CSHARP-2838: MONGODB-AWS Support

[MikalaiMazurenka]

Evergreen: https://evergreen.mongodb.com/version/5e728a2056234309d47a9510

Note: Mark's AWS .NET POC branch: https://github.com/markbenvenuto/mongo-csharp-driver/commits/iam_auth

[MikalaiMazurenka]

From specification (link):

Region is not a header, but simply part of the authorization header. Region by default is ‘us-east-1’ since this is the implicit region for ‘sts.amazonaws.com’. Drivers will need to derive the region to use from the endpoint. The region is the second piece of a FQDN name. While all official AWS STS endpoints start with “sts.”, there are non-AWS hosted endpoints and test endpoints that will not follow this rule.

Host              | Region
sts.amazonaws.com | us-east-1
first.second      | second
first             | us-east-1

[MikalaiMazurenka]

For composing signature details refer to specification: link
Specifically this image (it is included in specification): link

[MikalaiMazurenka]

Here is the usage of single instance HttpClient we discussed in slack.

[DmitryLukyanov]

Let's move the whole httpclient details into a helper class. Consider how it can be:
DmitryLukyanov@1b03be9#diff-ffb35b98eecd05d3c7b6133327bf13b3R375-R479

[MikalaiMazurenka]

Great job! Thanks for suggested code!
Done.

[MikalaiMazurenka]

Constant values taken from spec: link

[DmitryLukyanov]

Mostly we use the upper camelcase for constants names

[DmitryLukyanov]

Also, the constant name does tell for what reason this value will be used. I think this value may be moved into the method private byte[] GenerateRandomBytes() similar how it's done in https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs#L160

[MikalaiMazurenka]

It's also used in server nonce validation here: https://github.com/MikalaiMazurenka/mongo-csharp-driver/pull/22/files#diff-ffb35b98eecd05d3c7b6133327bf13b3R436
So to avoid using magic numbers in code, I leave it as is. Regarding case: I see different formats throughout the solution. E.g. pascal case: link, winapi style: link (not sure how it's called), camel case: link. Could you please link some guidelines on this?
For now I've made the name more meaningful.

[DmitryLukyanov]

The only guide is to use the most latest way, and as far as I know, in the latest code, we use the upper camelcase format. It's a good point to mention it somewhere, I think we have some document which can be used for that target. @vincentkam do you remember the document which we wanted to use for that target (I remember we discussed similar case around a year ago)?

[MikalaiMazurenka]

Regarding validation please refer to spec (link):

regardless of how Drivers obtain credentials the only valid combination of credentials is an access key ID and a secret access key or an access key ID, a secret access key and a session token.

[vincentkam]

This message about needing secret access key appears often enough that I wonder if we should have a constant that defines it?

[MikalaiMazurenka]

Those are different:

"A MONGODB-AWS must have access key id."
"A MONGODB-AWS must have secret access key."

[MikalaiMazurenka]

The conversation process is described in specification: link

[MikalaiMazurenka]

From specification (link):

Drivers SHOULD enforce a 10 second read timeout while waiting for incoming content from both the ECS and EC2 endpoints.

[MikalaiMazurenka]

As per conversation with Mark Benvenuto, for AWS auth I switched to random byte generation (with 256 possible values) instead of existing random character generation (with around 100).

[MikalaiMazurenka]

This is an inevitable requirement for using HttpClient (link).

[vincentkam]

Should we be using a PackageReference, targeting https://www.nuget.org/packages/System.Net.Http/ instead of a Reference? I feel like Reference only works if the user already has that dll/package somewhere in their path but I'm not 100% on that...

[bazile-clyde]

Does this need to be silent? This is silent in Java because the URI is echoed as part of the command that runs the test here. And the URI will be echoed again when the test run. Thus any test that passed secrets as the value to -Dorg.mongodb.test.uri= was silenced. This doesn't appear to be the case from looking at run-mongodb-aws-test.sh but I haven't looked at the output in evergreen. If evergreen doesn't echo the URI I'd consider putting this in a separate command. Looking at the POC for Node or Python might be helpful.

