SERVER-61030 Add 'authenticate' command to the OP_QUERY allowlist

(cherry picked from commit dea0353a2927370505ae22307d5d72362af9017b)

2 files changed, 27 insertions, 6 deletions

diff --git a/src/mongo/rpc/op_legacy_integration_test.cpp b/src/mongo/rpc/op_legacy_integration_test.cpp
index ec9f64eef36..fd7d21c6fa7 100644
--- a/src/mongo/rpc/op_legacy_integration_test.cpp
+++ b/src/mongo/rpc/op_legacy_integration_test.cpp
@@ -460,9 +460,13 @@ TEST(OpLegacy, IsmasterCommandViaOpQuery) {
 }
 
 TEST(OpLegacy, SaslStartCommandViaOpQuery) {
-    // Here we verify that "saslStart" command passes parsing since the request is actually
-    // an invalid authentication request which is capture from a log. The AuthenticationFailed error
-    // code means that it passes request parsing.
+    // Some older drivers continue to authenticate using OP_QUERY commands, even if the
+    // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must
+    // continue to accept "saslStart" commands as OP_QUERY.
+    //
+    // Here we verify that "saslStart" command passes parsing since the request is actually an
+    // invalid authentication request. The AuthenticationFailed error code means that it passes
+    // request parsing.
     testAllowedCommand(R"({
                            saslStart: 1,
                            "mechanism":"SCRAM-SHA-256",
@@ -478,9 +482,13 @@ TEST(OpLegacy, SaslStartCommandViaOpQuery) {
 }
 
 TEST(OpLegacy, SaslContinueCommandViaOpQuery) {
-    // Here we verify that "saslContinue" command passes parsing since the request is actually
-    // an invalid authentication request which is captured from a log. The ProtocolError error code
-    // means that it passes request parsing.
+    // Some older drivers continue to authenticate using OP_QUERY commands, even if the
+    // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must
+    // continue to accept "saslContinue" commands as OP_QUERY.
+    //
+    // Here we verify that "saslContinue" command passes parsing since the request is actually an
+    // invalid authentication request. The ProtocolError error code means that it passes request
+    // parsing.
     testAllowedCommand(R"({
                            saslContinue: 1,
                            "payload":{
@@ -494,5 +502,17 @@ TEST(OpLegacy, SaslContinueCommandViaOpQuery) {
                        ErrorCodes::ProtocolError);
 }
 
+TEST(OpLegacy, AuthenticateCommandViaOpQuery) {
+    // Some older drivers continue to authenticate using OP_QUERY commands, even if the
+    // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must
+    // continue to accept "authenticate" commands as OP_QUERY.
+    //
+    // Here we only verify that "authenticate" command passes parsing since the request is actually
+    // an invalid authentication request. The AuthenticationFailed error code means that it passes
+    // request parsing.
+    testAllowedCommand(R"({authenticate: 1, mechanism: "MONGODB-X509"})",
+                       ErrorCodes::AuthenticationFailed);
+}
+
 }  // namespace
 }  // namespace mongo
diff --git a/src/mongo/rpc/warn_deprecated_wire_ops.cpp b/src/mongo/rpc/warn_deprecated_wire_ops.cpp
index 0f3fd7597d2..540e431cb8f 100644
--- a/src/mongo/rpc/warn_deprecated_wire_ops.cpp
+++ b/src/mongo/rpc/warn_deprecated_wire_ops.cpp
@@ -114,6 +114,7 @@ void warnDeprecation(Client& client, StringData op) {
 void checkAllowedOpQueryCommand(Client& client, StringData cmd) {
     static constexpr std::array allowedOpQueryCommands{
         "_isSelf"_sd,
+        "authenticate"_sd,
         "buildinfo"_sd,
         "buildInfo"_sd,
         "hello"_sd,