diff options
author | Spencer Jackson <spencer.jackson@mongodb.com> | 2015-03-16 15:21:12 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2015-04-02 11:32:09 -0400 |
commit | 61e9a413e9c8f09a034557cfcae678f7a8527ae2 (patch) | |
tree | 6e1c2b1531a3ee6ce4403afd54c45bcb816242d9 /src/mongo | |
parent | a0bb65b88e71c4f3cb1e2033b716716bae1a08f9 (diff) | |
download | mongo-61e9a413e9c8f09a034557cfcae678f7a8527ae2.tar.gz |
SERVER-17548: Refactor SSLManager's Param class
Diffstat (limited to 'src/mongo')
-rw-r--r-- | src/mongo/client/dbclient.cpp | 4 | ||||
-rw-r--r-- | src/mongo/db/commands/parameters.cpp | 20 | ||||
-rw-r--r-- | src/mongo/util/net/message_port.cpp | 4 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 99 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 16 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 6 |
6 files changed, 50 insertions, 99 deletions
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp index b8e1f555dc5..bca7e7f348b 100644 --- a/src/mongo/client/dbclient.cpp +++ b/src/mongo/client/dbclient.cpp @@ -1077,8 +1077,8 @@ namespace mongo { #ifdef MONGO_CONFIG_SSL int sslModeVal = sslGlobalParams.sslMode.load(); - if (sslModeVal == SSLGlobalParams::SSLMode_preferSSL || - sslModeVal == SSLGlobalParams::SSLMode_requireSSL) { + if (sslModeVal == SSLParams::SSLMode_preferSSL || + sslModeVal == SSLParams::SSLMode_requireSSL) { return p->secure( sslManager(), _server.host() ); } #endif diff --git a/src/mongo/db/commands/parameters.cpp b/src/mongo/db/commands/parameters.cpp index 048175dd109..168a981d1fc 100644 --- a/src/mongo/db/commands/parameters.cpp +++ b/src/mongo/db/commands/parameters.cpp @@ -425,13 +425,13 @@ namespace mongo { std::string sslModeStr() { switch (sslGlobalParams.sslMode.load()) { - case SSLGlobalParams::SSLMode_disabled: + case SSLParams::SSLMode_disabled: return "disabled"; - case SSLGlobalParams::SSLMode_allowSSL: + case SSLParams::SSLMode_allowSSL: return "allowSSL"; - case SSLGlobalParams::SSLMode_preferSSL: + case SSLParams::SSLMode_preferSSL: return "preferSSL"; - case SSLGlobalParams::SSLMode_requireSSL: + case SSLParams::SSLMode_requireSSL: return "requireSSL"; default: return "undefined"; @@ -468,11 +468,11 @@ namespace mongo { } int oldMode = sslGlobalParams.sslMode.load(); - if (str == "preferSSL" && oldMode == SSLGlobalParams::SSLMode_allowSSL) { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_preferSSL); + if (str == "preferSSL" && oldMode == SSLParams::SSLMode_allowSSL) { + sslGlobalParams.sslMode.store(SSLParams::SSLMode_preferSSL); } - else if (str == "requireSSL" && oldMode == SSLGlobalParams::SSLMode_preferSSL) { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL); + else if (str == "requireSSL" && oldMode == SSLParams::SSLMode_preferSSL) { + sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL); } else { return Status(ErrorCodes::BadValue, mongoutils::str::stream() << @@ -540,8 +540,8 @@ namespace mongo { int sslMode = sslGlobalParams.sslMode.load(); if (str == "sendX509" && oldMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile) { - if (sslMode == SSLGlobalParams::SSLMode_disabled || - sslMode == SSLGlobalParams::SSLMode_allowSSL) { + if (sslMode == SSLParams::SSLMode_disabled || + sslMode == SSLParams::SSLMode_allowSSL) { return Status(ErrorCodes::BadValue, mongoutils::str::stream() << "Illegal state transition for clusterAuthMode, " << "need to enable SSL for outgoing connections"); diff --git a/src/mongo/util/net/message_port.cpp b/src/mongo/util/net/message_port.cpp index 910749e24af..4a502d53280 100644 --- a/src/mongo/util/net/message_port.cpp +++ b/src/mongo/util/net/message_port.cpp @@ -214,14 +214,14 @@ again: && header.constView().getResponseTo() != -1) { uassert(17132, "SSL handshake received but server is started without SSL support", - sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_disabled); + sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled); setX509SubjectName(psock->doSSLHandshake( reinterpret_cast<const char*>(&header), sizeof(header))); psock->setHandshakeReceived(); goto again; } uassert(17189, "The server is configured to only allow SSL connections", - sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_requireSSL); + sslGlobalParams.sslMode.load() != SSLParams::SSLMode_requireSSL); #endif // MONGO_CONFIG_SSL } if ( static_cast<size_t>(len) < sizeof(MSGHEADER::Value) || diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index af87701a590..748ca80f5de 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -63,7 +63,7 @@ using std::endl; namespace mongo { - SSLGlobalParams sslGlobalParams; + SSLParams sslGlobalParams; #ifndef MONGO_CONFIG_SSL const std::string getSSLVersion(const std::string &prefix, const std::string &suffix) { @@ -155,46 +155,9 @@ namespace mongo { static const int BUFFER_SIZE = 8*1024; static const int DATE_LEN = 128; - struct Params { - Params(const std::string& pemfile, - const std::string& pempwd, - const std::string& clusterfile, - const std::string& clusterpwd, - const std::string& cafile = "", - const std::string& crlfile = "", - const std::string& cipherConfig = "", - bool weakCertificateValidation = false, - bool allowInvalidCertificates = false, - bool allowInvalidHostnames = false, - bool fipsMode = false) : - pemfile(pemfile), - pempwd(pempwd), - clusterfile(clusterfile), - clusterpwd(clusterpwd), - cafile(cafile), - crlfile(crlfile), - cipherConfig(cipherConfig), - weakCertificateValidation(weakCertificateValidation), - allowInvalidCertificates(allowInvalidCertificates), - allowInvalidHostnames(allowInvalidHostnames), - fipsMode(fipsMode) {}; - - std::string pemfile; - std::string pempwd; - std::string clusterfile; - std::string clusterpwd; - std::string cafile; - std::string crlfile; - std::string cipherConfig; - bool weakCertificateValidation; - bool allowInvalidCertificates; - bool allowInvalidHostnames; - bool fipsMode; - }; - class SSLManager : public SSLManagerInterface { public: - explicit SSLManager(const Params& params, bool isServer); + explicit SSLManager(const SSLParams& params, bool isServer); virtual ~SSLManager(); @@ -251,7 +214,7 @@ namespace mongo { /* * Init the SSL context using parameters provided in params. */ - bool _initSSLContext(SSL_CTX** context, const Params& params); + bool _initSSLContext(SSL_CTX** context, const SSLParams& params); /* * Converts time from OpenSSL return value to unsigned long long @@ -325,20 +288,8 @@ namespace mongo { MONGO_INITIALIZER(SSLManager)(InitializerContext* context) { SimpleMutex::scoped_lock lck(sslManagerMtx); - if (sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_disabled) { - const Params params( - sslGlobalParams.sslPEMKeyFile, - sslGlobalParams.sslPEMKeyPassword, - sslGlobalParams.sslClusterFile, - sslGlobalParams.sslClusterPassword, - sslGlobalParams.sslCAFile, - sslGlobalParams.sslCRLFile, - sslGlobalParams.sslCipherConfig, - sslGlobalParams.sslWeakCertificateValidation, - sslGlobalParams.sslAllowInvalidCertificates, - sslGlobalParams.sslAllowInvalidHostnames, - sslGlobalParams.sslFIPSMode); - theSSLManager = new SSLManager(params, isSSLServer); + if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) { + theSSLManager = new SSLManager(sslGlobalParams, isSSLServer); } return Status::OK(); } @@ -421,18 +372,18 @@ namespace mongo { SSLManagerInterface::~SSLManagerInterface() {} - SSLManager::SSLManager(const Params& params, bool isServer) : + SSLManager::SSLManager(const SSLParams& params, bool isServer) : _serverContext(NULL), _clientContext(NULL), - _weakValidation(params.weakCertificateValidation), - _allowInvalidCertificates(params.allowInvalidCertificates), - _allowInvalidHostnames(params.allowInvalidHostnames) { + _weakValidation(params.sslWeakCertificateValidation), + _allowInvalidCertificates(params.sslAllowInvalidCertificates), + _allowInvalidHostnames(params.sslAllowInvalidHostnames) { SSL_library_init(); SSL_load_error_strings(); ERR_load_crypto_strings(); - if (params.fipsMode) { + if (params.sslFIPSMode) { _setupFIPS(); } @@ -453,14 +404,14 @@ namespace mongo { // pick the certificate for use in outgoing connections, std::string clientPEM; - if (!isServer || params.clusterfile.empty()) { + if (!isServer || params.sslClusterFile.empty()) { // We are either a client, or a server without a cluster key, // so use the PEM key file, if specified - clientPEM = params.pemfile; + clientPEM = params.sslPEMKeyFile; } else { // We are a server with a cluster key, so use the cluster key file - clientPEM = params.clusterfile; + clientPEM = params.sslClusterFile; } if (!clientPEM.empty()) { @@ -475,7 +426,7 @@ namespace mongo { uasserted(16562, "ssl initialization problem"); } - if (!_parseAndValidateCertificate(params.pemfile, + if (!_parseAndValidateCertificate(params.sslPEMKeyFile, &_sslConfiguration.serverSubjectName, &_sslConfiguration.serverCertificateExpirationDate)) { uasserted(16942, "ssl initialization problem"); @@ -579,7 +530,7 @@ namespace mongo { #endif } - bool SSLManager::_initSSLContext(SSL_CTX** context, const Params& params) { + bool SSLManager::_initSSLContext(SSL_CTX** context, const SSLParams& params) { *context = SSL_CTX_new(SSLv23_method()); massert(15864, mongoutils::str::stream() << "can't create SSL Context: " << @@ -598,8 +549,8 @@ namespace mongo { std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH"; // Allow the cipher configuration string to be overriden by --sslCipherConfig - if (!params.cipherConfig.empty()) { - cipherConfig = params.cipherConfig; + if (!params.sslCipherConfig.empty()) { + cipherConfig = params.sslCipherConfig; } massert(28615, mongoutils::str::stream() << "can't set supported cipher suites: " << @@ -619,29 +570,29 @@ namespace mongo { sizeof(*context))); // Use the clusterfile for internal outgoing SSL connections if specified - if (context == &_clientContext && !params.clusterfile.empty()) { + if (context == &_clientContext && !params.sslClusterFile.empty()) { EVP_set_pw_prompt("Enter cluster certificate passphrase"); - if (!