SERVER-49112 Add Session::getSSLConfiguration

author: Gabriel Marks <gabriel.marks@mongodb.com> 2020-06-26 15:42:20 +0000
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2020-07-08 23:23:41 +0000
commit: b0b09d66b99d80a0a65c4bc552b6e9f443aadb3b (patch)
tree: dca13f3eab48c9edb4f276ba89f5c8efd4338b5f
parent: 8895e4ca0321aa121cd0558a8622286bdf1f41b2 (diff)
download: mongo-b0b09d66b99d80a0a65c4bc552b6e9f443aadb3b.tar.gz
30 files changed, 243 insertions, 75 deletions
diff --git a/src/mongo/client/async_client.cpp b/src/mongo/client/async_client.cpp
index 55cf701b484..41d08e5245e 100644
--- a/src/mongo/client/async_client.cpp
+++ b/src/mongo/client/async_client.cpp
@@ -52,6 +52,7 @@
 #include "mongo/rpc/reply_interface.h"
 #include "mongo/util/net/socket_utils.h"
 #include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/version.h"
 
 namespace mongo {
@@ -153,8 +154,9 @@ Future<void> AsyncDBClient::authenticate(const BSONObj& params) {
     // We will only have a valid clientName if SSL is enabled.
     std::string clientName;
 #ifdef MONGO_CONFIG_SSL
-    if (getSSLManager()) {
-        clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+    auto sslConfiguration = _session->getSSLConfiguration();
+    if (sslConfiguration) {
+        clientName = sslConfiguration->clientSubjectName.toString();
     }
 #endif
 
@@ -169,8 +171,9 @@ Future<void> AsyncDBClient::authenticateInternal(boost::optional<std::string> me
     // We will only have a valid clientName if SSL is enabled.
     std::string clientName;
 #ifdef MONGO_CONFIG_SSL
-    if (getSSLManager()) {
-        clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+    auto sslConfiguration = _session->getSSLConfiguration();
+    if (sslConfiguration) {
+        clientName = sslConfiguration->clientSubjectName.toString();
     }
 #endif
 
diff --git a/src/mongo/client/dbclient_base.cpp b/src/mongo/client/dbclient_base.cpp
index f13eb6a1b3c..83f2bfb98bc 100644
--- a/src/mongo/client/dbclient_base.cpp
+++ b/src/mongo/client/dbclient_base.cpp
@@ -461,8 +461,9 @@ void DBClientBase::_auth(const BSONObj& params) {
     // We will only have a client name if SSL is enabled
     std::string clientName = "";
 #ifdef MONGO_CONFIG_SSL
-    if (getSSLManager() != nullptr) {
-        clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+    auto sslConfiguration = getSSLConfiguration();
+    if (sslConfiguration) {
+        clientName = sslConfiguration->clientSubjectName.toString();
     }
 #endif
 
@@ -488,8 +489,9 @@ Status DBClientBase::authenticateInternalUser(auth::StepDownBehavior stepDownBeh
     // We will only have a client name if SSL is enabled
     std::string clientName = "";
 #ifdef MONGO_CONFIG_SSL
-    if (getSSLManager() != nullptr) {
-        clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+    auto sslConfiguration = getSSLConfiguration();
+    if (sslConfiguration) {
+        clientName = sslConfiguration->clientSubjectName.toString();
     }
 #endif
 
diff --git a/src/mongo/client/dbclient_base.h b/src/mongo/client/dbclient_base.h
index 4da50dcb286..6f6633496f1 100644
--- a/src/mongo/client/dbclient_base.h
+++ b/src/mongo/client/dbclient_base.h
@@ -40,6 +40,7 @@
 #include "mongo/client/mongo_uri.h"
 #include "mongo/client/query.h"
 #include "mongo/client/read_preference.h"
+#include "mongo/config.h"
 #include "mongo/db/dbmessage.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/write_concern_options.h"
@@ -755,6 +756,13 @@ public:
     // This is only for DBClientCursor.
     static void (*withConnection_do_not_use)(std::string host, std::function<void(DBClientBase*)>);
 
