line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# Copyright 2014 - present MongoDB, Inc. |
2
|
|
|
|
|
|
|
# |
3
|
|
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); |
4
|
|
|
|
|
|
|
# you may not use this file except in compliance with the License. |
5
|
|
|
|
|
|
|
# You may obtain a copy of the License at |
6
|
|
|
|
|
|
|
# |
7
|
|
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0 |
8
|
|
|
|
|
|
|
# |
9
|
|
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software |
10
|
|
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, |
11
|
|
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12
|
|
|
|
|
|
|
# See the License for the specific language governing permissions and |
13
|
|
|
|
|
|
|
# limitations under the License. |
14
|
|
|
|
|
|
|
|
15
|
59
|
|
|
59
|
|
80502
|
use strict; |
|
59
|
|
|
|
|
156
|
|
|
59
|
|
|
|
|
1759
|
|
16
|
59
|
|
|
59
|
|
305
|
use warnings; |
|
59
|
|
|
|
|
127
|
|
|
59
|
|
|
|
|
2106
|
|
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
package MongoDB::_Credential; |
19
|
|
|
|
|
|
|
|
20
|
59
|
|
|
59
|
|
647
|
use version; |
|
59
|
|
|
|
|
1646
|
|
|
59
|
|
|
|
|
360
|
|
21
|
|
|
|
|
|
|
our $VERSION = 'v2.2.0'; |
22
|
|
|
|
|
|
|
|
23
|
59
|
|
|
59
|
|
4991
|
use Moo; |
|
59
|
|
|
|
|
9177
|
|
|
59
|
|
|
|
|
391
|
|
24
|
59
|
|
|
59
|
|
21405
|
use MongoDB::Error; |
|
59
|
|
|
|
|
169
|
|
|
59
|
|
|
|
|
6262
|
|
25
|
59
|
|
|
59
|
|
815
|
use MongoDB::Op::_Command; |
|
59
|
|
|
|
|
146
|
|
|
59
|
|
|
|
|
1934
|
|
26
|
59
|
|
|
|
|
486
|
use MongoDB::_Types qw( |
27
|
|
|
|
|
|
|
AuthMechanism |
28
|
|
|
|
|
|
|
NonEmptyStr |
29
|
59
|
|
|
59
|
|
393
|
); |
|
59
|
|
|
|
|
138
|
|
30
|
|
|
|
|
|
|
|
31
|
59
|
|
|
59
|
|
65855
|
use Digest::MD5 qw/md5_hex/; |
|
59
|
|
|
|
|
144
|
|
|
59
|
|
|
|
|
3422
|
|
32
|
59
|
|
|
59
|
|
31690
|
use Encode qw/encode/; |
|
59
|
|
|
|
|
534819
|
|
|
59
|
|
|
|
|
4376
|
|
33
|
59
|
|
|
59
|
|
505
|
use MIME::Base64 qw/encode_base64 decode_base64/; |
|
59
|
|
|
|
|
140
|
|
|
59
|
|
|
|
|
3492
|
|
34
|
59
|
|
|
59
|
|
394
|
use Safe::Isa; |
|
59
|
|
|
|
|
150
|
|
|
59
|
|
|
|
|
7474
|
|
35
|
59
|
|
|
59
|
|
415
|
use Tie::IxHash; |
|
59
|
|
|
|
|
140
|
|
|
59
|
|
|
|
|
1524
|
|
36
|
59
|
|
|
|
|
475
|
use MongoDB::_Types qw( |
37
|
|
|
|
|
|
|
Boolish |
38
|
59
|
|
|
59
|
|
311
|
); |
|
59
|
|
|
|
|
133
|
|
39
|
59
|
|
|
|
|
431
|
use Types::Standard qw( |
40
|
|
|
|
|
|
|
CodeRef |
41
|
|
|
|
|
|
|
HashRef |
42
|
|
|
|
|
|
|
InstanceOf |
43
|
|
|
|
|
|
|
Maybe |
44
|
|
|
|
|
|
|
Str |
45
|
59
|
|
|
59
|
|
33427
|
); |
|
59
|
|
|
|
|
143
|
|
46
|
|
|
|
|
|
|
|
47
|
59
|
|
|
59
|
|
70030
|
use namespace::clean -except => 'meta'; |
|
59
|
|
|
|
|
156
|
|
|
59
|
|
|
|
|
486
|
|
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
# Required so we're sure it's passed explicitly, even if undef, so we don't |
50
|
|
|
|
|
|
|
