authorDavid Storch <david.storch@10gen.com>2019-05-29 17:01:35 -0400
committerDavid Storch <david.storch@10gen.com>2019-06-05 15:56:45 -0400
commit22a595fbef4d023002b3c74d529368fcc4dbb196 (patch)
tree7b17834f3189c1b16647a40e71af43a2f38b768a /src/mongo/db
parentbcad0d20e517e10f0dab71a0cfabe0a9e25c401b (diff)
SERVER-41412 Introduce a search_beta_auth suite.
This variant of search_beta turns on auth on the cluster, including on the mongotmock, which supports the SCRAM-SHA-1 authentication mechanism. Also configures the pre-existing search_beta_ssl suite to use auth. There are changes in this commit which permit mongotmock to link in the necessary auth-related code and command line parameters without pulling in unnecessary dependencies, or adding new dependencies to mongocryptd.
Diffstat (limited to 'src/mongo/db')
-rw-r--r--src/mongo/db/SConscript4
-rw-r--r--src/mongo/db/auth/SConscript4
-rw-r--r--src/mongo/db/cluster_auth_mode_option.idl48
-rw-r--r--src/mongo/db/commands/SConscript19
-rw-r--r--src/mongo/db/keyfile_option.idl45
-rw-r--r--src/mongo/db/mongod_options.cpp4
-rw-r--r--src/mongo/db/server_options_general.idl1
-rw-r--r--src/mongo/db/server_options_nongeneral.idl13
8 files changed, 117 insertions, 21 deletions
diff --git a/src/mongo/db/SConscript b/src/mongo/db/SConscript
index 8d789440a4f..864d55d2248 100644
--- a/src/mongo/db/SConscript
+++ b/src/mongo/db/SConscript
@@ -406,6 +406,8 @@ env.Library(
target='server_options_base',
source=[
'server_options_base.cpp',
+ env.Idlc('cluster_auth_mode_option.idl')[0],
+ env.Idlc('keyfile_option.idl')[0],
env.Idlc('server_options_base.idl')[0],
env.Idlc('server_options_general.idl')[0],
env.Idlc('server_options_nongeneral.idl')[0],
@@ -448,7 +450,7 @@ env.CppUnitTest(
# This library is linked into mongos and mongod only, not into the shell or any tools.
env.Library(
- target="mongodandmongos",
+ target="initialize_server_security_state",
source=[
"initialize_server_security_state.cpp",
],
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index f26a2c3d5b2..f77549b799b 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -276,12 +276,12 @@ env.Library(
'saslauth',
],
LIBDEPS_PRIVATE=[
- 'sasl_options_init',
'$BUILD_DIR/mongo/client/sasl_client',
'$BUILD_DIR/mongo/db/audit',
'$BUILD_DIR/mongo/db/commands',
- '$BUILD_DIR/mongo/db/commands/servers',
+ '$BUILD_DIR/mongo/db/commands/authentication_commands',
'$BUILD_DIR/mongo/db/commands/test_commands_enabled',
+ 'sasl_options_init',
],
)
diff --git a/src/mongo/db/cluster_auth_mode_option.idl b/src/mongo/db/cluster_auth_mode_option.idl
new file mode 100644
index 00000000000..e184eff2b08
--- /dev/null
+++ b/src/mongo/db/cluster_auth_mode_option.idl
@@ -0,0 +1,48 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/db/server_options.h"
+ - "mongo/db/server_options_base.h"
+ configs:
+ section: 'General options'
+ source: [ cli, ini, yaml ]
+ initializer:
+ register: addClusterAuthModeServerOption
+
+configs:
+ 'security.clusterAuthMode':
+ description: >-
+ Authentication mode used for cluster authentication. Alternatives are
+ (keyFile|sendKeyFile|sendX509|x509)
+ short_name: clusterAuthMode
+ arg_vartype: String
+ validator:
+ callback: validateSecurityClusterAuthModeSetting
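Review bot: `security.clusterAuthMode` carries no `conflicts: noauth` while the sibling `security.keyFile` option in keyfile_option.idl does, and nothing in this new file says whether that asymmetry is deliberate. If it is (for example because the validator callback or a later startup check already rejects the combination), a one-line comment above the config would save the next reader from re-deriving it; if not, the option probably wants the same `conflicts: noauth` line. A short header comment explaining why this option lives in its own IDL file would also help, e.g. `# Kept separate from server_options_nongeneral.idl so binaries that need only the cluster-auth options (mongotmock) can register it without the rest.` The validator callback is presumably declared in one of the two cpp_includes, likely server_options_base.h, but that is not visible here.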
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index ef2e9fa712c..61c39a599cd 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -133,7 +133,6 @@ env.Library(
env.Library(
target='servers',
source=[
- 'authentication_commands.cpp',
'conn_pool_stats.cpp',
'conn_pool_sync.cpp',
'connection_status.cpp',
@@ -149,9 +148,6 @@ env.Library(
],
LIBDEPS_PRIVATE=[
'$BUILD_DIR/mongo/client/clientdriver_minimal',
- '$BUILD_DIR/mongo/db/audit',
- '$BUILD_DIR/mongo/db/auth/sasl_options',
- '$BUILD_DIR/mongo/db/auth/user_document_parser',
'$BUILD_DIR/mongo/db/commands',
'$BUILD_DIR/mongo/db/common',
'$BUILD_DIR/mongo/db/log_process_details',
@@ -170,6 +166,7 @@ env.Library(
'$BUILD_DIR/mongo/s/sharding_legacy_api',
'$BUILD_DIR/mongo/scripting/scripting_common',
'$BUILD_DIR/mongo/util/ntservice',
+ 'authentication_commands',
'core',
'feature_compatibility_parsers',
'server_status',
@@ -178,6 +175,20 @@ env.Library(
)
env.Library(
+ target="authentication_commands",
+ source=[
+ 'authentication_commands.cpp',
+ ],
+ LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/db/audit',
+ '$BUILD_DIR/mongo/db/auth/sasl_options',
+ '$BUILD_DIR/mongo/db/auth/user_document_parser',
+ '$BUILD_DIR/mongo/db/commands',
+ '$BUILD_DIR/mongo/util/net/ssl_manager',
+ ]
+)
+
+env.Library(
target="mongod_fsync",
source=[
"fsync.cpp",
diff --git a/src/mongo/db/keyfile_option.idl b/src/mongo/db/keyfile_option.idl
new file mode 100644
index 00000000000..09c1f66a145
--- /dev/null
+++ b/src/mongo/db/keyfile_option.idl
@@ -0,0 +1,45 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/db/server_options.h"
+ - "mongo/db/server_options_base.h"
+ configs:
+ section: 'General options'
+ source: [ cli, ini, yaml ]
+ initializer:
+ register: addKeyfileServerOption
+
+configs:
+ 'security.keyFile':
+ description: 'Private key for cluster authentication'
+ short_name: keyFile
+ arg_vartype: String
+ conflicts: noauth
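Review bot: The description `'Private key for cluster authentication'` on `security.keyFile` is misleading help text: as far as I know the key file holds a shared secret used by the keyFile cluster-auth mechanism, not an asymmetric private key, so `description: 'Shared-secret key file for cluster authentication'` would describe it more accurately even though the string is carried over verbatim. Separately, `conflicts: noauth` now refers to an option defined in a different IDL file, since noauth stays in server_options_nongeneral.idl in this same commit; it looks like conflicts are resolved by option name at parse time, but that is worth confirming now that the two options are no longer registered from the same file. Because registration is now explicit via `addKeyfileServerOption`, any binary that previously received `--keyFile` automatically has to call it, as mongod does in mongod_options.cpp here.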
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index cdbff5a8d20..756263a6ff5 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -40,7 +40,9 @@
#include "mongo/bson/json.h"
#include "mongo/bson/util/builder.h"
#include "mongo/config.h"
+#include "mongo/db/cluster_auth_mode_option_gen.h"
#include "mongo/db/global_settings.h"
+#include "mongo/db/keyfile_option_gen.h"
#include "mongo/db/mongod_options_general_gen.h"
#include "mongo/db/mongod_options_legacy_gen.h"
#include "mongo/db/mongod_options_replication_gen.h"
@@ -84,6 +86,8 @@ Status addMongodOptions(moe::OptionSection* options) try {
uassertStatusOK(addMongodShardingOptions(options));
uassertStatusOK(addMongodStorageOptions(options));
uassertStatusOK(addMongodLegacyOptions(options));
+ uassertStatusOK(addKeyfileServerOption(options));
+ uassertStatusOK(addClusterAuthModeServerOption(options));
return Status::OK();
} catch (const AssertionException& ex) {
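Review bot: Whether mongos still receives `--keyFile` and `--clusterAuthMode` is not visible from this hunk: the two options moved out of server_options_nongeneral.idl into explicitly registered initializers, mongod now calls `addKeyfileServerOption`/`addClusterAuthModeServerOption` here, but any mongos-side registration would be outside the diffstat (limited to src/mongo/db). If mongos relied on the old auto-registration it would silently lose both flags, which matters for a sharded cluster running with internal auth, so the mongos side of this commit should be checked. A brief comment on the two added calls, e.g. `// keyFile/clusterAuthMode are registered explicitly so mongotmock can opt in without the rest of the nongeneral options`, would record why they are not in the IDL that still holds noauth. addMongodOptions begins before this hunk.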
diff --git a/src/mongo/db/server_options_general.idl b/src/mongo/db/server_options_general.idl
index e6183be0c5d..2761bb62a94 100644
--- a/src/mongo/db/server_options_general.idl
+++ b/src/mongo/db/server_options_general.idl
@@ -169,4 +169,3 @@ configs:
arg_vartype: Switch
source: [ cli, ini ]
hidden: true
-
diff --git a/src/mongo/db/server_options_nongeneral.idl b/src/mongo/db/server_options_nongeneral.idl
index b561fb5ce1a..72d4108aa89 100644
--- a/src/mongo/db/server_options_nongeneral.idl
+++ b/src/mongo/db/server_options_nongeneral.idl
@@ -49,11 +49,6 @@ configs:
arg_vartype: Switch
canonicalize: canonicalizeNetBindIpAll
- 'security.keyFile':
- description: 'Private key for cluster authentication'
- short_name: keyFile
- arg_vartype: String
- conflicts: noauth
noauth:
description: 'Run without security'
arg_vartype: Switch
@@ -71,14 +66,6 @@ configs:
short_name: transitionToAuth
arg_vartype: Switch
conflicts: noauth
- 'security.clusterAuthMode':
- description: >-
- Authentication mode used for cluster authentication. Alternatives are
- (keyFile|sendKeyFile|sendX509|x509)
- short_name: clusterAuthMode
- arg_vartype: String
- validator:
- callback: validateSecurityClusterAuthModeSetting
'operationProfiling.slowOpThresholdMs':
description: 'Value of slow for profile and console log'