author | Sara Golemon <sara.golemon@mongodb.com> | 2019-01-11 21:57:08 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2019-01-15 20:08:11 +0000 |
commit | 861f1f607c03ca78939ecc82afa91f9ec21b2bf4 (patch) | |
tree | 875a34cca6548a6f52a05f46c90982046f629566 | |
parent | 27cbd015c82dbd4e961382aee2499ec449db081f (diff) | |
download | mongo-861f1f607c03ca78939ecc82afa91f9ec21b2bf4.tar.gz |
SERVER-38963 Convert tlsX509ClusterAuthDNOverride to IDL
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 107 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_parameters.idl | 6 |
2 files changed, 50 insertions, 63 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 7035053b51f..0d7ef15046e 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -50,6 +50,8 @@
 #include "mongo/util/log.h"
 #include "mongo/util/mongoutils/str.h"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/synchronized_value.h"
 #include "mongo/util/text.h"
 
 namespace mongo {
@@ -327,79 +329,58 @@ std::vector<SSLX509Name::Entry> canonicalizeClusterDN(
     return ret;
 }
 
-class ClusterMemberDNOverride : public ServerParameter {
-public:
-    ClusterMemberDNOverride()
-        : ServerParameter(
-              ServerParameterSet::getGlobal(), "tlsX509ClusterAuthDNOverride", true, true) {}
-
-    void append(OperationContext* opCtx, BSONObjBuilder& b, const std::string& name) override {
-        stdx::lock_guard<stdx::mutex> lk(_mutex);
-        if (!_value) {
-            return;
-        }
+struct DNValue {
+    explicit DNValue(SSLX509Name dn)
+        : fullDN(std::move(dn)), canonicalized(canonicalizeClusterDN(fullDN.entries())) {}
 
-        b.append(name, _value->fullDN.toString());
+    SSLX509Name fullDN;
+    std::vector<SSLX509Name::Entry> canonicalized;
+};
+synchronized_value<boost::optional<DNValue>> clusterMemberOverride;
+boost::optional<std::vector<SSLX509Name::Entry>> getClusterMemberDNOverrideParameter() {
+    auto guarded_value = clusterMemberOverride.synchronize();
+    auto& value = *guarded_value;
+    if (!value) {
+        return boost::none;
     }
+    return value->canonicalized;
+}
+}  // namespace
 
-    Status set(const BSONElement& newValueElement) override {
-        if (newValueElement.type() != String) {
-            return {ErrorCodes::BadValue, "DN must be a string"};
-        }
-        return setFromString(newValueElement.String());
+void ClusterMemberDNOverride::append(OperationContext* opCtx,
+                                     BSONObjBuilder& b,
+                                     const std::string& name) {
+    auto value = clusterMemberOverride.get();
+    if (value) {
+        b.append(name, value->fullDN.toString());
     }
+}
 
-    Status setFromString(const std::string& str) override {
-        if (str.empty()) {
-            stdx::lock_guard<stdx::mutex> lk(_mutex);
-            _value = boost::none;
-            return Status::OK();
-        }
-
-        auto swDN = parseDN(str);
-        if (!swDN.isOK()) {
-            return swDN.getStatus();
-        }
-        auto dn = std::move(swDN.getValue());
-        auto status = dn.normalizeStrings();
-        if (!status.isOK()) {
-            return status;
-        }
-
-        DNValue val(std::move(dn));
-        if (val.canonicalized.empty()) {
-            return {ErrorCodes::BadValue,
-                    "Cluster member DN's must contain at least one O, OU, or DC component"};
-        }
-
-        stdx::lock_guard<stdx::mutex> lk(_mutex);
-        _value = {std::move(val)};
-
+Status ClusterMemberDNOverride::setFromString(const std::string& str) {
+    if (str.empty()) {
+        *clusterMemberOverride = boost::none;
         return Status::OK();
     }
 
-    boost::optional<std::vector<SSLX509Name::Entry>> getCanonical() {
-        stdx::lock_guard<stdx::mutex> lk(_mutex);
-        if (!_value) {
-            return boost::none;
-        }
-        return _value->canonicalized;
+    auto swDN = parseDN(str);
+    if (!swDN.isOK()) {
+        return swDN.getStatus();
+    }
+    auto dn = std::move(swDN.getValue());
+    auto status = dn.normalizeStrings();
+    if (!status.isOK()) {
+        return status;
     }
 
-private:
-    struct DNValue {
-        explicit DNValue(SSLX509Name dn)
-            : fullDN(std::move(dn)), canonicalized(canonicalizeClusterDN(fullDN.entries())) {}
-
-        SSLX509Name fullDN;
-        std::vector<SSLX509Name::Entry> canonicalized;
-    };
-
-    stdx::mutex _mutex;
-    boost::optional<DNValue> _value;
-} clusterMemberDNOverrideParameter;
+    DNValue val(std::move(dn));
+    if (val.canonicalized.empty()) {
+        return {ErrorCodes::BadValue,
+                "Cluster member DN's must contain at least one O, OU, or DC component"};
+    }
 
-}  // namespace
+    *clusterMemberOverride = {std::move(val)};
+    return Status::OK();
+}
 
 StatusWith<SSLX509Name> parseDN(StringData sd) try {
     uassert(ErrorCodes::BadValue, "DN strings must be valid UTF-8 strings", isValidUTF8(sd));
@@ -683,7 +664,7 @@ bool SSLConfiguration::isClusterMember(SSLX509Name subject) const {
         return true;
     }
 
-    auto altClusterDN = clusterMemberDNOverrideParameter.getCanonical();
+    auto altClusterDN = getClusterMemberDNOverrideParameter();
 
     return (altClusterDN && (client == *altClusterDN));
 }
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 3f1ea51c49d..88970003750 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
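Review bot: The removed `set(const BSONElement&)` override rejected non-string values with `DN must be a string`, but the new `ClusterMemberDNOverride` defines only `append` and `setFromString`; unless the IDL-generated base in `ssl_parameters_gen.h` (not visible here) performs that BSON type check before delegating to `setFromString`, a `setParameter` call with a non-string value no longer gets that explicit error, so this is worth confirming against the generated class. `append` copies the whole `DNValue` (full DN plus the canonicalized vector) out of `clusterMemberOverride.get()` only to emit one string; reading it under `synchronize()` the way `getClusterMemberDNOverrideParameter` does would avoid the copy. Because this global is what `isClusterMember` compares the peer's canonicalized subject against (second hunk), a comment on it would help the next reader: `// Optional runtime override of the cluster-membership DN; isClusterMember() compares the peer's canonicalized subject against `canonicalized`.`. Finally, `guarded_value` departs from the camelCase locals around it (`swDN`, `altClusterDN`) and should be `guardedValue`.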
@@ -77,3 +77,9 @@ server_parameters:
         description: "Transition from sendKeyFile to sendX509, or sendX509 to x509 clusterAuthModes"
         set_at: runtime
         cpp_class: ClusterAuthModeServerParameter
+
+    tlsX509ClusterAuthDNOverride:
+        description: "Distinguished name to use for cluster membership"
+        set_at: [startup, runtime]
+        cpp_class: ClusterMemberDNOverride
+
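Review bot: The description `Distinguished name to use for cluster membership` omits the two behaviours `ClusterMemberDNOverride::setFromString` enforces in ssl_manager.cpp: an empty string clears the override, and a DN without at least one O, OU or DC component is rejected with `BadValue`. Since this description is what operators see for the parameter, suggest `description: "Distinguished name to use for cluster membership; an empty string clears the override, and the DN must contain at least one O, OU, or DC component"`.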