[MikalaiMazurenka]

I see Python splitting this test into two parts: one which must be silenced and one not (link)
I will run a patch build to check this, but I'm mostly sure cat command should be silenced.

[MikalaiMazurenka]

Indeed silencing can be removed there.
Done.

[bazile-clyde]

Per my comment above, I don't think this needs to be silent.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Ready for review!

[bazile-clyde]

For the unit test in Java, I used the values in AWS's documentation as opposed to the values returned from the mock servers. This was to ensure that my code conformed to AWS's signature v4 process rather than the mocks rendition of it, should they differ. It might be worthwhile to the same as a cautionary measure.

[MikalaiMazurenka]

Ready for review!

[MikalaiMazurenka]

I see Python splitting this test into two parts: one which must be silenced and one not (link)
I will run a patch build to check this, but I'm mostly sure cat command should be silenced.

[DmitryLukyanov]

Partial review, mostly for the MongoAWSAuthenticator. I will continue reviewing.
Commit with suggestions: DmitryLukyanov@1b03be9

[DmitryLukyanov]

I'm not sure that this is the best way to do this work. However maybe I missed something, I need to understand what data are presented in bytes to be sure. I think we need to have a test in Core with mocked data similar to: https://github.com/mongodb/mongo-csharp-driver/blob/master/tests/MongoDB.Driver.Core.Tests/Core/Authentication/ScramSha256AuthenticatorTests.cs#L33. This will allow us to be able to run these code paths without any additional configuration

[MikalaiMazurenka]

I've added the high level mocked test.

[DmitryLukyanov]

I guess you need to change this code on the following:

       if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2)
        {
            clientSettings.GuidRepresentation = GuidRepresentation.Unspecified;
        }

[MikalaiMazurenka]

Done. Please recheck that it's what you expected.

[DmitryLukyanov]

It's better to leave the suggested code since the reason why it's left without covering via methods or some other possible refactoring, that it will be removed in the version 3.0

[DmitryLukyanov]

I don't think that tuple is a good enough variable name here. Also, please note that previously we decided to avoid using tuples in the driver code

[MikalaiMazurenka]

Refactored with out parameter.
Done.

[DmitryLukyanov]

NOTE: previously we used encoding.GetBytes for similar case https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs#L253 Not sure that document is better to use here. I will come back to it in my next round review.

[DmitryLukyanov]

My point that previously we didn't use BsonDocument for that target. Instead we used Utf8Encodings.Strict. See here: https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs#L253
But I don't think that there is anything wrong in the current implementation. I will rely on other reviewers' opinion here

[vincentkam]

My apologies if I'm misunderstanding your comment Dima, but are you saying that we shouldn't use a BsonDocument here?

If so, I think the key difference between SCRAM-SHA and MONGODB-AWS is that the payload field in SCRAM-SHA uses the "SASL map" format (https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs#L210), which is essentially a fancy comma separated value string, and the payload field in MONGODB-AWS uses BSON (https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#mongodb-aws). Therefore, I believe the approach of using a BsonDocument here is correct.

[rstam]

Why can't we just use:

var clientSecondMessageBytes = document.ToBson();

[DmitryLukyanov]

@vincentkam , I agree with you. Originally I thought that I saw comma separated data here, but probably i was wrong

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

it looks like this class does nothing (unless I didn't miss something)? Is it expected?

[MikalaiMazurenka]

It completes the conversation.

[DmitryLukyanov]

as far as I can see there is no real logic here, instead of this, we can just return CompletedStep. But maybe it makes sense to leave it to be consistent with the other implementations

[vincentkam]

I don't mind either way: I defer to Mikalai here :)

[DmitryLukyanov]

I'm ok with the current version

[MikalaiMazurenka]

I leave it as is unless there are other concerns.

