authorAndreas Nilsson <andreas.nilsson@10gen.com>2013-07-03 17:09:09 +0100
committerAndreas Nilsson <andreas.nilsson@10gen.com>2013-07-03 18:29:37 +0100
commit00fb45cd97d2314548dc07c2c8e1cc1737fd273f (patch)
tree39bad422345f565c4bd8c6728eb8eb8a1e6104b1
parent3457954bb082d98dfd769d27771d4e30f3f785a5 (diff)
downloadmongo-00fb45cd97d2314548dc07c2c8e1cc1737fd273f.tar.gz
SERVER-7455 Common internal cluster auth function
-rw-r--r--src/mongo/SConscript2
-rw-r--r--src/mongo/db/auth/authorization_manager.cpp5
-rw-r--r--src/mongo/db/auth/authorization_manager.h10
-rw-r--r--src/mongo/db/auth/authorization_session.cpp1
-rw-r--r--src/mongo/db/auth/authz_manager_external_state.cpp1
-rw-r--r--src/mongo/db/auth/security_key.cpp19
-rw-r--r--src/mongo/db/auth/security_key.h19
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp1
-rw-r--r--src/mongo/db/commands/isself.cpp3
-rw-r--r--src/mongo/db/repl/connections.h7
-rw-r--r--src/mongo/db/repl/oplogreader.cpp35
-rw-r--r--src/mongo/db/repl/sync_source_feedback.cpp35
-rw-r--r--src/mongo/s/shard.cpp7
13 files changed, 77 insertions, 68 deletions
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index bdeb82b5a2b..ed2cccb461c 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -858,7 +858,7 @@ if shellEnv is not None:
mongo_shell = shellEnv.Program(
"mongo",
coreShellFiles,
- LIBDEPS=[ "db/auth/authcore","clientandshell", "mongocommon", "scripting",
+ LIBDEPS=[ "clientandshell", "mongocommon", "scripting",
"$BUILD_DIR/third_party/shim_pcrecpp"] + env['MODULE_LIBDEPS_MONGOSHELL'] )
shellEnv.Install( '#/', mongo_shell )
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
index 703d6d3f0e2..2c775c483a8 100644
--- a/src/mongo/db/auth/authorization_manager.cpp
+++ b/src/mongo/db/auth/authorization_manager.cpp
@@ -37,11 +37,6 @@
namespace mongo {
- AuthInfo::AuthInfo() {
- user = "__system";
- }
- AuthInfo internalSecurity;
-
const std::string AuthorizationManager::SERVER_RESOURCE_NAME = "$SERVER";
const std::string AuthorizationManager::CLUSTER_RESOURCE_NAME = "$CLUSTER";
const std::string AuthorizationManager::USER_NAME_FIELD_NAME = "user";
diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h
index 2dd04e2d1df..b0a67ad68c9 100644
--- a/src/mongo/db/auth/authorization_manager.h
+++ b/src/mongo/db/auth/authorization_manager.h
@@ -34,16 +34,6 @@
namespace mongo {
/**
- * Internal secret key info.
- */
- struct AuthInfo {
- AuthInfo();
- std::string user;
- std::string pwd;
- };
- extern AuthInfo internalSecurity; // set at startup and not changed after initialization.
-
- /**
* Contains server/cluster-wide information about Authorization.
*/
class AuthorizationManager {
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index 24f28251f27..50e79501b0c 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -28,6 +28,7 @@
#include "mongo/db/auth/principal_set.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/privilege_set.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/client.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/namespacestring.h"
diff --git a/src/mongo/db/auth/authz_manager_external_state.cpp b/src/mongo/db/auth/authz_manager_external_state.cpp
index 128b5436a2f..a2cf986ab99 100644
--- a/src/mongo/db/auth/authz_manager_external_state.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state.cpp
@@ -18,6 +18,7 @@
#include "mongo/base/status.h"
#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/namespacestring.h"
#include "mongo/util/mongoutils/str.h"
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index c5f85bee877..70a152fa289 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -20,7 +20,6 @@
#include <string>
#include <vector>
-#include "mongo/client/dbclientinterface.h"
#include "mongo/db/auth/action_set.h"
#include "mongo/db/auth/action_type.h"
#include "mongo/db/auth/authorization_manager.h"
@@ -29,6 +28,24 @@
namespace mongo {
+ AuthInfo::AuthInfo() {
+ user = "__system";
+ }
+ AuthInfo internalSecurity;
+
+ bool authenticateInternalUser(DBClientWithCommands* conn){
+ string err;
+ if( !conn->auth("local",
+ internalSecurity.user,
+ internalSecurity.pwd,
+ err,
+ false) ) {
+ log() << "can't authenticate as internal user, error: " << err << endl;
+ return false;
+ }
+ return true;
+ }
+
bool setUpSecurityKey(const string& filename) {
struct stat stats;
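Review bot: The `false` passed as the final argument of `conn->auth()` in the new `authenticateInternalUser` is security-relevant and undocumented: per the header, `setUpSecurityKey` stores the keyfile's hash in `internalSecurity.pwd`, so the flag tells the client not to digest the password a second time, and flipping it would silently break cluster authentication. I would add `// pwd already holds the keyfile digest; digestPassword must stay false so it is not hashed twice` above the call. The helper also keeps the failure reason in a local `err` that it only logs, so callers that previously received the message through their own `err` (connections.h and shard.cpp in this commit) now have nothing to report; an optional `std::string* errmsg` out-parameter, or at least `conn->getServerAddress()` in the log line, would preserve that diagnostic. Nothing in the helper checks that `internalSecurity.pwd` is non-empty; the repl callers guard that before calling, while the connections.h and shard.cpp callers only check `isAuthEnabled()`, which appears to be inherited behavior rather than new.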
diff --git a/src/mongo/db/auth/security_key.h b/src/mongo/db/auth/security_key.h
index e261123dcea..e62bb3f32fd 100644
--- a/src/mongo/db/auth/security_key.h
+++ b/src/mongo/db/auth/security_key.h
@@ -18,9 +18,28 @@
#include <string>
+#include "mongo/client/dbclientinterface.h"
+
namespace mongo {
/**
+ * Internal secret key info.
+ */
+ struct AuthInfo {
+ AuthInfo();
+ std::string user;
+ std::string pwd;
+ };
+ extern AuthInfo internalSecurity; // set at startup and not changed after initialization.
+
+ /**
+ * This method authenticates to another cluster member using appropriate
+ * authentication data
+ * @return true if the authentication was succesful
+ */
+ extern bool authenticateInternalUser(DBClientWithCommands* conn);
+
+ /**
* This method checks the validity of filename as a security key, hashes its
* contents, and stores it in the internalSecurity variable. Prints an
* error message to the logs if there's an error.
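Review bot: The new doc comment for `authenticateInternalUser` says it uses "appropriate authentication data" without stating the contract, and `extern` on a function declaration is redundant. I would describe it as: authenticates `conn` against the `local` database as `internalSecurity.user` with the pre-digested `internalSecurity.pwd`, requires `setUpSecurityKey` to have populated that struct, and logs the reason and returns false on failure; also fix "succesful" to "successful". Including `mongo/client/dbclientinterface.h` in this header so it can name `DBClientWithCommands*` makes every includer of security_key.h (auth core, commands, repl) depend on the client headers; a forward declaration `class DBClientWithCommands;` suffices for a pointer parameter, with the real include kept in security_key.cpp. The `setUpSecurityKey` comment at the end continues past the hunk.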
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 3372fe40c60..1f89d79c0d9 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -29,6 +29,7 @@
#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/auth/mongo_authentication_session.h"
#include "mongo/db/auth/privilege.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/client_basic.h"
#include "mongo/db/commands.h"
#include "mongo/db/jsobj.h"
diff --git a/src/mongo/db/commands/isself.cpp b/src/mongo/db/commands/isself.cpp
index a33c0f8e7a7..055f966c3fe 100644
--- a/src/mongo/db/commands/isself.cpp
+++ b/src/mongo/db/commands/isself.cpp
@@ -25,6 +25,7 @@
#include "mongo/db/auth/action_type.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/privilege.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/jsobj.h"
#include "../../util/net/listen.h"
#include "../commands.h"
@@ -244,7 +245,7 @@ namespace mongo {
}
if (AuthorizationManager::isAuthEnabled() && !cmdLine.keyFile.empty() ) {
- if (!conn.auth("local", internalSecurity.user, internalSecurity.pwd, errmsg, false)) {
+ if (!authenticateInternalUser(&conn)) {
return false;
}
}
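Review bot: The replacement `authenticateInternalUser(&conn)` no longer fills `errmsg`, which the removed `conn.auth(...)` call populated, so on auth failure this path returns false with whatever `errmsg` held before (presumably empty) and the caller loses the reason. Since the helper only logs internally, set it here, e.g. `errmsg = "can't authenticate as internal user to " + conn.getServerAddress();` before `return false;`, or give the helper an error out-parameter. The enclosing function starts before this hunk, so where `errmsg` comes from is inferred.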
diff --git a/src/mongo/db/repl/connections.h b/src/mongo/db/repl/connections.h
index 0ebc162eed1..753c28f42f3 100644
--- a/src/mongo/db/repl/connections.h
+++ b/src/mongo/db/repl/connections.h
@@ -21,6 +21,7 @@
#include <map>
#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/repl/rs.h" // extern Tee* rslog
namespace mongo {
@@ -128,11 +129,7 @@ namespace mongo {
// be rebooting. if their file has to change, they'll be rebooted so the
// connection created above will go dead, reconnect, and reauth.
if (AuthorizationManager::isAuthEnabled()) {
- if (!connInfo->cc->auth("local",
- internalSecurity.user,
- internalSecurity.pwd,
- err,
- false)) {
+ if (!authenticateInternalUser(connInfo->cc.get())) {
log() << "could not authenticate against " << _hostport << ", " << err << rsLog;
return false;
}
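Review bot: After this change `err` on the log line is never assigned, because the auth call and its error string now live inside `authenticateInternalUser`, so the message reads `could not authenticate against <host>, ` with an empty tail while the real reason is logged separately by the helper. Either drop the dangling suffix, `log() << "could not authenticate against " << _hostport << rsLog;`, or extend the helper with a `std::string*` out-parameter so host and reason land on one line. `err` is declared above the hunk and is probably now unused apart from this log, so it is worth removing as well.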
diff --git a/src/mongo/db/repl/oplogreader.cpp b/src/mongo/db/repl/oplogreader.cpp
index b2154ba0868..994ea872a30 100644
--- a/src/mongo/db/repl/oplogreader.cpp
+++ b/src/mongo/db/repl/oplogreader.cpp
@@ -21,9 +21,9 @@
#include "mongo/base/counter.h"
#include "mongo/client/dbclientinterface.h"
-#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/commands/server_status.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/dbhelpers.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/repl/rs.h" // theReplSet
@@ -58,30 +58,25 @@ namespace mongo {
return false;
}
- string u;
- string p;
if (internalSecurity.pwd.length() > 0) {
- u = internalSecurity.user;
- p = internalSecurity.pwd;
+ return authenticateInternalUser(conn);
}
- else {
- BSONObj user;
- {
- Client::ReadContext ctxt("local.");
- if( !Helpers::findOne("local.system.users", userReplQuery, user) ||
- // try the first user in local
- !Helpers::getSingleton("local.system.users", user) ) {
- log() << "replauthenticate: no user in local.system.users to use for authentication" << endl;
- return false;
- }
+ BSONObj user;
+ {
+ Client::ReadContext ctxt("local.");
+ if( !Helpers::findOne("local.system.users", userReplQuery, user) ||
+ // try the first user in local
+ !Helpers::getSingleton("local.system.users", user) ) {
+ log() << "replauthenticate: no user in local.system.users to use for authentication" << endl;
+ return false;
}
- u = user.getStringField("user");
- p = user.getStringField("pwd");
- massert( 10392 , "bad user object? [1]", !u.empty());
- massert( 10393 , "bad user object? [2]", !p.empty());
}
+ std::string u = user.getStringField("user");
+ std::string p = user.getStringField("pwd");
+ massert( 10392 , "bad user object? [1]", !u.empty());
+ massert( 10393 , "bad user object? [2]", !p.empty());
- string err;
+ std::string err;
if( !conn->auth("local", u.c_str(), p.c_str(), err, false) ) {
log() << "replauthenticate: can't authenticate to master server, user:" << u << endl;
return false;
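Review bot: The `local.system.users` fallback that remains after the new early return is duplicated nearly verbatim in sync_source_feedback.cpp (same query, same massert pattern, same log text), which is the kind of duplication this commit set out to remove; folding it into security_key.cpp next to `authenticateInternalUser` (for example a `authenticateReplUser(conn)` that tries the keyfile first and the stored user second) would leave one place deciding which credentials a replica sends. The `internalSecurity.pwd.length() > 0` test is likewise the caller's knowledge of how the helper is configured, and belongs behind a query on the helper's side. Dropping the `authorization_manager.h` include means any `AuthorizationManager::isAuthEnabled()` call earlier in this function (not visible here) now relies on a transitive include. The enclosing function starts above the hunk.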
diff --git a/src/mongo/db/repl/sync_source_feedback.cpp b/src/mongo/db/repl/sync_source_feedback.cpp
index 985f5a63c85..b26a7a644b9 100644
--- a/src/mongo/db/repl/sync_source_feedback.cpp
+++ b/src/mongo/db/repl/sync_source_feedback.cpp
@@ -18,8 +18,8 @@
#include "mongo/client/constants.h"
#include "mongo/client/dbclientcursor.h"
-#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/dbhelpers.h"
#include "mongo/db/repl/bgsync.h"
#include "mongo/db/repl/rs.h" // theReplSet
@@ -47,29 +47,24 @@ namespace mongo {
return false;
}
- string u;
- string p;
if (internalSecurity.pwd.length() > 0) {
- u = internalSecurity.user;
- p = internalSecurity.pwd;
+ return authenticateInternalUser(_connection.get());
}
- else {
- BSONObj user;
- {
- Client::ReadContext ctxt("local.");
- if(!Helpers::findOne("local.system.users", userReplQuery, user) ||
- // try the first user in local
- !Helpers::getSingleton("local.system.users", user)) {
- log() << "replauthenticate: no user in local.system.users to use"
- << "for authentication" << endl;
- return false;
- }
+ BSONObj user;
+ {
+ Client::ReadContext ctxt("local.");
+ if(!Helpers::findOne("local.system.users", userReplQuery, user) ||
+ // try the first user in local
+ !Helpers::getSingleton("local.system.users", user)) {
+ log() << "replauthenticate: no user in local.system.users to use"
+ << "for authentication" << endl;
+ return false;
}
- u = user.getStringField("user");
- p = user.getStringField("pwd");
- massert(16889, "bad user object? [1]", !u.empty());
- massert(16887, "bad user object? [2]", !p.empty());
}
+ std::string u = user.getStringField("user");
+ std::string p = user.getStringField("pwd");
+ massert(16889, "bad user object? [1]", !u.empty());
+ massert(16887, "bad user object? [2]", !p.empty());
string err;
if( !_connection->auth("local", u.c_str(), p.c_str(), err, false) ) {
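Review bot: The re-added log message on the new side still concatenates `"...to use"` and `"for authentication"` with no separator, so it prints `to usefor authentication`; change the first literal to `"replauthenticate: no user in local.system.users to use "`. This fallback is also a near-verbatim copy of the one in oplogreader.cpp and would be better shared through security_key.cpp alongside the new helper, so that both sync paths cannot drift in which credentials they send. The enclosing function starts before this hunk and the `auth()` call on the last line continues after it.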
diff --git a/src/mongo/s/shard.cpp b/src/mongo/s/shard.cpp
index c5516d6e6d2..b57bf714cae 100644
--- a/src/mongo/s/shard.cpp
+++ b/src/mongo/s/shard.cpp
@@ -28,6 +28,7 @@
#include "mongo/db/auth/action_type.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/privilege.h"
+#include "mongo/db/auth/security_key.h"
#include "mongo/db/commands.h"
#include "mongo/db/jsobj.h"
#include "mongo/s/client_info.h"
@@ -406,11 +407,7 @@ namespace mongo {
string err;
LOG(2) << "calling onCreate auth for " << conn->toString() << endl;
- bool result = conn->auth( "local",
- internalSecurity.user,
- internalSecurity.pwd,
- err,
- false );
+ bool result = authenticateInternalUser(conn);
uassert( 15847, str::stream() << "can't authenticate to server "
<< conn->getServerAddress() << causedBy( err ),