Skip to content

Commit ac0f721

Browse files
mattChiaravallotimattChiaravalloti
authored
RUST-2245 Implement GSSAPI auth support for Windows (#1444)
1 parent 21a884f commit ac0f721

File tree

8 files changed

+714
-153
lines changed

8 files changed

+714
-153
lines changed

.evergreen/config.yml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -274,6 +274,14 @@ buildvariants:
274274
tasks:
275275
- test-gssapi-auth
276276

277+
- name: gssapi-auth-windows
278+
display_name: "GSSAPI Authentication - Windows"
279+
patchable: true
280+
run_on:
281+
- windows-vsCurrent-small
282+
tasks:
283+
- test-gssapi-auth
284+
277285
- name: x509-auth
278286
display_name: "x509 Authentication"
279287
patchable: false
@@ -1406,7 +1414,7 @@ functions:
14061414
type: test
14071415
params:
14081416
binary: bash
1409-
working_dir: ${PROJECT_DIRECTORY}
1417+
working_dir: src
14101418
args:
14111419
- .evergreen/run-gssapi-tests.sh
14121420
include_expansions_in_env:

.evergreen/run-gssapi-tests.sh

Lines changed: 44 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -16,50 +16,60 @@ FEATURE_FLAGS+=("gssapi-auth")
1616

1717
set +o errexit
1818

19-
# Create a krb5 config file with relevant
20-
touch krb5.conf
21-
echo "[realms]
22-
$SASL_REALM = {
23-
kdc = $SASL_HOST
24-
admin_server = $SASL_HOST
25-
}
26-
27-
$SASL_REALM_CROSS = {
28-
kdc = $SASL_HOST
29-
admin_server = $SASL_HOST
30-
}
31-
32-
[domain_realm]
33-
.$SASL_DOMAIN = $SASL_REALM
34-
$SASL_DOMAIN = $SASL_REALM
35-
" > krb5.conf
36-
37-
export KRB5_CONFIG=krb5.conf
38-
39-
# Authenticate the user principal in the KDC before running the e2e test
40-
echo "Authenticating $PRINCIPAL"
41-
echo "$SASL_PASS" | kinit -p $PRINCIPAL
42-
klist
19+
# On Windows, `kinit`/`kdestroy` and other krb5 config settings are
20+
# not available, nor are they required steps. Windows uses SSPI which
21+
# is similar to but distinct from (KRB5) GSSAPI. Therefore, we only
22+
# run the following steps if we are not on Windows.
23+
if [[ "cygwin" != "$OSTYPE" ]]; then
24+
# Create a krb5 config file with relevant
25+
touch krb5.conf
26+
echo "[realms]
27+
$SASL_REALM = {
28+
kdc = $SASL_HOST
29+
admin_server = $SASL_HOST
30+
}
31+
32+
$SASL_REALM_CROSS = {
33+
kdc = $SASL_HOST
34+
admin_server = $SASL_HOST
35+
}
36+
37+
[domain_realm]
38+
.$SASL_DOMAIN = $SASL_REALM
39+
$SASL_DOMAIN = $SASL_REALM
40+
" > krb5.conf
41+
42+
export KRB5_CONFIG=krb5.conf
43+
44+
# Authenticate the user principal in the KDC before running the e2e test
45+
echo "Authenticating $PRINCIPAL"
46+
echo "$SASL_PASS" | kinit -p $PRINCIPAL
47+
klist
48+
fi
4349

4450
# Run end-to-end auth tests for "$PRINCIPAL" user
4551
TEST_OPTIONS+=("--skip with_service_realm_and_host_options")
4652
cargo_test test::auth::gssapi_skip_local
4753

48-
# Unauthenticate
49-
echo "Unauthenticating $PRINCIPAL"
50-
kdestroy
54+
if [[ "cygwin" != "$OSTYPE" ]]; then
55+
# Unauthenticate
56+
echo "Unauthenticating $PRINCIPAL"
57+
kdestroy
5158

52-
# Authenticate the alternative user principal in the KDC and run other e2e test
53-
echo "Authenticating $PRINCIPAL_CROSS"
54-
echo "$SASL_PASS_CROSS" | kinit -p $PRINCIPAL_CROSS
55-
klist
59+
# Authenticate the alternative user principal in the KDC and run other e2e test
60+
echo "Authenticating $PRINCIPAL_CROSS"
61+
echo "$SASL_PASS_CROSS" | kinit -p $PRINCIPAL_CROSS
62+
klist
63+
fi
5664

5765
TEST_OPTIONS=()
5866
cargo_test test::auth::gssapi_skip_local::with_service_realm_and_host_options
5967

60-
# Unauthenticate
61-
echo "Unuthenticating $PRINCIPAL_CROSS"
62-
kdestroy
68+
if [[ "cygwin" != "$OSTYPE" ]]; then
69+
# Unauthenticate
70+
echo "Unauthenticating $PRINCIPAL_CROSS"
71+
kdestroy
72+
fi
6373

6474
# Run remaining tests
6575
cargo_test spec::auth

Cargo.lock

Lines changed: 76 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ gcp-oidc = ["dep:reqwest"]
5656
gcp-kms = ["dep:reqwest"]
5757

5858
# Enable support for GSSAPI (Kerberos) authentication.
59-
gssapi-auth = ["dep:cross-krb5", "dns-resolver"]
59+
gssapi-auth = ["dep:cross-krb5", "dep:windows-sys", "dns-resolver"]
6060

6161
zstd-compression = ["dep:zstd"]
6262
zlib-compression = ["dep:flate2"]
@@ -80,7 +80,6 @@ chrono = { version = "0.4.7", default-features = false, features = [
8080
"clock",
8181
"std",
8282
] }
83-
cross-krb5 = { version = "0.4.2", optional = true, default-features = false }
8483
derive_more = "0.99.17"
8584
derive-where = "1.2.7"
8685
flate2 = { version = "1.0", optional = true }
@@ -246,6 +245,13 @@ features = ["serde", "serde_json-1"]
246245
rustdoc-args = ["--cfg", "docsrs"]
247246
all-features = true
248247

248+
# Target-specific dependencies for GSSAPI authentication
249+
[target.'cfg(not(windows))'.dependencies]
250+
cross-krb5 = { version = "0.4.2", optional = true, default-features = false }
251+
252+
[target.'cfg(windows)'.dependencies]
253+
windows-sys = { version = "0.60", optional = true, features = ["Win32_Security_Authentication_Identity", "Win32_Security_Credentials", "Win32_Foundation", "Win32_System", "Win32_System_Rpc"] }
254+
249255
[lints.rust]
250256
unexpected_cfgs = { level = "warn", check-cfg = [
251257
'cfg(mongodb_internal_tracking_arc)',

0 commit comments

Comments
 (0)