[MikalaiMazurenka]

From spec (link):

Drivers MUST validate that the server nonce is exactly 64 bytes and the first 32 bytes are the same as the client nonce.

[DmitryLukyanov]

So, currently, my main suggestion is adding a new mocked test in Core to be able to debug this functionality without additional configuration

[DmitryLukyanov]

Can we have empty MONGODB_URI at all? And even if so, should we update the up level script to fill it? As I understand, we don't fill connection string on this level usually

[DmitryLukyanov]

if we don't want to miss a bug in the our configuration when we missed filling of MONGODB_URI, maybe it's better to trigger exception in this case?

[MikalaiMazurenka]

Good point! With addition of code here: line MONGODB_URI should always be set.
Done.

[DmitryLukyanov]

Consider:

 public static string GetRegion(string host)
    {
        string[] splitted;
        if (host == "sts.amazonaws.com" || (splitted = host.Split('.')).Length <= 1)
        {
            return "us-east-1";
        }

        return splitted[1];
    }

[MikalaiMazurenka]

I'd say that current code is a bit more readable (for me at least), but if you think suggested way is better, I'll update it.

[DmitryLukyanov]

Maybe,
I read this code as: if a host is sts.amazonaws.com or host has one or fewer parts => use us-east-1, otherwise use the first. This is exactly what I wrote. But I will rely on your and other reviewers opinion here

[DmitryLukyanov]

can you clarify this line?

[MikalaiMazurenka]

From specification (see the name/value table, closest anchor: link):

Body | Action=GetCallerIdentity&Version=2011-06-15\n

[DmitryLukyanov]

I saw this line in the doc. This is weird, but at the same time this is what the doc requires

[DmitryLukyanov]

Consider simplifying:

    [Fact]
    public void Aws_authentication_should_behave_as_expected()
    {
        using (var client = DriverTestConfiguration.CreateDisposableClient())
        {
            // test that a command that doesn't require auth completes normally
            var adminDatabase = client.GetDatabase("admin");
            var isMasterCommand = new BsonDocument("ismaster", 1);
            var isMasterResult = adminDatabase.RunCommand<BsonDocument>(isMasterCommand);

            // test that a command that does require auth completes normally
            var database = client.GetDatabase(DriverTestConfiguration.DatabaseNamespace.DatabaseName);
            var collection = database.GetCollection<BsonDocument>(DriverTestConfiguration.CollectionNamespace.CollectionName);
            var count = collection.CountDocuments(FilterDefinition<BsonDocument>.Empty);
        }
    }

[DmitryLukyanov]

Maybe it's not important, but this test will be called not only for aws tests. I think it's not problem to run this small tests in any case, but it may confuse if we check the EG log and will see aws test for the environment when it wasn't configured.

[DmitryLukyanov]

NOTE: lately we use the following test naming notation: Aws_authentication_should_behave_as_expected

[MikalaiMazurenka]

Good point.
Done.

[MikalaiMazurenka]

@rstam regarding Dmitry's comment https://github.com/MikalaiMazurenka/mongo-csharp-driver/pull/22/files#r393350233
I think it's not crucial for this test to be run only on AWS task, but if yes, I'm thinking about checking an environment variable, e.g. "AWS_TESTS_ENABLED".
Could you please suggest which way it should be done here?

[vincentkam]

Very quick comments + weighing in on the SecureString discussion: more to come!

[vincentkam]

Nit: add missing newline at the end of the file?

[MikalaiMazurenka]

Thanks, I didn't notice that!
Done.

[vincentkam]

Hm, perhaps another name for methodsList? credentialsGetters?

