static async Task MainAsync()
{
var connectionString = "mongodb://localmongo1:27017?ssl=true&authMechanism=MONGODB-X509&ssl_ca_certs=./test-ca.pem";
var settings = new MongoClientSettings
{
Credential = MongoCredential.CreateMongoX509Credential("CN=ChrisChoClient,OU=TestClientCertificateOrgUnit,O=TestClientCertificateOrg,L=TestClientCertificateLocality,ST=TestClientCertificateState,C=US"),
SslSettings = new SslSettings
{
ClientCertificates = new List <X509Certificate>()
{
new X509Certificate2("./client-certificate.pfx", "mypass")
},
},
UseSsl = true
};
var client = new MongoClient(connectionString);
var database = client.GetDatabase("test");
var collection = database.GetCollection <Entity>("stuff");
var entity = new Entity {
Name = "Tom"
};
collection.InsertOne(entity);
var id = entity.Id;
//var query = Query<Entity>.EQ(e => e.Id, id);
//entity = collection.FindOne(query);
//entity.Name = "Mot";
//collection.Save(entity);
}
public void Authentication_succeeds_with_MONGODB_X509_mechanism(
[Values(false, true)] bool async)
{
RequireEnvironment.Check().EnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PATH", isDefined: true);
RequireEnvironment.Check().EnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PASSWORD", isDefined: true);
RequireServer.Check().Tls(required: true);
var pathToClientCertificate = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PATH");
var password = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PASSWORD");
var clientCertificate = new X509Certificate2(pathToClientCertificate, password);
var userName = GetRfc2253FormattedUsernameFromX509ClientCertificate(clientCertificate);
DropDatabaseUser(DriverTestConfiguration.Client, database: "$external", userName);
CreateX509DatabaseUser(DriverTestConfiguration.Client, userName);
var settings = DriverTestConfiguration.GetClientSettings().Clone();
var serverVersion = CoreTestConfiguration.ServerVersion;
if (Feature.ServerExtractsUsernameFromX509Certificate.IsSupported(serverVersion))
{
settings.Credential = MongoCredential.CreateMongoX509Credential();
}
else
{
settings.Credential = MongoCredential.CreateMongoX509Credential(userName);
}
settings.SslSettings = settings.SslSettings.Clone();
settings.SslSettings.ClientCertificates = new[] { clientCertificate };
AssertAuthenticationSucceeds(settings, async, speculativeAuthenticatationShouldSucceedIfPossible: true);
}
static async Task MainAsync()
{
var settingObjectOnlySettings = new MongoClientSettings
{
Credential = MongoCredential.CreateMongoX509Credential(null),
SslSettings = new SslSettings
{
ClientCertificates = new List <X509Certificate>()
{
new X509Certificate2("client-certificate.pfx", "password")
},
},
UseTls = true,
Server = new MongoServerAddress("localmongo1", 27017),
AllowInsecureTls = true // for testing using self-signed certs, use this option to skip validation. DO NOT USE THIS OPTION FOR PRODUCTION USES
};
var client = new MongoClient(settingObjectOnlySettings);
// just doing a quick read + insert to verify the usability of this connection
var database = client.GetDatabase("test");
var collection = database.GetCollection <BsonDocument>("stuff");
var allItemsInCollection = await collection.Find(new BsonDocument()).ToListAsync();
Console.WriteLine(allItemsInCollection.Count);
var entity = new BsonDocument {
{ "count", allItemsInCollection.Count }
};
collection.InsertOne(entity);
Console.WriteLine("wrote " + entity + " to DB");
}
public void TestCreateMongoX509Credential_without_username()
{
var credential = MongoCredential.CreateMongoX509Credential();
Assert.Equal("MONGODB-X509", credential.Mechanism);
Assert.Equal(null, credential.Username);
Assert.IsType <ExternalEvidence>(credential.Evidence);
}
public void TestCreateMongoX509Credential()
{
var credential = MongoCredential.CreateMongoX509Credential("username");
Assert.AreEqual("MONGODB-X509", credential.Mechanism);
Assert.AreEqual("username", credential.Username);
