mongo 2.23.0 → 2.24.0

data/lib/mongo/auth/aws/credentials_retriever.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2020 MongoDB Inc.
 #
@@ -23,7 +22,7 @@ module Mongo
       # @api private
       class CredentialsNotFound < Mongo::Error::AuthError
         def initialize
-          super("Could not locate AWS credentials (checked Client URI and Ruby options, environment variables, ECS and EC2 metadata, and Web Identity)")
+          super('Could not locate AWS credentials (checked Client URI and Ruby options, environment variables, ECS and EC2 metadata, and Web Identity)')
         end
       end
 
@@ -110,7 +109,7 @@ module Mongo
             user.password,
             user.auth_mech_properties['aws_session_token']
           )
-          return credentials if credentials_valid?(credentials, 'Mongo::Client URI or Ruby options')
+          credentials if credentials_valid?(credentials, 'Mongo::Client URI or Ruby options')
         end
 
         # Returns credentials from environment variables.
@@ -138,14 +137,17 @@ module Mongo
         #
         # @raise Auth::InvalidConfiguration if a source contains an invalid set
         #   of credentials.
-        # @ raise Error::TimeoutError if credentials cannot be retrieved within
+        # @raise Error::TimeoutError if credentials cannot be retrieved within
         #   the timeout defined on the operation context.
         def obtain_credentials_from_endpoints(timeout_holder = nil)
-          if (credentials = web_identity_credentials(timeout_holder)) && credentials_valid?(credentials, 'Web identity token')
+          if (credentials = web_identity_credentials(timeout_holder)) && credentials_valid?(credentials,
+                                                                                            'Web identity token')
             credentials
-          elsif (credentials = ecs_metadata_credentials(timeout_holder)) && credentials_valid?(credentials, 'ECS task metadata')
+          elsif (credentials = ecs_metadata_credentials(timeout_holder)) && credentials_valid?(credentials,
+                                                                                               'ECS task metadata')
             credentials
-          elsif (credentials = ec2_metadata_credentials(timeout_holder)) && credentials_valid?(credentials, 'EC2 instance metadata')
+          elsif (credentials = ec2_metadata_credentials(timeout_holder)) && credentials_valid?(credentials,
+                                                                                               'EC2 instance metadata')
             credentials
           end
         end
@@ -157,39 +159,35 @@ module Mongo
         #
         # @return [ Auth::Aws::Credentials | nil ] A set of credentials, or nil
         #   if retrieval failed.
-        # @ raise Error::TimeoutError if credentials cannot be retrieved within
+        # @raise Error::TimeoutError if credentials cannot be retrieved within
         #   the timeout.
         def ec2_metadata_credentials(timeout_holder = nil)
           timeout_holder&.check_timeout!
           http = Net::HTTP.new('169.254.169.254')
           req = Net::HTTP::Put.new('/latest/api/token',
-            # The TTL is required in order to obtain the metadata token.
-            {'x-aws-ec2-metadata-token-ttl-seconds' => '30'})
+                                   # The TTL is required in order to obtain the metadata token.
+                                   { 'x-aws-ec2-metadata-token-ttl-seconds' => '30' })
           resp = with_timeout(timeout_holder) do
             http.request(req)
           end
-          if resp.code != '200'
-            return nil
-          end
+          return nil if resp.code != '200'
+
           metadata_token = resp.body
           resp = with_timeout(timeout_holder) do
             http_get(http, '/latest/meta-data/iam/security-credentials', metadata_token)
           end
-          if resp.code != '200'
-            return nil
-          end
+          return nil if resp.code != '200'
+
           role_name = resp.body
           escaped_role_name = CGI.escape(role_name).gsub('+', '%20')
           resp = with_timeout(timeout_holder) do
             http_get(http, "/latest/meta-data/iam/security-credentials/#{escaped_role_name}", metadata_token)
           end
-          if resp.code != '200'
-            return nil
-          end
+          return nil if resp.code != '200'
+
           payload = JSON.parse(resp.body)
-          unless payload['Code'] == 'Success'
-            return nil
-          end
+          return nil unless payload['Code'] == 'Success'
+
           Credentials.new(
             payload['AccessKeyId'],
             payload['SecretAccessKey'],
@@ -199,7 +197,7 @@ module Mongo
         # When trying to use the EC2 metadata endpoint on ECS:
         # Errno::EINVAL: Failed to open TCP connection to 169.254.169.254:80 (Invalid argument - connect(2) for "169.254.169.254" port 80)
         rescue ::Timeout::Error, IOError, SystemCallError, TypeError
-          return nil
+          nil
         end
 