[vincentkam]

This use of a list funcs is quite neat IMHO! :)

[MikalaiMazurenka]

Thanks! I've taken name from Dmitry's suggestions (link)

[vincentkam]

Side comment:
I was curious as to whether this could be expressed via LINQ and came up with this, which I think should work due to lazy linq evaluation:

var credentials = methodsList
    .Select(GetCredentials => GetCredentials())
    .Where(creds => creds != null)
    .FirstOrDefault(creds => return new MongoAWSMechanism(creds.Credentials, creds.SessionToken, randomByteGenerator));

if (credentials == null)
{
    throw new ArgumentException("A MONGODB-AWS must have access key ID.");
}

return credentials;

But the foreach loop is totally fine, one line shorter, and probably easier to read :) Just thought I'd share a tiny bit of fun I had.

[MikalaiMazurenka]

Thanks! I feel the foreach would be a bit more readable.

[DmitryLukyanov]

nameof(properties)?

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

Should this class really be public and even a separate non nested class?

[DmitryLukyanov]

it looks like the only logic which happens here is creating signature request

[vincentkam]

Perhaps we could make this class internal + static?

[MikalaiMazurenka]

Good point!
Done.

[DmitryLukyanov]

Idk, but this name makes me feel that some real logic happens inside, but it can be called just ToString or so

[vincentkam]

I don't mind this name as a getter can have minimal logic. Also I feel like it might be a bit odd for a static class to have a ToString() method?

[MikalaiMazurenka]

From my point of view this method improves readability, so I would like to leave it as is, unless there are other concerns.

[DmitryLukyanov]

a static class to have a ToString() method?

My point was that I don't see how changing a form from dictionary to a string can be named getting canonical headers? It sounds like just technical operation. In other words what was done in the scope of this method to call it getting canonical headers? Maybe I'm missing something. It's a minor point and I can rely on other reviewers here

[DmitryLukyanov]

I checked this link https://raw.githubusercontent.com/mongodb/specifications/master/source/auth/includes/calculating_a_signature.png and I see where this came from.
However, it's still confusing me a bit, since the dictionary before this method also was in canonical form, the only change here that we change a format of this data

[DmitryLukyanov]

similar to the above, does this name tell what happens inside this method?

[MikalaiMazurenka]

Yep, please refer to specification illustration: link
It's SignedHeaders on the picture and the method which acquires them should be called GetSignedHeaders.

[DmitryLukyanov]

As I wrote above, I will rely on the other reviewers' opinion here

[DmitryLukyanov]

CreateAuthenticateRequest?

[MikalaiMazurenka]

I would like to leave it as is. Because this method does a lot of signing and returns signed request.

[DmitryLukyanov]

Based on this name, I would say that this method signs some request which was passed to him which is not true.
CreateSignedRequest?
I will rely on your and other reviewers' opinion here

[DmitryLukyanov]

Mostly we use the upper camelcase for constants names

[DmitryLukyanov]

Also, the constant name does tell for what reason this value will be used. I think this value may be moved into the method private byte[] GenerateRandomBytes() similar how it's done in https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs#L160

[vincentkam]

I don't mind this name as a getter can have minimal logic. Also I feel like it might be a bit odd for a static class to have a ToString() method?

[MikalaiMazurenka]

Ready for review!

[MikalaiMazurenka]

Thanks, I didn't notice that!
Done.

[MikalaiMazurenka]

It's also used in server nonce validation here: https://github.com/MikalaiMazurenka/mongo-csharp-driver/pull/22/files#diff-ffb35b98eecd05d3c7b6133327bf13b3R436
So to avoid using magic numbers in code, I leave it as is. Regarding case: I see different formats throughout the solution. E.g. pascal case: link, winapi style: link (not sure how it's called), camel case: link. Could you please link some guidelines on this?
For now I've made the name more meaningful.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Done. Please recheck that it's what you expected.

[DmitryLukyanov]

CreateTokenRequest?

[MikalaiMazurenka]

Good notice.
Done.

