Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-2676

mongoc_database_add_user must not send hashed password

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.11.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Fully Compatible

      The function mongoc_database_add_user is a C driver helper to construct a createUser command. Currently it does not send the correct form of the pwd field for MongoDB 4.0.

      The createUser command allows two ways to specify the password:

      The field pwd can be a plaintext password. Example in mongo shell (assuming mongod is running with --auth):

      db.runCommand ( {createUser: "username", pwd: "plaintext_password", roles: [ { role: "root", db: "admin" } ] })
      

      Or pwd can be the result of an MD5 hash of the form:

      md5(username + ":mongo:" + password)
      

      and digestPassword must be set to false.

      In MongoDB 4.0, we authenticate using a new more secure authentication mechanism, SCRAM-SHA-256. When creating a user with SCRAM-SHA-256 credentials, MongoDB 4.0 no longer allows specifying the password in a hashed form, and will return an error.

      Unfortunately, the mongoc_database_add_user does send pwd using the hashed form of the password. So currently this function always returns an error if connected to a MongoDB 4.0 server. Instead, we must do the simpler thing: send the plaintext password and omit sending the digestPassword field.

      Then, update the docs page for mongoc_database_add_user to warn the user to only call this method if the driver is using TLS.

      Then, update places in our tests which should be using mongoc_database_add_user but aren't: here and here.

            Assignee:
            evgeni.dobranov@mongodb.com Evgeni Dobranov
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: