diff options
Diffstat (limited to 'src/mongo/shell/db.js')
-rw-r--r-- | src/mongo/shell/db.js | 37 |
1 files changed, 30 insertions, 7 deletions
diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js index ca0048c301a..4493b2a1192 100644 --- a/src/mongo/shell/db.js +++ b/src/mongo/shell/db.js @@ -544,9 +544,10 @@ var DB; } if (!mechanism) { - mechanism = this._getDefaultAuthenticationMechanism(); + mechanism = this._getDefaultAuthenticationMechanism(username, fromdb); } - assert(mechanism == "SCRAM-SHA-1" || mechanism == "MONGODB-CR"); + assert(mechanism == "SCRAM-SHA-1" || mechanism == "SCRAM-SHA-256" || + mechanism == "MONGODB-CR"); // Check for no auth or copying from localhost if (!username || !password || fromhost == "") { @@ -554,8 +555,8 @@ var DB; {copydb: 1, fromhost: fromhost, fromdb: fromdb, todb: todb, slaveOk: slaveOk}); } - // Use the copyDatabase native helper for SCRAM-SHA-1 - if (mechanism == "SCRAM-SHA-1") { + // Use the copyDatabase native helper for SCRAM-SHA-1/256 + if (mechanism != "MONGODB-CR") { // TODO SERVER-30886: Add session support for Mongo.prototype.copyDatabaseWithSCRAM(). return this.getMongo().copyDatabaseWithSCRAM( fromdb, todb, fromhost, username, password, slaveOk); @@ -1563,7 +1564,28 @@ var DB; DB.prototype._defaultAuthenticationMechanism = null; - DB.prototype._getDefaultAuthenticationMechanism = function() { + DB.prototype._getDefaultAuthenticationMechanism = function(username, database) { + if (username !== undefined) { + const userid = database + "." + username; + const result = this.runCommand({isMaster: 1, saslSupportedMechs: userid}); + if (result.ok && (result.saslSupportedMechs !== undefined)) { + const mechs = result.saslSupportedMechs; + if (!Array.isArray(mechs)) { + throw Error("Server replied with invalid saslSupportedMechs response"); + } + // Never include PLAIN in auto-negotiation. + const priority = ["GSSAPI", "SCRAM-SHA-256", "SCRAM-SHA-1"]; + for (var i = 0; i < priority.length; ++i) { + if (mechs.includes(priority[i])) { + return priority[i]; + } + } + } + // If isMaster doesn't support saslSupportedMechs, + // or if we couldn't agree on a mechanism, + // then fallthrough to configured default or SCRAM-SHA-1. + } + // Use the default auth mechanism if set on the command line. if (this._defaultAuthenticationMechanism != null) return this._defaultAuthenticationMechanism; @@ -1586,8 +1608,9 @@ var DB; "auth expects either (username, password) or ({ user: username, pwd: password })"); } - if (params.mechanism === undefined) - params.mechanism = this._getDefaultAuthenticationMechanism(); + if (params.mechanism === undefined) { + params.mechanism = this._getDefaultAuthenticationMechanism(params.user, this.getName()); + } if (params.db !== undefined) { throw Error("Do not override db field on db.auth(). Use getMongo().auth(), instead."); |