[DmitryLukyanov]

The only guide is to use the most latest way, and as far as I know, in the latest code, we use the upper camelcase format. It's a good point to mention it somewhere, I think we have some document which can be used for that target. @vincentkam do you remember the document which we wanted to use for that target (I remember we discussed similar case around a year ago)?

[DmitryLukyanov]

I think this method should be responsible only for the creation of Aws credentials. The whole validation can be moved in one place where we iterate the created credentials.
It will also allow us to avoid code duplication in the ValidateCredentials methods. The only reason why we have two methods now with fully the same idea is because we have passwords in two forms (string and SecurePassword), after this method, we will have only one variant of the password.

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

I'm not sure that we need to have this logic here. We already have the same method in UsernamePasswordCredential. I think we can create a helper for that target or move this method to BsonUtils. Thoughts?
I will be ok with any solution here.

[MikalaiMazurenka]

As you can see UsernamePasswordCredential.ConvertPasswordToSecureString is private: link
And I wouldn't like to touch existing code, unless there's a crucial necessity. Moreover, my updated ToSecureString wouldn't throw on null input. So I would like to leave this method, unless you insist.

[DmitryLukyanov]

this code will trigger an exception in case if AccessKeyId is not presented in the document, you need to specify the default value:

var username = parsedReponse.GetValue("AccessKeyId", null)?.AsString;

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

I'm not sure why you want to specify the relative path for that case in the top level, but the value latest/meta-data/iam/security-credentials/ for ec2 at the lowest level. I would say we need to specify both of them at the same level

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

copied from outdated: #22 (comment)

[DmitryLukyanov]

as far as I can see there is no real logic here, instead of this, we can just return CompletedStep. But maybe it makes sense to leave it to be consistent with the other implementations

[DmitryLukyanov]

I'm not sure that SignRequest method name really tells about what happens inside. As I understand, we just create an authenticateHeader

[MikalaiMazurenka]

This name is perfectly fine.

[DmitryLukyanov]

as far as I know, mostly we don't use the short names in the driver code

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

My point that previously we didn't use BsonDocument for that target. Instead we used Utf8Encodings.Strict. See here: https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/ScramShaAuthenticator.cs#L253
But I don't think that there is anything wrong in the current implementation. I will rely on other reviewers' opinion here

[DmitryLukyanov]

Note: it's not really necessary to check evidence != null

[MikalaiMazurenka]

It is done in other places: link and link
So I am doing this as in existing implementation.

[DmitryLukyanov]

I'm not sure about this exception. I will rely on @rstam opinion here

[vincentkam]

Ditto above: should this "A MONGODB-AWS credential must have an access key ID."? Perhaps we should use a constant?

[MikalaiMazurenka]

I am implementing this according to existing code: here, here and here.

[MikalaiMazurenka]

Ready for review!

[MikalaiMazurenka]

Good notice.
Done.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

As you can see UsernamePasswordCredential.ConvertPasswordToSecureString is private: link
And I wouldn't like to touch existing code, unless there's a crucial necessity. Moreover, my updated ToSecureString wouldn't throw on null input. So I would like to leave this method, unless you insist.

[vincentkam]

Hm, now I'm slightly confused: According to this, HttpClient is available for the following platforms

.NET Framework
4.8 4.7.2 4.7.1 4.7 4.6.2 4.6.1 4.6 4.5.2 4.5.1 4.5
.NET Standard
2.1 2.0 1.6 1.4 1.3 1.2 1.1

It seems weird for it to be available .Net Standard 1.4 and 1.6 but not 1.5, so this feels like a documentation error to me to be honest. I've confirmed via local testing that the current Driver.Core project builds when targeting .Net Standard 1.5 and 2.0, and fails to build when targeting .NET Framework 4.5.2 when I remove line 102 <Reference Include="System.Net.Http" />

My (other) question is: should we err on the side of safety and use a NuGet package reference instead of a regular reference? i.e.
<PackageReference Include="System.Net.Http" Version="4.3.4" /> (i.e. including https://www.nuget.org/packages/System.Net.Http/).

