SERVER-44435 Allow selective whitelisting of X509 based role authorizations

(cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7)

 create mode 100644 jstests/ssl/tlsCATrusts.js
 create mode 100644 jstests/ssl/x509/root-and-trusted-ca.pem
 create mode 100644 jstests/ssl/x509/trusted-client-testdb-roles.pem
 create mode 100644 src/mongo/db/auth/auth_types.idl
 create mode 100644 src/mongo/util/net/ssl_parameters.idl

16 files changed, 654 insertions, 1 deletions

diff --git a/jstests/ssl/tlsCATrusts.js b/jstests/ssl/tlsCATrusts.js
new file mode 100644
index 00000000000..67534a77e69
--- /dev/null
+++ b/jstests/ssl/tlsCATrusts.js
@@ -0,0 +1,189 @@
+// Test restricting role authorization via X509 extensions.
+load('jstests/ssl/libs/ssl_helpers.js');
+
+requireSSLProvider('openssl', function() {
+    "use strict";
+
+    const SERVER_CERT = 'jstests/libs/server.pem';
+    const COMBINED_CA_CERT = 'jstests/ssl/x509/root-and-trusted-ca.pem';
+    const CA_HASH = '539D91F8202641BF85C0C36C88FF69F3062D4AB370CECBF9B950A8B97DE72EAE';
+    const TRUSTED_CA_HASH = 'AEAEBB1BA947A7C1428D39EF6166B83409D0245D28013C9FDD71DF9E69BEA52B';
+
+    // Common suffix, keep the lines short.
+    const RDN_SUFFIX = ',O=MongoDB,L=New York City,ST=New York,C=US';
+    const USERS = [];
+
+    const CLIENT = {
+        cert: 'jstests/libs/client.pem',
+        roles: [],
+    };
+    USERS.push('CN=client,OU=KernelUser');
+
+    const CLIENT_ROLES = {
+        cert: 'jstests/libs/client_roles.pem',
+        roles: [{role: 'backup', db: 'admin'}, {role: 'readAnyDatabase', db: 'admin'}],
+    };
+    USERS.push('CN=Kernel Client Peer Role,OU=Kernel Users');
+
+    const TRUSTED_CLIENT_TESTDB_ROLES = {
+        cert: 'jstests/ssl/x509/trusted-client-testdb-roles.pem',
+        roles: [{role: 'role1', db: 'testDB'}, {role: 'role2', db: 'testDB'}],
+    };
+    USERS.push('CN=Trusted Kernel Test Client With Roles,OU=Kernel Users');
+
+    function test(tlsCATrusts, success, failure) {
+        const options = {
+            auth: '',
+            sslMode: 'requireSSL',
+            sslPEMKeyFile: SERVER_CERT,
+            sslCAFile: COMBINED_CA_CERT,
+        };
+
+        if (tlsCATrusts !== null) {
+            options.setParameter = {
+                tlsCATrusts: tojson(tlsCATrusts),
+            };
+        }
+
+        const mongod = MongoRunner.runMongod(options);
+
+        const admin = mongod.getDB('admin');
+        admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
+        admin.auth({user: 'admin', pwd: 'pwd'});
+
+        const external = mongod.getDB('$external');
+        USERS.forEach((u) => external.createUser({user: u + RDN_SUFFIX, roles: []}));
+
+        const testDB = mongod.getDB('test');
+        testDB.createRole({role: 'role1', privileges: [], roles: []});
+        testDB.createRole({role: 'role2', privileges: [], roles: []});
+
+        // Sorting JS arrays of objects with arbitrary order is... complex.
+        const serverTrusts =
+            assert.commandWorked(admin.runCommand({getParameter: 1, tlsCATrusts: 1})).tlsCATrusts;
+        function sortAndNormalizeRoles(roles) {
+            return roles.map((r) => r.role + '.' + r.db).sort().join('/');
+        }
+        function sortAndNormalizeTrusts(trusts) {
+            if (trusts === null) {
+                return "(unconfigured)";
+            }
+            return trusts.map((t) => t.sha256 + '/' + sortAndNormalizeRoles(t.roles)).sort();
+        }
+        assert.eq(sortAndNormalizeTrusts(tlsCATrusts), sortAndNormalizeTrusts(serverTrusts));
+
+        function impl(user, expect) {
+            const snRoles = tojson(sortAndNormalizeRoles(user.roles));
+            const uri = 'mongodb://localhost:' + mongod.port + '/admin';
+            const script = tojson(sortAndNormalizeRoles) +
+                'assert(db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509"}));' +
+                'const status = assert.commandWorked(db.runCommand({connectionStatus: 1}));' +
+                'const roles = status.authInfo.authenticatedUserRoles;' +
