fix: AJDA-2621 authenticationMechanism for default mongodb:// protocol#36
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
Adds support for configuring MongoDB authenticationMechanism so the extractor can authenticate correctly against deployments like Azure Cosmos DB while keeping existing behavior unchanged when the field is omitted.
Changes:
- Adds
db.authenticationMechanismto config validation and documents the supported values. - Propagates the mechanism into generated connection settings for both
mongoexportflags and URI-based connections. - Adds unit/functional tests covering URI generation, command generation, config validation, and a new extraction scenario.
Reviewed changes
Copilot reviewed 12 out of 16 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
src/Config/DbNode.php |
Adds config schema/validation for authenticationMechanism and forbids it with custom_uri. |
src/UriFactory.php |
Appends authMechanism to generated MongoDB URIs. |
src/ExportCommandFactory.php |
Emits --authenticationMechanism for non-URI mongoexport connections. |
README.md |
Documents the new connection option and its intended usage. |
CLAUDE.md |
Updates maintainer notes about auth-related handling in command construction. |
tests/phpunit/UriFactoryTest.php |
Adds URI construction cases for auth mechanism handling. |
tests/phpunit/ExportCommandFactoryTest.php |
Adds command-generation assertions for auth mechanism support. |
tests/phpunit/ConfigDefinitionTest.php |
Adds config validation cases for valid/invalid auth mechanism inputs. |
tests/functional/export-with-auth-mechanism/source/data/config.json |
Defines a functional extraction scenario using SCRAM-SHA-256. |
tests/functional/export-with-auth-mechanism/setUp.php |
Seeds the authenticated test dataset for the new scenario. |
tests/functional/export-with-auth-mechanism/expected/data/out/tables/export-all.csv.manifest |
Captures expected manifest output for the new functional test. |
tests/functional/export-with-auth-mechanism/expected/data/out/tables/export-all.csv |
Captures expected extracted rows for the new functional test. |
tests/functional/export-with-auth-mechanism/expected/data/out/tables/.gitkeep |
Keeps expected tables directory in git. |
tests/functional/export-with-auth-mechanism/expected/data/out/files/.gitkeep |
Keeps expected files directory in git. |
tests/functional/export-with-auth-mechanism/expected-stdout |
Captures expected stdout for the new functional test. |
tests/functional/export-with-auth-mechanism/expected-code |
Captures expected exit code for the new functional test. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ondrajodas
approved these changes
May 20, 2026
Member
Author
|
@keboola-pr-reviewer review |
…tocol The Phase 1 fix migrated testConnection() to mongosh, which negotiates SCRAM-SHA-256 correctly against Azure Cosmos DB. The extraction path remained broken: mongoexport on the default mongodb:// protocol emits individual --host/--port/--username/--password flags but never sets --authenticationMechanism, so it negotiates SCRAM-SHA-1 only -- which Cosmos DB rejects. Add an optional db.authenticationMechanism enum (SCRAM-SHA-1, SCRAM-SHA-256, MONGODB-X509, GSSAPI, PLAIN, MONGODB-AWS), thread it through to mongoexport's --authenticationMechanism flag for the default protocol and through UriFactory's authMechanism query param for the mongodb+srv protocol and mongosh-based testConnection. Custom URI users keep embedding authMechanism in the URI string and are unaffected. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Treat empty authenticationMechanism as unset to keep the optional enum field from rejecting "" when the UI sends a blank value for an unselected mechanism. - Add functional testConnection scenario exercising the mongosh path with SCRAM-SHA-256 alongside the existing mongoexport scenario. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4634eb3 to
b12fc9b
Compare
Dismissing prior approval — a new commit was pushed and this review was for an earlier SHA. Run @keboola-pr-reviewer review to get a fresh verdict.
|
New commit on |
pecl mongodb 2.3.x requires zstd headers to compile mongoc-compression.c; without libzstd-dev the Docker build fails with "fatal error: zstd.h: No such file or directory". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pecl mongodb 2.3.x requires zstd headers and depends on glibc 2.38+ strlcpy (bookworm ships glibc 2.36), causing build failures with "undefined symbol: strlcpy" at composer install. Pin to 2.2.0, the last release that supports PHP 8.4 without those requirements. Reverts the libzstd-dev addition; it papered over zstd.h but did not fix the underlying strlcpy issue. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 2 follow-up to PR #35 (AJDA-2621 / SUPPORT-15991). Phase 1 migrated
testConnection()tomongoshso the UI's "Test Connection" button works against Azure Cosmos DB. Phase 2 fixes the actual extraction path —mongoexporton the defaultmongodb://protocol previously omitted--authenticationMechanism, falling back to SCRAM-SHA-1, which Cosmos DB rejects.db.authenticationMechanismenum (SCRAM-SHA-1,SCRAM-SHA-256,MONGODB-X509,GSSAPI,PLAIN,MONGODB-AWS); rejected undercustom_uri(users embedauthMechanism=in the URI directly).mongodb://flag-based path now emits--authenticationMechanism <value>after--authenticationDatabase.UriFactoryappendsauthMechanism=<value>query param formongodbandmongodb+srvprotocols (used bymongoexport --urifor SRV and bymongoshfortestConnection).authenticationMechanismunset emits byte-identical commands to before.Customer impact: once released, CSAS can switch their config from
custom_uriworkaround back to defaultmongodb://protocol withauthenticationMechanism: SCRAM-SHA-256.Test plan
ConfigDefinitionTest,UriFactoryTest,ExportCommandFactoryTest)export-with-auth-mechanismscenario running SCRAM-SHA-256 againstmongodb-authservice)composer ci(validate + phplint + phpcs + phpstan level 8 + tests) — all greenconnection.cs.keboola.cloudproject 383 once released — switch to default protocol withauthenticationMechanism: SCRAM-SHA-256and run extraction jobNotes
🤖 Generated with Claude Code