Revert "SERVER-28334 startSession command"

This reverts commit ba8f82ff901ce971fadae87b4e45a3432248d434.

11 files changed, 5 insertions, 245 deletions

diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 6431052a403..d1e677af08b 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -4454,12 +4454,6 @@ var authCommandsLib = {
               {runOnDb: adminDbName, roles: {__system: 1}, expectFail: true},
           ]
         },
-        {
-          testname: "startSession",
-          command: {startSession: 1},
-          privileges: [{resource: {cluster: true}, actions: ["startSession"]}],
-          testcases: [{runOnDb: adminDbName, roles: roles_all}],
-        },
     ],
 
     /************* SHARED TEST LOGIC ****************/
diff --git a/jstests/core/views/views_all_commands.js b/jstests/core/views/views_all_commands.js
index a89ef8bce6c..ed8d3eb8747 100644
--- a/jstests/core/views/views_all_commands.js
+++ b/jstests/core/views/views_all_commands.js
@@ -472,7 +472,6 @@
             expectFailure: true,
         },
         stageDebug: {skip: isAnInternalCommand},
-        startSession: {skip: isAnInternalCommand},
         top: {skip: "tested in views/views_stats.js"},
         touch: {
             command: {touch: "view", data: true},
diff --git a/jstests/noPassthrough/start_session_command.js b/jstests/noPassthrough/start_session_command.js
deleted file mode 100644
index 5b1b438c4b3..00000000000
--- a/jstests/noPassthrough/start_session_command.js
+++ /dev/null
@@ -1,87 +0,0 @@
-(function() {
-    'use strict';
-    var conn;
-    var admin;
-    var foo;
-    var result;
-    var request = {startSession: 1};
-
-    conn = MongoRunner.runMongod({nojournal: ""});
-    admin = conn.getDB("admin");
-
-    // test that we can run startSession unauthenticated when the server is running without --auth
-
-    result = admin.runCommand(request);
-    assert.commandWorked(
-        result,
-        "failed test that we can run startSession unauthenticated when the server is running without --auth");
-    assert(result.id, "failed test that our session response has an id");
-    assert.eq(
-        result.timeoutMinutes, 30, "failed test that our session record has the correct timeout");
-
-    // test that we can run startSession authenticated when the server is running without --auth
-
-    admin.createUser({user: 'user0', pwd: 'password', roles: jsTest.basicUserRoles});
-    admin.auth("user0", "password");
-
-    result = admin.runCommand(request);
-    assert.commandWorked(
-        result,
-        "failed test that we can run startSession authenticated when the server is running without --auth");
-    assert(result.id, "failed test that our session response has an id");
-    assert.eq(
-        result.timeoutMinutes, 30, "failed test that our session record has the correct timeout");
-
-    MongoRunner.stopMongod(conn);
-
-    //
-
-    conn = MongoRunner.runMongod({auth: "", nojournal: ""});
-    admin = conn.getDB("admin");
-    foo = conn.getDB("foo");
-
-    // test that we can't run startSession unauthenticated when the server is running with --auth
-
-    assert.commandFailed(
-        admin.runCommand(request),
-        "failed test that we can't run startSession unauthenticated when the server is running with --auth");
-
-    //
-
-    admin.createUser({user: 'admin', pwd: 'admin', roles: jsTest.adminUserRoles});
-    admin.auth("admin", "admin");
-    admin.createUser({user: 'user0', pwd: 'password', roles: jsTest.basicUserRoles});
-    foo.createUser({user: 'user1', pwd: 'password', roles: jsTest.basicUserRoles});
-    admin.createUser({user: 'user2', pwd: 'password', roles: []});
-    admin.logout();
-
-    // test that we can run startSession authenticated as one user with proper permissions
-
-    admin.auth("user0", "password");
-    result = admin.runCommand(request);
-    assert.commandWorked(
-        result,
-        "failed test that we can run startSession authenticated as one user with proper permissions");
-    assert(result.id, "failed test that our session response has an id");
-    assert.eq(
-        result.timeoutMinutes, 30, "failed test that our session record has the correct timeout");
-
-    // test that we cant run startSession authenticated as two users with proper permissions
-
-    foo.auth("user1", "password");
-    assert.commandFailed(
-        admin.runCommand(request),
-        "failed test that we cant run startSession authenticated as two users with proper permissions");
-
-    // test that we cant run startSession authenticated as one user without proper permissions
-
-    admin.logout();
-    admin.auth("user2", "password");
-    assert.commandFailed(
-        admin.runCommand(request),
-        "failed test that we cant run startSession authenticated as one user without proper permissions");
-
-    //
-
-    MongoRunner.stopMongod(conn);
-})();
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index dd9e6a9c8cc..3800e3c5382 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -101,7 +101,6 @@
 "shutdown",
 "splitChunk",
 "splitVector",
-"startSession",
 "storageDetails",
 "top",
 "touch",
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index a9ee381c277..6273f4505f5 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -648,11 +648,6 @@ void addInternalRolePrivileges(PrivilegeVector* privileges) {
     RoleGraph::generateUniversalPrivileges(privileges);
 }
 
