authorAndreas Nilsson <andreas.nilsson@10gen.com>2015-03-29 22:45:06 -0400
committerAndreas Nilsson <andreas.nilsson@10gen.com>2015-03-29 22:45:06 -0400
commit908ed3ec73a3c30830dbf083a5affc9734771f17 (patch)
treee881838bb874c31b7457e4b65994b19f4861fbd3
parentdd81442d6960854e072dbd308246dcad2b9525df (diff)
downloadmongo-908ed3ec73a3c30830dbf083a5affc9734771f17.tar.gz
SERVER-17529 Let find on system.namespaces imply listCollections
-rw-r--r--jstests/auth/lib/commands_lib.js10
-rw-r--r--src/mongo/SConscript1
-rw-r--r--src/mongo/db/commands/list_collections.cpp11
-rw-r--r--src/mongo/db/commands/list_collections.h46
-rw-r--r--src/mongo/db/commands/list_collections_common.cpp68
-rw-r--r--src/mongo/s/commands_public.cpp11
6 files changed, 135 insertions, 12 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index c73439d2494..6614d362830 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -1471,6 +1471,16 @@ var authCommandsLib = {
actions: ["listCollections"]
}
]
+ },
+ // test legacy (pre 3.0) way of authorizing listCollections
+ {
+ runOnDb: firstDbName,
+ privileges: [
+ {
+ resource: {db: firstDbName, collection: "system.namespaces"},
+ actions: ["find"]
+ }
+ ]
}
]
},
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index 5022f3d0008..31a178eeda6 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -474,6 +474,7 @@ coredbEnv.Library("coredb", [
"db/commands/isself.cpp",
"db/repl/isself.cpp",
"db/commands/mr_common.cpp",
+ "db/commands/list_collections_common.cpp",
"db/commands/rename_collection_common.cpp",
"db/commands/server_status.cpp",
"db/commands/parameters.cpp",
diff --git a/src/mongo/db/commands/list_collections.cpp b/src/mongo/db/commands/list_collections.cpp
index ef58e7c4961..32c25f6e712 100644
--- a/src/mongo/db/commands/list_collections.cpp
+++ b/src/mongo/db/commands/list_collections.cpp
@@ -40,6 +40,7 @@
#include "mongo/db/client.h"
#include "mongo/db/clientcursor.h"
#include "mongo/db/commands.h"
+#include "mongo/db/commands/list_collections.h"
#include "mongo/db/exec/queued_data_stage.h"
#include "mongo/db/exec/working_set.h"
#include "mongo/db/global_environment_experiment.h"
@@ -62,12 +63,10 @@ namespace mongo {
virtual void help( stringstream& help ) const { help << "list collections for this db"; }
- virtual void addRequiredPrivileges(const std::string& dbname,
- const BSONObj& cmdObj,
- std::vector<Privilege>* out) {
- ActionSet actions;
- actions.addAction(ActionType::listCollections);
- out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
+ virtual Status checkAuthForCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj) {
+ return checkAuthForListCollectionsCommand(client, dbname, cmdObj);
}
CmdListCollections() : Command( "listCollections", true ) {}
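Review bot: The new `checkAuthForCommand` override has no comment saying why listCollections left the declarative `addRequiredPrivileges` path, and that matters for anyone auditing the command's authorization later. The check is now an either/or between two privileges, which a single required-privilege list presumably cannot express. I would add a line above the override such as `// Authorized by listCollections on the db, or by legacy find on <db>.system.namespaces; see checkAuthForListCollectionsCommand().` The same comment applies to the identical override in the mongos `CmdListCollections` in src/mongo/s/commands_public.cpp. The class body starts and ends outside this hunk.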
diff --git a/src/mongo/db/commands/list_collections.h b/src/mongo/db/commands/list_collections.h
new file mode 100644
index 00000000000..8773f63200b
--- /dev/null
+++ b/src/mongo/db/commands/list_collections.h
@@ -0,0 +1,46 @@
+/**
+ * Copyright (C) 2015 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/jsobj.h"
+
+namespace mongo {
+
+ class ClientBasic;
+
+ Status checkAuthForListCollectionsCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj);
+
+} // namespace mongo
+
+
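Review bot: The header declares a function returning `Status` but does not include the header that defines it, while `mongo/db/auth/privilege.h` is included although nothing in the declaration uses it; presumably `Status` arrives transitively. Including `mongo/base/status.h` directly would keep the header self-contained. The declaration also has no comment stating its contract, so I would add above it `// Returns Status::OK() if the client holds listCollections on dbname, or find on dbname.system.namespaces (legacy); otherwise ErrorCodes::Unauthorized.`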
diff --git a/src/mongo/db/commands/list_collections_common.cpp b/src/mongo/db/commands/list_collections_common.cpp
new file mode 100644
index 00000000000..9f5c2621a9f
--- /dev/null
+++ b/src/mongo/db/commands/list_collections_common.cpp
@@ -0,0 +1,68 @@
+/**
+* Copyright (C) 2015 MongoDB Inc.
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*
+* As a special exception, the copyright holders give permission to link the
+* code of portions of this program with the OpenSSL library under certain
+* conditions as described in each individual source file and distribute
+* linked combinations including the program with the OpenSSL library. You
+* must comply with the GNU Affero General Public License in all respects for
+* all of the code used other than as permitted herein. If you modify file(s)
+* with this exception, you may extend this exception to your version of the
+* file(s), but you are not obligated to do so. If you do not wish to do so,
+* delete this exception statement from your version. If you delete this
+* exception statement from all source files in the program, then also delete
+* it in the license file.
+*/
+
+#include "mongo/db/commands/rename_collection.h"
+
+#include <string>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/client_basic.h"
+#include "mongo/db/jsobj.h"
+#include "mongo/db/namespace_string.h"
+
+namespace mongo {
+
+ Status checkAuthForListCollectionsCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj) {
+ AuthorizationSession* authzSession = client->getAuthorizationSession();
+
+ // Check for the listCollections ActionType on the database
+ // or find on system.namespaces for pre 3.0 systems.
+ if (authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(dbname),
+ ActionType::listCollections)) {
+ return Status::OK();
+ }
+
+ if (authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(
+ NamespaceString(dbname, "system.namespaces")),
+ ActionType::find)) {
+ return Status::OK();
+ }
+
+ return Status(ErrorCodes::Unauthorized,
+ str::stream() << "Not authorized to list collections on db: " <<
+ dbname);
+ }
+
+} // namespace mongo
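Review bot: The first include of the new file is `mongo/db/commands/rename_collection.h`, which looks like a copy-paste leftover. The file defines `checkAuthForListCollectionsCommand` without including its own declaration, so the compiler would not catch a drift between header and definition; it should read `#include "mongo/db/commands/list_collections.h"`. Separately, the second branch widens collection enumeration to any principal holding `find` on `<db>.system.namespaces`, and the only comment sits above the first check. A comment directly on that branch, e.g. `// Legacy (pre-3.0) grant: find on system.namespaces implies listCollections.`, would mark the fallback as intentional for later privilege reviews. `cmdObj` is unused in the body, and `str::stream` is presumably reached through a transitive include.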
diff --git a/src/mongo/s/commands_public.cpp b/src/mongo/s/commands_public.cpp
index 0f3ced2ec5b..3d8cf5dc8ad 100644
--- a/src/mongo/s/commands_public.cpp
+++ b/src/mongo/s/commands_public.cpp
@@ -46,6 +46,7 @@
#include "mongo/db/auth/privilege.h"
#include "mongo/db/commands/copydb.h"
#include "mongo/db/commands/find_and_modify.h"
+#include "mongo/db/commands/list_collections.h"
#include "mongo/db/commands/mr.h"
#include "mongo/db/commands/rename_collection.h"
#include "mongo/db/commands.h"
@@ -2804,12 +2805,10 @@ namespace mongo {
class CmdListCollections : public ListPassthroughWithAggFallbackCommand {
public:
CmdListCollections() : ListPassthroughWithAggFallbackCommand( "listCollections" ) {}
- virtual void addRequiredPrivileges(const std::string& dbname,
- const BSONObj& cmdObj,
- std::vector<Privilege>* out) {
- ActionSet actions;
- actions.addAction(ActionType::listCollections);
- out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
+ virtual Status checkAuthForCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj) {
+ return checkAuthForListCollectionsCommand(client, dbname, cmdObj);
}
private: