mongo 2.20.0 → 2.20.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 281c66c9e5d92b0eb8040c342bb0dfcf554c9b5420ec803bc68748472d74a1ae
-  data.tar.gz: 423f31b24accb3ce674ea28a7aa8fcaf028730eb1370187c23f5304ba30698f6
+  metadata.gz: 8ccd08d09b5ee60c5da82105ce4bb165f1324e475e9f476f956d08a677a503b9
+  data.tar.gz: d055b854eb8f822e37ca7002bef5e3625c6ddf7052c06113c0568b0ca275eae6
 SHA512:
-  metadata.gz: 4f414d30bf15f7c32ac9181e25e707caa80447975690fc6c0eb9d8fa37a784f8c4d21125b385d5a6d7efdb4bd751ee2c9c4bea313adbf78d20de3b019c25ac8a
-  data.tar.gz: 7a83ba71f6a36d886769d755fb5ea45e6d1fae37bd92b490c58e9f643f51c25d5a489ed79928d67975f067d258c738f54cc3e5caecca6eb0bad2e2bf49d81613
+  metadata.gz: 291abbb2324d615f2061a7f924e31c7020c7da0541ff5a5b115a9c3edb7b4a74a921ff3e226a50bb6c74fb9f8f79f8343f14ea17f701b6796fde2dc774f0c915
+  data.tar.gz: 792ed0dd04ed391c9b644fa13e65d4282182cac3e54af1f1a4830a20d6ed30c6f6eecef0c0e8d3cbab0c02bef907065a70568fa44b346bb8d947cc02a6a5abb6

data/README.md

@@ -5,7 +5,43 @@ MongoDB Ruby Driver
 
 The officially supported Ruby driver for [MongoDB](https://www.mongodb.org/).
 
-The Ruby driver supports Ruby 2.5-3.0 and JRuby 9.2.
+The Ruby driver supports Ruby 2.7-3.3 and JRuby 9.3-9.4.
+
+## Installation
+
+Install via RubyGems, either via the command-line for ad-hoc uses:
+
+  $ gem install mongo
+
+Or via a Gemfile for more general use:
+
+  gem 'mongo'
+
+### Release Integrity
+
+Each release of the MongoDB Ruby driver after version 2.20.0 has been automatically built and signed using the team's GPG key.
+
+To verify the driver's gem file:
+
+1. [Download the GPG key](https://pgp.mongodb.com/ruby-driver.asc).
+2. Import the key into your GPG keyring with `gpg --import ruby-driver.asc`.
+3. Download the gem file (if you don't already have it). You can download it from RubyGems with `gem fetch mongo`, or you can download it from the [releases page](https://github.com/mongodb/mongo-ruby-driver/releases) on GitHub.
+4. Download the corresponding detached signature file from the [same release](https://github.com/mongodb/mongo-ruby-driver/releases). Look at the bottom of the release that corresponds to the gem file, under the 'Assets' list, for a `.sig` file with the same version number as the gem you wish to install.
+5. Verify the gem with `gpg --verify mongo-X.Y.Z.gem.sig mongo-X.Y.Z.gem` (replacing `X.Y.Z` with the actual version number).
+
+You are looking for text like "Good signature from "MongoDB Ruby Driver Release Signing Key <packaging@mongodb.com>" in the output. If you see that, the signature was found to correspond to the given gem file.
+
+(Note that other output, like "This key is not certified with a trusted signature!", is related to *web of trust* and depends on how strongly you, personally, trust the `ruby-driver.asc` key that you downloaded from us. To learn more, see https://www.gnupg.org/gph/en/manual/x334.html)
+
+### Why not use RubyGems' gem-signing functionality?
+
+RubyGems' own gem signing is problematic, most significantly because there is no established chain of trust related to the keys used to sign gems. RubyGems' own documentation admits that "this method of signing gems is not widely used" (see https://guides.rubygems.org/security/). Discussions about this in the RubyGems community have been off-and-on for more than a decade, and while a solution will eventually arrive, we have settled on using GPG instead for the following reasons:
+
+1. Many of the other driver teams at MongoDB are using GPG to sign their product releases. Consistency with the other teams means that we can reuse existing tooling for our own product releases.
+2. GPG is widely available and has existing tools and procedures for dealing with web of trust (though they are admittedly quite arcane and intimidating to the uninitiated, unfortunately).
+
+Ultimately, most users do not bother to verify gems, and will not be impacted by our choice of GPG over RubyGems' native method.
+
 