+#ifdef MONGO_CONFIG_SSL
+    /**
+     * Get the SSL configuration of this client.
+     */
+    virtual const SSLConfiguration* getSSLConfiguration() = 0;
+#endif
+
 protected:
     /** if the result of a command is ok*/
     bool isOk(const BSONObj&);
diff --git a/src/mongo/client/dbclient_connection.cpp b/src/mongo/client/dbclient_connection.cpp
index 4b24f0652d2..08437ffc366 100644
--- a/src/mongo/client/dbclient_connection.cpp
+++ b/src/mongo/client/dbclient_connection.cpp
@@ -77,6 +77,7 @@
 #include "mongo/util/net/socket_utils.h"
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/password_digest.h"
 #include "mongo/util/time_support.h"
 #include "mongo/util/version.h"
@@ -823,6 +824,12 @@ void DBClientConnection::handleNotMasterResponse(const BSONObj& replyBody,
     _markFailed(kSetFlag);
 }
 
+#ifdef MONGO_CONFIG_SSL
+const SSLConfiguration* DBClientConnection::getSSLConfiguration() {
+    return _session->getSSLConfiguration();
+}
+#endif
+
 AtomicWord<int> DBClientConnection::_numConnections;
 
 }  // namespace mongo
diff --git a/src/mongo/client/dbclient_connection.h b/src/mongo/client/dbclient_connection.h
index 340c8670b3d..db6c0c2a567 100644
--- a/src/mongo/client/dbclient_connection.h
+++ b/src/mongo/client/dbclient_connection.h
@@ -39,6 +39,7 @@
 #include "mongo/client/mongo_uri.h"
 #include "mongo/client/query.h"
 #include "mongo/client/read_preference.h"
+#include "mongo/config.h"
 #include "mongo/db/dbmessage.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/write_concern_options.h"
@@ -307,6 +308,10 @@ public:
         return _authenticatedDuringConnect;
     }
 
+#ifdef MONGO_CONFIG_SSL
+    const SSLConfiguration* getSSLConfiguration() override;
+#endif
+
 protected:
     int _minWireVersion{0};
     int _maxWireVersion{0};
diff --git a/src/mongo/client/dbclient_rs.cpp b/src/mongo/client/dbclient_rs.cpp
index 68ac0b84b50..86f35c50ef6 100644
--- a/src/mongo/client/dbclient_rs.cpp
+++ b/src/mongo/client/dbclient_rs.cpp
@@ -42,6 +42,7 @@
 #include "mongo/client/global_conn_pool.h"
 #include "mongo/client/read_preference.h"
 #include "mongo/client/replica_set_monitor.h"
+#include "mongo/config.h"
 #include "mongo/db/auth/sasl_command_constants.h"
 #include "mongo/db/dbmessage.h"
 #include "mongo/db/jsobj.h"
@@ -1209,4 +1210,10 @@ void DBClientReplicaSet::resetSlaveOkConn() {
     _lastSlaveOkHost = HostAndPort();
 }
 
+#ifdef MONGO_CONFIG_SSL
+const SSLConfiguration* DBClientReplicaSet::getSSLConfiguration() {
+    return checkMaster()->getSSLConfiguration();
+}
+#endif
+
 }  // namespace mongo
diff --git a/src/mongo/client/dbclient_rs.h b/src/mongo/client/dbclient_rs.h
index 4069576cba0..4710a300c5d 100644
--- a/src/mongo/client/dbclient_rs.h
+++ b/src/mongo/client/dbclient_rs.h
@@ -37,6 +37,7 @@
 
 #include "mongo/client/dbclient_connection.h"
 #include "mongo/client/mongo_uri.h"
+#include "mongo/config.h"
 #include "mongo/util/net/hostandport.h"
 
 namespace mongo {
@@ -258,6 +259,10 @@ public:
      */
     static void setAuthPooledSecondaryConn(bool setting);
 
+#ifdef MONGO_CONFIG_SSL
+    const SSLConfiguration* getSSLConfiguration() override;
+#endif
+
 protected:
     /** Authorize.  Authorizes all nodes as needed
      */
diff --git a/src/mongo/db/auth/authorization_manager_impl.cpp b/src/mongo/db/auth/authorization_manager_impl.cpp
index 7e161867017..e793b33f51d 100644
--- a/src/mongo/db/auth/authorization_manager_impl.cpp
+++ b/src/mongo/db/auth/authorization_manager_impl.cpp
@@ -55,6 +55,7 @@
 #include "mongo/db/mongod_options.h"
 #include "mongo/logv2/log.h"
 #include "mongo/util/assert_util.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/str.h"
 
diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp
index b0e24ccaa38..cf30c5fbf4d 100644
--- a/src/mongo/db/auth/authorization_manager_test.cpp
+++ b/src/mongo/db/auth/authorization_manager_test.cpp
@@ -53,6 +53,7 @@
 #include "mongo/transport/session.h"
 #include "mongo/transport/transport_layer_mock.h"
 #include "mongo/unittest/unittest.h"
+#include "mongo/util/net/ssl_peer_info.h"
 
 #define ASSERT_NULL(EXPR) ASSERT_FALSE(EXPR)
 #define ASSERT_NON_NULL(EXPR) ASSERT_TRUE(EXPR)
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 1030b67f336..166bbd3ebe9 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -61,6 +61,7 @@
 #include "mongo/transport/session.h"
 #include "mongo/util/concurrency/mutex.h"
 #include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/text.h"
 
@@ -88,7 +89,9 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS
             "No verified subject name available from client",
             !clientName.empty());
 
-    if (!getSSLManager()->getSSLConfiguration().hasCA) {
+    auto sslConfiguration = opCtx->getClient()->session()->getSSLConfiguration();
+
+    if (!sslConfiguration->hasCA) {
         return Status(ErrorCodes::AuthenticationFailed,
                       "Unable to verify x.509 certificate, as no CA has been provided.");
     } else if (user.getUser() != clientName.toString()) {
@@ -96,7 +99,7 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS
                       "There is no x.509 client certificate matching the user.");
     } else {
         // Handle internal cluster member auth, only applies to server-server connections
-        if (getSSLManager()->getSSLConfiguration().isClusterMember(clientName)) {
+        if (sslConfiguration->isClusterMember(clientName)) {
             int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
             if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_undefined ||
                 clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile) {
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 8fc24ce6d79..d6f95c0e64f 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -843,7 +843,8 @@ void CmdUMCTyped<CreateUserCommand, void>::Invocation::typedRun(OperationContext
             "Cannot create an x.509 user with a subjectname that would be "
             "recognized as an internal cluster member",
             (dbname != "$external") || !getSSLManager() ||
-                !getSSLManager()->getSSLConfiguration().isClusterMember(userName.getUser()));
+                !opCtx->getClient()->session()->getSSLConfiguration()->isClusterMember(
+                    userName.getUser()));
 #endif
 
     // Synthesize a user document
diff --git a/src/mongo/db/dbdirectclient.h b/src/mongo/db/dbdirectclient.h
index 0554334d6fd..8f0ac5ec334 100644
--- a/src/mongo/db/dbdirectclient.h
+++ b/src/mongo/db/dbdirectclient.h
@@ -30,6 +30,7 @@
 #pragma once
 
 #include "mongo/client/dbclient_base.h"
+#include "mongo/config.h"
 #include "mongo/db/dbmessage.h"
 #include "mongo/db/lasterror.h"
 #include "mongo/util/net/hostandport.h"
@@ -107,6 +108,13 @@ public:
         return false;
     }
 