Assert.IsInstanceOf <ExternalEvidence>(credential.Evidence);
}
private MongoClientSettings GetMongoSettings(Models.MongoDBConnectionDetails connectionParameters, out string logs)
{
logs = string.Empty;
MongoClientSettings settings = new MongoClientSettings
{
Server = new MongoServerAddress(connectionParameters.HostName, connectionParameters.Port),
UseSsl = connectionParameters.IsSslEnabled,
RetryWrites = true
};
logs += "--- Basic MongoDB Settings has done. \n";
if (connectionParameters.IsSslEnabled &&
!connectionParameters.AuthenticationMechanism.Equals(Models.MongoAuthentication.X509))
{
settings.VerifySslCertificate = !connectionParameters.IsSelfSignedEnabled;
connectionParameters.SslCertificateData = FilePathHelper.ReadFile(Server, connectionParameters.SslClientCertificate);
logs += "--- SSL Certificate data has been retrieved. \n";
if (connectionParameters.SslCertificateData != null)
{
logs += "--- SSL Certificate data not null. \n";
logs += "----CertificateData. \n" + System.Text.Encoding.UTF8.GetString(connectionParameters.SslCertificateData);
var certificate = string.IsNullOrEmpty(connectionParameters.SslCertificatePassword) ? new X509Certificate2(connectionParameters.SslCertificateData) : new X509Certificate2(connectionParameters.SslCertificateData, connectionParameters.SslCertificatePassword);
logs += "----CertificateAdded. \n";
settings.SslSettings = new SslSettings()
{
ClientCertificates = new[] { certificate }
};
logs += certificate.Subject;
logs += "--- Certificate has been added. \n";
}
}
switch (connectionParameters.AuthenticationMechanism)
{
case Models.MongoAuthentication.SCRAM:
break;
case Models.MongoAuthentication.X509:
settings.VerifySslCertificate = !connectionParameters.IsSelfSignedEnabled;
settings.UseSsl = true;
connectionParameters.SslCertificateData = FilePathHelper.ReadFile(Server, connectionParameters.SslClientCertificate);
var certificate = string.IsNullOrEmpty(connectionParameters.SslCertificatePassword) ? new X509Certificate2(connectionParameters.SslCertificateData) : new X509Certificate2(connectionParameters.SslCertificateData, connectionParameters.SslCertificatePassword);
settings.SslSettings = new SslSettings()
{
ClientCertificates = new[] { certificate }
};
settings.Credential = MongoCredential.CreateMongoX509Credential(certificate.Subject.ToString().Replace("S=", "ST=").Replace(", ", ","));
logs += "--- switch called for x509 \n";
break;
default:
break;
}
logs += "--- settings has been returned. \n";
return(settings);
}
/// <summary>
/// 根据config获得MongoClientSettings,同时更新一些运行时变量
/// </summary>
/// <param name="config"></param>
/// <returns></returns>
public static MongoClientSettings CreateMongoClientSettingsByConfig(ref MongoConnectionConfig config)
{
//修改获得数据实例的方法
var mongoClientSetting = new MongoClientSettings();
if (string.IsNullOrEmpty(config.ConnectionString))
{
mongoClientSetting.ConnectionMode = ConnectionMode.Direct;
SetReadPreferenceWriteConcern(mongoClientSetting, config);
//Replset时候可以不用设置吗?
mongoClientSetting.Server = new MongoServerAddress(config.Host, config.Port);
//MapReduce的时候将消耗大量时间。不过这里需要平衡一下,太长容易造成并发问题
//The default value for SocketTimeout has been changed from 30 seconds to 0,
if (config.SocketTimeoutMs != 0)
{
mongoClientSetting.SocketTimeout = new TimeSpan(0, 0, (int)(config.SocketTimeoutMs / 1000));
}
if (config.ConnectTimeoutMs != 0)
{
mongoClientSetting.ConnectTimeout = new TimeSpan(0, 0, (int)(config.ConnectTimeoutMs / 1000));
}
// if (SystemConfig.configHelperInstance.wtimeoutMS != 0)
// {
// mongoClientSetting.WaitQueueTimeout = new TimeSpan(0, 0, (int)(SystemConfig.configHelperInstance.wtimeoutMS / 1000));
// }
// if (SystemConfig.configHelperInstance.WaitQueueSize != 0)
// {
// mongoClientSetting.WaitQueueSize = SystemConfig.configHelperInstance.WaitQueueSize;
// }
//运行时LoginAsAdmin的设定
config.LoginAsAdmin = config.DataBaseName == string.Empty;
if (!(string.IsNullOrEmpty(config.UserName) || string.IsNullOrEmpty(config.Password)))
