authorSpencer Jackson <spencer.jackson@mongodb.com>2017-10-04 15:18:07 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2017-10-09 17:25:18 -0400
commit893d4efbdfc7d536d7b6c44a9cb31dcdb7f8fd20 (patch)
tree9c9b81be8592744c0779428a86db7bcdadf75972 /src/mongo/db
parent574f5ae3d799ff2ba551200157495104ad697e96 (diff)
SERVER-31389: Make an ActionType for manipulating authentication restrictions
Diffstat (limited to 'src/mongo/db')
-rw-r--r--src/mongo/db/auth/action_types.txt1
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp1
-rw-r--r--src/mongo/db/commands/user_management_commands_common.cpp64
3 files changed, 62 insertions, 4 deletions
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index d037cc255ae..45eedf4312f 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -98,6 +98,7 @@
"revokeRolesFromRole", # Not used for permissions checks, but to id the event in logs.
"revokeRolesFromUser", # Not used for permissions checks, but to id the event in logs.
"serverStatus",
+"setAuthenticationRestriction",
"setParameter",
"shardCollection", # Not used for permissions checks, but to id the event in logs.
"shardingState",
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 018f8dffb96..c466f334c72 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -149,6 +149,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
<< ActionType::dropRole
<< ActionType::grantRole
<< ActionType::revokeRole
+ << ActionType::setAuthenticationRestriction
<< ActionType::viewUser
<< ActionType::viewRole;
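Review bot: Granting `ActionType::setAuthenticationRestriction` in this one built-in action set only covers principals that hold that built-in role, and the hunk does not show which role it is because the initializer starts above the visible lines. With the checks added in user_management_commands_common.cpp, a custom role that could previously send `authenticationRestrictions` through createUser/updateUser/createRole/updateRole will presumably now get Unauthorized until it is granted the new action. A comment above the added line would record the intent, e.g. `// Required to attach or change authenticationRestrictions on users and roles in this database.`, and the upgrade impact on custom roles deserves a line in the commit description.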
diff --git a/src/mongo/db/commands/user_management_commands_common.cpp b/src/mongo/db/commands/user_management_commands_common.cpp
index 608719e0341..09a110b9051 100644
--- a/src/mongo/db/commands/user_management_commands_common.cpp
+++ b/src/mongo/db/commands/user_management_commands_common.cpp
@@ -110,6 +110,20 @@ Status checkAuthorizedToRevokePrivileges(AuthorizationSession* authzSession,
return Status::OK();
}
+Status checkAuthorizedToSetRestrictions(AuthorizationSession* authzSession,
+ bool hasAuthRestriction,
+ StringData dbname) {
+ if (hasAuthRestriction) {
+ if (!authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(dbname),
+ ActionType::setAuthenticationRestriction)) {
+ return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ }
+ }
+
+ return Status::OK();
+}
+
Status checkAuthForCreateUserCommand(Client* client,
const std::string& dbname,
const BSONObj& cmdObj) {
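Review bot: The bare `Status(ErrorCodes::Unauthorized, "Unauthorized")` in checkAuthorizedToSetRestrictions gives neither the caller nor anyone reading the audit log a hint about which privilege was missing. The neighbouring checks in this file build messages that name what was denied, as the "authorized to revoke any role in the system" text further down shows. Suggest `str::stream() << "Not authorized to set authentication restrictions on database " << dbname` as the message. The two nested `if`s can be folded into one condition. A short comment that the function is a no-op when the command carries no restrictions field would make the `hasAuthRestriction` parameter self-explanatory.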
@@ -127,7 +141,18 @@ Status checkAuthForCreateUserCommand(Client* client,
<< args.userName.getDB());
}
- return checkAuthorizedToGrantRoles(authzSession, args.roles);
+ status = checkAuthorizedToGrantRoles(authzSession, args.roles);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.userName.getDB());
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return Status::OK();
}
Status checkAuthForUpdateUserCommand(Client* client,
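Review bot: The tail of checkAuthForCreateUserCommand tests `status` and then falls through to `return Status::OK();`, which is equivalent to returning the last check directly: `return checkAuthorizedToSetRestrictions(authzSession, static_cast<bool>(args.authenticationRestrictions), args.userName.getDB());`. That keeps the shape the replaced `return checkAuthorizedToGrantRoles(...)` line had and removes five lines per call site. The same pattern is repeated in the checkAuthForCreateRoleCommand and checkAuthForUpdateRoleCommand hunks. The function begins outside this hunk.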
@@ -172,7 +197,16 @@ Status checkAuthForUpdateUserCommand(Client* client,
"authorized to revoke any role in the system");
}
- return checkAuthorizedToGrantRoles(authzSession, args.roles);
+ status = checkAuthorizedToGrantRoles(authzSession, args.roles);
+ if (!status.isOK()) {
+ return status;
+ }
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.userName.getDB());
+ if (!status.isOK()) {
+ return status;
}
return Status::OK();
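Review bot: Whether removing restrictions is gated here depends on how `args.authenticationRestrictions` is populated, because the check keys off `static_cast<bool>(...)`, i.e. presence of the field rather than its content. If the argument parser (not visible in this diff) leaves the field unset for an explicitly empty array, an updateUser that clears a user's restrictions would skip the `setAuthenticationRestriction` check, and clearing is the security-sensitive direction. It is worth confirming the parser's behaviour and adding a test for the empty-array case. A comment at the call would pin the intent: `// Presence, not content: clearing restrictions with an empty list must also require setAuthenticationRestriction.` The same applies to the checkAuthForUpdateRoleCommand hunk; checkAuthForUpdateUserCommand starts outside this hunk.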
@@ -214,7 +248,18 @@ Status checkAuthForCreateRoleCommand(Client* client,
return status;
}
- return checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ status = checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.roleName.getDB());
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return Status::OK();
}
Status checkAuthForUpdateRoleCommand(Client* client,
@@ -241,7 +286,18 @@ Status checkAuthForUpdateRoleCommand(Client* client,
return status;
}
- return checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ status = checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.roleName.getDB());
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return Status::OK();
}
Status checkAuthForGrantRolesToRoleCommand(Client* client,