author | Spencer Jackson <spencer.jackson@mongodb.com> | 2016-07-01 18:16:30 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2016-07-07 15:46:13 -0400 |
commit | 5aa7c8a0b64bcd7e6781d335e6c786483fadee8e (patch) | |
tree | a50e1c17728f70951b23c7c031c7678d67cd195e /src/mongo/db/auth | |
parent | eeceb5a64d98cfa2955b07efd998d0e059715877 (diff) | |
download | mongo-5aa7c8a0b64bcd7e6781d335e6c786483fadee8e.tar.gz |
SERVER-24821 Use authcid instead of authzid in SASL PLAIN mechanism
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/SConscript | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_plain_server_conversation.cpp | 51 |
2 files changed, 44 insertions, 8 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 75dea236195..9508b702a26 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -115,6 +115,7 @@ env.Library('saslauth',
 'authcore',
 'authmocks', # Wat?
 'sasl_options',
+ '$BUILD_DIR/mongo/base/secure_allocator',
 '$BUILD_DIR/mongo/crypto/scramauth',
 '$BUILD_DIR/mongo/db/commands/test_commands_enabled',
 '$BUILD_DIR/mongo/util/net/network',
diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.cpp b/src/mongo/db/auth/sasl_plain_server_conversation.cpp
index b5f0b9e3c8f..31945f6e9a6 100644
--- a/src/mongo/db/auth/sasl_plain_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_plain_server_conversation.cpp
@@ -28,6 +28,7 @@
 #include "mongo/db/auth/sasl_plain_server_conversation.h"
+#include "mongo/base/secure_allocator.h"
 #include "mongo/crypto/mechanism_scram.h"
 #include "mongo/db/auth/sasl_authentication_session.h"
 #include "mongo/util/base64.h"
@@ -42,17 +43,51 @@ SaslPLAINServerConversation::SaslPLAINServerConversation(SaslAuthenticationSessi
 SaslPLAINServerConversation::~SaslPLAINServerConversation(){};
 StatusWith<bool> SaslPLAINServerConversation::step(StringData inputData, std::string* outputData) {
- // Expecting user input on the form: user\0user\0pwd
+ if (_saslAuthSession->getAuthenticationDatabase() == "$external") {
+ return Status(ErrorCodes::AuthenticationFailed,
+ "PLAIN mechanism must be used with internal users");
+ }
+
+ // Expecting user input on the form: [authz-id]\0authn-id\0pwd
 std::string input = inputData.toString();
- std::string pwd = "";
+ SecureString pwd = "";
 try {
- _user = input.substr(0, inputData.find('\0'));
- pwd = input.substr(inputData.find('\0', _user.size() + 1) + 1);
+ size_t firstNull = inputData.find('\0');
+ if (firstNull == std::string::npos) {
+ return Status(
+ ErrorCodes::AuthenticationFailed,
+ str::stream()
+ << "Incorrectly formatted PLAIN client message, missing first NULL delimiter");
+ }
+ size_t secondNull = inputData.find('\0', firstNull + 1);
+ if (secondNull == std::string::npos) {
+ return Status(
+ ErrorCodes::AuthenticationFailed,
+ str::stream()
+ << "Incorrectly formatted PLAIN client message, missing second NULL delimiter");
+ }
+
+ std::string authorizationIdentity = input.substr(0, firstNull);
+ _user = input.substr(firstNull + 1, (secondNull - firstNull) - 1);
+ if (_user.empty()) {
+ return Status(ErrorCodes::AuthenticationFailed,
+ str::stream()
+ << "Incorrectly formatted PLAIN client message, empty username");
+ } else if (!authorizationIdentity.empty() && authorizationIdentity != _user) {
+ return Status(ErrorCodes::AuthenticationFailed,
+ str::stream()
+ << "SASL authorization identity must match authentication identity");
+ }
+ pwd = SecureString(input.substr(secondNull + 1).c_str());
+ if (pwd->empty()) {
+ return Status(ErrorCodes::AuthenticationFailed,
+ str::stream()
+ << "Incorrectly formatted PLAIN client message, empty password");
+ }
 } catch (std::out_of_range& exception) {
- return StatusWith<bool>(ErrorCodes::AuthenticationFailed,
- mongoutils::str::stream()
- << "Incorrectly formatted PLAIN client message");
+ return Status(ErrorCodes::AuthenticationFailed,
+ mongoutils::str::stream() << "Incorrectly formatted PLAIN client message");
 }
 User* userObj;
@@ -70,7 +105,7 @@ StatusWith<bool> SaslPLAINServerConversation::step(StringData inputData, std::st
 const User::CredentialData creds = userObj->getCredentials();
 _saslAuthSession->getAuthorizationSession()->getAuthorizationManager().releaseUser(userObj);
- std::string authDigest = createPasswordDigest(_user, pwd);
+ std::string authDigest = createPasswordDigest(_user, pwd->c_str());
 if (!creds.password.empty()) {
 // Handle schemaVersion26Final (MONGODB-CR/SCRAM mixed mode)
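Review bot: The password still sits in ordinary heap memory after this change: `pwd = SecureString(input.substr(secondNull + 1).c_str());` copies it out of `input`, a plain `std::string` built from `inputData` on a context line above, through an unprotected `substr` temporary, so the SecureString guards only the third copy while `input` holds the cleartext until `step` returns and the temporary is freed without being wiped. Taking the authzid and user slices straight from `inputData` (`inputData.substr(0, firstNull).toString()` and the matching slice for `_user`) would let the `input` copy go away, and the protected copy could then be built from the StringData range, e.g. `pwd = SecureString(inputData.rawData() + secondNull + 1, inputData.size() - secondNull - 1);`, assuming SecureString forwards its constructor arguments to the underlying string as the `->` handle access suggests. The incoming `inputData` buffer is owned by the caller and is outside this hunk. As a point of style, the new error paths mix `str::stream()` and `mongoutils::str::stream()` in the same function; one spelling would read better. The enclosing `step` body continues past this hunk.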