# miss wiring it up. |
51
|
|
|
|
|
|
|
has monitoring_callback => ( |
52
|
|
|
|
|
|
|
is => 'ro', |
53
|
|
|
|
|
|
|
required => 1, |
54
|
|
|
|
|
|
|
isa => Maybe[CodeRef], |
55
|
|
|
|
|
|
|
); |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
has mechanism => ( |
58
|
|
|
|
|
|
|
is => 'ro', |
59
|
|
|
|
|
|
|
isa => AuthMechanism, |
60
|
|
|
|
|
|
|
required => 1, |
61
|
|
|
|
|
|
|
); |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
has username => ( |
64
|
|
|
|
|
|
|
is => 'ro', |
65
|
|
|
|
|
|
|
isa => Str, |
66
|
|
|
|
|
|
|
); |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
has source => ( |
69
|
|
|
|
|
|
|
is => 'lazy', |
70
|
|
|
|
|
|
|
isa => NonEmptyStr, |
71
|
|
|
|
|
|
|
builder => '_build_source', |
72
|
|
|
|
|
|
|
); |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
has db_name => ( |
75
|
|
|
|
|
|
|
is => 'ro', |
76
|
|
|
|
|
|
|
isa => Str, |
77
|
|
|
|
|
|
|
); |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
has password => ( |
80
|
|
|
|
|
|
|
is => 'ro', |
81
|
|
|
|
|
|
|
isa => Str, |
82
|
|
|
|
|
|
|
); |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
has pw_is_digest => ( |
85
|
|
|
|
|
|
|
is => 'ro', |
86
|
|
|
|
|
|
|
isa => Boolish, |
87
|
|
|
|
|
|
|
); |
88
|
|
|
|
|
|
|
|
89
|
|
|
|
|
|
|
has mechanism_properties => ( |
90
|
|
|
|
|
|
|
is => 'ro', |
91
|
|
|
|
|
|
|
isa => HashRef, |
92
|
|
|
|
|
|
|
default => sub { {} }, |
93
|
|
|
|
|
|
|
); |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
has _digested_password => ( |
96
|
|
|
|
|
|
|
is => 'lazy', |
97
|
|
|
|
|
|
|
isa => Str, |
98
|
|
|
|
|
|
|
builder => '_build__digested_password', |
99
|
|
|
|
|
|
|
); |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
has _scram_sha1_client => ( |
102
|
|
|
|
|
|
|
is => 'lazy', |
103
|
|
|
|
|
|
|
isa => InstanceOf ['Authen::SCRAM::Client'], |
104
|
|
|
|
|
|
|
builder => '_build__scram_sha1_client', |
105
|
|
|
|
|
|
|
); |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
has _scram_sha256_client => ( |
108
|
|
|
|
|
|
|
is => 'lazy', |
109
|
|
|
|
|
|
|
isa => InstanceOf ['Authen::SCRAM::Client'], |
110
|
|
|
|
|
|
|
builder => '_build__scram_sha256_client', |
111
|
|
|
|
|
|
|
); |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
sub _build__scram_sha1_client { |
114
|
0
|
|
|
0
|
|
0
|
my ($self) = @_; |
115
|
|
|
|
|
|
|
# loaded only demand as it has a long load time relative to other |
116
|
|
|
|
|
|
|
# modules |
117
|
0
|
|
|
|
|
0
|
require Authen::SCRAM::Client; |
118
|
0
|
|
|
|
|
0
|
Authen::SCRAM::Client->VERSION(0.011); |
119
|
0
|
|
|
|
|
0
|
return Authen::SCRAM::Client->new( |
120
|
|
|
|
|
|
|
username => $self->username, |
121
|
|
|
|
|
|
|
password => $self->_digested_password, |
122
|
|
|
|
|
|
|
digest => 'SHA-1', |
123
|
|
|
|
|
|
|
minimum_iteration_count => 4096, |
124
|
|
|
|
|
|
|
skip_saslprep => 1, |
125
|
|
|
|
|
|
|
); |
126
|
