Auth refactor to prepare for PYTHON-465.

This also addresses PYTHON-464 and makes
logout sane.

Author: behackett

pymongo/auth.py

@@ -0,0 +1,70 @@
+# Copyright 2013 10gen, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Authentication helpers."""
+
+try:
+    import hashlib
+    _MD5 = hashlib.md5
+except ImportError:  # for Python < 2.5
+    import md5
+    _MD5 = md5.new
+
+from bson.son import SON
+
+
+def _password_digest(username, password):
+    """Get a password digest to use for authentication.
+    """
+    if not isinstance(password, basestring):
+        raise TypeError("password must be an instance "
+                        "of %s" % (basestring.__name__,))
+    if len(password) == 0:
+        raise TypeError("password can't be empty")
+    if not isinstance(username, basestring):
+        raise TypeError("username must be an instance "
+                        "of %s" % (basestring.__name__,))
+
+    md5hash = _MD5()
+    data = "%s:mongo:%s" % (username, password)
+    md5hash.update(data.encode('utf-8'))
+    return unicode(md5hash.hexdigest())
+
+
+def _auth_key(nonce, username, password):
+    """Get an auth key to use for authentication.
+    """
+    digest = _password_digest(username, password)
+    md5hash = _MD5()
+    data = "%s%s%s" % (nonce, unicode(username), digest)
+    md5hash.update(data.encode('utf-8'))
+    return unicode(md5hash.hexdigest())
+
+
+def authenticate(credentials, sock_info, cmd_func):
+    """Authenticate sock_info using credentials.
+    """
+    source, username, password = credentials
+    # Get a nonce
+    response, _ = cmd_func(sock_info, source, {'getnonce': 1})
+    nonce = response['nonce']
+    key = _auth_key(nonce, username, password)
+
+    # Actually authenticate
+    query = SON([('authenticate', 1),
+                 ('user', username),
+                 ('nonce', nonce),
+                 ('key', key)])
+    cmd_func(sock_info, source, query)
+

pymongo/database.py

@@ -14,13 +14,11 @@
 
 """Database level operations."""
 
-import warnings
-
 from bson.binary import OLD_UUID_SUBTYPE
 from bson.code import Code
 from bson.dbref import DBRef
 from bson.son import SON
-from pymongo import common, helpers
+from pymongo import auth, common, helpers
 from pymongo.collection import Collection
 from pymongo.errors import (CollectionInvalid,
                             InvalidName,
@@ -471,7 +469,7 @@ def validate_collection(self, name_or_collection,
                 raise CollectionInvalid("%s invalid: %s" % (name, info))
         # Sharded results
         elif "raw" in result:
-            for repl, res in result["raw"].iteritems():
+            for _, res in result["raw"].iteritems():
                 if "result" in res:
                     info = res["result"]
                     if (info.find("exception") != -1 or
@@ -627,7 +625,7 @@ def add_user(self, name, password, read_only=False):
         """
 
         user = self.system.users.find_one({"user": name}) or {"user": name}
-        user["pwd"] = helpers._password_digest(name, password)
+        user["pwd"] = auth._password_digest(name, password)
         user["readOnly"] = common.validate_boolean('read_only', read_only)
 
         try:
@@ -656,12 +654,10 @@ def remove_user(self, name):
     def authenticate(self, name, password):
         """Authenticate to use this database.
 
-        Once authenticated, the user has full read and write access to
-        this database. Raises :class:`TypeError` if either `name` or
-        `password` is not an instance of :class:`basestring`
-        (:class:`str` in python 3). Authentication lasts for the life
-        of the underlying :class:`~pymongo.connection.Connection`, or
-        until :meth:`logout` is called.
+        Raises :class:`TypeError` if either `name` or `password` is not
+        an instance of :class:`basestring` (:class:`str` in python 3).
+        Authentication lasts for the life of the underlying client
+        instance, or until :meth:`logout` is called.
 
         The "admin" database is special. Authenticating on "admin"
         gives access to *all* databases. Effectively, "admin" access
@@ -670,28 +666,20 @@ def authenticate(self, name, password):
         .. note::
           This method authenticates the current connection, and
           will also cause all new :class:`~socket.socket` connections
-          in the underlying :class:`~pymongo.connection.Connection` to
-          be authenticated automatically.
-
-         - When sharing a :class:`~pymongo.connection.Connection`
-           between multiple threads, all threads will share the
-           authentication. If you need different authentication profiles
-           for different purposes (e.g. admin users) you must use
-           distinct instances of :class:`~pymongo.connection.Connection`.
+          in the underlying client instance to be authenticated automatically.
 
-         - To get authentication to apply immediately to all
-           existing sockets you may need to reset this Connection's
-           sockets using :meth:`~pymongo.connection.Connection.disconnect`.
+         - Authenticating more than once on the same database with different
+           credentials is not supported. You must call :meth:`logout` before
+           authenticating with new credentials.
 
-        .. warning::
+         - When sharing a client instance between multiple threads, all
+           threads will share the authentication. If you need different
+           authentication profiles for different purposes you must use
+           distinct client instances.
 