{
//认证的设定:注意,这里的密码是明文
//3.0开始默认SCRAM-SHA-1
if (config.AuthMechanism == ConstMgr.MONGODB_CR)
{
if (string.IsNullOrEmpty(config.DataBaseName))
{
mongoClientSetting.Credentials = new[] { MongoCredential.CreateMongoCRCredential(ConstMgr.DatabaseNameAdmin, config.UserName, config.Password) };
}
else
{
mongoClientSetting.Credentials = new[] { MongoCredential.CreateMongoCRCredential(config.DataBaseName, config.UserName, config.Password) };
}
}
if (config.AuthMechanism == ConstMgr.SCRAM_SHA_1)
{
if (string.IsNullOrEmpty(config.DataBaseName))
{
mongoClientSetting.Credentials = new[] { MongoCredential.CreateCredential(ConstMgr.DatabaseNameAdmin, config.UserName, config.Password) };
}
else
{
mongoClientSetting.Credentials = new[] { MongoCredential.CreateCredential(config.DataBaseName, config.UserName, config.Password) };
}
}
}
//X509
if (!string.IsNullOrEmpty(config.UserName))
{
if (config.AuthMechanism == ConstMgr.MONGODB_X509)
{
mongoClientSetting.Credentials = new[] { MongoCredential.CreateMongoX509Credential(config.UserName) };
}
}
//ReplSetName
if (!string.IsNullOrEmpty(config.ReplSetName))
{
mongoClientSetting.ReplicaSetName = config.ReplSetName;
config.ServerRole = MongoConnectionConfig.SvrRoleType.ReplsetSvr;
}
else
{
config.ServerRole = MongoConnectionConfig.SvrRoleType.DataSvr;
}
if (config.ServerRole == MongoConnectionConfig.SvrRoleType.ReplsetSvr)
{
//ReplsetName不是固有属性,可以设置,不过必须保持与配置文件的一致
mongoClientSetting.ConnectionMode = ConnectionMode.ReplicaSet;
//添加Replset服务器,注意,这里可能需要事先初始化副本
var replsetSvrList = new List <MongoServerAddress>();
foreach (var item in config.ReplsetList)
{
//如果这里的服务器在启动的时候没有--Replset参数,将会出错,当然作为单体的服务器,启动是没有任何问题的
MongoServerAddress replSrv;
if (item.Split(":".ToCharArray()).Length == 2)
{
replSrv = new MongoServerAddress(
item.Split(":".ToCharArray())[0],
Convert.ToInt16(item.Split(":".ToCharArray())[1]));
}
else
{
replSrv = new MongoServerAddress(item);
}
replsetSvrList.Add(replSrv);
}
mongoClientSetting.Servers = replsetSvrList;
}
}
else
{
//使用MongoConnectionString建立连接
mongoClientSetting = MongoClientSettings.FromUrl(MongoUrl.Create(config.ConnectionString));
}
//为了避免出现无法读取数据库结构的问题,将读权限都设置为Preferred
if (Equals(mongoClientSetting.ReadPreference, ReadPreference.Primary))
{
mongoClientSetting.ReadPreference = ReadPreference.PrimaryPreferred;
}
if (Equals(mongoClientSetting.ReadPreference, ReadPreference.Secondary))
{
mongoClientSetting.ReadPreference = ReadPreference.SecondaryPreferred;
}
return(mongoClientSetting);
}
static async Task MainAsync()
{
// EXAMPLE PULLED FROM THE DOCS: https://mongodb.github.io/mongo-csharp-driver/2.8/reference/driver/authentication/
// does not work
var client_cert = new X509Certificate2("client-certificate.pfx", "password");
var docsExampleVersionOfSettings = new MongoClientSettings
{
Credentials = new[]
{ // i just pulled this DN (username for x509) from openssl using: openssl pkcs12 -info -in client-certificate.pfx
MongoCredential.CreateMongoX509Credential("OU=TestClientCertificateOrgUnit, O=TestClientCertificateOrg, L=TestClientCertificateLocality, ST=TestClientCertificateState")
}, // note that this DN also matches the DN/subject printed out using cert.ToString()
SslSettings = new SslSettings
{
ClientCertificates = new[] { client_cert },
},
UseSsl = true
};
// working example starting with a connection string, and avoiding the Credential part of the setting object entirely
var connectionString = "mongodb://localmongo1/?authMechanism=MONGODB-X509&tls=true";
var connectionStringPlusObjectSettings = MongoClientSettings.FromConnectionString(connectionString);
var cert = new X509Certificate2("client-certificate.pfx", "password");
Console.WriteLine(cert.ToString());
Console.WriteLine(cert.PrivateKey != null ? "contains private key" : "does not contain private key"); // verify that there's a private key in the cert, docs tell us we need this
var sslSettings = new SslSettings {
