PYTHON-1201 - Test GSSAPI and PLAIN authentication

Author: behackett

.evergreen/config.yml

@@ -336,6 +336,16 @@ functions:
  ${PREPARE_SHELL}
  PYTHON_BINARY=${PYTHON_BINARY} C_EXTENSIONS=${C_EXTENSIONS} AUTH=${AUTH} SSL=${SSL} MONGODB_URI="${MONGODB_URI}" sh ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh
 
+ "run enterprise auth tests":
+ - command: shell.exec
+ type: test
+ params:
+ silent: true
+ working_dir: "src"
+ script: |
+ # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+ PYTHON_BINARY=${PYTHON_BINARY} SASL_HOST=${sasl_host} SASL_PORT=${sasl_port} SASL_USER=${sasl_user} SASL_PASS=${sasl_pass} SASL_DB=${sasl_db} PRINCIPAL=${principal} GSSAPI_DB=${gssapi_db} KEYTAB_BASE64=${keytab_base64} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-enterprise-auth-tests.sh
+
  "cleanup":
  - command: shell.exec
  params:
@@ -603,6 +613,15 @@ tasks:
  TOPOLOGY: "sharded_cluster"
  - func: "run tests"
 
+ - name: "test-enterprise-auth"
+ tags: ["enterprise-auth"]
+ commands:
+ - func: "bootstrap mongo-orchestration"
+ vars:
+ VERSION: "latest"
+ TOPOLOGY: "server"
+ - func: "run enterprise auth tests"
+
 # }}}
 
 
@@ -1160,6 +1179,13 @@ buildvariants:
  add_tasks:
  - "test-3.0-standalone"
 
+- matrix_name: "test-linux-enterprise-auth"
+ matrix_spec: {"python-version": "*", auth: "auth"}
+ display_name: "Enterprise Auth Linux ${python-version}"
+ run_on: ubuntu1604-test
+ tasks:
+ - name: "test-enterprise-auth"
+
  # Platform notes
  # i386 builds of OpenSSL or Cyrus SASL are not available
  # Ubuntu14.04 only supports 2.6+ with SSL

.evergreen/run-enterprise-auth-tests.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Don't trace to avoid secrets showing up in the logs
+set -o errexit
+
+echo "Running enterprise authentication tests"
+
+PYTHON_VERSION=$(${PYTHON_BINARY} -c 'import sys; sys.stdout.write(str(sys.version_info[0]))')
+PLATFORM="$(${PYTHON_BINARY} -c 'import platform; print(platform.system())')"
+
+export DB_USER="bob"
+export DB_PASSWORD="pwd123"
+
+# There is no kerberos package for Jython, but we do want to test PLAIN.
+if [ ${PLATFORM} != "Java" ]; then
+ # PyMongo 2.x doesn't support GSSAPI on Windows.
+ if [ "Windows_NT" != "$OS" ]; then
+ echo "Writing keytab"
+ echo ${KEYTAB_BASE64} | base64 -d > ${PROJECT_DIRECTORY}/.evergreen/drivers.keytab
+ echo "Running kinit"
+ kinit -k -t ${PROJECT_DIRECTORY}/.evergreen/drivers.keytab -p ${PRINCIPAL}
+ echo "Setting GSSAPI variables"
+ export GSSAPI_HOST=${SASL_HOST}
+ export GSSAPI_PORT=${SASL_PORT}
+ export GSSAPI_PRINCIPAL=${PRINCIPAL}
+ fi
+ EXTRA_ARGS=""
+else
+ # Keep Jython 2.5 from running out of memory.
+ EXTRA_ARGS="-J-XX:-UseGCOverheadLimit -J-Xmx4096m"
+fi
+
+# Set verbose test output flag.
+if [ "$PYTHON_VERSION" = "3" ]; then
+ # With Python 3, the tests do not accept a "--verbosity=2" flag.
+ TEST_VERBOSITY="-v"
+else
+ # With Python 2, the tests accepts a "-v" flag but only "--verbosity=2"
+ # causes the verbose output we want.
+ TEST_VERBOSITY="--verbosity=2"
+fi
+
+echo "Running tests"
+${PYTHON_BINARY} setup.py clean
+${PYTHON_BINARY} $EXTRA_ARGS setup.py nosetests $TEST_VERBOSITY

test/test_auth.py

@@ -42,7 +42,8 @@
 from test.test_pooling_base import get_pool
 from test.test_replica_set_client import TestReplicaSetClientBase
 from test.test_threads import AutoAuthenticateThreads
-from test.utils import (is_mongos,
+from test.utils import (delay,
+ is_mongos,
  remove_all_users,
  assertRaisesExactly,
  one,
@@ -54,13 +55,14 @@
 # YOU MUST RUN KINIT BEFORE RUNNING GSSAPI TESTS.
 GSSAPI_HOST = os.environ.get('GSSAPI_HOST')
 GSSAPI_PORT = int(os.environ.get('GSSAPI_PORT', '27017'))
-PRINCIPAL = os.environ.get('PRINCIPAL')
+GSSAPI_PRINCIPAL = os.environ.get('GSSAPI_PRINCIPAL')
+GSSAPI_DB = os.environ.get('GSSAPI_DB', 'test')
 
