Merge branch 'main' into kubernetes-probe-endpoints-4306

FerretDB · Jun 24, 2024 · 3d0f96d · 3d0f96d
2 parents b1e59af + f87a2c2
commit 3d0f96d
Show file tree

Hide file tree

Showing 9 changed files with 66 additions and 357 deletions.
diff --git a/integration/commands_administration_test.go b/integration/commands_administration_test.go
@@ -847,8 +847,8 @@ func TestGetParameterCommandAuthenticationMechanisms(t *testing.T) {
 		require.Equal(t, true, settableAtStartup)
 	})
 
-	t.Run("Plain", func(t *testing.T) {
-		setup.SkipForMongoDB(t, "PLAIN authentication mechanism is not support by MongoDB")
+	t.Run("SCRAM", func(tt *testing.T) {
+		t := setup.FailsForMongoDB(tt, "MongoDB supports more mechanisms")
 
 		var res bson.D
 		err := s.Collection.Database().RunCommand(s.Ctx, bson.D{
@@ -858,13 +858,34 @@ func TestGetParameterCommandAuthenticationMechanisms(t *testing.T) {
 		require.NoError(t, err)
 
 		expected := bson.D{
-			{"authenticationMechanisms", bson.A{"SCRAM-SHA-1", "SCRAM-SHA-256", "PLAIN"}},
+			{"authenticationMechanisms", bson.A{"SCRAM-SHA-1", "SCRAM-SHA-256"}},
 			{"ok", float64(1)},
 		}
 		require.Equal(t, expected, res)
 	})
 }
 
+func TestGetParameterCommandAuthenticationMechanismsPLAIN(tt *testing.T) {
+	tt.Parallel()
+
+	s := setup.SetupWithOpts(tt, &setup.SetupOpts{BackendOptions: &setup.BackendOpts{DisableNewAuth: true}})
+
+	t := setup.FailsForMongoDB(tt, "PLAIN authentication mechanism is not support by MongoDB")
+
+	var res bson.D
+	err := s.Collection.Database().RunCommand(s.Ctx, bson.D{
+		{"getParameter", bson.D{}},
+		{"authenticationMechanisms", 1},
+	}).Decode(&res)
+	require.NoError(t, err)
+
+	expected := bson.D{
+		{"authenticationMechanisms", bson.A{"PLAIN"}},
+		{"ok", float64(1)},
+	}
+	require.Equal(t, expected, res)
+}
+
 func TestCommandsAdministrationBuildInfo(t *testing.T) {
 	t.Parallel()
 	ctx, collection := setup.Setup(t)

diff --git a/integration/hello_command_test.go b/integration/hello_command_test.go
@@ -107,12 +107,6 @@ func TestHelloWithSupportedMechs(t *testing.T) {
 			user:  db.Name() + ".hello_user",
 			mechs: must.NotFail(types.NewArray("SCRAM-SHA-1", "SCRAM-SHA-256")),
 		},
-		// TODO https://github.com/FerretDB/FerretDB/issues/4365
-		//"HelloUserPlain": {
-		//	user:            db.Name() + ".hello_user_plain",
-		//	mechs:           must.NotFail(types.NewArray("PLAIN")),
-		//	failsForMongoDB: "PLAIN authentication mechanism is not support by MongoDB",
-		//},
 		"HelloUserSCRAM1": {
 			user:  db.Name() + ".hello_user_scram1",
 			mechs: must.NotFail(types.NewArray("SCRAM-SHA-1")),
@@ -182,3 +176,29 @@ func TestHelloWithSupportedMechs(t *testing.T) {
 		})
 	}
 }
+
+func TestHelloWithSupportedMechsPLAIN(tt *testing.T) {
+	tt.Parallel()
+
+	s := setup.SetupWithOpts(tt, &setup.SetupOpts{BackendOptions: &setup.BackendOpts{DisableNewAuth: true}})
+
+	ctx, db := s.Ctx, s.Collection.Database()
+
+	t := setup.FailsForMongoDB(tt, "PLAIN authentication mechanism is not support by MongoDB")
+
+	var res bson.D
+
+	err := db.RunCommand(ctx, bson.D{
+		{"hello", "1"},
+		{"saslSupportedMechs", db.Name() + ".hello_user_plain"},
+	}).Decode(&res)
+	require.NoError(t, err)
+
+	actual := ConvertDocument(t, res)
+
+	v, err := actual.Get("saslSupportedMechs")
+	require.NoError(t, err)
+
+	mechanisms := v.(*types.Array)
+	require.Equal(t, must.NotFail(types.NewArray("PLAIN")), mechanisms)
+}
diff --git a/integration/users/create_user_test.go b/integration/users/create_user_test.go
@@ -155,7 +155,7 @@ func TestCreateUser(t *testing.T) {
 		},
 		"FailWithPLAIN": {
 			payload: bson.D{
-				{"createUser", "success_user_with_plain"},
+				{"createUser", "plain_user"},
 				{"roles", bson.A{}},
 				{"pwd", "password"},
 				{"mechanisms", bson.A{"PLAIN"}},
@@ -265,10 +265,6 @@ func TestCreateUser(t *testing.T) {
 			if payload.Has("mechanisms") {
 				payloadMechanisms := must.NotFail(payload.Get("mechanisms")).(*types.Array)
 
