authorAndy Schwerin <schwerin@10gen.com>2013-07-08 19:19:05 -0400
committerAndy Schwerin <schwerin@10gen.com>2013-07-26 11:40:31 -0400
commit78b54e5608d1a49da4228ee2b45489a9d0cc9182 (patch)
tree76bd554674161762b05e1bef322fbfbe67e2fae9 /src/mongo/db
parent01b4f0ad09c244fd7f83bb045ff844416aa8ca96 (diff)
SERVER-1891 Add hooks to audit authentications using MONGODB-CR and MONGODB-X509.
Diffstat (limited to 'src/mongo/db')
-rw-r--r--src/mongo/db/audit.cpp5
-rw-r--r--src/mongo/db/audit.h10
-rw-r--r--src/mongo/db/auth/action_types.txt1
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp19
-rw-r--r--src/mongo/db/commands/authentication_commands.h8
5 files changed, 37 insertions, 6 deletions
diff --git a/src/mongo/db/audit.cpp b/src/mongo/db/audit.cpp
index 86eb3577339..b8a8c8c70c2 100644
--- a/src/mongo/db/audit.cpp
+++ b/src/mongo/db/audit.cpp
@@ -25,6 +25,11 @@
namespace mongo {
namespace audit {
+ void logAuthentication(ClientBasic* client,
+ const StringData& mechanism,
+ const UserName& user,
+ ErrorCodes::Error result) MONGO_AUDIT_STUB
+
void logCommandAuthzCheck(ClientBasic* client,
const NamespaceString& ns,
const mutablebson::Document& cmdObj,
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h
index ef25fea0a6c..a9791b44f82 100644
--- a/src/mongo/db/audit.h
+++ b/src/mongo/db/audit.h
@@ -28,6 +28,8 @@ namespace mongo {
class BSONObj;
class ClientBasic;
class NamespaceString;
+ class StringData;
+ class UserName;
namespace mutablebson {
class Document;
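Review bot: The forward declarations added here cover `StringData` and `UserName`, but the new `logAuthentication` declaration further down in this header takes `ErrorCodes::Error`, which is a nested enum and cannot be forward-declared; it needs the full definition from the error-codes header. Whether that header is already included above line 28 is outside this hunk, so this may already be satisfied; if it is not, the header would only compile in translation units that happen to include it first. The include list of audit.h is not visible in this diff.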
@@ -35,6 +37,14 @@ namespace mutablebson {
namespace audit {
+ /**
+ * Logs the result of an authentication attempt.
+ */
+ void logAuthentication(ClientBasic* client,
+ const StringData& mechanism,
+ const UserName& user,
+ ErrorCodes::Error result);
+
//
// Authorization (authz) logging functions.
//
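Review bot: The one-line comment on `logAuthentication` leaves out the two facts an audit consumer needs most: that the hook fires on every outcome, and that `user` and `mechanism` are what the client asked for, not what was verified. In authentication_commands.cpp the caller builds `user` from the command object and calls this hook with `status.code()` regardless of success, so for a non-OK `result` the `user` value is an unverified, client-claimed name. I would extend the comment to say that `mechanism` is the requested mechanism name as sent by the client (or the server default), that `user` is the principal the client claimed and is only known to be valid when `result` is `ErrorCodes::OK`, and that implementations should treat both as untrusted input when writing them to a log.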
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 532f1a41564..4a153189afe 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -6,6 +6,7 @@
# also may change between versions.
["addShard",
"authCheck", # Not used for permissions checks, but to id the authorization-checking event in logs.
+"authenticate", # Not used for permission checks, but to id authentication events in logs.
"captrunc",
"clean",
"clone",
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 6098707e824..85cd9197a28 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -22,6 +22,7 @@
#include "mongo/base/status.h"
#include "mongo/client/sasl_client_authenticate.h"
+#include "mongo/db/audit.h"
#include "mongo/db/auth/action_set.h"
#include "mongo/db/auth/action_type.h"
#include "mongo/db/auth/authorization_manager.h"
@@ -104,7 +105,15 @@ namespace mongo {
log() << " authenticate db: " << dbname << " " << cmdObj << endl;
UserName user(cmdObj.getStringField("user"), dbname);
- Status status = _authenticate(user, cmdObj);
+ std::string mechanism = cmdObj.getStringField("mechanism");
+ if (mechanism.empty()) {
+ mechanism = "MONGODB-CR";
+ }
+ Status status = _authenticate(mechanism, user, cmdObj);
+ audit::logAuthentication(ClientBasic::getCurrent(),
+ mechanism,
+ user,
+ status.code());
if (!status.isOK()) {
if (status.code() == ErrorCodes::AuthenticationFailed) {
// Statuses with code AuthenticationFailed may contain messages we do not wish to
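Review bot: `mechanism` is copied straight out of the client-supplied `cmdObj` and handed to `audit::logAuthentication` verbatim, including values that `_authenticate` goes on to reject, so the audit record for a failed attempt carries an arbitrary client-chosen string; the same holds for `user`, which is constructed from `cmdObj` before any verification. Whether `logAuthentication` implementations bound or escape these values is not visible here, so the contract should at least be stated at the call site: `// Audit every outcome; "mechanism" and "user" are client-supplied and unverified at this point, only "status" says whether they were accepted.` The enclosing function (presumably `CmdAuthenticate::run`) starts before and ends after this hunk.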
@@ -122,9 +131,11 @@ namespace mongo {
return true;
}
- Status CmdAuthenticate::_authenticate(const UserName& user, const BSONObj& cmdObj) {
- std::string mechanism = cmdObj.getStringField("mechanism");
- if (mechanism.empty() || mechanism == "MONGODB-CR") {
+ Status CmdAuthenticate::_authenticate(const std::string& mechanism,
+ const UserName& user,
+ const BSONObj& cmdObj) {
+
+ if (mechanism == "MONGODB-CR") {
return _authenticateCR(user, cmdObj);
}
#ifdef MONGO_SSL
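Review bot: The empty-mechanism default moved out of `_authenticate` into its caller, so an empty `mechanism` no longer matches the MONGODB-CR branch and instead falls through to the `#ifdef MONGO_SSL` chain and whatever the function returns below this hunk; the only visible caller substitutes `"MONGODB-CR"` first, so this is consistent today, but the dependency is implicit. A comment at the top of the body would keep it visible: `// "mechanism" is expected to be non-empty; run() substitutes the default before calling.` The blank line inserted directly after the signature looks like a stray. The function body continues past the end of this hunk.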
diff --git a/src/mongo/db/commands/authentication_commands.h b/src/mongo/db/commands/authentication_commands.h
index d051637014b..e98a7c0914b 100644
--- a/src/mongo/db/commands/authentication_commands.h
+++ b/src/mongo/db/commands/authentication_commands.h
@@ -16,6 +16,8 @@
#pragma once
+#include <string>
+
#include "mongo/base/status.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/db/commands.h"
@@ -47,7 +49,7 @@ namespace mongo {
private:
/**
- * Completes the authentication of "user" using parameters from "cmdObj".
+ * Completes the authentication of "user" using "mechanism" and parameters from "cmdObj".
*
* Returns Status::OK() on success. All other statuses indicate failed authentication. The
* entire status returned here may always be used for logging. However, if the code is
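Review bot: The reworded comment says "mechanism" is used but not that it must already be resolved: the .cpp change makes the caller replace an empty mechanism with "MONGODB-CR" before calling `_authenticate`, and this is now part of the function's precondition. I would add one line to the comment: ` * "mechanism" must be non-empty; the caller substitutes "MONGODB-CR" when the client omits it.` The comment block continues in the next hunk.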
@@ -58,7 +60,9 @@ namespace mongo {
* mechanism, and ProtocolError, indicating an error in the use of the authentication
* protocol.
*/
- Status _authenticate(const UserName& user, const BSONObj& cmdObj);
+ Status _authenticate(const std::string& mechanism,
+ const UserName& user,
+ const BSONObj& cmdObj);
Status _authenticateCR(const UserName& user, const BSONObj& cmdObj);
Status _authenticateX509(const UserName& user, const BSONObj& cmdObj);
};