diff options
author | Ruoxin Xu <ruoxin.xu@mongodb.com> | 2020-10-29 12:14:01 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-01-07 11:20:50 +0000 |
commit | 90c89d33c400d2f1eb8972170b7a17e3315c4198 (patch) | |
tree | 2aaee3468e4350950b546b2b24783d9ddc2d8e2e /src/mongo/db/auth | |
parent | 66cdb6d0fccf3b65c61a1bea5d6171591d21c9da (diff) | |
download | mongo-90c89d33c400d2f1eb8972170b7a17e3315c4198.tar.gz |
SERVER-51649 Convert aggregate command input to IDL
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/authorization_session.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session.h | 4 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_impl.cpp | 14 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_impl.h | 4 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_test.cpp | 172 |
5 files changed, 112 insertions, 83 deletions
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp index caed33df1b9..fc5810e7a18 100644 --- a/src/mongo/db/auth/authorization_session.cpp +++ b/src/mongo/db/auth/authorization_session.cpp @@ -48,7 +48,6 @@ #include "mongo/db/client.h" #include "mongo/db/jsobj.h" #include "mongo/db/namespace_string.h" -#include "mongo/db/pipeline/aggregation_request.h" #include "mongo/db/pipeline/lite_parsed_pipeline.h" #include "mongo/util/assert_util.h" #include "mongo/util/str.h" diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h index b18d8409099..98360a2b66d 100644 --- a/src/mongo/db/auth/authorization_session.h +++ b/src/mongo/db/auth/authorization_session.h @@ -44,7 +44,7 @@ #include "mongo/db/namespace_string.h" #include "mongo/db/operation_context.h" #include "mongo/db/ops/write_ops_parsers.h" -#include "mongo/db/pipeline/aggregation_request.h" +#include "mongo/db/pipeline/aggregate_command_gen.h" namespace mongo { @@ -217,7 +217,7 @@ public: // Attempts to get the privileges necessary to run the aggregation pipeline specified in // 'request' on the namespace 'ns' either directly on mongoD or via mongoS. virtual StatusWith<PrivilegeVector> getPrivilegesForAggregate(const NamespaceString& ns, - const AggregationRequest& request, + const AggregateCommand& request, bool isMongos) = 0; // Checks if this connection has the privileges necessary to create 'ns' with the options diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp index 0684c536269..8b16d95ae72 100644 --- a/src/mongo/db/auth/authorization_session_impl.cpp +++ b/src/mongo/db/auth/authorization_session_impl.cpp @@ -52,7 +52,7 @@ #include "mongo/db/jsobj.h" #include "mongo/db/namespace_string.h" #include "mongo/db/operation_context.h" -#include "mongo/db/pipeline/aggregation_request.h" +#include "mongo/db/pipeline/aggregation_request_helper.h" #include "mongo/db/pipeline/lite_parsed_pipeline.h" #include "mongo/logv2/log.h" #include "mongo/util/assert_util.h" @@ -90,10 +90,10 @@ Status checkAuthForCreateOrModifyView(AuthorizationSession* authzSession, return Status::OK(); } - auto status = AggregationRequest::parseFromBSON(viewNs, - BSON("aggregate" << viewOnNs.coll() - << "pipeline" << viewPipeline - << "cursor" << BSONObj())); + auto status = aggregation_request_helper::parseFromBSON( + viewNs, + BSON("aggregate" << viewOnNs.coll() << "pipeline" << viewPipeline << "cursor" << BSONObj() + << "$db" << viewOnNs.db())); if (!status.isOK()) return status.getStatus(); @@ -269,7 +269,7 @@ PrivilegeVector AuthorizationSessionImpl::getDefaultPrivileges() { } StatusWith<PrivilegeVector> AuthorizationSessionImpl::getPrivilegesForAggregate( - const NamespaceString& nss, const AggregationRequest& request, bool isMongos) { + const NamespaceString& nss, const AggregateCommand& request, bool isMongos) { if (!nss.isValid()) { return Status(ErrorCodes::InvalidNamespace, str::stream() << "Invalid input namespace, " << nss.ns()); @@ -306,7 +306,7 @@ StatusWith<PrivilegeVector> AuthorizationSessionImpl::getPrivilegesForAggregate( for (auto&& pipelineStage : pipeline) { liteParsedDocSource = LiteParsedDocumentSource::parse(nss, pipelineStage); PrivilegeVector currentPrivs = liteParsedDocSource->requiredPrivileges( - isMongos, request.shouldBypassDocumentValidation()); + isMongos, request.getBypassDocumentValidation().value_or(false)); Privilege::addPrivilegesToPrivilegeVector(&privileges, currentPrivs); } return privileges; diff --git a/src/mongo/db/auth/authorization_session_impl.h b/src/mongo/db/auth/authorization_session_impl.h index b7896daf518..f7f4b0aa596 100644 --- a/src/mongo/db/auth/authorization_session_impl.h +++ b/src/mongo/db/auth/authorization_session_impl.h @@ -42,7 +42,7 @@ #include "mongo/db/auth/user_name.h" #include "mongo/db/auth/user_set.h" #include "mongo/db/namespace_string.h" -#include "mongo/db/pipeline/aggregation_request.h" +#include "mongo/db/pipeline/aggregate_command_gen.h" namespace mongo { @@ -118,7 +118,7 @@ public: UserNameIterator cursorOwner) override; StatusWith<PrivilegeVector> getPrivilegesForAggregate(const NamespaceString& ns, - const AggregationRequest& request, + const AggregateCommand& request, bool isMongos) override; Status checkAuthForCreate(const