diff --git a/README.md b/README.md index cba10f40..d6baf0c7 100644 --- a/README.md +++ b/README.md @@ -705,6 +705,11 @@ separated in sub folders and module namespaces. ## Auth Mechanisms For versions of Mongo 3.0 and greater, the auth mechanism defaults to SCRAM. + +If connecting to MongoDB Enterprise Edition or MongoDB Atlas, the [PLAIN](https://www.mongodb.com/docs/manual/tutorial/authenticate-nativeldap-activedirectory/) +auth mechanism is supported for LDAP authentication. The GSSAPI auth mechanism used for Kerberos authentication +is not currently supported. + If you'd like to use [MONGODB-X509](https://www.mongodb.com/docs/v6.0/tutorial/configure-x509-client-authentication/) authentication, you can specify that as a `start_link` option. diff --git a/lib/mongo/auth.ex b/lib/mongo/auth.ex index ce6afcd3..6505f8e0 100644 --- a/lib/mongo/auth.ex +++ b/lib/mongo/auth.ex @@ -39,6 +39,10 @@ defmodule Mongo.Auth do Mongo.Auth.X509 end + defp mechanism(%{wire_version: version, auth_mechanism: :plain}) when version >= 3 do + Mongo.Auth.PLAIN + end + defp mechanism(%{wire_version: version}) when version >= 3 do Mongo.Auth.SCRAM end diff --git a/lib/mongo/auth/plain.ex b/lib/mongo/auth/plain.ex new file mode 100644 index 00000000..1702a49c --- /dev/null +++ b/lib/mongo/auth/plain.ex @@ -0,0 +1,31 @@ +defmodule Mongo.Auth.PLAIN do + @moduledoc false + alias Mongo.MongoDBConnection.Utils + + def auth({nil, nil}, _db, _s) do + :ok + end + + def auth({username, password}, _db, s) do + auth_payload = build_auth_payload(username, password) + message = [saslStart: 1, mechanism: "PLAIN", payload: auth_payload] + + case Utils.command(-3, message, s) do + {:ok, _flags, %{"ok" => ok, "done" => true}} when ok == 1 -> + :ok + + {:ok, _flags, %{"ok" => ok, "errmsg" => reason, "code" => code}} when ok == 0 -> + {:error, Mongo.Error.exception(message: "auth failed for user #{username}: #{reason}", code: code)} + + error -> + error + end + end + + defp build_auth_payload(username, password) do + # https://www.ietf.org/rfc/rfc4616.txt + # Null separate listed of authorization ID (blank), username, password. These are sent as raw UTF-8. + payload = "\0#{username}\0#{password}" + %BSON.Binary{binary: payload} + end +end diff --git a/lib/mongo/url_parser.ex b/lib/mongo/url_parser.ex index 02208b25..0fe9a5e6 100644 --- a/lib/mongo/url_parser.ex +++ b/lib/mongo/url_parser.ex @@ -113,6 +113,7 @@ defmodule Mongo.UrlParser do defp decode_percent(:username, value), do: URI.decode_www_form(value) defp decode_percent(:password, value), do: URI.decode_www_form(value) + defp decode_percent(:auth_source, value), do: URI.decode_www_form(value) defp decode_percent(_other, value), do: value defp parse_query_options(opts, %{"options" => options}) when is_binary(options) do diff --git a/test/mongo/url_parser_test.exs b/test/mongo/url_parser_test.exs index 36c1a911..b6115285 100644 --- a/test/mongo/url_parser_test.exs +++ b/test/mongo/url_parser_test.exs @@ -199,5 +199,25 @@ defmodule Mongo.UrlParserTest do username = Keyword.get(opts, :username) assert username == real_username end + + test "external auth source " do + encoded_external_auth_source = URI.encode_www_form("$external") + url = "mongodb://user:password@seed1.domain.com:27017,seed2.domain.com:27017,seed3.domain.com:27017/db_name?replicaSet=set-name&authMechanism=PLAIN&authSource=#{encoded_external_auth_source}&tls=true" + + assert UrlParser.parse_url(url: url) |> Keyword.drop([:pw_safe]) == [ + password: "*****", + username: "user", + database: "db_name", + tls: true, + auth_source: "$external", + auth_mechanism: :plain, + set_name: "set-name", + seeds: [ + "seed1.domain.com:27017", + "seed2.domain.com:27017", + "seed3.domain.com:27017" + ] + ] + end end end