SERVER-10745 Eliminate AuthorizationSession::hasInternalAuthorization() method.

This requires eliminating the "skipAuthCheck" parameter to replAuthenticate(), which
the linked jira ticket describes as folly, anyways.

5 files changed, 24 insertions, 86 deletions

diff --git a/src/mongo/db/repl/oplogreader.cpp b/src/mongo/db/repl/oplogreader.cpp
index b25e5cf725a..b7c2034c70a 100644
--- a/src/mongo/db/repl/oplogreader.cpp
+++ b/src/mongo/db/repl/oplogreader.cpp
@@ -54,48 +54,13 @@ namespace mongo {
 
     static const BSONObj userReplQuery = fromjson("{\"user\":\"repl\"}");
 
-    /* Generally replAuthenticate will only be called within system threads to fully authenticate
-     * connections to other nodes in the cluster that will be used as part of internal operations.
-     * If a user-initiated action results in needing to call replAuthenticate, you can call it
-     * with skipAuthCheck set to false. Only do this if you are certain that the proper auth
-     * checks have already run to ensure that the user is authorized to do everything that this
-     * connection will be used for!
-     */
-    bool replAuthenticate(DBClientBase *conn, bool skipAuthCheck) {
-        if(!AuthorizationManager::isAuthEnabled()) {
+    bool replAuthenticate(DBClientBase *conn) {
+        if (!AuthorizationManager::isAuthEnabled())
             return true;
-        }
-        if (!skipAuthCheck && !cc().getAuthorizationSession()->hasInternalAuthorization()) {
-            log() << "replauthenticate: requires internal authorization, failing" << endl;
-            return false;
-        }
 
-        if (isInternalAuthSet()) { 
-            return authenticateInternalUser(conn); 
-        }
-
-        BSONObj user;
-        {
-            Client::ReadContext ctxt("local.");
-            if( !Helpers::findOne("local.system.users", userReplQuery, user) ||
-                    // try the first user in local
-                    !Helpers::getSingleton("local.system.users", user) ) {
-                log() << "replauthenticate: no user in local.system.users to use for authentication" << endl;
-                return false;
-            }
-        }
-        std::string u = user.getStringField("user");
-        std::string p = user.getStringField("pwd");
-        massert( 10392 , "bad user object? [1]", !u.empty());
-        massert( 10393 , "bad user object? [2]", !p.empty());
-
-        std::string err;
-        if( !conn->auth("local", u.c_str(), p.c_str(), err, false) ) {
-            log() << "replauthenticate: can't authenticate to master server, user:" << u << endl;
+        if (!isInternalAuthSet())
             return false;
-        }
-
-        return true;
+        return authenticateInternalUser(conn);
     }
 
     bool replHandshake(DBClientConnection *conn, const BSONObj& me) {
@@ -132,7 +97,7 @@ namespace mongo {
                                                                           tcp_timeout));
             string errmsg;
             if ( !_conn->connect(hostName.c_str(), errmsg) ||
-                 (AuthorizationManager::isAuthEnabled() && !replAuthenticate(_conn.get(), true)) ) {
+                 (AuthorizationManager::isAuthEnabled() && !replAuthenticate(_conn.get())) ) {
                 resetConnection();
                 log() << "repl: " << errmsg << endl;
                 return false;
diff --git a/src/mongo/db/repl/oplogreader.h b/src/mongo/db/repl/oplogreader.h
index 3f6f062d9ee..cdde20baa3e 100644
--- a/src/mongo/db/repl/oplogreader.h
+++ b/src/mongo/db/repl/oplogreader.h
@@ -37,6 +37,13 @@
 
 namespace mongo {
 
+    /**
+     * Authenticates conn using the server's cluster-membership credentials.
+     *
+     * Returns true on successful authentication.
+     */
+    bool replAuthenticate(DBClientBase* conn);
+
     /* started abstracting out the querying of the primary/master's oplog
        still fairly awkward but a start.
     */
diff --git a/src/mongo/db/repl/replication_server_status.cpp b/src/mongo/db/repl/replication_server_status.cpp
index e0cd8c87e44..ddbe4d2c312 100644
--- a/src/mongo/db/repl/replication_server_status.cpp
+++ b/src/mongo/db/repl/replication_server_status.cpp
@@ -38,6 +38,7 @@
 #include "mongo/db/query/internal_plans.h"
 #include "mongo/db/repl/is_master.h"
 #include "mongo/db/repl/master_slave.h"
+#include "mongo/db/repl/oplogreader.h"
 #include "mongo/db/repl/rs.h"
 #include "mongo/db/wire_version.h"
 
