Implementing MongoDB SASL Authentication in cl-mongo


Problem description

I've forked the cl-mongo (common lisp MongoDB library) repository from fons, as it has fallen out of maintenance and does not support the SCRAM-SHA-1 login process. This is my fork: https://github.com/mprelude/cl-mongo -- the main changes are adding a dependence on cl-scram (my implementation of SCRAM), and adding a bson binary generic container.

I'm still trying to send the initial message, so the issue isn't that the password is wrong, as that isn't used yet.

Why is this part of the authentication failing? If what I want sent to mongo is the content of MESSAGE, can anyone confirm whether BINARY-MESSAGE is what should be sent?

This is my call, with some added debug output:

* (asdf:load-system :cl-mongo)

T
* (cl-mongo:db.use "test")

"test"
* (cl-mongo:db.auth "aurumrw" "pencil" :mechanism :SCRAM-SHA-1)

(kv-container : #(#S(CL-MONGO::PAIR :KEY saslStart :VALUE 1)
                  #S(CL-MONGO::PAIR :KEY mechanism :VALUE SCRAM-SHA-1)
                  #S(CL-MONGO::PAIR
                     :KEY payload
                     :VALUE [CL-MONGO::BSON-BINARY-GENERIC]  [binary data of type 0] ))
 ((CL-MONGO::BINARY-MESSAGE
   . #(98 105 119 115 98 106 49 104 100 88 74 49 98 88 74 51 76 72 73 57 83 87
       116 122 101 84 100 78 101 71 100 97 90 71 52 53 85 69 86 113 87 108 104
       85 89 108 78 75 89 106 74 80 79 87 78 84 99 49 108 84 82 68 99 61))
  (CL-MONGO::MESSAGE . "n,,n=aurumrw,r=Iksy7MxgZdn9PEjZXTbSJb2O9cSsYSD7")
  (CL-MONGO::CODE . 18) (CL-MONGO::OK . 0.0d0)
  (CL-MONGO::ERRMSG . "Authentication failed.")))

Notably, I think Mongo must be reading my request correctly as the message is 'Authentication failed' (error code 18), which suggests that it understands that I've requested a SASL conversation.

I believe the issues I'm having are based on the payload, either the content (base64'd initial message, as octets) or the format.

Drawing on the MongoDB documentation, and the way the original discussion worked, this is my rewritten db.auth function:

(defmethod db.auth ((username string) (password string) &key (mongo (mongo)) (mechanism :SCRAM-SHA-1))
  (cond ((equal mechanism :SCRAM-SHA-1)
          ;; SCRAM-SHA-1 Login: only the saslStart step (client-first message) is sent here.
          (let* ((nonce (cl-scram:gen-client-nonce))
                 ;; MongoDB's SCRAM password is hex(MD5("user:mongo:password")); it is
                 ;; computed here but not needed until the client-final (proof) step.
                 (pwd (concatenate 'string username ":mongo:" password))
                 (md5-pwd (hex-md5 pwd))
                 (md5-pwd-str (ironclad:byte-array-to-hex-string md5-pwd))
                 ;; client-first message, e.g. "n,,n=<user>,r=<nonce>"
                 (initial-message (cl-scram:gen-client-initial-message :username username
                                                                       :nonce nonce))
                 ;; octets of the base64 text of the initial message; these octets are
                 ;; what gets wrapped in the BSON binary "payload" field
                 (payload-octets (ironclad:ascii-string-to-byte-array
                                  (cl-scram:base64-encode initial-message)))
                 (request (kv (kv "saslStart" 1)
                              (kv "mechanism" "SCRAM-SHA-1")
                              (kv "payload" (bson-binary :generic payload-octets))))
                 (response (car (docs (db.find "$cmd" request :limit 1 :mongo mongo))))
                 ;; debug alist: the server's reply fields plus the message as sent
                 (retval (pairlis '(errmsg ok code message binary-message)
                                  (list (get-element "errmsg" response)
                                        (get-element "ok" response)
                                        (get-element "code" response)
                                        initial-message
                                        payload-octets))))
            (list request retval)))
        ((equal mechanism :MONGODB-CR)
          ;; MONGODB-CR Login: key = hex(MD5(nonce + user + hex(MD5("user:mongo:password"))))
          (let* ((nonce (get-element "nonce" (car (docs (db.run-command 'getnonce :mongo mongo)))))
                 (pwd (concatenate 'string username ":mongo:" password))
                 (md5-pwd (hex-md5 pwd))
                 (md5-pwd-str (ironclad:byte-array-to-hex-string md5-pwd))
                 (md5-key (hex-md5 (concatenate 'string nonce username md5-pwd-str)))
                 (md5-key-str (ironclad:byte-array-to-hex-string md5-key))
                 (request (kv (kv "authenticate" 1)
                              (kv "user" username)
                              (kv "nonce" nonce)
                              (kv "key" md5-key-str)))
                 (retval (get-element "ok" (car (docs (db.find "$cmd" request :limit 1 :mongo mongo))))))
            ;; "ok" is 0.0d0 on failure, which is still non-NIL in Lisp, so test its value
            ;; rather than its presence.
            (and (numberp retval) (= retval 1))))
        (t nil)))
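As an added example (not the cl-mongo or cl-scram code from the post), the following Python reproduces the whole SCRAM-SHA-1 client computation that the saslStart message above only begins: client-first, parsing the server-first reply, the PBKDF2/HMAC derivation of the client proof, and verification of the server's signature. It is checked against the test vector from RFC 5802 section 5 (a constructed exchange, not a live server). MongoDB's variant differs from plain SCRAM only in the password it feeds in, hex(MD5("user:mongo:password")), which is exactly what the md5-pwd-str binding in the Lisp code computes. It also includes a small sanity check on the bytes about to go into the BSON binary payload: drivers such as PyMongo put the raw client-first message ("n,,n=…") in the binary, whereas the base64 form is the textual input the mongo shell's BinData() constructor takes; the BINARY-MESSAGE octets in the debug output above (98 105 119 115 … = "biws…") spell the base64 text of MESSAGE rather than the raw message.

```python
import base64
import hashlib
import hmac
import secrets


def gen_client_nonce() -> str:
    # Random printable nonce without commas, as SCRAM requires.
    return secrets.token_urlsafe(24)


def mongodb_scram_password(username: str, password: str) -> str:
    # MongoDB's SCRAM-SHA-1 variant feeds hex(MD5("user:mongo:password")) into
    # SCRAM instead of the raw password (the md5-pwd-str value in the Lisp code).
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


def client_first_message(username: str, client_nonce: str) -> bytes:
    # "n,," is the GS2 header: no channel binding, no authorization identity.
    user = username.replace("=", "=3D").replace(",", "=2C")
    return f"n,,n={user},r={client_nonce}".encode()


def payload_is_raw_client_first(payload: bytes) -> bool:
    # Sanity check on the octets about to go into the BSON binary: a raw
    # client-first message starts with the GS2 header, its base64 form does not.
    return payload.startswith(b"n,,")


def parse_attrs(message: bytes) -> dict:
    # SCRAM messages are comma-separated "k=v" attributes; base64 values may
    # contain '=' padding, so split on the first '=' only.
    return dict(part.split("=", 1) for part in message.decode().split(","))


def client_final(password: str, client_first: bytes, server_first: bytes):
    """Return (client-final message, expected base64 ServerSignature)."""
    first_bare = client_first[3:]                      # drop "n,,"
    server = parse_attrs(server_first)
    client_nonce = parse_attrs(first_bare)["r"]
    combined_nonce = server["r"]
    if not combined_nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    salt = base64.b64decode(server["s"])
    iterations = int(server["i"])
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    without_proof = b"c=biws,r=" + combined_nonce.encode()   # biws = base64("n,,")
    auth_message = first_bare + b"," + server_first + b"," + without_proof
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    final = without_proof + b",p=" + base64.b64encode(proof)
    return final, base64.b64encode(server_sig).decode()


def verify_server_final(server_final: bytes, expected_server_sig: str) -> bool:
    # Mutual authentication: the server proves it holds ServerKey by returning
    # v=ServerSignature, which the client compares in constant time.
    attrs = parse_attrs(server_final)
    return "v" in attrs and hmac.compare_digest(attrs["v"], expected_server_sig)


if __name__ == "__main__":
    # RFC 5802 section 5 test vector (constructed sample exchange, not a live server)
    cf = client_first_message("user", "fyko+d2lbbFgONRv9qkxdawL")
    sf = b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
    final, expected = client_final("pencil", cf, sf)
    print(final.decode())
    print(verify_server_final(b"v=" + expected.encode(), expected))
    # The MongoDB variant only changes the password handed to client_final:
    print(mongodb_scram_password("aurumrw", "pencil"))
```

Against a real server the first message goes in saslStart and the client-final in saslContinue, carrying back the conversationId the server returned; the server's v= payload arrives in the reply to that second command and should be checked before the session is treated as authenticated. The example does not apply SASLprep to the username, which a production client should.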

Recommended answer

Check for the mongo version(mongo --version) of the client from where we are connecting to mongo server.

In my case, the mongo server was version Mongo 4.0.0 but my client was version 2.4.9. Update the mongo version to update the mongo CLI.
