diff options
author | Varun Ravichandran <varun.ravichandran@mongodb.com> | 2022-11-11 19:49:15 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2022-12-16 23:29:04 +0000 |
commit | 946cecc98dfb0047855add41fc344a1ffbb2baa9 (patch) | |
tree | 29ccefaeb61f3066f1344bb6827bb384ab0326c2 /src/mongo/db/commands.cpp | |
parent | ab506f144f44e24addaccbcb755b8d99e7ef29c3 (diff) | |
download | mongo-946cecc98dfb0047855add41fc344a1ffbb2baa9.tar.gz |
SERVER-70701: Allow AuthorizationSession to enforce expiration times
Diffstat (limited to 'src/mongo/db/commands.cpp')
-rw-r--r-- | src/mongo/db/commands.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp index f83ac353a23..0f9721a50b9 100644 --- a/src/mongo/db/commands.cpp +++ b/src/mongo/db/commands.cpp @@ -84,11 +84,18 @@ bool checkAuthorizationImplPreParse(OperationContext* opCtx, auto client = opCtx->getClient(); if (client->isInDirectClient()) return true; + uassert(ErrorCodes::Unauthorized, str::stream() << command->getName() << " may only be run against the admin database.", !command->adminOnly() || request.getDatabase() == NamespaceString::kAdminDb); auto authzSession = AuthorizationSession::get(client); + uassert(ErrorCodes::ReauthenticationRequired, + fmt::format("Command {} requires reauthentication since the current authorization " + "session has expired. Please re-auth.", + command->getName()), + !command->requiresAuth() || !authzSession->isExpired()); + if (!authzSession->getAuthorizationManager().isAuthEnabled()) { // Running without auth, so everything should be allowed except remotely invoked // commands that have the 'localHostOnlyIfNoAuth' restriction. @@ -99,13 +106,16 @@ bool checkAuthorizationImplPreParse(OperationContext* opCtx, client->getIsLocalHostConnection()); return true; // Blanket authorization: don't need to check anything else. } + if (authzSession->isUsingLocalhostBypass()) return false; // Still can't decide on auth because of the localhost bypass. + uassert(ErrorCodes::Unauthorized, - str::stream() << "command " << command->getName() << " requires authentication", + str::stream() << "Command " << command->getName() << " requires authentication", !command->requiresAuth() || authzSession->isAuthenticated() || (request.validatedTenancyScope && request.validatedTenancyScope->hasAuthenticatedUser())); + return false; } |