|
|
|
|
|
|
} |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
sub _build__scram_sha256_client { |
129
|
0
|
|
|
0
|
|
0
|
my ($self) = @_; |
130
|
|
|
|
|
|
|
# loaded only demand as it has a long load time relative to other |
131
|
|
|
|
|
|
|
# modules |
132
|
0
|
|
|
|
|
0
|
require Authen::SCRAM::Client; |
133
|
0
|
|
|
|
|
0
|
Authen::SCRAM::Client->VERSION(0.007); |
134
|
0
|
|
|
|
|
0
|
require Authen::SASL::SASLprep; |
135
|
0
|
|
|
|
|
0
|
return Authen::SCRAM::Client->new( |
136
|
|
|
|
|
|
|
username => $self->username, |
137
|
|
|
|
|
|
|
password => Authen::SASL::SASLprep::saslprep($self->password), |
138
|
|
|
|
|
|
|
digest => 'SHA-256', |
139
|
|
|
|
|
|
|
minimum_iteration_count => 4096, |
140
|
|
|
|
|
|
|
skip_saslprep => 1, |
141
|
|
|
|
|
|
|
); |
142
|
|
|
|
|
|
|
} |
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
sub _build__digested_password { |
145
|
0
|
|
|
0
|
|
0
|
my ($self) = @_; |
146
|
0
|
0
|
|
|
|
0
|
return $self->password if $self->pw_is_digest; |
147
|
0
|
|
|
|
|
0
|
return md5_hex( encode( "UTF-8", $self->username . ":mongo:" . $self->password ) ); |
148
|
|
|
|
|
|
|
} |
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
sub _build_source { |
151
|
21
|
|
|
21
|
|
274
|
my ($self) = @_; |
152
|
21
|
|
|
|
|
63
|
my $mech = $self->mechanism; |
153
|
21
|
100
|
|
|
|
78
|
if ( $mech eq 'PLAIN' ) { |
154
|
2
|
|
100
|
|
|
41
|
return $self->db_name // '$external'; |
155
|
|
|
|
|
|
|
} |
156
|
19
|
100
|
100
|
|
|
416
|
return $mech eq 'MONGODB-X509' |
|
|
|
100
|
|
|
|
|
157
|
|
|
|
|
|
|
|| $mech eq 'GSSAPI' ? '$external' : $self->db_name // 'admin'; |
158
|
|
|
|
|
|
|
} |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
#<<< No perltidy |
161
|
|
|
|
|
|
|
my %CONSTRAINTS = ( |
162
|
|
|
|
|
|
|
'MONGODB-CR' => { |
163
|
|
|
|
|
|
|
username => sub { length }, |
164
|
|
|
|
|
|
|
password => sub { defined }, |
165
|
|
|
|
|
|
|
source => sub { length }, |
166
|
|
|
|
|
|
|
mechanism_properties => sub { !keys %$_ }, |
167
|
|
|
|
|
|
|
}, |
168
|
|
|
|
|
|
|
'MONGODB-X509' => { |
169
|
|
|
|
|
|
|
password => sub { ! defined }, |
170
|
|
|
|
|
|
|
source => sub { $_ eq '$external' }, |
171
|
|
|
|
|
|
|
mechanism_properties => sub { !keys %$_ }, |
172
|
|
|
|
|
|
|
}, |
173
|
|
|
|
|
|
|
'GSSAPI' => { |
174
|
|
|
|
|
|
|
username => sub { length }, |
175
|
|
|
|
|
|
|
source => sub { $_ eq '$external' }, |
176
|
|
|
|
|
|
|
}, |
177
|
|
|
|
|
|
|
'PLAIN' => { |
178
|
|
|
|
|
|
|
username => sub { length }, |
179
|
|
|
|
|
|
|
password => sub { defined }, |
180
|
|
|
|
|
|
|
source => sub { length }, |
181
|
|
|
|
|
|
|
mechanism_properties => sub { !keys %$_ }, |
182
|
|
|
|
|
|
|
}, |
183
|
|
|
|
|
|
|
'SCRAM-SHA-1' => { |
184
|
|
|
|
|
|
|
username => sub { length }, |
185
|
|
|
|
|
|
|
password => sub { defined }, |
186
|
|
|
|
|
|
|
source => sub { length }, |
187
|
|
|
|
