PYTHON-4256 Ensure TOKEN_RESOURCE is url-encoded (#1616)

mongodb · Apr 24, 2024 · b5e54aa · b5e54aa
1 parent ec5711e
commit b5e54aa
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/pymongo/auth.py b/pymongo/auth.py
@@ -33,7 +33,7 @@
     Optional,
     cast,
 )
-from urllib.parse import quote
+from urllib.parse import quote, unquote
 
 from bson.binary import Binary
 from pymongo.auth_aws import _authenticate_aws
@@ -173,6 +173,8 @@ def _build_credentials_tuple(
         human_callback = properties.get("OIDC_HUMAN_CALLBACK")
         environ = properties.get("ENVIRONMENT")
         token_resource = properties.get("TOKEN_RESOURCE", "")
+        if unquote(token_resource) == token_resource:
+            token_resource = quote(token_resource)
         default_allowed = [
             "*.mongodb.net",
             "*.mongodb-dev.net",

diff --git a/test/auth/legacy/connection-string.json b/test/auth/legacy/connection-string.json
@@ -539,6 +539,36 @@
         }
       }
     },
+    {
+      "description": "should accept a url-encoded TOKEN_RESOURCE (MONGODB-OIDC)",
+      "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:mongodb%253A//test-cluster",
+      "valid": true,
+      "credential": {
+        "username": "user",
+        "password": null,
+        "source": "$external",
+        "mechanism": "MONGODB-OIDC",
+        "mechanism_properties": {
+          "ENVIRONMENT": "azure",
+          "TOKEN_RESOURCE": "mongodb%253A//test-cluster"
+        }
+      }
+    },
+    {
+      "description": "should url-encode a TOKEN_RESOURCE (MONGODB-OIDC)",
+      "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:a$b",
+      "valid": true,
+      "credential": {
+        "username": "user",
+        "password": null,
+        "source": "$external",
+        "mechanism": "MONGODB-OIDC",
+        "mechanism_properties": {
+          "ENVIRONMENT": "azure",
+          "TOKEN_RESOURCE": "a%24b"
+        }
+      }
+    },
     {
       "description": "should accept a username and throw an error for a password with azure provider (MONGODB-OIDC)",
       "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:foo",