Skip to content

fix: AJDA-2621 authenticationMechanism for default mongodb:// protocol#36

Merged
MiroCillik merged 4 commits into
mainfrom
miro-AJDA-2621-default-protocol
May 21, 2026
Merged

fix: AJDA-2621 authenticationMechanism for default mongodb:// protocol#36
MiroCillik merged 4 commits into
mainfrom
miro-AJDA-2621-default-protocol

Conversation

@MiroCillik

Copy link
Copy Markdown
Member

Summary

Phase 2 follow-up to PR #35 (AJDA-2621 / SUPPORT-15991). Phase 1 migrated testConnection() to mongosh so the UI's "Test Connection" button works against Azure Cosmos DB. Phase 2 fixes the actual extraction path — mongoexport on the default mongodb:// protocol previously omitted --authenticationMechanism, falling back to SCRAM-SHA-1, which Cosmos DB rejects.

  • Adds optional db.authenticationMechanism enum (SCRAM-SHA-1, SCRAM-SHA-256, MONGODB-X509, GSSAPI, PLAIN, MONGODB-AWS); rejected under custom_uri (users embed authMechanism= in the URI directly).
  • Default mongodb:// flag-based path now emits --authenticationMechanism <value> after --authenticationDatabase.
  • UriFactory appends authMechanism=<value> query param for mongodb and mongodb+srv protocols (used by mongoexport --uri for SRV and by mongosh for testConnection).
  • Existing code path with authenticationMechanism unset emits byte-identical commands to before.

Customer impact: once released, CSAS can switch their config from custom_uri workaround back to default mongodb:// protocol with authenticationMechanism: SCRAM-SHA-256.

Test plan

  • Unit tests — 118 pass (added 10 new cases across ConfigDefinitionTest, UriFactoryTest, ExportCommandFactoryTest)
  • Functional tests — 80 pass (added new export-with-auth-mechanism scenario running SCRAM-SHA-256 against mongodb-auth service)
  • composer ci (validate + phplint + phpcs + phpstan level 8 + tests) — all green
  • Customer verification on connection.cs.keboola.cloud project 383 once released — switch to default protocol with authenticationMechanism: SCRAM-SHA-256 and run extraction job

Notes

  • UI schema (separate platform repo) needs a matching field for end users to set this without editing raw JSON.
  • Default behavior unchanged — field is opt-in. Defaulting to SCRAM-SHA-256 was rejected (would break MongoDB <4.0).

🤖 Generated with Claude Code

@linear

linear Bot commented May 4, 2026

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support for configuring MongoDB authenticationMechanism so the extractor can authenticate correctly against deployments like Azure Cosmos DB while keeping existing behavior unchanged when the field is omitted.

Changes:

  • Adds db.authenticationMechanism to config validation and documents the supported values.
  • Propagates the mechanism into generated connection settings for both mongoexport flags and URI-based connections.
  • Adds unit/functional tests covering URI generation, command generation, config validation, and a new extraction scenario.

Reviewed changes

Copilot reviewed 12 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/Config/DbNode.php Adds config schema/validation for authenticationMechanism and forbids it with custom_uri.
src/UriFactory.php Appends authMechanism to generated MongoDB URIs.
src/ExportCommandFactory.php Emits --authenticationMechanism for non-URI mongoexport connections.
README.md Documents the new connection option and its intended usage.
CLAUDE.md Updates maintainer notes about auth-related handling in command construction.
tests/phpunit/UriFactoryTest.php Adds URI construction cases for auth mechanism handling.
tests/phpunit/ExportCommandFactoryTest.php Adds command-generation assertions for auth mechanism support.
tests/phpunit/ConfigDefinitionTest.php Adds config validation cases for valid/invalid auth mechanism inputs.
tests/functional/export-with-auth-mechanism/source/data/config.json Defines a functional extraction scenario using SCRAM-SHA-256.
tests/functional/export-with-auth-mechanism/setUp.php Seeds the authenticated test dataset for the new scenario.
tests/functional/export-with-auth-mechanism/expected/data/out/tables/export-all.csv.manifest Captures expected manifest output for the new functional test.
tests/functional/export-with-auth-mechanism/expected/data/out/tables/export-all.csv Captures expected extracted rows for the new functional test.
tests/functional/export-with-auth-mechanism/expected/data/out/tables/.gitkeep Keeps expected tables directory in git.
tests/functional/export-with-auth-mechanism/expected/data/out/files/.gitkeep Keeps expected files directory in git.
tests/functional/export-with-auth-mechanism/expected-stdout Captures expected stdout for the new functional test.
tests/functional/export-with-auth-mechanism/expected-code Captures expected exit code for the new functional test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/Config/DbNode.php
Comment thread src/UriFactory.php
@MiroCillik