+#ifdef MONGO_CONFIG_SSL
+    const SSLConfiguration* getSSLConfiguration() override {
+        invariant(false);
+        return nullptr;
+    }
+#endif
+
 private:
     OperationContext* _opCtx;
     LastError _lastError;  // This LastError will be used for all operations on this client.
diff --git a/src/mongo/shell/encrypted_dbclient_base.cpp b/src/mongo/shell/encrypted_dbclient_base.cpp
index f08af53e152..d190c5ebac3 100644
--- a/src/mongo/shell/encrypted_dbclient_base.cpp
+++ b/src/mongo/shell/encrypted_dbclient_base.cpp
@@ -35,6 +35,7 @@
 #include "mongo/base/data_type_validated.h"
 #include "mongo/bson/bson_depth.h"
 #include "mongo/client/dbclient_base.h"
+#include "mongo/config.h"
 #include "mongo/crypto/aead_encryption.h"
 #include "mongo/crypto/fle_data_frames.h"
 #include "mongo/crypto/symmetric_crypto.h"
@@ -645,6 +646,12 @@ std::shared_ptr<SymmetricKey> EncryptedDBClientBase::getDataKeyFromDisk(const UU
         std::move(decryptedKey), crypto::aesAlgorithm, "kms_encryption");
 }
 
+#ifdef MONGO_CONFIG_SSL
+const SSLConfiguration* EncryptedDBClientBase::getSSLConfiguration() {
+    return _conn->getSSLConfiguration();
+}
+#endif
+
 namespace {
 
 /**
diff --git a/src/mongo/shell/encrypted_dbclient_base.h b/src/mongo/shell/encrypted_dbclient_base.h
index 406c5884391..4281513cada 100644
--- a/src/mongo/shell/encrypted_dbclient_base.h
+++ b/src/mongo/shell/encrypted_dbclient_base.h
@@ -33,6 +33,7 @@
 #include "mongo/base/data_type_validated.h"
 #include "mongo/bson/bson_depth.h"
 #include "mongo/client/dbclient_base.h"
+#include "mongo/config.h"
 #include "mongo/crypto/aead_encryption.h"
 #include "mongo/crypto/symmetric_crypto.h"
 #include "mongo/db/client.h"
@@ -140,6 +141,10 @@ public:
 
     bool isMongos() const final;
 
+#ifdef MONGO_CONFIG_SSL
+    const SSLConfiguration* getSSLConfiguration() override;
+#endif
+
 protected:
     std::pair<rpc::UniqueReply, DBClientBase*> processResponse(rpc::UniqueReply result,
                                                                const StringData databaseName);
diff --git a/src/mongo/transport/SConscript b/src/mongo/transport/SConscript
index ab1e34c702b..b5431d1db2a 100644
--- a/src/mongo/transport/SConscript
+++ b/src/mongo/transport/SConscript
@@ -15,6 +15,7 @@ env.Library(
     LIBDEPS=[
         '$BUILD_DIR/mongo/base',
         '$BUILD_DIR/mongo/db/service_context',
+        '$BUILD_DIR/mongo/util/net/ssl_manager',
     ],
 )
 
diff --git a/src/mongo/transport/mock_session.h b/src/mongo/transport/mock_session.h
index d9a6984f5b5..8fcb6fc789a 100644
--- a/src/mongo/transport/mock_session.h
+++ b/src/mongo/transport/mock_session.h
@@ -30,6 +30,7 @@
 #pragma once
 
 #include "mongo/base/checked_cast.h"
+#include "mongo/config.h"
 #include "mongo/transport/session.h"
 #include "mongo/transport/transport_layer_mock.h"
 #include "mongo/util/net/hostandport.h"
@@ -123,6 +124,12 @@ public:
         return true;
     }
 
+#ifdef MONGO_CONFIG_SSL
+    virtual const SSLConfiguration* getSSLConfiguration() const override {
+        return nullptr;
+    }
+#endif
+
     explicit MockSession(TransportLayer* tl)
         : _tl(checked_cast<TransportLayerMock*>(tl)), _remote(), _local() {}
     explicit MockSession(HostAndPort remote,
diff --git a/src/mongo/transport/service_state_machine.cpp b/src/mongo/transport/service_state_machine.cpp
index 2d28455793e..fb09fa9ad85 100644
--- a/src/mongo/transport/service_state_machine.cpp
+++ b/src/mongo/transport/service_state_machine.cpp
@@ -54,6 +54,7 @@
 #include "mongo/util/exit.h"
 #include "mongo/util/fail_point.h"
 #include "mongo/util/net/socket_exception.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/quick_exit.h"
 
 namespace mongo {
diff --git a/src/mongo/transport/session.cpp b/src/mongo/transport/session.cpp
index d3efb3051b6..c35d49aff1c 100644
--- a/src/mongo/transport/session.cpp
+++ b/src/mongo/transport/session.cpp
@@ -31,9 +31,13 @@
 
 #include "mongo/transport/session.h"
 
+#include "mongo/config.h"
 #include "mongo/platform/atomic_word.h"
 #include "mongo/transport/transport_layer.h"
+#ifdef MONGO_CONFIG_SSL
+#include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_types.h"
+#endif
 
 namespace mongo {
 namespace transport {
diff --git a/src/mongo/transport/session.h b/src/mongo/transport/session.h
index 6f72aca8127..2f5aebb74f4 100644
--- a/src/mongo/transport/session.h
+++ b/src/mongo/transport/session.h
@@ -31,6 +31,7 @@
 
 #include <memory>
 
+#include "mongo/config.h"
 #include "mongo/db/baton.h"
 #include "mongo/platform/atomic_word.h"
 #include "mongo/rpc/message.h"
@@ -40,6 +41,9 @@
 #include "mongo/util/net/hostandport.h"
 #include "mongo/util/net/sockaddr.h"
 #include "mongo/util/time_support.h"
+#ifdef MONGO_CONFIG_SSL
+#include "mongo/util/net/ssl_types.h"
+#endif
 
 namespace mongo {
 namespace transport {
@@ -184,6 +188,13 @@ public:
 
     TagMask getTags() const;
 
+#ifdef MONGO_CONFIG_SSL
+    /**
+     * Get the configuration from the SSL manager.
+     */
+    virtual const SSLConfiguration* getSSLConfiguration() const = 0;
+#endif
+
 protected:
     Session();
 
diff --git a/src/mongo/transport/session_asio.h b/src/mongo/transport/session_asio.h
index bf19ccc31da..5795230daa6 100644
--- a/src/mongo/transport/session_asio.h
+++ b/src/mongo/transport/session_asio.h
@@ -41,6 +41,7 @@
 #include "mongo/util/net/socket_utils.h"
 #ifdef MONGO_CONFIG_SSL
 #include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #endif
 
@@ -240,6 +241,16 @@ public:
         return false;
     }
 
+#ifdef MONGO_CONFIG_SSL
+    virtual const SSLConfiguration* getSSLConfiguration() const override {
+        auto sslManager = getSSLManager();
+        if (!sslManager) {
+            return nullptr;
+        }
+        return &sslManager->getSSLConfiguration();
+    }
+#endif
+
 protected:
     friend class TransportLayerASIO;
     friend TransportLayerASIO::BatonASIO;
diff --git a/src/mongo/transport/transport_layer_mock.h b/src/mongo/transport/transport_layer_mock.h
index eb095b1e65e..8d38a4c4ef5 100644
--- a/src/mongo/transport/transport_layer_mock.h
+++ b/src/mongo/transport/transport_layer_mock.h
@@ -33,6 +33,7 @@
 #include "mongo/stdx/unordered_map.h"
 #include "mongo/transport/session.h"
 #include "mongo/transport/transport_layer.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/time_support.h"
 
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index ccdef1287b2..41ff54ec20b 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -96,7 +96,6 @@ env.Library(
         '$BUILD_DIR/mongo/base',
     ],
     LIBDEPS_PRIVATE=[
-        '$BUILD_DIR/mongo/transport/transport_layer_common',
         'ssl_options',
     ]
 )
@@ -122,6 +121,7 @@ if not get_option('ssl') == 'off':
             "ssl_parameters.cpp",
             "ssl_manager_%s.cpp" % (ssl_provider),
             "ssl_stream.cpp",
+            "ssl_peer_info.cpp",
             env.Idlc('ssl_parameters.idl')[0],
             "ocsp/ocsp_manager.cpp",
         ],
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index 8bcb12db721..979dc9f0f2f 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -44,6 +44,7 @@
 #include "mongo/util/decorable.h"
 #include "mongo/util/net/sock.h"
 #include "mongo/util/net/ssl/apple.hpp"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/out_of_line_executor.h"
 #include "mongo/util/time_support.h"
@@ -117,26 +118,6 @@ public:
     virtual ~SSLConnectionInterface();
 };
 
