RUBY-2342 Implement proper AWS auth region calculation (#2032)

Co-authored-by: Oleg Pudeyev <oleg@bsdpower.com>

Author: p-mongo

lib/mongo/auth/aws/request.rb

@@ -61,9 +61,13 @@ def initialize(access_key_id:, secret_access_key:, session_token: nil,
           %i(access_key_id secret_access_key host server_nonce).each do |arg|
             value = instance_variable_get("@#{arg}")
             if value.nil? || value.empty?
-              raise ArgumentError, "Value for #{arg} is required"
+              raise Error::InvalidServerAuthResponse, "Value for '#{arg}' is required"
             end
           end
+
+          if host && host.length > 255
+              raise Error::InvalidServerAuthHost, "Value for 'host' is too long: #{@host}"
+          end
         end
 
         # @return [ String ] access_key_id The access key id.
@@ -98,8 +102,28 @@ def formatted_date
 
         # @return [ String ] region The region of the host, derived from the host.
         def region
-          # TODO implement region derivation when SPEC-1646 is done.
-          'us-east-1'
+          # Common case
+          if host == 'sts.amazonaws.com'
+            return 'us-east-1'
+          end
+
+          if host.start_with?('.')
+            raise Error::InvalidServerAuthHost, "Host begins with a period: #{host}"
+          end
+          if host.end_with?('.')
+            raise Error::InvalidServerAuthHost, "Host ends with a period: #{host}"
+          end
+
+          parts = host.split('.')
+          if parts.any? { |part| part.empty? }
+            raise Error::InvalidServerAuthHost, "Host has an empty component: #{host}"
+          end
+
+          if parts.length == 1
+            'us-east-1'
+          else
+            parts[1]
+          end
         end
 
         # Returns the scope of the request, per the AWS signature V4 specification.

lib/mongo/error.rb

@@ -190,6 +190,8 @@ def add_label(label)
 require 'mongo/error/invalid_nonce'
 require 'mongo/error/invalid_replacement_document'
 require 'mongo/error/invalid_server_auth_response'
+# Subclass of InvalidServerAuthResponse
+require 'mongo/error/invalid_server_auth_host'
 require 'mongo/error/invalid_server_preference'
 require 'mongo/error/invalid_session'
 require 'mongo/error/invalid_signature'

lib/mongo/error/invalid_server_auth_host.rb

@@ -0,0 +1,22 @@
+# Copyright (C) 2020 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  class Error
+
+    # Raised when the server returned an invalid Host value in AWS auth.
+    class InvalidServerAuthHost < InvalidServerAuthResponse
+    end
+  end
+end

spec/mongo/auth/aws/request_region_spec.rb

@@ -0,0 +1,42 @@
+require 'lite_spec_helper'
+
+AWS_REGION_TEST_CASES = {
+  'sts.amazonaws.com' => 'us-east-1',
+  'sts.us-west-2.amazonaws.com' => 'us-west-2',
+  'sts.us-west-2.amazonaws.com.ch' => 'us-west-2',
+  'example.com' => 'com',
+  'localhost' => 'us-east-1',
+  'sts..com' => Mongo::Error::InvalidServerAuthHost,
+  '.amazonaws.com' => Mongo::Error::InvalidServerAuthHost,
+  'sts.amazonaws.' => Mongo::Error::InvalidServerAuthHost,
+  '' => Mongo::Error::InvalidServerAuthResponse,
+  'x' * 256 => Mongo::Error::InvalidServerAuthHost,
+}
+
+describe 'AWS auth region tests' do
+
+  AWS_REGION_TEST_CASES.each do |host, expected_region|
+    context "host '#{host}'" do
+      let(:request) do
+        Mongo::Auth::Aws::Request.new(access_key_id: 'access_key_id',
+          secret_access_key: 'secret_access_key',
+          session_token: 'session_token',
+          host: host,
+          server_nonce: 'server_nonce',
+        )
+      end
+
+      if expected_region.is_a?(String)
+        it 'derives expected region' do
+          request.region.should == expected_region
+        end
+      else
+        it 'fails with an error' do
+          lambda do
+            request.region
+          end.should raise_error(expected_region)
+        end
+      end
+    end
+  end
+end

spec/mongo/auth/aws/request_spec.rb

@@ -1,15 +1,15 @@
 require 'spec_helper'
 
-describe Mongo::Auth::Aws::Request do 
+describe Mongo::Auth::Aws::Request do
 
-  describe "#formatted_time" do 
-    context "when time is provided and frozen" do 
+  describe "#formatted_time" do
+    context "when time is provided and frozen" do
       let(:original_time) { Time.at(1592399523).freeze }
-      let(:request) do 
-        described_class.new(access_key_id: 'access_key_id', 
-          secret_access_key: 'secret_access_key', 
-          session_token: 'session_token', 
-          host: 'host', 
+      let(:request) do
+        described_class.new(access_key_id: 'access_key_id',
+          secret_access_key: 'secret_access_key',
+          session_token: 'session_token',
+          host: 'host',
           server_nonce: 'server_nonce',
           time: original_time
         )
@@ -24,12 +24,12 @@
       end
     end
 
-    context "when time is not provided" do 
-      let(:request) do 
-        described_class.new(access_key_id: 'access_key_id', 
-          secret_access_key: 'secret_access_key', 
-          session_token: 'session_token', 
-          host: 'host', 
+    context "when time is not provided" do
+      let(:request) do
+        described_class.new(access_key_id: 'access_key_id',
+          secret_access_key: 'secret_access_key',
+          session_token: 'session_token',
+          host: 'host',
           server_nonce: 'server_nonce'
         )
       end
@@ -40,37 +40,37 @@
     end
   end
 
-  describe "#signature" do 
-    context "when time is provided and frozen" do 
+  describe "#signature" do
+    context "when time is provided and frozen" do
       let(:original_time) { Time.at(1592399523).freeze }
-      let(:request) do 
-        described_class.new(access_key_id: 'access_key_id', 
-          secret_access_key: 'secret_access_key', 
-          session_token: 'session_token', 
-          host: 'host', 
+      let(:request) do
+        described_class.new(access_key_id: 'access_key_id',
+          secret_access_key: 'secret_access_key',
+          session_token: 'session_token',
+          host: 'host',
           server_nonce: 'server_nonce',
           time: original_time
         )
       end
-  
-      it 'doesn\'t raise error on signature' do 
+
+      it 'doesn\'t raise error on signature' do
         expect { request.signature }.to_not raise_error
       end
     end
 
-    context "when time is not provided" do 
-      let(:request) do 
-        described_class.new(access_key_id: 'access_key_id', 
-          secret_access_key: 'secret_access_key', 
-          session_token: 'session_token', 
-          host: 'host', 
+    context "when time is not provided" do
+      let(:request) do
+        described_class.new(access_key_id: 'access_key_id',
+          secret_access_key: 'secret_access_key',
+          session_token: 'session_token',
+          host: 'host',
           server_nonce: 'server_nonce'
         )
       end
-  
-      it 'doesn\'t raise error on signature' do 
+
+      it 'doesn\'t raise error on signature' do
         expect { request.signature }.to_not raise_error
       end
-    end    
+    end
   end
 end