SERVER-70701: Allow AuthorizationSession to enforce expiration times

author: Varun Ravichandran <varun.ravichandran@mongodb.com> 2022-11-11 19:49:15 +0000
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2022-12-16 23:29:04 +0000
commit: 946cecc98dfb0047855add41fc344a1ffbb2baa9 (patch)
tree: 29ccefaeb61f3066f1344bb6827bb384ab0326c2 /src/mongo/db/commands.cpp
parent: ab506f144f44e24addaccbcb755b8d99e7ef29c3 (diff)
download: mongo-946cecc98dfb0047855add41fc344a1ffbb2baa9.tar.gz
1 files changed, 11 insertions, 1 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp
index f83ac353a23..0f9721a50b9 100644
--- a/src/mongo/db/commands.cpp
+++ b/src/mongo/db/commands.cpp
@@ -84,11 +84,18 @@ bool checkAuthorizationImplPreParse(OperationContext* opCtx,
     auto client = opCtx->getClient();
     if (client->isInDirectClient())
         return true;
+
     uassert(ErrorCodes::Unauthorized,
             str::stream() << command->getName() << " may only be run against the admin database.",
             !command->adminOnly() || request.getDatabase() == NamespaceString::kAdminDb);
 
     auto authzSession = AuthorizationSession::get(client);
+    uassert(ErrorCodes::ReauthenticationRequired,
+            fmt::format("Command {} requires reauthentication since the current authorization "
+                        "session has expired. Please re-auth.",
+                        command->getName()),
+            !command->requiresAuth() || !authzSession->isExpired());
+
     if (!authzSession->getAuthorizationManager().isAuthEnabled()) {
         // Running without auth, so everything should be allowed except remotely invoked
         // commands that have the 'localHostOnlyIfNoAuth' restriction.
@@ -99,13 +106,16 @@ bool checkAuthorizationImplPreParse(OperationContext* opCtx,
                     client->getIsLocalHostConnection());
         return true;  // Blanket authorization: don't need to check anything else.
     }
+
     if (authzSession->isUsingLocalhostBypass())
         return false;  // Still can't decide on auth because of the localhost bypass.
+
     uassert(ErrorCodes::Unauthorized,
-            str::stream() << "command " << command->getName() << " requires authentication",
+            str::stream() << "Command " << command->getName() << " requires authentication",
             !command->requiresAuth() || authzSession->isAuthenticated() ||
                 (request.validatedTenancyScope &&
                  request.validatedTenancyScope->hasAuthenticatedUser()));
+
     return false;
 }
author	Varun Ravichandran <varun.ravichandran@mongodb.com>	2022-11-11 19:49:15 +0000
committer	Evergreen Agent <no-reply@evergreen.mongodb.com>	2022-12-16 23:29:04 +0000
commit	946cecc98dfb0047855add41fc344a1ffbb2baa9 (patch)
tree	29ccefaeb61f3066f1344bb6827bb384ab0326c2 /src/mongo/db/commands.cpp
parent	ab506f144f44e24addaccbcb755b8d99e7ef29c3 (diff)
download	mongo-946cecc98dfb0047855add41fc344a1ffbb2baa9.tar.gz