         # Returns credentials from the ECS metadata endpoint. The credentials
@@ -209,14 +207,12 @@ module Mongo
         #
         # @return [ Auth::Aws::Credentials | nil ] A set of credentials, or nil
         #   if retrieval failed.
-        # @ raise Error::TimeoutError if credentials cannot be retrieved within
+        # @raise Error::TimeoutError if credentials cannot be retrieved within
         #   the timeout defined on the operation context.
         def ecs_metadata_credentials(timeout_holder = nil)
           timeout_holder&.check_timeout!
           relative_uri = ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
-          if relative_uri.nil? || relative_uri.empty?
-            return nil
-          end
+          return nil if relative_uri.nil? || relative_uri.empty?
 
           http = Net::HTTP.new('169.254.170.2')
           # Per https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
@@ -229,9 +225,8 @@ module Mongo
           resp = with_timeout(timeout_holder) do
             http.request(req)
           end
-          if resp.code != '200'
-            return nil
-          end
+          return nil if resp.code != '200'
+
           payload = JSON.parse(resp.body)
           Credentials.new(
             payload['AccessKeyId'],
@@ -240,7 +235,7 @@ module Mongo
             DateTime.parse(payload['Expiration']).to_time
           )
         rescue ::Timeout::Error, IOError, SystemCallError, TypeError
-          return nil
+          nil
         end
 
         # Returns credentials associated with web identity token that is
@@ -255,10 +250,12 @@ module Mongo
         def web_identity_credentials(timeout_holder = nil)
           web_identity_token, role_arn, role_session_name = prepare_web_identity_inputs
           return nil if web_identity_token.nil?
+
           response = request_web_identity_credentials(
             web_identity_token, role_arn, role_session_name, timeout_holder
           )
           return if response.nil?
+
           credentials_from_web_identity_response(response)
         end
 
@@ -269,15 +266,12 @@ module Mongo
         def prepare_web_identity_inputs
           token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE']
           role_arn = ENV['AWS_ROLE_ARN']
-          if token_file.nil? || role_arn.nil?
-            return nil
-          end
-          web_identity_token = File.open(token_file).read
+          return nil if token_file.nil? || role_arn.nil?
+
+          web_identity_token = File.read(token_file)
           role_session_name = ENV['AWS_ROLE_SESSION_NAME']
-          if role_session_name.nil?
-            role_session_name = "ruby-app-#{SecureRandom.alphanumeric(50)}"
-          end
-          [web_identity_token, role_arn, role_session_name]
+          role_session_name = "ruby-app-#{SecureRandom.alphanumeric(50)}" if role_session_name.nil?
+          [ web_identity_token, role_arn, role_session_name ]
         rescue Errno::ENOENT, IOError, SystemCallError
           nil
         end
@@ -296,7 +290,7 @@ module Mongo
         # @return [ Net::HTTPResponse | nil ] AWS API response if successful,
         #   otherwise nil.
         #
-        # @ raise Error::TimeoutError if credentials cannot be retrieved within
+        # @raise Error::TimeoutError if credentials cannot be retrieved within
         #   the timeout defined on the operation context.
         def request_web_identity_credentials(token, role_arn, role_session_name, timeout_holder)
           timeout_holder&.check_timeout!
@@ -316,9 +310,8 @@ module Mongo
               https.request(req)
             end
           end
-          if resp.code != '200'
-            return nil
-          end
+          return nil if resp.code != '200'
+
           resp
         rescue Errno::ENOENT, IOError, SystemCallError
           nil
@@ -349,7 +342,7 @@ module Mongo
 
         def http_get(http, uri, metadata_token)
           req = Net::HTTP::Get.new(uri,
-            {'x-aws-ec2-metadata-token' => metadata_token})
+                                   { 'x-aws-ec2-metadata-token' => metadata_token })
           http.request(req)
         end
 