-void addAnyBuiltinRolePrivileges(PrivilegeVector* privileges) {
-    Privilege::addPrivilegeToPrivilegeVector(
-        privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::startSession));
-}
-
 }  // namespace
 
 bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeVector* result) {
@@ -697,9 +692,6 @@ bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeV
     } else {
         return false;
     }
-
-    // One of the roles has matched, otherwise we would have returned already.
-    addAnyBuiltinRolePrivileges(result);
     return true;
 }
 
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index bb561818e98..9f16eda1e46 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -66,7 +66,6 @@ env.Library(
         "mr_common.cpp",
         "parameters.cpp",
         "rename_collection_common.cpp",
-        "start_session_command.cpp",
         "user_management_commands_common.cpp",
     ],
     LIBDEPS=[
diff --git a/src/mongo/db/commands/start_session_command.cpp b/src/mongo/db/commands/start_session_command.cpp
deleted file mode 100644
index 529b93b2323..00000000000
--- a/src/mongo/db/commands/start_session_command.cpp
+++ /dev/null
@@ -1,136 +0,0 @@
-/**
- *    Copyright (C) 2017 MongoDB Inc.
- *
- *    This program is free software: you can redistribute it and/or  modify
- *    it under the terms of the GNU Affero General Public License, version 3,
- *    as published by the Free Software Foundation.
- *
- *    This program is distributed in the hope that it will be useful,
- *    but WITHOUT ANY WARRANTY; without even the implied warranty of
- *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *    GNU Affero General Public License for more details.
- *
- *    You should have received a copy of the GNU Affero General Public License
- *    along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- *    As a special exception, the copyright holders give permission to link the
- *    code of portions of this program with the OpenSSL library under certain
- *    conditions as described in each individual source file and distribute
- *    linked combinations including the program with the OpenSSL library. You
- *    must comply with the GNU Affero General Public License in all respects for
- *    all of the code used other than as permitted herein. If you modify file(s)
- *    with this exception, you may extend this exception to your version of the
- *    file(s), but you are not obligated to do so. If you do not wish to do so,
- *    delete this exception statement from your version. If you delete this
- *    exception statement from all source files in the program, then also delete
- *    it in the license file.
- */
-
-#include "mongo/platform/basic.h"
-
-#include "mongo/base/init.h"
-#include "mongo/db/auth/action_set.h"
-#include "mongo/db/auth/action_type.h"
-#include "mongo/db/auth/authorization_manager.h"
-#include "mongo/db/auth/authorization_session.h"
-#include "mongo/db/auth/privilege.h"
-#include "mongo/db/client.h"
-#include "mongo/db/commands.h"
-#include "mongo/db/jsobj.h"
-#include "mongo/db/logical_session_cache.h"
-#include "mongo/db/logical_session_id.h"
-#include "mongo/db/logical_session_record.h"
-#include "mongo/db/operation_context.h"
-#include "mongo/db/stats/top.h"
-
-namespace mongo {
-
-class StartSessionCommand final : public BasicCommand {
-    MONGO_DISALLOW_COPYING(StartSessionCommand);
-
-public:
-    StartSessionCommand() : BasicCommand("startSession") {}
-
-    bool slaveOk() const override {
-        return true;
-    }
-    bool adminOnly() const override {
-        return false;
-    }
-    bool supportsWriteConcern(const BSONObj& cmd) const override {
-        return false;
-    }
-    void help(std::stringstream& help) const override {
-        help << "start a logical session";
-    }
-    Status checkAuthForOperation(OperationContext* opCtx,
-                                 const std::string& dbname,
-                                 const BSONObj& cmdObj) override {
-        AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
-        if (!authSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
-                                                           ActionType::startSession)) {
-            return Status(ErrorCodes::Unauthorized, "Unauthorized");
-        }
-        return Status::OK();
-    }
-
-    virtual bool run(OperationContext* opCtx,
-                     const std::string& db,
-                     const BSONObj& cmdObj,
-                     BSONObjBuilder& result) override {
-
-        boost::optional<OID> uid;
-        auto client = opCtx->getClient();
-
-        ServiceContext* serviceContext = client->getServiceContext();
-        if (AuthorizationManager::get(serviceContext)->isAuthEnabled()) {
-
-            UserName userName;
-
-            auto authzSession = AuthorizationSession::get(client);
-            auto userNameItr = authzSession->getAuthenticatedUserNames();
-            if (userNameItr.more()) {
-                userName = userNameItr.next();
-                if (userNameItr.more()) {
-                    return appendCommandStatus(
-                        result,
-                        Status(ErrorCodes::Unauthorized,
-                               "must only be authenticated as exactly one user "
-                               "to create a logical session"));
-                }
-            } else {
-                return appendCommandStatus(result,
-                                           Status(ErrorCodes::Unauthorized,
-                                                  "must only be authenticated as exactly one user "
-                                                  "to create a logical session"));
-            }
-
-            User* user = authzSession->lookupUser(userName);
-            invariant(user);
-            uid = user->getID();
-        }
-
-        auto lsCache = LogicalSessionCache::get(serviceContext);
-
-        auto statusWithSlsid = lsCache->signLsid(opCtx, LogicalSessionId::gen(), uid);
-        if (!statusWithSlsid.isOK()) {
-            return appendCommandStatus(result, statusWithSlsid.getStatus());
-        }
-        auto slsid = statusWithSlsid.getValue();
-        auto lsRecord = LogicalSessionRecord::makeAuthoritativeRecord(
-            slsid, serviceContext->getFastClockSource()->now());
-        Status startSessionStatus = lsCache->startSession(std::move(slsid));
-
-        appendCommandStatus(result, startSessionStatus);
-
-        if (startSessionStatus.isOK()) {
-            result.append("id", lsRecord.toBSON());
-            result.append("timeoutMinutes", localLogicalSessionTimeoutMinutes);
-            return true;
-        }
-
-        return false;
-    }
-} startSessionCommand;
-
-}  // namespace mongo
diff --git a/src/mongo/db/logical_session_cache.cpp b/src/mongo/db/logical_session_cache.cpp
index 0a93fd5addd..7474c398159 100644
--- a/src/mongo/db/logical_session_cache.cpp
+++ b/src/mongo/db/logical_session_cache.cpp
@@ -171,7 +171,7 @@ Status LogicalSessionCache::startSession(SignedLogicalSessionId slsid) {
 }
 
