[CDRIVER-2449] Session ID is included in authenticate command Created: 04/Jan/18  Updated: 28/Oct/23  Resolved: 04/Jan/18

Status: Closed
Project: C Driver
Component/s: auth, libmongoc
Affects Version/s: 1.9.0
Fix Version/s: 1.9.1

Type: Bug Priority: Major - P3
Reporter: Jeremy Mikola Assignee: Jeremy Mikola
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PHPC-1077 Fix X509 test failures with libmongoc... Closed
Problem/Incident
causes CDRIVER-2506 getMore doesn't always use same impli... Closed
is caused by CDRIVER-2192 Implement Driver Sessions API Closed
Related
related to CDRIVER-3728 GSSAPI auth commands must not use imp... Closed

 Description   

While investigating X509 auth failures for PHPC-1077, I noticed that libmongoc appears to be appending session IDs to authenticate commands, which directly conflicts with the driver sessions specification. Consider the following trace:

[2018-01-04T15:45:01.441140+00:00]    cluster: TRACE   > ENTRY: _mongoc_cluster_auth_node():1262
[2018-01-04T15:45:01.441156+00:00]    cluster: TRACE   > TRACE: _mongoc_cluster_auth_node_x509():1024 X509: got username from URI
[2018-01-04T15:45:01.441174+00:00]     mongoc: TRACE   > ENTRY: mongoc_server_description_handle_ismaster():493
[2018-01-04T15:45:01.441191+00:00]     mongoc: TRACE   >  EXIT: mongoc_server_description_handle_ismaster():654
[2018-01-04T15:45:01.441205+00:00]     mongoc: TRACE   > ENTRY: mongoc_cmd_parts_assemble():564
[2018-01-04T15:45:01.441216+00:00]     mongoc: TRACE   > TRACE: mongoc_cmd_parts_assemble():592 Preparing 'authenticate'
[2018-01-04T15:45:01.441240+00:00]     client: TRACE   > ENTRY: mongoc_client_start_session():1150
[2018-01-04T15:45:01.441252+00:00]     mongoc: TRACE   > ENTRY: _mongoc_topology_pop_server_session():1288
[2018-01-04T15:45:01.441263+00:00]     mongoc: TRACE   > ENTRY: _mongoc_server_session_new():222
[2018-01-04T15:45:01.441289+00:00]     mongoc: TRACE   >  EXIT: _mongoc_server_session_new():240
[2018-01-04T15:45:01.441310+00:00]     mongoc: TRACE   >  EXIT: _mongoc_topology_pop_server_session():1335
[2018-01-04T15:45:01.441322+00:00]     mongoc: TRACE   > ENTRY: _mongoc_client_session_new():291
[2018-01-04T15:45:01.441330+00:00]     mongoc: TRACE   >  EXIT: _mongoc_client_session_new():308
[2018-01-04T15:45:01.441339+00:00]     client: TRACE   >  EXIT: mongoc_client_start_session():1168
[2018-01-04T15:45:01.441352+00:00]     mongoc: TRACE   >  EXIT: mongoc_cmd_parts_assemble():704
[2018-01-04T15:45:01.441369+00:00]     stream: TRACE   > ENTRY: _mongoc_stream_writev_full():502
[2018-01-04T15:45:01.441378+00:00]     stream: TRACE   > ENTRY: mongoc_stream_writev():150
[2018-01-04T15:45:01.441389+00:00]     stream: TRACE   > TRACE: mongoc_stream_writev():162 writev = 0x25ce4b0 [7]
[2018-01-04T15:45:01.441416+00:00]     stream: TRACE   > 00000:  fd 00 00 00 01 00 00 00  00 00 00 00 dd 07 00 00  . . . . . . . .  . . . . . . . .
[2018-01-04T15:45:01.441443+00:00]     stream: TRACE   > 00010:  00 00 00 00 00 e8 00 00  00 10 61 75 74 68 65 6e  . . . . . . . .  . . a u t h e n
[2018-01-04T15:45:01.441471+00:00]     stream: TRACE   > 00020:  74 69 63 61 74 65 00 01  00 00 00 02 6d 65 63 68  t i c a t e . .  . . . . m e c h
[2018-01-04T15:45:01.441499+00:00]     stream: TRACE   > 00030:  61 6e 69 73 6d 00 0d 00  00 00 4d 4f 4e 47 4f 44  a n i s m . . .  . . M O N G O D
[2018-01-04T15:45:01.441527+00:00]     stream: TRACE   > 00040:  42 2d 58 35 30 39 00 02  75 73 65 72 00 43 00 00  B - X 5 0 9 . .  u s e r . C . .
[2018-01-04T15:45:01.441555+00:00]     stream: TRACE   > 00050:  00 43 3d 55 53 2c 53 54  3d 4e 65 77 20 59 6f 72  . C = U S , S T  = N e w   Y o r
[2018-01-04T15:45:01.441583+00:00]     stream: TRACE   > 00060:  6b 2c 4c 3d 4e 65 77 20  59 6f 72 6b 20 43 69 74  k , L = N e w    Y o r k   C i t
[2018-01-04T15:45:01.441611+00:00]     stream: TRACE   > 00070:  79 2c 4f 3d 4d 6f 6e 67  6f 44 42 2c 4f 55 3d 4b  y , O = M o n g  o D B , O U = K
[2018-01-04T15:45:01.441639+00:00]     stream: TRACE   > 00080:  65 72 6e 65 6c 55 73 65  72 2c 43 4e 3d 63 6c 69  e r n e l U s e  r , C N = c l i
[2018-01-04T15:45:01.441663+00:00]     stream: TRACE   > 00090:  65 6e 74 00 02 24 64 62  00 0a 00 00 00 24 65 78  e n t . . $ d b  . . . . . $ e x
[2018-01-04T15:45:01.441691+00:00]     stream: TRACE   > 000a0:  74 65 72 6e 61 6c 00 03  24 72 65 61 64 50 72 65  t e r n a l . .  $ r e a d P r e
[2018-01-04T15:45:01.441717+00:00]     stream: TRACE   > 000b0:  66 65 72 65 6e 63 65 00  20 00 00 00 02 6d 6f 64  f e r e n c e .    . . . . m o d
[2018-01-04T15:45:01.441742+00:00]     stream: TRACE   > 000c0:  65 00 11 00 00 00 70 72  69 6d 61 72 79 50 72 65  e . . . . . p r  i m a r y P r e
[2018-01-04T15:45:01.441768+00:00]     stream: TRACE   > 000d0:  66 65 72 72 65 64 00 00  03 6c 73 69 64 00 1e 00  f e r r e d . .  . l s i d . . .
[2018-01-04T15:45:01.441790+00:00]     stream: TRACE   > 000e0:  00 00 05 69 64 00 10 00  00 00 04 29 81 0f ea 8a  . . . i d . . .  . . . ) . . . .
[2018-01-04T15:45:01.441810+00:00]     stream: TRACE   > 000f0:  b1 4c ab a4 d8 4d d0 a5  ac 13 6a 00 00           . L . . . M . .  . . j . .

