diff options
author | Kristina <kristina@10gen.com> | 2011-06-22 13:21:02 -0400 |
---|---|---|
committer | Kristina <kristina@10gen.com> | 2011-06-22 14:20:53 -0400 |
commit | 67945f8b00d6e3cad4eaace5ee8f3cd9a6a71dde (patch) | |
tree | ba8e2ff7da1d3ae5a9162088a35dd8d6f51dd64b /db/security_common.cpp | |
parent | 5798ea831b53e4c303c57cb14e72406a789fc86a (diff) | |
download | mongo-67945f8b00d6e3cad4eaace5ee8f3cd9a6a71dde.tar.gz |
split security into s-only, d-only, and common SERVER-921
Diffstat (limited to 'db/security_common.cpp')
-rw-r--r-- | db/security_common.cpp | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/db/security_common.cpp b/db/security_common.cpp new file mode 100644 index 00000000000..04cea992b86 --- /dev/null +++ b/db/security_common.cpp @@ -0,0 +1,134 @@ +// security_common.cpp +/* + * Copyright (C) 2010 10gen Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +/** + * This file contains inter-mongo instance security helpers. Due to the + * requirement that it be possible to compile this into mongos and mongod, it + * should not depend on much external stuff. + */ + +#include "pch.h" +#include "security.h" +#include "security_common.h" +#include "../client/dbclient.h" +#include "commands.h" +#include "nonce.h" +#include "../util/md5.hpp" + +#include <sys/stat.h> + +namespace mongo { + + bool noauth = true; + AuthInfo internalSecurity; + + bool setUpSecurityKey(const string& filename) { + struct stat stats; + + // check obvious file errors + if (stat(filename.c_str(), &stats) == -1) { + log() << "error getting file " << filename << ": " << strerror(errno) << endl; + return false; + } + +#if !defined(_WIN32) + // check permissions: must be X00, where X is >= 4 + if ((stats.st_mode & (S_IRWXG|S_IRWXO)) != 0) { + log() << "permissions on " << filename << " are too open" << endl; + return false; + } +#endif + + const unsigned long long fileLength = stats.st_size; + if (fileLength < 6 || fileLength > 1024) { + log() << " key file " << filename << " has length " << stats.st_size + << ", must be between 6 and 1024 chars" << endl; + return false; + } + + FILE* file = fopen( filename.c_str(), "rb" ); + if (!file) { + log() << "error opening file: " << filename << ": " << strerror(errno) << endl; + return false; + } + + string str = ""; + + // strip key file + unsigned long long read = 0; + while (read < fileLength) { + char buf; + int readLength = fread(&buf, 1, 1, file); + if (readLength < 1) { + log() << "error reading file " << filename << endl; + return false; + } + read++; + + // check for whitespace + if ((buf >= '\x09' && buf <= '\x0D') || buf == ' ') { + continue; + } + + // check valid base64 + if ((buf < 'A' || buf > 'Z') && (buf < 'a' || buf > 'z') && (buf < '0' || buf > '9') && buf != '+' && buf != '/') { + log() << "invalid char in key file " << filename << ": " << buf << endl; + return false; + } + + str += buf; + } + + if (str.size() < 6) { + log() << "security key must be at least 6 characters" << endl; + return false; + } + + log(1) << "security key: " << str << endl; + + // createPWDigest should really not be a member func + DBClientConnection conn; + internalSecurity.pwd = conn.createPasswordDigest(internalSecurity.user, str); + + return true; + } + + bool AuthenticationInfo::_isAuthorized(const string& dbname, int level) const { + { + scoped_spinlock lk(_lock); + + if ( _isAuthorizedSingle_inlock( dbname , level ) ) + return true; + + if ( noauth ) + return true; + + if ( _isAuthorizedSingle_inlock( "admin" , level ) ) + return true; + + if ( _isAuthorizedSingle_inlock( "local" , level ) ) + return true; + } + return _isAuthorizedSpecialChecks( dbname ); + } + + bool AuthenticationInfo::_isAuthorizedSingle_inlock(const string& dbname, int level) const { + MA::const_iterator i = _dbs.find(dbname); + return i != _dbs.end() && i->second.level >= level; + } + +} // namespace mongo |