 StatusWith<SignedLogicalSessionId> LogicalSessionCache::signLsid(OperationContext* opCtx,
-                                                                 const LogicalSessionId& id,
+                                                                 LogicalSessionId* id,
                                                                  boost::optional<OID> userId) {
     return _service->signLsid(opCtx, id, std::move(userId));
 }
diff --git a/src/mongo/db/logical_session_cache.h b/src/mongo/db/logical_session_cache.h
index da3d521b02e..56ce96eec34 100644
--- a/src/mongo/db/logical_session_cache.h
+++ b/src/mongo/db/logical_session_cache.h
@@ -146,7 +146,7 @@ public:
      * this call will return an error.
      */
     StatusWith<SignedLogicalSessionId> signLsid(OperationContext* opCtx,
-                                                const LogicalSessionId& id,
+                                                LogicalSessionId* id,
                                                 boost::optional<OID> userId);
 
     /**
diff --git a/src/mongo/db/service_liason.cpp b/src/mongo/db/service_liason.cpp
index 96bb92d2b00..a4a576c17f6 100644
--- a/src/mongo/db/service_liason.cpp
+++ b/src/mongo/db/service_liason.cpp
@@ -63,7 +63,7 @@ KeysCollectionManagerZero kKeysCollectionManagerZero{"HMAC"};
 ServiceLiason::~ServiceLiason() = default;
 
 StatusWith<SignedLogicalSessionId> ServiceLiason::signLsid(OperationContext* opCtx,
-                                                           const LogicalSessionId& lsid,
+                                                           LogicalSessionId* lsid,
                                                            boost::optional<OID> userId) {
     auto& keyManager = kKeysCollectionManagerZero;
 
@@ -75,7 +75,7 @@ StatusWith<SignedLogicalSessionId> ServiceLiason::signLsid(OperationContext* opC
 
     SignedLogicalSessionId signedLsid;
     signedLsid.setUserId(std::move(userId));
-    signedLsid.setLsid(lsid);
+    signedLsid.setLsid(*lsid);
 
     auto keyDoc = res.getValue();
     signedLsid.setKeyId(keyDoc.getKeyId());
diff --git a/src/mongo/db/service_liason.h b/src/mongo/db/service_liason.h
index b74b9c0f8d4..dca11f50182 100644
--- a/src/mongo/db/service_liason.h
+++ b/src/mongo/db/service_liason.h
@@ -84,7 +84,7 @@ public:
      * this call will return an error.
      */
     StatusWith<SignedLogicalSessionId> signLsid(OperationContext* opCtx,
-                                                const LogicalSessionId& lsid,
+                                                LogicalSessionId* lsid,
                                                 boost::optional<OID> userId);
 
     /**