SERVER-30298 Add UserDigest LogicalSessionID

Inclusion of a sha256 digest of the full username to the logical session id (in addition to the current guid) is necessary to fully disambiguate logical sessions in degraded clusters (when the authoritative record for a session is unreachable). Semantics for the uid are as follows: session creation via startSession() * Sessions can only be created with one, and only one, user authenticated * The composite key is created from a guid created on the spot, as well as the digest of the currently auth'd username * Only the session guid is returned to the user * This prevents outside users from attempting to send back a value we'd have to check. It's preferable to decorate the guid with the user digest per command, rather than having to check a value the user might send. session use for a command * Sessions are passed via the lsid top level field in any command * Sessions are only meaningful for commands which requireAuth. For sessions which don't require auth, we strip session information from the command at parse time * Session ids are passed as an object, which can optionally include the username digest * It is illegal to pass the username digest unless the currently auth'd user has the impersonate privilege (the __system user does). This enables sessions on shard servers via mongos
author: Jason Carey <jcarey@argv.me> 2017-07-21 11:54:18 -0400
committer: Jason Carey <jcarey@argv.me> 2017-07-26 15:53:42 -0400
commit: edfe3f3b1276ef3598b1af673d088e6b5c4b3ad5 (patch)
tree: 08f0efcdb6100dc315cf5e9ac98c0c6261be928d /src/mongo/db/logical_session_id_helpers.cpp
parent: cb36a96d7c96cf1b24c7ef3b8b086cfc04c77642 (diff)
download: mongo-edfe3f3b1276ef3598b1af673d088e6b5c4b3ad5.tar.gz
1 files changed, 155 insertions, 0 deletions
diff --git a/src/mongo/db/logical_session_id_helpers.cpp b/src/mongo/db/logical_session_id_helpers.cpp
new file mode 100644
index 00000000000..e152e20bafb
--- /dev/null
+++ b/src/mongo/db/logical_session_id_helpers.cpp
@@ -0,0 +1,155 @@
+/**
+ * Copyright (C) 2017 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or  modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ */
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/db/logical_session_id.h"
+
+#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/user.h"
+#include "mongo/db/logical_session_cache.h"
+#include "mongo/db/operation_context.h"
+
+namespace mongo {
+
+namespace {
+
+/**
+ * This is a safe hash that will not collide with a username because all full usernames include an
+ * '@' character.
+ */
+const auto kNoAuthDigest = SHA256Block::computeHash(reinterpret_cast<const uint8_t*>(""), 0);
+
+SHA256Block lookupUserDigest(OperationContext* opCtx) {
+    auto client = opCtx->getClient();
+    ServiceContext* serviceContext = client->getServiceContext();
+
+    if (AuthorizationManager::get(serviceContext)->isAuthEnabled()) {
+        UserName userName;
+
+        auto authzSession = AuthorizationSession::get(client);
+        auto userNameItr = authzSession->getAuthenticatedUserNames();
+        if (userNameItr.more()) {
+            userName = userNameItr.next();
+            if (userNameItr.more()) {
+                uasserted(ErrorCodes::Unauthorized,
+                          "must only be authenticated as exactly one user "
+                          "to create a logical session");
+            }
+        } else {
+            uasserted(ErrorCodes::Unauthorized,
+                      "must only be authenticated as exactly one user "
+                      "to create a logical session");
+        }
+
+        User* user = authzSession->lookupUser(userName);
+        invariant(user);
+
+        return user->getDigest();
+    } else {
+        return kNoAuthDigest;
+    }
+}
+
+}  // namespace
+
+LogicalSessionId makeLogicalSessionId(const LogicalSessionFromClient& fromClient,
+                                      OperationContext* opCtx) {
+    LogicalSessionId lsid;
+
+    lsid.setId(fromClient.getId());
+
+    if (fromClient.getUid()) {
+        auto authSession = AuthorizationSession::get(opCtx->getClient());
+
+        uassert(ErrorCodes::Unauthorized,
+                "Unauthorized to set user digest in LogicalSessionId",
+                authSession->isAuthorizedForPrivilege(
+                    Privilege(ResourcePattern::forClusterResource(), ActionType::impersonate)));
+
+        lsid.setUid(*fromClient.getUid());
+    } else {
+        lsid.setUid(lookupUserDigest(opCtx));
+    }
+
+    return lsid;
+}
+
+LogicalSessionId makeLogicalSessionId(OperationContext* opCtx) {
+    LogicalSessionId id{};
+
+    id.setId(UUID::gen());
+    id.setUid(lookupUserDigest(opCtx));
+
+    return id;
+}
+
+LogicalSessionRecord makeLogicalSessionRecord(const LogicalSessionId& lsid, Date_t lastUse) {
+    LogicalSessionRecord lsr;
+
+    lsr.setId(lsid);
+    lsr.setLastUse(lastUse);
+
+    return lsr;
+}
+
+LogicalSessionToClient makeLogicalSessionToClient(const LogicalSessionId& lsid) {
+    LogicalSessionToClient id;
+    id.setId(lsid.getId());
+    id.setTimeoutMinutes(localLogicalSessionTimeoutMinutes);
+
+    return id;
+};
+
+void initializeOperationSessionInfo(OperationContext* opCtx,
+                                    const BSONObj& requestBody,
+                                    bool requiresAuth) {
+    if (!requiresAuth) {
+        return;
+    }
+
+    auto osi = OperationSessionInfoFromClient::parse(IDLParserErrorContext("OperationSessionInfo"),
+                                                     requestBody);
+
+    if (osi.getSessionId()) {
+        opCtx->setLogicalSessionId(makeLogicalSessionId(*(osi.getSessionId()), opCtx));
+    }
+
+    if (osi.getTxnNumber()) {
+        uassert(ErrorCodes::IllegalOperation,
+                "Transaction number requires a sessionId to be specified",
+                opCtx->getLogicalSessionId());
+        uassert(ErrorCodes::BadValue,
+                "Transaction number cannot be negative",
+                *osi.getTxnNumber() >= 0);
+
+        opCtx->setTxnNumber(*osi.getTxnNumber());
+    }
+}
+
+}  // namespace mongo
author	Jason Carey <jcarey@argv.me>	2017-07-21 11:54:18 -0400
committer	Jason Carey <jcarey@argv.me>	2017-07-26 15:53:42 -0400
commit	edfe3f3b1276ef3598b1af673d088e6b5c4b3ad5 (patch)
tree	08f0efcdb6100dc315cf5e9ac98c0c6261be928d /src/mongo/db/logical_session_id_helpers.cpp
parent	cb36a96d7c96cf1b24c7ef3b8b086cfc04c77642 (diff)
download	mongo-edfe3f3b1276ef3598b1af673d088e6b5c4b3ad5.tar.gz