authorSpencer Jackson <spencer.jackson@mongodb.com>2017-06-28 21:37:04 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2017-08-03 10:51:31 -0400
commit07d4d94b06c6899699410312e20ef33d954ddbd1 (patch)
treeeeb693452aa27166877723fa5611e2043cdb5337 /src/mongo/db/auth
parent2b3668af0fc86f1b7b210fc7ca3571b8436a0fba (diff)
downloadmongo-07d4d94b06c6899699410312e20ef33d954ddbd1.tar.gz
SERVER-29915: Respect "y" in gs2-cbind-flag in SCRAM
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r--src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp6
-rw-r--r--src/mongo/db/auth/sasl_scramsha1_test.cpp69
2 files changed, 73 insertions, 2 deletions
diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
index 80b605b02ec..5ade83dc708 100644
--- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
@@ -123,7 +123,11 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_firstStep(std::vector<string>
<< "Incorrect number of arguments for first SCRAM-SHA-1 client message, got "
<< input.size()
<< " expected 4");
- } else if (input[0] != "n") {
+ } else if (str::startsWith(input[0], "p=")) {
+ return StatusWith<bool>(ErrorCodes::BadValue,
+ mongoutils::str::stream()
+ << "Server does not support channel binding");
+ } else if (input[0] != "n" && input[0] != "y") {
return StatusWith<bool>(ErrorCodes::BadValue,
mongoutils::str::stream()
<< "Incorrect SCRAM-SHA-1 client message prefix: "
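Review bot: Accepting `y` here without retaining it means the final step has no way to verify that the `c=` attribute of the client-final-message encodes the gs2-header the client actually sent, which RFC 5802 §5.1 requires and which is what lets a client detect a channel-binding downgrade. The new test testSCRAMWithChannelBindingSupportedByClient rewrites only the first message yet expects goalState, which suggests (inferred — the final step is not in this hunk) that the server still accepts a `c=` value derived from `n,,` after a `y` first message. Consider keeping the accepted flag in the conversation state, e.g. a member such as `_clientGs2Flag = input[0];` (name to be chosen), and rejecting the final message when the base64-decoded `c=` value does not begin with that flag. The `p=` rejection above is right for a server without channel-binding support, but a short why-comment would help, e.g. `// RFC 5802: "p=" requests channel binding, which this server does not implement; "y" only signals client support and is accepted.` _firstStep begins and ends outside this hunk.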
diff --git a/src/mongo/db/auth/sasl_scramsha1_test.cpp b/src/mongo/db/auth/sasl_scramsha1_test.cpp
index 49d3d6a27c0..66173c384c6 100644
--- a/src/mongo/db/auth/sasl_scramsha1_test.cpp
+++ b/src/mongo/db/auth/sasl_scramsha1_test.cpp
@@ -192,8 +192,8 @@ SCRAMStepsResult runSteps(NativeSaslAuthenticationSession* saslServerSession,
if (result.status != Status::OK()) {
return result;
}
- std::cout << result.outcome.toString() << ": " << clientOutput << std::endl;
interposers.execute(result.outcome, clientOutput);
+ std::cout << result.outcome.toString() << ": " << clientOutput << std::endl;
result.outcome.next();
// Server step
@@ -381,6 +381,73 @@ TEST_F(SCRAMSHA1Fixture, testSCRAM) {
ASSERT_EQ(goalState, runSteps(saslServerSession.get(), saslClientSession.get()));
}
+TEST_F(SCRAMSHA1Fixture, testSCRAMWithChannelBindingSupportedByClient) {
+ authzManagerExternalState
+ ->insertPrivilegeDocument(
+ opCtx.get(), generateSCRAMUserDocument("sajack", "sajack"), BSONObj())
+ .transitional_ignore();
+
+ saslClientSession->setParameter(NativeSaslClientSession::parameterUser, "sajack");
+ saslClientSession->setParameter(NativeSaslClientSession::parameterPassword,
+ createPasswordDigest("sajack", "sajack"));
+
+ ASSERT_OK(saslClientSession->initialize());
+
+ SCRAMMutators mutator;
+ mutator.setMutator(SaslTestState(SaslTestState::kClient, 1), [](std::string& clientMessage) {
+ clientMessage.replace(clientMessage.begin(), clientMessage.begin() + 1, "y");
+ });
+
+ ASSERT_EQ(goalState, runSteps(saslServerSession.get(), saslClientSession.get(), mutator));
+}
+
+TEST_F(SCRAMSHA1Fixture, testSCRAMWithChannelBindingRequiredByClient) {
+ authzManagerExternalState
+ ->insertPrivilegeDocument(
+ opCtx.get(), generateSCRAMUserDocument("sajack", "sajack"), BSONObj())
+ .transitional_ignore();
+
+ saslClientSession->setParameter(NativeSaslClientSession::parameterUser, "sajack");
+ saslClientSession->setParameter(NativeSaslClientSession::parameterPassword,
+ createPasswordDigest("sajack", "sajack"));
+
+ ASSERT_OK(saslClientSession->initialize());
+
+ SCRAMMutators mutator;
+ mutator.setMutator(SaslTestState(SaslTestState::kClient, 1), [](std::string& clientMessage) {
+ clientMessage.replace(clientMessage.begin(), clientMessage.begin() + 1, "p=tls-unique");
+ });
+
+ ASSERT_EQ(
+ SCRAMStepsResult(SaslTestState(SaslTestState::kServer, 1),
+ Status(ErrorCodes::BadValue, "Server does not support channel binding")),
+ runSteps(saslServerSession.get(), saslClientSession.get(), mutator));
+}
+
+TEST_F(SCRAMSHA1Fixture, testSCRAMWithInvalidChannelBinding) {
+ authzManagerExternalState
+ ->insertPrivilegeDocument(
+ opCtx.get(), generateSCRAMUserDocument("sajack", "sajack"), BSONObj())
+ .transitional_ignore();
+
+ saslClientSession->setParameter(NativeSaslClientSession::parameterUser, "sajack");
+ saslClientSession->setParameter(NativeSaslClientSession::parameterPassword,
+ createPasswordDigest("sajack", "sajack"));
+
+ ASSERT_OK(saslClientSession->initialize());
+
+ SCRAMMutators mutator;
+ mutator.setMutator(SaslTestState(SaslTestState::kClient, 1), [](std::string& clientMessage) {
+ clientMessage.replace(clientMessage.begin(), clientMessage.begin() + 1, "v=illegalGarbage");
+ });
+
+ ASSERT_EQ(
+ SCRAMStepsResult(SaslTestState(SaslTestState::kServer, 1),
+ Status(ErrorCodes::BadValue,
+ "Incorrect SCRAM-SHA-1 client message prefix: v=illegalGarbage")),
+ runSteps(saslServerSession.get(), saslClientSession.get(), mutator));
+}
+
TEST_F(SCRAMSHA1Fixture, testNULLInPassword) {
authzManagerExternalState
->insertPrivilegeDocument(