ClientCertificates = new List <X509Certificate>()
{
new X509Certificate2("client-certificate.pfx", "password")
}
};
connectionStringPlusObjectSettings.AllowInsecureTls = true; // for testing using self-signed certs, use this option to skip validation. DO NOT USE THIS OPTION FOR PRODUCTION USES
connectionStringPlusObjectSettings.SslSettings = sslSettings;
// just to demonstrate the difference between what mongod uses (order + spacing) vs openssl/c# version of the string:
var from_mongod_logs_str = "OU=TestClientCertificateOrgUnit,O=TestClientCertificateOrg,L=TestClientCertificateLocality,ST=TestClientCertificateState";
var from_openssl_str = "ST = TestClientCertificateState, L = TestClientCertificateLocality, O = TestClientCertificateOrg, OU = TestClientCertificateOrgUnit";
var from_csharp_str = "OU=TestClientCertificateOrgUnit, O=TestClientCertificateOrg, L=TestClientCertificateLocality, S=TestClientCertificateState";
// note that C# adds extra spaces and uses S instead of ST; openssl adds even more extra spaces and puts values in a completely different order.
// suggested example to replace the existing docs example. Should work as long as the certificate is valid!
var settingObjectOnlySettings = new MongoClientSettings
{
Credential = MongoCredential.CreateMongoX509Credential(null),
SslSettings = new SslSettings
{
ClientCertificates = new List <X509Certificate>()
{
new X509Certificate2("client-certificate.pfx", "password")
},
},
UseTls = true,
Server = new MongoServerAddress("localmongo1", 27017),
AllowInsecureTls = true // for testing using self-signed certs, use this option to skip validation. DO NOT USE THIS OPTION FOR PRODUCTION USES
};
var client = new MongoClient(settingObjectOnlySettings); // suggested fixed example
//var client = new MongoClient(connectionStringPlusObjectSettings); // x509 auth activated via connection string
//var client = new MongoClient(docsExampleVersionOfSettings); // example from the docs, in case you want to play around with it
// just doing a quick read + insert to verify the usability of this connection
var database = client.GetDatabase("test");
var collection = database.GetCollection <BsonDocument>("stuff");
var allItemsInCollection = await collection.Find(new BsonDocument()).ToListAsync();
Console.WriteLine(allItemsInCollection.Count);
var entity = new BsonDocument {
{ "count", allItemsInCollection.Count }
};
collection.InsertOne(entity);
Console.WriteLine("wrote " + entity + " to DB");
/*
*
* Driver suggestions:
*
* https://api.mongodb.com/csharp/2.2/html/T_MongoDB_Driver_MongoCredential.htm
*
* - the X509Credential arguments are missing for some reason from the API docs MongoCredential page (above)
*
* https://mongodb.github.io/mongo-csharp-driver/2.8/reference/driver/authentication/
*
* - the x.509 auth portion of this page has 3 problems:
*
* 1) Credentials is deprecated, replaced by Credential
*
* 2) useSsl is deprecated, should be useTls
*
* 3) the value of Credential (created by MongoCredential.CreateMongoX509Credential(connectionStr)) must
*
* match the DN of the certificate EXACTLY as interpreted by mongodb. Unfortunately this means it must
*
* match spacing that openSSL/C# do not necessarily include when one prints out a pfx file with commands
*
* like ``openssl pkcs12 -info -in client-certificate.pfx``.
*
*
*
* Two solutions to #3 for our documentation:
*
* 1) set connectionStr to null and this snippet will work just fine
*
* 2) set the authentication mechanism to x509 in a connection string, then import
*
* that connection string into a settings object using MongoClientSettings.FromConnectionString,
*
* then add the certificate to the SslSettings. This lets you avoid setting a Credential entirely
*
*
*
* Personally I would simply recommend removing/deprecating the argument
*
* from CreateMongoX509Credential entirely, as it was only a source of
*
* pain for me when trying to use X.509 with the drivers.
*
*
*
*/
}