|
|
|
mechanism_properties => sub { !keys %$_ }, |
188
|
|
|
|
|
|
|
}, |
189
|
|
|
|
|
|
|
'SCRAM-SHA-256' => { |
190
|
|
|
|
|
|
|
username => sub { length }, |
191
|
|
|
|
|
|
|
password => sub { defined }, |
192
|
|
|
|
|
|
|
source => sub { length }, |
193
|
|
|
|
|
|
|
mechanism_properties => sub { !keys %$_ }, |
194
|
|
|
|
|
|
|
}, |
195
|
|
|
|
|
|
|
'DEFAULT' => { |
196
|
|
|
|
|
|
|
username => sub { length }, |
197
|
|
|
|
|
|
|
password => sub { defined }, |
198
|
|
|
|
|
|
|
source => sub { length }, |
199
|
|
|
|
|
|
|
mechanism_properties => sub { !keys %$_ }, |
200
|
|
|
|
|
|
|
}, |
201
|
|
|
|
|
|
|
); |
202
|
|
|
|
|
|
|
#>>> |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
sub BUILD { |
205
|
339
|
|
|
339
|
0
|
376227
|
my ($self) = @_; |
206
|
|
|
|
|
|
|
|
207
|
339
|
|
|
|
|
1219
|
my $mech = $self->mechanism; |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
# validate attributes for given mechanism |
210
|
339
|
|
|
|
|
681
|
for my $key ( sort keys %{ $CONSTRAINTS{$mech} } ) { |
|
339
|
|
|
|
|
1923
|
|
211
|
112
|
|
|
|
|
250
|
my $validator = $CONSTRAINTS{$mech}{$key}; |
212
|
112
|
|
|
|
|
869
|
local $_ = $self->$key; |
213
|
112
|
100
|
|
|
|
885
|
unless ( $validator->() ) { |
214
|
9
|
|
100
|
|
|
58
|
$_ //= ""; |
215
|
9
|
|
|
|
|
94
|
MongoDB::UsageError->throw("invalid field $key with value '$_' in $mech credential"); |
216
|
|
|
|
|
|
|
} |
217
|
|
|
|
|
|
|
} |
218
|
|
|
|
|
|
|
|
219
|
|
|
|
|
|
|
# fix up GSSAPI property defaults if not given |
220
|
330
|
100
|
|
|
|
1310
|
if ( $mech eq 'GSSAPI' ) { |
221
|
7
|
|
|
|
|
24
|
my $mp = $self->mechanism_properties; |
222
|
7
|
|
100
|
|
|
34
|
$mp->{SERVICE_NAME} ||= 'mongodb'; |
223
|
|
|
|
|
|
|
} |
224
|
|
|
|
|
|
|
|
225
|
330
|
|
|
|
|
2771
|
return; |
226
|
|
|
|
|
|
|
} |
227
|
|
|
|
|
|
|
|
228
|
|
|
|
|
|
|
sub authenticate { |
229
|
0
|
|
|
0
|
0
|
|
my ( $self, $server, $link, $bson_codec ) = @_; |
230
|
|
|
|
|
|
|
|
231
|
0
|
|
|
|
|
|
my $mech = $self->mechanism; |
232
|
0
|
0
|
|
|
|
|
if ( $mech eq 'DEFAULT' ) { |
233
|
0
|
|
|
|
|
|
$mech = $self->_get_default_mechanism($server, $link); |
234
|
|
|
|
|
|
|
} |
235
|
0
|
|
|
|
|
|
my $method = "_authenticate_$mech"; |
236
|
0
|
|
|
|
|
|
$method =~ s/-/_/g; |
237
|
|
|
|
|
|
|
|
238
|
0
|
|
|
|
|
|
return $self->$method( $link, $bson_codec ); |
239
|
|
|
|
|
|
|
} |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
#--------------------------------------------------------------------------# |
242
|
|
|
|
|
|
|
# authentication mechanisms |
243
|
|
|
|
|
|
|
#--------------------------------------------------------------------------# |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
sub _authenticate_NONE () { 1 } |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
sub _authenticate_MONGODB_CR { |
248
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec ) = @_; |