Copy link
Copy Markdown
Member Author

@keboola-pr-reviewer review

keboola-pr-reviewer[bot]
keboola-pr-reviewer Bot previously approved these changes May 20, 2026

@keboola-pr-reviewer keboola-pr-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verdict: auto_approve (risk 2/5) · profile component-factory

This PHP extractor PR is a well-scoped, additive change that adds an optional authenticationMechanism enum field to the MongoDB connection config.

MiroCillik and others added 2 commits May 20, 2026 16:04
…tocol

The Phase 1 fix migrated testConnection() to mongosh, which negotiates
SCRAM-SHA-256 correctly against Azure Cosmos DB. The extraction path
remained broken: mongoexport on the default mongodb:// protocol emits
individual --host/--port/--username/--password flags but never sets
--authenticationMechanism, so it negotiates SCRAM-SHA-1 only -- which
Cosmos DB rejects.

Add an optional db.authenticationMechanism enum (SCRAM-SHA-1, SCRAM-SHA-256,
MONGODB-X509, GSSAPI, PLAIN, MONGODB-AWS), thread it through to
mongoexport's --authenticationMechanism flag for the default protocol and
through UriFactory's authMechanism query param for the mongodb+srv
protocol and mongosh-based testConnection. Custom URI users keep
embedding authMechanism in the URI string and are unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Treat empty authenticationMechanism as unset to keep the optional
  enum field from rejecting "" when the UI sends a blank value for an
  unselected mechanism.
- Add functional testConnection scenario exercising the mongosh path
  with SCRAM-SHA-256 alongside the existing mongoexport scenario.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@MiroCillik MiroCillik force-pushed the miro-AJDA-2621-default-protocol branch from 4634eb3 to b12fc9b Compare May 20, 2026 14:04
@keboola-pr-reviewer keboola-pr-reviewer Bot dismissed their stale review May 20, 2026 14:04

Dismissing prior approval — a new commit was pushed and this review was for an earlier SHA. Run @keboola-pr-reviewer review to get a fresh verdict.

@keboola-pr-reviewer

Copy link
Copy Markdown

New commit on b12fc9b — dismissed 1 stale bot approval. Comment @keboola-pr-reviewer review when you want a fresh review.

MiroCillik and others added 2 commits May 21, 2026 09:18
pecl mongodb 2.3.x requires zstd headers to compile
mongoc-compression.c; without libzstd-dev the Docker build fails
with "fatal error: zstd.h: No such file or directory".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pecl mongodb 2.3.x requires zstd headers and depends on glibc 2.38+
strlcpy (bookworm ships glibc 2.36), causing build failures with
"undefined symbol: strlcpy" at composer install. Pin to 2.2.0, the
last release that supports PHP 8.4 without those requirements.

Reverts the libzstd-dev addition; it papered over zstd.h but did not
fix the underlying strlcpy issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@MiroCillik MiroCillik merged commit cbe0bfb into main May 21, 2026
8 checks passed
@MiroCillik MiroCillik deleted the miro-AJDA-2621-default-protocol branch May 21, 2026 07:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants