMechanism: " + mechanism);
         }
diff --git a/src/main/com/mongodb/MongoCredential.java b/src/main/com/mongodb/MongoCredential.java
@@ -48,6 +48,10 @@ public final class MongoCredential {
      */
     public static final String MONGODB_CR_MECHANISM = "MONGODB-CR";
 
+    /**
+     * The MongoDB X.509
+     */
+    public static final String MONGODB_X509_MECHANISM = "MONGODB-X509";
 
     private final String mechanism;
     private final String userName;
@@ -67,6 +71,16 @@ public static MongoCredential createMongoCRCredential(String userName, String da
         return new MongoCredential(MONGODB_CR_MECHANISM, userName, database, password);
     }
 
+    /**
+     * Creates a MongoCredential instance for the MongoDB X.509 protocol.
+     *
+     * @param userName the user name
+     * @return the credential
+     */
+    public static MongoCredential createMongoX509Credential(String userName) {
+        return new MongoCredential(MONGODB_X509_MECHANISM, userName, "$external", null);
+    }
+
     /**
      * Creates a MongoCredential instance for the PLAIN SASL mechanism.
      *
diff --git a/src/test/com/mongodb/MongoClientURITest.java b/src/test/com/mongodb/MongoClientURITest.java
@@ -107,6 +107,9 @@ public void testUserPass() {
         u = new MongoClientURI("mongodb://user:pass@host/?authMechanism=MONGODB-CR");
         assertEquals(MongoCredential.createMongoCRCredential(userName, "admin", password), u.getCredentials());
 
+        u = new MongoClientURI("mongodb://user@host/?authMechanism=MONGODB-X509");
+        assertEquals(MongoCredential.createMongoX509Credential(userName), u.getCredentials());
+
         u = new MongoClientURI("mongodb://bob:pwd@localhost/?authMechanism=PLAIN&authSource=db1");
         assertEquals(MongoCredential.createPlainCredential("bob", "db1", "pwd".toCharArray()), u.getCredentials());
 
diff --git a/src/test/com/mongodb/MongoCredentialTest.java b/src/test/com/mongodb/MongoCredentialTest.java
@@ -143,4 +143,18 @@ public void testPlainMechanism() {
         assertEquals("$external", credential.getSource());
         assertArrayEquals(password, credential.getPassword());
     }
+
+    @Test
+    public void testX509Mechanism() {
+        MongoCredential credential;
+
+        final String mechanism = MongoCredential.MONGODB_X509_MECHANISM;
+        final String userName = "user";
+        credential = MongoCredential.createMongoX509Credential(userName);
+
+        assertEquals(mechanism, credential.getMechanism());
+        assertEquals(userName, credential.getUserName());
+        assertEquals("$external", credential.getSource());
+        assertArrayEquals(null, credential.getPassword());
+    }
 }
