author | Gabriel Marks <gabriel.marks@mongodb.com> | 2020-06-26 15:42:20 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-07-08 23:23:41 +0000 |
commit | b0b09d66b99d80a0a65c4bc552b6e9f443aadb3b (patch) | |
tree | dca13f3eab48c9edb4f276ba89f5c8efd4338b5f /src/mongo/util | |
parent | 8895e4ca0321aa121cd0558a8622286bdf1f41b2 (diff) | |
download | mongo-b0b09d66b99d80a0a65c4bc552b6e9f443aadb3b.tar.gz |
SERVER-49112 Add Session::getSSLConfiguration
Diffstat (limited to 'src/mongo/util')
-rw-r--r-- | src/mongo/util/net/SConscript | 2 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.h | 21 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_peer_info.cpp | 46 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_peer_info.h | 67 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_types.cpp | 15 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_types.h | 43 |
9 files changed, 133 insertions, 64 deletions
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript index ccdef1287b2..41ff54ec20b 100644 --- a/src/mongo/util/net/SConscript +++ b/src/mongo/util/net/SConscript @@ -96,7 +96,6 @@ env.Library( '$BUILD_DIR/mongo/base', ], LIBDEPS_PRIVATE=[ - '$BUILD_DIR/mongo/transport/transport_layer_common', 'ssl_options', ] ) @@ -122,6 +121,7 @@ if not get_option('ssl') == 'off': "ssl_parameters.cpp", "ssl_manager_%s.cpp" % (ssl_provider), "ssl_stream.cpp", + "ssl_peer_info.cpp", env.Idlc('ssl_parameters.idl')[0], "ocsp/ocsp_manager.cpp", ], diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h index 8bcb12db721..979dc9f0f2f 100644 --- a/src/mongo/util/net/ssl_manager.h +++ b/src/mongo/util/net/ssl_manager.h @@ -44,6 +44,7 @@ #include "mongo/util/decorable.h" #include "mongo/util/net/sock.h" #include "mongo/util/net/ssl/apple.hpp" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/out_of_line_executor.h" #include "mongo/util/time_support.h" @@ -117,26 +118,6 @@ public: virtual ~SSLConnectionInterface(); }; -class SSLConfiguration { -public: - bool isClusterMember(StringData subjectName) const; - bool isClusterMember(SSLX509Name subjectName) const; - void getServerStatusBSON(BSONObjBuilder*) const; - Status setServerSubjectName(SSLX509Name name); - - const SSLX509Name& serverSubjectName() const { - return _serverSubjectName; - } - - SSLX509Name clientSubjectName; - Date_t serverCertificateExpirationDate; - bool hasCA = false; - -private: - SSLX509Name _serverSubjectName; - std::vector<SSLX509Name::Entry> _canonicalServerSubjectName; -}; - // These represent the ASN.1 type bytes for strings used in an X509 DirectoryString constexpr int kASN1BMPString = 30; constexpr int kASN1IA5String = 22; diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp index c112e7db5ee..d96ee83ced1 100644 --- a/src/mongo/util/net/ssl_manager_apple.cpp 
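Review bot: The ssl-gated library now owns the definition of `SSLPeerInfo::forSession` (via the added `"ssl_peer_info.cpp"`), while the first hunk removes `'$BUILD_DIR/mongo/transport/transport_layer_common'` from the LIBDEPS_PRIVATE of the library at line 96; the new file calls `transport::Session::declareDecoration`, so the library that compiles it must reach transport_layer_common directly or transitively, and that dependency list is outside this hunk. Any caller of `SSLPeerInfo::forSession` that is still built when `get_option('ssl') == 'off'` would also stop linking, since the definition has left what appears to be the unconditional library; a `--ssl=off` build is the quick way to confirm. Both env.Library calls begin before their hunks.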
+++ b/src/mongo/util/net/ssl_manager_apple.cpp @@ -55,6 +55,7 @@ #include "mongo/util/net/ssl_manager.h" #include "mongo/util/net/ssl_options.h" #include "mongo/util/net/ssl_parameters_gen.h" +#include "mongo/util/net/ssl_peer_info.h" using asio::ssl::apple::CFUniquePtr; diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index 3dc7325a90a..90fd2d5eba9 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp @@ -62,6 +62,7 @@ #include "mongo/util/net/socket_exception.h" #include "mongo/util/net/ssl_options.h" #include "mongo/util/net/ssl_parameters_gen.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/periodic_runner.h" #include "mongo/util/read_through_cache.h" diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp index 5c87b0161b0..5eed0bdb6a1 100644 --- a/src/mongo/util/net/ssl_manager_windows.cpp +++ b/src/mongo/util/net/ssl_manager_windows.cpp @@ -61,6 +61,7 @@ #include "mongo/util/net/ssl.hpp" #include "mongo/util/net/ssl_options.h" #include "mongo/util/net/ssl_parameters_gen.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/str.h" #include "mongo/util/text.h" diff --git a/src/mongo/util/net/ssl_peer_info.cpp b/src/mongo/util/net/ssl_peer_info.cpp new file mode 100644 index 00000000000..315fa751993 --- /dev/null +++ b/src/mongo/util/net/ssl_peer_info.cpp 
@@ -0,0 +1,46 @@ +/** + * Copyright (C) 2018-present MongoDB, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the Server Side Public License, version 1, + * as published by MongoDB, Inc. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * Server Side Public License for more details. + * + * You should have received a copy of the Server Side Public License + * along with this program. If not, see + * <http://www.mongodb.com/licensing/server-side-public-license>. + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the Server Side Public License in all respects for + * all of the code used other than as permitted herein. If you modify file(s) + * with this exception, you may extend this exception to your version of the + * file(s), but you are not obligated to do so. If you do not wish to do so, + * delete this exception statement from your version. If you delete this + * exception statement from all source files in the program, then also delete + * it in the license file. 
+ */ + +#include "mongo/platform/basic.h" + +#include "mongo/util/net/ssl_peer_info.h" + +namespace mongo { +namespace { +const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession = + transport::Session::declareDecoration<SSLPeerInfo>(); +} +SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) { + return peerInfoForSession(session.get()); +} + +const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) { + return peerInfoForSession(session.get()); +} +} // namespace mongo
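Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker after `} // namespace mongo`), and ssl_peer_info.h in the next hunk has the same problem; both should get one before merge, since clang-format and most lint checks flag it. The anonymous-namespace decoration would also read better with a one-line comment, e.g. `// Per-session slot for the peer's TLS identity; a new session presumably starts with the default-constructed value (isTLS == false).` The two `forSession` overloads are otherwise a straight move of the code removed from ssl_types.cpp.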
\ No newline at end of file diff --git a/src/mongo/util/net/ssl_peer_info.h b/src/mongo/util/net/ssl_peer_info.h new file mode 100644 index 00000000000..b336fd95e18 --- /dev/null +++ b/src/mongo/util/net/ssl_peer_info.h 
@@ -0,0 +1,67 @@ +/** + * Copyright (C) 2018-present MongoDB, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the Server Side Public License, version 1, + * as published by MongoDB, Inc. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * Server Side Public License for more details. + * + * You should have received a copy of the Server Side Public License + * along with this program. If not, see + * <http://www.mongodb.com/licensing/server-side-public-license>. + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the Server Side Public License in all respects for + * all of the code used other than as permitted herein. If you modify file(s) + * with this exception, you may extend this exception to your version of the + * file(s), but you are not obligated to do so. If you do not wish to do so, + * delete this exception statement from your version. If you delete this + * exception statement from all source files in the program, then also delete + * it in the license file. + */ + +#pragma once + +#include "mongo/transport/session.h" +#include "mongo/util/net/ssl_types.h" + +namespace mongo { +/** + * Contains information extracted from the peer certificate which is consumed by subsystems + * outside of the networking stack. 
+ */ +struct SSLPeerInfo { + explicit SSLPeerInfo(SSLX509Name subjectName, + boost::optional<std::string> sniName = {}, + stdx::unordered_set<RoleName> roles = {}) + : isTLS(true), + subjectName(std::move(subjectName)), + sniName(std::move(sniName)), + roles(std::move(roles)) {} + SSLPeerInfo() = default; + + explicit SSLPeerInfo(boost::optional<std::string> sniName) + : isTLS(true), sniName(std::move(sniName)) {} + + /** + * This flag is used to indicate if the underlying socket is using TLS or not. A default + * constructor of SSLPeerInfo indicates that TLS is not being used, and the other + * constructors set its value to true. + */ + bool isTLS = false; + + SSLX509Name subjectName; + boost::optional<std::string> sniName; + stdx::unordered_set<RoleName> roles; + + static SSLPeerInfo& forSession(const transport::SessionHandle& session); + static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session); +}; +} // namespace mongo
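Review bot: The header uses `std::string`, `boost::optional`, `stdx::unordered_set` and `RoleName` but only includes `mongo/transport/session.h` and `mongo/util/net/ssl_types.h`, so it relies on ssl_types.h providing them transitively (ssl_types.h does include `mongo/db/auth/role_name.h` and `mongo/stdx/unordered_set.h`, as its own hunk shows). Adding `#include <string>` and `#include <boost/optional.hpp>` plus those two project headers would make the file self-sufficient. The `explicit SSLPeerInfo(boost::optional<std::string> sniName)` constructor sets isTLS to true while leaving subjectName empty, which the isTLS comment could state explicitly, e.g. `// isTLS may be true with an empty subjectName: the SNI-only constructor covers TLS sessions that presented no client certificate.` — confirm that is the intended meaning before wording it that way.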
\ No newline at end of file diff --git a/src/mongo/util/net/ssl_types.cpp b/src/mongo/util/net/ssl_types.cpp index cc2f7e063ea..217da793c7c 100644 --- a/src/mongo/util/net/ssl_types.cpp +++ b/src/mongo/util/net/ssl_types.cpp @@ -35,21 +35,6 @@ namespace mongo { -namespace { - -const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession = - transport::Session::declareDecoration<SSLPeerInfo>(); - -} // namespace - -SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) { - return peerInfoForSession(session.get()); -} - -const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) { - return peerInfoForSession(session.get()); -} - const SSLParams& getSSLGlobalParams() { return sslGlobalParams; } diff --git a/src/mongo/util/net/ssl_types.h b/src/mongo/util/net/ssl_types.h index a006fd721e1..6f859ee01aa 100644 --- a/src/mongo/util/net/ssl_types.h +++ b/src/mongo/util/net/ssl_types.h @@ -34,7 +34,6 @@ #include "mongo/bson/util/builder.h" #include "mongo/db/auth/role_name.h" #include "mongo/stdx/unordered_set.h" -#include "mongo/transport/session.h" namespace mongo { 
@@ -110,36 +109,24 @@ inline bool operator<(const SSLX509Name::Entry& lhs, const SSLX509Name::Entry& r return lhs.equalityLens() < rhs.equalityLens(); } -/** - * Contains information extracted from the peer certificate which is consumed by subsystems - * outside of the networking stack. - */ -struct SSLPeerInfo { - explicit SSLPeerInfo(SSLX509Name subjectName, - boost::optional<std::string> sniName = {}, - stdx::unordered_set<RoleName> roles = {}) - : isTLS(true), - subjectName(std::move(subjectName)), - sniName(std::move(sniName)), - roles(std::move(roles)) {} - SSLPeerInfo() = default; - - explicit SSLPeerInfo(boost::optional<std::string> sniName) - : isTLS(true), sniName(std::move(sniName)) {} +class SSLConfiguration { +public: + bool isClusterMember(StringData subjectName) const; + bool isClusterMember(SSLX509Name subjectName) const; + void getServerStatusBSON(BSONObjBuilder*) const; + Status setServerSubjectName(SSLX509Name name); - /** - * This flag is used to indicate if the underlying socket is using TLS or not. A default - * constructor of SSLPeerInfo indicates that TLS is not being used, and the other - * constructors set its value to true. - */ - bool isTLS = false; + const SSLX509Name& serverSubjectName() const { + return _serverSubjectName; + } - SSLX509Name subjectName; - boost::optional<std::string> sniName; - stdx::unordered_set<RoleName> roles; + SSLX509Name clientSubjectName; + Date_t serverCertificateExpirationDate; + bool hasCA = false; - static SSLPeerInfo& forSession(const transport::SessionHandle& session); - static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session); +private: + SSLX509Name _serverSubjectName; + std::vector<SSLX509Name::Entry> _canonicalServerSubjectName; }; } // namespace mongo |
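Review bot: `SSLConfiguration` arrives in ssl_types.h without any class comment, unlike the `SSLPeerInfo` it replaces, and `isClusterMember` is apparently the check that decides whether a peer certificate is accepted as an intra-cluster identity, so its contract deserves a sentence here. Something like `// Process-wide TLS identity configuration: the server certificate subject plus the isClusterMember() test used to decide whether a peer certificate belongs to this cluster.` above the class would do, with the exact matching rule confirmed against the .cpp, which this hunk does not show. `isClusterMember(SSLX509Name subjectName) const` takes its argument by value next to the `StringData` overload; if it only reads the name, `const SSLX509Name&` avoids a copy per call, though this is moved code and may be deliberate.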