-class SSLConfiguration {
-public:
-    bool isClusterMember(StringData subjectName) const;
-    bool isClusterMember(SSLX509Name subjectName) const;
-    void getServerStatusBSON(BSONObjBuilder*) const;
-    Status setServerSubjectName(SSLX509Name name);
-
-    const SSLX509Name& serverSubjectName() const {
-        return _serverSubjectName;
-    }
-
-    SSLX509Name clientSubjectName;
-    Date_t serverCertificateExpirationDate;
-    bool hasCA = false;
-
-private:
-    SSLX509Name _serverSubjectName;
-    std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
-};
-
 // These represent the ASN.1 type bytes for strings used in an X509 DirectoryString
 constexpr int kASN1BMPString = 30;
 constexpr int kASN1IA5String = 22;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index c112e7db5ee..d96ee83ced1 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -55,6 +55,7 @@
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_options.h"
 #include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
 
 using asio::ssl::apple::CFUniquePtr;
 
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 3dc7325a90a..90fd2d5eba9 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -62,6 +62,7 @@
 #include "mongo/util/net/socket_exception.h"
 #include "mongo/util/net/ssl_options.h"
 #include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/periodic_runner.h"
 #include "mongo/util/read_through_cache.h"
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 5c87b0161b0..5eed0bdb6a1 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -61,6 +61,7 @@
 #include "mongo/util/net/ssl.hpp"
 #include "mongo/util/net/ssl_options.h"
 #include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/str.h"
 #include "mongo/util/text.h"
diff --git a/src/mongo/util/net/ssl_peer_info.cpp b/src/mongo/util/net/ssl_peer_info.cpp
new file mode 100644
index 00000000000..315fa751993
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.cpp
@@ -0,0 +1,46 @@
+/**
+ *    Copyright (C) 2018-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/util/net/ssl_peer_info.h"
+
+namespace mongo {
+namespace {
+const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
+    transport::Session::declareDecoration<SSLPeerInfo>();
+}
+SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
+    return peerInfoForSession(session.get());
+}
+
+const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) {
+    return peerInfoForSession(session.get());
+}
+}  // namespace mongo
+\ No newline at end of file
diff --git a/src/mongo/util/net/ssl_peer_info.h b/src/mongo/util/net/ssl_peer_info.h
new file mode 100644
index 00000000000..b336fd95e18
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.h
@@ -0,0 +1,67 @@
+/**
+ *    Copyright (C) 2018-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#pragma once
+
+#include "mongo/transport/session.h"
+#include "mongo/util/net/ssl_types.h"
+
+namespace mongo {
+/**
+ * Contains information extracted from the peer certificate which is consumed by subsystems
+ * outside of the networking stack.
+ */
+struct SSLPeerInfo {
+    explicit SSLPeerInfo(SSLX509Name subjectName,
+                         boost::optional<std::string> sniName = {},
+                         stdx::unordered_set<RoleName> roles = {})
+        : isTLS(true),
+          subjectName(std::move(subjectName)),
+          sniName(std::move(sniName)),
+          roles(std::move(roles)) {}
+    SSLPeerInfo() = default;
+
+    explicit SSLPeerInfo(boost::optional<std::string> sniName)
+        : isTLS(true), sniName(std::move(sniName)) {}
+
+    /**
+     * This flag is used to indicate if the underlying socket is using TLS or not. A default
+     * constructor of SSLPeerInfo indicates that TLS is not being used, and the other
+     * constructors set its value to true.
+     */
+    bool isTLS = false;
+
+    SSLX509Name subjectName;
+    boost::optional<std::string> sniName;
+    stdx::unordered_set<RoleName> roles;
+
+    static SSLPeerInfo& forSession(const transport::SessionHandle& session);
+    static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session);
+};
+}  // namespace mongo
+\ No newline at end of file
diff --git a/src/mongo/util/net/ssl_types.cpp b/src/mongo/util/net/ssl_types.cpp
index cc2f7e063ea..217da793c7c 100644
--- a/src/mongo/util/net/ssl_types.cpp
+++ b/src/mongo/util/net/ssl_types.cpp
@@ -35,21 +35,6 @@
 
