authorMisha Tyulenev <misha@mongodb.com>2018-08-13 18:09:20 -0400
committerMisha Tyulenev <misha@mongodb.com>2018-08-14 14:27:33 -0400
commit56cd2418be38c4aeacdb26f95c48ecae7c4189fd (patch)
tree22ead4c530494359b46fce98de43b72da4ad8c48
parent4db65855dbdc64cd4ca97146c1b5b812e502c8e4 (diff)
SERVER-36463 bypass validation of dummy signatures for isMaster on the unauthenticated connections r3.6.7-rc0
(cherry picked from commit c764ee142f633b3a88954f336b11633e1baeffdc)
-rw-r--r--src/mongo/db/auth/authorization_session.cpp4
-rw-r--r--src/mongo/db/auth/authorization_session.h3
-rw-r--r--src/mongo/db/service_entry_point_mongod.cpp2
-rw-r--r--src/mongo/rpc/metadata.cpp16
-rw-r--r--src/mongo/rpc/metadata.h2
5 files changed, 24 insertions, 3 deletions
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index 8d990765552..6b3e0800c2f 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -209,6 +209,10 @@ User* AuthorizationSession::getSingleUser() {
return lookupUser(userName);
}
+bool AuthorizationSession::isAuthenticated() {
+ return _authenticatedUsers.begin() != _authenticatedUsers.end();
+}
+
void AuthorizationSession::logoutDatabase(const std::string& dbname) {
User* removedUser = _authenticatedUsers.removeByDBName(dbname);
if (removedUser) {
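Review bot: `isAuthenticated()` only inspects `_authenticatedUsers`, yet it is added as a non-const member, so it cannot be called through a `const AuthorizationSession&` and the signature does not show that it is a pure query. If the user set's `begin()`/`end()` are callable on a const object (not visible in this hunk), I would declare it `bool isAuthenticated() const;` here and in authorization_session.h. This predicate now feeds the decision to skip cluster-time proof validation in `readRequestMetadata`, so the header comment should state the contract precisely, for example `// Returns true if at least one user is currently authenticated on this session.`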
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h
index 81cfdc466d0..e260d859651 100644
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@@ -144,6 +144,9 @@ public:
// multiple users are authenticated, this method will throw an exception.
User* getSingleUser();
+ // Is authenticated as at least one user.
+ bool isAuthenticated();
+
// Gets an iterator over the names of all authenticated users stored in this manager.
UserNameIterator getAuthenticatedUserNames();
diff --git a/src/mongo/db/service_entry_point_mongod.cpp b/src/mongo/db/service_entry_point_mongod.cpp
index 6e5e7731422..25d96dadb59 100644
--- a/src/mongo/db/service_entry_point_mongod.cpp
+++ b/src/mongo/db/service_entry_point_mongod.cpp
@@ -571,7 +571,7 @@ void execCommandDatabase(OperationContext* opCtx,
// TODO: move this back to runCommands when mongos supports OperationContext
// see SERVER-18515 for details.
- rpc::readRequestMetadata(opCtx, request.body);
+ rpc::readRequestMetadata(opCtx, request.body, command->requiresAuth());
rpc::TrackingMetadata::get(opCtx).initWithOperName(command->getName());
auto const replCoord = repl::ReplicationCoordinator::get(opCtx);
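Review bot: Passing `command->requiresAuth()` applies the relaxed handling to every command that reports it does not require authentication, not only to isMaster as the commit title says. If that breadth is intended, a comment at this call would make it explicit, e.g. `// Commands that do not require auth may arrive before authentication; their cluster-time proof is not validated on unauthenticated connections.` If only isMaster is meant, the condition needs to be narrowed where the flag is consumed. The body of `execCommandDatabase` extends beyond this hunk on both sides.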
diff --git a/src/mongo/rpc/metadata.cpp b/src/mongo/rpc/metadata.cpp
index a9f9a65b336..b6c66f5e29b 100644
--- a/src/mongo/rpc/metadata.cpp
+++ b/src/mongo/rpc/metadata.cpp
@@ -31,6 +31,7 @@
#include "mongo/rpc/metadata.h"
#include "mongo/client/dbclientinterface.h"
+#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/logical_clock.h"
#include "mongo/db/logical_time_validator.h"
@@ -50,7 +51,7 @@ BSONObj makeEmptyMetadata() {
return BSONObj();
}
-void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) {
+void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth) {
BSONElement readPreferenceElem;
BSONElement auditElem;
BSONElement configSvrElem;
@@ -96,6 +97,19 @@ void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) {
uassertStatusOK(rpc::LogicalTimeMetadata::readFromMetadata(logicalTimeElem));
auto& signedTime = logicalTimeMetadata.getSignedTime();
+
+ if (!requiresAuth &&
+ AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() &&
+ (!signedTime.getProof() || *signedTime.getProof() == TimeProofService::TimeProof())) {
+
+ AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
+ // The client is not authenticated and is not using localhost auth bypass.
+ if (authSession && !authSession->isAuthenticated() &&
+ !authSession->isUsingLocalhostBypass()) {
+ return;
+ }
+ }
+
// LogicalTimeMetadata is default constructed if no cluster time metadata was sent, so a
// default constructed SignedLogicalTime should be ignored.
if (signedTime.getTime() != LogicalTime::kUninitialized) {
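Review bot: The early `return` in the new unauthenticated-client branch leaves `readRequestMetadata` altogether, so it skips every statement after this point, not just the proof check; the function continues outside the hunk. For the cluster time that is the safe direction, since the unsigned value is dropped and never reaches the block starting at `if (signedTime.getTime() != LogicalTime::kUninitialized)`. But the effect is implicit, and any metadata handling later added below would silently stop running for unauthenticated connections. The existing comment states the condition, not the consequence; I would extend it to something like `// Unauthenticated client sent no proof or a default-constructed one: ignore its cluster time entirely and do not process it further.` When `authSession` is null the code falls through to the normal validation path, which is the fail-closed choice and worth preserving in any refactor.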
diff --git a/src/mongo/rpc/metadata.h b/src/mongo/rpc/metadata.h
index 461927f32a7..55d5b6a2bee 100644
--- a/src/mongo/rpc/metadata.h
+++ b/src/mongo/rpc/metadata.h
@@ -54,7 +54,7 @@ BSONObj makeEmptyMetadata();
/**
* Reads metadata from a metadata object and sets it on this OperationContext.
*/
-void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj);
+void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth);
/**
* A legacy command object and a corresponding query flags bitfield. The legacy command object
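Review bot: The doc comment above `readRequestMetadata` still describes only the two original arguments, although the new `requiresAuth` flag changes whether a client-supplied cluster time is validated. A bare `bool` that relaxes a signature check should be documented at the declaration. I would add a line to the existing block such as `* 'requiresAuth' is whether the command being run requires authentication; when false, auth is enabled and the connection is unauthenticated, cluster time metadata without a real proof is ignored instead of validated.` The parameter has no default value, so every caller has to pass it explicitly.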