NamespaceString& ns, diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp index 81dff04b7f3..318a7cd509e 100644 --- a/src/mongo/db/auth/authorization_session_test.cpp +++ b/src/mongo/db/auth/authorization_session_test.cpp @@ -47,7 +47,7 @@ #include "mongo/db/json.h" #include "mongo/db/namespace_string.h" #include "mongo/db/operation_context.h" -#include "mongo/db/pipeline/aggregation_request.h" +#include "mongo/db/pipeline/aggregation_request_helper.h" #include "mongo/db/service_context_test_fixture.h" #include "mongo/transport/session.h" #include "mongo/transport/transport_layer_mock.h" @@ -595,10 +595,10 @@ TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRes } TEST_F(AuthorizationSessionTest, CannotAggregateEmptyPipelineWithoutFindAction) { - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONArray() << "cursor" - << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONArray() << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -607,10 +607,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateEmptyPipelineWithoutFindAction) TEST_F(AuthorizationSessionTest, CanAggregateEmptyPipelineWithFindAction) { authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONArray() << "cursor" - << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONArray() << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -623,9 +623,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateWithoutFindActionIfFirstStageNot BSONArray pipeline = BSON_ARRAY(BSON("$limit" << 1) << BSON("$collStats" << BSONObj()) << BSON("$indexStats" << BSONObj())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -636,9 +637,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateWithFindActionIfPipelineContains BSONArray pipeline = BSON_ARRAY(BSON("$limit" << 1) << BSON("$collStats" << BSONObj()) << BSON("$indexStats" << BSONObj())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -648,9 +650,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateCollStatsWithoutCollStatsAction) authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$collStats" << BSONObj())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -660,9 +663,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateCollStatsWithCollStatsAction) { authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::collStats})); BSONArray pipeline = BSON_ARRAY(BSON("$collStats" << BSONObj())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -672,9 +676,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateIndexStatsWithoutIndexStatsActio authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$indexStats" << BSONObj())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -684,9 +689,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateIndexStatsWithIndexStatsAction) { authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::indexStats})); BSONArray pipeline = BSON_ARRAY(BSON("$indexStats" << BSONObj())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -696,9 +702,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersFalseWithoutInprog authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -708,9 +715,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseWithoutInp authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -718,17 +726,19 @@ TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseWithoutInp TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseIfNotAuthenticatedOnMongoD) { BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); ASSERT_FALSE(authzSession->isAuthenticated()); } TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseIfNotAuthenticatedOnMongoS) { BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); @@ -739,9 +749,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersTrueWithoutInpr authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -751,9 +762,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersTrueWithoutInpr authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -764,9 +776,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersTrueWithInprogActi Privilege(ResourcePattern::forClusterResource(), {ActionType::inprog})); BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -777,9 +790,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersTrueWithInprogActi Privilege(ResourcePattern::forClusterResource(), {ActionType::inprog})); BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -790,9 +804,10 @@ TEST_F(AuthorizationSessionTest, CannotSpoofAllUsersTrueWithoutInprogActionOnMon BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false << "allUsers" << true))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -803,9 +818,10 @@ TEST_F(AuthorizationSessionTest, CannotSpoofAllUsersTrueWithoutInprogActionOnMon BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false << "allUsers" << true))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -816,9 +832,10 @@ TEST_F(AuthorizationSessionTest, AddPrivilegesForStageFailsIfOutNamespaceIsNotVa BSONArray pipeline = BSON_ARRAY(BSON("$out" << "")); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); ASSERT_THROWS_CODE(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false), AssertionException, ErrorCodes::InvalidNamespace); @@ -829,9 +846,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateOutWithoutInsertAndRemoveOnTarge authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -853,17 +871,20 @@ TEST_F(AuthorizationSessionTest, CanAggregateOutWithInsertAndRemoveOnTargetNames Privilege(testBarCollResource, {ActionType::insert, ActionType::remove})}); BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); - auto aggNoBypassDocumentValidationReq = uassertStatusOK(AggregationRequest::parseFromBSON( - testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline - << "bypassDocumentValidation" << false << "cursor" << BSONObj()))); + auto aggNoBypassDocumentValidationReq = + uassertStatusOK(aggregation_request_helper::parseFromBSON( + testFooNss, + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline + << "bypassDocumentValidation" << false << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate( testFooNss, aggNoBypassDocumentValidationReq, false)); @@ -877,10 +898,10 @@ TEST_F(AuthorizationSessionTest, Privilege(testBarCollResource, {ActionType::insert, ActionType::remove})}); BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() - << "bypassDocumentValidation" << true))); + << "bypassDocumentValidation" << true << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -895,10 +916,10 @@ TEST_F(AuthorizationSessionTest, {ActionType::insert, ActionType::remove, ActionType::bypassDocumentValidation})}); BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll())); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() - << "bypassDocumentValidation" << true))); + << "bypassDocumentValidation" << true << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -908,9 +929,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateLookupWithoutFindOnJoinedNamespa authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$lookup" << BSON("from" << testBarNss.coll()))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -921,9 +943,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateLookupWithFindOnJoinedNamespace) { Privilege(testBarCollResource, {ActionType::find})}); BSONArray pipeline = BSON_ARRAY(BSON("$lookup" << BSON("from" << testBarNss.coll()))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -937,9 +960,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateLookupWithoutFindOnNestedJoinedN BSONArray nestedPipeline = BSON_ARRAY(BSON("$lookup" << BSON("from" << testQuxNss.coll()))); BSONArray pipeline = BSON_ARRAY( BSON("$lookup" << BSON("from" << testBarNss.coll() << "pipeline" << nestedPipeline))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -953,9 +977,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateLookupWithFindOnNestedJoinedNamespa BSONArray nestedPipeline = BSON_ARRAY(BSON("$lookup" << BSON("from" << testQuxNss.coll()))); BSONArray pipeline = BSON_ARRAY( BSON("$lookup" << BSON("from" << testBarNss.coll() << "pipeline" << nestedPipeline))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -997,9 +1022,10 @@ TEST_F(AuthorizationSessionTest, CheckAuthForAggregateWithDeeplyNestedLookup) { BSONArrayBuilder pipelineBuilder(cmdBuilder.subarrayStart("pipeline")); addNestedPipeline(&pipelineBuilder, maxLookupDepth); pipelineBuilder.doneFast(); - cmdBuilder << "cursor" << BSONObj(); + cmdBuilder << "cursor" << BSONObj() << "$db" << testFooNss.db(); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON(testFooNss, cmdBuilder.obj())); + auto aggReq = + uassertStatusOK(aggregation_request_helper::parseFromBSON(testFooNss, cmdBuilder.obj())); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -1010,9 +1036,10 @@ TEST_F(AuthorizationSessionTest, CannotAggregateGraphLookupWithoutFindOnJoinedNa authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find})); BSONArray pipeline = BSON_ARRAY(BSON("$graphLookup" << BSON("from" << testBarNss.coll()))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -1023,9 +1050,10 @@ TEST_F(AuthorizationSessionTest, CanAggregateGraphLookupWithFindOnJoinedNamespac Privilege(testBarCollResource, {ActionType::find})}); BSONArray pipeline = BSON_ARRAY(BSON("$graphLookup" << BSON("from" << testBarNss.coll()))); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -1039,9 +1067,10 @@ TEST_F(AuthorizationSessionTest, BSONArray pipeline = BSON_ARRAY(fromjson("{$facet: {lookup: [{$lookup: {from: 'bar'}}], graphLookup: " "[{$graphLookup: {from: 'qux'}}]}}")); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -1067,9 +1096,10 @@ TEST_F(AuthorizationSessionTest, BSON_ARRAY(fromjson("{$facet: {lookup: [{$lookup: {from: 'bar'}}], graphLookup: " "[{$graphLookup: {from: 'qux'}}]}}")); - auto aggReq = uassertStatusOK(AggregationRequest::parseFromBSON( + auto aggReq = uassertStatusOK(aggregation_request_helper::parseFromBSON( testFooNss, - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()))); + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() + << "$db" << testFooNss.db()))); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, aggReq, true)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); |