+                'assert.eq(' + snRoles + ', sortAndNormalizeRoles(roles));';
+            const mongo = runMongoProgram('mongo',
+                                          '--ssl',
+                                          '--sslPEMKeyFile',
+                                          user.cert,
+                                          '--sslCAFile',
+                                          CA_CERT,
+                                          uri,
+                                          '--eval',
+                                          script);
+            expect(mongo, 0);
+        }
+
+        success.forEach((u) => impl(u, assert.eq));
+        failure.forEach((u) => impl(u, assert.neq));
+
+        MongoRunner.stopMongod(mongod);
+    }
+
+    // Positive tests.
+    const unconfigured = null;
+    test(unconfigured, [CLIENT, CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES], []);
+
+    const allRoles = [
+        {sha256: CA_HASH, roles: [{role: '', db: ''}]},
+        {sha256: TRUSTED_CA_HASH, roles: [{role: '', db: ''}]}
+    ];
+    test(allRoles, [CLIENT, CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES], []);
+
+    const allRolesOnAdmin = [{sha256: CA_HASH, roles: [{role: '', db: 'admin'}]}];
+    test(allRolesOnAdmin, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const specificRolesOnAnyDB =
+        [{sha256: CA_HASH, roles: [{role: 'backup', db: ''}, {role: 'readAnyDatabase', db: ''}]}];
+    test(specificRolesOnAnyDB, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const exactRoles = [{
+        sha256: CA_HASH,
+        roles: [{role: 'backup', db: 'admin'}, {role: 'readAnyDatabase', db: 'admin'}]
+    }];
+    test(exactRoles, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const extraRoles = [{
+        sha256: CA_HASH,
+        roles: [
+            {role: 'backup', db: 'admin'},
+            {role: 'readAnyDatabase', db: 'admin'},
+            {role: 'readWrite', db: 'admin'}
+        ]
+    }];
+    test(extraRoles, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const similarRoles = [
+        {
+          sha256: CA_HASH,
+          roles: [
+              {role: 'backup', db: 'test'},
+              {role: 'readAnyDatabase', db: ''},
+              {role: 'backup', db: 'admin'}
+          ]
+        },
+        {
+          sha256: TRUSTED_CA_HASH,
+          roles: [
+              {role: 'role1', db: 'admin'},
+              {role: 'role2', db: 'testDB'},
+              {role: 'role1', db: 'testDB'},
+          ]
+        }
+    ];
+    test(similarRoles, [CLIENT, CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES], []);
+
+    const withUntrusted =
+        [{sha256: CA_HASH, roles: [{role: '', db: ''}]}, {sha256: TRUSTED_CA_HASH, roles: []}];
+    test(withUntrusted, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const customRoles = [{
+        sha256: TRUSTED_CA_HASH,
+        roles: [
+            {role: 'role1', db: 'testDB'},
+            {role: 'role2', db: 'testDB'},
+        ]
+    }];
+    test(customRoles, [CLIENT, TRUSTED_CLIENT_TESTDB_ROLES], [CLIENT_ROLES]);
+
+    // Negative tests. CLIENT_CERT is okay because it doesn't ask for roles.
+    const noTrustedCAs = [];
+    test(noTrustedCAs, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const noRoles = [{sha256: CA_HASH, roles: []}];
+    test(noRoles, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const insufficientRoles1 = [
+        {sha256: CA_HASH, roles: [{role: 'backup', db: ''}]},
+        {sha256: TRUSTED_CA_HASH, roles: [{role: 'role1', db: 'testDB'}]}
+    ];
+    test(insufficientRoles1, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const insufficientRoles2 = [
+        {sha256: CA_HASH, roles: [{role: 'readWriteAnyDatabase', db: ''}]},
+        {sha256: TRUSTED_CA_HASH, roles: [{role: 'role2', db: 'testDB'}]}
+    ];
+    test(insufficientRoles2, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);
+
+    const withTrusted =
+        [{sha256: CA_HASH, roles: []}, {sha256: TRUSTED_CA_HASH, roles: [{role: '', db: ''}]}];
