[CDRIVER-4635] Speculative authentication state is incorrectly kept
Created: 04/May/23  Updated: 28/Oct/23  Resolved: 05/May/23

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.23.3
Fix Version/s: 1.23.4

Type: Bug
Priority: Major - P3
Reporter: Andreas Braun
Assignee: Andreas Braun
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PHPC-2218 Speculative authentication state is i... Closed

 Description   

The topology scanner does not correctly reset authentication status when using speculative authentication. This affects single-threaded mode only, where authentication is done on the monitoring connection, which is also used for data. When resetting auth state, the previous result of a speculative authentication is not cleared. On subsequent handshakes, the previous authentication result is re-used. For SCRAM authentication, the conversation will be continued and will fail due to an outdated result. For X.509, however, the stale result means that the client will incorrectly assume the connection to be authenticated, while the server rejects any commands due to missing authentication.

The fix should be backported to 1.23 to allow the PHP team to fix this in the current stable release.
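
The failure mode described above, reduced to a small C model. This is an added example, not code from libmongoc or from this ticket: `node_t`, `server_conn_t` and the reset and handshake functions are hypothetical, and the second handshake receiving no speculative reply is a constructed scenario.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a single-threaded scanner node (hypothetical names,
 * not libmongoc's structs). One connection serves monitoring and data. */
typedef struct {
    bool has_spec_response; /* stands in for speculative_auth_response */
    int scram_step;         /* progress of a SCRAM conversation */
    bool authenticated;     /* what the client believes */
} node_t;

/* Constructed stand-in for the server's view of one connection. */
typedef struct { bool authenticated; } server_conn_t;

/* Before the fix: cached speculative result and SCRAM step survive. */
static void reset_auth_buggy(node_t *n) { n->authenticated = false; }

/* After the fix: everything derived from the old handshake is cleared. */
static void reset_auth_fixed(node_t *n) {
    n->authenticated = false;
    n->has_spec_response = false;
    n->scram_step = 0;
}

/* One handshake. The client trusts whatever response is stored on the node. */
static void handshake(node_t *n, server_conn_t *s, bool server_replies) {
    s->authenticated = server_replies;
    if (server_replies) { n->has_spec_response = true; n->scram_step = 1; }
    if (n->has_spec_response) n->authenticated = true;
}

/* Returns true when the client believes it is authenticated but the
 * server does not: the X.509 symptom described in the ticket. */
static bool desync_after_reconnect(void (*reset)(node_t *)) {
    node_t n = {0};
    server_conn_t s = {0};
    handshake(&n, &s, true);  /* first connection: speculative auth succeeds */
    reset(&n);                /* stream dropped and recreated */
    s = (server_conn_t){0};   /* new server-side connection starts unauthenticated */
    handshake(&n, &s, false); /* constructed case: no speculative reply this time */
    return n.authenticated && !s.authenticated;
}

int main(void) {
    printf("buggy reset desync: %d\n", desync_after_reconnect(reset_auth_buggy));
    printf("fixed reset desync: %d\n", desync_after_reconnect(reset_auth_fixed));
    return 0;
}
```

With the buggy reset the client and server disagree about authentication after the reconnect; with the fixed reset the client sees no stored response and stays unauthenticated.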



 Comments   
Comment by Githook User [ 09/May/23 ]

Author: Jeremy Mikola <jmikola@gmail.com> (jmikola)

Message: PHPC-2218: Update libmongoc to 1.23.4 (#1419)

Includes CDRIVER-4635, which fixes tracking of speculative auth state
Branch: master
https://github.com/mongodb/mongo-php-driver/commit/0dd7a669409abc07480d3c265eb6bc3fa1ffa72d

Comment by Githook User [ 05/May/23 ]

Author: Andreas Braun <alcaeus@users.noreply.github.com> (alcaeus)

Message: CDRIVER-4635 Reset speculative_auth_response when resetting auth state (#1258)

  • reset authentication state before creating stream
  • remove unnecessary state reset in `mongoc_topology_scanner_node_disconnect`

`mongoc_topology_scanner_node_disconnect` sets `stream` to NULL. That will result in the stream being recreated and state being reset in `mongoc_topology_scanner_node_setup`

  • skip `/Client/authenticate_cached/client` when using speculativeAuthentication

This previously passed because SCRAM would fail speculativeAuthentication and restart the authentication steps. The restart would use the SCRAM cache.

Now speculativeAuthentication succeeds. speculativeAuthentication in the topology scanner does not use the SCRAM cache (refer: CDRIVER-3642). This does not result in the expected error.

  • Reset scram step along with speculative authentication

---------

Co-authored-by: Kevin Albertson <kevin.albertson@mongodb.com>
Branch: r1.23
https://github.com/mongodb/mongo-c-driver/commit/42a818429d6d586a6abf22367ac6fea1e9ce3f2c

Comment by Githook User [ 05/May/23 ]

Author: Andreas Braun <alcaeus@users.noreply.github.com> (alcaeus)

Message: CDRIVER-4635 Reset speculative_auth_response when resetting auth state (#1258)

  • reset authentication state before creating stream
  • remove unnecessary state reset in `mongoc_topology_scanner_node_disconnect`

`mongoc_topology_scanner_node_disconnect` sets `stream` to NULL. That will result in the stream being recreated and state being reset in `mongoc_topology_scanner_node_setup`

  • skip `/Client/authenticate_cached/client` when using speculativeAuthentication

This previously passed because SCRAM would fail speculativeAuthentication and restart the authentication steps. The restart would use the SCRAM cache.

Now speculativeAuthentication succeeds. speculativeAuthentication in the topology scanner does not use the SCRAM cache (refer: CDRIVER-3642). This does not result in the expected error.

  • Reset scram step along with speculative authentication

---------

Co-authored-by: Kevin Albertson <kevin.albertson@mongodb.com>
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/b2afc3d01940b133df1beb05b24c8970c9099df6

Comment by Andreas Braun [ 04/May/23 ]

https://github.com/mongodb/mongo-c-driver/pull/1258
