RUBY-530 Kerberos support on JRuby

Special thanks to Jeff Yemin (@jyemin) for his help and review.

RUBY-530 Support for GSSAPI in URI parser

RUBY-530 More tests - unit, replica set, threading

RUBY-530 Use the socket to get hostname

RUBY-530 Refer to config file as JAAS_LOGIN_CONFIG_FILE

RUBY-530 Update extra options name in auth module

RUBY-530 Don't require a config file in gssapi test

RUBY-530 Keep realm and host as different env variables in gssapi test

RUBY-530 Adding javadocs to GSSAPIAuthenticator

RUBY-530 Use a byte challenge instead of a string to avoid encoding

Get rid of extra whitespaces

RUBY-530 Initialize extra opts to empty hash if there are none

RUBY-530 Adding in tests for failure with wrong servicename

Fixing indentation

Fixing typo

RUBY-530 Adding in tests for extra opts

RUBY-530 Split kdc and host in tests, they are usually not the same

RUBY-530 Test for canonicalizehostname option

RUBY-530 Auth hashes now also have an extra key

RUBY-530 Rename extra opts variables and provide better error msg

RUBY-530 update uri test for new extra opts format

Author: estolfo

ext/jsasl/src/main/org/mongodb/sasl/GSSAPIAuthenticator.java

@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2009-2014 MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.mongodb.sasl;
+
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.jruby.Ruby;
+import org.jruby.RubyString;
+import org.jruby.RubyBoolean;
+
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslClient;
+import javax.security.sasl.SaslException;
+import java.net.UnknownHostException;
+import java.net.InetAddress;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * A helper class for SASL authentication using GSSAPI (Kerberos)
+ */
+public class GSSAPIAuthenticator {
+    private static final String GSSAPI_MECHANISM_NAME = "GSSAPI";
+    private static final String GSSAPI_OID = "1.2.840.113554.1.2.2";
+    public static final String CANONICALIZE_HOST_NAME_KEY = "CANONICALIZE_HOST_NAME";
+
+    private final Ruby runTime;
+    private final String userName;
+    private final String hostName;
+    private final String serviceName;
+    private final boolean canonicalizeHostName;
+
+    private final SaslClient saslClient;
+
+    /**
+     * Constructs a wrapper for a Sasl client that handles GSSAPI (Kerberos) mechanism authentication.
+     *
+     * @param runTime the Ruby run time
+     * @param userName the user name
+     * @param hostName the host name
+     * @param serviceName the service name
+     * @param canonicalizeHostName whether the hostname should be canonicalized
+     */
+    public GSSAPIAuthenticator(final Ruby runTime, final RubyString userName, final RubyString hostName, final RubyString serviceName, final RubyBoolean canonicalizeHostName) {
+        this.runTime = runTime;
+        this.userName = userName.decodeString();
+        this.hostName = hostName.decodeString();
+        this.serviceName = serviceName.decodeString();
+        this.canonicalizeHostName = (Boolean) canonicalizeHostName.toJava(Boolean.class);
+        this.saslClient = createSaslClient();
+    }
+
+    /**
+     * If the mechanism has an initial response, evaluteChallenge() is called to get the challenge. Otherwise, null is returned.
+     *
+     * @return the initial challenge to send to the server or null if the mechanism doesn't have an initial response.
+     *
+     * @throws MongoSecurityException if there is no response to the challenge.
+     */
+    public RubyString initializeChallenge() {
+        try {
+            return saslClient.hasInitialResponse() ? RubyString.newString(runTime, saslClient.evaluateChallenge(new byte[0])) : null;
+        } catch (SaslException e) {
+            throw new MongoSecurityException("SASL protocol error: no client response to challenge for credential", e);
+        }
+    }
+
+    /**
+     * Evaluate the next challenge, given the response from the server.
+     *
+     * @param rubyPayload the non-null challenge sent from the server.
+     *
+     * @return the response to the challenge
+     */
+    public RubyString evaluateChallenge(RubyString rubyPayload) {
+        try {
+            return RubyString.newString(runTime, saslClient.evaluateChallenge(rubyPayload.getBytes()));
+        } catch (SaslException e) {
+            throw new MongoSecurityException("SASL protocol error: no client response to challenge for credential", e);
+        }
+    }
+
+    private SaslClient createSaslClient() {
+        try {
+            Map<String, Object> props = new HashMap<String, Object>();
+            props.put(Sasl.CREDENTIALS, getGSSCredential(userName));
+            SaslClient saslClient = Sasl.createSaslClient(new String[]{GSSAPI_MECHANISM_NAME}, userName,
+                                                          serviceName,
+                                                          getHostName(), props, null);
+            if (saslClient == null) {
+                throw new MongoSecurityException(String.format("No platform support for %s mechanism", GSSAPI_MECHANISM_NAME));
+            }
+            return saslClient;
+        } catch (SaslException e) {
+            throw new MongoSecurityException(e);
+        } catch (GSSException e) {
+            throw new MongoSecurityException(e);
+        } catch (UnknownHostException e) {
+            throw new MongoSecurityException(e);
+        } catch (SecurityException e) {
+            throw new MongoSecurityException(e);
+        }
+    }
+
+    private GSSCredential getGSSCredential(final String userName) throws GSSException {
+        Oid krb5Mechanism = new Oid(GSSAPI_OID);
+        GSSManager manager = GSSManager.getInstance();
+        GSSName name = manager.createName(userName, GSSName.NT_USER_NAME);
+        return manager.createCredential(name, GSSCredential.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
+    }
+
+    private String getHostName() throws UnknownHostException {
+        return canonicalizeHostName ? InetAddress.getByName(hostName).getCanonicalHostName() : hostName;
+    }
+}