249
|
|
|
|
|
|
|
|
250
|
|
|
|
|
|
|
my $nonce = $self->_send_command( $link, $bson_codec, 'admin', { getnonce => 1 } ) |
251
|
0
|
|
|
|
|
|
->output->{nonce}; |
252
|
0
|
|
|
|
|
|
my $key = |
253
|
|
|
|
|
|
|
md5_hex( encode( "UTF-8", $nonce . $self->username . $self->_digested_password ) ); |
254
|
|
|
|
|
|
|
|
255
|
0
|
|
|
|
|
|
my $command = Tie::IxHash->new( |
256
|
|
|
|
|
|
|
authenticate => 1, |
257
|
|
|
|
|
|
|
user => $self->username, |
258
|
|
|
|
|
|
|
nonce => $nonce, |
259
|
|
|
|
|
|
|
key => $key |
260
|
|
|
|
|
|
|
); |
261
|
0
|
|
|
|
|
|
$self->_send_command( $link, $bson_codec, $self->source, $command ); |
262
|
|
|
|
|
|
|
|
263
|
0
|
|
|
|
|
|
return 1; |
264
|
|
|
|
|
|
|
} |
265
|
|
|
|
|
|
|
|
266
|
|
|
|
|
|
|
sub _authenticate_MONGODB_X509 { |
267
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec ) = @_; |
268
|
|
|
|
|
|
|
|
269
|
0
|
|
|
|
|
|
my $username = $self->username; |
270
|
|
|
|
|
|
|
|
271
|
0
|
0
|
0
|
|
|
|
if ( !$username && !$link->supports_x509_user_from_cert ) { |
272
|
0
|
0
|
|
|
|
|
$username = $link->client_certificate_subject |
273
|
|
|
|
|
|
|
or MongoDB::UsageError->throw( |
274
|
|
|
|
|
|
|
"Could not extract subject from client SSL certificate"); |
275
|
|
|
|
|
|
|
} |
276
|
|
|
|
|
|
|
|
277
|
0
|
0
|
|
|
|
|
my $command = Tie::IxHash->new( |
278
|
|
|
|
|
|
|
authenticate => 1, |
279
|
|
|
|
|
|
|
mechanism => "MONGODB-X509", |
280
|
|
|
|
|
|
|
( $username ? ( user => $username ) : () ), |
281
|
|
|
|
|
|
|
); |
282
|
0
|
|
|
|
|
|
$self->_send_command( $link, $bson_codec, $self->source, $command ); |
283
|
|
|
|
|
|
|
|
284
|
0
|
|
|
|
|
|
return 1; |
285
|
|
|
|
|
|
|
} |
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
sub _authenticate_PLAIN { |
288
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec ) = @_; |
289
|
|
|
|
|
|
|
|
290
|
0
|
|
|
|
|
|
my $auth_bytes = |
291
|
|
|
|
|
|
|
encode( "UTF-8", "\x00" . $self->username . "\x00" . $self->password ); |
292
|
0
|
|
|
|
|
|
$self->_sasl_start( $link, $bson_codec, $auth_bytes, "PLAIN" ); |
293
|
|
|
|
|
|
|
|
294
|
0
|
|
|
|
|
|
return 1; |
295
|
|
|
|
|
|
|
} |
296
|
|
|
|
|
|
|
|
297
|
|
|
|
|
|
|
sub _authenticate_GSSAPI { |
298
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec ) = @_; |
299
|
|
|
|
|
|
|
|
300
|
0
|
0
|
|
|
|
|
eval { require Authen::SASL; 1 } |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
301
|
|
|
|
|
|
|
or MongoDB::AuthError->throw( |
302
|
|
|
|
|
|
|
"GSSAPI requires Authen::SASL and GSSAPI or Authen::SASL::XS from CPAN"); |
303
|
|
|
|
|
|
|
|
304
|
0
|
|
|
|
|
|
my ( $sasl, $client ); |
305
|
|
|
|
|
|
|
eval { |
306
|
0
|
|
|
|
|
|
$sasl = Authen::SASL->new( |
307
|
|
|
|
|
|
|
mechanism => 'GSSAPI', |
308
|
|
|
|
|
|
|
callback => { |
309
|
|
|
|
|
|
|
user => $self->username, |
310
|
|
|
|
|
|
|
authname => $self->username, |
311
|
|
|
|
|
|
|
