author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2021-06-16 10:41:25 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-06-16 15:40:35 +0000 |
commit | c73b1c09eb5ce2053577abac0a4ba360e3845de8 (patch) | |
tree | 90ebcc920053920129cd0c2d4e60d0ca4146f3a2 /src/mongo/util/net/ssl_options_server.cpp | |
parent | a616859a60e6cbb40ab0b7ddbeed06e726bd40bc (diff) | |
download | mongo-c73b1c09eb5ce2053577abac0a4ba360e3845de8.tar.gz |
SERVER-55792 Verify credentials when clusterAuthMode is set via setParameter
Diffstat (limited to 'src/mongo/util/net/ssl_options_server.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_options_server.cpp | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index 809befe82d8..4612993df07 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -190,7 +190,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 }
 #endif
- const int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
+ const auto clusterAuthMode = serverGlobalParams.startupClusterAuthMode;
 if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) {
 bool usingCertifiateSelectors = params.count("net.tls.certificateSelector");
 if (sslGlobalParams.sslPEMKeyFile.size() == 0 && !usingCertifiateSelectors) {
@@ -209,7 +209,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 // When using cetificate selectors, we use the local system certificate store for verifying
 // X.509 certificates for auth instead of relying on a CA file.
 if (sslGlobalParams.sslCAFile.empty() && !usingCertifiateSelectors &&
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
+ clusterAuthMode.allowsX509()) {
 uasserted(ErrorCodes::BadValue, sslCANotFoundError);
 }
 } else if (sslGlobalParams.sslPEMKeyFile.size() || sslGlobalParams.sslPEMKeyPassword.size() ||
@@ -227,9 +227,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 "using TLS configuration parameters");
 }
- if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile ||
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
+ if (clusterAuthMode.allowsX509()) {
 if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_disabled) {
 uasserted(ErrorCodes::BadValue, "need to enable TLS via the tlsMode flag");
 }
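Review bot: In the second hunk (old line 209) the CA-file requirement widens from `ClusterAuthMode_x509` alone to `clusterAuthMode.allowsX509()`. Judging by the third hunk, where the same call replaces the sendKeyFile / sendX509 / x509 comparison, it also covers the two transitional modes. A server that previously started in sendKeyFile or sendX509 mode with no `sslCAFile` and no certificate selector would presumably now stop with `sslCANotFoundError`. That is the stricter outcome, but it is an upgrade-visible change that the comment above the check does not mention. I would extend that comment, for example `// Any cluster auth mode that accepts X.509 peers needs a CA (or the system store) to verify them.`, and confirm the wider check is intended. The definition of allowsX509() and the start and end of the enclosing initializer are outside the hunk.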
@@ -243,9 +241,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) {
 // allowSSL and x509 is valid only when we are transitioning to auth.
- if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
- (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509 &&
- !serverGlobalParams.transitionToAuth)) {
+ if (clusterAuthMode.sendsX509() && !serverGlobalParams.transitionToAuth) {
 uasserted(ErrorCodes::BadValue,
 "cannot have x.509 cluster authentication in allowTLS mode");
 }
 |
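Review bot: The rewritten allowTLS check no longer rejects sendX509 unconditionally. The old condition refused `ClusterAuthMode_sendX509` whatever `transitionToAuth` was and exempted only x509, whereas `clusterAuthMode.sendsX509() && !serverGlobalParams.transitionToAuth` lets sendX509 through once transitionToAuth is set. This assumes sendsX509() is true for both sendX509 and x509; its definition is not in this diff. If the relaxation is deliberate, the comment above it should say so, for example `// allowTLS with a mode that sends X.509 (sendX509 or x509) is valid only when transitioning to auth.`. If it is not, the sendX509 case needs its own unconditional rejection again. A startup test for allowTLS with sendX509 and transitionToAuth would pin whichever behaviour is intended. The enclosing initializer continues outside the hunk.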