ext/jsasl/src/main/org/mongodb/sasl/MongoSecurityException.java

@@ -0,0 +1,18 @@
+package org.mongodb.sasl;
+
+public class MongoSecurityException extends RuntimeException {
+
+    private static final long serialVersionUID = -7531399100914218967L;
+
+    public MongoSecurityException(final Throwable cause) {
+        super(cause);
+    }
+
+    public MongoSecurityException(final String message) {
+        super(message);
+    }
+
+    public MongoSecurityException(final String message, final Throwable cause) {
+        super(message, cause);
+    }
+}

ext/jsasl/target/jsasl.jar

@@ -141,6 +141,8 @@ def initialize(name, client, opts={})
     #   used to authenticate against a database when the credentials exist
     #   elsewhere.
     # @param mechanism [String] The authentication mechanism to be used.
+    # @param extra [Hash] A optional hash of extra options to be stored with
+    #   the credential set.
     #
     # @note The ability to disable the save_auth option has been deprecated.
     #   With save_auth=false specified, driver authentication behavior during
@@ -150,12 +152,12 @@ def initialize(name, client, opts={})
     #
     # @raise [AuthenticationError] Raised if authentication fails.
     # @return [Boolean] The result of the authentication operation.
-    def authenticate(username, password=nil, save_auth=nil, source=nil, mechanism=nil)
+    def authenticate(username, password=nil, save_auth=nil, source=nil, mechanism=nil, extra=nil)
       warn "[DEPRECATED] Disabling the 'save_auth' option no longer has " +
            "any effect. Please see the API documentation for more details " +
            "on this change." unless save_auth.nil?
 
-      @client.add_auth(self.name, username, password, source, mechanism)
+      @client.add_auth(self.name, username, password, source, mechanism, extra)
       true
     end
 

lib/mongo/db.rb

@@ -17,3 +17,5 @@
 require 'mongo/functional/read_preference'
 require 'mongo/functional/write_concern'
 require 'mongo/functional/uri_parser'
+
+require 'mongo/functional/sasl_java' if RUBY_PLATFORM =~ /java/

lib/mongo/functional.rb

@@ -19,6 +19,7 @@ module Authentication
 
     DEFAULT_MECHANISM = 'MONGODB-CR'
     MECHANISMS        = ['GSSAPI', 'MONGODB-CR', 'MONGODB-X509', 'PLAIN']
+    EXTRA             = { 'GSSAPI' => [:gssapi_service_name, :canonicalize_host_name] }
 