}, |
312
|
|
|
|
|
|
|
); |
313
|
|
|
|
|
|
|
$client = |
314
|
0
|
|
|
|
|
|
$sasl->client_new( $self->mechanism_properties->{SERVICE_NAME}, $link->host ); |
315
|
0
|
|
|
|
|
|
1; |
316
|
0
|
0
|
|
|
|
|
} or do { |
317
|
0
|
|
0
|
|
|
|
my $error = $@ || "Unknown error"; |
318
|
0
|
|
|
|
|
|
MongoDB::AuthError->throw( |
319
|
|
|
|
|
|
|
"Failed to initialize a GSSAPI backend (did you install GSSAPI or Authen::SASL::XS?) Error was: $error" |
320
|
|
|
|
|
|
|
); |
321
|
|
|
|
|
|
|
}; |
322
|
|
|
|
|
|
|
|
323
|
|
|
|
|
|
|
eval { |
324
|
|
|
|
|
|
|
# start conversation |
325
|
0
|
|
|
|
|
|
my $step = $client->client_start; |
326
|
0
|
|
|
|
|
|
$self->_assert_gssapi( $client, |
327
|
|
|
|
|
|
|
"Could not start GSSAPI. Did you run kinit? Error was: " ); |
328
|
0
|
|
|
|
|
|
my ( $sasl_resp, $conv_id, $done ) = |
329
|
|
|
|
|
|
|
$self->_sasl_start( $link, $bson_codec, $step, 'GSSAPI' ); |
330
|
|
|
|
|
|
|
|
331
|
|
|
|
|
|
|
# iterate, but with maximum number of exchanges to prevent endless loop |
332
|
0
|
|
|
|
|
|
for my $i ( 1 .. 10 ) { |
333
|
0
|
0
|
|
|
|
|
last if $done; |
334
|
0
|
|
|
|
|
|
$step = $client->client_step($sasl_resp); |
335
|
0
|
|
|
|
|
|
$self->_assert_gssapi( $client, "GSSAPI step error: " ); |
336
|
0
|
|
|
|
|
|
( $sasl_resp, $conv_id, $done ) = |
337
|
|
|
|
|
|
|
$self->_sasl_continue( $link, $bson_codec, $step, $conv_id ); |
338
|
|
|
|
|
|
|
} |
339
|
0
|
|
|
|
|
|
1; |
340
|
0
|
0
|
|
|
|
|
} or do { |
341
|
0
|
|
0
|
|
|
|
my $error = $@ || "Unknown error"; |
342
|
0
|
0
|
|
|
|
|
my $msg = $error->$_isa("MongoDB::Error") ? $error->message : "$error"; |
343
|
0
|
|
|
|
|
|
MongoDB::AuthError->throw("GSSAPI error: $msg"); |
344
|
|
|
|
|
|
|
}; |
345
|
|
|
|
|
|
|
|
346
|
0
|
|
|
|
|
|
return 1; |
347
|
|
|
|
|
|
|
} |
348
|
|
|
|
|
|
|
|
349
|
|
|
|
|
|
|
sub _authenticate_SCRAM_SHA_1 { |
350
|
0
|
|
|
0
|
|
|
my $self = shift; |
351
|
|
|
|
|
|
|
|
352
|
0
|
|
|
|
|
|
$self->_scram_auth(@_, $self->_scram_sha1_client, 'SCRAM-SHA-1'); |
353
|
|
|
|
|
|
|
|
354
|
0
|
|
|
|
|
|
return 1; |
355
|
|
|
|
|
|
|
} |
356
|
|
|
|
|
|
|
|
357
|
|
|
|
|
|
|
sub _authenticate_SCRAM_SHA_256 { |
358
|
0
|
|
|
0
|
|
|
my $self = shift; |
359
|
|
|
|
|
|
|
|
360
|
0
|
|
|
|
|
|
$self->_scram_auth(@_, $self->_scram_sha256_client, 'SCRAM-SHA-256'); |
361
|
|
|
|
|
|
|
|
362
|
0
|
|
|
|
|
|
return 1; |
363
|
|
|
|
|
|
|
} |
364
|
|
|
|
|
|
|
|
365
|
|
|
|
|
|
|
sub _get_default_mechanism { |
366
|
0
|
|
|
0
|
|
|
my ( $self, $server, $link ) = @_; |
367
|
|
|
|
|
|
|
|
368
|
0
|
0
|
|
|
|
|
if ( my $supported = $server->is_master->{saslSupportedMechs} ) { |
369
|
0
|
0
|
|
|
|
|
if ( grep { $_ eq 'SCRAM-SHA-256' } @$supported ) { |
|
0
|
|
|
|
|
|
|
370
|
0
|
|
|
|
|
|
return 'SCRAM-SHA-256'; |
371
|
|
|
|
|
|
|
} |
372
|
0
|
|
|
|
|
|
return 'SCRAM-SHA-1'; |
373
|
|
|
|
|
|
|
} |
374
|
|
|
|
|
|
|
|
375
|
0
|
0
