authorAdam Rayner <adam.rayner@gmail.com>2021-11-29 17:52:30 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-12-31 17:24:38 +0000
commit9ec1e6e58e94d52d2f6a9bc167ff939118aa5134 (patch)
treeb297e008a674be9cc7674b5bfe369271ee2647a5
parentdded0c98d11736c9afa7271b9021d19ed17f3118 (diff)
downloadmongo-9ec1e6e58e94d52d2f6a9bc167ff939118aa5134.tar.gz
SERVER-46399 remove SCRAM-SHA-1 as a default internal auth mech
-rw-r--r--buildscripts/resmokeconfig/suites/aggregation_auth.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/causally_consistent_jscore_passthrough_auth.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/core_auth.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/failpoints_auth.yml2
-rw-r--r--buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/multiversion_auth.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/replica_sets_auth.yml2
-rw-r--r--buildscripts/resmokeconfig/suites/search_auth.yml2
-rw-r--r--buildscripts/resmokeconfig/suites/search_ssl.yml2
-rw-r--r--buildscripts/resmokeconfig/suites/sharding_auth.yml2
-rw-r--r--buildscripts/resmokeconfig/suites/sharding_auth_audit.yml2
-rw-r--r--buildscripts/resmokeconfig/suites/tenant_migration_causally_consistent_jscore_passthrough.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/tenant_migration_jscore_passthrough.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/tenant_migration_kill_primary_jscore_passthrough.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/tenant_migration_multi_stmt_txn_jscore_passthrough.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/tenant_migration_stepdown_jscore_passthrough.yml4
-rw-r--r--buildscripts/resmokeconfig/suites/tenant_migration_terminate_primary_jscore_passthrough.yml4
-rw-r--r--jstests/auth/auth-counters.js7
-rw-r--r--jstests/auth/sasl_mechanism_discovery.js4
-rw-r--r--jstests/auth/speculative-auth-replset.js23
-rw-r--r--jstests/auth/system_auth_scram_mechs.js6
-rw-r--r--jstests/auth/system_user_exception.js6
-rw-r--r--jstests/ssl/set_parameter_ssl.js2
-rw-r--r--src/mongo/client/authenticate.cpp13
-rw-r--r--src/mongo/client/authenticate.h6
-rw-r--r--src/mongo/client/dbclient_base.cpp6
-rw-r--r--src/mongo/client/dbclient_base.h8
-rw-r--r--src/mongo/db/auth/sasl_mechanism_policies.h2
-rw-r--r--src/mongo/db/auth/security_key.cpp10
-rw-r--r--src/mongo/db/stats/counters.cpp6
-rw-r--r--src/mongo/shell/db.js20
-rw-r--r--src/mongo/shell/servers.js2
-rw-r--r--src/mongo/shell/utils_auth.js2
33 files changed, 89 insertions, 90 deletions
diff --git a/buildscripts/resmokeconfig/suites/aggregation_auth.yml b/buildscripts/resmokeconfig/suites/aggregation_auth.yml
index c047bce1f30..c133cd3091c 100644
--- a/buildscripts/resmokeconfig/suites/aggregation_auth.yml
+++ b/buildscripts/resmokeconfig/suites/aggregation_auth.yml
@@ -20,13 +20,13 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
eval: jsTest.authenticate(db.getMongo())
authenticationDatabase: local
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
hooks:
diff --git a/buildscripts/resmokeconfig/suites/causally_consistent_jscore_passthrough_auth.yml b/buildscripts/resmokeconfig/suites/causally_consistent_jscore_passthrough_auth.yml
index da4871c5033..0ddb9baba3d 100644
--- a/buildscripts/resmokeconfig/suites/causally_consistent_jscore_passthrough_auth.yml
+++ b/buildscripts/resmokeconfig/suites/causally_consistent_jscore_passthrough_auth.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -137,7 +137,7 @@ executor:
global_vars:
TestData: &TestData
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/core_auth.yml b/buildscripts/resmokeconfig/suites/core_auth.yml
index ea811788017..a85a88f589c 100644
--- a/buildscripts/resmokeconfig/suites/core_auth.yml
+++ b/buildscripts/resmokeconfig/suites/core_auth.yml
@@ -4,7 +4,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: local
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -33,7 +33,7 @@ executor:
global_vars:
TestData: &TestData
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/failpoints_auth.yml b/buildscripts/resmokeconfig/suites/failpoints_auth.yml
index e1172f7399d..15070560a2c 100644
--- a/buildscripts/resmokeconfig/suites/failpoints_auth.yml
+++ b/buildscripts/resmokeconfig/suites/failpoints_auth.yml
@@ -19,7 +19,7 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml b/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
index bc34cec9b7b..b6bae6b1ab4 100644
--- a/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
+++ b/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
@@ -12,12 +12,12 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
- TestData: &TestData
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
diff --git a/buildscripts/resmokeconfig/suites/multiversion_auth.yml b/buildscripts/resmokeconfig/suites/multiversion_auth.yml
index 0f4152ccf60..550da7bbe28 100644
--- a/buildscripts/resmokeconfig/suites/multiversion_auth.yml
+++ b/buildscripts/resmokeconfig/suites/multiversion_auth.yml
@@ -38,12 +38,12 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+# authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
authenticationDatabase: local
- authenticationMechanism: SCRAM-SHA-1
+# authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
nodb: ''
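Review bot: The two mechanism keys are commented out with no explanation, so a reader cannot tell whether this suite deliberately leaves the shell to negotiate or whether the edit was left unfinished. The likely reason — this suite also runs older binaries whose keyfile user may not accept the new shell default — is an inference; nothing in the hunk states it. Either delete the lines or replace them with the reason, e.g. `# authMechanism deliberately unset: the shell picks SCRAM-SHA-256 or SCRAM-SHA-1 from the server's maxWireVersion so mixed-version clusters can still authenticate`. Leaving `password: *keyFileData` without a mechanism also makes resmoke depend on that shell negotiation, which is worth saying in the same comment.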
diff --git a/buildscripts/resmokeconfig/suites/replica_sets_auth.yml b/buildscripts/resmokeconfig/suites/replica_sets_auth.yml
index b643419455b..4f6556e1083 100644
--- a/buildscripts/resmokeconfig/suites/replica_sets_auth.yml
+++ b/buildscripts/resmokeconfig/suites/replica_sets_auth.yml
@@ -38,7 +38,7 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/search_auth.yml b/buildscripts/resmokeconfig/suites/search_auth.yml
index 61e6d26f56a..edf79042a40 100644
--- a/buildscripts/resmokeconfig/suites/search_auth.yml
+++ b/buildscripts/resmokeconfig/suites/search_auth.yml
@@ -14,7 +14,7 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/search_ssl.yml b/buildscripts/resmokeconfig/suites/search_ssl.yml
index ba443347dc5..0b82b75388d 100644
--- a/buildscripts/resmokeconfig/suites/search_ssl.yml
+++ b/buildscripts/resmokeconfig/suites/search_ssl.yml
@@ -14,7 +14,7 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/sharding_auth.yml b/buildscripts/resmokeconfig/suites/sharding_auth.yml
index a67fa56174b..963f115fe48 100644
--- a/buildscripts/resmokeconfig/suites/sharding_auth.yml
+++ b/buildscripts/resmokeconfig/suites/sharding_auth.yml
@@ -43,7 +43,7 @@ executor:
global_vars:
TestData:
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml b/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml
index 2dec2287103..81f603f2953 100644
--- a/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml
+++ b/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml
@@ -44,7 +44,7 @@ executor:
TestData:
auditDestination: 'console'
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/tenant_migration_causally_consistent_jscore_passthrough.yml b/buildscripts/resmokeconfig/suites/tenant_migration_causally_consistent_jscore_passthrough.yml
index c639bbfaff2..d0c6eb768a5 100644
--- a/buildscripts/resmokeconfig/suites/tenant_migration_causally_consistent_jscore_passthrough.yml
+++ b/buildscripts/resmokeconfig/suites/tenant_migration_causally_consistent_jscore_passthrough.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -203,7 +203,7 @@ executor:
TestData: &TestData
tenantId: "tenantMigrationTenantId"
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/tenant_migration_jscore_passthrough.yml b/buildscripts/resmokeconfig/suites/tenant_migration_jscore_passthrough.yml
index 42e71829bd0..ed869d0f400 100644
--- a/buildscripts/resmokeconfig/suites/tenant_migration_jscore_passthrough.yml
+++ b/buildscripts/resmokeconfig/suites/tenant_migration_jscore_passthrough.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -135,7 +135,7 @@ executor:
TestData: &TestData
tenantId: "tenantMigrationTenantId"
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/tenant_migration_kill_primary_jscore_passthrough.yml b/buildscripts/resmokeconfig/suites/tenant_migration_kill_primary_jscore_passthrough.yml
index 7a0e7010c1d..2ff07cdc7b2 100644
--- a/buildscripts/resmokeconfig/suites/tenant_migration_kill_primary_jscore_passthrough.yml
+++ b/buildscripts/resmokeconfig/suites/tenant_migration_kill_primary_jscore_passthrough.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -244,7 +244,7 @@ executor:
TestData: &TestData
tenantId: "tenantMigrationTenantId"
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/tenant_migration_multi_stmt_txn_jscore_passthrough.yml b/buildscripts/resmokeconfig/suites/tenant_migration_multi_stmt_txn_jscore_passthrough.yml
index 21b6fb2815b..96645aea009 100644
--- a/buildscripts/resmokeconfig/suites/tenant_migration_multi_stmt_txn_jscore_passthrough.yml
+++ b/buildscripts/resmokeconfig/suites/tenant_migration_multi_stmt_txn_jscore_passthrough.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -371,7 +371,7 @@ executor:
TestData: &TestData
tenantId: "tenantMigrationTenantId"
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/tenant_migration_stepdown_jscore_passthrough.yml b/buildscripts/resmokeconfig/suites/tenant_migration_stepdown_jscore_passthrough.yml
index c6b1a94d9d3..0e1ccf3e1c5 100644
--- a/buildscripts/resmokeconfig/suites/tenant_migration_stepdown_jscore_passthrough.yml
+++ b/buildscripts/resmokeconfig/suites/tenant_migration_stepdown_jscore_passthrough.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -234,7 +234,7 @@ executor:
TestData: &TestData
tenantId: "tenantMigrationTenantId"
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/buildscripts/resmokeconfig/suites/tenant_migration_terminate_primary_jscore_passthrough.yml b/buildscripts/resmokeconfig/suites/tenant_migration_terminate_primary_jscore_passthrough.yml
index 778fa24479f..d7024bae704 100644
--- a/buildscripts/resmokeconfig/suites/tenant_migration_terminate_primary_jscore_passthrough.yml
+++ b/buildscripts/resmokeconfig/suites/tenant_migration_terminate_primary_jscore_passthrough.yml
@@ -3,7 +3,7 @@ config_variables:
- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
- &authOptions
authenticationDatabase: admin
- authenticationMechanism: SCRAM-SHA-1
+ authenticationMechanism: SCRAM-SHA-256
password: *keyFileData
username: __system
@@ -234,7 +234,7 @@ executor:
TestData: &TestData
tenantId: "tenantMigrationTenantId"
auth: true
- authMechanism: SCRAM-SHA-1
+ authMechanism: SCRAM-SHA-256
keyFile: *keyFile
keyFileData: *keyFileData
roleGraphInvalidationIsFatal: true
diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js
index aa42042e0ef..b74fa531725 100644
--- a/jstests/auth/auth-counters.js
+++ b/jstests/auth/auth-counters.js
@@ -64,7 +64,7 @@ function assertFailure(creds, mech, db = test) {
}
function assertSuccessInternal() {
- const mech = "SCRAM-SHA-1";
+ const mech = "SCRAM-SHA-256";
// asCluster exiting cleanly indicates successful auth
assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true);
++expected[mech].authenticate.received;
@@ -75,8 +75,11 @@ function assertSuccessInternal() {
assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin);
}
+// Because authutil.asCluster utilizes SCRAM-SHA-256 as a default keyfile mechanism, we will attempt
+// to record this authentication with an invalid keyfile, and then verify that the # of
+// successful attempts made using the fallback (SCRAM-SHA-256) has NOT been incremented
function assertFailureInternal() {
- const mech = "SCRAM-SHA-1";
+ const mech = "SCRAM-SHA-256";
// If asCluster fails, it explodes.
assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]);
++expected[mech].authenticate.received;
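Review bot: The new comment above `assertFailureInternal` calls SCRAM-SHA-256 a "fallback", but `authutil.asCluster` in this same commit passes `mechanism: 'SCRAM-SHA-256'` explicitly, so no negotiation or fallback takes place here and the wording will mislead anyone chasing a counter mismatch. It also says the successful count "has NOT been incremented" while the visible code only bumps `expected[mech].authenticate.received`; the rest of the function, where the successful/failed expectations are presumably adjusted, lies outside this hunk. Suggest `// authutil.asCluster authenticates the keyfile user with an explicit SCRAM-SHA-256; a bad keyfile must count as a received but not successful SCRAM-SHA-256 authentication.`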
diff --git a/jstests/auth/sasl_mechanism_discovery.js b/jstests/auth/sasl_mechanism_discovery.js
index c8ca845d08b..a29af39c608 100644
--- a/jstests/auth/sasl_mechanism_discovery.js
+++ b/jstests/auth/sasl_mechanism_discovery.js
@@ -66,8 +66,8 @@ function runTest(conn) {
checkMechs("admin.\u2168", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);
// __system's mechanisms can be queried on local and admin if the server is in test mode
- checkMechs("local.__system", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);
- checkMechs("admin.__system", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);
+ checkMechs("local.__system", ["SCRAM-SHA-256"]);
+ checkMechs("admin.__system", ["SCRAM-SHA-256"]);
}
// Test standalone.
diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js
index 576f567cc62..c0b8ef6c19a 100644
--- a/jstests/auth/speculative-auth-replset.js
+++ b/jstests/auth/speculative-auth-replset.js
@@ -47,6 +47,7 @@ rst.awaitReplication();
const admin = rst.getPrimary().getDB('admin');
admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
admin.auth('admin', 'pwd');
+
assert.commandWorked(admin.setLogLevel(3, 'accessControl'));
function getMechStats(db) {
@@ -55,8 +56,13 @@ function getMechStats(db) {
}
// Capture statistics after a fresh instantiation of a 1-node replica set.
+// initialMechStats contains stats state for the test setup (e.g. shell authentication) actions
+// that will have incremented the internal counters but are not relevant to the functionality under
+// test
const initialMechStats = getMechStats(admin);
+
printjson(initialMechStats);
+
assert(initialMechStats['SCRAM-SHA-256'] !== undefined);
// We've made no client connections for which speculation was possible,
@@ -66,12 +72,6 @@ Object.keys(initialMechStats).forEach(function(mech) {
const specStats = initialMechStats[mech].speculativeAuthenticate;
const clusterStats = initialMechStats[mech].clusterAuthenticate;
- if (mech === 'SCRAM-SHA-256') {
- // It appears that replication helpers use SCRAM-SHA-1, preventing SCRAM-SHA-256 cluster
- // stats from being incremented during test setup.
- assert.eq(clusterStats.received, 0);
- }
-
// No speculation has occured
assert.eq(specStats.received, 0);
@@ -110,10 +110,19 @@ Object.keys(initialMechStats).forEach(function(mech) {
assert.gt(newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful,
initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
+ // Speculative and cluster auth counts should align with the authentication events in the server
+ // log
const logCounts = countAuthInLog(admin);
+
assert.eq(logCounts.speculative,
newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful);
- assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
+
+ // Subtract the initial mech stats for cluster authentication that were incremented
+ // during test setup, so we can assert on only the "real" cluster authetnication count
+ assert.eq(logCounts.cluster,
+ newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful -
+ initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
+
assert.gt(logCounts.speculativeCluster,
0,
"Expected to observe at least one speculative cluster authentication attempt");
diff --git a/jstests/auth/system_auth_scram_mechs.js b/jstests/auth/system_auth_scram_mechs.js
index 08934385d05..e411a6dda6b 100644
--- a/jstests/auth/system_auth_scram_mechs.js
+++ b/jstests/auth/system_auth_scram_mechs.js
@@ -1,6 +1,5 @@
/**
- * Tests that the __system user can auth using both SCRAM-SHA-1 and SCRAM-SHA-256
- *
+ * Tests that the __system user can auth using SCRAM-SHA-256
* @tags: [requires_replication]
*/
(function() {
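Review bot: The rewritten header documents only the positive case, yet the file now also asserts that SCRAM-SHA-1 is rejected for `__system` (next hunk), and that rejection is the actual behaviour change of this commit. Suggest ` * Tests that the keyfile __system user can auth with SCRAM-SHA-256 and is rejected with SCRAM-SHA-1, which is no longer an internal auth mechanism.`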
@@ -17,8 +16,9 @@ jsTestLog("Testing scram-sha-256");
assert.eq(db.auth({mechanism: 'SCRAM-SHA-256', user: '__system', pwd: keyfileContents}), 1);
db.logout();
+// Test that SCRAM-SHA-1 fails explicitly
jsTestLog("Testing scram-sha-1");
-assert.eq(db.auth({mechanism: 'SCRAM-SHA-1', user: '__system', pwd: keyfileContents}), 1);
+assert.eq(db.auth({mechanism: 'SCRAM-SHA-1', user: '__system', pwd: keyfileContents}), 0);
rs.stopSet();
})();
diff --git a/jstests/auth/system_user_exception.js b/jstests/auth/system_user_exception.js
index 67814119541..78dff98a8a9 100644
--- a/jstests/auth/system_user_exception.js
+++ b/jstests/auth/system_user_exception.js
@@ -7,13 +7,13 @@
var m = MongoRunner.runMongod(
{keyFile: "jstests/libs/key1", setParameter: "authenticationMechanisms=PLAIN"});
-// Verify that it's possible to use SCRAM-SHA-1 to authenticate as the __system@local user
+// Verify that it's possible to use SCRAM-SHA-256 to authenticate as the __system@local user
assert.eq(1,
- m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"}));
+ m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-256"}));
// Verify that it is not possible to authenticate other users
m.getDB("test").runCommand({createUser: "guest", pwd: "guest", roles: jsTest.readOnlyUserRoles});
-assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-1"}));
+assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-256"}));
MongoRunner.stopMongod(m);
})();
diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js
index ce4143d0996..dd8990fdf64 100644
--- a/jstests/ssl/set_parameter_ssl.js
+++ b/jstests/ssl/set_parameter_ssl.js
@@ -69,7 +69,7 @@ function testAuthModeTransition(oldMode, newMode, sslMode, shouldSucceed) {
let authAsKeyFileCluster = function() {
const authParams = {
user: '__system',
- mechanism: 'SCRAM-SHA-1',
+ mechanism: 'SCRAM-SHA-256',
pwd: cat(keyFile).replace(/[\011-\015\040]/g, '')
};
diff --git a/src/mongo/client/authenticate.cpp b/src/mongo/client/authenticate.cpp
index a1b3fd5a649..2c26e03953e 100644
--- a/src/mongo/client/authenticate.cpp
+++ b/src/mongo/client/authenticate.cpp
@@ -277,14 +277,11 @@ Future<void> authenticateInternalClient(
});
}
-BSONObj buildAuthParams(StringData dbname,
- StringData username,
- StringData passwordText,
- bool digestPassword) {
- return BSON(saslCommandMechanismFieldName
- << "SCRAM-SHA-1" << saslCommandUserDBFieldName << dbname << saslCommandUserFieldName
- << username << saslCommandPasswordFieldName << passwordText
- << saslCommandDigestPasswordFieldName << digestPassword);
+BSONObj buildAuthParams(StringData dbname, StringData username, StringData passwordText) {
+
+ return BSON(saslCommandMechanismFieldName << "SCRAM-SHA-256" << saslCommandUserDBFieldName
+ << dbname << saslCommandUserFieldName << username
+ << saslCommandPasswordFieldName << passwordText);
}
StringData getSaslCommandUserDBFieldName() {
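Review bot: `buildAuthParams` now pins SCRAM-SHA-256 with no `saslSupportedMechs` negotiation, so a user whose stored credentials are SCRAM-SHA-1 only will fail through the legacy `DBClientBase::auth(dbname, username, password, errmsg)` path where the old SCRAM-SHA-1 default succeeded; whether `DBClientBase::auth(const BSONObj&)` renegotiates on its own is not visible in this diff. The stray blank line between the signature and the `return` is also out of step with the surrounding code. If that downgrade in reach is intended, say so where the constant is chosen: `// Fixed to SCRAM-SHA-256 (SERVER-46399); no mechanism negotiation here — SHA-1-only users must go through auth(const BSONObj&).`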
diff --git a/src/mongo/client/authenticate.h b/src/mongo/client/authenticate.h
index b5b4876c573..613fcef768e 100644
--- a/src/mongo/client/authenticate.h
+++ b/src/mongo/client/authenticate.h
@@ -160,12 +160,8 @@ Future<void> authenticateInternalClient(
* @dbname: The database target of the auth command.
* @username: The std::string name of the user to authenticate.
* @passwordText: The std::string representing the user's password.
- * @digestPassword: Set to true if the password is undigested.
*/
-BSONObj buildAuthParams(StringData dbname,
- StringData username,
- StringData passwordText,
- bool digestPassword);
+BSONObj buildAuthParams(StringData dbname, StringData username, StringData passwordText);
/**
* Run an isMaster exchange to negotiate a SASL mechanism for authentication.
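Review bot: The header comment drops the `@digestPassword` line but still never says which mechanism the helper requests, and after this commit the answer is a hard-coded SCRAM-SHA-256. Add ` * Always requests SCRAM-SHA-256; no mechanism negotiation is performed, so users holding only SCRAM-SHA-1 credentials cannot authenticate through this helper.` A one-line reason for dropping `digestPassword` would also help — presumably SCRAM-SHA-256 SASLpreps the raw password rather than MD5-digesting it, but the digest code is not in this diff, so confirm before writing that.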
diff --git a/src/mongo/client/dbclient_base.cpp b/src/mongo/client/dbclient_base.cpp
index 69bb443908b..c4b38ddb3e3 100644
--- a/src/mongo/client/dbclient_base.cpp
+++ b/src/mongo/client/dbclient_base.cpp
@@ -416,11 +416,9 @@ void DBClientBase::auth(const BSONObj& params) {
bool DBClientBase::auth(const string& dbname,
const string& username,
const string& password_text,
- string& errmsg,
- bool digestPassword) {
+ string& errmsg) {
try {
- const auto authParams =
- auth::buildAuthParams(dbname, username, password_text, digestPassword);
+ const auto authParams = auth::buildAuthParams(dbname, username, password_text);
auth(authParams);
return true;
} catch (const AssertionException& ex) {
diff --git a/src/mongo/client/dbclient_base.h b/src/mongo/client/dbclient_base.h
index d34bffd34ed..28dda9ada30 100644
--- a/src/mongo/client/dbclient_base.h
+++ b/src/mongo/client/dbclient_base.h
@@ -277,12 +277,10 @@ public:
* of the credential information for the user. May be "$external" if
* credential information is stored outside of the mongo cluster. Mandatory.
* 'pwd': The password data.
- * 'digestPassword': Boolean, set to true if the "pwd" is undigested (default).
* 'serviceName': The GSSAPI service name to use. Defaults to "mongodb".
* 'serviceHostname': The GSSAPI hostname to use. Defaults to the name of the remote host.
*
* Other fields in 'params' are silently ignored.
- *
* Returns normally on success, and throws on error. Throws a DBException with getCode() ==
* ErrorCodes::AuthenticationFailed if authentication is rejected. All other exceptions are
* tantamount to authentication failure, but may also indicate more serious problems.
@@ -296,16 +294,12 @@ public:
* number of databases on a single connection. The "admin" database is special and once
* authenticated provides access to all databases on the server.
*
- * 'digestPassword': If password is plain text, set this to true. otherwise assumed to be
- * pre-digested.
- *
* Returns true if successful.
*/
bool auth(const std::string& dbname,
const std::string& username,
const std::string& pwd,
- std::string& errmsg,
- bool digestPassword = true);
+ std::string& errmsg);
/**
* Logs out the connection for the given database.
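Review bot: The `auth(dbname, username, pwd, errmsg)` overload's comment lost its `digestPassword` paragraph but gained nothing saying what the overload now does, namely delegate to `auth::buildAuthParams`, which in this commit always requests SCRAM-SHA-256. A caller reading only this header cannot tell the mechanism is fixed or which overload to use for another one. Suggest ` * Authenticates with SCRAM-SHA-256 only (via auth::buildAuthParams); use auth(const BSONObj&) to select a different mechanism.`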
diff --git a/src/mongo/db/auth/sasl_mechanism_policies.h b/src/mongo/db/auth/sasl_mechanism_policies.h
index 4e5e6d23382..abd3d4d4036 100644
--- a/src/mongo/db/auth/sasl_mechanism_policies.h
+++ b/src/mongo/db/auth/sasl_mechanism_policies.h
@@ -78,7 +78,7 @@ struct SCRAMSHA1Policy {
return 2;
}
static constexpr bool isInternalAuthMech() {
- return true;
+ return false;
}
};
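Review bot: Flipping `SCRAMSHA1Policy::isInternalAuthMech()` to `false` is the policy change the whole commit hangs on, yet the struct carries no comment, so a future reader will see an unexplained asymmetry with the SHA-256 policy and may "fix" it back. Suggest, directly above the function: `// SERVER-46399: SCRAM-SHA-1 is no longer offered or accepted for intra-cluster (__system) authentication; the keyfile user only receives SCRAM-SHA-256 credentials.`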
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index 2554dd7565e..838e8c6ce02 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -39,7 +39,6 @@
#include "mongo/base/status_with.h"
#include "mongo/client/internal_auth.h"
#include "mongo/crypto/mechanism_scram.h"
-#include "mongo/crypto/sha1_block.h"
#include "mongo/crypto/sha256_block.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/sasl_options.h"
@@ -58,8 +57,7 @@ constexpr size_t kMaxKeyLength = 1024;
class CredentialsGenerator {
public:
explicit CredentialsGenerator(StringData filename)
- : _salt1(scram::Presecrets<SHA1Block>::generateSecureRandomSalt()),
- _salt256(scram::Presecrets<SHA256Block>::generateSecureRandomSalt()),
+ : _salt256(scram::Presecrets<SHA256Block>::generateSecureRandomSalt()),
_filename(filename) {}
boost::optional<User::CredentialData> generate(const std::string& password) {
@@ -87,11 +85,6 @@ public:
(*internalSecurity.getUser())->getName().getUser(), password);
User::CredentialData credentials;
- if (!_copyCredentials(
- credentials.scram_sha1,
- scram::Secrets<SHA1Block>::generateCredentials(
- _salt1, passwordDigest, saslGlobalParams.scramSHA1IterationCount.load())))
- return boost::none;
if (!_copyCredentials(credentials.scram_sha256,
scram::Secrets<SHA256Block>::generateCredentials(
@@ -120,7 +113,6 @@ private:
return true;
}
- const std::vector<uint8_t> _salt1;
const std::vector<uint8_t> _salt256;
const StringData _filename;
};
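Review bot: `CredentialsGenerator::generate` now stores only `scram_sha256` credentials for the keyfile user and leaves `credentials.scram_sha1` empty, so any peer that still opens intra-cluster auth with SCRAM-SHA-1 — an older binary mid rolling-upgrade, or a node started with `authenticationMechanisms=SCRAM-SHA-1` — will be refused by this node. That may be exactly the intent, but nothing in the class says so, and the multiversion suite in this commit having its mechanism commented out suggests the compatibility question is real. Suggest a comment on the constructor: `// Only SCRAM-SHA-256 credentials are generated for the keyfile user; SCRAM-SHA-1 is no longer an internal auth mechanism (SERVER-46399), so peers must offer SHA-256.`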
diff --git a/src/mongo/db/stats/counters.cpp b/src/mongo/db/stats/counters.cpp
index d1a0640315a..9bc37932381 100644
--- a/src/mongo/db/stats/counters.cpp
+++ b/src/mongo/db/stats/counters.cpp
@@ -226,11 +226,9 @@ void AuthCounter::initializeMechanismMap(const std::vector<std::string>& mechani
// Ensure it's always included in counts.
addMechanism(auth::kMechanismMongoX509.toString());
- // SERVER-46399 Use only configured SASL mechanisms for intra-cluster auth.
- // It's possible for intracluster auth to use a default fallback mechanism of SCRAM-SHA-1/256
+ // It's possible for intracluster auth to use a default fallback mechanism of SCRAM-SHA-256
// even if it's not configured to do so.
- // Explicitly add these to the map for now so that they can be incremented if this happens.
- addMechanism(auth::kMechanismScramSha1.toString());
+ // Explicitly add this to the map for now so that they can be incremented if this happens.
addMechanism(auth::kMechanismScramSha256.toString());
}
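Review bot: The rewritten comment says `so that they can be incremented` for what is now a single mechanism, and it dropped the SERVER-46399 reference that tied this fallback registration to a tracked ticket. Suggest `// SERVER-46399: intra-cluster auth may fall back to SCRAM-SHA-256 even when it is not in the configured list; register it so the counter exists if that happens.`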
diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js
index b0318cfef7f..f0ceba8e5d2 100644
--- a/src/mongo/shell/db.js
+++ b/src/mongo/shell/db.js
@@ -5,6 +5,7 @@ var DB;
(function() {
var _defaultWriteConcern = {w: 'majority', wtimeout: 10 * 60 * 1000};
+const kWireVersionSupportingScramSha256Fallback = 15;
if (DB === undefined) {
DB = function(mongo, name) {
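Review bot: `kWireVersionSupportingScramSha256Fallback = 15` is a bare magic number; nothing says which server release introduced wire version 15 or why it is the threshold, so the next bump will be guesswork. Presumably it is the first wire version whose servers no longer hold SCRAM-SHA-1 credentials for `__system`, but confirm that and record it: `// Lowest maxWireVersion at which the shell defaults to SCRAM-SHA-256 when no mechanism is negotiated (SERVER-46399); older servers keep the SCRAM-SHA-1 default.`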
@@ -1403,10 +1404,17 @@ DB.prototype.__pwHash = function(nonce, username, pass) {
DB.prototype._defaultAuthenticationMechanism = null;
+function _fallbackToScramSha256(helloResult) {
+ return helloResult && isNumber(helloResult.maxWireVersion) &&
+ helloResult.maxWireVersion >= kWireVersionSupportingScramSha256Fallback;
+}
+
DB.prototype._getDefaultAuthenticationMechanism = function(username, database) {
+ let result = null;
if (username !== undefined) {
const userid = database + "." + username;
- const result = this._helloOrLegacyHello({saslSupportedMechs: userid});
+ result = this._helloOrLegacyHello({saslSupportedMechs: userid});
+
if (result.ok && (result.saslSupportedMechs !== undefined)) {
const mechs = result.saslSupportedMechs;
if (!Array.isArray(mechs)) {
@@ -1428,14 +1436,18 @@ DB.prototype._getDefaultAuthenticationMechanism = function(username, database) {
}
// If isMaster doesn't support saslSupportedMechs,
// or if we couldn't agree on a mechanism,
- // then fallthrough to configured default or SCRAM-SHA-1.
+ // then fall through to a default mech, either
+ // configured or implicit based on the wire version
}
// Use the default auth mechanism if set on the command line.
- if (this._defaultAuthenticationMechanism != null)
+ if (this._defaultAuthenticationMechanism != null) {
return this._defaultAuthenticationMechanism;
+ }
- return "SCRAM-SHA-1";
+ // for later wire versions, we prefer (or require) SCRAM-SHA-256
+ // if a fallback is required
+ return _fallbackToScramSha256(result) ? "SCRAM-SHA-256" : "SCRAM-SHA-1";
};
DB.prototype._defaultGssapiServiceName = null;
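Review bot: When `username` is undefined no hello is issued, `result` stays `null`, `_fallbackToScramSha256(null)` is false, and this path always returns SCRAM-SHA-1 regardless of server version, contradicting the new comment `for later wire versions, we prefer (or require) SCRAM-SHA-256`. If that path can reach a server holding only SCRAM-SHA-256 credentials for the target user (the keyfile `__system` user after this commit), authentication fails with a mechanism error rather than a credential error. Issuing a plain hello in that case closes the gap — an `} else { result = this._helloOrLegacyHello({}); }` on the `if (username !== undefined)` in the previous hunk, if `_helloOrLegacyHello` accepts an empty document — or at least note the limitation next to the final return. `_getDefaultAuthenticationMechanism` begins in the previous hunk.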
diff --git a/src/mongo/shell/servers.js b/src/mongo/shell/servers.js
index 7712e9dd30f..b40131a6425 100644
--- a/src/mongo/shell/servers.js
+++ b/src/mongo/shell/servers.js
@@ -1290,7 +1290,7 @@ function appendSetParameterArgs(argArray) {
}
}
- if (jsTest.options().authMechanism && jsTest.options().authMechanism != "SCRAM-SHA-1") {
+ if (jsTest.options().authMechanism && jsTest.options().authMechanism != "SCRAM-SHA-256") {
if (!argArrayContainsSetParameterValue('authenticationMechanisms=')) {
argArray.push(...['--setParameter',
"authenticationMechanisms=" + jsTest.options().authMechanism]);
diff --git a/src/mongo/shell/utils_auth.js b/src/mongo/shell/utils_auth.js
index 9ad340e950b..e913e0453ed 100644
--- a/src/mongo/shell/utils_auth.js
+++ b/src/mongo/shell/utils_auth.js
@@ -114,7 +114,7 @@ authutil.asCluster = function(conn, keyfile, action) {
authutil.assertAuthenticate(conn, 'admin', {
user: '__system',
- mechanism: 'SCRAM-SHA-1',
+ mechanism: 'SCRAM-SHA-256',
pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
});
} else if (authMode === 'x509' || authMode === 'sendX509') {