@@ -360,25 +353,24 @@ module Mongo
         # incomplete (i.e. some of the components are missing).
         def credentials_valid?(credentials, source)
           unless credentials.access_key_id || credentials.secret_access_key ||
-            credentials.session_token
-          then
+                 credentials.session_token
             return false
           end
 
           if credentials.access_key_id || credentials.secret_access_key
             if credentials.access_key_id && !credentials.secret_access_key
               raise Auth::InvalidConfiguration,
-                "Access key ID is provided without secret access key (source: #{source})"
+                    "Access key ID is provided without secret access key (source: #{source})"
             end
 
             if credentials.secret_access_key && !credentials.access_key_id
               raise Auth::InvalidConfiguration,
-                "Secret access key is provided without access key ID (source: #{source})"
+                    "Secret access key is provided without access key ID (source: #{source})"
             end
 
           elsif credentials.session_token
             raise Auth::InvalidConfiguration,
-              "Session token is provided without access key ID or secret access key (source: #{source})"
+                  "Session token is provided without access key ID or secret access key (source: #{source})"
           end
 
           true
@@ -392,17 +384,11 @@ module Mongo
         #
         # @param [ CsotTimeoutHolder | nil ] timeout_holder CSOT timeout.
         #
-        # @ raise Error::TimeoutError if deadline exceeded.
-        def with_timeout(timeout_holder)
+        # @raise Error::TimeoutError if deadline exceeded.
+        def with_timeout(timeout_holder, &block)
           timeout = timeout_holder&.remaining_timeout_sec! || METADATA_TIMEOUT
-          exception_class = if timeout_holder&.csot?
-                              Error::TimeoutError
-                            else
-                              nil
-                            end
-          ::Timeout.timeout(timeout, exception_class) do
-            yield
-          end
+          exception_class = (Error::TimeoutError if timeout_holder&.csot?)
+          ::Timeout.timeout(timeout, exception_class, &block)
         end
       end
     end

data/lib/mongo/auth/aws/request.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2020 MongoDB Inc.
 #
@@ -22,7 +21,6 @@ end
 module Mongo
   module Auth
     class Aws
-
       # Helper class for working with AWS requests.
       #
       # The primary purpose of this class is to produce the canonical AWS
@@ -30,11 +28,10 @@ module Mongo
       #
       # @api private
       class Request
-
         # The body of the STS GetCallerIdentity request.
         #
         # This is currently the only request that this class supports making.
-        STS_REQUEST_BODY = "Action=GetCallerIdentity&Version=2011-06-15".freeze
+        STS_REQUEST_BODY = 'Action=GetCallerIdentity&Version=2011-06-15'
 
         # The timeout, in seconds, to use for validating credentials via STS.
         VALIDATE_TIMEOUT = 10
@@ -51,9 +48,7 @@ module Mongo
         # @param [ String ] host The value of Host HTTP header to use.
         # @param [ String ] server_nonce The server nonce binary string.
         # @param [ Time ] time The time of the request.
-        def initialize(access_key_id:, secret_access_key:, session_token: nil,
-          host:, server_nonce:, time: Time.now
-        )
+        def initialize(access_key_id:, secret_access_key:, host:, server_nonce:, session_token: nil, time: Time.now)
           @access_key_id = access_key_id
           @secret_access_key = secret_access_key
           @session_token = session_token
@@ -61,16 +56,14 @@ module Mongo
           @server_nonce = server_nonce
           @time = time
 
