CDRIVER-737: Improve SCRAM-SHA-1 failure message

Author: bjori

build/autotools/CheckSSL.m4

@@ -1,6 +1,6 @@
 AC_ARG_ENABLE([ssl],
               [AS_HELP_STRING([--enable-ssl=@<:@auto/yes/no@:>@],
-                              [Use OpenSSL for TLS connections.])],
+                              [Use OpenSSL for TLS connections and SCRAM-SHA-1 authentication. NOTE: OpenSSL is required for authenticating to MongoDB 3.0 and later])],
               [],
               [enable_ssl=auto])
 

doc/installing.page

@@ -66,6 +66,15 @@
 
     <p>Minimal dependencies are needed to build the MongoDB C driver. Optionally, if you want Kerberos (GSSAPI) or SSL support, you need to install <code>libsasl2</code> and <code>OpenSSL</code> libraries and development headers respectively.</p>
 
+    <note>
+      <p>
+      In MongoDB 3.0 and later the default authentication mechanism is SCRAM-SHA-1.
+      The MongoDB C Driver must be built with OpenSSL to use SCRAM-SHA-1 authentication,
+      since the driver uses hash algorithms from the OpenSSL library to implement SCRAM-SHA-1,
+      even if it connects to MongoDB over a non-SSL connection.
+      </p>
+    </note>
+
     <p>Make sure you have access to a <link xref="installing#supported-platforms">supported toolchain</link> such as GCC, Clang, SolarisStudio, or MinGW. Optionally, <code>pkg-config</code> can be used if your system supports it to simplify locating proper compiler and linker arguments when compiling your program.</p>
 
     <p>The following will configure for a typical 64-bit Linux system such as RedHat Enterprise Linux 6 or CentOS 6. Note that not all systems place 64-bit libraries in <code>/usr/lib64</code>. Check your system to see what the convention is if you are building 64-bit versions of the library.</p>

src/mongoc/mongoc-cluster.c

@@ -998,23 +998,43 @@ _mongoc_cluster_auth_node (mongoc_cluster_t *cluster,
 
    if (0 == strcasecmp (mechanism, "MONGODB-CR")) {
       ret = _mongoc_cluster_auth_node_cr (cluster, stream, error);
-#ifdef MONGOC_ENABLE_SSL
    } else if (0 == strcasecmp (mechanism, "MONGODB-X509")) {
+#ifdef MONGOC_ENABLE_SSL
       ret = _mongoc_cluster_auth_node_x509 (cluster, stream, error);
+#else
+      bson_set_error (error,
+                      MONGOC_ERROR_CLIENT,
+                      MONGOC_ERROR_CLIENT_AUTHENTICATE,
+                      "The \"%s\" authentication mechanism requires libmongoc built with --enable-ssl",
+                      mechanism);
+#endif
    } else if (0 == strcasecmp (mechanism, "SCRAM-SHA-1")) {
+#ifdef MONGOC_ENABLE_SSL
       ret = _mongoc_cluster_auth_node_scram (cluster, stream, error);
+#else
+      bson_set_error (error,
+                      MONGOC_ERROR_CLIENT,
+                      MONGOC_ERROR_CLIENT_AUTHENTICATE,
+                      "The \"%s\" authentication mechanism requires libmongoc built with --enable-ssl",
+                      mechanism);
 #endif
-#ifdef MONGOC_ENABLE_SASL
    } else if (0 == strcasecmp (mechanism, "GSSAPI")) {
+#ifdef MONGOC_ENABLE_SASL
       ret = _mongoc_cluster_auth_node_sasl (cluster, stream, hostname, error);
+#else
+      bson_set_error (error,
+                      MONGOC_ERROR_CLIENT,
+                      MONGOC_ERROR_CLIENT_AUTHENTICATE,
+                      "The \"%s\" authentication mechanism requires libmongoc built with --enable-sasl",
+                      mechanism);
 #endif
    } else if (0 == strcasecmp (mechanism, "PLAIN")) {
       ret = _mongoc_cluster_auth_node_plain (cluster, stream, error);
    } else {
       bson_set_error (error,
                       MONGOC_ERROR_CLIENT,
                       MONGOC_ERROR_CLIENT_AUTHENTICATE,
-                      "The authentication mechanism \"%s\" is not supported.",
+                      "Unknown authentication mechanism \"%s\".",
                       mechanism);
    }
 

tests/test-libmongoc.c

@@ -390,6 +390,14 @@ test_framework_get_uri_str (const char *uri_str)
       abort ();
    }
 
+#ifndef MONGOC_ENABLE_SSL
+   if (user && password) {
+      fprintf (stderr, "You need to configure with --enable-ssl"
+                       " when providing user+password (for SCRAM-SHA-1)\n");
+      abort ();
+   }
+#endif
+
    /* add "ssl=true" if needed */
    if (test_framework_get_ssl () && !mongoc_uri_get_ssl (uri_parsed)) {
       test_uri_str = bson_strdup_printf (

tests/test-mongoc-client.c

@@ -57,7 +57,7 @@ gen_good_uri (const char *username,
 
 
 static void
-test_mongoc_client_authenticate (void)
+test_mongoc_client_authenticate (void *context)
 {
    mongoc_client_t *admin_client;
    char *username;
@@ -127,8 +127,22 @@ test_mongoc_client_authenticate (void)
 }
 
 
+int should_run_auth_tests (void)
+{
+#ifndef MONGOC_ENABLE_SSL
+   mongoc_client_t *client = test_framework_client_new (NULL);
+   uint32_t server_id = mongoc_cluster_preselect(&client->cluster, MONGOC_OPCODE_QUERY, NULL, NULL);
+
+   if (mongoc_cluster_node_max_wire_version (&client->cluster, server_id) > 2) {
+      mongoc_client_destroy (client);
+      return 0;
+   }
+#endif
+
+   return 1;
+}
 static void
-test_mongoc_client_authenticate_failure (void)
+test_mongoc_client_authenticate_failure (void *context)
 {
    mongoc_collection_t *collection;
    mongoc_cursor_t *cursor;
@@ -151,6 +165,7 @@ test_mongoc_client_authenticate_failure (void)
     */
    bson_init(&q);
    client = test_framework_client_new (bad_uri_str);
+
    collection = mongoc_client_get_collection(client, "test", "test");
    suppress_one_message ();
    cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 1, 0,
@@ -675,8 +690,8 @@ test_client_install (TestSuite *suite)
    }
 
    TestSuite_Add (suite, "/Client/read_prefs", test_mongoc_client_read_prefs);
-   TestSuite_Add (suite, "/Client/authenticate", test_mongoc_client_authenticate);
-   TestSuite_Add (suite, "/Client/authenticate_failure", test_mongoc_client_authenticate_failure);
+   TestSuite_AddFull (suite, "/Client/authenticate", test_mongoc_client_authenticate, NULL, NULL, should_run_auth_tests);
+   TestSuite_AddFull (suite, "/Client/authenticate_failure", test_mongoc_client_authenticate_failure, NULL, NULL, should_run_auth_tests);
    TestSuite_Add (suite, "/Client/command", test_mongoc_client_command);
    TestSuite_Add (suite, "/Client/command_secondary", test_mongoc_client_command_secondary);
    TestSuite_Add (suite, "/Client/preselect", test_mongoc_client_preselect);