-				if payloadMechanisms.Contains("PLAIN") {
-					assertPlainCredentials(t, "PLAIN", must.NotFail(user.Get("credentials")).(*types.Document))
-				}
-
 				if payloadMechanisms.Contains("SCRAM-SHA-1") {
 					assertSCRAMSHA1Credentials(t, "SCRAM-SHA-1", must.NotFail(user.Get("credentials")).(*types.Document))
 				}
@@ -293,20 +289,6 @@ func TestCreateUser(t *testing.T) {
 	}
 }
 
-// assertPlainCredentials checks if the credential is a valid PLAIN credential.
-func assertPlainCredentials(t testtb.TB, key string, cred *types.Document) {
-	t.Helper()
-
-	require.True(t, cred.Has(key), "missing credential %q", key)
-
-	c := must.NotFail(cred.Get(key)).(*types.Document)
-
-	assert.Equal(t, must.NotFail(c.Get("algo")), "PBKDF2-HMAC-SHA256")
-	assert.NotEmpty(t, must.NotFail(c.Get("iterationCount")))
-	assert.NotEmpty(t, must.NotFail(c.Get("hash")))
-	assert.NotEmpty(t, must.NotFail(c.Get("salt")))
-}
-
 // assertSCRAMSHA1Credentials checks if the credential is a valid SCRAM-SHA-1 credential.
 func assertSCRAMSHA1Credentials(t testtb.TB, key string, cred *types.Document) {
 	t.Helper()

diff --git a/integration/users/usersinfo_test.go b/integration/users/usersinfo_test.go
@@ -117,14 +117,6 @@ func TestUsersinfo(t *testing.T) {
 		})
 
 		for _, payload := range inserted.payloads {
-			payloadDoc := integration.ConvertDocument(t, payload)
-
-			if setup.IsMongoDB(t) && payloadDoc.Has("mechanisms") {
-				mechanisms := must.NotFail(payloadDoc.Get("mechanisms")).(*types.Array)
-				if mechanisms.Contains("PLAIN") {
-					continue
-				}
-			}
 			err := db.RunCommand(ctx, payload).Err()
 			require.NoErrorf(t, err, "cannot create user on database %q: %q", dbName, payload)
 		}
@@ -574,8 +566,6 @@ func TestUsersinfo(t *testing.T) {
 
 				for _, typ := range tc.showCredentials {
 					switch typ {
-					case "PLAIN":
-						assertPlainCredentials(t, "PLAIN", cred)
 					case "SCRAM-SHA-1":
 						assertSCRAMSHA1Credentials(t, "SCRAM-SHA-1", cred)
 					case "SCRAM-SHA-256":

diff --git a/internal/backends/user.go b/internal/backends/user.go
@@ -93,8 +93,6 @@ func MakeCredentials(username string, userPassword password.Password, mechanisms
 		var hash *types.Document
 
 		switch v {
-		case "PLAIN":
-			credentials.Set("PLAIN", must.NotFail(password.PlainHash(userPassword.Password())))
 		case "SCRAM-SHA-1":
 			hash, err = password.SCRAMSHA1Hash(username, userPassword.Password())
 			if err != nil {

diff --git a/internal/handler/msg_getparameter.go b/internal/handler/msg_getparameter.go
@@ -44,6 +44,11 @@ func (h *Handler) MsgGetParameter(ctx context.Context, msg *wire.OpMsg) (*wire.O
 
 	common.Ignored(document, h.L, "comment")
 
+	mechanisms := must.NotFail(types.NewArray("PLAIN"))
+	if h.EnableNewAuth {
+		mechanisms = must.NotFail(types.NewArray("SCRAM-SHA-1", "SCRAM-SHA-256"))
+	}
+
 	parameters := must.NotFail(types.NewDocument(
 		// to add a new parameter, fill template and place it in the alphabetical order position
 		//"<name>", must.NotFail(types.NewDocument(
@@ -52,7 +57,7 @@ func (h *Handler) MsgGetParameter(ctx context.Context, msg *wire.OpMsg) (*wire.O
 		//	"settableAtStartup", <bool>,
 		//)),
 		"authenticationMechanisms", must.NotFail(types.NewDocument(
-			"value", must.NotFail(types.NewArray("SCRAM-SHA-1", "SCRAM-SHA-256", "PLAIN")),
+			"value", mechanisms,
 			"settableAtRuntime", false,
 			"settableAtStartup", true,
 		)),

diff --git a/internal/handler/msg_hello.go b/internal/handler/msg_hello.go
@@ -73,9 +73,15 @@ func (h *Handler) MsgHello(ctx context.Context, msg *wire.OpMsg) (*wire.OpMsg, e
 		)
 	}
 
-	mechs, err := h.getUserSupportedMechs(ctx, db, username)
-	if err != nil {
-		return nil, lazyerrors.Error(err)
+	// for the backend authentication return `PLAIN` regardless of the user existence,
+	// getting backend users is not easy
+	mechs := []string{"PLAIN"}
+
+	if h.EnableNewAuth {
+		mechs, err = h.getUserSupportedMechs(ctx, db, username)
+		if err != nil {
+			return nil, lazyerrors.Error(err)
+		}
 	}
 
 	saslSupportedMechsResp := must.NotFail(types.NewArray())

diff --git a/internal/util/password/plain.go b/internal/util/password/plain.go