+    test(withTrusted, [CLIENT, TRUSTED_CLIENT_TESTDB_ROLES], [CLIENT_ROLES]);
+});
diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem b/jstests/ssl/x509/root-and-trusted-ca.pem
new file mode 100644
index 00000000000..219ecf6397d
--- /dev/null
+++ b/jstests/ssl/x509/root-and-trusted-ca.pem
@@ -0,0 +1,49 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml root-and-trusted-ca.pem
+#
+# Combined ca.pem and trusted-ca.pem
+# Certificate from ca.pem
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlwCBBmRIxIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCVVMxETAP
+BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
+DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5lbCBUZXN0
+IENBMB4XDTE5MDkyNTIzMjczOVoXDTM5MDkyNzIzMjczOVowdDELMAkGA1UEBhMC
+VVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAw
+DgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5l
+bCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAupVkx8+n
+AqzsANKwNPeCYlf2q0WgF4kSUMNJdpmMelrr7hh7EOnAU0hTAQx9BKTEbExeCzH6
+OArFNGjewjWVXwaOpCjK8FMvK6/lGVEpmoHNF9XuiQVmaQ4bJD6rC73YjpgNIPeL
+5PyoFLEZv+X2cRBPpTcSRcf87tk8HL7v0eyk1JBhkeKK68SYdWwZlHaa1jqwmliW
+WvVMkHVH3lx0VOgQwWtOgs0K1zpcZ0sH5MGpYRQOiidIRZj3PkKeTPQe2D6VQQtv
+2yDs9dWfCxJJP9QiWclL2rF/xqlFSNEIfNZpZhk6I1DHQpA2uyJfzRH62pFasJuB
+CVh5Tr0EDoVreQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQARdNCYYWxi2fyhJwzGHwIT261d/pTlOSYLlm84c72aEneFUnfp8/H5
+JjuFbnhiX+5+h3M7eDQhra9s+H3vKr7o38EIVf5OKXvpNLwv1UUmomBvKqccioYh
+bxrfwCzfBRuUmW05kcAVn8iKovqyxL7npEZbckwtT+BqZ4kOL4Uzre+S1HMx0zOu
+xulSYA/sBoJ2BB93ZIAqB+f/+InS9yggzyhhaQqS7QEl1L4nZE4Oy0jKcxdCzysm
+TqiyH+OI5SVRTfXh4XvHmdWBBaQyaTmQzXYUxUi7jg1jEAiebCGrEJv9plwq4KfC
+cze9NLBjaXR3GzonT8kICyVT/0UvhuJg
+-----END CERTIFICATE-----
+# Certificate from trusted-ca.pem
+-----BEGIN CERTIFICATE-----
+MIIDojCCAooCBG585gswDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxETAP
+BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
+DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxHzAdBgNVBAMMFlRydXN0ZWQgS2Vy
+bmVsIFRlc3QgQ0EwHhcNMTkwOTI1MjMyNzQxWhcNMzkwOTI3MjMyNzQxWjB8MQsw
+CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr
+IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UE
+AwwWVHJ1c3RlZCBLZXJuZWwgVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANlRxtpMeCGhkotkjHQqgqvO6O6hoRoAGGJlDaTVtqrjmC8nwySz
+1nAFndqUHttxS3A5j4enOabvffdOcV7+Z6vDQmREF6QZmQAk81pmazSc3wOnRiRs
+AhXjld7i+rhB50CW01oYzQB50rlBFu+ONKYj32nBjD+1YN4AZ2tuRlbxfx2uf8Bo
+Zowfr4n9nHVcWXBLFmaQLn+88WFO/wuwYUOn6Di1Bvtkvqum0or5QeAF0qkJxfhg
+3a4vBnomPdwEXCgAGLvHlB41CWG09EuAjrnE3HPPi5vII8pjY2dKKMomOEYmA+KJ
+AC1NlTWdN0TtsoaKnyhMMhLWs3eTyXL7kbkCAwEAAaMxMC8wDAYDVR0TBAUwAwEB
+/zAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsF
+AAOCAQEAQk56MO9xAhtO077COCqIYe6pYv3uzOplqjXpJ7Cph7GXwQqdFWfKls7B
+cLfF/fhIUZIu5itStEkY+AIwht4mBr1F5+hZUp9KZOed30/ewoBXAUgobLipJV66
+FKg8NRtmJbiZrrC00BSO+pKfQThU8k0zZjBmNmpjxnbKZZSFWUKtbhHV1vujver6
+SXZC7R6692vLwRBMoZxhgy/FkYRdiN0U9wpluKd63eo/O02Nt6OEMyeiyl+Z3JWi
+8g5iHNrBYGBbGSnDOnqV6tjEY3eq600JDWiodpA1OQheLi78pkc/VQZwof9dyBCm
+6BoCskTjip/UB+vIhdPFT9sgUdgDTg==
+-----END CERTIFICATE-----
diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem b/jstests/ssl/x509/trusted-client-testdb-roles.pem
new file mode 100644
index 00000000000..858ae8a773a
--- /dev/null
+++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem
@@ -0,0 +1,55 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml trusted-client-testdb-roles.pem
+#
+# Client certificate with X509 role grants via trusted chain.
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIEQvQH6zANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UEAwwWVHJ1c3Rl
+ZCBLZXJuZWwgVGVzdCBDQTAeFw0yMDAxMDcxNzMxNDhaFw00MDAxMDkxNzMxNDha
+MIGRMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5l
+dyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxFTATBgNVBAsMDEtlcm5lbCBV
+c2VyczEuMCwGA1UEAwwlVHJ1c3RlZCBLZXJuZWwgVGVzdCBDbGllbnQgV2l0aCBS
+b2xlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPgWO/0KXHIk0KH/
+jePx+uC8M34bx8ncAWvUXKZtaNGkv2+LI0k/1U5ybOTD8kg8tnIMYkquuuG2zeIB
+99vq2Ve+3j62PlqR4HDzXTt3M3eYp6muRzNn78yxVRn+eiIrdwbnvr28l3ikUaVV
