mongodb
diff --git a/‎lib/mongo/auth.rb‎
Lines changed: 30 additions & 10 deletions b/‎lib/mongo/auth.rb‎
Lines changed: 30 additions & 10 deletions
diff --git a/‎lib/mongo/auth/cr.rb‎
Lines changed: 1 addition & 0 deletions b/‎lib/mongo/auth/cr.rb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/mongo/auth/cr/conversation.rb‎
Lines changed: 13 additions & 13 deletions b/‎lib/mongo/auth/cr/conversation.rb‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎lib/mongo/auth/ldap.rb‎
Lines changed: 2 additions & 1 deletion b/‎lib/mongo/auth/ldap.rb‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎lib/mongo/auth/ldap/conversation.rb‎
Lines changed: 9 additions & 12 deletions b/‎lib/mongo/auth/ldap/conversation.rb‎
Lines changed: 9 additions & 12 deletions
diff --git a/‎lib/mongo/auth/scram.rb‎
Lines changed: 1 addition & 0 deletions b/‎lib/mongo/auth/scram.rb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/mongo/auth/scram/conversation.rb‎
Lines changed: 36 additions & 27 deletions b/‎lib/mongo/auth/scram/conversation.rb‎
Lines changed: 36 additions & 27 deletions
diff --git a/‎lib/mongo/auth/x509.rb‎
Lines changed: 2 additions & 1 deletion b/‎lib/mongo/auth/x509.rb‎
Lines changed: 2 additions & 1 deletion
@@ -110,25 +110,45 @@ class Unauthorized < Mongo::Error::AuthError
       # @param [ String ] used_mechanism Auth mechanism actually used for
       #   authentication. This is a full string like SCRAM-SHA-256.
       # @param [ String ] message The error message returned by the server.
+      # @param [ Server ] server The server instance that authentication
+      #   was attempted against.
       #
       # @since 2.0.0
-      def initialize(user, used_mechanism: nil, message: nil)
-        specified_mechanism = if user.mechanism
-          " (mechanism: #{user.mechanism})"
-        else
-          ''
+      def initialize(user, used_mechanism: nil, message: nil,
+        server: nil
+      )
+        configured_bits = []
+        used_bits = [
+          "auth source: #{user.auth_source}",
+        ]
+
+        if user.mechanism
+          configured_bits << "mechanism: #{user.mechanism}"
         end
-        used_mechanism = if used_mechanism
-          " (used mechanism: #{used_mechanism})"
-        else
-          ''
+
+        if used_mechanism
+          used_bits << "used mechanism: #{used_mechanism}"
+        end
+
+        if server
+          used_bits << "used server: #{server.address} (#{server.status})"
         end
+
         used_user = if user.mechanism == :mongodb_x509
           'Client certificate'
         else
           "User #{user.name}"
         end
-        msg = "#{used_user}#{specified_mechanism} is not authorized to access #{user.database} (auth source: #{user.auth_source})#{used_mechanism}"
+
+        if configured_bits.empty?
+          configured_bits = ''
+        else
+          configured_bits = " (#{configured_bits.join(', ')})"
+        end
+
+        used_bits = " (#{used_bits.join(', ')})"
+
+        msg = "#{used_user}#{configured_bits} is not authorized to access #{user.database}#{used_bits}"
         if message
           msg += ': ' + message
         end
 
@@ -23,6 +23,7 @@ module Auth
     # @deprecated MONGODB-CR authentication mechanism is deprecated
     #   as of MongoDB 3.6. Support for it in the Ruby driver will be
     #   removed in driver version 3.0. Please use SCRAM instead.
+    # @api private
     class CR
 
       # The authentication mechinism string.
 
@@ -52,13 +52,14 @@ class Conversation
         #
         # @param [ Protocol::Message ] reply The reply of the previous
         #   message.
-        # @param [ Mongo::Server::Connection ] connection The connection being authenticated.
+        # @param [ Mongo::Server::Connection ] connection The connection being
+        #   authenticated.
         #
         # @return [ Protocol::Query ] The next message to send.
         #
         # @since 2.0.0
-        def continue(reply, connection = nil)
-          validate!(reply)
+        def continue(reply, connection)
+          validate!(reply, connection.server)
           if connection && connection.features.op_msg_enabled?
             selector = LOGIN.merge(user: user.name, nonce: nonce, key: user.auth_key(nonce))
             selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
@@ -78,29 +79,28 @@ def continue(reply, connection = nil)
         # Finalize the CR conversation. This is meant to be iterated until
         # the provided reply indicates the conversation is finished.
         #
-        # @example Finalize the conversation.
-        #   conversation.finalize(reply)
-        #
         # @param [ Protocol::Message ] reply The reply of the previous
         #   message.
+        # @param [ Server::Connection ] connection The connection being
+        #   authenticated.
         #
         # @return [ Protocol::Query ] The next message to send.
         #
         # @since 2.0.0
-        def finalize(reply, connection = nil)
-          validate!(reply)
+        def finalize(reply, connection)
+          validate!(reply, connection.server)
         end
 
