diff options
| author | David Storch <david.storch@mongodb.com> | 2021-10-27 21:00:47 +0000 |
|---|---|---|
| committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-10-27 21:28:26 +0000 |
| commit | dea0353a2927370505ae22307d5d72362af9017b (patch) | |
| tree | 670904ec32cb06721523297f8274e859068e66a9 /src/mongo | |
| parent | 7e83c6092ab83917887d4b875842de9c4716c9f1 (diff) | |
| download | mongo-dea0353a2927370505ae22307d5d72362af9017b.tar.gz | |
SERVER-61030 Add 'authenticate' command to the OP_QUERY allowlist
Diffstat (limited to 'src/mongo')
| -rw-r--r-- | src/mongo/rpc/op_legacy_integration_test.cpp | 32 | ||||
| -rw-r--r-- | src/mongo/rpc/warn_deprecated_wire_ops.cpp | 1 |
2 files changed, 27 insertions, 6 deletions
diff --git a/src/mongo/rpc/op_legacy_integration_test.cpp b/src/mongo/rpc/op_legacy_integration_test.cpp index 050b595d65b..6270fc745da 100644 --- a/src/mongo/rpc/op_legacy_integration_test.cpp +++ b/src/mongo/rpc/op_legacy_integration_test.cpp @@ -477,9 +477,13 @@ TEST(OpLegacy, IsmasterCommandViaOpQuery) { } TEST(OpLegacy, SaslStartCommandViaOpQuery) { - // Here we verify that "saslStart" command passes parsing since the request is actually - // an invalid authentication request which is capture from a log. The AuthenticationFailed error - // code means that it passes request parsing. + // Some older drivers continue to authenticate using OP_QUERY commands, even if the + // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must + // continue to accept "saslStart" commands as OP_QUERY. + // + // Here we verify that "saslStart" command passes parsing since the request is actually an + // invalid authentication request. The AuthenticationFailed error code means that it passes + // request parsing. testAllowedCommand(R"({ saslStart: 1, "mechanism":"SCRAM-SHA-256", @@ -495,9 +499,13 @@ TEST(OpLegacy, SaslStartCommandViaOpQuery) { } TEST(OpLegacy, SaslContinueCommandViaOpQuery) { - // Here we verify that "saslContinue" command passes parsing since the request is actually - // an invalid authentication request which is captured from a log. The ProtocolError error code - // means that it passes request parsing. + // Some older drivers continue to authenticate using OP_QUERY commands, even if the + // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must + // continue to accept "saslContinue" commands as OP_QUERY. + // + // Here we verify that "saslContinue" command passes parsing since the request is actually an + // invalid authentication request. The ProtocolError error code means that it passes request + // parsing. testAllowedCommand(R"({ saslContinue: 1, "payload":{ @@ -511,5 +519,17 @@ TEST(OpLegacy, SaslContinueCommandViaOpQuery) { ErrorCodes::ProtocolError); } +TEST(OpLegacy, AuthenticateCommandViaOpQuery) { + // Some older drivers continue to authenticate using OP_QUERY commands, even if the + // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must + // continue to accept "authenticate" commands as OP_QUERY. + // + // Here we only verify that "authenticate" command passes parsing since the request is actually + // an invalid authentication request. The AuthenticationFailed error code means that it passes + // request parsing. + testAllowedCommand(R"({authenticate: 1, mechanism: "MONGODB-X509"})", + ErrorCodes::AuthenticationFailed); +} + } // namespace } // namespace mongo diff --git a/src/mongo/rpc/warn_deprecated_wire_ops.cpp b/src/mongo/rpc/warn_deprecated_wire_ops.cpp index 0f3fd7597d2..540e431cb8f 100644 --- a/src/mongo/rpc/warn_deprecated_wire_ops.cpp +++ b/src/mongo/rpc/warn_deprecated_wire_ops.cpp @@ -114,6 +114,7 @@ void warnDeprecation(Client& client, StringData op) { void checkAllowedOpQueryCommand(Client& client, StringData cmd) { static constexpr std::array allowedOpQueryCommands{ "_isSelf"_sd, + "authenticate"_sd, "buildinfo"_sd, "buildInfo"_sd, "hello"_sd, |