+/u9fsHGZOXto+I6tWSWB7MNEVcPtIu2d8XU2gMrqKfpnG0paUKVWkaKyjUX1DsBL
+FUybBbjQj0zK5cUeKoZjSmMtRfqV6ngKmOK4xTBsQ2VKi7AntpALq/knAYU8BaqS
+wWbVuj5sJX86tdRGGhZ6QKIODTQENPprFaJhy34qrhRkD+YHy7tQ+7vc1JpGodiu
+C7/5K+kCAwEAAaM3MDUwMwYLKwYBBAGCjikCAQEEJDEiMA8MBXJvbGUxDAZ0ZXN0
+REIwDwwFcm9sZTIMBnRlc3REQjANBgkqhkiG9w0BAQsFAAOCAQEAlYR0WB/0yHxM
+gvS+hjxQWyRFOJdWcFn0xresIBd4PmQO8cnOz8iuFrg8DKnYroBRFp5tR9VSLFpq
+EH5xoEUMYEAGryYNp8jjOqxy6lIFUZIOf5Li0CtnnV2qHqsiq0kLpSEt+SbpGXtt
+zS1CkgKwj0VMXwl+3HY73Xj6EVUPqqMf+Frc68S0ey1S7+pgr1fHzFN309tcGt4r
+uxDsSAvYJcYTYDj4KaycXovUsIq+kB+E+k5DnbwJYqHErx2r86QCasK9QIE2Eujl
+t+sBpj8JIObPdpsxEiQ9r1+lurWhyEB4qrtI8fzys/0yHP+EYvra3+HftHXY/t32
+jZ79J4C3YQ==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQD4Fjv9ClxyJNCh
+/43j8frgvDN+G8fJ3AFr1FymbWjRpL9viyNJP9VOcmzkw/JIPLZyDGJKrrrhts3i
+Affb6tlXvt4+tj5akeBw8107dzN3mKeprkczZ+/MsVUZ/noiK3cG5769vJd4pFGl
+Vf7vX7BxmTl7aPiOrVklgezDRFXD7SLtnfF1NoDK6in6ZxtKWlClVpGiso1F9Q7A
+SxVMmwW40I9MyuXFHiqGY0pjLUX6lep4CpjiuMUwbENlSouwJ7aQC6v5JwGFPAWq
+ksFm1bo+bCV/OrXURhoWekCiDg00BDT6axWiYct+Kq4UZA/mB8u7UPu73NSaRqHY
+rgu/+SvpAgMBAAECggEALVaa5fajyHRz8HcsrjDF4ZZjbrOTApADbnpj6EJseou6
+NJ9f9n4E9I4y2mf4+jymNxeOSwm9u4xV+ezUKEu2JrQKF7nkkVbBhsLjEgAJ1tx+
+H6Nq/bkL+QObguGf3mjFGuz1TeWOZQzaovWhXovFSi1vdN9NNX32ocUpyNHPPrvW
+nc3Gun/hws4qWwBFpR+8fzMHPJc/NCwZpDRoJl0yXEAkGTKtIEGEJ7tlWLSb5Bz2
+5N0Dkn2S3t8uozPIuv0rjdYd1t+FfOUUAZGI09LCIu9ndBYO6Vj+Vh99xedZ2oBa
+9lHQp3vhLaCXg7O3bY3ac9BIOwdAqcbWAJV/oQl5gQKBgQD90geToF81xZYgLZoU
+iU8RRUSmdurZtNirDkMU+/u5Fwu7yn8M53l++TPP76Hi1yGP9803LwIXNXfyg+sb
+BRAPJg+bJ8N6m1vFdfg509oqlrzoxnmulwBshqt5HbpiOjYAc1cSOpYSXGJjHoFL
++Au4MRsfDh5RhT1zrUT11+6ZEQKBgQD6N5nGaPOsLHdYXk2//yZF1Ol9kl3L0VWM
+XT0F9m/KSCg1kSf+2XCt1U/b1JsrjMTOZWVHNV3yebPs9/pR2ffmyeXtySFuEVeb
+ZVNSxaCSVVbTJL9W+mpXdqzcTj9IL9tMN6J5PE8eQ6pjG299sBmdj5S92a3uoxQr
+5RmGn36lWQKBgQCix4XQaXNmGteSv2wna3/nxZKnZ3BqOo8R9M2UsZ3YMC14O/+L
+GRBUHCHcYwRhZDLED9nuYBlpJQNN5shqxa5s6K3thWzaPrR2SJfvDizGT3HLny3+
+iBzffOaPgD8+K7LiSxY2PJhuIg1/H9swC14IvIV2Pym2gkrM2vx05gzA4QKBgQCW
+FmngEK4xVY7U6+Q5SYQcmSThVL18d3mYM4laHUNbE8NCtmpGPQmQzAYV98aH7e1T
+XJDOkN1kh8n8V5bIKDXCMtL/ugiabD6fkLzVRoQVoqjtB/rZ4mWNRztS/oCI/WPO
+qQSFMj7HCZGX1yoeO1ZyI2D2LC9fmGSOG+Me1Gb0KQKBgQCZazY6Wb7HPO50HnN3
+e3QrT9VE1PKLW6dWpokdYzq2ISnX8ZBeKvMBX+TpKASduNVXK5shsuNqjMAeXtVk
+V90P2QkgswCoUlgiaxKby7jBqDIO9CsLt0erQ328WUsf9mgk18CmCc42EWBPuQv7
+WTykB3JVLPGKjKcZVI4PP91yAw==
+-----END PRIVATE KEY-----
diff --git a/src/mongo/crypto/sha1_block.idl b/src/mongo/crypto/sha1_block.idl
index d6054d9e3f6..59ddbbeca61 100644
--- a/src/mongo/crypto/sha1_block.idl
+++ b/src/mongo/crypto/sha1_block.idl
@@ -44,3 +44,10 @@ types:
     cpp_type: mongo::SHA1Block
     serializer: "mongo::SHA1Block::toCDR"
     deserializer: "mongo::SHA1Block::fromBinData"
+
+  sha1BlockHex:
+    bson_serialization_type: string
+    description: "A fixed size hex string representing a SHA1 computation"
+    cpp_type: mongo::SHA1Block
+    serializer: "mongo::SHA1Block::toHexString"
+    deserializer: "mongo::SHA1Block::fromHexString"
diff --git a/src/mongo/crypto/sha256_block.idl b/src/mongo/crypto/sha256_block.idl
index 734983f286a..a5b4a1cef41 100644
--- a/src/mongo/crypto/sha256_block.idl
+++ b/src/mongo/crypto/sha256_block.idl
@@ -44,3 +44,10 @@ types:
     cpp_type: mongo::SHA256Block
     serializer: "mongo::SHA256Block::toCDR"
     deserializer: "mongo::SHA256Block::fromBinData"
+
+  sha256BlockHex:
+    bson_serialization_type: string
+    description: "A fixed size hex string representing a SHA256 computation"
+    cpp_type: mongo::SHA256Block
+    serializer: "mongo::SHA256Block::toHexString"
+    deserializer: "mongo::SHA256Block::fromHexString"
diff --git a/src/mongo/crypto/sha_block.h b/src/mongo/crypto/sha_block.h
index 45be68dc753..331b865c371 100644
--- a/src/mongo/crypto/sha_block.h
+++ b/src/mongo/crypto/sha_block.h
@@ -40,7 +40,9 @@
 #include "mongo/base/status_with.h"
 #include "mongo/bson/bsonmisc.h"
 #include "mongo/bson/bsonobjbuilder.h"
+#include "mongo/bson/util/builder.h"
 #include "mongo/util/base64.h"
+#include "mongo/util/hex.h"
 #include "mongo/util/secure_compare_memory.h"
 