This causes X509 authentication to fail with a "there are no users authenticated" error message:

[2018-01-04T15:45:01.472077+00:00]     stream: TRACE   > TRACE: mongoc_stream_readv():237 readv = 0x7ffd0d23c9c0 [1]
[2018-01-04T15:45:01.472097+00:00]     stream: TRACE   > 00000:  4b 00 00 00 01 00 00 00  dd 07 00 00 00 00 00 00  K . . . . . . .  . . . . . . . .
[2018-01-04T15:45:01.472117+00:00]     stream: TRACE   > 00010:  00 63 00 00 00 01 6f 6b  00 00 00 00 00 00 00 00  . c . . . . o k  . . . . . . . .
[2018-01-04T15:45:01.472139+00:00]     stream: TRACE   > 00020:  00 02 65 72 72 6d 73 67  00 21 00 00 00 74 68 65  . . e r r m s g  . ! . . . t h e
[2018-01-04T15:45:01.472162+00:00]     stream: TRACE   > 00030:  72 65 20 61 72 65 20 6e  6f 20 75 73 65 72 73 20  r e   a r e   n  o   u s e r s  
[2018-01-04T15:45:01.472184+00:00]     stream: TRACE   > 00040:  61 75 74 68 65 6e 74 69  63 61 74 65 64 00 10 63  a u t h e n t i  c a t e d . . c
[2018-01-04T15:45:01.472205+00:00]     stream: TRACE   > 00050:  6f 64 65 00 0d 00 00 00  02 63 6f 64 65 4e 61 6d  o d e . . . . .  . c o d e N a m
[2018-01-04T15:45:01.472227+00:00]     stream: TRACE   > 00060:  65 00 0d 00 00 00 55 6e  61 75 74 68 6f 72 69 7a  e . . . . . U n  a u t h o r i z
[2018-01-04T15:45:01.472239+00:00]     stream: TRACE   > 00070:  65 64 00 00                                       e d . .

Modifying _mongoc_cluster_auth_node_x509() to prohibit addition of an lsid field does appear to solve the issue. I'm at a loss for why the problem manifests itself this way, or why other authentication mechanisms in our test suite did not appear to be affected by this issue.



 Comments   
Comment by Githook User [ 12/Jan/18 ]

Author:

{'username': 'jmikola', 'email': 'jmikola@gmail.com', 'name': 'Jeremy Mikola'}

Message: CDRIVER-2449 omit lsid from auth and monitoring commands
Branch: debian
https://github.com/mongodb/mongo-c-driver/commit/f0e1ea8401802fec55e3ff5923807c1f317856bd

Comment by Githook User [ 12/Jan/18 ]

Author:

{'email': 'jmikola@gmail.com', 'name': 'Jeremy Mikola', 'username': 'jmikola'}

Message: CDRIVER-2449 omit lsid from auth and monitoring commands
Branch: r1.9-dfsg
https://github.com/mongodb/mongo-c-driver/commit/f0e1ea8401802fec55e3ff5923807c1f317856bd

Comment by Githook User [ 04/Jan/18 ]

Author:

{'name': 'Jeremy Mikola', 'username': 'jmikola', 'email': 'jmikola@gmail.com'}

Message: CDRIVER-2449 omit lsid from auth and monitoring commands
Branch: r1.9
https://github.com/mongodb/mongo-c-driver/commit/f0e1ea8401802fec55e3ff5923807c1f317856bd

Comment by Githook User [ 04/Jan/18 ]

Author:

{'name': 'Jeremy Mikola', 'username': 'jmikola', 'email': 'jmikola@gmail.com'}

Message: CDRIVER-2449 omit lsid from auth and monitoring commands
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/e51185c62710731438227465a34181143303a9ed

Comment by Jeremy Mikola [ 04/Jan/18 ]

https://github.com/mongodb/mongo-c-driver/pull/481

Generated at Wed Feb 07 21:15:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.