  1. C Driver
  2. CDRIVER-2449

Session ID is included in authenticate command


Details

    • Bug
    • Resolution: Fixed
    • Major - P3
    • 1.9.1
    • 1.9.0
    • auth, libmongoc
    • None

    Description

      While investigating X509 auth failures for PHPC-1077, I noticed that libmongoc appears to be appending session IDs to authenticate commands, which directly conflicts with the driver sessions specification. Consider the following trace:

      [2018-01-04T15:45:01.441140+00:00]    cluster: TRACE   > ENTRY: _mongoc_cluster_auth_node():1262
      [2018-01-04T15:45:01.441156+00:00]    cluster: TRACE   > TRACE: _mongoc_cluster_auth_node_x509():1024 X509: got username from URI
      [2018-01-04T15:45:01.441174+00:00]     mongoc: TRACE   > ENTRY: mongoc_server_description_handle_ismaster():493
      [2018-01-04T15:45:01.441191+00:00]     mongoc: TRACE   >  EXIT: mongoc_server_description_handle_ismaster():654
      [2018-01-04T15:45:01.441205+00:00]     mongoc: TRACE   > ENTRY: mongoc_cmd_parts_assemble():564
      [2018-01-04T15:45:01.441216+00:00]     mongoc: TRACE   > TRACE: mongoc_cmd_parts_assemble():592 Preparing 'authenticate'
      [2018-01-04T15:45:01.441240+00:00]     client: TRACE   > ENTRY: mongoc_client_start_session():1150
      [2018-01-04T15:45:01.441252+00:00]     mongoc: TRACE   > ENTRY: _mongoc_topology_pop_server_session():1288
      [2018-01-04T15:45:01.441263+00:00]     mongoc: TRACE   > ENTRY: _mongoc_server_session_new():222
      [2018-01-04T15:45:01.441289+00:00]     mongoc: TRACE   >  EXIT: _mongoc_server_session_new():240
      [2018-01-04T15:45:01.441310+00:00]     mongoc: TRACE   >  EXIT: _mongoc_topology_pop_server_session():1335
      [2018-01-04T15:45:01.441322+00:00]     mongoc: TRACE   > ENTRY: _mongoc_client_session_new():291
      [2018-01-04T15:45:01.441330+00:00]     mongoc: TRACE   >  EXIT: _mongoc_client_session_new():308
      [2018-01-04T15:45:01.441339+00:00]     client: TRACE   >  EXIT: mongoc_client_start_session():1168
      [2018-01-04T15:45:01.441352+00:00]     mongoc: TRACE   >  EXIT: mongoc_cmd_parts_assemble():704
      [2018-01-04T15:45:01.441369+00:00]     stream: TRACE   > ENTRY: _mongoc_stream_writev_full():502
      [2018-01-04T15:45:01.441378+00:00]     stream: TRACE   > ENTRY: mongoc_stream_writev():150
      [2018-01-04T15:45:01.441389+00:00]     stream: TRACE   > TRACE: mongoc_stream_writev():162 writev = 0x25ce4b0 [7]
      [2018-01-04T15:45:01.441416+00:00]     stream: TRACE   > 00000:  fd 00 00 00 01 00 00 00  00 00 00 00 dd 07 00 00  . . . . . . . .  . . . . . . . .
      [2018-01-04T15:45:01.441443+00:00]     stream: TRACE   > 00010:  00 00 00 00 00 e8 00 00  00 10 61 75 74 68 65 6e  . . . . . . . .  . . a u t h e n
      [2018-01-04T15:45:01.441471+00:00]     stream: TRACE   > 00020:  74 69 63 61 74 65 00 01  00 00 00 02 6d 65 63 68  t i c a t e . .  . . . . m e c h
      [2018-01-04T15:45:01.441499+00:00]     stream: TRACE   > 00030:  61 6e 69 73 6d 00 0d 00  00 00 4d 4f 4e 47 4f 44  a n i s m . . .  . . M O N G O D
      [2018-01-04T15:45:01.441527+00:00]     stream: TRACE   > 00040:  42 2d 58 35 30 39 00 02  75 73 65 72 00 43 00 00  B - X 5 0 9 . .  u s e r . C . .
      [2018-01-04T15:45:01.441555+00:00]     stream: TRACE   > 00050:  00 43 3d 55 53 2c 53 54  3d 4e 65 77 20 59 6f 72  . C = U S , S T  = N e w   Y o r
      [2018-01-04T15:45:01.441583+00:00]     stream: TRACE   > 00060:  6b 2c 4c 3d 4e 65 77 20  59 6f 72 6b 20 43 69 74  k , L = N e w    Y o r k   C i t
      [2018-01-04T15:45:01.441611+00:00]     stream: TRACE   > 00070:  79 2c 4f 3d 4d 6f 6e 67  6f 44 42 2c 4f 55 3d 4b  y , O = M o n g  o D B , O U = K
      [2018-01-04T15:45:01.441639+00:00]     stream: TRACE   > 00080:  65 72 6e 65 6c 55 73 65  72 2c 43 4e 3d 63 6c 69  e r n e l U s e  r , C N = c l i
      [2018-01-04T15:45:01.441663+00:00]     stream: TRACE   > 00090:  65 6e 74 00 02 24 64 62  00 0a 00 00 00 24 65 78  e n t . . $ d b  . . . . . $ e x
      [2018-01-04T15:45:01.441691+00:00]     stream: TRACE   > 000a0:  74 65 72 6e 61 6c 00 03  24 72 65 61 64 50 72 65  t e r n a l . .  $ r e a d P r e
      [2018-01-04T15:45:01.441717+00:00]     stream: TRACE   > 000b0:  66 65 72 65 6e 63 65 00  20 00 00 00 02 6d 6f 64  f e r e n c e .    . . . . m o d
      [2018-01-04T15:45:01.441742+00:00]     stream: TRACE   > 000c0:  65 00 11 00 00 00 70 72  69 6d 61 72 79 50 72 65  e . . . . . p r  i m a r y P r e
      [2018-01-04T15:45:01.441768+00:00]     stream: TRACE   > 000d0:  66 65 72 72 65 64 00 00  03 6c 73 69 64 00 1e 00  f e r r e d . .  . l s i d . . .
      [2018-01-04T15:45:01.441790+00:00]     stream: TRACE   > 000e0:  00 00 05 69 64 00 10 00  00 00 04 29 81 0f ea 8a  . . . i d . . .  . . . ) . . . .
      [2018-01-04T15:45:01.441810+00:00]     stream: TRACE   > 000f0:  b1 4c ab a4 d8 4d d0 a5  ac 13 6a 00 00           . L . . . M . .  . . j . .
      

      This causes X509 authentication to fail with a "there are no users authenticated" error message:

      [2018-01-04T15:45:01.472077+00:00]     stream: TRACE   > TRACE: mongoc_stream_readv():237 readv = 0x7ffd0d23c9c0 [1]
      [2018-01-04T15:45:01.472097+00:00]     stream: TRACE   > 00000:  4b 00 00 00 01 00 00 00  dd 07 00 00 00 00 00 00  K . . . . . . .  . . . . . . . .
      [2018-01-04T15:45:01.472117+00:00]     stream: TRACE   > 00010:  00 63 00 00 00 01 6f 6b  00 00 00 00 00 00 00 00  . c . . . . o k  . . . . . . . .
      [2018-01-04T15:45:01.472139+00:00]     stream: TRACE   > 00020:  00 02 65 72 72 6d 73 67  00 21 00 00 00 74 68 65  . . e r r m s g  . ! . . . t h e
      [2018-01-04T15:45:01.472162+00:00]     stream: TRACE   > 00030:  72 65 20 61 72 65 20 6e  6f 20 75 73 65 72 73 20  r e   a r e   n  o   u s e r s  
      [2018-01-04T15:45:01.472184+00:00]     stream: TRACE   > 00040:  61 75 74 68 65 6e 74 69  63 61 74 65 64 00 10 63  a u t h e n t i  c a t e d . . c
      [2018-01-04T15:45:01.472205+00:00]     stream: TRACE   > 00050:  6f 64 65 00 0d 00 00 00  02 63 6f 64 65 4e 61 6d  o d e . . . . .  . c o d e N a m
      [2018-01-04T15:45:01.472227+00:00]     stream: TRACE   > 00060:  65 00 0d 00 00 00 55 6e  61 75 74 68 6f 72 69 7a  e . . . . . U n  a u t h o r i z
      [2018-01-04T15:45:01.472239+00:00]     stream: TRACE   > 00070:  65 64 00 00                                       e d . .
      

      Modifying _mongoc_cluster_auth_node_x509() to prohibit addition of an lsid field does appear to solve the issue. I'm at a loss for why the problem manifests itself this way, or why other authentication mechanisms in our test suite did not appear to be affected by this issue.
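As an added example (not part of the original report and not libmongoc code), this C check walks the top-level BSON keys of an OP_MSG body and reports whether an authenticate command carries an lsid element, the condition visible at offset 0xd8 of the first dump above. The function names and the sample message are constructed for illustration, and the check assumes the kind-0 body is the first section, as in the trace.

```c
#include <stdint.h>
#include <string.h>

static uint32_t le32(const uint8_t *p) { /* little-endian int32, as BSON and OP_MSG use */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Encoded size of a BSON value of `type` at p (`left` bytes remain); -1 if not handled. */
static long long value_len(uint8_t type, const uint8_t *p, size_t left) {
    uint32_t n = left >= 4 ? le32(p) : UINT32_MAX; /* length prefix, if one fits */
    switch (type) {
    case 0x01: case 0x09: case 0x11: case 0x12: return 8; /* double, date, timestamp, int64 */
    case 0x07: return 12; case 0x10: return 4;            /* ObjectId, int32 */
    case 0x08: return 1;  case 0x0a: return 0;            /* bool, null */
    case 0x02: return 4LL + n;                            /* string: prefix + bytes with NUL */
    case 0x03: case 0x04: return n;                       /* document, array: length counts itself */
    case 0x05: return 5LL + n;                            /* binary: prefix + subtype + payload */
    default: return -1;
    }
}

/* Hypothetical check: 1 = authenticate carries lsid, 0 = it does not (or another command),
 * -1 = malformed. Assumes the kind-0 body is the first section, as in the trace above. */
int authenticate_has_lsid(const uint8_t *msg, size_t len) {
    if (len < 26 || le32(msg) != len || le32(msg + 12) != 2013 || msg[20] != 0) return -1;
    const uint8_t *doc = msg + 21;      /* 16-byte header + flagBits + section kind */
    size_t dlen = le32(doc), pos = 4;
    if (dlen < 5 || dlen > len - 21 || doc[dlen - 1] != 0) return -1;
    if (dlen < 6 || strcmp((const char *)doc + 5, "authenticate") != 0) return 0;
    while (pos < dlen - 1) {            /* walk top-level elements up to the terminator */
        uint8_t type = doc[pos++];
        const char *key = (const char *)doc + pos;
        const uint8_t *nul = memchr(key, 0, dlen - pos);
        if (!nul || nul == doc + dlen - 1) return -1;
        pos = (size_t)(nul - doc) + 1;
        long long vlen = value_len(type, doc + pos, dlen - 1 - pos);
        if (vlen < 0 || (unsigned long long)vlen > dlen - 1 - pos) return -1;
        if (strcmp(key, "lsid") == 0) return 1;
        pos += (size_t)vlen;
    }
    return 0;
}

/* Constructed sample, not the trace bytes; main() exits 0 when it is flagged. Body:
 * {authenticate: 1, mechanism: "MONGODB-X509", $db: "$external", lsid: {id: <UUID>}} */
static const uint8_t SAMPLE[] =
    "\x7f\0\0\0" "\x01\0\0\0" "\0\0\0\0" "\xdd\x07\0\0" "\0\0\0\0" "\0" "\x6a\0\0\0"
    "\x10" "authenticate\0\x01\0\0\0" "\x02" "mechanism\0\x0d\0\0\0" "MONGODB-X509\0"
    "\x02" "$db\0\x0a\0\0\0" "$external\0" "\x03" "lsid\0\x1e\0\0\0" "\x05" "id\0\x10\0\0\0\x04"
    "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff\0" "\0";
int main(void) { return authenticate_has_lsid(SAMPLE, sizeof SAMPLE - 1) != 1; }
```

Only top-level keys are compared, so an lsid nested inside another document is not reported.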

          People

            jmikola@mongodb.com Jeremy Mikola