SERVER-50292 Refactor user acuisition via externalState

3 files changed, 34 insertions, 33 deletions

diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index 5ae45dadd70..b07b9c4ec1b 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -201,7 +201,9 @@ env.Library(
         '$BUILD_DIR/mongo/db/auth/user_document_parser',
         '$BUILD_DIR/mongo/db/commands',
         '$BUILD_DIR/mongo/db/stats/counters',
+        '$BUILD_DIR/mongo/rpc/client_metadata',
         '$BUILD_DIR/mongo/util/net/ssl_manager',
+        'test_commands_enabled',
     ]
 )
 
@@ -436,7 +438,7 @@ env.Library(
         '$BUILD_DIR/mongo/client/clientdriver_minimal',
         '$BUILD_DIR/mongo/db/auth/auth',
         '$BUILD_DIR/mongo/db/auth/authprivilege',
-        '$BUILD_DIR/mongo/db/auth/role_graph',
+        '$BUILD_DIR/mongo/db/auth/builtin_roles',
         '$BUILD_DIR/mongo/db/auth/sasl_options',
         '$BUILD_DIR/mongo/db/auth/user',
         '$BUILD_DIR/mongo/db/auth/user_document_parser',
diff --git a/src/mongo/db/commands/oplog_application_checks.cpp b/src/mongo/db/commands/oplog_application_checks.cpp
index 3b7f96fc224..52aa18a2a76 100644
--- a/src/mongo/db/commands/oplog_application_checks.cpp
+++ b/src/mongo/db/commands/oplog_application_checks.cpp
@@ -207,7 +207,7 @@ Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx,
     AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
     if (validity == OplogApplicationValidity::kNeedsSuperuser) {
         std::vector<Privilege> universalPrivileges;
-        RoleGraph::generateUniversalPrivileges(&universalPrivileges);
+        auth::generateUniversalPrivileges(&universalPrivileges);
         if (!authSession->isAuthorizedForPrivileges(universalPrivileges)) {
             return Status(ErrorCodes::Unauthorized, "Unauthorized");
         }
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 33c64a07122..06414694bad 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -1145,29 +1145,23 @@ public:
              const BSONObj& cmdObj,
              BSONObjBuilder& result) override {
         auth::UsersInfoArgs args;
-        Status status = auth::parseUsersInfoCommand(cmdObj, dbname, &args);
-        uassertStatusOK(status);
+        uassertStatusOK(auth::parseUsersInfoCommand(cmdObj, dbname, &args));
 
-        AuthorizationManager* authzManager = AuthorizationManager::get(opCtx->getServiceContext());
+        auto* authzManager = AuthorizationManager::get(opCtx->getServiceContext());
         auto lk = uassertStatusOK(requireReadableAuthSchema26Upgrade(opCtx, authzManager));
 
-        if ((args.target != auth::UsersInfoArgs::Target::kExplicitUsers || args.filter) &&
-            (args.showPrivileges ||
-             args.authenticationRestrictionsFormat == AuthenticationRestrictionsFormat::kShow)) {
-            uasserted(ErrorCodes::IllegalOperation,
-                      "Privilege or restriction details require exact-match usersInfo "
-                      "queries.");
-        }
+        BSONArrayBuilder usersArrayBuilder(result.subarrayStart("users"));
+        if (args.showPrivileges ||
+            (args.authenticationRestrictionsFormat == AuthenticationRestrictionsFormat::kShow)) {
+            uassert(ErrorCodes::IllegalOperation,
+                    "Privilege or restriction details require exact-match usersInfo queries",
+                    !args.filter && (args.target == auth::UsersInfoArgs::Target::kExplicitUsers));
 
-        BSONArrayBuilder usersArrayBuilder;
-        if (args.target == auth::UsersInfoArgs::Target::kExplicitUsers &&
-            (args.showPrivileges ||
-             args.authenticationRestrictionsFormat == AuthenticationRestrictionsFormat::kShow)) {
-            // If you want privileges or restrictions you need to call getUserDescription on each
-            // user.
-            for (size_t i = 0; i < args.userNames.size(); ++i) {
+            // If you want privileges or restrictions you need to call getUserDescription
+            // on each user.
+            for (const auto& userName : args.userNames) {
                 BSONObj userDetails;
-                status = authzManager->getUserDescription(opCtx, args.userNames[i], &userDetails);
+                auto status = authzManager->getUserDescription(opCtx, userName, &userDetails);
                 if (status.code() == ErrorCodes::UserNotFound) {
                     continue;
                 }
@@ -1204,6 +1198,7 @@ public:
             // If you don't need privileges, or authenticationRestrictions, you can just do a
             // regular query on system.users
             std::vector<BSONObj> pipeline;
+
             if (args.target == auth::UsersInfoArgs::Target::kGlobal) {
                 // Leave the pipeline unconstrained, we want to return every user.
             } else if (args.target == auth::UsersInfoArgs::Target::kDB) {
@@ -1219,12 +1214,10 @@ public:
                 }
                 pipeline.push_back(BSON("$match" << BSON("$or" << usersMatchArray.arr())));
             }
+
             // Order results by user field then db field, matching how UserNames are ordered
             pipeline.push_back(BSON("$sort" << BSON("user" << 1 << "db" << 1)));
 
