authorSara Golemon <sara.golemon@mongodb.com>2019-01-11 21:57:08 +0000
committerSara Golemon <sara.golemon@mongodb.com>2019-01-15 20:08:11 +0000
commit861f1f607c03ca78939ecc82afa91f9ec21b2bf4 (patch)
tree875a34cca6548a6f52a05f46c90982046f629566
parent27cbd015c82dbd4e961382aee2499ec449db081f (diff)
SERVER-38963 Convert tlsX509ClusterAuthDNOverride to IDL
-rw-r--r--src/mongo/util/net/ssl_manager.cpp107
-rw-r--r--src/mongo/util/net/ssl_parameters.idl6
2 files changed, 50 insertions, 63 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 7035053b51f..0d7ef15046e 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -50,6 +50,8 @@
#include "mongo/util/log.h"
#include "mongo/util/mongoutils/str.h"
#include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/synchronized_value.h"
#include "mongo/util/text.h"
namespace mongo {
@@ -327,79 +329,58 @@ std::vector<SSLX509Name::Entry> canonicalizeClusterDN(
return ret;
}
-class ClusterMemberDNOverride : public ServerParameter {
-public:
- ClusterMemberDNOverride()
- : ServerParameter(
- ServerParameterSet::getGlobal(), "tlsX509ClusterAuthDNOverride", true, true) {}
-
- void append(OperationContext* opCtx, BSONObjBuilder& b, const std::string& name) override {
- stdx::lock_guard<stdx::mutex> lk(_mutex);
- if (!_value) {
- return;
- }
+struct DNValue {
+ explicit DNValue(SSLX509Name dn)
+ : fullDN(std::move(dn)), canonicalized(canonicalizeClusterDN(fullDN.entries())) {}
- b.append(name, _value->fullDN.toString());
+ SSLX509Name fullDN;
+ std::vector<SSLX509Name::Entry> canonicalized;
+};
+synchronized_value<boost::optional<DNValue>> clusterMemberOverride;
+boost::optional<std::vector<SSLX509Name::Entry>> getClusterMemberDNOverrideParameter() {
+ auto guarded_value = clusterMemberOverride.synchronize();
+ auto& value = *guarded_value;
+ if (!value) {
+ return boost::none;
}
+ return value->canonicalized;
+}
+} // namespace
- Status set(const BSONElement& newValueElement) override {
- if (newValueElement.type() != String) {
- return {ErrorCodes::BadValue, "DN must be a string"};
- }
- return setFromString(newValueElement.String());
+void ClusterMemberDNOverride::append(OperationContext* opCtx,
+ BSONObjBuilder& b,
+ const std::string& name) {
+ auto value = clusterMemberOverride.get();
+ if (value) {
+ b.append(name, value->fullDN.toString());
}
+}
- Status setFromString(const std::string& str) override {
- if (str.empty()) {
- stdx::lock_guard<stdx::mutex> lk(_mutex);
- _value = boost::none;
- return Status::OK();
- }
-
- auto swDN = parseDN(str);
- if (!swDN.isOK()) {
- return swDN.getStatus();
- }
- auto dn = std::move(swDN.getValue());
- auto status = dn.normalizeStrings();
- if (!status.isOK()) {
- return status;
- }
-
- DNValue val(std::move(dn));
- if (val.canonicalized.empty()) {
- return {ErrorCodes::BadValue,
- "Cluster member DN's must contain at least one O, OU, or DC component"};
- }
-
- stdx::lock_guard<stdx::mutex> lk(_mutex);
- _value = {std::move(val)};
-
+Status ClusterMemberDNOverride::setFromString(const std::string& str) {
+ if (str.empty()) {
+ *clusterMemberOverride = boost::none;
return Status::OK();
}
- boost::optional<std::vector<SSLX509Name::Entry>> getCanonical() {
- stdx::lock_guard<stdx::mutex> lk(_mutex);
- if (!_value) {
- return boost::none;
- }
- return _value->canonicalized;
+ auto swDN = parseDN(str);
+ if (!swDN.isOK()) {
+ return swDN.getStatus();
+ }
+ auto dn = std::move(swDN.getValue());
+ auto status = dn.normalizeStrings();
+ if (!status.isOK()) {
+ return status;
}
-private:
- struct DNValue {
- explicit DNValue(SSLX509Name dn)
- : fullDN(std::move(dn)), canonicalized(canonicalizeClusterDN(fullDN.entries())) {}
-
- SSLX509Name fullDN;
- std::vector<SSLX509Name::Entry> canonicalized;
- };
-
- stdx::mutex _mutex;
- boost::optional<DNValue> _value;
-} clusterMemberDNOverrideParameter;
+ DNValue val(std::move(dn));
+ if (val.canonicalized.empty()) {
+ return {ErrorCodes::BadValue,
+ "Cluster member DN's must contain at least one O, OU, or DC component"};
+ }
-} // namespace
+ *clusterMemberOverride = {std::move(val)};
+ return Status::OK();
+}
StatusWith<SSLX509Name> parseDN(StringData sd) try {
uassert(ErrorCodes::BadValue, "DN strings must be valid UTF-8 strings", isValidUTF8(sd));
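Review bot: The removed ServerParameter subclass overrode set() to reject non-string BSON values with the `DN must be a string` error, but the new ClusterMemberDNOverride definitions in this hunk provide only append() and setFromString(), so that type check now exists only if the IDL-generated class in ssl_parameters_gen.h (not visible here) performs it before delegating to setFromString(). If the generated class does not, a setParameter carrying a non-string value loses the clear BadValue rejection, and the override should be restored: `Status ClusterMemberDNOverride::set(const BSONElement& e) { if (e.type() != String) return {ErrorCodes::BadValue, "DN must be a string"}; return setFromString(e.String()); }`. The new free function getClusterMemberDNOverrideParameter() would also benefit from a one-line comment stating that it returns a copy of the canonicalized override taken while holding the synchronized_value lock, since the previous getCanonical() sat next to the mutex it used and the locking is now less visible at the call site in isClusterMember().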
@@ -683,7 +664,7 @@ bool SSLConfiguration::isClusterMember(SSLX509Name subject) const {
return true;
}
- auto altClusterDN = clusterMemberDNOverrideParameter.getCanonical();
+ auto altClusterDN = getClusterMemberDNOverrideParameter();
return (altClusterDN && (client == *altClusterDN));
}
diff --git a/src/mongo/util/net/ssl_parameters.idl b/src/mongo/util/net/ssl_parameters.idl
index 3f1ea51c49d..88970003750 100644
--- a/src/mongo/util/net/ssl_parameters.idl
+++ b/src/mongo/util/net/ssl_parameters.idl
@@ -77,3 +77,9 @@ server_parameters:
description: "Transition from sendKeyFile to sendX509, or sendX509 to x509 clusterAuthModes"
set_at: runtime
cpp_class: ClusterAuthModeServerParameter
+
+ tlsX509ClusterAuthDNOverride:
+ description: "Distinguished name to use for cluster membership"
+ set_at: [startup, runtime]
+ cpp_class: ClusterMemberDNOverride
+
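Review bot: The description for tlsX509ClusterAuthDNOverride does not say that setting the parameter to an empty string clears the override, which is what ClusterMemberDNOverride::setFromString in ssl_manager.cpp does on the empty-string path. Since this parameter decides which peer certificate subjects are treated as cluster members at runtime, the reset semantics belong in the operator-facing description; suggest `description: "Distinguished name to use for cluster membership; an empty string clears the override"`.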