 SASL_HOST = os.environ.get('SASL_HOST')
 SASL_PORT = int(os.environ.get('SASL_PORT', '27017'))
 SASL_USER = os.environ.get('SASL_USER')
 SASL_PASS = os.environ.get('SASL_PASS')
-SASL_DB  = os.environ.get('SASL_DB', '$external')
+SASL_DB = os.environ.get('SASL_DB', '$external')
 
 
 def setUpModule():
@@ -81,99 +83,123 @@ class AutoAuthenticateThread(threading.Thread):
  """Used in testing threaded authentication.
  """
 
- def __init__(self, database):
+ def __init__(self, collection):
  super(AutoAuthenticateThread, self).__init__()
- self.database = database
- self.success = True
+ self.collection = collection
+ self.success = False
 
  def run(self):
- try:
- self.database.command('dbstats')
- except OperationFailure:
- self.success = False
+ assert self.collection.find_one({'$where': delay(1)}) is not None
+ self.success = True
 
 
 class TestGSSAPI(unittest.TestCase):
 
  def setUp(self):
  if not HAVE_KERBEROS:
  raise SkipTest('Kerberos module not available.')
- if not GSSAPI_HOST or not PRINCIPAL:
- raise SkipTest('Must set GSSAPI_HOST and PRINCIPAL to test GSSAPI')
+ if not GSSAPI_HOST or not GSSAPI_PRINCIPAL:
+ raise SkipTest(
+ 'Must set GSSAPI_HOST and GSSAPI_PRINCIPAL to test GSSAPI')
 
  def test_gssapi_simple(self):
 
  client = MongoClient(GSSAPI_HOST, GSSAPI_PORT)
+ db = client[GSSAPI_DB]
  # Without gssapiServiceName
- self.assertTrue(client.test.authenticate(PRINCIPAL,
- mechanism='GSSAPI'))
- client.database_names()
+ self.assertTrue(db.authenticate(GSSAPI_PRINCIPAL, mechanism='GSSAPI'))
+ db.collection.find_one()
  uri = ('mongodb://%s@%s:%d/?authMechanism='
- 'GSSAPI' % (quote_plus(PRINCIPAL), GSSAPI_HOST, GSSAPI_PORT))
+ 'GSSAPI' % (
+ quote_plus(GSSAPI_PRINCIPAL), GSSAPI_HOST, GSSAPI_PORT))
  client = MongoClient(uri)
- client.database_names()
+ client[GSSAPI_DB].collection.find_one()
 
  # With gssapiServiceName
- self.assertTrue(client.test.authenticate(PRINCIPAL,
- mechanism='GSSAPI',
- gssapiServiceName='mongodb'))
- client.database_names()
+ client = MongoClient(GSSAPI_HOST, GSSAPI_PORT)
+ db = client[GSSAPI_DB]
+ self.assertTrue(db.authenticate(GSSAPI_PRINCIPAL,
+ mechanism='GSSAPI',
+ gssapiServiceName='mongodb'))
+ db.collection.find_one()
  uri = ('mongodb://%s@%s:%d/?authMechanism='
- 'GSSAPI;gssapiServiceName=mongodb' % (quote_plus(PRINCIPAL),
-   GSSAPI_HOST, GSSAPI_PORT))
+ 'GSSAPI;gssapiServiceName=mongodb' % (
+ quote_plus(GSSAPI_PRINCIPAL), GSSAPI_HOST, GSSAPI_PORT))
  client = MongoClient(uri)
- client.database_names()
+ client[GSSAPI_DB].collection.find_one()
  uri = ('mongodb://%s@%s:%d/?authMechanism='
  'GSSAPI;authMechanismProperties=SERVICE_NAME:mongodb' % (
- quote_plus(PRINCIPAL), GSSAPI_HOST, GSSAPI_PORT))
+  quote_plus(GSSAPI_PRINCIPAL), GSSAPI_HOST, GSSAPI_PORT))
  client = MongoClient(uri)
- client.database_names()
+ client[GSSAPI_DB].collection.find_one()
 
