CDRIVER-2254 fix hang with "canonicalizeHostname"

The GSSAPI / Kerberos option canonicalizeHostname allows the driver to
authenticate when hosts report different hostnames than what is used in
the Kerberos database. We had used it both with Cyrus-SASL and with
Microsoft's SSPI, and it had an infinite loop.

Fix the infinite loop, and ignore the setting with SSPI, since SSPI
canonicalizes hostnames itself. The setting is only required for Cyrus.

Author: ajdavis

doc/authentication.rst

@@ -93,7 +93,7 @@ Now authenticate using the MongoDB URI. ``GSSAPI`` authenticates against the ``$
 
 The driver supports these GSSAPI properties:
 
-* ``CANONICALIZE_HOST_NAME``: This might be required when the hosts report different hostnames than what is used in the kerberos database. The default is "false".
+* ``CANONICALIZE_HOST_NAME``: This might be required with Cyrus-SASL when the hosts report different hostnames than what is used in the Kerberos database. The default is "false".
 * ``SERVICE_NAME``: Use a different service name than the default, "mongodb".
 
 Set properties in the URL:

doc/mongoc_uri_t.rst

@@ -116,7 +116,7 @@ Mechanism Properties
 ========================================== ================================= =========================================================================================================================================================================================================================
 Constant                                   Key                               Description
 ========================================== ================================= =========================================================================================================================================================================================================================
-MONGOC_URI_CANONICALIZEHOSTNAME            canonicalizehostname              Use the canonical hostname of the service, rather than configured alias.
+MONGOC_URI_CANONICALIZEHOSTNAME            canonicalizehostname              Use the canonical hostname of the service, rather than its configured alias, when authenticating with Cyrus-SASL Kerberos.
 MONGOC_URI_GSSAPISERVICENAME               gssapiservicename                 Use alternative service name. The default is ``mongodb``.
 ========================================== ================================= =========================================================================================================================================================================================================================
 

src/mongoc/mongoc-cluster-sspi.c

@@ -149,36 +149,11 @@ _mongoc_cluster_auth_node_sspi (mongoc_cluster_t *cluster,
    bson_t cmd;
    int res = MONGOC_SSPI_AUTH_GSS_CONTINUE;
    int step;
-   bool canonicalize = false;
    const bson_t *options;
-   bson_t properties;
-   char real_name[BSON_HOST_NAME_MAX + 1];
    mongoc_server_stream_t *server_stream;
 
    options = mongoc_uri_get_options (cluster->uri);
-
-   if (bson_iter_init_find_case (
-          &iter, options, MONGOC_URI_CANONICALIZEHOSTNAME) &&
-       BSON_ITER_HOLDS_UTF8 (&iter)) {
-      canonicalize = bson_iter_bool (&iter);
-   }
-
-   if (mongoc_uri_get_mechanism_properties (cluster->uri, &properties)) {
-      if (bson_iter_init_find_case (
-             &iter, &properties, "CANONICALIZE_HOST_NAME") &&
-          BSON_ITER_HOLDS_UTF8 (&iter)) {
-         canonicalize = !strcasecmp (bson_iter_utf8 (&iter, NULL), "true");
-      }
-      bson_destroy (&properties);
-   }
-
-   if (canonicalize && _mongoc_sasl_get_canonicalized_name (
-                          stream, real_name, sizeof real_name, error)) {
-      state = _mongoc_cluster_sspi_new (cluster->uri, real_name);
-   } else {
-      state = _mongoc_cluster_sspi_new (cluster->uri, sd->host.host);
-   }
-
+   state = _mongoc_cluster_sspi_new (cluster->uri, sd->host.host);
 
    if (!state) {
       bson_set_error (error,

src/mongoc/mongoc-cyrus.c

@@ -200,7 +200,7 @@ _mongoc_cyrus_new_from_cluster (mongoc_cyrus_t *sasl,
     */
    if (sasl->credentials.canonicalize_host_name &&
        _mongoc_sasl_get_canonicalized_name (
-          stream, real_name, sizeof real_name, error)) {
+          stream, real_name, sizeof real_name)) {
       _mongoc_sasl_set_service_host ((mongoc_sasl_t *) sasl, real_name);
    } else {
       _mongoc_sasl_set_service_host ((mongoc_sasl_t *) sasl, hostname);

src/mongoc/mongoc-sasl-private.h

@@ -53,8 +53,7 @@ _mongoc_sasl_set_properties (mongoc_sasl_t *sasl, const mongoc_uri_t *uri);
 bool
 _mongoc_sasl_get_canonicalized_name (mongoc_stream_t *node_stream, /* IN */
                                      char *name,                   /* OUT */
-                                     size_t namelen,               /* IN */
-                                     bson_error_t *error);         /* OUT */
+                                     size_t namelen);              /* IN */
 
 BSON_END_DECLS
 

src/mongoc/mongoc-sasl.c

@@ -21,6 +21,7 @@
 #include "mongoc-util-private.h"
 
 #include "mongoc-trace-private.h"
+#include "mongoc-change-stream-private.h"
 
 #undef MONGOC_LOG_DOMAIN
 #define MONGOC_LOG_DOMAIN "SASL"
@@ -149,11 +150,9 @@ _mongoc_sasl_set_properties (mongoc_sasl_t *sasl, const mongoc_uri_t *uri)
 bool
 _mongoc_sasl_get_canonicalized_name (mongoc_stream_t *node_stream, /* IN */
                                      char *name,                   /* OUT */
-                                     size_t namelen,               /* IN */
-                                     bson_error_t *error)          /* OUT */
+                                     size_t namelen)               /* OUT */
 {
    mongoc_stream_t *stream;
-   mongoc_stream_t *tmp;
    mongoc_socket_t *sock = NULL;
    char *canonicalized;
 
@@ -162,17 +161,7 @@ _mongoc_sasl_get_canonicalized_name (mongoc_stream_t *node_stream, /* IN */
    BSON_ASSERT (node_stream);
    BSON_ASSERT (name);
 
-   /*
-    * Find the underlying socket used in the stream chain.
-    */
-   for (stream = node_stream; stream;) {
-      if ((tmp = mongoc_stream_get_base_stream (stream))) {
-         stream = tmp;
-         continue;
-      }
-      break;
-   }
-
+   stream = mongoc_stream_get_root_stream (node_stream);
    BSON_ASSERT (stream);
 
    if (stream->type == MONGOC_STREAM_SOCKET) {

src/mongoc/mongoc-stream-private.h

@@ -44,6 +44,8 @@ _mongoc_stream_writev_full (mongoc_stream_t *stream,
                             int32_t timeout_msec,
                             bson_error_t *error);
 
+mongoc_stream_t *
+mongoc_stream_get_root_stream (mongoc_stream_t *stream);
 
 BSON_END_DECLS
 

src/mongoc/mongoc-stream.c

@@ -312,9 +312,8 @@ mongoc_stream_get_base_stream (mongoc_stream_t *stream) /* IN */
 }
 
 
-static mongoc_stream_t *
+mongoc_stream_t *
 mongoc_stream_get_root_stream (mongoc_stream_t *stream)
-
 {
    BSON_ASSERT (stream);
 

tests/test-mongoc-cyrus.c

@@ -18,6 +18,8 @@
 #include <mongoc-thread-private.h>
 #ifdef MONGOC_ENABLE_SASL_CYRUS
 #include <mongoc-cyrus-private.h>
+#include <mongoc-client-private.h>
+
 #endif
 
 #include "TestSuite.h"
@@ -179,6 +181,28 @@ test_sasl_properties (void)
    _mongoc_cyrus_destroy (&sasl);
    mongoc_uri_destroy (uri);
 }
+
+
+static void
+test_sasl_canonicalize_hostname (void *ctx)
+{
+   mongoc_client_t *client;
+   mongoc_server_stream_t *ss;
+   char real_name[BSON_HOST_NAME_MAX + 1] = {'\0'};
+   bson_error_t error;
+
+   client = test_framework_client_new ();
+   ss = mongoc_cluster_stream_for_reads (&client->cluster, NULL, &error);
+   ASSERT_OR_PRINT (ss, error);
+
+   BSON_ASSERT (_mongoc_sasl_get_canonicalized_name (
+      ss->stream, real_name, sizeof real_name));
+
+   ASSERT_CMPSIZE_T (strlen (real_name), >, (size_t) 0);
+
+   mongoc_server_stream_cleanup (ss);
+   mongoc_client_destroy (client);
+}
 #endif
 
 
@@ -192,6 +216,13 @@ test_sasl_install (TestSuite *suite)
                       NULL,
                       should_run_gssapi_kerberos);
 #ifdef MONGOC_ENABLE_SASL_CYRUS
+   TestSuite_AddFull (suite,
+                      "/SASL/canonicalize",
+                      test_sasl_canonicalize_hostname,
+                      NULL,
+                      NULL,
+                      TestSuite_CheckLive,
+                      test_framework_skip_if_offline);
    TestSuite_Add (suite, "/SASL/properties", test_sasl_properties);
 #endif
 }