Add proper DN construction (#55)

csucu · domodwyer · commit 663dfe518a3a · 2017-11-02T14:52:41.000Z
* Add proper DN construction

* Added openssl check to test

* Addressed code review comments

* Changes to RDNformatting, and test

* type/value fields to tests

* Changes to RDN formatting

* Corrected comment in getRFC2253NameString

* Corrected comment in getRFC2253NameString

* Changes to login and rdn formatting

* Changed escaping of #
diff --git a/auth_test.go b/auth_test.go
@@ -28,6 +28,7 @@ package mgo_test
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -963,6 +964,57 @@ func (s *S) TestAuthX509Cred(c *C) {
 	c.Assert(len(names) > 0, Equals, true)
 }
 
+func (s *S) TestAuthX509CredRDNConstruction(c *C) {
+	session, err := mgo.Dial("localhost:40001")
+	c.Assert(err, IsNil)
+	defer session.Close()
+	binfo, err := session.BuildInfo()
+	c.Assert(err, IsNil)
+	if binfo.OpenSSLVersion == "" {
+		c.Skip("server does not support SSL")
+	}
+
+	clientCertPEM, err := ioutil.ReadFile("harness/certs/client.pem")
+	c.Assert(err, IsNil)
+
+	clientCert, err := tls.X509KeyPair(clientCertPEM, clientCertPEM)
+	c.Assert(err, IsNil)
+
+	clientCert.Leaf, err = x509.ParseCertificate(clientCert.Certificate[0])
+	c.Assert(err, IsNil)
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+		Certificates:       []tls.Certificate{clientCert},
+	}
+
+	var host = "localhost:40003"
+	c.Logf("Connecting to %s...", host)
+	session, err = mgo.DialWithInfo(&mgo.DialInfo{
+		Addrs: []string{host},
+		DialServer: func(addr *mgo.ServerAddr) (net.Conn, error) {
+			return tls.Dial("tcp", addr.String(), tlsConfig)
+		},
+	})
+	c.Assert(err, IsNil)
+	defer session.Close()
+
+	cred := &mgo.Credential{
+		Username:    "root",
+		Mechanism:   "MONGODB-X509",
+		Source:      "$external",
+		Certificate: tlsConfig.Certificates[0].Leaf,
+	}
+	err = session.Login(cred)
+	c.Assert(err, NotNil)
+
+	cred.Username = ""
+	c.Logf("Authenticating...")
+	err = session.Login(cred)
+	c.Assert(err, IsNil)
+	c.Logf("Authenticated!")
+}
+
 var (
 	plainFlag = flag.String("plain", "", "Host to test PLAIN authentication against (depends on custom environment)")
 	plainUser = "einstein"
diff --git a/session.go b/session.go
@@ -28,6 +28,9 @@ package mgo
 
 import (
 	"crypto/md5"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -825,6 +828,15 @@ type Credential struct {
 	// Mechanism defines the protocol for credential negotiation.
 	// Defaults to "MONGODB-CR".
 	Mechanism string
+
+	// Certificate defines an x509 certificate for authentication at login,
+	// for reference please see, https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/
+	// If providing a certificate:
+	// The Username field is populated from the cert and should not be set
+	// The Mechanism field should be MONGODB-X509 or not set.
+	// The Source field should be $external or not set.
+	// If not specified, the username will have to be set manually.
+	Certificate *x509.Certificate
 }
 
 // Login authenticates with MongoDB using the provided credential.  The
@@ -847,6 +859,19 @@ func (s *Session) Login(cred *Credential) error {
 	defer socket.Release()
 
