authorMark Benvenuto <mark.benvenuto@mongodb.com>2018-03-15 13:24:39 -0400
committerMark Benvenuto <mark.benvenuto@mongodb.com>2018-03-15 13:24:39 -0400
commitaf4a205d76af2f9ae366e723db47e671cb951ab2 (patch)
treef3de6747d02b8c8083d2cc21f3ce469d30cd0a09 /src/mongo/util/net/ssl_manager_openssl.cpp
parenta65f5add63e89bf4303c4ea6abac1cefac81d98b (diff)
SERVER-33549 Refactor OpenSSL to use common ASN.1 code and add test
Diffstat (limited to 'src/mongo/util/net/ssl_manager_openssl.cpp')
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp97
1 files changed, 3 insertions, 94 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 190e39ea6b8..98db6a830fc 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1361,100 +1361,9 @@ StatusWith<stdx::unordered_set<RoleName>> SSLManagerOpenSSL::_parsePeerRoles(X50
// We've found an extension which has our roles OID
ASN1_OCTET_STRING* data = X509_EXTENSION_get_data(ex);
- /*
- * MongoDBAuthorizationGrant ::= CHOICE {
- * MongoDBRole,
- * ...!UTF8String:"Unrecognized entity in MongoDBAuthorizationGrant"
- * }
- * MongoDBAuthorizationGrants ::= SET OF MongoDBAuthorizationGrant
- */
- // Extract the set of roles from our extension, and load them into an OpenSSL stack.
- STACK_OF(ASN1_TYPE)* mongoDBAuthorizationGrants = nullptr;
-
- // OpenSSL's parsing function will try and manipulate the pointer it's passed. If we
- // passed it 'data->data' directly, it would modify structures owned by peerCert.
- const unsigned char* dataBytes = data->data;
- mongoDBAuthorizationGrants =
- d2i_ASN1_SET_ANY(&mongoDBAuthorizationGrants, &dataBytes, data->length);
- if (!mongoDBAuthorizationGrants) {
- return Status(ErrorCodes::FailedToParse,
- "Failed to parse x509 authorization grants");
- }
- const auto grantGuard = MakeGuard([&mongoDBAuthorizationGrants]() {
- sk_ASN1_TYPE_pop_free(mongoDBAuthorizationGrants, ASN1_TYPE_free);
- });
-
- /*
- * MongoDBRole ::= SEQUENCE {
- * role UTF8String,
- * database UTF8String
- * }
- */
- // Loop through every role in the stack.
- ASN1_TYPE* MongoDBRoleWrapped = nullptr;
- while ((MongoDBRoleWrapped = sk_ASN1_TYPE_pop(mongoDBAuthorizationGrants))) {
- const auto roleWrappedGuard =
- MakeGuard([MongoDBRoleWrapped]() { ASN1_TYPE_free(MongoDBRoleWrapped); });
-
- if (MongoDBRoleWrapped->type == V_ASN1_SEQUENCE) {
- // Unwrap the ASN1Type into a STACK_OF(ASN1_TYPE)
- unsigned char* roleBytes = ASN1_STRING_data(MongoDBRoleWrapped->value.sequence);
- int roleBytesLength = ASN1_STRING_length(MongoDBRoleWrapped->value.sequence);
- ASN1_SEQUENCE_ANY* MongoDBRole = nullptr;
- MongoDBRole = d2i_ASN1_SEQUENCE_ANY(
- &MongoDBRole, (const unsigned char**)&roleBytes, roleBytesLength);
- if (!MongoDBRole) {
- return Status(ErrorCodes::FailedToParse,
- "Failed to parse role in x509 authorization grant");
- }
- const auto roleGuard = MakeGuard(
- [&MongoDBRole]() { sk_ASN1_TYPE_pop_free(MongoDBRole, ASN1_TYPE_free); });
-
- if (sk_ASN1_TYPE_num(MongoDBRole) != 2) {
- return Status(ErrorCodes::FailedToParse,
- "Role entity in MongoDBAuthorizationGrant must have exactly "
- "2 sequence elements");
- }
- // Extract the subcomponents of the sequence, which are popped off the stack in
- // reverse order. Here, parse the role's database.
- ASN1_TYPE* roleComponent = sk_ASN1_TYPE_pop(MongoDBRole);
- const auto roleDBGuard =
- MakeGuard([roleComponent]() { ASN1_TYPE_free(roleComponent); });
- if (roleComponent->type != V_ASN1_UTF8STRING) {
- return Status(ErrorCodes::FailedToParse,
- "database in MongoDBRole must be a UTF8 string");
- }
- std::string roleDB(
- reinterpret_cast<char*>(ASN1_STRING_data(roleComponent->value.utf8string)));
-
- // Parse the role's name.
- roleComponent = sk_ASN1_TYPE_pop(MongoDBRole);
- const auto roleNameGuard =
- MakeGuard([roleComponent]() { ASN1_TYPE_free(roleComponent); });
- if (roleComponent->type != V_ASN1_UTF8STRING) {
- return Status(ErrorCodes::FailedToParse,
- "role in MongoDBRole must be a UTF8 string");
- }
- std::string roleName(
- reinterpret_cast<char*>(ASN1_STRING_data(roleComponent->value.utf8string)));
-
- // Construct a RoleName from the subcomponents
- roles.emplace(RoleName(roleName, roleDB));
-
- } else {
- return Status(ErrorCodes::FailedToParse,
- "Unrecognized entity in MongoDBAuthorizationGrant");
- }
- }
- LOG(1) << "MONGODB-X509 authorization parsed the following roles from peer "
- "certificate: "
- << [&roles]() {
- StringBuilder sb;
- std::for_each(roles.begin(), roles.end(), [&sb](const RoleName& role) {
- sb << role.toString();
- });
- return sb.str();
- }();
+ return parsePeerRoles(
+ ConstDataRange(reinterpret_cast<char*>(data->data),
+ reinterpret_cast<char*>(data->data) + data->length));
}
}
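Review bot: The two `reinterpret_cast<char*>` in the new `ConstDataRange` construction strip constness from a buffer that is only read here, and a range over a peer-supplied DER blob should be built as `const char*` so nothing downstream can write through it: `ConstDataRange(reinterpret_cast<const char*>(data->data), reinterpret_cast<const char*>(data->data) + data->length)`. The removed code also enforced that every grant is a SEQUENCE of exactly two UTF8Strings and emitted the LOG(1) trace of the parsed roles; this hunk delegates both to the shared `parsePeerRoles`, which is not visible here, so it is worth confirming that the structure checks on this untrusted extension and the debug log survived the move. A comment above the call such as `// 'data' is the raw OCTET STRING from the peer certificate (untrusted); parsePeerRoles must validate the DER and reject anything that is not a SET OF MongoDBRole.` would make the trust boundary explicit at this call site. The enclosing `_parsePeerRoles` continues past the end of the hunk.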