         # Start the CR conversation. This returns the first message that
         # needs to be sent to the server.
         #
-        # @example Start the conversation.
-        #   conversation.start
+        # @param [ Server::Connection ] connection The connection being
+        #   authenticated.
         #
         # @return [ Protocol::Query ] The first CR conversation message.
         #
         # @since 2.0.0
-        def start(connection = nil)
+        def start(connection)
           if connection && connection.features.op_msg_enabled?
             selector = Auth::GET_NONCE.merge(Protocol::Msg::DATABASE_IDENTIFIER => user.auth_source)
             cluster_time = connection.mongos? && connection.cluster_time
@@ -129,9 +129,9 @@ def initialize(user)
 
         private
 
-        def validate!(reply)
+        def validate!(reply, server)
           if reply.documents[0][Operation::Result::OK] != 1
-            raise Unauthorized.new(user, used_mechanism: MECHANISM)
+            raise Unauthorized.new(user, used_mechanism: MECHANISM, server: server)
           end
           @nonce = reply.documents[0][Auth::NONCE]
           @reply = reply
 
@@ -20,6 +20,7 @@ module Auth
     # Defines behavior for LDAP Proxy authentication.
     #
     # @since 2.0.0
+    # @api private
     class LDAP
 
       # The authentication mechinism string.
@@ -56,7 +57,7 @@ def login(connection)
         conversation = Conversation.new(user)
         reply = connection.dispatch([ conversation.start(connection) ])
         connection.update_cluster_time(Operation::Result.new(reply))
-        conversation.finalize(reply)
+        conversation.finalize(reply, connection)
       end
     end
   end
 
@@ -37,31 +37,28 @@ class Conversation
         # Finalize the PLAIN conversation. This is meant to be iterated until
         # the provided reply indicates the conversation is finished.
         #
-        # @example Finalize the conversation.
-        #   conversation.finalize(reply)
-        #
         # @param [ Protocol::Message ] reply The reply of the previous
         #   message.
+        # @param [ Server::Connection ] connection The connection being
+        #   authenticated.
         #
         # @return [ Protocol::Query ] The next message to send.
         #
         # @since 2.0.0
-        def finalize(reply)
-          validate!(reply)
+        def finalize(reply, connection)
+          validate!(reply, connection.server)
         end
 
         # Start the PLAIN conversation. This returns the first message that
         # needs to be sent to the server.
         #
-        # @example Start the conversation.
-        #   conversation.start
-        #
-        # @param [ Mongo::Server::Connection ] connection The connection being authenticated.
+        # @param [ Server::Connection ] connection The connection being
+        #   authenticated.
         #
         # @return [ Protocol::Query ] The first PLAIN conversation message.
         #
         # @since 2.0.0
-        def start(connection = nil)
+        def start(connection)
           if connection && connection.features.op_msg_enabled?
             selector = LOGIN.merge(payload: payload, mechanism: LDAP::MECHANISM)
             selector[Protocol::Msg::DATABASE_IDENTIFIER] = Auth::EXTERNAL
@@ -96,9 +93,9 @@ def payload
           BSON::Binary.new("\x00#{user.name}\x00#{user.password}")
         end
 
-        def validate!(reply)
+        def validate!(reply, server)
           if reply.documents[0][Operation::Result::OK] != 1
-            raise Unauthorized.new(user, used_mechanism: MECHANISM)
+            raise Unauthorized.new(user, used_mechanism: MECHANISM, server: server)
           end
           @reply = reply
         end
 
@@ -20,6 +20,7 @@ module Auth
     # Defines behavior for SCRAM authentication.
     #
     # @since 2.0.0
+    # @api private
     class SCRAM
 
       # The authentication mechanism string for SCRAM-SHA-1.
 
@@ -20,6 +20,7 @@ class SCRAM
       # the client and server.
       #
       # @since 2.0.0
+      # @api private
       class Conversation
 
         # The base client continue message.
@@ -103,13 +104,14 @@ class Conversation
         #
         # @param [ Protocol::Message ] reply The reply of the previous
         #   message.
-        # @param [ Mongo::Server::Connection ] connection The connection being authenticated.
+        # @param [ Server::Connection ] connection The connection being
+        #   authenticated.
         #
-        # @return [ Protocol::Query ] The next message to send.
+        # @return [ Protocol::Message ] The next message to send.
         #
         # @since 2.0.0
-        def continue(reply, connection = nil)
-          validate_first_message!(reply)
+        def continue(reply, connection)
+          validate_first_message!(reply, connection.server)
 
