C Driver / CDRIVER-2449

Session ID is included in authenticate command

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.9.1
    • Affects Version/s: 1.9.0
    • Component/s: auth, libmongoc
    • None

      While investigating X509 auth failures for PHPC-1077, I noticed that libmongoc appears to be appending session IDs to authenticate commands, which directly conflicts with the driver sessions specification. Consider the following trace:

      [2018-01-04T15:45:01.441140+00:00]    cluster: TRACE   > ENTRY: _mongoc_cluster_auth_node():1262
      [2018-01-04T15:45:01.441156+00:00]    cluster: TRACE   > TRACE: _mongoc_cluster_auth_node_x509():1024 X509: got username from URI
      [2018-01-04T15:45:01.441174+00:00]     mongoc: TRACE   > ENTRY: mongoc_server_description_handle_ismaster():493
      [2018-01-04T15:45:01.441191+00:00]     mongoc: TRACE   >  EXIT: mongoc_server_description_handle_ismaster():654
      [2018-01-04T15:45:01.441205+00:00]     mongoc: TRACE   > ENTRY: mongoc_cmd_parts_assemble():564
      [2018-01-04T15:45:01.441216+00:00]     mongoc: TRACE   > TRACE: mongoc_cmd_parts_assemble():592 Preparing 'authenticate'
      [2018-01-04T15:45:01.441240+00:00]     client: TRACE   > ENTRY: mongoc_client_start_session():1150
      [2018-01-04T15:45:01.441252+00:00]     mongoc: TRACE   > ENTRY: _mongoc_topology_pop_server_session():1288
      [2018-01-04T15:45:01.441263+00:00]     mongoc: TRACE   > ENTRY: _mongoc_server_session_new():222
      [2018-01-04T15:45:01.441289+00:00]     mongoc: TRACE   >  EXIT: _mongoc_server_session_new():240
      [2018-01-04T15:45:01.441310+00:00]     mongoc: TRACE   >  EXIT: _mongoc_topology_pop_server_session():1335
      [2018-01-04T15:45:01.441322+00:00]     mongoc: TRACE   > ENTRY: _mongoc_client_session_new():291
      [2018-01-04T15:45:01.441330+00:00]     mongoc: TRACE   >  EXIT: _mongoc_client_session_new():308
      [2018-01-04T15:45:01.441339+00:00]     client: TRACE   >  EXIT: mongoc_client_start_session():1168
      [2018-01-04T15:45:01.441352+00:00]     mongoc: TRACE   >  EXIT: mongoc_cmd_parts_assemble():704
      [2018-01-04T15:45:01.441369+00:00]     stream: TRACE   > ENTRY: _mongoc_stream_writev_full():502
      [2018-01-04T15:45:01.441378+00:00]     stream: TRACE   > ENTRY: mongoc_stream_writev():150
      [2018-01-04T15:45:01.441389+00:00]     stream: TRACE   > TRACE: mongoc_stream_writev():162 writev = 0x25ce4b0 [7]
      [2018-01-04T15:45:01.441416+00:00]     stream: TRACE   > 00000:  fd 00 00 00 01 00 00 00  00 00 00 00 dd 07 00 00  . . . . . . . .  . . . . . . . .
      [2018-01-04T15:45:01.441443+00:00]     stream: TRACE   > 00010:  00 00 00 00 00 e8 00 00  00 10 61 75 74 68 65 6e  . . . . . . . .  . . a u t h e n
      [2018-01-04T15:45:01.441471+00:00]     stream: TRACE   > 00020:  74 69 63 61 74 65 00 01  00 00 00 02 6d 65 63 68  t i c a t e . .  . . . . m e c h
      [2018-01-04T15:45:01.441499+00:00]     stream: TRACE   > 00030:  61 6e 69 73 6d 00 0d 00  00 00 4d 4f 4e 47 4f 44  a n i s m . . .  . . M O N G O D
      [2018-01-04T15:45:01.441527+00:00]     stream: TRACE   > 00040:  42 2d 58 35 30 39 00 02  75 73 65 72 00 43 00 00  B - X 5 0 9 . .  u s e r . C . .
      [2018-01-04T15:45:01.441555+00:00]     stream: TRACE   > 00050:  00 43 3d 55 53 2c 53 54  3d 4e 65 77 20 59 6f 72  . C = U S , S T  = N e w   Y o r
      [2018-01-04T15:45:01.441583+00:00]     stream: TRACE   > 00060:  6b 2c 4c 3d 4e 65 77 20  59 6f 72 6b 20 43 69 74  k , L = N e w    Y o r k   C i t
      [2018-01-04T15:45:01.441611+00:00]     stream: TRACE   > 00070:  79 2c 4f 3d 4d 6f 6e 67  6f 44 42 2c 4f 55 3d 4b  y , O = M o n g  o D B , O U = K
      [2018-01-04T15:45:01.441639+00:00]     stream: TRACE   > 00080:  65 72 6e 65 6c 55 73 65  72 2c 43 4e 3d 63 6c 69  e r n e l U s e  r , C N = c l i
      [2018-01-04T15:45:01.441663+00:00]     stream: TRACE   > 00090:  65 6e 74 00 02 24 64 62  00 0a 00 00 00 24 65 78  e n t . . $ d b  . . . . . $ e x
      [2018-01-04T15:45:01.441691+00:00]     stream: TRACE   > 000a0:  74 65 72 6e 61 6c 00 03  24 72 65 61 64 50 72 65  t e r n a l . .  $ r e a d P r e
      [2018-01-04T15:45:01.441717+00:00]     stream: TRACE   > 000b0:  66 65 72 65 6e 63 65 00  20 00 00 00 02 6d 6f 64  f e r e n c e .    . . . . m o d
      [2018-01-04T15:45:01.441742+00:00]     stream: TRACE   > 000c0:  65 00 11 00 00 00 70 72  69 6d 61 72 79 50 72 65  e . . . . . p r  i m a r y P r e
      [2018-01-04T15:45:01.441768+00:00]     stream: TRACE   > 000d0:  66 65 72 72 65 64 00 00  03 6c 73 69 64 00 1e 00  f e r r e d . .  . l s i d . . .
      [2018-01-04T15:45:01.441790+00:00]     stream: TRACE   > 000e0:  00 00 05 69 64 00 10 00  00 00 04 29 81 0f ea 8a  . . . i d . . .  . . . ) . . . .
      [2018-01-04T15:45:01.441810+00:00]     stream: TRACE   > 000f0:  b1 4c ab a4 d8 4d d0 a5  ac 13 6a 00 00           . L . . . M . .  . . j . .
      

      This causes X509 authentication to fail with a "there are no users authenticated" error message:

      [2018-01-04T15:45:01.472077+00:00]     stream: TRACE   > TRACE: mongoc_stream_readv():237 readv = 0x7ffd0d23c9c0 [1]
      [2018-01-04T15:45:01.472097+00:00]     stream: TRACE   > 00000:  4b 00 00 00 01 00 00 00  dd 07 00 00 00 00 00 00  K . . . . . . .  . . . . . . . .
      [2018-01-04T15:45:01.472117+00:00]     stream: TRACE   > 00010:  00 63 00 00 00 01 6f 6b  00 00 00 00 00 00 00 00  . c . . . . o k  . . . . . . . .
      [2018-01-04T15:45:01.472139+00:00]     stream: TRACE   > 00020:  00 02 65 72 72 6d 73 67  00 21 00 00 00 74 68 65  . . e r r m s g  . ! . . . t h e
      [2018-01-04T15:45:01.472162+00:00]     stream: TRACE   > 00030:  72 65 20 61 72 65 20 6e  6f 20 75 73 65 72 73 20  r e   a r e   n  o   u s e r s  
      [2018-01-04T15:45:01.472184+00:00]     stream: TRACE   > 00040:  61 75 74 68 65 6e 74 69  63 61 74 65 64 00 10 63  a u t h e n t i  c a t e d . . c
      [2018-01-04T15:45:01.472205+00:00]     stream: TRACE   > 00050:  6f 64 65 00 0d 00 00 00  02 63 6f 64 65 4e 61 6d  o d e . . . . .  . c o d e N a m
      [2018-01-04T15:45:01.472227+00:00]     stream: TRACE   > 00060:  65 00 0d 00 00 00 55 6e  61 75 74 68 6f 72 69 7a  e . . . . . U n  a u t h o r i z
      [2018-01-04T15:45:01.472239+00:00]     stream: TRACE   > 00070:  65 64 00 00                                       e d . .
      

      Modifying _mongoc_cluster_auth_node_x509() to prohibit addition of an lsid field does appear to solve the issue. I'm at a loss for why the problem manifests itself this way, or why other authentication mechanisms in our test suite did not appear to be affected by this issue.

            Assignee:
            jmikola@mongodb.com Jeremy Mikola
            Reporter:
            jmikola@mongodb.com Jeremy Mikola
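
As an added example (not part of the original report and not libmongoc code), the following Python decodes the request bytes from the trace above and lists the command's top-level fields, which shows `lsid` attached to the `authenticate` command. The function names are hypothetical, and only the BSON types that appear in commands like this one are handled.

```python
import struct

# Request bytes from the hex dump in the trace above, regrouped by BSON field.
REQUEST = (
    b"\xfd\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xdd\x07\x00\x00"  # header
    b"\x00\x00\x00\x00\x00\xe8\x00\x00\x00"  # flagBits, section kind 0, BSON length
    b"\x10authenticate\x00\x01\x00\x00\x00"
    b"\x02mechanism\x00\x0d\x00\x00\x00MONGODB-X509\x00"
    b"\x02user\x00\x43\x00\x00\x00"
    b"C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client\x00"
    b"\x02$db\x00\x0a\x00\x00\x00$external\x00"
    b"\x03$readPreference\x00\x20\x00\x00\x00\x02mode\x00\x11\x00\x00\x00primaryPreferred\x00\x00"
    b"\x03lsid\x00\x1e\x00\x00\x00\x05id\x00\x10\x00\x00\x00\x04"
    b"\x29\x81\x0f\xea\x8a\xb1\x4c\xab\xa4\xd8\x4d\xd0\xa5\xac\x13\x6a\x00\x00"
)
OP_MSG = 2013  # opCode bytes dd 07 00 00
# Byte widths of the fixed-size BSON value types.
FIXED = {0x01: 8, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x11: 8, 0x12: 8}

def top_level_keys(doc):
    """Return the top-level field names of one BSON document, in order."""
    (size,) = struct.unpack_from("<i", doc, 0)
    if size != len(doc) or doc[-1] != 0:
        raise ValueError("bad BSON document length")
    keys, pos = [], 4
    while pos < size - 1:
        kind = doc[pos]
        end = doc.index(b"\x00", pos + 1)      # field name is a C string
        keys.append(doc[pos + 1:end].decode())
        pos = end + 1
        if kind in FIXED:
            pos += FIXED[kind]
        elif kind in (0x02, 0x05):             # string / binary: int32 length
            (n,) = struct.unpack_from("<i", doc, pos)
            pos += 4 + n + (1 if kind == 0x05 else 0)  # binary adds a subtype byte
        elif kind in (0x03, 0x04):             # embedded document / array
            (n,) = struct.unpack_from("<i", doc, pos)
            pos += n
        else:
            raise ValueError(f"unhandled BSON type 0x{kind:02x}")
    return keys

def command_keys(msg):
    """Validate the OP_MSG header and return the body's top-level field names."""
    length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if length != len(msg) or opcode != OP_MSG or msg[20] != 0:
        raise ValueError("expected a complete OP_MSG with a kind-0 body section")
    (size,) = struct.unpack_from("<i", msg, 21)
    return top_level_keys(msg[21:21 + size])

def auth_with_session(msg):
    """True when an authenticate command carries an lsid field."""
    keys = command_keys(msg)
    return keys[:1] == ["authenticate"] and "lsid" in keys
```
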