 namespace mongo {
@@ -78,6 +80,20 @@ public:
         return SHABlock(newHash);
     }
 
+    static StatusWith<SHABlock> fromHexStringNoThrow(StringData hex) {
+        if (!isValidHex(hex)) {
+            return {ErrorCodes::BadValue, "Hash input is not a hex string"};
+        }
+
+        BufBuilder buf;
+        mongo::fromHexString(hex, &buf);
+        return fromBuffer(reinterpret_cast<const uint8_t*>(buf.buf()), buf.len());
+    }
+
+    static SHABlock fromHexString(StringData hex) {
+        return uassertStatusOK(fromHexStringNoThrow(hex));
+    }
+
     /**
      * Computes a hash of 'input' from multiple contigous buffers.
      */
@@ -188,6 +204,13 @@ public:
         return base64::encode(reinterpret_cast<const char*>(_hash.data()), _hash.size());
     }
 
+    /**
+     * Hex encoded hash block.
+     */
+    std::string toHexString() const {
+        return toHex(_hash.data(), _hash.size());
+    }
+
     bool operator==(const SHABlock& other) const {
         return consttimeMemEqual(this->_hash.data(), other._hash.data(), kHashLength);
     }
@@ -196,6 +219,10 @@ public:
         return !(*this == other);
     }
 
+    bool operator<(const SHABlock& other) const {
+        return this->_hash < other._hash;
+    }
+
     /**
      * Custom hasher so SHABlocks can be used in unordered data structures.
      *
diff --git a/src/mongo/db/auth/auth_types.idl b/src/mongo/db/auth/auth_types.idl
new file mode 100644
index 00000000000..aae786f5b53
--- /dev/null
+++ b/src/mongo/db/auth/auth_types.idl
@@ -0,0 +1,44 @@
+# Copyright (C) 2020-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+  cpp_namespace: "mongo"
+  cpp_includes:
+    - "mongo/db/auth/role_name.h"
+
+imports:
+  - "mongo/idl/basic_types.idl"
+
+types:
+
+  RoleName:
+    bson_serialization_type: any
+    description: "A struct representing a Role"
+    cpp_type: "RoleName"
+    deserializer: "mongo::RoleName::parseFromBSON"
+    serializer: "mongo::RoleName::serializeToBSON"
diff --git a/src/mongo/db/auth/role_name.cpp b/src/mongo/db/auth/role_name.cpp
index d05c623463a..d3c16e771bb 100644
--- a/src/mongo/db/auth/role_name.cpp
+++ b/src/mongo/db/auth/role_name.cpp
@@ -35,6 +35,7 @@
 #include <string>
 
