author | Andy Schwerin <schwerin@10gen.com> | 2012-12-12 15:30:09 -0500 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2012-12-14 13:57:11 -0500 |
commit | 079c9a78355677f170dc9da2cac05b6057881081 (patch) | |
tree | 01910b46b5a93644725da9484e01ceed6d596fc3 /src/mongo/db/auth | |
parent | 9da0609329171710ac085c66038c6399d4e4423b (diff) | |
download | mongo-079c9a78355677f170dc9da2cac05b6057881081.tar.gz |
SERVER-7934 Eliminate AcquiredPrivilege type.
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/acquired_privilege.h | 44 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_manager.cpp | 44 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_manager.h | 12 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_manager_test.cpp | 12 | ||||
-rw-r--r-- | src/mongo/db/auth/privilege_set.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/privilege_set.h | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/privilege_set_test.cpp | 3 |
7 files changed, 36 insertions, 81 deletions
diff --git a/src/mongo/db/auth/acquired_privilege.h b/src/mongo/db/auth/acquired_privilege.h
deleted file mode 100644
index 97d632a1fa5..00000000000
--- a/src/mongo/db/auth/acquired_privilege.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* Copyright 2012 10gen Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include "mongo/db/auth/principal.h"
-#include "mongo/db/auth/privilege.h"
-
-namespace mongo {
-
- /**
- * A representation that a given principal has the permission to perform a set of actions on a
- * specific resource.
- */
- class AcquiredPrivilege {
- public:
-
- AcquiredPrivilege(const Privilege& privilege, Principal* principal) :
- _privilege(privilege), _principal(principal) {}
- ~AcquiredPrivilege() {}
-
- const Principal* getPrincipal() const { return _principal; }
-
- const Privilege& getPrivilege() const { return _privilege; }
-
- private:
-
- Privilege _privilege;
- Principal* _principal;
- };
-
-} // namespace mongo
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
index ae25422644c..5a3976f8609 100644
--- a/src/mongo/db/auth/authorization_manager.cpp
+++ b/src/mongo/db/auth/authorization_manager.cpp
@@ -21,12 +21,12 @@ #include "mongo/base/init.h" #include "mongo/base/status.h" -#include "mongo/db/auth/acquired_privilege.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" #include "mongo/db/auth/auth_external_state.h" #include "mongo/db/auth/principal.h" #include "mongo/db/auth/principal_set.h" +#include "mongo/db/auth/privilege.h" #include "mongo/db/auth/privilege_set.h" #include "mongo/db/client.h" #include "mongo/db/namespacestring.h" @@ -202,19 +202,18 @@ namespace mongo { _authenticatedPrincipals.removeByDBName(dbname); } - Status AuthorizationManager::acquirePrivilege(const AcquiredPrivilege& privilege) { - const Principal* principal = privilege.getPrincipal(); - if (!_authenticatedPrincipals.lookup(principal->getName())) { + Status AuthorizationManager::acquirePrivilege(const Privilege& privilege, + const PrincipalName& authorizingPrincipal) { + if (!_authenticatedPrincipals.lookup(authorizingPrincipal)) { return Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "No authenticated principle found with name: " - << principal->getName().getUser() + << authorizingPrincipal.getUser() << " from database " - << principal->getName().getDB(), + << authorizingPrincipal.getDB(), 0); } - - _acquiredPrivileges.grantPrivilege(privilege.getPrivilege(), principal->getName()); + _acquiredPrivileges.grantPrivilege(privilege, authorizingPrincipal); return Status::OK(); } @@ -222,10 +221,10 @@ namespace mongo { Principal* principal = new Principal(PrincipalName(principalName, "local")); ActionSet actions; actions.addAllActions(); - AcquiredPrivilege privilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), principal); addAuthorizedPrincipal(principal); - fassert(0, acquirePrivilege(privilege).isOK()); + fassert(0, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), + principal->getName()).isOK()); } bool AuthorizationManager::hasInternalAuthorization() { 
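Review bot: The rewritten call in grantInternalAuthorization (hunk @@ -222) still carries `0` as the assertion id in `fassert(0, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), principal->getName()).isOK());`; if this codebase's convention of a unique numeric id per assertion applies, the touched line is the place to assign a real one so a failure here is attributable in logs. In hunk @@ -202 the new acquirePrivilege only verifies that `authorizingPrincipal` is present in `_authenticatedPrincipals` before calling `_acquiredPrivileges.grantPrivilege(privilege, authorizingPrincipal)`, so nothing in this function checks that the principal is entitled to `privilege`; a one-line comment such as `// Caller is responsible for having validated that authorizingPrincipal may hold this privilege.` would make that contract explicit. The unchanged context lines still spell the error text `No authenticated principle found with name: `, where `principal` is meant; worth fixing in a follow-up since both hunks touch that message.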
@@ -262,29 +261,28 @@ namespace mongo { } Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument( - const std::string& dbname, Principal* principal, const BSONObj& privilegeDocument) { - if (!_authenticatedPrincipals.lookup(principal->getName())) { + const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) { + if (!_authenticatedPrincipals.lookup(principal)) { return Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "No authenticated principle found with name: " - << principal->getName().getUser() + << principal.getUser() << " from database " - << principal->getName().getDB(), + << principal.getDB(), 0); } - if (principal->getName().getUser() == internalSecurity.user) { + if (principal.getUser() == internalSecurity.user) { // Grant full access to internal user ActionSet allActions; allActions.addAllActions(); - AcquiredPrivilege privilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions), - principal); - return acquirePrivilege(privilege); + return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions), + principal); } return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges); } Status AuthorizationManager::buildPrivilegeSet(const std::string& dbname, - Principal* principal, + const PrincipalName& principal, const BSONObj& privilegeDocument, PrivilegeSet* result) { if (!privilegeDocument.hasField("privileges")) { @@ -304,7 +302,7 @@ namespace mongo { Status AuthorizationManager::_buildPrivilegeSetFromOldStylePrivilegeDocument( const std::string& dbname, - Principal* principal, + const PrincipalName& principal, const BSONObj& privilegeDocument, PrivilegeSet* result) { if (!(privilegeDocument.hasField("user") && privilegeDocument.hasField("pwd"))) { 
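Review bot: The internal-user branch `if (principal.getUser() == internalSecurity.user)` compares only the user component of the PrincipalName, while grantInternalAuthorization in the preceding hunk builds that principal as `PrincipalName(principalName, "local")`; now that the database travels with the name, consider also requiring `principal.getDB()` to match the internal principal's database before granting `WILDCARD_RESOURCE` with all actions, unless the authentication path already rules out a same-named user in another database — that guarantee is not visible in this diff. Either way, a short comment on the branch stating why the database component is or is not significant would help the next reader. buildPrivilegeSet's body continues past the end of the hunk.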
@@ -314,12 +312,12 @@ namespace mongo { << privilegeDocument, 0); } - if (privilegeDocument["user"].str() != principal->getName().getUser()) { + if (privilegeDocument["user"].str() != principal.getUser()) { return Status(ErrorCodes::BadValue, mongoutils::str::stream() << "Principal name from privilege document \"" << privilegeDocument["user"].str() << "\" doesn't match name of provided Principal \"" - << principal->getName().getUser() + << principal.getUser() << "\"", 0); } @@ -329,7 +327,7 @@ namespace mongo { ActionSet actions = getActionsForOldStyleUser(dbname, readOnly); std::string resourceName = (dbname == ADMIN_DBNAME || dbname == LOCAL_DBNAME) ? PrivilegeSet::WILDCARD_RESOURCE : dbname; - result->grantPrivilege(Privilege(resourceName, actions), principal->getName()); + result->grantPrivilege(Privilege(resourceName, actions), principal); return Status::OK(); } diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h index 9320ef9fb56..234b2bae272 100644 --- a/src/mongo/db/auth/authorization_manager.h +++ b/src/mongo/db/auth/authorization_manager.h @@ -21,12 +21,13 @@ #include "mongo/base/disallow_copying.h" #include "mongo/base/status.h" -#include "mongo/db/auth/acquired_privilege.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" #include "mongo/db/auth/auth_external_state.h" #include "mongo/db/auth/principal.h" +#include "mongo/db/auth/principal_name.h" #include "mongo/db/auth/principal_set.h" +#include "mongo/db/auth/privilege.h" #include "mongo/db/auth/privilege_set.h" namespace mongo { 
@@ -72,7 +73,8 @@ namespace mongo { void logoutDatabase(const std::string& dbname); // Grant this connection the given privilege. - Status acquirePrivilege(const AcquiredPrivilege& privilege); + Status acquirePrivilege(const Privilege& privilege, + const PrincipalName& authorizingPrincipal); // Adds a new principal with the given principal name and authorizes it with full access. // Used to grant internal threads full access. @@ -93,7 +95,7 @@ namespace mongo { // Parses the privilege documents and acquires all privileges that the privilege document // grants Status acquirePrivilegesFromPrivilegeDocument(const std::string& dbname, - Principal* principal, + const PrincipalName& principal, const BSONObj& privilegeDocument); // Returns the privilege document with the given user name in the given database. Currently @@ -134,7 +136,7 @@ namespace mongo { // Parses the privilege document and returns a PrivilegeSet of all the Privileges that // the privilege document grants. static Status buildPrivilegeSet(const std::string& dbname, - Principal* principal, + const PrincipalName& principal, const BSONObj& privilegeDocument, PrivilegeSet* result); @@ -144,7 +146,7 @@ namespace mongo { // Privileges that the privilege document grants. static Status _buildPrivilegeSetFromOldStylePrivilegeDocument( const std::string& dbname, - Principal* principal, + const PrincipalName& principal, const BSONObj& privilegeDocument, PrivilegeSet* result); diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp index 88b8c63e934..0efa8b9c125 100644 --- a/src/mongo/db/auth/authorization_manager_test.cpp +++ b/src/mongo/db/auth/authorization_manager_test.cpp 
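Review bot: The comment above the new declaration still reads `// Grant this connection the given privilege.` and says nothing about the added `authorizingPrincipal` parameter or the failure mode the .cpp gives it. I would expand it to: `// Grant this connection the given privilege, passing authorizingPrincipal through to PrivilegeSet::grantPrivilege. Returns UserNotFound if authorizingPrincipal is not currently authenticated on this connection; no other validation of the privilege is done here.` The declaration of acquirePrivilegesFromPrivilegeDocument in the next hunk of this file would benefit from the same note that `principal` must already be authenticated, since the .cpp returns UserNotFound there as well.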
@@ -34,8 +34,8 @@ namespace { Principal* principal = new Principal(PrincipalName("Spencer", "test")); ActionSet actions; actions.addAction(ActionType::insert); - AcquiredPrivilege writePrivilege(Privilege("test", actions), principal); - AcquiredPrivilege allDBsWritePrivilege(Privilege("*", actions), principal); + Privilege writePrivilege("test", actions); + Privilege allDBsWritePrivilege("*", actions); AuthExternalStateMock* externalState = new AuthExternalStateMock(); AuthorizationManager authManager(externalState); @@ -46,13 +46,13 @@ namespace { ASSERT_FALSE(authManager.checkAuthorization("test", ActionType::insert)); ASSERT_EQUALS(ErrorCodes::UserNotFound, - authManager.acquirePrivilege(writePrivilege).code()); + authManager.acquirePrivilege(writePrivilege, principal->getName())); authManager.addAuthorizedPrincipal(principal); - ASSERT_OK(authManager.acquirePrivilege(writePrivilege)); + ASSERT_OK(authManager.acquirePrivilege(writePrivilege, principal->getName())); ASSERT_TRUE(authManager.checkAuthorization("test", ActionType::insert)); ASSERT_FALSE(authManager.checkAuthorization("otherDb", ActionType::insert)); - ASSERT_OK(authManager.acquirePrivilege(allDBsWritePrivilege)); + ASSERT_OK(authManager.acquirePrivilege(allDBsWritePrivilege, principal->getName())); ASSERT_TRUE(authManager.checkAuthorization("otherDb", ActionType::insert)); // Auth checks on a collection should be applied to the database name. ASSERT_TRUE(authManager.checkAuthorization("otherDb.collectionName", ActionType::insert)); @@ -62,7 +62,7 @@ namespace { } TEST(AuthorizationManagerTest, GetPrivilegesFromPrivilegeDocument) { - Principal* principal = new Principal(PrincipalName("Spencer", "test")); + PrincipalName principal("Spencer", "test"); BSONObj invalid; BSONObj readWrite = BSON("user" << "Spencer" << "pwd" << "passwordHash"); BSONObj readOnly = BSON("user" << "Spencer" << "pwd" << "passwordHash" << 
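Review bot: The updated assertions exercise acquirePrivilege only with `principal->getName()`, so the fact that the lookup in `_authenticatedPrincipals` is now keyed on a full PrincipalName (presumably user and database) is not pinned down by the test; a case such as `ASSERT_EQUALS(ErrorCodes::UserNotFound, authManager.acquirePrivilege(writePrivilege, PrincipalName("Spencer", "otherDb")));` placed after `addAuthorizedPrincipal(principal)` would catch a regression that matches on user name alone. The first changed assertion also drops `.code()` and compares an `ErrorCodes::Error` with a `Status` directly, which presumably relies on an equality overload between those two types; it is fine if that overload exists, but the remaining asserts in this file should then follow the same form.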
diff --git a/src/mongo/db/auth/privilege_set.cpp b/src/mongo/db/auth/privilege_set.cpp index d572bf3b4c1..26189be05a8 100644 --- a/src/mongo/db/auth/privilege_set.cpp +++ b/src/mongo/db/auth/privilege_set.cpp @@ -20,7 +20,6 @@ #include <map> #include <string> -#include "mongo/db/auth/acquired_privilege.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" #include "mongo/db/auth/principal.h" diff --git a/src/mongo/db/auth/privilege_set.h b/src/mongo/db/auth/privilege_set.h index 1c110f13681..b73fe52c739 100644 --- a/src/mongo/db/auth/privilege_set.h +++ b/src/mongo/db/auth/privilege_set.h @@ -18,7 +18,6 @@ #include <string> #include "mongo/base/disallow_copying.h" -#include "mongo/db/auth/acquired_privilege.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" #include "mongo/db/auth/privilege.h" diff --git a/src/mongo/db/auth/privilege_set_test.cpp b/src/mongo/db/auth/privilege_set_test.cpp index 2d01f2b3617..36af7b82205 100644 --- a/src/mongo/db/auth/privilege_set_test.cpp +++ b/src/mongo/db/auth/privilege_set_test.cpp @@ -17,7 +17,8 @@ * Unit tests of the PrivilegeSet type. */ -#include "mongo/db/auth/acquired_privilege.h" +#include <iostream> + #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/privilege_set.h" #include "mongo/unittest/unittest.h" |