1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
# frozen_string_literal: true
# rubocop:todo all
require 'lite_spec_helper'
require 'support/shared/scram_conversation'
describe Mongo::Auth::Scram::Conversation do
# Test uses global assertions
clean_slate_for_all_if_possible
include_context 'scram conversation context'
let(:conversation) do
described_class.new(user, double('connection'))
end
it_behaves_like 'scram conversation'
let(:user) do
Mongo::Auth::User.new(
database: Mongo::Database::ADMIN,
user: 'user',
password: 'pencil',
# We specify SCRAM-SHA-1 so that we don't accidentally use
# SCRAM-SHA-256 on newer server versions.
auth_mech: :scram,
)
end
let(:mechanism) do
:scram
end
describe '#start' do
let(:msg) do
conversation.start(connection)
end
before do
expect(SecureRandom).to receive(:base64).once.and_return('NDA2NzU3MDY3MDYwMTgy')
end
let(:command) do
msg.payload['command']
end
it 'sets the sasl start flag' do
expect(command[:saslStart]).to eq(1)
end
it 'sets the auto authorize flag' do
expect(command[:autoAuthorize]).to eq(1)
end
it 'sets the mechanism' do
expect(command[:mechanism]).to eq('SCRAM-SHA-1')
end
it 'sets the command' do
expect(command[:payload].data).to eq('n,,n=user,r=NDA2NzU3MDY3MDYwMTgy')
end
end
describe '#continue' do
include_context 'scram continue and finalize replies'
before do
expect(SecureRandom).to receive(:base64).once.and_return('NDA2NzU3MDY3MDYwMTgy')
end
context 'when the server rnonce starts with the nonce' do
let(:continue_payload) do
BSON::Binary.new(
'r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
)
end
let(:msg) do
conversation.continue(continue_document, connection)
end
let(:command) do
msg.payload['command']
end
it 'sets the conversation id' do
expect(command[:conversationId]).to eq(1)
end
it 'sets the command' do
expect(command[:payload].data).to eq(
'c=biws,r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,p=qYUYNy6SQ9Jucq9rFA9nVgXQdbM='
)
end
it 'sets the continue flag' do
expect(command[:saslContinue]).to eq(1)
end
end
context 'when the server nonce does not start with the nonce' do
let(:continue_payload) do
BSON::Binary.new(
'r=NDA2NzU4MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
)
end
it 'raises an error' do
expect {
conversation.continue(continue_document, connection)
}.to raise_error(Mongo::Error::InvalidNonce)
end
end
end
describe '#finalize' do
include_context 'scram continue and finalize replies'
let(:continue_payload) do
BSON::Binary.new(
'r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
)
end
before do
expect(SecureRandom).to receive(:base64).once.and_return('NDA2NzU3MDY3MDYwMTgy')
end
context 'when the verifier matches the server signature' do
let(:finalize_payload) do
BSON::Binary.new('v=gwo9E8+uifshm7ixj441GvIfuUY=')
end
let(:msg) do
conversation.continue(continue_document, connection)
conversation.process_continue_response(finalize_document)
conversation.finalize(connection)
end
let(:command) do
msg.payload['command']
end
it 'sets the conversation id' do
expect(command[:conversationId]).to eq(1)
end
it 'sets the empty command' do
expect(command[:payload].data).to eq('')
end
it 'sets the continue flag' do
expect(command[:saslContinue]).to eq(1)
end
end
context 'when the verifier does not match the server signature' do
let(:finalize_payload) do
BSON::Binary.new('v=LQ+8yhQeVL2a3Dh+TDJ7xHz4Srk=')
end
it 'raises an error' do
expect {
conversation.continue(continue_document, connection)
conversation.process_continue_response(finalize_document)
conversation.finalize(connection)
}.to raise_error(Mongo::Error::InvalidSignature)
end
end
context 'when server signature is empty' do
let(:finalize_payload) do
BSON::Binary.new('v=')
end
it 'raises an error' do
expect {
conversation.continue(continue_document, connection)
conversation.process_continue_response(finalize_document)
conversation.finalize(connection)
}.to raise_error(Mongo::Error::InvalidSignature)
end
end
context 'when server signature is not provided' do
let(:finalize_payload) do
BSON::Binary.new('ok=absolutely')
end
it 'succeeds but does not mark conversation server verified' do
conversation.continue(continue_document, connection)
conversation.process_continue_response(finalize_document)
conversation.finalize(connection)
conversation.server_verified?.should be false
end
end
end
end
|