|
|
|
|
|
if ( $link->supports_scram_sha1 ) { |
376
|
0
|
|
|
|
|
|
return 'SCRAM-SHA-1'; |
377
|
|
|
|
|
|
|
} |
378
|
|
|
|
|
|
|
|
379
|
0
|
|
|
|
|
|
return 'MONGODB-CR'; |
380
|
|
|
|
|
|
|
} |
381
|
|
|
|
|
|
|
|
382
|
|
|
|
|
|
|
#--------------------------------------------------------------------------# |
383
|
|
|
|
|
|
|
# GSSAPI/SASL methods |
384
|
|
|
|
|
|
|
#--------------------------------------------------------------------------# |
385
|
|
|
|
|
|
|
|
386
|
|
|
|
|
|
|
# GSSAPI backends report status/errors differently |
387
|
|
|
|
|
|
|
sub _assert_gssapi { |
388
|
0
|
|
|
0
|
|
|
my ( $self, $client, $prefix ) = @_; |
389
|
0
|
|
|
|
|
|
my $type = ref $client; |
390
|
|
|
|
|
|
|
|
391
|
0
|
0
|
|
|
|
|
if ( $type =~ m{^Authen::SASL::(?:XS|Cyrus)$} ) { |
392
|
0
|
|
|
|
|
|
my $code = $client->code; |
393
|
0
|
0
|
0
|
|
|
|
if ( $code != 0 && $code != 1 ) { # not OK or CONTINUE |
394
|
0
|
|
|
|
|
|
my $error = join( "; ", $client->error ); |
395
|
0
|
|
|
|
|
|
MongoDB::AuthError->throw("$prefix$error"); |
396
|
|
|
|
|
|
|
} |
397
|
|
|
|
|
|
|
} |
398
|
|
|
|
|
|
|
else { |
399
|
|
|
|
|
|
|
# Authen::SASL::Perl::GSSAPI or some unknown backend |
400
|
0
|
0
|
|
|
|
|
if ( my $error = $client->error ) { |
401
|
0
|
|
|
|
|
|
MongoDB::AuthError->throw("$prefix$error"); |
402
|
|
|
|
|
|
|
} |
403
|
|
|
|
|
|
|
} |
404
|
|
|
|
|
|
|
|
405
|
0
|
|
|
|
|
|
return 1; |
406
|
|
|
|
|
|
|
} |
407
|
|
|
|
|
|
|
|
408
|
|
|
|
|
|
|
# PERL-801: GSSAPI broke in some cases after switching to binary |
409
|
|
|
|
|
|
|
# payloads, so fall back to base64 encoding for that mechanism. |
410
|
|
|
|
|
|
|
sub _sasl_encode_payload { |
411
|
0
|
|
|
0
|
|
|
my ( $self, $payload ) = @_; |
412
|
0
|
0
|
|
|
|
|
$payload = "" unless defined $payload; |
413
|
0
|
0
|
|
|
|
|
return encode_base64( $payload, "" ) if $self->mechanism eq 'GSSAPI'; |
414
|
0
|
|
|
|
|
|
$payload = encode( "UTF-8", $payload ); |
415
|
0
|
|
|
|
|
|
return \$payload; |
416
|
|
|
|
|
|
|
} |
417
|
|
|
|
|
|
|
|
418
|
|
|
|
|
|
|
sub _sasl_decode_payload { |
419
|
0
|
|
|
0
|
|
|
my ( $self, $payload ) = @_; |
420
|
0
|
0
|
0
|
|
|
|
return "" unless defined $payload && length $payload; |
421
|
0
|
0
|
|
|
|
|
return $payload->data if ref $payload; |
422
|
0
|
|
|
|
|
|
return decode_base64($payload); |
423
|
|
|
|
|
|
|
} |
424
|
|
|
|
|
|
|
|
425
|
|
|
|
|
|
|
sub _sasl_start { |
426
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec, $payload, $mechanism ) = @_; |
427
|
|
|
|
|
|
|
|
428
|
0
|
|
|
|
|
|
my $command = Tie::IxHash->new( |
429
|
|
|
|
|
|
|
saslStart => 1, |
430
|
|
|
|
|
|
|
mechanism => $mechanism, |
431
|
|
|
|
|
|
|
payload => $self->_sasl_encode_payload($payload), |
432
|
|
|
|
|
|
|
autoAuthorize => 1, |
433
|
|
|
|
|
|
|
); |
434
|
|
|
|
|
|
|
|
435
|
0
|
|
|
|
|
|
return $self->_sasl_send( $link, $bson_codec, $command ); |
436
|