 ## Documentation
 

data/Rakefile

@@ -2,17 +2,16 @@
 # rubocop:todo all
 
 require 'bundler'
-require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
-# TODO move the mongo require into the individual tasks that actually need it
-require 'mongo'
+
+if File.exist?('./spec/shared/lib/tasks/candidate.rake')
+  load 'spec/shared/lib/tasks/candidate.rake'
+end
 
 ROOT = File.expand_path(File.join(File.dirname(__FILE__)))
 
 $: << File.join(ROOT, 'spec/shared/lib')
 
-require 'mrss/spec_organizer'
-
 CLASSIFIERS = [
   [%r,^mongo/server,, :unit_server],
   [%r,^mongo,, :unit],
@@ -33,18 +32,63 @@ RUN_PRIORITY = %i(
   spec spec_sdam_integration
 )
 
-tasks = Rake.application.instance_variable_get('@tasks')
-tasks['release:do'] = tasks.delete('release')
-
 RSpec::Core::RakeTask.new(:spec) do |t|
   #t.rspec_opts = "--profile 5" if ENV['CI']
 end
 
 task :default => ['spec:prepare', :spec]
 
+desc 'Build the gem'
+task :build do
+  command = %w[ gem build ]
+  command << "--output=#{ENV['GEM_FILE_NAME']}" if ENV['GEM_FILE_NAME']
+  command << (ENV['GEMSPEC'] || 'mongo.gemspec')
+  system(*command)
+end
+
+# `rake version` is used by the deployment system so get the release version
+# of the product beng deployed. It must do nothing more than just print the
+# product version number.
+# 
+# See the mongodb-labs/driver-github-tools/ruby/publish Github action.
+desc "Print the current value of Mongo::VERSION"
+task :version do
+  require 'mongo/version'
+
+  puts Mongo::VERSION
+end
+
+# overrides the default Bundler-provided `release` task, which also
+# builds the gem. Our release process assumes the gem has already
+# been built (and signed via GPG), so we just need `rake release` to
+# push the gem to rubygems.
+task :release do
+  require 'mongo/version'
+
+  if ENV['GITHUB_ACTION'].nil?
+    abort <<~WARNING
+      `rake release` must be invoked from the `Driver Release` GitHub action,
+      and must not be invoked locally. This ensures the gem is properly signed
+      and distributed by the appropriate user.
+
+      Note that it is the `rubygems/release-gem@v1` step in the `Driver Release`
+      action that invokes this task. Do not rename or remove this task, or the
+      release-gem step will fail. Reimplement this task with caution.
+
+      mongo-#{Mongo::VERSION}.gem was NOT pushed to RubyGems.
+    WARNING
+  end
+
+  system 'gem', 'push', "mongo-#{Mongo::VERSION}.gem"
+end
+
+task :mongo do
+  require 'mongo'
+end
+
 namespace :spec do
   desc 'Creates necessary user accounts in the cluster'
-  task :prepare do
+  task prepare: :mongo do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
     require 'support/utils'
@@ -53,7 +97,7 @@ namespace :spec do
   end
 
   desc 'Waits for sessions to be available in the deployment'
-  task :wait_for_sessions do
+  task wait_for_sessions: :mongo do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
     require 'support/utils'
@@ -77,7 +121,7 @@ namespace :spec do
   end
 
   desc 'Prints configuration used by the test suite'
-  task :config do
+  task config: :mongo do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
     # Since this task is usually used for troubleshooting of test suite
@@ -90,6 +134,8 @@ namespace :spec do
   end
 
   def spec_organizer
+    require 'mrss/spec_organizer'
+
     Mrss::SpecOrganizer.new(
       root: ROOT,
       classifiers: CLASSIFIERS,
@@ -109,16 +155,6 @@ namespace :spec do
   end
 end
 