@DmitryLukyanov @rstam

[rstam]

I'll defer to you all on this one.

[vincentkam]

I think it may be safer to use the PackageReference. I believe by using Reference, the application will need to have the dll in its path somewhere: for our developer machines and the evergren machines, that wouldn't be a problem because we have the DLL from later versions of .NET. By using a PackageReference, I think that it'd allow a machine to not have the DLL on its path at all, as it'll simply download the package from Nuget as needed. What do you think Mikalai?

[vincentkam]

A random side nit for this and other bash scripts:
My loose understanding is that using
#!/usr/bin/env bash
increases the portability of the script (as bash may not always be in /bin/bash). Probably not an issue in this case since our scripts were tailored for Cygwin, where bash does indeed exist at /bin/bash all the time (AFAIK). So again, as this is merely a nit, feel free to ignore :)

[MikalaiMazurenka]

Thanks for suggestion!
Done.

[vincentkam]

Ah interesting hm... perhaps we should mock ServerVersion as well.

[vincentkam]

Hm I wonder if this pattern was meant for "live" connections instead of "mocked" connections. We can keep it, or we can change it to use +1: I defer to Mikalai.

[vincentkam]

Just an FYI: An alternative style to multiline bsondocuments, but feel free to simply resolve this after reading this, I just wanted to share another option :) :

mongo-csharp-driver/tests/MongoDB.Driver.Core.Tests/Core/Authentication/ScramSha256AuthenticatorTests.cs

Line 251 in 8925eae

@"{opcode: ""query""," +

[rstam]

nit: use var

[MikalaiMazurenka]

Done.

[rstam]

nit: sort and remove unused namespaces

[MikalaiMazurenka]

Done.

[rstam]

nit: name parameter "clock"

[MikalaiMazurenka]

Done.

[rstam]

nit: name parameter "clock"

[MikalaiMazurenka]

Done.

[rstam]

nit: name parameter "clock"

[MikalaiMazurenka]

Done.

[rstam]

Same as above regarding formatting.

[MikalaiMazurenka]

Done.

[rstam]

I think this method is not needed. Callers can just use:

var bytes = document.ToBson();

[MikalaiMazurenka]

Done.

[rstam]

I agree that ArgumentException is questionable. ArgumentException is usually reserved for problems with the arguments of the method itself.

Not sure InvalidDataException is right either (there is no data...).

Normally I think we would throw an InvalidOperationException here.

[rstam]

Regarding the error message, make sure every message is a grammatically correct sentence that clearly identifies the object that is involved. So "MONGODB-AWS" doesn't seem correct (i.e. what is a "MONGODB-AWS").

Seems like the correct object is either a AwsCredential or a MongoAwsAuthenticator depending on where the error check is.

[rstam]

I'll defer to you all on this one.

[DmitryLukyanov]

GssapiAuthenticator

[MikalaiMazurenka]

Good point.
Done.

[DmitryLukyanov]

The same as above

[MikalaiMazurenka]

Done.

[DmitryLukyanov]

I think it was my suggestion to have debugging a bit simpler. But I like Robert's idea too.

[DmitryLukyanov]

Should we add an exception in this case? If only one or two required fields were added?

[DmitryLukyanov]

Should we add an exception in case if only one or two required fields were received?

[DmitryLukyanov]

I like Robert's suggestion

[DmitryLukyanov]

@vincentkam , I agree with you. Originally I thought that I saw comma separated data here, but probably i was wrong

[DmitryLukyanov]

I'm ok with the current version

[MikalaiMazurenka]

Ready for review!

[MikalaiMazurenka]

Thanks for suggestion!
Done.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

In my opinion this name correlates to specification. Moreover Java uses the same name for method with same functionality and semantics: link
I prefer to leave it as is, unless there are other concerns besides naming.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Good point.
Done.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Done.

[MikalaiMazurenka]

Done.