-            // Authentication restrictions are only rendered in the single user case.
-            pipeline.push_back(BSON("$project" << BSON("authenticationRestrictions" << false)));
-
             // Rewrite the credentials object into an array of its fieldnames.
             pipeline.push_back(
                 BSON("$addFields" << BSON("mechanisms"
@@ -1235,9 +1228,14 @@ public:
                                                                          << "in"
                                                                          << "$$cred.k")))));
 
-            // Remove credentials, they're not required in the output
-            if (!args.showCredentials) {
-                pipeline.push_back(BSON("$project" << BSON("credentials" << false)));
+            if (args.showCredentials) {
+                // Authentication restrictions are only rendered in the single user case.
+                pipeline.push_back(BSON("$unset"
+                                        << "authenticationRestrictions"));
+            } else {
+                // Remove credentials as well, they're not required in the output
+                pipeline.push_back(BSON("$unset" << BSON_ARRAY("authenticationRestrictions"
+                                                               << "credentials")));
             }
 
             // Handle a user specified filter.
@@ -1268,7 +1266,8 @@ public:
                 usersArrayBuilder.append(cursor.next());
             }
         }
-        result.append("users", usersArrayBuilder.arr());
+
+        usersArrayBuilder.doneFast();
         return true;
     }
 
@@ -1292,7 +1291,7 @@ void CmdUMCTyped<CreateRoleCommand, void>::Invocation::typedRun(OperationContext
 
     uassert(ErrorCodes::BadValue,
             "Cannot create roles with the same name as a built-in role",
-            !RoleGraph::isBuiltinRole(roleName));
+            !auth::isBuiltinRole(roleName));
 
     BSONObjBuilder roleObjBuilder;
     roleObjBuilder.append("_id", str::stream() << roleName.getDB() << "." << roleName.getRole());
@@ -1416,7 +1415,7 @@ void CmdUMCTyped<GrantPrivilegesToRoleCommand, void>::Invocation::typedRun(
 
     uassert(ErrorCodes::BadValue,
             str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
-            !RoleGraph::isBuiltinRole(roleName));
+            !auth::isBuiltinRole(roleName));
 
     auto* client = opCtx->getClient();
     auto* serviceContext = client->getServiceContext();
@@ -1466,7 +1465,7 @@ void CmdUMCTyped<RevokePrivilegesFromRoleCommand, void>::Invocation::typedRun(
 
     uassert(ErrorCodes::BadValue,
             str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
-            !RoleGraph::isBuiltinRole(roleName));
+            !auth::isBuiltinRole(roleName));
 
     auto* client = opCtx->getClient();
     auto* serviceContext = client->getServiceContext();
@@ -1520,7 +1519,7 @@ void CmdUMCTyped<GrantRolesToRoleCommand, void>::Invocation::typedRun(OperationC
 
     uassert(ErrorCodes::BadValue,
             str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
-            !RoleGraph::isBuiltinRole(roleName));
+            !auth::isBuiltinRole(roleName));
 
     auto rolesToAdd = auth::resolveRoleNames(cmd.getRoles(), dbname);
 
@@ -1560,7 +1559,7 @@ void CmdUMCTyped<RevokeRolesFromRoleCommand, void>::Invocation::typedRun(Operati
 
     uassert(ErrorCodes::BadValue,
             str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
-            !RoleGraph::isBuiltinRole(roleName));
+            !auth::isBuiltinRole(roleName));
 
     auto rolesToRemove = auth::resolveRoleNames(cmd.getRoles(), dbname);
 
@@ -1595,7 +1594,7 @@ void CmdUMCTyped<DropRoleCommand, void>::Invocation::typedRun(OperationContext*
 
     uassert(ErrorCodes::BadValue,
             str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
-            !RoleGraph::isBuiltinRole(roleName));
+            !auth::isBuiltinRole(roleName));
 
     auto* client = opCtx->getClient();
     auto* serviceContext = client->getServiceContext();