
Class: Mongo::Auth::Aws::Conversation Private

Do not use. This class is for internal use only.
Relationships & Source Files
Inherits: Mongo::Auth::SaslConversationBase
Defined in: lib/mongo/auth/aws/conversation.rb

Overview

Defines behavior around a single MONGODB-AWS conversation between the client and server.

Constant Summary

::Mongo::Auth::SaslConversationBase - Inherited

CLIENT_CONTINUE_MESSAGE, CLIENT_FIRST_MESSAGE

Class Method Summary

::Mongo::Auth::ConversationBase - Inherited

.new

Create the new conversation.

Instance Attribute Summary

::Mongo::Auth::ConversationBase - Inherited

Instance Method Summary

::Mongo::Auth::SaslConversationBase - Inherited

#start

Start the SASL conversation.

#auth_mechanism_name

Gets the auth mechanism name for the conversation class.

#client_first_document, #client_first_message_options,
#validate_server_nonce!

Helper method to validate that server nonce starts with the client nonce.

::Mongo::Auth::ConversationBase - Inherited

#build_message,
#speculative_auth_document

Returns the hash to provide to the server in the handshake as value of the speculativeAuthenticate key.

#validate_external_auth_source

Instance Attribute Details

#conversation_id ⇒ Integer (readonly, private)

Get the id of the conversation.

Returns:

  • (Integer)

    The conversation id.

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 66

attr_reader :conversation_id

#server_nonce ⇒ String (readonly, private)

Returns:

  • (String)

    The server nonce.

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 61

attr_reader :server_nonce

Instance Method Details

#client_final_payload (private)

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 87

def client_final_payload
  credentials = CredentialsRetriever.new(user).credentials
  request = Request.new(
    access_key_id: credentials.access_key_id,
    secret_access_key: credentials.secret_access_key,
    session_token: credentials.session_token,
    host: @sts_host,
    server_nonce: server_nonce,
  )

  # Uncomment this line to validate obtained credentials on the
  # client side prior to sending them to the server.
  # This generally produces informative diagnostics as to why
  # the credentials are not valid (e.g., they could be expired)
  # whereas the server normally does not elaborate on why
  # authentication failed (but the reason usually is logged into
  # the server logs).
  #
  # Note that credential validation requires that the client is
  # able to access AWS STS. If this is not permitted by firewall
  # rules, validation will fail but credentials may be perfectly OK
  # and the server may be able to authenticate using them just fine
  # (provided the server is allowed to communicate with STS).
  #request.validate!

  payload = {
    a: request.authorization,
    d: request.formatted_time,
  }
  if credentials.session_token
    payload[:t] = credentials.session_token
  end
  payload.to_bson.to_s
end

#client_first_data (private)

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 68

def client_first_data
  {
    # r: 32 random bytes the server must echo back as the prefix of its nonce.
    r: BSON::Binary.new(client_nonce),
    # p: GS2 channel-binding flag, 110 == 'n' (no channel binding).
    p: 110,
  }
end

#client_first_payload (private)

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 75

def client_first_payload
  client_first_data.to_bson.to_s
end

#client_nonce (private)

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 83

def client_nonce
  @client_nonce ||= SecureRandom.random_bytes(32)
end

#continue(reply_document, connection) ⇒ Protocol::Message

Continue the AWS conversation. This sends the client final message to the server after setting the reply from the previous server communication.

Parameters:

  • reply_document (BSON::Document)

    The reply document of the previous message.

  • connection (Server::Connection)

    The connection being authenticated.

Returns:

  • (Protocol::Message)

    The client final message.

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 40

def continue(reply_document, connection)
  @conversation_id = reply_document[:conversationId]
  payload = reply_document[:payload].data
  payload = BSON::Document.from_bson(BSON::ByteBuffer.new(payload))
  # The server nonce must start with the client nonce from the first
  # message; otherwise the reply is not bound to this conversation.
  @server_nonce = payload[:s].data
  validate_server_nonce!
  # The server names the STS host the client will sign the request for;
  # bound its length before it is used to build the signed request.
  @sts_host = payload[:h]
  unless (1..255).include?(@sts_host.bytesize)
    raise Error::InvalidServerAuthConfiguration, "STS host name length is not in 1..255 bytes range: #{@sts_host}"
  end

  selector = CLIENT_CONTINUE_MESSAGE.merge(
    payload: BSON::Binary.new(client_final_payload),
    conversationId: conversation_id,
  )
  build_message(connection, user.auth_source, selector)
end
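The exchange that #client_first_data, #continue and #client_final_payload implement, run end to end, as an added example that is not the driver's code. It uses only the Ruby standard library: payloads are plain hashes rather than BSON documents, the server side (AwsConvDemo.server_first) is a hypothetical stub that behaves as #continue expects, and the SigV4 signing of the sts:GetCallerIdentity request, the extra x-mongodb-* headers, the 64-byte server-nonce length check and the region derivation from the STS host are assumptions made here rather than facts stated on this page.

```ruby
require "openssl"
require "securerandom"

# Stdlib-only simulation of one MONGODB-AWS conversation (added example,
# not driver code). Server side is a stub; payloads are plain hashes.
module AwsConvDemo
  class InvalidServerAuthConfiguration < StandardError; end

  BODY = "Action=GetCallerIdentity&Version=2011-06-15"

  # Client first: 32 random bytes (r) and p = 110 ('n', no channel binding).
  def self.client_first(client_nonce)
    { r: client_nonce, p: 110 }
  end

  # Hypothetical server reply: client nonce + 32 server bytes, plus STS host.
  def self.server_first(first, sts_host, server_bytes = SecureRandom.random_bytes(32))
    { conversationId: 1, payload: { s: first[:r] + server_bytes, h: sts_host } }
  end

  # The checks #continue runs before any credential is signed. The 64-byte
  # length check is an assumption on top of the page's prefix check.
  def self.validate_server_first!(client_nonce, payload)
    nonce = payload[:s]
    unless nonce.bytesize == 64 && nonce.byteslice(0, 32) == client_nonce
      raise InvalidServerAuthConfiguration, "server nonce does not start with client nonce"
    end
    host = payload[:h]
    unless (1..255).include?(host.bytesize)
      raise InvalidServerAuthConfiguration, "STS host name length is not in 1..255 bytes range: #{host}"
    end
    [nonce, host]
  end

  # Assumed region derivation: sts.amazonaws.com -> us-east-1, otherwise
  # the second label of sts.<region>.amazonaws.com.
  def self.region_for(host)
    host == "sts.amazonaws.com" ? "us-east-1" : host.split(".")[1]
  end

  def self.sha256_hex(data)
    OpenSSL::Digest::SHA256.hexdigest(data)
  end

  def self.hmac(key, data)
    OpenSSL::HMAC.digest("SHA256", key, data)
  end

  # SigV4 over POST sts:GetCallerIdentity with Host = server-supplied STS
  # host and the base64 server nonce as a signed header, so the signature
  # is bound to this conversation and cannot be replayed into another.
  def self.sign(access_key_id:, secret_access_key:, host:, server_nonce:, time:, session_token: nil)
    amz_date = time.getutc.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[0, 8]
    region = region_for(host)
    scope = "#{date}/#{region}/sts/aws4_request"
    headers = {
      "content-length" => BODY.bytesize.to_s,
      "content-type" => "application/x-www-form-urlencoded",
      "host" => host,
      "x-amz-date" => amz_date,
      "x-mongodb-gs2-cb-flag" => "n",
      "x-mongodb-server-nonce" => [server_nonce].pack("m0"),
    }
    headers["x-amz-security-token"] = session_token if session_token
    headers = headers.sort.to_h
    signed_headers = headers.keys.join(";")
    canonical = ["POST", "/", "", headers.map { |k, v| "#{k}:#{v}\n" }.join,
                 signed_headers, sha256_hex(BODY)].join("\n")
    string_to_sign = ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical)].join("\n")
    key = hmac("AWS4#{secret_access_key}", date)
    key = hmac(key, region)
    key = hmac(key, "sts")
    key = hmac(key, "aws4_request")
    signature = OpenSSL::HMAC.hexdigest("SHA256", key, string_to_sign)
    ["AWS4-HMAC-SHA256 Credential=#{access_key_id}/#{scope}, " \
     "SignedHeaders=#{signed_headers}, Signature=#{signature}", amz_date]
  end

  # Client final: a = Authorization header, d = signed timestamp, t = token.
  def self.client_final(conversation_id, creds, host, server_nonce, time)
    auth, amz_date = sign(**creds, host: host, server_nonce: server_nonce, time: time)
    payload = { a: auth, d: amz_date }
    payload[:t] = creds[:session_token] if creds[:session_token]
    { saslContinue: 1, conversationId: conversation_id, payload: payload }
  end

  # Whole exchange, client side; raises on a tampered or malformed reply.
  def self.run(creds, sts_host:, client_nonce: SecureRandom.random_bytes(32), time: Time.now)
    reply = server_first(client_first(client_nonce), sts_host)
    server_nonce, host = validate_server_first!(client_nonce, reply[:payload])
    client_final(reply[:conversationId], creds, host, server_nonce, time)
  end
end
```

Note that the secret access key never leaves the client: only the Authorization header, the timestamp and (if present) the session token are sent, and the server re-derives the caller identity by forwarding the signed request to STS. Rejecting a server nonce that does not extend the client's own nonce is what stops a server from handing the client a nonce captured from an earlier conversation.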

#wrap_data(data) (private)

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/conversation.rb', line 79

def wrap_data(data)
  BSON::Binary.new(data.to_bson.to_s)
end