|
|
|
|
|
|
} |
437
|
|
|
|
|
|
|
|
438
|
|
|
|
|
|
|
sub _sasl_continue { |
439
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec, $payload, $conv_id ) = @_; |
440
|
|
|
|
|
|
|
|
441
|
0
|
|
|
|
|
|
my $command = Tie::IxHash->new( |
442
|
|
|
|
|
|
|
saslContinue => 1, |
443
|
|
|
|
|
|
|
conversationId => $conv_id, |
444
|
|
|
|
|
|
|
payload => $self->_sasl_encode_payload($payload), |
445
|
|
|
|
|
|
|
); |
446
|
|
|
|
|
|
|
|
447
|
0
|
|
|
|
|
|
return $self->_sasl_send( $link, $bson_codec, $command ); |
448
|
|
|
|
|
|
|
} |
449
|
|
|
|
|
|
|
|
450
|
|
|
|
|
|
|
sub _sasl_send { |
451
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec, $command ) = @_; |
452
|
0
|
|
|
|
|
|
my $output = |
453
|
|
|
|
|
|
|
$self->_send_command( $link, $bson_codec, $self->source, $command )->output; |
454
|
|
|
|
|
|
|
|
455
|
|
|
|
|
|
|
return ( |
456
|
|
|
|
|
|
|
$self->_sasl_decode_payload( $output->{payload} ), |
457
|
|
|
|
|
|
|
$output->{conversationId}, |
458
|
|
|
|
|
|
|
$output->{done} |
459
|
0
|
|
|
|
|
|
); |
460
|
|
|
|
|
|
|
} |
461
|
|
|
|
|
|
|
|
462
|
|
|
|
|
|
|
sub _scram_auth { |
463
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec, $client, $mech ) = @_; |
464
|
|
|
|
|
|
|
|
465
|
0
|
|
|
|
|
|
my ( $msg, $sasl_resp, $conv_id, $done ); |
466
|
|
|
|
|
|
|
eval { |
467
|
0
|
|
|
|
|
|
$msg = $client->first_msg; |
468
|
0
|
|
|
|
|
|
( $sasl_resp, $conv_id, $done ) = |
469
|
|
|
|
|
|
|
$self->_sasl_start( $link, $bson_codec, $msg, $mech ); |
470
|
0
|
|
|
|
|
|
$msg = $client->final_msg($sasl_resp); |
471
|
0
|
|
|
|
|
|
( $sasl_resp, $conv_id, $done ) = |
472
|
|
|
|
|
|
|
$self->_sasl_continue( $link, $bson_codec, $msg, $conv_id ); |
473
|
0
|
|
|
|
|
|
$client->validate($sasl_resp); |
474
|
|
|
|
|
|
|
# might require an empty payload to complete SASL conversation |
475
|
0
|
0
|
|
|
|
|
$self->_sasl_continue( $link, $bson_codec, "", $conv_id ) if !$done; |
476
|
0
|
|
|
|
|
|
1; |
477
|
0
|
0
|
|
|
|
|
} or do { |
478
|
0
|
|
0
|
|
|
|
my $error = $@ || "Unknown error"; |
479
|
0
|
0
|
|
|
|
|
my $msg = $error->$_isa("MongoDB::Error") ? $error->message : "$error"; |
480
|
0
|
|
|
|
|
|
MongoDB::AuthError->throw("$mech error: $msg"); |
481
|
|
|
|
|
|
|
}; |
482
|
|
|
|
|
|
|
} |
483
|
|
|
|
|
|
|
|
484
|
|
|
|
|
|
|
sub _send_command { |
485
|
0
|
|
|
0
|
|
|
my ( $self, $link, $bson_codec, $db_name, $command ) = @_; |
486
|
|
|
|
|
|
|
|
487
|
0
|
|
|
|
|
|
my $op = MongoDB::Op::_Command->_new( |
488
|
|
|
|
|
|
|
db_name => $db_name, |
489
|
|
|
|
|
|
|
query => $command, |
490
|
|
|
|
|
|
|
query_flags => {}, |
491
|
|
|
|
|
|
|
bson_codec => $bson_codec, |
492
|
|
|
|
|
|
|
monitoring_callback => $self->monitoring_callback, |
493
|
|
|
|
|
|
|
); |
494
|
0
|
|
|
|
|
|
my $res = $op->execute($link); |
495
|
0
|
|
|
|
|
|
return $res; |
496
|
|
|
|
|
|
|
} |
497
|
|
|
|
|
|
|
|
498
|
|
|
|
|
|
|
1; |