authorErwin Pe <erwin.pe@mongodb.com>2021-10-05 16:11:55 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-10-05 16:35:22 +0000
commit0cd03a0192bb8ab880476bdc8d95c9620771264d (patch)
tree59c1c29308fc4ab759eb47580c5c5defdefbe22a
parentec3acbdb7580d99f524f2893abe153d6aae62e75 (diff)
downloadmongo-0cd03a0192bb8ab880476bdc8d95c9620771264d.tar.gz
SERVER-59294 Check action type for oidReset
(cherry picked from commit 9961fac1b2090484ec3ceaedc921ce2794e2fc79)
-rw-r--r--jstests/auth/lib/commands_lib.js20
-rw-r--r--src/mongo/db/auth/action_types.txt1
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp1
-rw-r--r--src/mongo/db/commands/generic_servers.cpp8
4 files changed, 27 insertions, 3 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index ae0e645a356..4169036623f 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -3501,8 +3501,24 @@ var authCommandsLib = {
testname: "features",
command: {features: 1},
testcases: [
- {runOnDb: firstDbName, roles: roles_all, privilegesRequired: []},
- {runOnDb: secondDbName, roles: roles_all, privilegesRequired: []}
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "features_oidReset",
+ command: {features: 1, oidReset: true},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["oidReset"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["oidReset"]}],
+ }
]
},
{
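Review bot: The new `features_oidReset` entry exercises only `oidReset: true`, but the server-side gate this commit adds in generic_servers.cpp uses `trueValue()`, so other truthy values such as `oidReset: 1` take the same privileged path without a test pinning it. Consider a second entry with `command: {features: 1, oidReset: 1}` and the same `roles_hostManager` and cluster `oidReset` expectations. An entry with `oidReset: false` under `roles_all` would also show that the ungated path stays open. The enclosing `authCommandsLib` object starts and ends outside the hunk.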
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 185e31a04f1..24aa0990bdf 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -85,6 +85,7 @@
"logRotate",
"moveChunk",
"netstat",
+"oidReset", # machine ID reset via the features command
"planCacheIndexFilter", # view/update index filters
"planCacheRead", # view contents of plan cache
"planCacheWrite", # clear cache, drop cache entry, pin/unpin/shun plans
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index b218324130c..0ff5b8a51d5 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -210,6 +210,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
<< ActionType::connPoolSync
<< ActionType::dropConnections
<< ActionType::logRotate
+ << ActionType::oidReset
<< ActionType::setParameter
<< ActionType::shutdown
<< ActionType::touch
diff --git a/src/mongo/db/commands/generic_servers.cpp b/src/mongo/db/commands/generic_servers.cpp
index b626177d484..cde9a61764c 100644
--- a/src/mongo/db/commands/generic_servers.cpp
+++ b/src/mongo/db/commands/generic_servers.cpp
@@ -69,7 +69,13 @@ public:
}
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
- std::vector<Privilege>* out) const {} // No auth required
+ std::vector<Privilege>* out) const {
+ if (cmdObj["oidReset"].trueValue()) {
+ ActionSet actions;
+ actions.addAction(ActionType::oidReset);
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
+ }
+ }
virtual bool run(OperationContext* opCtx,
const std::string& ns,
const BSONObj& cmdObj,
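Review bot: The privilege requirement in `addRequiredPrivileges` keys on `cmdObj["oidReset"].trueValue()`, while the reset itself is performed in `run()`, whose body lies outside this hunk. The two must evaluate the field identically, or a request could reach the reset without the `oidReset` privilege having been demanded. If `run()` tests the field differently, align it, or move the predicate into one small helper that both call. With the old `// No auth required` comment removed, a replacement would help the next reader: `// Plain {features: 1} needs no privileges; only oidReset is gated on the cluster resource.`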