mongodb
diff --git a/‎lib/mongo/auth.rb‎
Lines changed: 15 additions & 2 deletions b/‎lib/mongo/auth.rb‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎lib/mongo/auth/cr/conversation.rb‎
Lines changed: 4 additions & 2 deletions b/‎lib/mongo/auth/cr/conversation.rb‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎lib/mongo/auth/ldap/conversation.rb‎
Lines changed: 4 additions & 2 deletions b/‎lib/mongo/auth/ldap/conversation.rb‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎lib/mongo/auth/scram.rb‎
Lines changed: 3 additions & 7 deletions b/‎lib/mongo/auth/scram.rb‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎lib/mongo/auth/scram/conversation.rb‎
Lines changed: 22 additions & 9 deletions b/‎lib/mongo/auth/scram/conversation.rb‎
Lines changed: 22 additions & 9 deletions
diff --git a/‎lib/mongo/auth/user.rb‎
Lines changed: 28 additions & 0 deletions b/‎lib/mongo/auth/user.rb‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎lib/mongo/auth/x509/conversation.rb‎
Lines changed: 4 additions & 2 deletions b/‎lib/mongo/auth/x509/conversation.rb‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎spec/integration/auth_spec.rb‎
Lines changed: 122 additions & 0 deletions b/‎spec/integration/auth_spec.rb‎
Lines changed: 122 additions & 0 deletions
@@ -102,10 +102,23 @@ class Unauthorized < RuntimeError
       #   Mongo::Auth::Unauthorized.new(user)
       #
       # @param [ Mongo::Auth::User ] user The unauthorized user.
+      # @param [ String ] used_mechanism Auth mechanism actually used for
+      #   authentication. This is a full string like SCRAM-SHA-256.
       #
       # @since 2.0.0
-      def initialize(user)
-        super("User #{user.name} is not authorized to access #{user.database}.")
+      def initialize(user, used_mechanism = nil)
+        specified_mechanism = if user.mechanism
+          " (mechanism: #{user.mechanism})"
+        else
+          ''
+        end
+        used_mechanism = if used_mechanism
+          " (used mechanism: #{used_mechanism})"
+        else
+          ''
+        end
+        msg = "User #{user.name}#{specified_mechanism} is not authorized to access #{user.database}#{used_mechanism}"
+        super(msg)
       end
     end
   end
 
@@ -92,7 +92,7 @@ def finalize(reply, connection = nil)
         end
 
         # Start the CR conversation. This returns the first message that
-        # needs to be send to the server.
+        # needs to be sent to the server.
         #
         # @example Start the conversation.
         #   conversation.start
@@ -130,7 +130,9 @@ def initialize(user)
         private
 
         def validate!(reply)
-          raise Unauthorized.new(user) if reply.documents[0][Operation::Result::OK] != 1
+          if reply.documents[0][Operation::Result::OK] != 1
+            raise Unauthorized.new(user, MECHANISM)
+          end
           @nonce = reply.documents[0][Auth::NONCE]
           @reply = reply
         end
 
@@ -51,7 +51,7 @@ def finalize(reply)
         end
 
         # Start the PLAIN conversation. This returns the first message that
-        # needs to be send to the server.
+        # needs to be sent to the server.
         #
         # @example Start the conversation.
         #   conversation.start
@@ -97,7 +97,9 @@ def payload
         end
 
         def validate!(reply)
-          raise Unauthorized.new(user) if reply.documents[0][Operation::Result::OK] != 1
+          if reply.documents[0][Operation::Result::OK] != 1
+            raise Unauthorized.new(user, MECHANISM)
+          end
           @reply = reply
         end
       end
 
@@ -32,7 +32,6 @@ class SCRAM
       # @since 2.6.0
       SCRAM_SHA_256_MECHANISM = 'SCRAM-SHA-256'.freeze
 
-
       # Map the user-specified authentication mechanism to the proper names of the mechanisms.
       #
       # @since 2.6.0
@@ -62,16 +61,13 @@ def initialize(user)
       #   user.login(connection)
       #
       # @param [ Mongo::Connection ] connection The connection to log into.
-      #   on.
-      # @param [ String ] mechanism The auth mechanism to use (either 'SCRAM-SHA-1' or
-      #   'SCRAM-SHA-256');
       #
       # @return [ Protocol::Message ] The authentication response.
       #
       # @since 2.0.0
-      def login(connection, mechanism = nil)
-        mechanism ||= user.mechanism || :scram
-        conversation = Conversation.new(user, MECHANISMS[mechanism])
+      def login(connection)
+        mechanism = user.mechanism || :scram
+        conversation = Conversation.new(user, mechanism)
         reply = connection.dispatch([ conversation.start(connection) ])
         connection.update_cluster_time(Operation::Result.new(reply))
         reply = connection.dispatch([ conversation.continue(reply, connection) ])
 
@@ -19,8 +19,8 @@ module Mongo
   module Auth
     class SCRAM
 
-      # Defines behavior around a single SCRAM-SHA-1 conversation between the
-      # client and server.
+      # Defines behavior around a single SCRAM-SHA-1/256 conversation between
+      # the client and server.
       #
       # @since 2.0.0
       class Conversation
@@ -168,7 +168,7 @@ def finalize(reply, connection = nil)
         end
 
         # Start the SCRAM conversation. This returns the first message that
-        # needs to be send to the server.
+        # needs to be sent to the server.
         #
         # @example Start the conversation.
         #   conversation.start
@@ -180,7 +180,8 @@ def finalize(reply, connection = nil)
         # @since 2.0.0
         def start(connection = nil)
           if connection && connection.features.op_msg_enabled?
-            selector = CLIENT_FIRST_MESSAGE.merge(payload: client_first_message, mechanism: @mechanism)
+            selector = CLIENT_FIRST_MESSAGE.merge(
+              payload: client_first_message, mechanism: full_mechanism)
             selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
             cluster_time = connection.mongos? && connection.cluster_time
             selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
@@ -189,12 +190,17 @@ def start(connection = nil)
             Protocol::Query.new(
               user.auth_source,
               Database::COMMAND,
-              CLIENT_FIRST_MESSAGE.merge(payload: client_first_message, mechanism: @mechanism),
+              CLIENT_FIRST_MESSAGE.merge(
+                payload: client_first_message, mechanism: full_mechanism),
               limit: -1
             )
           end
         end
 
+        def full_mechanism
+          MECHANISMS[@mechanism]
+        end
+
         # Get the id of the conversation.
         #
         # @example Get the id of the conversation.
@@ -213,9 +219,14 @@ def id
         #   Conversation.new(user, mechanism)
         #
         # @param [ Auth::User ] user The user to converse about.
+        # @param [ Symbol ] mechanism Authentication mechanism.
         #
         # @since 2.0.0
         def initialize(user, mechanism)
+          unless [:scram, :scram256].include?(mechanism)
+            raise InvalidMechanism.new(mechanism)
+          end
+
           @user = user
           @nonce = SecureRandom.base64
           @client_key = user.send(:client_key)
@@ -343,7 +354,7 @@ def h(string)
         # @since 2.0.0
         def hi(data)
           case @mechanism
-          when SCRAM::SCRAM_SHA_256_MECHANISM
+          when :scram256
             OpenSSL::PKCS5.pbkdf2_hmac(
               data,
               Base64.strict_decode64(salt),
@@ -422,7 +433,7 @@ def salt
         # @since 2.0.0
         def salted_password
           @salted_password ||= case @mechanism
-          when SCRAM::SCRAM_SHA_256_MECHANISM
+          when :scram256
             hi(user.sasl_prepped_password)
           else
             hi(user.hashed_password)
@@ -510,15 +521,17 @@ def validate_first_message!(reply)
         end
 
         def validate!(reply)
-          raise Unauthorized.new(user) unless reply.documents[0][Operation::Result::OK] == 1
+          if reply.documents[0][Operation::Result::OK] != 1
+            raise Unauthorized.new(user, full_mechanism)
+          end
           @reply = reply
         end
 
         private
 
         def digest
           @digest ||= case @mechanism
-                      when SCRAM::SCRAM_SHA_256_MECHANISM
+                      when :scram256
                         OpenSSL::Digest::SHA256.new.freeze
                       else
                         OpenSSL::Digest::SHA1.new.freeze
 
@@ -21,6 +21,7 @@ module Auth
     #
     # @since 2.0.0
     class User
+      include Loggable
 
       # @return [ String ] The authorization source, either a database or
       #   external name.
@@ -44,6 +45,14 @@ class User
       # @return [ Array<String> ] roles The user roles.
       attr_reader :roles
 
+      # Loggable requires an options attribute. We don't have any options
+      # hence provide this as a stub.
+      #
+      # @api private
+      def options
+        {}
+      end
+
       # Determine if this user is equal to another.
       #
       # @example Check user equality.
@@ -154,6 +163,25 @@ def initialize(options)
         @name = options[:user]
         @password = options[:password] || options[:pwd]
         @mechanism = options[:auth_mech]
+        if @mechanism
+          # Since the driver must select an authentication class for
+          # the specified mechanism, mechanisms that the driver does not
+          # know about, and cannot translate to an authentication class,
+          # need to be rejected.
+          unless @mechanism.is_a?(Symbol)
+            # Although we documented auth_mech option as being a symbol, we
+            # have not enforced this; warn, reject in lint mode
+            if Lint.enabled?
+              raise Error::LintError, "Auth mechanism #{@mechanism.inspect} must be specified as a symbol"
+            else
+              log_warn("Auth mechanism #{@mechanism.inspect} should be specified as a symbol")
+              @mechanism = @mechanism.to_sym
+            end
+          end
+          unless Auth::SOURCES.key?(@mechanism)
+            raise InvalidMechanism.new(options[:auth_mech])
+          end
+        end
         @auth_mech_properties = options[:auth_mech_properties] || {}
         @roles = options[:roles] || []
         @client_key = options[:client_key]
 
