author | Adam Rayner <adam.rayner@gmail.com> | 2022-05-05 15:27:05 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2022-05-05 16:14:41 +0000 |
commit | 5d80a6fad7b11d69f51e73353cf6712f05c5d1d2 (patch) | |
tree | 8c03e48a457d46c429e4a9964f8b2e1cab1c0966 | |
parent | b76f5a6e67e5929af7c0265c6ca93b089ce36306 (diff) | |
download | mongo-5d80a6fad7b11d69f51e73353cf6712f05c5d1d2.tar.gz |
SERVER-61110 backport to 5.0
-rw-r--r-- | src/mongo/db/auth/authorization_contract.cpp | 16 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_contract.h | 7 |
2 files changed, 23 insertions, 0 deletions
diff --git a/src/mongo/db/auth/authorization_contract.cpp b/src/mongo/db/auth/authorization_contract.cpp
index 6f78c07f150..1991e1be954 100644
--- a/src/mongo/db/auth/authorization_contract.cpp
+++ b/src/mongo/db/auth/authorization_contract.cpp
@@ -41,6 +41,8 @@ namespace mongo {
 void AuthorizationContract::clear() {
+ stdx::lock_guard<Mutex> lck(_mutex);
+
 _checks.reset();
 for (size_t i = 0; i < _privilegeChecks.size(); ++i) {
 _privilegeChecks[i].removeAllActions();
@@ -48,20 +50,28 @@ void AuthorizationContract::clear() {
 }
 void AuthorizationContract::addAccessCheck(AccessCheckEnum check) {
+ stdx::lock_guard<Mutex> lck(_mutex);
+
 _checks.set(static_cast<size_t>(check), true);
 }
 bool AuthorizationContract::hasAccessCheck(AccessCheckEnum check) const {
+ stdx::lock_guard<Mutex> lck(_mutex);
+
 return _checks.test(static_cast<size_t>(check));
 }
 void AuthorizationContract::addPrivilege(const Privilege& p) {
+ stdx::lock_guard<Mutex> lck(_mutex);
+
 auto matchType = p.getResourcePattern().matchType();
 _privilegeChecks[static_cast<size_t>(matchType)].addAllActionsFromSet(p.getActions());
 }
 bool AuthorizationContract::hasPrivileges(const Privilege& p) const {
+ stdx::lock_guard<Mutex> lck(_mutex);
+
 auto matchType = p.getResourcePattern().matchType();
 return _privilegeChecks[static_cast<size_t>(matchType)].contains(p.getActions());
@@ -69,6 +79,12 @@ bool AuthorizationContract::hasPrivileges(const Privilege& p) const {
 bool AuthorizationContract::contains(const AuthorizationContract& other) const {
+ if (this == &other) {
+ return true; // this and other are same - so contains is necessarily true
+ }
+
+ std::scoped_lock<Mutex, Mutex> lk(_mutex, other._mutex);
+
 if ((_checks | other._checks) != _checks) {
 if (kDebugBuild) {
 auto missingChecks = (_checks ^ other._checks) & other._checks;
diff --git a/src/mongo/db/auth/authorization_contract.h b/src/mongo/db/auth/authorization_contract.h
index 2541481d72e..f5400557d3c 100644
--- a/src/mongo/db/auth/authorization_contract.h
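Review bot: The `this == &other` early return in `contains()` does more than its comment says: without it the `std::scoped_lock` below would be handed the same `_mutex` twice, which is not permitted for a non-recursive mutex (assuming `Mutex` is one). I would say so in the comment, e.g. `// Same object: trivially true, and _mutex must not be passed to scoped_lock twice`, so that a later cleanup does not remove the guard as a mere shortcut. The body of `contains()` continues past the end of the hunk; the visible `kDebugBuild` branch runs with both mutexes held, so whatever it logs or formats there is done under the locks.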
+++ b/src/mongo/db/auth/authorization_contract.h
@@ -67,6 +67,11 @@ public:
 }
 }
+ AuthorizationContract(const AuthorizationContract& other) {
+ _checks = other._checks;
+ _privilegeChecks = other._privilegeChecks;
+ }
+
 /**
 * Clear the authorization contract
 */
@@ -98,6 +103,8 @@ public:
 bool contains(const AuthorizationContract& other) const;
 private:
+ mutable Mutex _mutex = MONGO_MAKE_LATCH("AuthorizationContract::_mutex");
+
 // Set of access checks performed
 std::bitset<kNumAccessCheckEnum> _checks; |
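Review bot: The new copy constructor reads `other._checks` and `other._privilegeChecks` without holding `other._mutex`, although every other reader touched by this commit takes the lock first. If a contract can be copied while another thread is still calling `addAccessCheck()` or `addPrivilege()` on it, which is presumably the kind of race this backport addresses, the copy can capture a half-updated set of checks and the later `contains()` comparison would be made against the wrong contract. Taking the source lock as the first statement, `stdx::lock_guard<Mutex> lck(other._mutex);`, would close that gap. Copy assignment is not declared in the hunk; with a `Mutex` member it is worth declaring or deleting it explicitly rather than leaving it to the implicit rules.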
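Review bot: `_mutex` is declared without a comment saying which members it guards or why it is `mutable`. Going by the .cpp changes it covers both `_checks` and `_privilegeChecks` and is locked from const methods, so a line such as `// Protects _checks and _privilegeChecks; mutable so const readers can lock` above the declaration would make the locking rule visible to whoever adds the next member or accessor.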