authorGabriel Marks <gabriel.marks@mongodb.com>2020-06-26 15:42:20 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-07-08 23:23:41 +0000
commitb0b09d66b99d80a0a65c4bc552b6e9f443aadb3b (patch)
treedca13f3eab48c9edb4f276ba89f5c8efd4338b5f /src/mongo/util
parent8895e4ca0321aa121cd0558a8622286bdf1f41b2 (diff)
SERVER-49112 Add Session::getSSLConfiguration
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/net/SConscript2
-rw-r--r--src/mongo/util/net/ssl_manager.h21
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp1
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp1
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp1
-rw-r--r--src/mongo/util/net/ssl_peer_info.cpp46
-rw-r--r--src/mongo/util/net/ssl_peer_info.h67
-rw-r--r--src/mongo/util/net/ssl_types.cpp15
-rw-r--r--src/mongo/util/net/ssl_types.h43
9 files changed, 133 insertions, 64 deletions
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index ccdef1287b2..41ff54ec20b 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -96,7 +96,6 @@ env.Library(
'$BUILD_DIR/mongo/base',
],
LIBDEPS_PRIVATE=[
- '$BUILD_DIR/mongo/transport/transport_layer_common',
'ssl_options',
]
)
@@ -122,6 +121,7 @@ if not get_option('ssl') == 'off':
"ssl_parameters.cpp",
"ssl_manager_%s.cpp" % (ssl_provider),
"ssl_stream.cpp",
+ "ssl_peer_info.cpp",
env.Idlc('ssl_parameters.idl')[0],
"ocsp/ocsp_manager.cpp",
],
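Review bot: Adding `ssl_peer_info.cpp` to this library's source list does not come with a matching `LIBDEPS` entry, yet the new file calls `transport::Session::declareDecoration` and so links against the transport layer; unless this library already depends on `$BUILD_DIR/mongo/transport/transport_layer_common` (the LIBDEPS list is outside the hunk, so I cannot confirm), the dependency removed from the other library in the first hunk needs to be re-added here. The enclosing `env.Library(` call starts and ends outside the hunk. A one-line addition in its LIBDEPS (or LIBDEPS_PRIVATE) block would be `'$BUILD_DIR/mongo/transport/transport_layer_common',`.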
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index 8bcb12db721..979dc9f0f2f 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -44,6 +44,7 @@
#include "mongo/util/decorable.h"
#include "mongo/util/net/sock.h"
#include "mongo/util/net/ssl/apple.hpp"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/out_of_line_executor.h"
#include "mongo/util/time_support.h"
@@ -117,26 +118,6 @@ public:
virtual ~SSLConnectionInterface();
};
-class SSLConfiguration {
-public:
- bool isClusterMember(StringData subjectName) const;
- bool isClusterMember(SSLX509Name subjectName) const;
- void getServerStatusBSON(BSONObjBuilder*) const;
- Status setServerSubjectName(SSLX509Name name);
-
- const SSLX509Name& serverSubjectName() const {
- return _serverSubjectName;
- }
-
- SSLX509Name clientSubjectName;
- Date_t serverCertificateExpirationDate;
- bool hasCA = false;
-
-private:
- SSLX509Name _serverSubjectName;
- std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
-};
-
// These represent the ASN.1 type bytes for strings used in an X509 DirectoryString
constexpr int kASN1BMPString = 30;
constexpr int kASN1IA5String = 22;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index c112e7db5ee..d96ee83ced1 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -55,6 +55,7 @@
#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
using asio::ssl::apple::CFUniquePtr;
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 3dc7325a90a..90fd2d5eba9 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -62,6 +62,7 @@
#include "mongo/util/net/socket_exception.h"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/periodic_runner.h"
#include "mongo/util/read_through_cache.h"
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 5c87b0161b0..5eed0bdb6a1 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -61,6 +61,7 @@
#include "mongo/util/net/ssl.hpp"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/str.h"
#include "mongo/util/text.h"
diff --git a/src/mongo/util/net/ssl_peer_info.cpp b/src/mongo/util/net/ssl_peer_info.cpp
new file mode 100644
index 00000000000..315fa751993
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.cpp
@@ -0,0 +1,46 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/util/net/ssl_peer_info.h"
+
+namespace mongo {
+namespace {
+const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
+ transport::Session::declareDecoration<SSLPeerInfo>();
+}
+SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
+ return peerInfoForSession(session.get());
+}
+
+const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) {
+ return peerInfoForSession(session.get());
+}
+} // namespace mongo \ No newline at end of file
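Review bot: The anonymous namespace opened at `namespace {` is closed by a bare `}` directly followed by the `forSession` definition, dropping the `}  // namespace` marker and the surrounding blank lines that the original in ssl_types.cpp had; since the new file is otherwise a verbatim move, keeping that layout makes the move reviewable as such. The file also ends without a trailing newline. I would change the closing line to `}  // namespace` and add a blank line before the first `forSession` definition.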
diff --git a/src/mongo/util/net/ssl_peer_info.h b/src/mongo/util/net/ssl_peer_info.h
new file mode 100644
index 00000000000..b336fd95e18
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.h
@@ -0,0 +1,67 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#pragma once
+
+#include "mongo/transport/session.h"
+#include "mongo/util/net/ssl_types.h"
+
+namespace mongo {
+/**
+ * Contains information extracted from the peer certificate which is consumed by subsystems
+ * outside of the networking stack.
+ */
+struct SSLPeerInfo {
+ explicit SSLPeerInfo(SSLX509Name subjectName,
+ boost::optional<std::string> sniName = {},
+ stdx::unordered_set<RoleName> roles = {})
+ : isTLS(true),
+ subjectName(std::move(subjectName)),
+ sniName(std::move(sniName)),
+ roles(std::move(roles)) {}
+ SSLPeerInfo() = default;
+
+ explicit SSLPeerInfo(boost::optional<std::string> sniName)
+ : isTLS(true), sniName(std::move(sniName)) {}
+
+ /**
+ * This flag is used to indicate if the underlying socket is using TLS or not. A default
+ * constructor of SSLPeerInfo indicates that TLS is not being used, and the other
+ * constructors set its value to true.
+ */
+ bool isTLS = false;
+
+ SSLX509Name subjectName;
+ boost::optional<std::string> sniName;
+ stdx::unordered_set<RoleName> roles;
+
+ static SSLPeerInfo& forSession(const transport::SessionHandle& session);
+ static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session);
+};
+} // namespace mongo \ No newline at end of file
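Review bot: The two `forSession` overloads are the only way other subsystems reach the per-session peer identity (subject name and roles), but they carry no documentation in the new header; a short comment such as `/** Returns the SSLPeerInfo decoration attached to the session; a fresh session holds the default value (isTLS == false) until the TLS layer populates it. */` would make the contract visible at the call site. The header also uses `boost::optional`, `std::string`, `stdx::unordered_set` and `RoleName` while including only session.h and ssl_types.h; the last two are visibly provided by ssl_types.h, but `<boost/optional.hpp>` and `<string>` should presumably be included directly rather than relied on transitively. The file ends without a trailing newline.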
diff --git a/src/mongo/util/net/ssl_types.cpp b/src/mongo/util/net/ssl_types.cpp
index cc2f7e063ea..217da793c7c 100644
--- a/src/mongo/util/net/ssl_types.cpp
+++ b/src/mongo/util/net/ssl_types.cpp
@@ -35,21 +35,6 @@
namespace mongo {
-namespace {
-
-const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
- transport::Session::declareDecoration<SSLPeerInfo>();
-
-} // namespace
-
-SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
- return peerInfoForSession(session.get());
-}
-
-const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) {
- return peerInfoForSession(session.get());
-}
-
const SSLParams& getSSLGlobalParams() {
return sslGlobalParams;
}
diff --git a/src/mongo/util/net/ssl_types.h b/src/mongo/util/net/ssl_types.h
index a006fd721e1..6f859ee01aa 100644
--- a/src/mongo/util/net/ssl_types.h
+++ b/src/mongo/util/net/ssl_types.h
@@ -34,7 +34,6 @@
#include "mongo/bson/util/builder.h"
#include "mongo/db/auth/role_name.h"
#include "mongo/stdx/unordered_set.h"
-#include "mongo/transport/session.h"
namespace mongo {
@@ -110,36 +109,24 @@ inline bool operator<(const SSLX509Name::Entry& lhs, const SSLX509Name::Entry& r
return lhs.equalityLens() < rhs.equalityLens();
}
-/**
- * Contains information extracted from the peer certificate which is consumed by subsystems
- * outside of the networking stack.
- */
-struct SSLPeerInfo {
- explicit SSLPeerInfo(SSLX509Name subjectName,
- boost::optional<std::string> sniName = {},
- stdx::unordered_set<RoleName> roles = {})
- : isTLS(true),
- subjectName(std::move(subjectName)),
- sniName(std::move(sniName)),
- roles(std::move(roles)) {}
- SSLPeerInfo() = default;
-
- explicit SSLPeerInfo(boost::optional<std::string> sniName)
- : isTLS(true), sniName(std::move(sniName)) {}
+class SSLConfiguration {
+public:
+ bool isClusterMember(StringData subjectName) const;
+ bool isClusterMember(SSLX509Name subjectName) const;
+ void getServerStatusBSON(BSONObjBuilder*) const;
+ Status setServerSubjectName(SSLX509Name name);
- /**
- * This flag is used to indicate if the underlying socket is using TLS or not. A default
- * constructor of SSLPeerInfo indicates that TLS is not being used, and the other
- * constructors set its value to true.
- */
- bool isTLS = false;
+ const SSLX509Name& serverSubjectName() const {
+ return _serverSubjectName;
+ }
- SSLX509Name subjectName;
- boost::optional<std::string> sniName;
- stdx::unordered_set<RoleName> roles;
+ SSLX509Name clientSubjectName;
+ Date_t serverCertificateExpirationDate;
+ bool hasCA = false;
- static SSLPeerInfo& forSession(const transport::SessionHandle& session);
- static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session);
+private:
+ SSLX509Name _serverSubjectName;
+ std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
};
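Review bot: `SSLConfiguration` arrives in this header with no class comment, and its mix of public fields (`clientSubjectName`, `serverCertificateExpirationDate`, `hasCA`) and a private `_serverSubjectName` reachable only through `setServerSubjectName` deserves a sentence explaining why; I would add `/** Local TLS identity and peer-acceptance settings; the server subject name is set only via setServerSubjectName so that the private canonical form stays consistent with it (presumably why it is not a public field). */` above the class. The class also uses `Date_t`, `Status`, `StringData` and `std::vector`, and the only includes visible for this header are builder.h, role_name.h and unordered_set.h, so `mongo/util/time_support.h` and `<vector>` may need to be included here now that the class no longer lives in ssl_manager.h (which included time_support.h).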
} // namespace mongo