RUST-2245 Implement GSSAPI auth support for Windows

[mattChiaravalloti]

This PR implements GSSAPI auth support for Windows as described by the spec. Similar to the Linux and Mac implementation in #1413, this one took longer than expected. In the end, it turned out that the sspi crate was not as amenable to this task as initially thought at scope time. I decided to attempt to implement this using the native Windows api (via windows-sys) and modeling it exactly off of libmongoc since I know the C implementation works. Of course, that results in a bit more C-style code than Rust-style code, but after several weeks of investigating and implementing, this is finally working.

I updated the GSSAPI codepath to share common code between Linux/Mac and Windows as much as possible. I only separated out the platform-specific implementations and guarded each with the relevant cfg attributes.

This PR also updates the e2e tests to run on Windows. I observed this implementation passing my local testing on a Windows host, and the e2e tests passing on this patch. I anticipate the evergreen patch associated with this PR to succeed off the bat, as well.

[codeowners-service-app]

Assigned rishitb-mongodb for team dbx-rust because abr-egn is out of office.

[mattChiaravalloti]

Is it possible to make exceptions to the semgrep policy to allow for the use of these unsafe blocks, or will we need to get rid of them?

[mattChiaravalloti]

Is it possible to make exceptions to the semgrep policy to allow for the use of these unsafe blocks, or will we need to get rid of them?

I investigated further and am not confident SSPI support can be implemented the way our drivers require if we do not use these unsafe blocks.

There are limited crate options for kerberos auth. We've ruled out libgssapi-sys/libgssapi/cross-krb5 since they rely on MIT KRB5. I discovered sspi is insufficient for our needs (it is incapable of producing the token types needed for MongoDB's SASL auth flow when using GSSAPI). Looking through crates.io, there are not any other viable candidates for this, so the windows crate is likely our best option.

Using the native Windows API inherently requires unsafe code. Hopefully we can make an exception for this. I know in the ODBC driver, we have some required unsafe code that is permitted.

[abr-egn]

Is it possible to make exceptions to the semgrep policy to allow for the use of these unsafe blocks, or will we need to get rid of them?

I investigated further and am not confident SSPI support can be implemented the way our drivers require if we do not use these unsafe blocks.

There are limited crate options for kerberos auth. We've ruled out libgssapi-sys/libgssapi/cross-krb5 since they rely on MIT KRB5. I discovered sspi is insufficient for our needs (it is incapable of producing the token types needed for MongoDB's SASL auth flow when using GSSAPI). Looking through crates.io, there are not any other viable candidates for this, so the windows crate is likely our best option.

Using the native Windows API inherently requires unsafe code. Hopefully we can make an exception for this. I know in the ODBC driver, we have some required unsafe code that is permitted.

I haven't had the chance to look into this PR in detail, but it should work to use a nosemgrep comment, we've had to do that in a couple other places in the code base (example). My recollection of the policy (I'll verify later) is that as long as we've investigated and have manually validated that the thing semgrep would complain about is not, in fact, a problem it's fine.

[abr-egn]

Not changed in this PR, but this being a fresh file made me realize - this is only ever either

GssapiAuthenticator { pending_ctx: Some(...), established_ctx: None, is_complete: false, ... }

or

GssapiAuthenticator { pending_ctx: None, established_ctx: Some(...), is_complete: true, ... }

right? That seems like it would be better modeled via a state enum, e.g.

enum CtxState {
  Pending(PendingClientCtx),
  Established(ClientCtx),
}

pub(super) struct GssapiAuthenticator {
  ctx: CtxState,
  user_principal: String,
}

[mattChiaravalloti]

Ah that's a nice refactor. I'll make this change.

[abr-egn]

I believe the only unsafe portion of this is calling AcquireCredentialsHandleW, right? I'd rather see the unsafe blocks as narrowly scoped as possible.

[mattChiaravalloti]

Good point! I started broad to allow for whatever had to be done, but I'll narrow these down now like you suggested 👍

[pmeredit]

This is like a monad transformer 😂

[isabelatkinson]

one tiny comment, I did a pass over the C-style code but will similarly defer to @kevinAlbs on the details

[isabelatkinson]

This filename should be able to stay the same - we stopped using mod.rs files a while ago (https://doc.rust-lang.org/reference/items/modules.html#module-source-filenames)

[mattChiaravalloti]

Thank you for pointing this out, I updated this to use the appropriate naming conventions.

[kevinAlbs]

The contribution is much appreciated! I have mostly minor comments and questions.

[mattChiaravalloti]

I suspect the "project fails validation: sync with base branch & run evergreen validate -p <project>" error is related to the ongoing Github problems. When I ran evergreen validate locally just now after merging main, it said the config was valid 👍 We should be able to run this patch whenever Github service is resolved and the evergreen team gives the green light for things to run as expected again.

[kevinAlbs]

LGTM!

[mattChiaravalloti]

I retagged everyone, but feel free to just take a look at the parts you commented on previously. I know this is a big and confusing PR. Plus, with 4 reviewers on this it could get hectic having too many cooks. Kevin's LGTM on the core functionality will be the primary indicator this is ready to merge 👍 Thanks for all the review and guidance on this one.