-          Currently, calls to
-          :meth:`~pymongo.connection.Connection.end_request` will
-          lead to unpredictable behavior in combination with
-          auth. The :class:`~socket.socket` owned by the calling
-          thread will be returned to the pool, so whichever thread
-          uses that :class:`~socket.socket` next will have whatever
-          permissions were granted to the calling thread.
+         - To get authentication to apply immediately to all
+           existing sockets you may need to reset this client instance's
+           sockets using :meth:`~pymongo.mongo_client.MongoClient.disconnect`.
 
         :Parameters:
           - `name`: the name of the user to authenticate
@@ -706,42 +694,22 @@ def authenticate(self, name, password):
             raise TypeError("password must be an instance "
                             "of %s" % (basestring.__name__,))
 
-        # So we can authenticate during a failover. The start_request()
-        # call below will pin the host used for getnonce so we use the
-        # same host for authenticate.
-        read_pref = rp.ReadPreference.PRIMARY_PREFERRED
-
-        in_request = self.connection.in_request()
         try:
-            if not in_request:
-                self.connection.start_request()
-
-            nonce = self.command("getnonce",
-                                 read_preference=read_pref)["nonce"]
-            key = helpers._auth_key(nonce, name, password)
-            try:
-                self.command("authenticate", user=unicode(name),
-                             nonce=nonce, key=key, read_preference=read_pref)
-                self.connection._cache_credentials(self.name,
-                                                   unicode(name),
-                                                   unicode(password))
-                return True
-            except OperationFailure:
-                return False
-        finally:
-            if not in_request:
-                self.connection.end_request()
+            credentials = (self.name, unicode(name), unicode(password))
+            self.connection._cache_credentials(self.name, credentials)
+            return True
+        except OperationFailure:
+            return False
 
     def logout(self):
-        """Deauthorize use of this database for this connection
-        and future connections.
+        """Deauthorize use of this database for this client instance.
 
         .. note:: Other databases may still be authenticated, and other
            existing :class:`~socket.socket` connections may remain
            authenticated for this database unless you reset all sockets
-           with :meth:`~pymongo.connection.Connection.disconnect`.
+           with :meth:`~pymongo.mongo_client.MongoClient.disconnect`.
         """
-        self.command("logout")
+        # Sockets will be deauthenticated as they are used.
         self.connection._purge_credentials(self.name)
 
     def dereference(self, dbref):

pymongo/helpers.py

@@ -14,12 +14,6 @@
 
 """Bits and pieces used by the driver that don't really fit elsewhere."""
 
-try:
-    import hashlib
-    _md5func = hashlib.md5
-except:  # for Python < 2.5
-    import md5
-    _md5func = md5.new
 import random
 import struct
 
@@ -76,8 +70,8 @@ def _index_document(index_list):
     return index
 
 
-def _unpack_response(response, cursor_id=None,
-                     as_class=dict, tz_aware=False, uuid_subtype=OLD_UUID_SUBTYPE):
+def _unpack_response(response, cursor_id=None, as_class=dict,
+                     tz_aware=False, uuid_subtype=OLD_UUID_SUBTYPE):
     """Unpack a response from the database.
 
     Check the response for errors and unpack, returning a dictionary
@@ -115,7 +109,8 @@ def _unpack_response(response, cursor_id=None,
 
 
 def _check_command_response(response, reset, msg="%s", allowable_errors=[]):
-
+    """Check the response to a command for errors.
+    """
     if not response["ok"]:
         if "wtimeout" in response and response["wtimeout"]:
             raise TimeoutError(msg % response["errmsg"])
@@ -147,34 +142,6 @@ def _check_command_response(response, reset, msg="%s", allowable_errors=[]):
             raise OperationFailure(msg % errmsg)
 
 
-def _password_digest(username, password):
-    """Get a password digest to use for authentication.
-    """
-    if not isinstance(password, basestring):
-        raise TypeError("password must be an instance "
-                        "of %s" % (basestring.__name__,))
-    if len(password) == 0:
-        raise TypeError("password can't be empty")
-    if not isinstance(username, basestring):
-        raise TypeError("username must be an instance "
-                        "of %s" % (basestring.__name__,))
-
-    md5hash = _md5func()
-    data = "%s:mongo:%s" % (username, password)
-    md5hash.update(data.encode('utf-8'))
-    return unicode(md5hash.hexdigest())
-
-
-def _auth_key(nonce, username, password):
-    """Get an auth key to use for authentication.
-    """
-    digest = _password_digest(username, password)
-    md5hash = _md5func()
-    data = "%s%s%s" % (nonce, unicode(username), digest)
-    md5hash.update(data.encode('utf-8'))
-    return unicode(md5hash.hexdigest())
-
-
 def _fields_list_to_dict(fields):
     """Takes a list of field names and returns a matching dictionary.
 
@@ -192,6 +159,7 @@ def _fields_list_to_dict(fields):
         as_dict[field] = 1
     return as_dict
 
+
 def shuffled(sequence):
     """Returns a copy of the sequence (as a :class:`list`) which has been
     shuffled by :func:`random.shuffle`.