@@ -51,8 +52,6 @@ namespace mongo {
         return replSettings.slave || replSettings.master || theReplSet;
     }
 
-    bool replAuthenticate(DBClientBase *conn, bool skipAuthCheck);
-
     void appendReplicationInfo(BSONObjBuilder& result, int level) {
         if ( replSet ) {
             if( theReplSet == 0 || theReplSet->state().shunned() ) {
@@ -115,7 +114,7 @@ namespace mongo {
                     ScopedDbConnection conn(s["host"].valuestr());
                     
                     DBClientConnection *cliConn = dynamic_cast< DBClientConnection* >( &conn.conn() );
-                    if ( cliConn && replAuthenticate(cliConn, false) ) {
+                    if ( cliConn && replAuthenticate(cliConn) ) {
                         BSONObj first = conn->findOne( (string)"local.oplog.$" + sourcename,
                                                               Query().sort( BSON( "$natural" << 1 ) ) );
                         BSONObj last = conn->findOne( (string)"local.oplog.$" + sourcename,
diff --git a/src/mongo/db/repl/sync_source_feedback.cpp b/src/mongo/db/repl/sync_source_feedback.cpp
index 0425922e87c..c80e34f861a 100644
--- a/src/mongo/db/repl/sync_source_feedback.cpp
+++ b/src/mongo/db/repl/sync_source_feedback.cpp
@@ -49,44 +49,13 @@ namespace mongo {
         _cond.notify_all();
     }
 
-    bool SyncSourceFeedback::replAuthenticate(bool skipAuthCheck) {
-
-        if (!AuthorizationManager::isAuthEnabled()) {
+    bool SyncSourceFeedback::replAuthenticate() {
+        if (!AuthorizationManager::isAuthEnabled())
             return true;
-        }
-        if (!skipAuthCheck && !cc().getAuthorizationSession()->hasInternalAuthorization()) {
-            log() << "replauthenticate: requires internal authorization, failing" << endl;
-            return false;
-        }
 
-        if (isInternalAuthSet()) { 
-            return authenticateInternalUser(_connection.get()); 
-        }
-
-        BSONObj user;
-        {
-            Client::ReadContext ctxt("local.");
-            if(!Helpers::findOne("local.system.users", userReplQuery, user) ||
-                    // try the first user in local
-                    !Helpers::getSingleton("local.system.users", user)) {
-                log() << "replauthenticate: no user in local.system.users to use"
-                        << "for authentication" << endl;
-                return false;
-            }
-        }
-        std::string u = user.getStringField("user");
-        std::string p = user.getStringField("pwd");
-        massert(16889, "bad user object? [1]", !u.empty());
-        massert(16887, "bad user object? [2]", !p.empty());
-
-        std::string err;
-
-        if( !_connection->auth("local", u.c_str(), p.c_str(), err, false) ) {
-            log() << "replauthenticate: can't authenticate to master server, user:" << u << endl;
+        if (!isInternalAuthSet())
             return false;
-        }
-
-        return true;
+        return authenticateInternalUser(_connection.get());
     }
 
     void SyncSourceFeedback::ensureMe() {
@@ -181,7 +150,7 @@ namespace mongo {
         _connection.reset(new DBClientConnection(false, 0, OplogReader::tcp_timeout));
         string errmsg;
         if (!_connection->connect(hostName.c_str(), errmsg) ||
-                (AuthorizationManager::isAuthEnabled() && !replAuthenticate(true))) {
+                (AuthorizationManager::isAuthEnabled() && !replAuthenticate())) {
             resetConnection();
             log() << "repl: " << errmsg << endl;
             return false;
diff --git a/src/mongo/db/repl/sync_source_feedback.h b/src/mongo/db/repl/sync_source_feedback.h
index bcb2115a25c..e16f9888746 100644
--- a/src/mongo/db/repl/sync_source_feedback.h
+++ b/src/mongo/db/repl/sync_source_feedback.h
@@ -133,14 +133,12 @@ namespace mongo {
         }
 
     private:
-        /* Generally replAuthenticate will only be called within system threads to fully
-         * authenticate connections to other nodes in the cluster that will be used as part of
-         * internal operations. If a user-initiated action results in needing to call
-         * replAuthenticate, you can call it with skipAuthCheck set to false. Only do this if you
-         * are certain that the proper auth checks have already run to ensure that the user is
-         * authorized to do everything that this connection will be used for!
+        /**
+         * Authenticates _connection using the server's cluster-membership credentials.
+         *
+         * Returns true on successful authentication.
          */
-        bool replAuthenticate(bool skipAuthCheck);
+        bool replAuthenticate();
 
         /* Sends initialization information to our sync target, also determines whether or not they
          * support the updater command.