     # authentication module methods
     class << self
@@ -59,6 +60,15 @@ def validate_credentials(auth)
             "When using the authentication mechanism #{auth[:mechanism]} " +
             "both username and password are required."
         end
+        # if extra opts exist, validate them
+        allowed_keys = EXTRA[auth[:mechanism]]
+        if auth[:extra] && !auth[:extra].empty?
+          invalid_opts = []
+          auth[:extra].keys.each { |k| invalid_opts << k unless allowed_keys.include?(k) }
+          raise MongoArgumentError,
+            "Invalid extra option(s): #{invalid_opts} found. Please check the extra options" +
+            " passed and try again." unless invalid_opts.empty?
+        end
         auth
       end
 
@@ -95,19 +105,22 @@ def hash_password(username, password)
     #   (if different than the current database).
     # @param mechanism [String] (nil) The authentication mechanism being used
     #   (default: 'MONGODB-CR').
+    # @param extra [Hash] (nil) A optional hash of extra options to be stored with
+    #   the credential set.
     #
     # @raise [MongoArgumentError] Raised if the database has already been used
     #   for authentication. A log out is required before additional auths can
     #   be issued against a given database.
     # @raise [AuthenticationError] Raised if authentication fails.
     # @return [Hash] a hash representing the authentication just added.
-    def add_auth(db_name, username, password=nil, source=nil, mechanism=nil)
+    def add_auth(db_name, username, password=nil, source=nil, mechanism=nil, extra=nil)
       auth = Authentication.validate_credentials({
         :db_name   => db_name,
         :username  => username,
         :password  => password,
         :source    => source,
-        :mechanism => mechanism
+        :mechanism => mechanism,
+        :extra     => extra
       })
 
       if @auths.any? {|a| a[:source] == auth[:source]}
@@ -276,7 +289,9 @@ def issue_plain(auth, opts={})
     # @private
     def issue_gssapi(auth, opts={})
       raise NotImplementedError,
-        "The #{auth[:mechanism]} authentication mechanism is not yet supported."
+         "The #{auth[:mechanism]} authentication mechanism is only supported " +
+         "for JRuby." unless RUBY_PLATFORM =~ /java/
+      Mongo::Sasl::GSSAPI.authenticate(auth[:username], self, opts[:socket], auth[:extra] || {})
     end
 
     # Helper to fetch a nonce value from a given database instance.

lib/mongo/functional/authentication.rb

@@ -0,0 +1,48 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'jruby'
+
+include Java
+
+jar_dir = File.join(File.dirname(__FILE__), '../../../ext/jsasl')
+require File.join(jar_dir, 'target/jsasl.jar')
+
+module Mongo
+  module Sasl
+
+    module GSSAPI
+
+      def self.authenticate(username, client, socket, opts={})
+        db            = client.db('$external')
+        hostname      = socket.pool.host
+        servicename   = opts[:gssapi_service_name] || 'mongodb'
+        canonicalize  = opts[:canonicalize_host_name] ? opts[:canonicalize_host_name] : false
+
+        authenticator = org.mongodb.sasl.GSSAPIAuthenticator.new(JRuby.runtime, username, hostname, servicename, canonicalize)
+        token         = BSON::Binary.new(authenticator.initialize_challenge)
+        cmd           = BSON::OrderedHash['saslStart', 1, 'mechanism', 'GSSAPI', 'payload', token, 'autoAuthorize', 1]
+        response      = db.command(cmd, :check_response => false, :socket => socket)
+
+        until response['done'] do
+          token    = BSON::Binary.new(authenticator.evaluate_challenge(response['payload'].to_s))
+          cmd      = BSON::OrderedHash['saslContinue', 1, 'conversationId', response['conversationId'], 'payload', token]
+          response = db.command(cmd, :check_response => false, :socket => socket)
+        end
+        response
+      end
+    end
+
+  end
+end