SERVER-34653 Add 'AuthorizationSession::isAuthenticated()'

5 files changed, 16 insertions, 14 deletions

diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index 8d990765552..8c71e6bdcea 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -218,6 +218,10 @@ void AuthorizationSession::logoutDatabase(const std::string& dbname) {
     _buildAuthenticatedRolesVector();
 }
 
+bool AuthorizationSession::isAuthenticated() {
+    return _authenticatedUsers.begin() != _authenticatedUsers.end();
+}
+
 UserNameIterator AuthorizationSession::getAuthenticatedUserNames() {
     return _authenticatedUsers.getNames();
 }
@@ -300,7 +304,7 @@ Status AuthorizationSession::checkAuthForAggregate(const NamespaceString& nss,
     }
 
     // We require at least one authenticated user when running aggregate with auth enabled.
-    if (!getAuthenticatedUserNames().more()) {
+    if (!isAuthenticated()) {
         return Status(ErrorCodes::Unauthorized, "unauthorized");
     }
 
@@ -382,7 +386,7 @@ Status AuthorizationSession::checkAuthForGetMore(const NamespaceString& ns,
                                                  bool hasTerm) {
     // Since users can only getMore their own cursors, we verify that a user either is authenticated
     // or does not need to be.
-    if (!_externalState->shouldIgnoreAuthChecks() && !getAuthenticatedUserNames().more()) {
+    if (!_externalState->shouldIgnoreAuthChecks() && !isAuthenticated()) {
         return Status(ErrorCodes::Unauthorized,
                       str::stream() << "not authorized for getMore on " << ns.db());
     }
@@ -974,7 +978,7 @@ bool AuthorizationSession::isCoauthorizedWith(UserNameIterator userNameIter) {
     if (!getAuthorizationManager().isAuthEnabled()) {
         return true;
     }
-    if (!userNameIter.more() && !getAuthenticatedUserNames().more()) {
+    if (!userNameIter.more() && !isAuthenticated()) {
         return true;
     }
 
@@ -1025,10 +1029,6 @@ auto mongo::checkCursorSessionPrivilege(OperationContext* const opCtx,
     }
     auto* const authSession = AuthorizationSession::get(opCtx->getClient());
 
-    auto nobodyIsLoggedIn = [authSession] {
-        return !authSession->getAuthenticatedUserNames().more();
-    };
-
     auto authHasImpersonatePrivilege = [authSession] {
         return authSession->isAuthorizedForPrivilege(
             Privilege(ResourcePattern::forClusterResource(), ActionType::impersonate));
@@ -1057,8 +1057,9 @@ auto mongo::checkCursorSessionPrivilege(OperationContext* const opCtx,
                                                             // the Operation Context's session, then
                                                             // we should forbid the operation even
                                                             // when the cursor has no session.
-        !nobodyIsLoggedIn() &&          // Unless, for some reason a user isn't actually using this
-                                        // Operation Context (which implies a background job
+        authSession->isAuthenticated() &&  // Unless, for some reason a user isn't actually using
+                                           // this Operation Context (which implies a background
+                                           // job)
         !authHasImpersonatePrivilege()  // Or if the user has an impersonation privilege, in which
                                         // case, the user gets to sidestep certain checks.
         ) {
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h
index 81cfdc466d0..e260d859651 100644
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@@ -144,6 +144,9 @@ public:
     // multiple users are authenticated, this method will throw an exception.
     User* getSingleUser();
 
+    // Is authenticated as at least one user.
+    bool isAuthenticated();
+
     // Gets an iterator over the names of all authenticated users stored in this manager.
     UserNameIterator getAuthenticatedUserNames();
 
diff --git a/src/mongo/db/commands/current_op.cpp b/src/mongo/db/commands/current_op.cpp
index 20d652fcaf2..a53d7876c2c 100644
--- a/src/mongo/db/commands/current_op.cpp
+++ b/src/mongo/db/commands/current_op.cpp
@@ -55,8 +55,7 @@ public:
             return Status::OK();
         }
 
-        bool isAuthenticated = authzSession->getAuthenticatedUserNames().more();
-        if (isAuthenticated && cmdObj["$ownOps"].trueValue()) {
+        if (authzSession->isAuthenticated() && cmdObj["$ownOps"].trueValue()) {
             return Status::OK();
         }
 
diff --git a/src/mongo/db/commands/kill_op_cmd_base.cpp b/src/mongo/db/commands/kill_op_cmd_base.cpp
index 50035b03eea..d6763a506fb 100644
--- a/src/mongo/db/commands/kill_op_cmd_base.cpp
+++ b/src/mongo/db/commands/kill_op_cmd_base.cpp
@@ -51,8 +51,7 @@ Status KillOpCmdBase::checkAuthForCommand(Client* client,
         return Status::OK();
     }
 
-    bool isAuthenticated = AuthorizationSession::get(client)->getAuthenticatedUserNames().more();
-    if (isAuthenticated && isKillingLocalOp(cmdObj.getField("op"))) {
+    if (authzSession->isAuthenticated() && isKillingLocalOp(cmdObj.getField("op"))) {
         // Look up the OperationContext and see if we have permission to kill it. This is done once
         // here and again in the command body. The check here in the checkAuthForCommand() function
         // is necessary because if the check fails, it will be picked up by the auditing system.
diff --git a/src/mongo/db/initialize_operation_session_info.cpp b/src/mongo/db/initialize_operation_session_info.cpp
index d76dc197c16..a4f3d005b10 100644
--- a/src/mongo/db/initialize_operation_session_info.cpp
+++ b/src/mongo/db/initialize_operation_session_info.cpp
@@ -54,7 +54,7 @@ boost::optional<OperationSessionInfoFromClient> initializeOperationSessionInfo(
         // or as an externally authorized user.
         AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
         if (authSession && authSession->isUsingLocalhostBypass() &&
-            !authSession->getAuthenticatedUserNames().more()) {
+            !authSession->isAuthenticated()) {
             return boost::none;
         }
     }