 #include "mongo/base/string_data.h"
+#include "mongo/db/auth/authorization_manager.h"
 #include "mongo/util/assert_util.h"
 
 namespace mongo {
@@ -54,4 +55,37 @@ std::ostream& operator<<(std::ostream& os, const RoleName& name) {
     return os << name.getFullName();
 }
 
+RoleName RoleName::parseFromBSON(const BSONElement& elem) {
+    auto obj = elem.embeddedObjectUserCheck();
+    std::array<BSONElement, 2> fields;
+    obj.getFields({"role", "db"}, &fields);
+    const auto& nameField = fields[0];
+    uassert(ErrorCodes::BadValue,
+            "user name must contain a string field named: role",
+            nameField.type() == String);
+
+    const auto& dbField = fields[1];
+    uassert(ErrorCodes::BadValue,
+            "role name must contain a string field named: db",
+            nameField.type() == String);
+
+    return RoleName(nameField.valueStringData(), dbField.valueStringData());
+}
+
+void RoleName::serializeToBSON(StringData fieldName, BSONObjBuilder* bob) const {
+    BSONObjBuilder sub(bob->subobjStart(fieldName));
+    _serializeToSubObj(&sub);
+}
+
+void RoleName::serializeToBSON(BSONArrayBuilder* bob) const {
+    BSONObjBuilder sub(bob->subobjStart());
+    _serializeToSubObj(&sub);
+}
+
+void RoleName::_serializeToSubObj(BSONObjBuilder* sub) const {
+    sub->append("role", getRole());
+    sub->append("db", getDB());
+}
+
+
 }  // namespace mongo
diff --git a/src/mongo/db/auth/role_name.h b/src/mongo/db/auth/role_name.h
index 99fdeee9489..d335998c9e0 100644
--- a/src/mongo/db/auth/role_name.h
+++ b/src/mongo/db/auth/role_name.h
@@ -38,6 +38,8 @@
 
 #include "mongo/base/disallow_copying.h"
 #include "mongo/base/string_data.h"
+#include "mongo/bson/bsonelement.h"
+#include "mongo/bson/bsonobjbuilder.h"
 #include "mongo/platform/hash_namespace.h"
 #include "mongo/util/assert_util.h"
 
@@ -53,6 +55,11 @@ public:
     RoleName() : _splitPoint(0) {}
     RoleName(StringData role, StringData dbname);
 
+    // Added for IDL support
+    static RoleName parseFromBSON(const BSONElement& elem);
+    void serializeToBSON(StringData fieldName, BSONObjBuilder* bob) const;
+    void serializeToBSON(BSONArrayBuilder* bob) const;
+
     /**
      * Gets the name of the role excluding the "@dbname" component.
      */
@@ -90,6 +97,8 @@ public:
 private:
     std::string _fullName;  // The full name, stored as a string.  "role@db".
     size_t _splitPoint;     // The index of the "@" separating the role and db name parts.
+
+    void _serializeToSubObj(BSONObjBuilder* sub) const;
 };
 
 static inline bool operator==(const RoleName& lhs, const RoleName& rhs) {
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index fa19e7c2034..5095c270e77 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -80,6 +80,7 @@ if not get_option('ssl') == 'off':
             "ssl_parameters.cpp",
             "ssl_manager_%s.cpp" % (ssl_provider),
             "ssl_stream.cpp",
+            env.Idlc('ssl_parameters.idl')[0],
         ],
         LIBDEPS=[
             '$BUILD_DIR/mongo/base',
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 1fb532ffc8e..2adb9de1f4e 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1398,6 +1398,7 @@ StatusWith<TLSVersion> mapTLSVersion(SSLContextRef ssl) {
 StatusWith<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
     ::SSLContextRef ssl, const std::string& remoteHost, const HostAndPort& hostForLogging) {
     auto sniName = getRawSNIServerName(ssl);
+    invariant(!sslGlobalParams.tlsCATrusts);
 
     // Record TLS version stats
     auto tlsVersionStatus = mapTLSVersion(ssl);
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index fae8072c630..99320199a4f 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1350,6 +1350,68 @@ StatusWith<TLSVersion> mapTLSVersion(SSL* conn) {
     }
 }
 