-          %i(access_key_id secret_access_key host server_nonce).each do |arg|
+          %i[access_key_id secret_access_key host server_nonce].each do |arg|
             value = instance_variable_get("@#{arg}")
-            if value.nil? || value.empty?
-              raise Error::InvalidServerAuthResponse, "Value for '#{arg}' is required"
-            end
+            raise Error::InvalidServerAuthResponse, "Value for '#{arg}' is required" if value.nil? || value.empty?
           end
 
-          if host && host.length > 255
-              raise Error::InvalidServerAuthHost, "Value for 'host' is too long: #{@host}"
-          end
+          return unless host && host.length > 255
+
+          raise Error::InvalidServerAuthHost, "Value for 'host' is too long: #{@host}"
         end
 
         # @return [ String ] access_key_id The access key id.
@@ -106,16 +99,10 @@ module Mongo
         # @return [ String ] region The region of the host, derived from the host.
         def region
           # Common case
-          if host == 'sts.amazonaws.com'
-            return 'us-east-1'
-          end
+          return 'us-east-1' if host == 'sts.amazonaws.com'
 
-          if host.start_with?('.')
-            raise Error::InvalidServerAuthHost, "Host begins with a period: #{host}"
-          end
-          if host.end_with?('.')
-            raise Error::InvalidServerAuthHost, "Host ends with a period: #{host}"
-          end
+          raise Error::InvalidServerAuthHost, "Host begins with a period: #{host}" if host.start_with?('.')
+          raise Error::InvalidServerAuthHost, "Host ends with a period: #{host}" if host.end_with?('.')
 
           parts = host.split('.')
           if parts.any? { |part| part.empty? }
@@ -151,11 +138,9 @@ module Mongo
             'host' => host,
             'x-amz-date' => formatted_time,
             'x-mongodb-gs2-cb-flag' => 'n',
-            'x-mongodb-server-nonce' => Base64.encode64(server_nonce).gsub("\n", ''),
+            'x-mongodb-server-nonce' => Base64.encode64(server_nonce).delete("\n"),
           }
-          if session_token
-            headers['x-amz-security-token'] = session_token
-          end
+          headers['x-amz-security-token'] = session_token if session_token
           headers
         end
 
@@ -216,9 +201,9 @@ module Mongo
         def signature
           hashed_canonical_request = Digest::SHA256.hexdigest(canonical_request)
           string_to_sign = "AWS4-HMAC-SHA256\n" +
-            "#{formatted_time}\n" +
-            "#{scope}\n" +
-            hashed_canonical_request
+                           "#{formatted_time}\n" +
+                           "#{scope}\n" +
+                           hashed_canonical_request
           # All of the intermediate HMAC operations are not hex-encoded.
           mac = hmac("AWS4#{secret_access_key}", formatted_date)
           mac = hmac(mac, region)
@@ -252,7 +237,8 @@ module Mongo
           http = Net::HTTP.new(host, 443)
           http.use_ssl = true
           http.start do
-            resp = Timeout.timeout(VALIDATE_TIMEOUT, Error::CredentialCheckError, 'GetCallerIdentity request timed out') do
+            resp = Timeout.timeout(VALIDATE_TIMEOUT, Error::CredentialCheckError,
+                                   'GetCallerIdentity request timed out') do
               http.request(sts_request)
             end
             payload = JSON.parse(resp.body)
@@ -261,7 +247,7 @@ module Mongo
               aws_message = payload.fetch('Error').fetch('Message')
               msg = "Credential check for user #{access_key_id} failed with HTTP status code #{resp.code}: #{aws_code}: #{aws_message}"
               msg += '.' unless msg.end_with?('.')
-              msg += " Please check that the credentials are valid, and if they are temporary (i.e. use the session token) that the session token is provided and not expired"
+              msg += ' Please check that the credentials are valid, and if they are temporary (i.e. use the session token) that the session token is provided and not expired'
               raise Error::CredentialCheckError, msg
             end
             payload.fetch('GetCallerIdentityResponse').fetch('GetCallerIdentityResult')
@@ -271,13 +257,12 @@ module Mongo
         private
 