@@ -51,7 +51,7 @@ def finalize(reply)
         end
 
         # Start the x.509 conversation. This returns the first message that
-        # needs to be send to the server.
+        # needs to be sent to the server.
         #
         # @example Start the conversation.
         #   conversation.start
@@ -95,7 +95,9 @@ def initialize(user)
         private
 
         def validate!(reply)
-          raise Unauthorized.new(user) if reply.documents[0][Operation::Result::OK] != 1
+          if reply.documents[0][Operation::Result::OK] != 1
+            raise Unauthorized.new(user, MECHANISM)
+          end
           @reply = reply
         end
       end
 
@@ -0,0 +1,122 @@
+require 'spec_helper'
+
+describe 'Auth' do
+  describe 'Unauthorized exception message' do
+    let(:server) do
+      authorized_client.cluster.next_primary
+    end
+
+    let(:connection) do
+      Mongo::Server::Connection.new(server, options)
+    end
+
+    before(:all) do
+      # If auth is configured, the test suite uses the configured user
+      # and does not create its own users. However, the configured user may
+      # not have the auth mechanisms we need. Therefore we create a user
+      # for this test without specifying auth mechanisms, which gets us
+      # server default (scram for 4.0, scram & scram256 for 4.2).
+
+      users = ClientRegistry.instance.global_client('root_authorized').use(:admin).database.users
+      unless users.info('existing_user').empty?
+        users.remove('existing_user')
+      end
+      users.create('existing_user', password: 'password')
+    end
+
+    context 'user mechanism not provided' do
+
+      context 'user does not exist' do
+        let(:options) { SpecConfig.instance.ssl_options.merge(
+          user: 'nonexistent_user') }
+
+        before do
+          expect(connection.app_metadata.send(:document)[:saslSupportedMechs]).to eq('admin.nonexistent_user')
+        end
+
+        context 'scram-sha-1 only server' do
+          min_server_fcv '3.0'
+          max_server_version '3.6'
+
+          it 'indicates scram-sha-1 was used' do
+            expect do
+              connection.connect!
+            end.to raise_error(Mongo::Auth::Unauthorized, 'User nonexistent_user (mechanism: scram) is not authorized to access admin (used mechanism: SCRAM-SHA-1)')
+          end
+        end
+
+        context 'scram-sha-256 server' do
+          min_server_fcv '4.0'
+
+          # An existing user on 4.0+ will negotiate scram-sha-256.
+          # A non-existing user on 4.0+ will negotiate scram-sha-1.
+          it 'indicates scram-sha-1 was used' do
+            expect do
+              connection.connect!
+            end.to raise_error(Mongo::Auth::Unauthorized, 'User nonexistent_user (mechanism: scram) is not authorized to access admin (used mechanism: SCRAM-SHA-1)')
+          end
+        end
+      end
+
+      context 'user exists' do
+        let(:options) { SpecConfig.instance.ssl_options.merge(
+          user: 'existing_user', password: 'bogus') }
+
+        before do
+          expect(connection.app_metadata.send(:document)[:saslSupportedMechs]).to eq("admin.existing_user")
+        end
+
+        context 'scram-sha-1 only server' do
+          min_server_fcv '3.0'
+          max_server_version '3.6'
+
+          it 'indicates scram-sha-1 was used' do
+            expect do
+              connection.connect!
+            end.to raise_error(Mongo::Auth::Unauthorized, "User existing_user (mechanism: scram) is not authorized to access admin (used mechanism: SCRAM-SHA-1)")
+          end
+        end
+
+        context 'scram-sha-256 server' do
+          min_server_fcv '4.0'
+
+          # An existing user on 4.0+ will negotiate scram-sha-256.
+          # A non-existing user on 4.0+ will negotiate scram-sha-1.
+          it 'indicates scram-sha-256 was used' do
+            expect do
+              connection.connect!
+            end.to raise_error(Mongo::Auth::Unauthorized, "User existing_user (mechanism: scram256) is not authorized to access admin (used mechanism: SCRAM-SHA-256)")
+          end
+        end
+      end
+    end
+
+    context 'user mechanism is provided' do
+      min_server_fcv '3.0'
+
+      context 'scram-sha-1 requested' do
+        let(:options) { SpecConfig.instance.ssl_options.merge(
+          user: 'nonexistent_user', auth_mech: :scram) }
+
+        it 'indicates scram-sha-1 was requested and used' do
+          expect do
+            connection.connect!
+          end.to raise_error(Mongo::Auth::Unauthorized, 'User nonexistent_user (mechanism: scram) is not authorized to access admin (used mechanism: SCRAM-SHA-1)')
+        end
+      end
+
+      context 'scram-sha-256 requested' do
+        min_server_fcv '4.0'
+
+        let(:options) { SpecConfig.instance.ssl_options.merge(
+          user: 'nonexistent_user', auth_mech: :scram256) }
+
+        it 'indicates scram-sha-256 was requested and used' do
+          expect do
+            connection.connect!
+          end.to raise_error(Mongo::Auth::Unauthorized, 'User nonexistent_user (mechanism: scram256) is not authorized to access admin (used mechanism: SCRAM-SHA-256)')
+        end
+      end
+    end
+  end
+end