+namespace {
+Status _validatePeerRoles(const stdx::unordered_set<RoleName>& embeddedRoles, SSL* conn) {
+    if (embeddedRoles.empty()) {
+        // Nothing offered, nothing to restrict.
+        return Status::OK();
+    }
+
+    if (!sslGlobalParams.tlsCATrusts) {
+        // Nothing restricted.
+        return Status::OK();
+    }
+
+    const auto& tlsCATrusts = sslGlobalParams.tlsCATrusts.get();
+    if (tlsCATrusts.empty()) {
+        // Nothing permitted.
+        return {ErrorCodes::BadValue,
+                "tlsCATrusts parameter prohibits role based authorization via X509 certificates"};
+    }
+
+    auto stack = SSLgetVerifiedChain(conn);
+    if (!stack || !sk_X509_num(stack.get())) {
+        return {ErrorCodes::BadValue, "Unable to obtain certificate chain"};
+    }
+
+    auto root = sk_X509_value(stack.get(), sk_X509_num(stack.get()) - 1);
+    SHA256Block::HashType digest;
+    if (!X509_digest(root, EVP_sha256(), digest.data(), nullptr)) {
+        return {ErrorCodes::BadValue, "Unable to digest root certificate"};
+    }
+
+    SHA256Block sha256(digest);
+    auto it = tlsCATrusts.find(sha256);
+    if (it == tlsCATrusts.end()) {
+        return {
+            ErrorCodes::BadValue,
+            str::stream() << "CA: " << sha256.toHexString()
+                          << " is not authorized to grant any roles due to tlsCATrusts parameter"};
+    }
+
+    auto allowedRoles = it->second;
+    // See TLSCATrustsSetParameter::set() for a description of tlsCATrusts format.
+    if (allowedRoles.count(RoleName("", ""))) {
+        // CA is authorized for all role assignments.
+        return Status::OK();
+    }
+
+    for (const auto& role : embeddedRoles) {
+        // Check for exact match or wildcard matches.
+        if (!allowedRoles.count(role) && !allowedRoles.count(RoleName(role.getRole(), "")) &&
+            !allowedRoles.count(RoleName("", role.getDB()))) {
+            return {ErrorCodes::BadValue,
+                    str::stream() << "CA: " << sha256.toHexString()
+                                  << " is not authorized to grant role "
+                                  << role.toString()
+                                  << " due to tlsCATrusts parameter"};
+        }
+    }
+
+    return Status::OK();
+}
+}  // namespace
+
 StatusWith<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
     SSL* conn, const std::string& remoteHost, const HostAndPort& hostForLogging) {
     auto sniName = getRawSNIServerName(conn);
@@ -1406,6 +1468,13 @@ StatusWith<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
         return swPeerCertificateRoles.getStatus();
     }
 
+    {
+        auto status = _validatePeerRoles(swPeerCertificateRoles.getValue(), conn);
+        if (!status.isOK()) {
+            return status;
+        }
+    }
+
     // If this is an SSL client context (on a MongoDB server or client)
     // perform hostname validation of the remote server
     if (remoteHost.empty()) {
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 8db03e9891a..c322f21198a 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1784,6 +1784,8 @@ StatusWith<TLSVersion> mapTLSVersion(PCtxtHandle ssl) {
 StatusWith<SSLPeerInfo> SSLManagerWindows::parseAndValidatePeerCertificate(
     PCtxtHandle ssl, const std::string& remoteHost, const HostAndPort& hostForLogging) {
     auto sniName = getSNIServerName_impl();
+    invariant(!sslGlobalParams.tlsCATrusts);
+
     PCCERT_CONTEXT cert;
 
     auto tlsVersionStatus = mapTLSVersion(ssl);
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 63e898b213c..e9d771850dc 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -30,11 +30,16 @@
 
 #pragma once
 
+#include <boost/optional.hpp>
+#include <map>
+#include <set>
 #include <string>
 #include <vector>
 
 #include "mongo/base/status.h"
 #include "mongo/config.h"
+#include "mongo/crypto/sha256_block.h"
+#include "mongo/db/auth/role_name.h"
 
 namespace mongo {
 
@@ -49,6 +54,8 @@ class Environment;
 }  // namespace optionenvironment
 
 struct SSLParams {
+    using TLSCATrusts = std::map<SHA256Block, std::set<RoleName>>;
+
     enum class Protocols { TLS1_0, TLS1_1, TLS1_2, TLS1_3 };
     AtomicInt32 sslMode;            // --sslMode - the TLS operation mode, see enum SSLModes
     std::string sslPEMTempDHParam;  // --setParameter OpenSSLDiffieHellmanParameters=file : PEM file
@@ -62,6 +69,8 @@ struct SSLParams {
     std::string sslCRLFile;          // --sslCRLFile
     std::string sslCipherConfig;     // --sslCipherConfig
 
+    boost::optional<TLSCATrusts> tlsCATrusts;  // --setParameter tlsCATrusts
+
     struct CertificateSelector {
         std::string subject;
         std::vector<uint8_t> thumbprint;
diff --git a/src/mongo/util/net/ssl_parameters.cpp b/src/mongo/util/net/ssl_parameters.cpp
index c15af3f9e59..27475d3ae34 100644
--- a/src/mongo/util/net/ssl_parameters.cpp
+++ b/src/mongo/util/net/ssl_parameters.cpp
@@ -30,6 +30,7 @@
 
 #include "mongo/platform/basic.h"
 
+#include "mongo/bson/json.h"
 #include "mongo/config.h"
 #include "mongo/db/auth/internal_user_auth.h"
 #include "mongo/db/auth/sasl_command_constants.h"
@@ -37,6 +38,7 @@
 #include "mongo/db/server_parameters.h"
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
 
 namespace mongo {
 
@@ -196,6 +198,110 @@ public:
     }
 } clusterAuthModeSetting;
 
-}  // namespace
+class TLSCATrustsSetParameter : public ServerParameter {
+public:
+    TLSCATrustsSetParameter()
+        : ServerParameter(ServerParameterSet::getGlobal(),
+                          "tlsCATrusts",
+                          true,  // allowedToChangeAtStartup
+                          false  // allowedToChangeAtRuntime
+                          ) {}
+
+    void append(OperationContext*, BSONObjBuilder&, const std::string&) final;
+    Status set(const BSONElement&) final;
+    Status setFromString(const std::string&) final;
+} tlsCATrustsSetParameter;
+
+void TLSCATrustsSetParameter::append(OperationContext*,
+                                     BSONObjBuilder& b,
+                                     const std::string& name) {
+    if (!sslGlobalParams.tlsCATrusts) {
+        b.appendNull(name);
+        return;
+    }
+
+    BSONArrayBuilder trusts;
+
+    for (const auto& cait : sslGlobalParams.tlsCATrusts.get()) {
+        BSONArrayBuilder roles;
 
+        for (const auto& rolename : cait.second) {
+            BSONObjBuilder role;
+            role.append("role", rolename.getRole());
+            role.append("db", rolename.getDB());
+            roles.append(role.obj());
+        }
+
+        BSONObjBuilder ca;
+        ca.append("sha256", cait.first.toHexString());
+        ca.append("roles", roles.arr());
+
+        trusts.append(ca.obj());
+    }
+
+    b.append(name, trusts.arr());
+}
+
+/**
+ * tlsCATrusts takes the form of an array of documents describing
+ * a set of roles which a given certificate authority may grant.
+ *
+ * [
+ *   {
+ *     "sha256": "0123456789abcdef...",   // SHA256 digest of a CA, as hex.
+ *     "roles": [                         // Array of grantable RoleNames
+ *       { role: "read", db: "foo" },
+ *       { role: "readWrite", "db: "bar" },
+ *       // etc...
+ *     ],
+ *   },
+ *   // { "sha256": "...", roles: [...]}, // Additional documents...
+ * ]
+ *
+ * If this list has been set, and a client connects with a certificate
+ * containing roles which it has not been authorized to grant,
+ * then the connection will be refused.
+ *
+ * Wilcard roles may be defined by omitting the role and/or db portions:
+ *
+ *   { role: "", db: "foo" }       // May grant any role on the 'foo' DB.
+ *   { role: "read", db: "" }      // May grant 'read' role on any DB.
+ *   { role: "", db: "" }          // May grant any role on any DB.
+ */
+Status TLSCATrustsSetParameter::set(const BSONElement& element) try {
+    if ((element.type() != Object) || !element.Obj().couldBeArray()) {
+        return {ErrorCodes::BadValue, "Value must be an array"};
+    }
+
+    SSLParams::TLSCATrusts trusts;
+    for (const auto& trustElement : BSONArray(element.Obj())) {
+        if (trustElement.type() != Object) {
+            return {ErrorCodes::BadValue, "Value must be an array of trust definitions"};
+        }
+
+        IDLParserErrorContext ctx("tlsCATrusts");
+        auto trust = TLSCATrust::parse(ctx, trustElement.Obj());
+
+        if (trusts.find(trust.getSha256()) != trusts.end()) {
+            return {ErrorCodes::BadValue,
+                    str::stream() << "Duplicate thumbprint: " << trust.getSha256().toString()};
+        }
+
+        const auto& roles = trust.getRoles();
+        trusts[std::move(trust.getSha256())] = std::set<RoleName>(roles.begin(), roles.end());
+    }
+
+    sslGlobalParams.tlsCATrusts = std::move(trusts);
+    return Status::OK();
+} catch (...) {
+    return exceptionToStatus();
+}
+
+Status TLSCATrustsSetParameter::setFromString(const std::string& json) try {
+    return set(BSON("" << fromjson(json)).firstElement());
+} catch (...) {
+    return exceptionToStatus();
+}
+
+}  // namespace
 }  // namespace mongo
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
new file mode 100644
index 00000000000..21d376a7bc2
--- /dev/null
+++ b/src/mongo/util/net/ssl_parameters.idl
@@ -0,0 +1,44 @@
+# Copyright (C) 2020-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+  cpp_namespace: "mongo"
+  cpp_includes:
+    - "mongo/util/net/ssl_options.h"
+
+imports:
+    - "mongo/crypto/sha256_block.idl"
+    - "mongo/db/auth/auth_types.idl"
+
+structs:
+  TLSCATrust:
+    description:
+    strict: true
+    fields:
+        sha256: sha256BlockHex
+        roles: array<RoleName>