
Commit b5e54aa

authored
PYTHON-4256 Ensure TOKEN_RESOURCE is url-encoded (#1616)
1 parent ec5711e commit b5e54aa


2 files changed

+33
-1
lines changed


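--- a/pymongo/auth.py
+++ b/pymongo/auth.py
@@ -33,7 +33,7 @@
 Optional,
 cast,
 )
-from urllib.parse import quote
+from urllib.parse import quote, unquote
 
 from bson.binary import Binary
 from pymongo.auth_aws import _authenticate_aws
@@ -173,6 +173,8 @@ def _build_credentials_tuple(
 human_callback = properties.get("OIDC_HUMAN_CALLBACK")
 environ = properties.get("ENVIRONMENT")
 token_resource = properties.get("TOKEN_RESOURCE", "")
+if unquote(token_resource) == token_resource:
+token_resource = quote(token_resource)
 default_allowed = [
 "*.mongodb.net",
 "*.mongodb-dev.net",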
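Review bot: The `unquote(token_resource) == token_resource` guard in `_build_credentials_tuple` only recognises values that contain no percent-escape at all, so a TOKEN_RESOURCE that mixes an escape with raw reserved characters (a constructed example: `a%24b&c`) skips `quote()` and keeps the raw `&`. If the value is later placed in a request URL's query string, which this hunk does not show, such a value could alter that request's parameters instead of being sent as one resource string. Replacing the two added lines with `token_resource = quote(token_resource, safe="/%")` would encode everything except existing escapes and still satisfy both new fixtures, at the cost of leaving a stray `%` untouched; either way a comment stating that the check is a heuristic would help. The function body starts and ends outside the hunk.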

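--- a/test/auth/legacy/connection-string.json
+++ b/test/auth/legacy/connection-string.json
@@ -539,6 +539,36 @@
 }
 }
 },
+{
+"description": "should accept a url-encoded TOKEN_RESOURCE (MONGODB-OIDC)",
+"uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:mongodb%253A//test-cluster",
+"valid": true,
+"credential": {
+"username": "user",
+"password": null,
+"source": "$external",
+"mechanism": "MONGODB-OIDC",
+"mechanism_properties": {
+"ENVIRONMENT": "azure",
+"TOKEN_RESOURCE": "mongodb%253A//test-cluster"
+}
+}
+},
+{
+"description": "should url-encode a TOKEN_RESOURCE (MONGODB-OIDC)",
+"uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:a$b",
+"valid": true,
+"credential": {
+"username": "user",
+"password": null,
+"source": "$external",
+"mechanism": "MONGODB-OIDC",
+"mechanism_properties": {
+"ENVIRONMENT": "azure",
+"TOKEN_RESOURCE": "a%24b"
+}
+}
+},
 {
 "description": "should accept a username and throw an error for a password with azure provider (MONGODB-OIDC)",
 "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:foo",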
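Review bot: The two added cases cover a TOKEN_RESOURCE that is entirely percent-encoded and one that is entirely raw, but none where the value mixes an escape with an unencoded reserved character, or contains a `%` that is not part of a valid escape. Those are the inputs where an encode-only-if-unescaped rule is most likely to give a surprising result, so a fixture pinning the expected `mechanism_properties` value for each (or `"valid": false`) would document the intended behaviour. The trailing context lines belong to an object that continues outside the hunk.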