-namespace :release do
-  task :check_private_key do
-    unless File.exist?('gem-private_key.pem')
-      raise "No private key present, cannot release"
-    end
-  end
-end
-
-task :release => ['release:check_private_key', 'release:do']
-
 desc 'Build and validate the evergreen config'
 task eg: %w[ eg:build eg:validate ]
 

data/lib/mongo/config.rb

@@ -16,7 +16,7 @@ module Mongo
 
     # When this flag is off, an aggregation done on a view will be executed over
     # the documents included in that view, instead of all documents in the
-    # collection. When this flag is on, the view fiter is ignored.
+    # collection. When this flag is on, the view filter is ignored.
     option :broken_view_aggregate, default: true
 
     # When this flag is set to false, the view options will be correctly
@@ -24,7 +24,7 @@ module Mongo
     option :broken_view_options, default: true
 
     # When this flag is set to true, the update and replace methods will
-    # validate the paramters and raise an error if they are invalid.
+    # validate the parameters and raise an error if they are invalid.
     option :validate_update_replace, default: false
 
     # Set the configuration options.

data/lib/mongo/retryable/base_worker.rb

@@ -49,7 +49,8 @@ module Mongo
 
       private
 
-      # Indicate which exception classes that are generally retryable. 
+      # Indicate which exception classes that are generally retryable
+      # when using modern retries mechanism.
       #
       # @return [ Array<Mongo:Error> ] Array of exception classes that are
       #   considered retryable.
@@ -58,18 +59,42 @@ module Mongo
           Error::ConnectionPerished,
           Error::ServerNotUsable,
           Error::SocketError,
-          Error::SocketTimeoutError
+          Error::SocketTimeoutError,
         ].freeze
       end
 
+      # Indicate which exception classes that are generally retryable
+      # when using legacy retries mechanism.
+      #
+      # @return [ Array<Mongo:Error> ] Array of exception classes that are
+      #   considered retryable.
+      def legacy_retryable_exceptions
+        [
+          Error::ConnectionPerished,
+          Error::ServerNotUsable,
+          Error::SocketError,
+          Error::SocketTimeoutError,
+          Error::PoolClearedError,
+          Error::PoolPausedError,
+        ].freeze
+      end
+
+
       # Tests to see if the given exception instance is of a type that can
-      # be retried.
+      # be retried with modern retry mechanism.
       #
       # @return [ true | false ] true if the exception is retryable.
       def is_retryable_exception?(e)
         retryable_exceptions.any? { |klass| klass === e }
       end
 
+      # Tests to see if the given exception instance is of a type that can
+      # be retried with legacy retry mechanism.
+      #
+      # @return [ true | false ] true if the exception is retryable.
+      def is_legacy_retryable_exception?(e)
+        legacy_retryable_exceptions.any? { |klass| klass === e }
+      end
       # Logs the given deprecation warning the first time it is called for a
       # given key; after that, it does nothing when given the same key.
       def deprecation_warning(key, warning)

data/lib/mongo/retryable/read_worker.rb

@@ -198,7 +198,7 @@ module Mongo
         raise e if !is_retryable_exception?(e) && !e.write_retryable?
         retry_read(e, session, server_selector, failed_server: server, &block)
       end
-  
+
       # Attempts to do a "legacy" read with retry. The operation will be
       # attempted multiple times, up to the client's `max_read_retries`
       # setting.
@@ -213,17 +213,18 @@ module Mongo
       def legacy_read_with_retry(session, server_selector, &block)
         attempt = attempt ? attempt + 1 : 1
         yield select_server(cluster, server_selector, session)
-      rescue *retryable_exceptions, Error::OperationFailure, Error::PoolError => e
+      rescue *legacy_retryable_exceptions, Error::OperationFailure => e
         e.add_notes('legacy retry', "attempt #{attempt}")
-        
-        if is_retryable_exception?(e)
+
+        if is_legacy_retryable_exception?(e)
+
           raise e if attempt > client.max_read_retries || session&.in_transaction?
         elsif e.retryable? && !session&.in_transaction?
           raise e if attempt > client.max_read_retries
         else
           raise e
         end
-        
+
         log_retry(e, message: 'Legacy read retry')
         sleep(client.read_retry_interval) unless is_retryable_exception?(e)
         retry
@@ -261,7 +262,7 @@ module Mongo
       # @param [ Mongo::Server ] failed_server The server on which the original
       #   operation failed.
       # @param [ Proc ] block The block to execute.
-      # 
+      #
       # @return [ Result ] The result of the operation.
       def retry_read(original_error, session, server_selector, failed_server: nil, &block)
         begin
@@ -270,9 +271,9 @@ module Mongo
           original_error.add_note("later retry failed: #{e.class}: #{e}")
           raise original_error
         end
-  
+
         log_retry(original_error, message: 'Read retry')
-  
+
         begin
           yield server, true
         rescue *retryable_exceptions => e