         def hmac(key, data)
-          OpenSSL::HMAC.digest("SHA256", key, data)
+          OpenSSL::HMAC.digest('SHA256', key, data)
         end
 
         def hmac_hex(key, data)
-          OpenSSL::HMAC.hexdigest("SHA256", key, data)
+          OpenSSL::HMAC.hexdigest('SHA256', key, data)
         end
-
       end
     end
   end

data/lib/mongo/auth/aws.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2020 MongoDB Inc.
 #
@@ -18,7 +17,7 @@
 module Mongo
   module Auth
     class Aws < Base
-      MECHANISM = 'MONGODB-AWS'.freeze
+      MECHANISM = 'MONGODB-AWS'
 
       # Log the user in on the current connection.
       #

data/lib/mongo/auth/base.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2014-2020 MongoDB Inc.
 #
@@ -17,7 +16,6 @@
 
 module Mongo
   module Auth
-
     # Base class for authenticators.
     #
     # Each authenticator is instantiated for authentication over a particular
@@ -25,7 +23,6 @@ module Mongo
     #
     # @api private
     class Base
-
       # @return [ Mongo::Auth::User ] The user to authenticate.
       attr_reader :user
 
@@ -37,7 +34,7 @@ module Mongo
       # @param [ Auth::User ] user The user to authenticate.
       # @param [ Mongo::Connection ] connection The connection to authenticate
       #   over.
-      def initialize(user, connection, **opts)
+      def initialize(user, connection, **_opts)
         @user = user
         @connection = connection
       end
@@ -74,8 +71,7 @@ module Mongo
       #   value of speculativeAuthenticate field of hello response of
       #   the handshake on the specified connection.
       def converse_multi_step(connection, conversation,
-        speculative_auth_result: nil
-      )
+                              speculative_auth_result: nil)
         # Although the SASL conversation in theory can have any number of
         # steps, all defined authentication methods have a predefined number
         # of steps, and therefore all of our authenticators have a fixed set
@@ -97,26 +93,22 @@ module Mongo
         end
         unless reply_document[:done]
           raise Error::InvalidServerAuthResponse,
-            'Server did not respond with {done: true} after finalizing the conversation'
+                'Server did not respond with {done: true} after finalizing the conversation'
         end
         reply_document
       end
 
       def dispatch_msg(connection, conversation, msg)
         context = Operation::Context.new(options: {
-          server_api: connection.options[:server_api],
-        })
+                                           server_api: connection.options[:server_api],
+                                         })
         if server_api = context.server_api
           msg = msg.maybe_add_server_api(server_api)
         end
-        reply = connection.dispatch([msg], context)
+        reply = connection.dispatch([ msg ], context)
         reply_document = reply.documents.first
         validate_reply!(connection, conversation, reply_document)
-        connection_global_id = if connection.respond_to?(:global_id)
-          connection.global_id
-        else
-          nil
-        end
+        connection_global_id = (connection.global_id if connection.respond_to?(:global_id))
         result = Operation::Result.new(reply, connection.description, connection_global_id, context: context)
         connection.update_cluster_time(result)
         reply_document
@@ -124,21 +116,20 @@ module Mongo
 
       # Checks whether reply is successful (i.e. has {ok: 1} set) and
       # raises Unauthorized if not.
-      def validate_reply!(connection, conversation, doc)
-        if doc[:ok] != 1
-          message = Error::Parser.build_message(
-            code: doc[:code],
-            code_name: doc[:codeName],
-            message: doc[:errmsg],
-          )
+      def validate_reply!(connection, _conversation, doc)
+        return unless doc[:ok] != 1
 
