RUBY-1949 Add X.509 authentication integration tests (#1553)

* RUBY-1949 Add X.509 authentication integration tests

* Ensure auth source for x509 auth is always $external

* Handle x509 auth failing in x509 test when x509 auth is used globally

* Remove X509_AUTH_REQUIRED as it is no longer used

Author: p-mongo

.evergreen/config.yml

@@ -361,6 +361,16 @@ functions:
           ${PREPARE_SHELL}
           KERBEROS_REQUIRED=1 .evergreen/run-tests-with-kerberos.sh
 
+  "run tests with X.509 authentication":
+    - command: shell.exec
+      type: test
+      params:
+        shell: bash
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          .evergreen/run-x509-tests.sh
+
   "run tests via mlaunch":
     - command: shell.exec
       type: test
@@ -524,6 +534,9 @@ tasks:
       commands:
         - func: "bootstrap mongo-orchestration"
         - func: "run tests with kerberos"
+    - name: "x509-tests"
+      commands:
+        - func: "run tests with X.509 authentication"
 
 axes:
   - id: "mongodb-version"
@@ -930,6 +943,17 @@ buildvariants:
   tasks:
     - name: "kerberos-tests"
 
+  matrix_name: "x509-tests"
+  matrix_spec:
+    auth-and-ssl: "auth-and-ssl"
+    ruby: "ruby-2.6"
+    mongodb-version: "4.2"
+    topology: standalone
+    os: rhel70
+  display_name: "X.509 Tests"
+  tasks:
+    - name: "x509-tests"
+
 -
   matrix_name: "enterprise-auth-tests-rhel"
   matrix_spec:

.evergreen/run-local-tls-tests.sh

@@ -23,6 +23,7 @@ setup_ruby
 install_deps
 
 arch=ubuntu1404
+# Last server version built for Ubuntu 14.04 is apparently 4.0.9
 version=4.0.9
 prepare_server $arch $version
 

.evergreen/run-x509-tests.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -o xtrace   # Write all commands first to stderr
+set -o errexit  # Exit the script with error if any of the commands fail
+
+. `dirname "$0"`/functions.sh
+
+set_fcv
+set_env_vars
+
+setup_ruby
+
+install_deps
+
+arch=rhel70
+version=4.2.0
+prepare_server $arch $version
+
+install_mlaunch
+
+export dbdir="$MONGO_ORCHESTRATION_HOME"/db
+mkdir -p "$dbdir"
+mlaunch --dir "$dbdir" --binarypath "$BINDIR" --single \
+  --sslMode requireSSL \
+  --sslPEMKeyFile spec/support/certificates/server.pem \
+  --sslCAFile spec/support/certificates/ca.crt \
+  --sslClientCertificate spec/support/certificates/client.pem \
+  --auth --username bootstrap --password bootstrap \
+  --setParameter enableTestCommands=1
+
+create_user_cmd="`cat <<'EOT'
+  db.getSiblingDB("$external").runCommand(
+    {
+      createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=x509,CN=localhost",
+      roles: [
+           { role: "dbAdminAnyDatabase", db: "admin" },
+           { role: "readWriteAnyDatabase", db: "admin" },
+           { role: "userAdminAnyDatabase", db: "admin" },
+           { role: "clusterAdmin", db: "admin" },
+      ],
+      writeConcern: { w: "majority" , wtimeout: 5000 },
+    }
+  )
+EOT
+`"
+
+"$BINDIR"/mongo --tls \
+  --tlsCAFile spec/support/certificates/ca.crt \
+  --tlsCertificateKeyFile spec/support/certificates/client-x509.pem \
+  -u bootstrap -p bootstrap \
+  --eval "$create_user_cmd"
+
+export MONGODB_URI="mongodb://localhost:27017/?tls=true&"\
+"tlsCAFile=spec/support/certificates/ca.crt&"\
+"tlsCertificateKeyFile=spec/support/certificates/client-x509.pem&"\
+"authMechanism=MONGODB-X509"
+
+bundle exec rake
+
+test_status=$?
+echo "TEST STATUS"
+echo ${test_status}
+
+kill_jruby
+
+mlaunch stop --dir "$dbdir"
+
+exit ${test_status}

Rakefile

@@ -29,6 +29,7 @@ namespace :spec do
   task :prepare do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
+    require 'support/utils'
     require 'support/spec_setup'
     SpecSetup.new.run
   end
@@ -40,6 +41,7 @@ namespace :spec do
     # Since this task is usually used for troubleshooting of test suite
     # configuration, leave driver log level at the default of debug to
     # have connection diagnostics printed during handshakes and such.
+    require 'support/utils'
     require 'support/spec_config'
     require 'support/client_registry'
     SpecConfig.instance.print_summary

docs/tutorials/ruby-driver-authentication.txt

@@ -77,12 +77,11 @@ The mechanism can be explicitly set with the credentials:
                              auth_mech: :mongodb_cr )
 
 
-Client Certificate (x509)
-`````````````````````````
-*Requires MongoDB v2.6 or greater.*
+Client Certificate (X.509)
+``````````````````````````
 
 The driver presents an X.509 certificate during SSL negotiation.
-The Client Certificate (x509) mechanism authenticates a username
+The MONGODB-X509 authentication mechanism authenticates a username
 derived from the distinguished subject name of this certificate.
 