data/lib/mongo/retryable/write_worker.rb

@@ -104,7 +104,7 @@ module Mongo
         session = context.session
         server = select_server(cluster, ServerSelector.primary, session)
         options = session&.client&.options || {}
-        
+
         if options[:retry_writes]
           begin
             server.with_connection(connection_global_id: context.connection_global_id) do |connection|
@@ -219,7 +219,7 @@ module Mongo
       def modern_write_with_retry(session, server, context, &block)
         txn_num = nil
         connection_succeeded = false
-        
+
         server.with_connection(connection_global_id: context.connection_global_id) do |connection|
           connection_succeeded = true
 
@@ -264,7 +264,7 @@ module Mongo
         # a socket error or a not master error should have marked the respective
         # server unknown). Here we just need to wait for server selection.
         server = select_server(cluster, ServerSelector.primary, session, failed_server)
-        
+
         unless server.retry_writes?
           # Do not need to add "modern retry" here, it should already be on
           # the first exception.
@@ -278,7 +278,7 @@ module Mongo
           # special marker class to bypass the ordinarily applicable rescues.
           raise Error::RaiseOriginalError
         end
-        
+
         log_retry(original_error, message: 'Write retry')
         server.with_connection(connection_global_id: context.connection_global_id) do |connection|
           yield(connection, txn_num, context)

data/lib/mongo/server/pending_connection.rb

@@ -110,6 +110,24 @@ module Mongo
 
       private
 
+      # Sends the hello command to the server, then receive and deserialize
+      # the response.
+      #
+      # This method is extracted to be mocked in the tests.
+      #
+      # @param [ Protocol::Message ] Command that should be sent to a server
+      #   for handshake purposes.
+      #
+      # @return [ Mongo::Protocol::Reply ] Deserialized server response.
+      def get_handshake_response(hello_command)
+        @server.round_trip_time_averager.measure do
+          add_server_diagnostics do
+            socket.write(hello_command.serialize.to_s)
+            Protocol::Message.deserialize(socket, Protocol::Message::MAX_MESSAGE_SIZE)
+          end
+        end
+      end
+
       # @param [ BSON::Document | nil ] speculative_auth_doc The document to
       #   provide in speculativeAuthenticate field of handshake command.
       #
@@ -131,12 +149,7 @@ module Mongo
         doc = nil
         @server.handle_handshake_failure! do
           begin
-            response = @server.round_trip_time_averager.measure do
-              add_server_diagnostics do
-                socket.write(hello_command.serialize.to_s)
-                Protocol::Message.deserialize(socket, Protocol::Message::MAX_MESSAGE_SIZE)
-              end
-            end
+            response = get_handshake_response(hello_command)
             result = Operation::Result.new([response])
             result.validate!
             doc = result.documents.first

data/lib/mongo/socket/ssl.rb

@@ -23,6 +23,7 @@ module Mongo
     # @since 2.0.0
     class SSL < Socket
       include OpenSSL
+      include Loggable
 
       # Initializes a new TLS socket.
       #
@@ -287,7 +288,7 @@ module Mongo
         # for instance, if there is no newline between two certificates
         # this code will extract them both but OpenSSL fails in this situation.
         if cert_text
-          certs = cert_text.scan(/-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/)
+          certs = extract_certs(cert_text)
           if certs.length > 1
             context.cert = OpenSSL::X509::Certificate.new(certs.shift)
             context.extra_chain_cert = certs.map do |cert|
@@ -363,12 +364,15 @@ module Mongo
       end
 
       def verify_ocsp_endpoint!(socket)
-        unless verify_ocsp_endpoint?
-          return
-        end
+        return unless verify_ocsp_endpoint?
 