_setupPEM(*context, params.clusterfile, params.clusterpwd)) { + if (!_setupPEM(*context, params.sslClusterFile, params.sslClusterPassword)) { return false; } } // Use the pemfile for everything else - else if (!params.pemfile.empty()) { + else if (!params.sslPEMKeyFile.empty()) { EVP_set_pw_prompt("Enter PEM passphrase"); - if (!_setupPEM(*context, params.pemfile, params.pempwd)) { + if (!_setupPEM(*context, params.sslPEMKeyFile, params.sslPEMKeyPassword)) { return false; } } - if (!params.cafile.empty()) { + if (!params.sslCAFile.empty()) { // Set up certificate validation with a certificate authority - if (!_setupCA(*context, params.cafile)) { + if (!_setupCA(*context, params.sslCAFile)) { return false; } } - if (!params.crlfile.empty()) { - if (!_setupCRL(*context, params.crlfile)) { + if (!params.sslCRLFile.empty()) { + if (!_setupCRL(*context, params.sslCRLFile)) { return false; } } diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp index c4ff4f2c48c..8369a1948b6 100644 --- a/src/mongo/util/net/ssl_options.cpp +++ b/src/mongo/util/net/ssl_options.cpp @@ -187,16 +187,16 @@ namespace mongo { if (params.count("net.ssl.mode")) { std::string sslModeParam = params["net.ssl.mode"].as<string>(); if (sslModeParam == "disabled") { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_disabled); + sslGlobalParams.sslMode.store(SSLParams::SSLMode_disabled); } else if (sslModeParam == "allowSSL") { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_allowSSL); + sslGlobalParams.sslMode.store(SSLParams::SSLMode_allowSSL); } else if (sslModeParam == "preferSSL") { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_preferSSL); + sslGlobalParams.sslMode.store(SSLParams::SSLMode_preferSSL); } else if (sslModeParam == "requireSSL") { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL); + sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL); } else { return Status(ErrorCodes::BadValue, @@ -258,7 +258,7 @@ namespace mongo { } int clusterAuthMode = serverGlobalParams.clusterAuthMode.load(); - if (sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_disabled) { + if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) { if (sslGlobalParams.sslPEMKeyFile.size() == 0) { return Status(ErrorCodes::BadValue, "need sslPEMKeyFile when SSL is enabled"); @@ -299,11 +299,11 @@ namespace mongo { if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile || clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 || clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) { - if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_disabled) { + if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_disabled) { return Status(ErrorCodes::BadValue, "need to enable SSL via the sslMode flag"); } } - if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_allowSSL) { + if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) { if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 || clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) { return Status(ErrorCodes::BadValue, @@ -315,7 +315,7 @@ namespace mongo { Status storeSSLClientOptions(const moe::Environment& params) { if (params.count("ssl") && params["ssl"].as<bool>() == true) { - sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL); + sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL); } if (params.count("ssl.PEMKeyFile")) { sslGlobalParams.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>(); diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h index f1b74c1f594..d2f2a79bc9a 100644 --- a/src/mongo/util/net/ssl_options.h +++ b/src/mongo/util/net/ssl_options.h @@ -39,7 +39,7 @@ namespace mongo { namespace moe = mongo::optionenvironment; - struct SSLGlobalParams { + struct SSLParams { AtomicInt32 sslMode; // --sslMode - the SSL operation mode, see enum SSLModes bool sslOnNormalPorts; // --sslOnNormalPorts (deprecated) std::string sslPEMKeyFile; // --sslPEMKeyFile @@ -54,7 +54,7 @@ namespace mongo { bool sslAllowInvalidCertificates; // --sslAllowInvalidCertificates bool sslAllowInvalidHostnames; // --sslAllowInvalidHostnames - SSLGlobalParams() { + SSLParams() { sslMode.store(SSLMode_disabled); } @@ -81,7 +81,7 @@ namespace mongo { }; }; - extern SSLGlobalParams sslGlobalParams; + extern SSLParams sslGlobalParams; Status addSSLServerOptions(moe::OptionSection* options); |