authorDavid Storch <david.storch@10gen.com>2019-05-29 17:01:35 -0400
committerDavid Storch <david.storch@10gen.com>2019-06-05 15:56:45 -0400
commit22a595fbef4d023002b3c74d529368fcc4dbb196 (patch)
tree7b17834f3189c1b16647a40e71af43a2f38b768a /src/mongo
parentbcad0d20e517e10f0dab71a0cfabe0a9e25c401b (diff)
downloadmongo-22a595fbef4d023002b3c74d529368fcc4dbb196.tar.gz
SERVER-41412 Introduce a search_beta_auth suite.
This variant of search_beta turns on auth on the cluster, including on the mongotmock, which supports the SCRAM-SHA-1 authentication mechanism. Also configures the pre-existing search_beta_ssl suite to use auth. There are changes in this commit which permit mongotmock to link in the necessary auth-related code and command line parameters without pulling in unnecessary dependencies, or adding new dependencies to mongocryptd.
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/SConscript22
-rw-r--r--src/mongo/db/SConscript4
-rw-r--r--src/mongo/db/auth/SConscript4
-rw-r--r--src/mongo/db/cluster_auth_mode_option.idl48
-rw-r--r--src/mongo/db/commands/SConscript19
-rw-r--r--src/mongo/db/keyfile_option.idl45
-rw-r--r--src/mongo/db/mongod_options.cpp4
-rw-r--r--src/mongo/db/server_options_general.idl1
-rw-r--r--src/mongo/db/server_options_nongeneral.idl13
-rw-r--r--src/mongo/s/mongos_options_init.cpp12
10 files changed, 140 insertions, 32 deletions
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index c8c8d009de4..735952f429b 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -341,15 +341,15 @@ mongod = env.Program(
'db/catalog/index_key_validate',
'db/cloner',
'db/collection_index_usage_tracker',
- 'db/commands/mongod_fcv',
'db/commands/mongod',
+ 'db/commands/mongod_fcv',
'db/commands/server_status_servers',
'db/common',
'db/concurrency/flow_control_ticketholder',
'db/concurrency/lock_manager',
'db/concurrency/write_conflict_exception',
- 'db/curop_metrics',
'db/curop',
+ 'db/curop_metrics',
'db/db_raii',
'db/dbdirectclient',
'db/dbhelpers',
@@ -357,9 +357,10 @@ mongod = env.Program(
'db/free_mon/free_mon_mongod',
'db/ftdc/ftdc_mongod',
'db/fts/ftsmongod',
- 'db/index_builds_coordinator_mongod',
'db/index/index_access_method',
'db/index/index_descriptor',
+ 'db/index_builds_coordinator_mongod',
+ 'db/initialize_server_security_state',
'db/initialize_snmp',
'db/introspect',
'db/keys_collection_client_direct',
@@ -368,7 +369,6 @@ mongod = env.Program(
'db/logical_time_metadata_hook',
'db/matcher/expressions_mongod_only',
'db/mongod_options',
- 'db/mongodandmongos',
'db/ops/write_ops_parsers',
'db/periodic_runner_job_abort_expired_transactions',
'db/periodic_runner_job_decrease_snapshot_cache_pressure',
@@ -389,8 +389,8 @@ mongod = env.Program(
'db/repl/rs_rollback',
'db/repl/rslog',
'db/repl/serveronly_repl',
- 'db/repl/storage_interface_impl',
'db/repl/storage_interface',
+ 'db/repl/storage_interface_impl',
'db/repl/topology_coordinator',
'db/rw_concern_d',
'db/s/balancer',
@@ -406,8 +406,8 @@ mongod = env.Program(
'db/storage/biggie/storage_biggie',
'db/storage/devnull/storage_devnull',
'db/storage/ephemeral_for_test/storage_ephemeral_for_test',
- 'db/storage/flow_control_parameters',
'db/storage/flow_control',
+ 'db/storage/flow_control_parameters',
'db/storage/storage_engine_lock_file',
'db/storage/storage_engine_metadata',
'db/storage/storage_init_d',
@@ -417,8 +417,8 @@ mongod = env.Program(
'db/traffic_recorder',
'db/ttl_collection_cache',
'db/ttl_d',
- 'db/update_index_data',
'db/update/update_driver',
+ 'db/update_index_data',
'db/views/views_mongod',
'db/windows_options' if env.TargetOSIs('windows') else [],
'executor/network_interface_factory',
@@ -506,17 +506,17 @@ mongos = env.Program(
LIBDEPS=[
'db/audit',
'db/auth/authmongos',
+ 'db/commands/server_status',
'db/commands/server_status_core',
'db/commands/server_status_servers',
- 'db/commands/server_status',
'db/curop',
'db/ftdc/ftdc_mongos',
- 'db/logical_session_cache_impl',
+ 'db/initialize_server_security_state',
'db/logical_session_cache',
+ 'db/logical_session_cache_impl',
'db/logical_time_metadata_hook',
- 'db/mongodandmongos',
- 'db/server_options_base',
'db/server_options',
+ 'db/server_options_base',
'db/service_liaison_mongos',
'db/sessions_collection_sharded',
'db/startup_warnings_common',
diff --git a/src/mongo/db/SConscript b/src/mongo/db/SConscript
index 8d789440a4f..864d55d2248 100644
--- a/src/mongo/db/SConscript
+++ b/src/mongo/db/SConscript
@@ -406,6 +406,8 @@ env.Library(
target='server_options_base',
source=[
'server_options_base.cpp',
+ env.Idlc('cluster_auth_mode_option.idl')[0],
+ env.Idlc('keyfile_option.idl')[0],
env.Idlc('server_options_base.idl')[0],
env.Idlc('server_options_general.idl')[0],
env.Idlc('server_options_nongeneral.idl')[0],
@@ -448,7 +450,7 @@ env.CppUnitTest(
# This library is linked into mongos and mongod only, not into the shell or any tools.
env.Library(
- target="mongodandmongos",
+ target="initialize_server_security_state",
source=[
"initialize_server_security_state.cpp",
],
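Review bot: The comment kept above the renamed target, `# This library is linked into mongos and mongod only, not into the shell or any tools.`, may be stale once this commit's goal of letting mongotmock link the auth-related code is in place; if mongotmock now links `initialize_server_security_state`, the comment should say so, e.g. `# This library is linked into mongod, mongos and mongotmock only, not into the shell or any tools.` The mongotmock SConscript is not part of this diff, so this is inferred from the commit description rather than from visible lines. The env.Library call continues past the end of the hunk.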
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index f26a2c3d5b2..f77549b799b 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -276,12 +276,12 @@ env.Library(
'saslauth',
],
LIBDEPS_PRIVATE=[
- 'sasl_options_init',
'$BUILD_DIR/mongo/client/sasl_client',
'$BUILD_DIR/mongo/db/audit',
'$BUILD_DIR/mongo/db/commands',
- '$BUILD_DIR/mongo/db/commands/servers',
+ '$BUILD_DIR/mongo/db/commands/authentication_commands',
'$BUILD_DIR/mongo/db/commands/test_commands_enabled',
+ 'sasl_options_init',
],
)
diff --git a/src/mongo/db/cluster_auth_mode_option.idl b/src/mongo/db/cluster_auth_mode_option.idl
new file mode 100644
index 00000000000..e184eff2b08
--- /dev/null
+++ b/src/mongo/db/cluster_auth_mode_option.idl
@@ -0,0 +1,48 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/db/server_options.h"
+ - "mongo/db/server_options_base.h"
+ configs:
+ section: 'General options'
+ source: [ cli, ini, yaml ]
+ initializer:
+ register: addClusterAuthModeServerOption
+
+configs:
+ 'security.clusterAuthMode':
+ description: >-
+ Authentication mode used for cluster authentication. Alternatives are
+ (keyFile|sendKeyFile|sendX509|x509)
+ short_name: clusterAuthMode
+ arg_vartype: String
+ validator:
+ callback: validateSecurityClusterAuthModeSetting
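Review bot: Neither this new file nor keyfile_option.idl (the next new-file hunk) says why the option now lives in its own IDL unit instead of server_options_nongeneral.idl, from which the identical definition is removed later in the commit; a comment after the license header such as `# Registered explicitly via addClusterAuthModeServerOption() rather than with the rest of the non-general server options, so a binary can opt into this option without linking server_options_nongeneral.` would record that. Both new files place the option under `section: 'General options'`, but the removal hunks do not show which section the definitions previously sat under, so whether these two options move to a different heading in --help output is worth confirming. The option definition itself is carried over unchanged, including its `validator` callback, so no behavioural change is visible in this hunk.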
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index ef2e9fa712c..61c39a599cd 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -133,7 +133,6 @@ env.Library(
env.Library(
target='servers',
source=[
- 'authentication_commands.cpp',
'conn_pool_stats.cpp',
'conn_pool_sync.cpp',
'connection_status.cpp',
@@ -149,9 +148,6 @@ env.Library(
],
LIBDEPS_PRIVATE=[
'$BUILD_DIR/mongo/client/clientdriver_minimal',
- '$BUILD_DIR/mongo/db/audit',
- '$BUILD_DIR/mongo/db/auth/sasl_options',
- '$BUILD_DIR/mongo/db/auth/user_document_parser',
'$BUILD_DIR/mongo/db/commands',
'$BUILD_DIR/mongo/db/common',
'$BUILD_DIR/mongo/db/log_process_details',
@@ -170,6 +166,7 @@ env.Library(
'$BUILD_DIR/mongo/s/sharding_legacy_api',
'$BUILD_DIR/mongo/scripting/scripting_common',
'$BUILD_DIR/mongo/util/ntservice',
+ 'authentication_commands',
'core',
'feature_compatibility_parsers',
'server_status',
@@ -178,6 +175,20 @@ env.Library(
)
env.Library(
+ target="authentication_commands",
+ source=[
+ 'authentication_commands.cpp',
+ ],
+ LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/db/audit',
+ '$BUILD_DIR/mongo/db/auth/sasl_options',
+ '$BUILD_DIR/mongo/db/auth/user_document_parser',
+ '$BUILD_DIR/mongo/db/commands',
+ '$BUILD_DIR/mongo/util/net/ssl_manager',
+ ]
+)
+
+env.Library(
target="mongod_fsync",
source=[
"fsync.cpp",
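Review bot: The new `authentication_commands` library has no comment explaining why it was split out of `servers`; since the auth SConscript in this commit swaps its private dependency from `commands/servers` to `commands/authentication_commands`, a line such as `# Kept separate from 'servers' so auth code can link the authentication commands without the rest of the server commands.` above the target would preserve the rationale. `'$BUILD_DIR/mongo/util/net/ssl_manager'` appears in the new LIBDEPS_PRIVATE list but is not among the lines removed from `servers` in this hunk; presumably authentication_commands.cpp reached it transitively before, which is worth confirming so the dependency is intentional rather than papering over one missing elsewhere. The `servers` LIBDEPS_PRIVATE edit sits in an env.Library call whose start and end are outside the hunk.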
diff --git a/src/mongo/db/keyfile_option.idl b/src/mongo/db/keyfile_option.idl
new file mode 100644
index 00000000000..09c1f66a145
--- /dev/null
+++ b/src/mongo/db/keyfile_option.idl
@@ -0,0 +1,45 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/db/server_options.h"
+ - "mongo/db/server_options_base.h"
+ configs:
+ section: 'General options'
+ source: [ cli, ini, yaml ]
+ initializer:
+ register: addKeyfileServerOption
+
+configs:
+ 'security.keyFile':
+ description: 'Private key for cluster authentication'
+ short_name: keyFile
+ arg_vartype: String
+ conflicts: noauth
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index cdbff5a8d20..756263a6ff5 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -40,7 +40,9 @@
#include "mongo/bson/json.h"
#include "mongo/bson/util/builder.h"
#include "mongo/config.h"
+#include "mongo/db/cluster_auth_mode_option_gen.h"
#include "mongo/db/global_settings.h"
+#include "mongo/db/keyfile_option_gen.h"
#include "mongo/db/mongod_options_general_gen.h"
#include "mongo/db/mongod_options_legacy_gen.h"
#include "mongo/db/mongod_options_replication_gen.h"
@@ -84,6 +86,8 @@ Status addMongodOptions(moe::OptionSection* options) try {
uassertStatusOK(addMongodShardingOptions(options));
uassertStatusOK(addMongodStorageOptions(options));
uassertStatusOK(addMongodLegacyOptions(options));
+ uassertStatusOK(addKeyfileServerOption(options));
+ uassertStatusOK(addClusterAuthModeServerOption(options));
return Status::OK();
} catch (const AssertionException& ex) {
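Review bot: mongod now registers `security.keyFile` and `security.clusterAuthMode` with two explicit calls here, and the mongos_options_init.cpp hunk repeats the same pair with its own status checks; with mongotmock described as a third registrant, one helper in server_options_base (say `addClusterAuthOptions(moe::OptionSection*)`, a constructed name) wrapping both generated functions would keep the call sites from drifting. Here that would collapse the two added lines to `uassertStatusOK(addClusterAuthOptions(options));`. addMongodOptions continues outside the hunk.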
diff --git a/src/mongo/db/server_options_general.idl b/src/mongo/db/server_options_general.idl
index e6183be0c5d..2761bb62a94 100644
--- a/src/mongo/db/server_options_general.idl
+++ b/src/mongo/db/server_options_general.idl
@@ -169,4 +169,3 @@ configs:
arg_vartype: Switch
source: [ cli, ini ]
hidden: true
-
diff --git a/src/mongo/db/server_options_nongeneral.idl b/src/mongo/db/server_options_nongeneral.idl
index b561fb5ce1a..72d4108aa89 100644
--- a/src/mongo/db/server_options_nongeneral.idl
+++ b/src/mongo/db/server_options_nongeneral.idl
@@ -49,11 +49,6 @@ configs:
arg_vartype: Switch
canonicalize: canonicalizeNetBindIpAll
- 'security.keyFile':
- description: 'Private key for cluster authentication'
- short_name: keyFile
- arg_vartype: String
- conflicts: noauth
noauth:
description: 'Run without security'
arg_vartype: Switch
@@ -71,14 +66,6 @@ configs:
short_name: transitionToAuth
arg_vartype: Switch
conflicts: noauth
- 'security.clusterAuthMode':
- description: >-
- Authentication mode used for cluster authentication. Alternatives are
- (keyFile|sendKeyFile|sendX509|x509)
- short_name: clusterAuthMode
- arg_vartype: String
- validator:
- callback: validateSecurityClusterAuthModeSetting
'operationProfiling.slowOpThresholdMs':
description: 'Value of slow for profile and console log'
diff --git a/src/mongo/s/mongos_options_init.cpp b/src/mongo/s/mongos_options_init.cpp
index 3b10a7a2ce0..cf139b81b92 100644
--- a/src/mongo/s/mongos_options_init.cpp
+++ b/src/mongo/s/mongos_options_init.cpp
@@ -33,6 +33,8 @@
#include <iostream>
+#include "mongo/db/cluster_auth_mode_option_gen.h"
+#include "mongo/db/keyfile_option_gen.h"
#include "mongo/db/server_options_base.h"
#include "mongo/db/server_options_nongeneral_gen.h"
#include "mongo/util/exit_code.h"
@@ -47,6 +49,16 @@ MONGO_GENERAL_STARTUP_OPTIONS_REGISTER(MongosOptions)(InitializerContext* contex
return status;
}
+ status = addKeyfileServerOption(&moe::startupOptions);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = addClusterAuthModeServerOption(&moe::startupOptions);
+ if (!status.isOK()) {
+ return status;
+ }
+
return addNonGeneralServerOptions(&moe::startupOptions);
}