Allow bypassing authentication #3840

Merged
merged 1 commit into from Dec 12, 2023

AlekSi
Member

@AlekSi AlekSi commented Dec 12, 2023

Description

Closes #3459.

Readiness checklist

  • I added/updated unit tests (and they pass).
  • I added/updated integration/compatibility tests (and they pass).
  • I added/updated comments and checked rendering.
  • I made spot refactorings.
  • I updated user documentation.
  • I ran task all, and it passed.
  • I ensured that PR title is good enough for the changelog.
  • (for maintainers only) I set Reviewers (@FerretDB/core), Milestone (Next), Labels, Project and project's Sprint fields.
  • I marked all done items in this checklist.

@mergify mergify bot assigned AlekSi Dec 12, 2023
@AlekSi AlekSi mentioned this pull request Dec 12, 2023
9 tasks
@AlekSi AlekSi added this to the Next milestone Dec 12, 2023
@AlekSi AlekSi added the code/chore Code maintenance improvements label Dec 12, 2023
@AlekSi AlekSi marked this pull request as ready for review December 12, 2023 14:44
@AlekSi AlekSi requested a review from a team as a code owner December 12, 2023 14:44
@AlekSi AlekSi enabled auto-merge (squash) December 12, 2023 14:44
@AlekSi AlekSi requested review from a team, henvic and noisersup December 12, 2023 14:44

codecov bot commented Dec 12, 2023

Codecov Report

Merging #3840 (b9d9eb0) into main (6737d32) will decrease coverage by 0.55%.
The diff coverage is 38.46%.

@@            Coverage Diff             @@
##             main    #3840      +/-   ##
==========================================
- Coverage   76.70%   76.16%   -0.55%     
==========================================
  Files         316      316              
  Lines       23666    23687      +21     
==========================================
- Hits        18153    18041     -112     
- Misses       4470     4599     +129     
- Partials     1043     1047       +4     
Files Coverage Δ
internal/clientconn/conninfo/conn_info.go 94.28% <ø> (ø)
internal/backends/postgresql/metadata/registry.go 70.06% <71.42%> (-0.21%) ⬇️
internal/backends/postgresql/metadata/pool/pool.go 60.60% <0.00%> (-8.36%) ⬇️

... and 17 files with indirect coverage changes

Flag Coverage Δ
filter-false ?
filter-true 72.29% <26.92%> (-0.39%) ⬇️
hana-1 ?
integration 72.29% <26.92%> (-0.58%) ⬇️
mongodb-1 5.17% <0.00%> (-0.01%) ⬇️
mysql-1 ?
mysql-2 ?
mysql-3 ?
postgresql-1 51.91% <26.92%> (-0.15%) ⬇️
postgresql-2 51.51% <26.92%> (-0.08%) ⬇️
postgresql-3 53.01% <26.92%> (-0.30%) ⬇️
sqlite-1 51.03% <0.00%> (-0.09%) ⬇️
sqlite-2 50.60% <0.00%> (-0.13%) ⬇️
sqlite-3 52.09% <0.00%> (-0.39%) ⬇️
unit 30.68% <38.46%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

Member

@rumyantseva rumyantseva left a comment

LGTM.

Side question: so, we always store every new username-password group in the connection pool. But we don't clean up the pool, right? E.g. if 100 users connect with different usernames and passwords, we will store them all unless FerretDB is stopped?

@AlekSi
Member Author

AlekSi commented Dec 12, 2023

> we always store every new username-password group in the connection pool.

Pools.

> But we don't clean up the pool, right?

Right, we don't clean up pools.

> E.g. if 100 users connect with different usernames and passwords, we will store them all unless FerretDB is stopped?

If there are 100 valid username/password combinations, then yes, in that case we store 100 strings and 100 pointers. Each pointer points to a pool of connections which automatically scales down to zero:

	// to avoid the need to close unused pools ourselves
	if values.Has("pool_max_conn_idle_time") {
		values.Set("pool_max_conn_idle_time", "1m")
	}

@AlekSi AlekSi disabled auto-merge December 12, 2023 16:12
@AlekSi AlekSi merged commit b26d394 into FerretDB:main Dec 12, 2023
28 of 32 checks passed
@AlekSi AlekSi deleted the all-connections branch December 12, 2023 16:12
@xaitx

xaitx commented Dec 14, 2023

Why would this cause authentication bypass?

@AlekSi
Member Author

AlekSi commented Dec 14, 2023

Authentication is bypassed when ConnInfo's (object representing client connection information) field BypassAuth is set to true. It is not set for normal connections, but needed for background workers such as capped collection clean-up (#3459).
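
The two points from this thread (one pool per accepted username/password pair, and a bypass flag that only server-side code can set) can be modelled as follows. This is an added example, not FerretDB's code: `ConnInfo` is reduced to three fields, and `Registry`, `check`, `PoolFor` and `ctxKey` are hypothetical names. It assumes that background workers share a single pool and that rejected credentials are never cached.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// ConnInfo is a hypothetical stand-in for per-connection state.
type ConnInfo struct {
	Username, Password string
	BypassAuth         bool // set only by in-process workers, never parsed from client input
}
type ctxKey struct{} // unexported, so only this package can attach a ConnInfo
var ErrAuth = errors.New("authentication failed")

// Registry keeps one pool per accepted credential pair; entries are never evicted.
type Registry struct {
	mu    sync.Mutex
	check func(user, pass string) bool // stand-in for the backend accepting a login
	pools map[ConnInfo]*string         // *string stands in for a connection pool
}

// PoolFor returns the pool for the connection described by ctx.
func (r *Registry) PoolFor(ctx context.Context) (*string, error) {
	ci, _ := ctx.Value(ctxKey{}).(*ConnInfo)
	if ci == nil {
		return nil, ErrAuth // no connection info: fail closed
	}
	k := *ci
	if ci.BypassAuth {
		k = ConnInfo{BypassAuth: true} // worker path: one shared pool, other fields ignored
	} else if !r.check(ci.Username, ci.Password) {
		return nil, ErrAuth // rejected pairs never get a registry entry
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.pools[k] == nil {
		r.pools[k] = new(string)
	}
	return r.pools[k], nil
}

func main() {
	r := &Registry{check: func(u, p string) bool { return false }, pools: map[ConnInfo]*string{}}
	_, err := r.PoolFor(context.WithValue(context.Background(), ctxKey{}, &ConnInfo{BypassAuth: true}))
	fmt.Println(err, len(r.pools)) // the worker gets a pool even though check rejects every login
}
```
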

Labels
code/chore Code maintenance improvements
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Support capped collection clean-up
4 participants