 	credCopy := *cred
+	if cred.Certificate != nil && cred.Username != "" {
+		return errors.New("failed to login, both certificate and credentials are given")
+	}
+
+	if cred.Certificate != nil {
+		credCopy.Username, err = getRFC2253NameStringFromCert(cred.Certificate)
+		if err != nil {
+			return err
+		}
+		credCopy.Mechanism = "MONGODB-X509"
+		credCopy.Source = "$external"
+	}
+
 	if cred.Source == "" {
 		if cred.Mechanism == "GSSAPI" {
 			credCopy.Source = "$external"
@@ -5212,3 +5237,73 @@ func hasErrMsg(d []byte) bool {
 	}
 	return false
 }
+
+// getRFC2253NameStringFromCert converts from an ASN.1 structured representation of the certificate
+// to a UTF-8 string representation(RDN) and returns it.
+func getRFC2253NameStringFromCert(certificate *x509.Certificate) (string, error) {
+	var RDNElements = pkix.RDNSequence{}
+	_, err := asn1.Unmarshal(certificate.RawSubject, &RDNElements)
+	return getRFC2253NameString(&RDNElements), err
+}
+
+// getRFC2253NameString converts from an ASN.1 structured representation of the RDNSequence
+// from the certificate to a UTF-8 string representation(RDN) and returns it.
+func getRFC2253NameString(RDNElements *pkix.RDNSequence) string {
+	var RDNElementsString = []string{}
+	var replacer = strings.NewReplacer(",", "\\,", "=", "\\=", "+", "\\+", "<", "\\<", ">", "\\>", ";", "\\;")
+	//The elements in the sequence needs to be reversed when converting them
+	for i := len(*RDNElements) - 1; i >= 0; i-- {
+		var nameAndValueList = make([]string,len((*RDNElements)[i]))
+		for j, attribute := range (*RDNElements)[i] {
+			var shortAttributeName = rdnOIDToShortName(attribute.Type)
+			if len(shortAttributeName) <= 0 {
+				nameAndValueList[j] = fmt.Sprintf("%s=%X", attribute.Type.String(), attribute.Value.([]byte))
+				continue
+			}
+			var attributeValueString = attribute.Value.(string)
+			// escape leading space or #
+			if strings.HasPrefix(attributeValueString, " ") || strings.HasPrefix(attributeValueString, "#") {
+				attributeValueString = "\\" + attributeValueString
+			}
+			// escape trailing space, unless it's already escaped
+			if strings.HasSuffix(attributeValueString, " ") && !strings.HasSuffix(attributeValueString, "\\ ") {
+				attributeValueString = attributeValueString[:len(attributeValueString)-1] + "\\ "
+			}
+
+			// escape , = + < > # ;
+			attributeValueString = replacer.Replace(attributeValueString)
+			nameAndValueList[j] = fmt.Sprintf("%s=%s", shortAttributeName, attributeValueString)
+		}
+
+		RDNElementsString = append(RDNElementsString, strings.Join(nameAndValueList, "+"))
+	}
+
+	return strings.Join(RDNElementsString, ",")
+}
+
+var oidsToShortNames = []struct {
+	oid       asn1.ObjectIdentifier
+	shortName string
+}{
+	{asn1.ObjectIdentifier{2, 5, 4, 3}, "CN"},
+	{asn1.ObjectIdentifier{2, 5, 4, 6}, "C"},
+	{asn1.ObjectIdentifier{2, 5, 4, 7}, "L"},
+	{asn1.ObjectIdentifier{2, 5, 4, 8}, "ST"},
+	{asn1.ObjectIdentifier{2, 5, 4, 10}, "O"},
+	{asn1.ObjectIdentifier{2, 5, 4, 11}, "OU"},
+	{asn1.ObjectIdentifier{2, 5, 4, 9}, "STREET"},
+	{asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, "DC"},
+	{asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}, "UID"},
+}
+
+// rdnOIDToShortName returns an short name of the given RDN OID. If the OID does not have a short
+// name, the function returns an empty string
+func rdnOIDToShortName(oid asn1.ObjectIdentifier) string {
+	for i := range oidsToShortNames {
+		if oidsToShortNames[i].oid.Equal(oid) {
+			return oidsToShortNames[i].shortName
+		}
+	}
+
+	return ""
+}
diff --git a/session_internal_test.go b/session_internal_test.go
@@ -1,11 +1,17 @@
 package mgo
 
 import (
-	"testing"
-
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"github.com/globalsign/mgo/bson"
+	. "gopkg.in/check.v1"
+	"testing"
 )
 
+type S struct{}
+
+var _ = Suite(&S{})
+
 // This file is for testing functions that are not exported outside the mgo
 // package - avoid doing so if at all possible.
 
@@ -22,3 +28,37 @@ func TestIndexedInt64FieldsBug(t *testing.T) {
 
 	_ = simpleIndexKey(input)
 }
+
+func (s *S) TestGetRFC2253NameStringSingleValued(c *C) {
+	var RDNElements = pkix.RDNSequence{
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "GO"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 8}, Value: "MGO"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 7}, Value: "MGO"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "MGO"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Client"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "localhost"}},
+	}
+
+	c.Assert(getRFC2253NameString(&RDNElements), Equals, "CN=localhost,OU=Client,O=MGO,L=MGO,ST=MGO,C=GO")
+}
+
+func (s *S) TestGetRFC2253NameStringEscapeChars(c *C) {
+	var RDNElements = pkix.RDNSequence{
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "GB"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 8}, Value: "MGO "}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Sue, Grabbit and Runn < > ;"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "L. Eagle"}},
+	}
+
+	c.Assert(getRFC2253NameString(&RDNElements), Equals, "CN=L. Eagle,O=Sue\\, Grabbit and Runn \\< \\> \\;,ST=MGO\\ ,C=GB")
+}
+
+func (s *S) TestGetRFC2253NameStringMultiValued(c *C) {
+	var RDNElements = pkix.RDNSequence{
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "US"}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Widget Inc."}},
+		{{Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Sales"}, {Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "J. Smith"}},
+	}
+
+	c.Assert(getRFC2253NameString(&RDNElements), Equals, "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US")
+}
