author | Andy Schwerin <schwerin@10gen.com> | 2012-12-21 15:55:14 -0500 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2012-12-21 16:55:58 -0500 |
commit | acd3c9d43be478b209f5e0b732e0f4d5ff72cea7 (patch) | |
tree | 42084f69667fa413c5d5d312aeeeb21fba602a9d /src/mongo/client | |
parent | 5f7f17708b5b2de1c6b6625376abb78a957e10c7 (diff) | |
download | mongo-acd3c9d43be478b209f5e0b732e0f4d5ff72cea7.tar.gz |
SERVER-8013 Update shell helper db.auth() to support SASL authentication.
Make the parameters to saslClientAuthenticate in the C++ driver use field names
consistent with the field names in system.users documents.
Remove an information leak on auth failure in which the non-existence of a user
was revealed.
Have saslClientAuthenticate take a clear password as input, like DBClientWithCommands::auth().
Diffstat (limited to 'src/mongo/client')
-rw-r--r-- | src/mongo/client/sasl_client_authenticate.cpp | 28 | ||||
-rw-r--r-- | src/mongo/client/sasl_client_authenticate.h | 6 |
2 files changed, 18 insertions, 16 deletions
diff --git a/src/mongo/client/sasl_client_authenticate.cpp b/src/mongo/client/sasl_client_authenticate.cpp
index a4bd08ca5c8..e7966c359d9 100644
--- a/src/mongo/client/sasl_client_authenticate.cpp
+++ b/src/mongo/client/sasl_client_authenticate.cpp
@@ -38,10 +38,10 @@ namespace mongo {
 const char* const saslCommandErrmsgFieldName = "errmsg";
 const char* const saslCommandMechanismFieldName = "mechanism";
 const char* const saslCommandMechanismListFieldName = "supportedMechanisms";
- const char* const saslCommandPasswordFieldName = "password";
+ const char* const saslCommandPasswordFieldName = "pwd";
 const char* const saslCommandPayloadFieldName = "payload";
- const char* const saslCommandPrincipalFieldName = "principal";
- const char* const saslCommandPrincipalSourceFieldName = "principalSource";
+ const char* const saslCommandPrincipalFieldName = "user";
+ const char* const saslCommandPrincipalSourceFieldName = "userSource";
 const char* const saslCommandServiceHostnameFieldName = "serviceHostname";
 const char* const saslCommandServiceNameFieldName = "serviceName";
 const char* const saslDefaultDBName = "$sasl";
@@ -127,22 +127,24 @@ namespace {
 return status;
 session->setProperty(GSASL_HOSTNAME, hostname);
- BSONElement element = saslParameters[saslCommandPrincipalFieldName];
- if (element.type() == String) {
- session->setProperty(GSASL_AUTHID, element.str());
+ BSONElement principalElement = saslParameters[saslCommandPrincipalFieldName];
+ if (principalElement.type() == String) {
+ session->setProperty(GSASL_AUTHID, principalElement.str());
 }
- else if (!element.eoo()) {
+ else if (!principalElement.eoo()) {
 return Status(ErrorCodes::TypeMismatch,
- str::stream() << "Expected string for " << element);
+ str::stream() << "Expected string for " << principalElement);
 }
- element = saslParameters[saslCommandPasswordFieldName];
- if (element.type() == String) {
- session->setProperty(GSASL_PASSWORD, element.str());
+ BSONElement passwordElement = saslParameters[saslCommandPasswordFieldName];
+ if (passwordElement.type() == String) {
+ std::string passwordHash = client->createPasswordDigest(principalElement.str(),
+ passwordElement.str());
+ session->setProperty(GSASL_PASSWORD, passwordHash);
 }
- else if (!element.eoo()) {
+ else if (!passwordElement.eoo()) {
 return Status(ErrorCodes::TypeMismatch,
- str::stream() << "Expected string for " << element);
+ str::stream() << "Expected string for " << passwordElement);
 }
 return Status::OK();
diff --git a/src/mongo/client/sasl_client_authenticate.h b/src/mongo/client/sasl_client_authenticate.h
index 11e7f446b34..62e6419e2d6 100644
--- a/src/mongo/client/sasl_client_authenticate.h
+++ b/src/mongo/client/sasl_client_authenticate.h
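Review bot: In the new password branch, `principalElement.str()` is handed to `client->createPasswordDigest` even when no user field was supplied at all — the first branch only rejects a present-but-non-string value, so `principalElement` can still be EOO here — and if `BSONElement::str()` yields an empty string for a missing element the digest is silently computed for an empty user name instead of failing. Making the dependency explicit keeps the failure visible: `if (principalElement.type() != String) return Status(ErrorCodes::BadValue, "password supplied without a user name");` ahead of the `createPasswordDigest` call. The `passwordHash` line also deserves a comment that what reaches GSASL_PASSWORD is the digest of user name and clear password, which is the credential the mechanism verifies and therefore needs the same handling care as the clear password itself. The enclosing function starts and ends outside the hunk.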
@@ -38,11 +38,11 @@ namespace mongo {
 * "autoAuthorize": Truthy values tell the server to automatically acquire privileges on
 * all resources after successful authentication, which is the default. Falsey values
 * instruct the server to await separate privilege-acquisition commands.
- * "principal": The string name of the principal to authenticate, GSASL_AUTHID.
- * "principalSource": The database target of the auth command, which identifies the location
+ * "user": The string name of the principal to authenticate, GSASL_AUTHID.
+ * "userSource": The database target of the auth command, which identifies the location
 * of the credential information for the principal. May be "$sasl" if credential
 * information is stored outside of the mongo cluster.
- * "password": The password data, GSASL_PASSWORD.
+ * "pwd": The password data, GSASL_PASSWORD.
 * "serviceName": The GSSAPI service name to use. Defaults to "mongodb".
 * "serviceHostname": The GSSAPI hostname to use. Defaults to the name of the remote host.
 *
|
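Review bot: The new `"pwd"` line under-describes the contract: the .cpp hunk in this commit now digests the value together with the user name via `createPasswordDigest` before setting GSASL_PASSWORD, so callers must pass the clear password and not a precomputed digest, which "The password data" does not convey. Suggest `* "pwd": The clear-text password; it is digested together with "user" before being supplied as GSASL_PASSWORD.` Since the digest is derived from both fields, the `"user"` line could likewise note that it is expected whenever `"pwd"` is present.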