-          raise Unauthorized.new(user,
-            used_mechanism: self.class.const_get(:MECHANISM),
-            message: message,
-            server: connection.server,
-            code: doc[:code]
-          )
-        end
+        message = Error::Parser.build_message(
+          code: doc[:code],
+          code_name: doc[:codeName],
+          message: doc[:errmsg]
+        )
+
+        raise Unauthorized.new(user,
+                               used_mechanism: self.class.const_get(:MECHANISM),
+                               message: message,
+                               server: connection.server,
+                               code: doc[:code])
       end
     end
   end

data/lib/mongo/auth/conversation_base.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2020 MongoDB Inc.
 #
@@ -17,19 +16,17 @@
 
 module Mongo
   module Auth
-
     # Defines common behavior around authentication conversations between
     # the client and the server.
     #
     # @api private
     class ConversationBase
-
       # Create the new conversation.
       #
       # @param [ Auth::User ] user The user to authenticate.
       # @param [ Mongo::Connection ] connection The connection to authenticate
       #   over.
-      def initialize(user, connection, **opts)
+      def initialize(user, connection, **_opts)
         @user = user
         @connection = connection
       end
@@ -53,34 +50,33 @@ module Mongo
 
       # @return [ Protocol::Message ] The message to send.
       def build_message(connection, auth_source, selector)
-        if connection && connection.features.op_msg_enabled?
+        if connection
           selector = selector.dup
           selector[Protocol::Msg::DATABASE_IDENTIFIER] = auth_source
           cluster_time = connection.mongos? && connection.cluster_time
-          if cluster_time
-            selector[Operation::CLUSTER_TIME] = cluster_time
-          end
+          selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
           Protocol::Msg.new([], {}, selector)
         else
           Protocol::Query.new(
             auth_source,
             Database::COMMAND,
             selector,
-            limit: -1,
+            limit: -1
           )
         end
       end
 
       def validate_external_auth_source
-        if user.auth_source != '$external'
-          user_name_msg = if user.name
-            " #{user.name}"
-          else
-            ''
-          end
-          mechanism = user.mechanism
-          raise Auth::InvalidConfiguration, "User#{user_name_msg} specifies auth source '#{user.auth_source}', but the only valid auth source for #{mechanism} is '$external'"
-        end
+        return unless user.auth_source != '$external'
+
+        user_name_msg = if user.name
+                          " #{user.name}"
+                        else
+                          ''
+                        end
+        mechanism = user.mechanism
+        raise Auth::InvalidConfiguration,
+              "User#{user_name_msg} specifies auth source '#{user.auth_source}', but the only valid auth source for #{mechanism} is '$external'"
       end
     end
   end

data/lib/mongo/auth/cr/conversation.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2014-2020 MongoDB Inc.
 #
@@ -18,7 +17,6 @@
 module Mongo
   module Auth
     class CR
-
       # Defines behavior around a single MONGODB-CR conversation between the
       # client and server.
       #
@@ -28,7 +26,6 @@ module Mongo
       #   removed in driver version 3.0. Please use SCRAM instead.
       # @api private
       class Conversation < ConversationBase
-
         # The login message base.
         #
         # @since 2.0.0

data/lib/mongo/auth/cr.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2014-2020 MongoDB Inc.
 #
@@ -17,7 +16,6 @@
 
 module Mongo
   module Auth
-
     # Defines behavior for MongoDB-CR authentication.
     #
     # @since 2.0.0
@@ -26,11 +24,10 @@ module Mongo
     #   removed in driver version 3.0. Please use SCRAM instead.
     # @api private
     class CR < Base
-
       # The authentication mechanism string.
       #
       # @since 2.0.0
-      MECHANISM = 'MONGODB-CR'.freeze
+      MECHANISM = 'MONGODB-CR'
 
       # Log the user in on the current connection.
       #

data/lib/mongo/auth/credential_cache.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2020 MongoDB Inc.
 #
@@ -17,7 +16,6 @@
 
 module Mongo
   module Auth
-
     # Cache store for computed SCRAM credentials.
     #
     # @api private