 This authentication method requires the use of SSL connections with

docs/tutorials/ruby-driver-create-client.txt

@@ -741,7 +741,7 @@ by concatenating them after the leaf server and client certificates, respectivel
 ``:ssl_cert_object`` Ruby option, which takes an instance of
 ``OpenSSL::X509::Certificate``, does not support certificate chains.
 
-The Ruby driver performs strict X509 certificate verification, which requires
+The Ruby driver performs strict X.509 certificate verification, which requires
 that both of the following fields are set in the intermediate certificate(s):
 
 - X509v3 Basic Constraints: CA: TRUE -- Can sign certificates

lib/mongo/auth.rb

@@ -123,7 +123,12 @@ def initialize(user, used_mechanism: nil, message: nil)
         else
           ''
         end
-        msg = "User #{user.name}#{specified_mechanism} is not authorized to access #{user.database} (auth source: #{user.auth_source})#{used_mechanism}"
+        used_user = if user.mechanism == :mongodb_x509
+          'Client certificate'
+        else
+          "User #{user.name}"
+        end
+        msg = "#{used_user}#{specified_mechanism} is not authorized to access #{user.database} (auth source: #{user.auth_source})#{used_mechanism}"
         if message
           msg += ': ' + message
         end

lib/mongo/auth/user.rb

@@ -159,7 +159,7 @@ def sasl_prepped_password
       # @since 2.0.0
       def initialize(options)
         @database = options[:database] || Database::ADMIN
-        @auth_source = options[:auth_source] || @database
+        @auth_source = options[:auth_source] || self.class.default_auth_source(options)
         @name = options[:user]
         @password = options[:password] || options[:pwd]
         @mechanism = options[:auth_mech]
@@ -205,6 +205,20 @@ def spec
       #
       # @return [ String ] The client key for the user.
       attr_reader :client_key
+
+      # Generate default auth source based on the URI and options
+      #
+      # @api private
+      def self.default_auth_source(options)
+        case options[:auth_mech]
+        when :gssapi, :mongodb_x509
+          '$external'
+        when :plain
+          options[:database] || '$external'
+        else
+          options[:database] || Database::ADMIN
+        end
+      end
     end
   end
 end

lib/mongo/auth/x509.rb

@@ -17,7 +17,7 @@
 module Mongo
   module Auth
 
-    # Defines behavior for x.509 authentication.
+    # Defines behavior for X.509 authentication.
     #
     # @since 2.0.0
     class X509
@@ -39,6 +39,16 @@ class X509
       #
       # @since 2.0.0
       def initialize(user)
+        # The only valid database for X.509 authentication is $external.
+        if user.auth_source != '$external'
+          user_name_msg = if user.name
+            " #{user.name}"
+          else
+            ''
+          end
+          raise Auth::InvalidConfiguration, "User#{user_name_msg} specifies auth source '#{user.auth_source}', but the only valid auth source for X.509 is '$external'"
+        end
+
         @user = user
       end
 

lib/mongo/auth/x509/conversation.rb

@@ -16,7 +16,7 @@ module Mongo
   module Auth
     class X509
 
-      # Defines behavior around a single x.509 conversation between the
+      # Defines behavior around a single X.509 conversation between the
       # client and server.
       #
       # @since 2.0.0
@@ -34,7 +34,7 @@ class Conversation
         # @return [ User ] user The user for the conversation.
         attr_reader :user
 
-        # Finalize the x.509 conversation. This is meant to be iterated until
+        # Finalize the X.509 conversation. This is meant to be iterated until
         # the provided reply indicates the conversation is finished.
         #
         # @example Finalize the conversation.
@@ -50,23 +50,32 @@ def finalize(reply)
           validate!(reply)
         end
 
-        # Start the x.509 conversation. This returns the first message that
+        # Start the X.509 conversation. This returns the first message that
         # needs to be sent to the server.
         #
         # @example Start the conversation.
         #   conversation.start
         #
         # @param [ Mongo::Server::Connection ] connection The connection being authenticated.
         #
-        # @return [ Protocol::Query ] The first x.509 conversation message.
+        # @return [ Protocol::Query ] The first X.509 conversation message.
         #
         # @since 2.0.0
         def start(connection = nil)
           login = LOGIN.merge(mechanism: X509::MECHANISM)
           login[:user] = user.name if user.name
           if connection && connection.features.op_msg_enabled?
             selector = login
-            selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
+            # The only valid database for X.509 authentication is $external.
+            if user.auth_source != '$external'
+              user_name_msg = if user.name
+                " #{user.name}"
+              else
+                ''
+              end
+              raise Auth::InvalidConfiguration, "User#{user_name_msg} specifies auth source '#{user.auth_source}', but the only valid auth source for X.509 is '$external'"
+            end
+            selector[Protocol::Msg::DATABASE_IDENTIFIER] = '$external'
             cluster_time = connection.mongos? && connection.cluster_time
             selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
             Protocol::Msg.new([], {}, selector)