  set_name = client.admin.command('ismaster').get('setName')
  if set_name:
  client = MongoReplicaSetClient(GSSAPI_HOST,
  port=GSSAPI_PORT,
  replicaSet=set_name)
+ db = client[GSSAPI_DB]
  # Without gssapiServiceName
- self.assertTrue(client.test.authenticate(PRINCIPAL,
-  mechanism='GSSAPI'))
- client.database_names()
+ self.assertTrue(db.authenticate(GSSAPI_PRINCIPAL,
+ mechanism='GSSAPI'))
+ db.collection.find_one()
  uri = ('mongodb://%s@%s:%d/?authMechanism=GSSAPI;replicaSet'
- '=%s' % (quote_plus(PRINCIPAL),
+ '=%s' % (quote_plus(GSSAPI_PRINCIPAL),
  GSSAPI_HOST, GSSAPI_PORT, str(set_name)))
  client = MongoReplicaSetClient(uri)
- client.database_names()
+ client[GSSAPI_DB].collection.find_one()
 
  # With gssapiServiceName
- self.assertTrue(client.test.authenticate(PRINCIPAL,
- mechanism='GSSAPI',
- gssapiServiceName='mongodb'))
- client.database_names()
+ client = MongoReplicaSetClient(GSSAPI_HOST,
+ port=GSSAPI_PORT,
+ replicaSet=set_name)
+ db = client[GSSAPI_DB]
+ self.assertTrue(db.authenticate(
+ GSSAPI_PRINCIPAL,
+ mechanism='GSSAPI',
+ gssapiServiceName='mongodb'))
+ db.collection.find_one()
  uri = ('mongodb://%s@%s:%d/?authMechanism=GSSAPI;replicaSet'
- '=%s;gssapiServiceName=mongodb' % (quote_plus(PRINCIPAL),
- GSSAPI_HOST,
- GSSAPI_PORT,
- str(set_name)))
+ '=%s;gssapiServiceName=mongodb' % (
+ quote_plus(GSSAPI_PRINCIPAL),
+ GSSAPI_HOST,
+ GSSAPI_PORT,
+ str(set_name)))
  client = MongoReplicaSetClient(uri)
- client.database_names()
+ client[GSSAPI_DB].collection.find_one()
  uri = ('mongodb://%s@%s:%d/?authMechanism=GSSAPI;replicaSet=%s;'
  'authMechanismProperties=SERVICE_NAME:mongodb' % (
- quote_plus(PRINCIPAL),
- GSSAPI_HOST, GSSAPI_PORT, str(set_name)))
+ quote_plus(GSSAPI_PRINCIPAL),
+ GSSAPI_HOST,
+ GSSAPI_PORT,
+ str(set_name)))
  client = MongoReplicaSetClient(uri)
- client.database_names()
+ client[GSSAPI_DB].collection.find_one()
 
  def test_gssapi_threaded(self):
 
  # Use auto_start_request=True to make sure each thread
  # uses a different socket.
  client = MongoClient(GSSAPI_HOST, auto_start_request=True)
- self.assertTrue(client.test.authenticate(PRINCIPAL,
- mechanism='GSSAPI'))
+ db = client[GSSAPI_DB]
+ self.assertTrue(db.authenticate(GSSAPI_PRINCIPAL,
+ mechanism='GSSAPI'))
+
+ # Need one document in the collection. AutoAuthenticateThread does
+ # collection.find_one with a 1-second delay, forcing it to check out
+ # multiple sockets from the pool concurrently, proving that
+ # auto-authentication works with GSSAPI.
+ collection = db.test
+ if collection.count() == 0:
+ try:
+ collection.drop()
+ collection.insert_one({'_id': 1})
+ except OperationFailure:
+ raise SkipTest("User must be able to write.")
 
  threads = []
  for _ in xrange(4):
- threads.append(AutoAuthenticateThread(client.foo))
+ threads.append(AutoAuthenticateThread(collection))
  for thread in threads:
  thread.start()
  for thread in threads:
@@ -186,13 +212,15 @@ def test_gssapi_threaded(self):
  client = MongoReplicaSetClient(GSSAPI_HOST,
  replicaSet=set_name,
  read_preference=preference)
- self.assertTrue(client.test.authenticate(PRINCIPAL,
- mechanism='GSSAPI'))
- self.assertTrue(client.foo.command('dbstats'))
+ db = client[GSSAPI_DB]
+ self.assertTrue(db.authenticate(GSSAPI_PRINCIPAL,
+ mechanism='GSSAPI'))
+ collection = db.test
+ collection.find_one()
 
  threads = []
  for _ in xrange(4):
- threads.append(AutoAuthenticateThread(client.foo))
+ threads.append(AutoAuthenticateThread(collection))
  for thread in threads:
  thread.start()
  for thread in threads: