diff options
author | Misha Tyulenev <misha@mongodb.com> | 2018-08-13 18:09:20 -0400 |
---|---|---|
committer | Misha Tyulenev <misha@mongodb.com> | 2018-08-13 18:11:15 -0400 |
commit | c764ee142f633b3a88954f336b11633e1baeffdc (patch) | |
tree | 6a7a47f7851952f1a607ca7974a8b2b35c820a5a | |
parent | 9554bfa400f25347c98aa983535224734db8bfa0 (diff) | |
download | mongo-c764ee142f633b3a88954f336b11633e1baeffdc.tar.gz |
SERVER-36463 bypass validation of dummy signatures for isMaster on the unauthenticated connections
-rw-r--r-- | src/mongo/db/service_entry_point_common.cpp | 2 | ||||
-rw-r--r-- | src/mongo/rpc/metadata.cpp | 16 | ||||
-rw-r--r-- | src/mongo/rpc/metadata.h | 2 |
3 files changed, 17 insertions, 3 deletions
diff --git a/src/mongo/db/service_entry_point_common.cpp b/src/mongo/db/service_entry_point_common.cpp index 3929cb7f795..2ca860f142e 100644 --- a/src/mongo/db/service_entry_point_common.cpp +++ b/src/mongo/db/service_entry_point_common.cpp @@ -638,7 +638,7 @@ void execCommandDatabase(OperationContext* opCtx, // TODO: move this back to runCommands when mongos supports OperationContext // see SERVER-18515 for details. - rpc::readRequestMetadata(opCtx, request.body); + rpc::readRequestMetadata(opCtx, request.body, command->requiresAuth()); rpc::TrackingMetadata::get(opCtx).initWithOperName(command->getName()); auto const replCoord = repl::ReplicationCoordinator::get(opCtx); diff --git a/src/mongo/rpc/metadata.cpp b/src/mongo/rpc/metadata.cpp index 8c88cb23717..74360ead237 100644 --- a/src/mongo/rpc/metadata.cpp +++ b/src/mongo/rpc/metadata.cpp @@ -31,6 +31,7 @@ #include "mongo/rpc/metadata.h" #include "mongo/client/read_preference.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/dbmessage.h" #include "mongo/db/jsobj.h" #include "mongo/db/logical_clock.h" @@ -50,7 +51,7 @@ BSONObj makeEmptyMetadata() { return BSONObj(); } -void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) { +void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth) { BSONElement readPreferenceElem; BSONElement auditElem; BSONElement configSvrElem; @@ -96,6 +97,19 @@ void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) { uassertStatusOK(rpc::LogicalTimeMetadata::readFromMetadata(logicalTimeElem)); auto& signedTime = logicalTimeMetadata.getSignedTime(); + + if (!requiresAuth && + AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() && + (!signedTime.getProof() || *signedTime.getProof() == TimeProofService::TimeProof())) { + + AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient()); + // The client is not authenticated and is not using localhost auth bypass. + if (authSession && !authSession->isAuthenticated() && + !authSession->isUsingLocalhostBypass()) { + return; + } + } + // LogicalTimeMetadata is default constructed if no cluster time metadata was sent, so a // default constructed SignedLogicalTime should be ignored. if (signedTime.getTime() != LogicalTime::kUninitialized) { diff --git a/src/mongo/rpc/metadata.h b/src/mongo/rpc/metadata.h index 0231cfcebf5..f83ac1dcdeb 100644 --- a/src/mongo/rpc/metadata.h +++ b/src/mongo/rpc/metadata.h @@ -53,7 +53,7 @@ BSONObj makeEmptyMetadata(); /** * Reads metadata from a metadata object and sets it on this OperationContext. */ -void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj); +void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth); /** * A legacy command object and a corresponding query flags bitfield. The legacy command object |