         cert = socket.peer_cert
-        ca_cert = socket.peer_cert_chain.last
+        ca_cert = find_issuer(cert, socket.peer_cert_chain)
+
+        unless ca_cert
+          log_warn("TLS certificate of '#{host_name}' could not be definitively verified via OCSP: issuer certificate not found in the chain.")
+          return
+        end
 
         verifier = OcspVerifier.new(@host_name, cert, ca_cert, context.cert_store,
           **Utils.shallow_symbolize_keys(options))
@@ -390,6 +394,32 @@ module Mongo
           hook.call(@context)
         end
       end
+
+      BEGIN_CERT = "-----BEGIN CERTIFICATE-----"
+      END_CERT = "-----END CERTIFICATE-----"
+
+      # This was originally a scan + regex, but the regex was particularly
+      # inefficient and was flagged as a concern by static analysis.
+      def extract_certs(text)
+        [].tap do |list|
+          pos = 0
+
+          while (begin_idx = text.index(BEGIN_CERT, pos))
+            end_idx = text.index(END_CERT, begin_idx)
+            break unless end_idx
+
+            end_idx += END_CERT.length
+            list.push(text[begin_idx...end_idx])
+
+            pos = end_idx
+          end
+        end
+      end
+
+      # Find the issuer certificate in the chain.
+      def find_issuer(cert, cert_chain)
+        cert_chain.find { |c| c.subject == cert.issuer }
+      end
     end
   end
 end

data/lib/mongo/version.rb

@@ -1,24 +1,9 @@
 # frozen_string_literal: true
-# rubocop:todo all
-
-# Copyright (C) 2014-2020 MongoDB Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
 
 module Mongo
-
   # The current version of the driver.
   #
-  # @since 2.0.0
-  VERSION = '2.20.0'.freeze
+  # Note that this file is automatically updated via `rake candidate:create`.
+  # Manual changes to this file will be overwritten by that rake task.
+  VERSION = '2.20.2'
 end

data/mongo.gemspec

@@ -9,28 +9,25 @@ Gem::Specification.new do |s|
   s.name              = 'mongo'
   s.version           = Mongo::VERSION
   s.platform          = Gem::Platform::RUBY
-  s.authors           = ["The MongoDB Ruby Team"]
-  s.email             = "dbx-ruby@mongodb.com"
+  s.authors           = [ 'The MongoDB Ruby Team' ]
+  s.email             = 'dbx-ruby@mongodb.com'
   s.homepage          = 'https://mongodb.com/docs/ruby-driver/'
   s.summary           = 'Ruby driver for MongoDB'
-  s.description       = 'A Ruby driver for MongoDB'
   s.license           = 'Apache-2.0'
+  s.description       = <<~DESC
+    A pure-Ruby driver for connecting to, querying, and manipulating MongoDB
+    databases. Officially developed and supported by MongoDB, with love for
+    the Ruby community.
+  DESC
 
   s.metadata = {
     'bug_tracker_uri' => 'https://jira.mongodb.org/projects/RUBY',
     'changelog_uri' => 'https://github.com/mongodb/mongo-ruby-driver/releases',
-    'documentation_uri' => 'https://mongodb.com/docs/ruby-driver/',
     'homepage_uri' => 'https://mongodb.com/docs/ruby-driver/',
+    'documentation_uri' => 'https://mongodb.com/docs/ruby-driver/current/tutorials/quick-start/',
     'source_code_uri' => 'https://github.com/mongodb/mongo-ruby-driver',
   }
 
-  if File.exist?('gem-private_key.pem')
-    s.signing_key     = 'gem-private_key.pem'
-    s.cert_chain      = ['gem-public_cert.pem']
-  else
-    warn "[#{s.name}] Warning: No private key present, creating unsigned gem."
-  end
-
   s.files             = Dir.glob('{bin,lib,spec}/**/*')
   s.files             += %w[mongo.gemspec LICENSE README.md CONTRIBUTING.md Rakefile]
   s.test_files        = Dir.glob('spec/**/*')

data/spec/integration/client_side_encryption/range_explicit_encryption_prose_spec.rb

@@ -7,6 +7,9 @@ require 'spec_helper'
 # rubocop:disable RSpec/ExampleLength
 describe 'Range Explicit Encryption' do
   min_server_version '7.0.0-rc0'
+  # https://jira.mongodb.org/browse/RUBY-3457
+  max_server_version '7.99.99'
+
   require_libmongocrypt
   include_context 'define shared FLE helpers'