authorAndreas Nilsson <andreas.nilsson@10gen.com>2013-10-28 17:44:18 -0400
committerAndreas Nilsson <andreas.nilsson@10gen.com>2013-10-29 09:14:54 -0400
commitf64377ea68e0f0003639672b886fc9e7be37942c (patch)
tree392c74cdc83b9b389a322fd8f5444d8fb2e01997 /src/mongo/db/commands/authentication_commands.cpp
parent202fe3e238fc378656482291d724728786581a2b (diff)
downloadmongo-f64377ea68e0f0003639672b886fc9e7be37942c.tar.gz
SERVER-10353 Option to disable MONGODB-X509, server portion
Diffstat (limited to 'src/mongo/db/commands/authentication_commands.cpp')
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp26
1 files changed, 20 insertions, 6 deletions
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index bfb15aff3a5..d8857a1845a 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -54,11 +54,21 @@
namespace mongo {
- static bool _areNonceAuthenticateCommandsEnabled = true;
- static const char _nonceAuthenticateCommandsDisabledMessage[] =
+ static bool _isCRAuthDisabled;
+ static bool _isX509AuthDisabled;
+ static const char _nonceAuthenticationDisabledMessage[] =
"Challenge-response authentication using getnonce and authenticate commands is disabled.";
-
- void CmdAuthenticate::disableCommand() { _areNonceAuthenticateCommandsEnabled = false; }
+ static const char _x509AuthenticationDisabledMessage[] =
+ "x.509 authentication is disabled.";
+
+ void CmdAuthenticate::disableAuthMechanism(std::string authMechanism) {
+ if (authMechanism == "MONGODB-CR") {
+ _isCRAuthDisabled = true;
+ }
+ if (authMechanism == "MONGODB-X509") {
+ _isX509AuthDisabled = true;
+ }
+ }
/* authentication
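Review bot: `disableAuthMechanism` silently ignores any name other than the two literals it compares against, so a misspelled or differently-cased mechanism passed by the caller leaves that mechanism enabled with no signal; the function fails open. Because it returns void, the smallest fix is to make the second test an `else if` and add a final `else` that logs the unrecognized name or fails startup; returning a Status would be stronger if the header, which is not part of this diff, can change. The parameter can also be taken as `const std::string& authMechanism`. Giving the two flags explicit `= false` initializers would document the default instead of relying on static zero-initialization.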
@@ -171,11 +181,11 @@ namespace mongo {
"Mechanism x509 is required for internal cluster authentication");
}
- if (!_areNonceAuthenticateCommandsEnabled) {
+ if (_isCRAuthDisabled) {
// SERVER-8461, MONGODB-CR must be enabled for authenticating the internal user, so that
// cluster members may communicate with each other.
if (user != internalSecurity.user->getName()) {
- return Status(ErrorCodes::BadValue, _nonceAuthenticateCommandsDisabledMessage);
+ return Status(ErrorCodes::BadValue, _nonceAuthenticationDisabledMessage);
}
}
@@ -285,6 +295,10 @@ namespace mongo {
}
// Handle normal client authentication, only applies to client-server connections
else {
+ if (_isX509AuthDisabled) {
+ return Status(ErrorCodes::BadValue,
+ _x509AuthenticationDisabledMessage);
+ }
Status status = authorizationSession->addAndAuthorizeUser(user);
if (!status.isOK()) {
return status;
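Review bot: The `_isX509AuthDisabled` check sits only in this client `else` branch, so the flag has no effect on whatever the preceding branch handles (apparently cluster-member authentication, judging by the comment above the `else`), and unlike the MONGODB-CR check nothing here says that the exemption is deliberate. I would add a comment above the check such as `// Only client connections are rejected; x.509 between cluster members keeps working when MONGODB-X509 is disabled.` The check also runs after everything the function did before this branch, which lies outside the hunk; if that includes reading the peer certificate, rejecting a disabled mechanism at the top of the function would avoid that work.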