 namespace mongo {
 
-namespace {
-
-const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
-    transport::Session::declareDecoration<SSLPeerInfo>();
-
-}  // namespace
-
-SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
-    return peerInfoForSession(session.get());
-}
-
-const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) {
-    return peerInfoForSession(session.get());
-}
-
 const SSLParams& getSSLGlobalParams() {
     return sslGlobalParams;
 }
diff --git a/src/mongo/util/net/ssl_types.h b/src/mongo/util/net/ssl_types.h
index a006fd721e1..6f859ee01aa 100644
--- a/src/mongo/util/net/ssl_types.h
+++ b/src/mongo/util/net/ssl_types.h
@@ -34,7 +34,6 @@
 #include "mongo/bson/util/builder.h"
 #include "mongo/db/auth/role_name.h"
 #include "mongo/stdx/unordered_set.h"
-#include "mongo/transport/session.h"
 
 namespace mongo {
 
@@ -110,36 +109,24 @@ inline bool operator<(const SSLX509Name::Entry& lhs, const SSLX509Name::Entry& r
     return lhs.equalityLens() < rhs.equalityLens();
 }
 
-/**
- * Contains information extracted from the peer certificate which is consumed by subsystems
- * outside of the networking stack.
- */
-struct SSLPeerInfo {
-    explicit SSLPeerInfo(SSLX509Name subjectName,
-                         boost::optional<std::string> sniName = {},
-                         stdx::unordered_set<RoleName> roles = {})
-        : isTLS(true),
-          subjectName(std::move(subjectName)),
-          sniName(std::move(sniName)),
-          roles(std::move(roles)) {}
-    SSLPeerInfo() = default;
-
-    explicit SSLPeerInfo(boost::optional<std::string> sniName)
-        : isTLS(true), sniName(std::move(sniName)) {}
+class SSLConfiguration {
+public:
+    bool isClusterMember(StringData subjectName) const;
+    bool isClusterMember(SSLX509Name subjectName) const;
+    void getServerStatusBSON(BSONObjBuilder*) const;
+    Status setServerSubjectName(SSLX509Name name);
 
-    /**
-     * This flag is used to indicate if the underlying socket is using TLS or not. A default
-     * constructor of SSLPeerInfo indicates that TLS is not being used, and the other
-     * constructors set its value to true.
-     */
-    bool isTLS = false;
+    const SSLX509Name& serverSubjectName() const {
+        return _serverSubjectName;
+    }
 
-    SSLX509Name subjectName;
-    boost::optional<std::string> sniName;
-    stdx::unordered_set<RoleName> roles;
+    SSLX509Name clientSubjectName;
+    Date_t serverCertificateExpirationDate;
+    bool hasCA = false;
 
-    static SSLPeerInfo& forSession(const transport::SessionHandle& session);
-    static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session);
+private:
+    SSLX509Name _serverSubjectName;
+    std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
 };
 
 }  // namespace mongo
author	Gabriel Marks <gabriel.marks@mongodb.com>	2020-06-26 15:42:20 +0000
committer	Evergreen Agent <no-reply@evergreen.mongodb.com>	2020-07-08 23:23:41 +0000
commit	b0b09d66b99d80a0a65c4bc552b6e9f443aadb3b (patch)
tree	dca13f3eab48c9edb4f276ba89f5c8efd4338b5f
parent	8895e4ca0321aa121cd0558a8622286bdf1f41b2 (diff)
download	mongo-b0b09d66b99d80a0a65c4bc552b6e9f443aadb3b.tar.gz