RUBY-2619 Add test for security-sensitive commands

lib/mongo/monitoring/event/secure.rb

@@ -41,7 +41,8 @@ module Secure
         ].freeze
 
         # Redact secure information from the document if it's command is in the
-        # list.
+        # list or if it's command is a hello/legacy hello command, and
+        # speculative authentication is enabled.
         #
         # @example Get the redacted document.
         #   secure.redacted(command_name, document)
@@ -53,9 +54,20 @@ module Secure
         #
         # @since 2.1.0
         def redacted(command_name, document)
-          if REDACTED_COMMANDS.include?(command_name.to_s) &&
-            !%w(1 true yes).include?(ENV['MONGO_RUBY_DRIVER_UNREDACT_EVENTS']&.downcase)
+          if %w(1 true yes).include?(ENV['MONGO_RUBY_DRIVER_UNREDACT_EVENTS']&.downcase)
+            return document
+          end
+
+          if REDACTED_COMMANDS.include?(command_name.to_s)
+            BSON::Document.new
+          elsif %w(hello ismaster isMaster).include?(command_name.to_s) &&
+            !!document['speculativeAuthenticate']
           then
+            # According to Command Monitoring spec,for hello/lecagy hello commands
+            # when speculativeAuthenticate is present, their commands AND replies
+            # MUST be redacted from the events. So, we replace the entire event
+            # payload.
+            # See https://github.com/mongodb/specifications/blob/master/source/command-monitoring/command-monitoring.rst#security
             BSON::Document.new
           else
             document

spec/mongo/monitoring/event/secure_spec.rb

@@ -48,13 +48,34 @@
 
     context 'when the command is not in the redacted list' do
 
-      let(:redacted) do
-        secure.redacted(:find, document)
+      context 'the command is not a hello/legacy hello command' do
+
+        let(:redacted) do
+          secure.redacted(:find, document)
+        end
+
+        it 'returns the document' do
+          expect(redacted).to eq(document)
+        end
+
       end
 
-      it 'returns the document' do
-        expect(redacted).to eq(document)
+      %w(hello ismaster isMaster).each do |command|
+        context command do
+          it 'returns an empty document if speculative auth' do
+            expect(
+              secure.redacted(command, BSON::Document.new('speculativeAuthenticate' => "foo"))
+            ).to be_empty
+          end
+
+          it 'returns an original document if no speculative auth' do
+            expect(
+              secure.redacted(command, document)
+            ).to eq(document)
+          end
+        end
       end
+
     end
   end
 

spec/runners/crud/requirement.rb

@@ -4,7 +4,7 @@
 module Mongo
   module CRUD
     class Requirement
-      YAML_KEYS = %w(minServerVersion maxServerVersion topology topologies serverParameters serverless).freeze
+      YAML_KEYS = %w(auth minServerVersion maxServerVersion topology topologies serverParameters serverless).freeze
 
       def initialize(spec)
         spec = spec.dup
@@ -48,6 +48,7 @@ def initialize(spec)
         else
           nil
         end
+        @auth = spec['auth']
       end
 
       attr_reader :min_server_version
@@ -106,6 +107,11 @@ def satisfied?
             ok = ok && [:allow, :forbid].include?(serverless)
           end
         end
+        if @auth == true
+          ok &&= cc.auth_enabled?
+        elsif @auth == false
+          ok &&= !cc.auth_enabled?
+        end
         ok
       end
 

spec/runners/unified/assertions.rb

@@ -99,7 +99,7 @@ def assert_events
         client = entities.get(:client, client_id)
         subscriber = @subscribers.fetch(client)
         expected_events = spec.use!('events')
-        actual_events = subscriber.wanted_events
+        actual_events = subscriber.wanted_events(@observe_sensitive)
         case spec.use('eventType')
         when nil, 'command'
           actual_events.select! do |event|

spec/runners/unified/event_subscriber.rb

@@ -10,8 +10,8 @@ def ignore_commands(command_names)
       @ignore_commands = command_names
     end
 
-    def wanted_events
-      all_events.select do |event|
+    def wanted_events(observe_sensitive = false)
+      events = all_events.select do |event|
         kind = event.class.name.sub(/.*::/, '').sub('Command', '').gsub(/([A-Z])/) { "_#{$1}" }.sub(/^_/, '').downcase.to_sym
         @wanted_events[kind]
       end.select do |event|
@@ -25,9 +25,14 @@ def wanted_events
         else
           true
         end
-      end.reject do |event|
-        event.respond_to?(:command_name) &&
-          %w(authenticate getnonce saslStart saslContinue).include?(event.command_name)
+      end
+      if observe_sensitive
+        events
+      else
+        events.reject do |event|
+          event.respond_to?(:command_name) &&
+            %w(authenticate getnonce saslStart saslContinue).include?(event.command_name)
+        end
       end
     end
 

spec/runners/unified/test.rb

@@ -131,6 +131,7 @@ def create_entities
           end
 
           create_client(**opts).tap do |client|
+            @observe_sensitive = spec.use('observeSensitiveCommands')
             if oe = spec.use('observeEvents')
               oe.each do |event|
                 case event

spec/spec_tests/command_monitoring_unified_spec.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+# encoding: utf-8
+
+require 'spec_helper'
+
+require 'runners/unified'
+
+base = "#{CURRENT_PATH}/spec_tests/data/command_monitoring_unified"
+COMMAND_MONITORING_UNIFIED_TESTS = Dir.glob("#{base}/**/*.yml").sort
+
+describe 'Command monitoring unified spec tests' do
+  define_unified_spec_tests(base, COMMAND_MONITORING_UNIFIED_TESTS)
+end