           # The salted password needs to be calculated now; otherwise, if the
           # client key is cached from a previous authentication, the salt in the
@@ -118,7 +120,10 @@ def continue(reply, connection = nil)
           salted_password
 
           if connection && connection.features.op_msg_enabled?
-            selector = CLIENT_CONTINUE_MESSAGE.merge(payload: client_final_message, conversationId: id)
+            selector = CLIENT_CONTINUE_MESSAGE.merge(
+              payload: client_final_message,
+              conversationId: id,
+            )
             selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
             cluster_time = connection.mongos? && connection.cluster_time
             selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
@@ -127,29 +132,32 @@ def continue(reply, connection = nil)
             Protocol::Query.new(
               user.auth_source,
               Database::COMMAND,
-              CLIENT_CONTINUE_MESSAGE.merge(payload: client_final_message, conversationId: id),
-              limit: -1
+              CLIENT_CONTINUE_MESSAGE.merge(
+                payload: client_final_message,
+                conversationId: id,
+              ),
+              limit: -1,
             )
           end
         end
 
         # Finalize the SCRAM conversation. This is meant to be iterated until
         # the provided reply indicates the conversation is finished.
         #
-        # @example Finalize the conversation.
-        #   conversation.finalize(reply)
-        #
         # @param [ Protocol::Message ] reply The reply of the previous
         #   message.
-        # @param [ Mongo::Server::Connection ] connection The connection being authenticated.
+        # @param [ Server::Connection ] connection The connection being authenticated.
         #
         # @return [ Protocol::Query ] The next message to send.
         #
         # @since 2.0.0
-        def finalize(reply, connection = nil)
-          validate_final_message!(reply)
+        def finalize(reply, connection)
+          validate_final_message!(reply, connection.server)
           if connection && connection.features.op_msg_enabled?
-            selector = CLIENT_CONTINUE_MESSAGE.merge(payload: client_empty_message, conversationId: id)
+            selector = CLIENT_CONTINUE_MESSAGE.merge(
+              payload: client_empty_message,
+              conversationId: id,
+            )
             selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
             cluster_time = connection.mongos? && connection.cluster_time
             selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
@@ -158,24 +166,24 @@ def finalize(reply, connection = nil)
             Protocol::Query.new(
               user.auth_source,
               Database::COMMAND,
-              CLIENT_CONTINUE_MESSAGE.merge(payload: client_empty_message, conversationId: id),
-              limit: -1
+              CLIENT_CONTINUE_MESSAGE.merge(
+                payload: client_empty_message,
+                conversationId: id,
+              ),
+              limit: -1,
             )
           end
         end
 
         # Start the SCRAM conversation. This returns the first message that
         # needs to be sent to the server.
         #
-        # @example Start the conversation.
-        #   conversation.start
-        #
-        # @param [ Mongo::Server::Connection ] connection The connection being authenticated.
+        # @param [ Server::Connection ] connection The connection being authenticated.
         #
         # @return [ Protocol::Query ] The first SCRAM conversation message.
         #
         # @since 2.0.0
-        def start(connection = nil)
+        def start(connection)
           if connection && connection.features.op_msg_enabled?
             selector = CLIENT_FIRST_MESSAGE.merge(
               payload: client_first_message, mechanism: full_mechanism)
@@ -189,7 +197,7 @@ def start(connection = nil)
               Database::COMMAND,
               CLIENT_FIRST_MESSAGE.merge(
                 payload: client_first_message, mechanism: full_mechanism),
-              limit: -1
+              limit: -1,
             )
           end
         end
@@ -505,23 +513,24 @@ def compare_digest(a, b)
           check == 0
         end
 
-        def validate_final_message!(reply)
-          validate!(reply)
+        def validate_final_message!(reply, server)
+          validate!(reply, server)
           unless compare_digest(verifier, server_signature)
             raise Error::InvalidSignature.new(verifier, server_signature)
           end
         end
 
-        def validate_first_message!(reply)
-          validate!(reply)
+        def validate_first_message!(reply, server)
+          validate!(reply, server)
           raise Error::InvalidNonce.new(nonce, rnonce) unless rnonce.start_with?(nonce)
         end
 
-        def validate!(reply)
+        def validate!(reply, server)
           if reply.documents[0][Operation::Result::OK] != 1
             raise Unauthorized.new(user,
               used_mechanism: full_mechanism,
               message: reply.documents[0]['errmsg'],
+              server: server,
             )
           end
           @reply = reply
 
@@ -20,6 +20,7 @@ module Auth
     # Defines behavior for X.509 authentication.
     #
     # @since 2.0.0
+    # @api private
     class X509
 
       # The authentication mechinism string.
@@ -67,7 +68,7 @@ def login(connection)
         conversation = Conversation.new(user)
         reply = connection.dispatch([ conversation.start(connection) ])
         connection.update_cluster_time(Operation::Result.new(reply))
-        conversation.finalize(reply)
+        conversation.finalize(reply, connection)
       end
     end
   end
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ module Auth`
`20`	`20`	`# Defines behavior for SCRAM authentication.`
`21`	`21`	`#`
`22`	`22`	`# @since 2.0.0`
	`23`	`+ # @api private`
`23`	`24`	`class SCRAM`
`24`	`25`
`25`	`26`	`# The authentication mechanism string for SCRAM-SHA-1.`