fix mongodb connection issue when using TLS client + username/password authentication #30073
Hi there! Thanks for this. I'm going to dig a little more into the subject area since I'm not quite an expert with Mongo. I've set the tests to run, too. One thing I'd like to also understand: would this change be potentially breaking? For example, if a user in some way relied on the buggy behaviour, would they need to be made aware upon upgrade? Would it be possible to add a new test to
Hello @VioletHynes :) I've added a test
VioletHynes left a comment:
Thanks for the unit test! This looks awesome. Going to run the tests then try and get this merged. The extreme detail in the PR helped a tonne, thank you!
Oh, one more thing --
Hello :) I've added the godoc. Thanks for your help!
Thanks! I've re-approved and re-ran the tests. I'd merge this now, but I need to get this approved by someone else who is a codeowner of one of the files, so expect that review/hopefully approval soon. Appreciate the patience.
Since you have this testCase structure, I wonder if we should make this a table-driven test, even if there is only one test case.
Indeed, this test is based on TestGetTLSAuth, which is a table-driven test (I suppose).
In fact, instead of creating a new test, I should've updated the already existing test to add a new verification.
Corrected by updating the TestGetTLSAuth function to add the new verification.
It would be good if we could also check the actual error message.
As the test is now included in the TestGetTLSAuth function, the errors are checked in this test.
Could we use the constant for this value from x/mongo/driver/auth instead? You will need to import go.mongodb.org/mongo-driver/x/mongo/driver/auth
Suggested change:
-    authMechanism := "MONGODB-X509"
+    authMechanism := auth.MongoDBX509
Could we use the constant for this value from x/mongo/driver/auth instead? You will need to import go.mongodb.org/mongo-driver/x/mongo/driver/auth
Suggested change:
-    authMechanism = "SCRAM-SHA-256"
+    authMechanism := auth.SCRAMSHA256
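Review bot: the suggested line turns the assignment `authMechanism = "SCRAM-SHA-256"` into the short declaration `authMechanism := auth.SCRAMSHA256`, and the original line is an assignment precisely because authMechanism already exists (the author says below that it is filled by default with auth.MongoDBX509 on line 253). In the same scope `:=` fails to compile with "no new variables on left side of :=", and inside a nested block it declares a new variable that shadows the outer one, leaving the outer authMechanism at MONGODB-X509, which is the very behaviour this PR fixes. Keep `=` and only swap in the constant: `authMechanism = auth.SCRAMSHA256`.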
It seems odd that we are setting up the auth credentials for non-TLS auth here? Is that expected?
These options are only added when the verification on line 251 is true, so only when we have at least a TLSCertificateKeyData.
What if no AuthMechanism could be determined? It looks like that is possible here.
I'm not sure if I understood your question correctly 😅
These options are only added when the verification on line 251 is true, and the authMechanism value is filled by default with auth.MongoDBX509 on line 253.
dd1633a to 9213cde
Thanks for the change @mathiastop! This is expected to be in Vault 1.20.1.
…d authentication (hashicorp#30073)
* fix mongodb connection issue when using TLS client + username/password authentication
* add changelog file
* fix authMechanism more properly - add test for TLS and User/Password auth
* add godoc on TestGetTLSAndUserPasswordAuth
* update test to be included in TestGetTLSAuth - replace value by constant
Hello :) Thanks!
@mathiastop This didn't get backported to the release branch, so it won't be available until Vault 1.21. cc @hashiblaum
Hey @fairclothjm, thanks for the update! I will stay tuned 👀
Description
This change aims to fix a regression that was introduced by #9519, and fixes #10985.
Previously, when using a MongoDB database with TLS and username/password authentication, the order in which the Mongo config was merged meant that the MongoDB X.509 auth mechanism would always win.
Steps to reproduce:
vault secrets enable database
output:
mongodb logs:
{"t":{"$date":"2025-03-28T11:23:28.061+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.16.191:36924","uuid":{"uuid":{"$uuid":"65a2d442-0fad-46af-a13c-1c390ee12ad8"}},"connectionId":11748,"connectionCount":8}}
{"t":{"$date":"2025-03-28T11:23:28.071+01:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn11748","msg":"Ingress TLS handshake complete","attr":{"durationMillis":9}}
{"t":{"$date":"2025-03-28T11:23:28.071+01:00"},"s":"I", "c":"NETWORK", "id":6723801, "ctx":"conn11748","msg":"Accepted TLS connection from peer","attr":{"peerSubject":"CN=cb0mongo1.sarbacane.local","cipher":"TLS_AES_128_GCM_SHA256"}}
{"t":{"$date":"2025-03-28T11:23:28.071+01:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11748","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2025-03-28T11:23:28.072+01:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn11748","msg":"client metadata","attr":{"remote":"192.168.16.191:36924","client":"conn11748","negotiatedCompressors":[],"doc":{"driver":{"name":"mongo-go-driver","version":"1.17.3"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.23.6"}}}
{"t":{"$date":"2025-03-28T11:23:28.080+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.16.191:36936","uuid":{"uuid":{"$uuid":"7ddeb17e-556f-412b-9976-83c53c829610"}},"connectionId":11749,"connectionCount":9}}
{"t":{"$date":"2025-03-28T11:23:28.080+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.16.191:36952","uuid":{"uuid":{"$uuid":"773f78ff-baf9-40f0-a093-ce5edd2dec0f"}},"connectionId":11750,"connectionCount":10}}
{"t":{"$date":"2025-03-28T11:23:28.091+01:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn11749","msg":"Ingress TLS handshake complete","attr":{"durationMillis":10}}
{"t":{"$date":"2025-03-28T11:23:28.091+01:00"},"s":"I", "c":"NETWORK", "id":6723801, "ctx":"conn11749","msg":"Accepted TLS connection from peer","attr":{"peerSubject":"CN=cb0mongo1.sarbacane.local","cipher":"TLS_AES_128_GCM_SHA256"}}
{"t":{"$date":"2025-03-28T11:23:28.091+01:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11749","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2025-03-28T11:23:28.091+01:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn11749","msg":"client metadata","attr":{"remote":"192.168.16.191:36936","client":"conn11749","negotiatedCompressors":[],"doc":{"driver":{"name":"mongo-go-driver","version":"1.17.3"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.23.6"}}}
{"t":{"$date":"2025-03-28T11:23:28.091+01:00"},"s":"I", "c":"ACCESS", "id":5286307, "ctx":"conn11749","msg":"Failed to authenticate","attr":{"client":"192.168.16.191:36936","isSpeculative":true,"isClusterMember":false,"mechanism":"MONGODB-X509","user":"CN=cb0mongo1.sarbacane.local","db":"$external","error":"UserNotFound: Could not find user \"CN=cluster.mongo.local\" for db \"$external\"","result":11,"metrics":{"conversation_duration":{"micros":539,"summary":{}}},"extraInfo":{}}}
{"t":{"$date":"2025-03-28T11:23:28.096+01:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn11750","msg":"Ingress TLS handshake complete","attr":{"durationMillis":15}}
{"t":{"$date":"2025-03-28T11:23:28.096+01:00"},"s":"I", "c":"NETWORK", "id":6723801, "ctx":"conn11750","msg":"Accepted TLS connection from peer","attr":{"peerSubject":"CN=cb0mongo1.sarbacane.local","cipher":"TLS_AES_128_GCM_SHA256"}}
{"t":{"$date":"2025-03-28T11:23:28.096+01:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11750","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2025-03-28T11:23:28.096+01:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn11750","msg":"client metadata","attr":{"remote":"192.168.16.191:36952","client":"conn11750","negotiatedCompressors":[],"doc":{"driver":{"name":"mongo-go-driver","version":"1.17.3"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.23.6"}}}
{"t":{"$date":"2025-03-28T11:23:28.099+01:00"},"s":"I", "c":"ACCESS", "id":5286307, "ctx":"conn11749","msg":"Failed to authenticate","attr":{"client":"192.168.16.191:36936","isSpeculative":false,"isClusterMember":false,"mechanism":"MONGODB-X509","user":"CN=cb0mongo1.sarbacane.local","db":"$external","error":"UserNotFound: Could not find user \"CN=cb0mongo1.sarbacane.local\" for db \"$external\"","result":11,"metrics":{"conversation_duration":{"micros":382,"summary":{}}},"extraInfo":{}}}
{"t":{"$date":"2025-03-28T11:23:28.101+01:00"},"s":"I", "c":"-", "id":20883, "ctx":"conn11748","msg":"Interrupted operation as its client disconnected","attr":{"opId":16261121}}
{"t":{"$date":"2025-03-28T11:23:28.101+01:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn11749","msg":"Connection ended","attr":{"remote":"192.168.16.191:36936","uuid":{"uuid":{"$uuid":"7ddeb17e-556f-412b-9976-83c53c829610"}},"connectionId":11749,"connectionCount":9}}
{"t":{"$date":"2025-03-28T11:23:28.101+01:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn11748","msg":"Connection ended","attr":{"remote":"192.168.16.191:36924","uuid":{"uuid":{"$uuid":"65a2d442-0fad-46af-a13c-1c390ee12ad8"}},"connectionId":11748,"connectionCount":8}}
{"t":{"$date":"2025-03-28T11:23:28.102+01:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn11750","msg":"Connection ended","attr":{"remote":"192.168.16.191:36952","uuid":{"uuid":{"$uuid":"773f78ff-baf9-40f0-a093-ce5edd2dec0f"}},"connectionId":11750,"connectionCount":7}}
with the fix:
output:
mongodb logs:
{"t":{"$date":"2025-03-28T11:27:40.482+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.16.191:54140","uuid":{"uuid":{"$uuid":"4ba110a3-ba4a-4879-873e-eaa1e99e49cf"}},"connectionId":11757,"connectionCount":8}}
{"t":{"$date":"2025-03-28T11:27:40.489+01:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn11757","msg":"Ingress TLS handshake complete","attr":{"durationMillis":6}}
{"t":{"$date":"2025-03-28T11:27:40.489+01:00"},"s":"I", "c":"NETWORK", "id":6723801, "ctx":"conn11757","msg":"Accepted TLS connection from peer","attr":{"peerSubject":"CN=cb0mongo1.sarbacane.local","cipher":"TLS_AES_128_GCM_SHA256"}}
{"t":{"$date":"2025-03-28T11:27:40.489+01:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11757","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2025-03-28T11:27:40.490+01:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn11757","msg":"client metadata","attr":{"remote":"192.168.16.191:54140","client":"conn11757","negotiatedCompressors":[],"doc":{"driver":{"name":"mongo-go-driver","version":"1.17.3"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.23.6"}}}
{"t":{"$date":"2025-03-28T11:27:40.497+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.16.191:54148","uuid":{"uuid":{"$uuid":"725b6069-9782-48fa-9f09-c616e174afd0"}},"connectionId":11758,"connectionCount":9}}
{"t":{"$date":"2025-03-28T11:27:40.498+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.16.191:54152","uuid":{"uuid":{"$uuid":"241c5737-f66f-4684-986f-3022f90f4ec7"}},"connectionId":11759,"connectionCount":10}}
{"t":{"$date":"2025-03-28T11:27:40.510+01:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn11758","msg":"Ingress TLS handshake complete","attr":{"durationMillis":10}}
{"t":{"$date":"2025-03-28T11:27:40.510+01:00"},"s":"I", "c":"NETWORK", "id":6723801, "ctx":"conn11758","msg":"Accepted TLS connection from peer","attr":{"peerSubject":"CN=cb0mongo1.sarbacane.local","cipher":"TLS_AES_128_GCM_SHA256"}}
{"t":{"$date":"2025-03-28T11:27:40.510+01:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11758","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2025-03-28T11:27:40.511+01:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn11758","msg":"client metadata","attr":{"remote":"192.168.16.191:54148","client":"conn11758","negotiatedCompressors":[],"doc":{"driver":{"name":"mongo-go-driver","version":"1.17.3"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.23.6"}}}
{"t":{"$date":"2025-03-28T11:27:40.517+01:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn11759","msg":"Ingress TLS handshake complete","attr":{"durationMillis":17}}
{"t":{"$date":"2025-03-28T11:27:40.518+01:00"},"s":"I", "c":"NETWORK", "id":6723801, "ctx":"conn11759","msg":"Accepted TLS connection from peer","attr":{"peerSubject":"CN=cluster.mongodb.local","cipher":"TLS_AES_128_GCM_SHA256"}}
{"t":{"$date":"2025-03-28T11:27:40.518+01:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11759","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2025-03-28T11:27:40.518+01:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn11759","msg":"client metadata","attr":{"remote":"192.168.16.191:54152","client":"conn11759","negotiatedCompressors":[],"doc":{"driver":{"name":"mongo-go-driver","version":"1.17.3"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.23.6"}}}
{"t":{"$date":"2025-03-28T11:27:40.518+01:00"},"s":"I", "c":"ACCESS", "id":6788604, "ctx":"conn11759","msg":"Auth metrics report","attr":{"metric":"acquireUser","micros":0}}
{"t":{"$date":"2025-03-28T11:27:40.528+01:00"},"s":"I", "c":"ACCESS", "id":5286306, "ctx":"conn11759","msg":"Successfully authenticated","attr":{"client":"192.168.16.191:54152","isSpeculative":true,"isClusterMember":false,"mechanism":"SCRAM-SHA-256","user":"exemple-user","db":"admin","result":0,"metrics":{"conversation_duration":{"micros":9878,"summary":{"0":{"step":1,"step_total":2,"duration_micros":256},"1":{"step":2,"step_total":2,"duration_micros":18}}}},"extraInfo":{}}}
{"t":{"$date":"2025-03-28T11:27:40.530+01:00"},"s":"I", "c":"NETWORK", "id":6788700, "ctx":"conn11759","msg":"Received first command on ingress connection since session start or auth handshake","attr":{"elapsedMillis":2}}
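The merge-order problem the Description and the review thread describe, modelled in Go as an added example; this is not code from this PR or from Vault's mongodb plugin. The layering is a deliberately simplified stand-in for the driver's option merging, the Config field names and the two TLS-layer functions are hypothetical, and the mechanism string constants mirror the values of auth.MongoDBX509 and auth.SCRAMSHA256 from the mongo-go-driver's x/mongo/driver/auth package that the review asks for. The buggy layer pins X.509 whenever certificate data exists, so merging it last makes X.509 win over a configured user/password, which matches the "Failed to authenticate" MONGODB-X509 lines above; the fixed layer chooses the mechanism from the configuration, matching the SCRAM-SHA-256 success for exemple-user on admin.

```go
package main

import (
	"errors"
	"fmt"
)

// Mechanism names as exposed by go.mongodb.org/mongo-driver/x/mongo/driver/auth
// (auth.MongoDBX509, auth.SCRAMSHA256), redeclared so this builds with the standard library only.
const (
	MongoDBX509 = "MONGODB-X509"
	SCRAMSHA256 = "SCRAM-SHA-256"
)

// Credential is a cut-down stand-in for the driver's options.Credential.
type Credential struct {
	AuthMechanism string
	AuthSource    string
	Username      string
	Password      string
}

// Config carries the plugin-side inputs that matter for the bug (hypothetical
// field names modelled on the thread: TLSCertificateKeyData plus username/password).
type Config struct {
	Username              string
	Password              string
	TLSCertificateKeyData []byte
}

// merge models how the driver folds option layers together: a later layer's
// non-empty field overwrites the earlier value, so the last layer applied wins.
func merge(layers ...*Credential) *Credential {
	out := &Credential{}
	set := func(dst *string, src string) {
		if src != "" {
			*dst = src
		}
	}
	for _, c := range layers {
		if c == nil {
			continue
		}
		set(&out.AuthMechanism, c.AuthMechanism)
		set(&out.AuthSource, c.AuthSource)
		set(&out.Username, c.Username)
		set(&out.Password, c.Password)
	}
	return out
}

// userPassLayer is what the username/password settings contribute. It names
// no mechanism, leaving the driver to negotiate SCRAM.
func userPassLayer(cfg Config) *Credential {
	if cfg.Username == "" {
		return nil
	}
	return &Credential{Username: cfg.Username, Password: cfg.Password, AuthSource: "admin"}
}

// buggyTLSLayer reproduces the regression: once client-certificate data is
// present it pins MONGODB-X509 against $external, and because it is merged
// after the username/password layer, X.509 always wins.
func buggyTLSLayer(cfg Config) *Credential {
	if len(cfg.TLSCertificateKeyData) == 0 {
		return nil
	}
	return &Credential{AuthMechanism: MongoDBX509, AuthSource: "$external"}
}

// fixedTLSLayer derives the mechanism from the configuration instead: with a
// username and password present it selects SCRAM-SHA-256 and the client
// certificate only secures the transport; otherwise X.509 is kept.
func fixedTLSLayer(cfg Config) *Credential {
	if len(cfg.TLSCertificateKeyData) == 0 {
		return nil
	}
	if cfg.Username != "" && cfg.Password != "" {
		return &Credential{AuthMechanism: SCRAMSHA256}
	}
	return &Credential{AuthMechanism: MongoDBX509, AuthSource: "$external"}
}

// Resolve builds the effective credential; fixed selects the corrected TLS
// layer. A result with neither a mechanism nor a user is rejected, which is
// the "no AuthMechanism could be determined" case raised in review.
func Resolve(cfg Config, fixed bool) (*Credential, error) {
	tls := buggyTLSLayer(cfg)
	if fixed {
		tls = fixedTLSLayer(cfg)
	}
	cred := merge(userPassLayer(cfg), tls)
	if cred.AuthMechanism == "" && cred.Username == "" {
		return nil, errors.New("no authentication mechanism could be determined")
	}
	return cred, nil
}

func main() {
	// Constructed sample: the user from the log above plus placeholder certificate bytes.
	cfg := Config{Username: "exemple-user", Password: "constructed", TLSCertificateKeyData: []byte("constructed-pem")}
	fmt.Println(Resolve(cfg, false)) // buggy: MONGODB-X509 against $external wins
	fmt.Println(Resolve(cfg, true))  // fixed: SCRAM-SHA-256 for exemple-user on admin
}
```

The check in Resolve is the part worth keeping in mind when reviewing this kind of fix: a credential that ends up with no mechanism and no user should fail fast at configuration time rather than surface later as an opaque driver error.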