authorSpencer Jackson <spencer.jackson@mongodb.com>2017-07-31 10:56:56 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2017-07-31 13:59:59 -0400
commit9096def9687739a40df79efe4e9e4d9b19215201 (patch)
treeb2f47817d0899e0de7f04bc40e226e8c729d5860 /src
parent6d9d554e24b134e9cadad7e9377c5e4634c3a6af (diff)
SERVER-30434: Process authenticationRestrictions in FCV 3.4
Diffstat (limited to 'src')
-rw-r--r--src/mongo/db/auth/SConscript3
-rw-r--r--src/mongo/db/auth/address_restriction.cpp12
-rw-r--r--src/mongo/db/auth/authorization_session_test.cpp76
-rw-r--r--src/mongo/db/auth/authz_manager_external_state_local.cpp23
-rw-r--r--src/mongo/db/auth/user_document_parser_test.cpp13
-rw-r--r--src/mongo/db/auth/user_management_commands_parser.cpp10
6 files changed, 10 insertions, 127 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 396c0b4b24b..043641da879 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -276,9 +276,8 @@ env.Library(
'address_restriction.cpp',
env.Idlc('address_restriction.idl')[0],
],
- LIBDEPS=[
+ LIBDEPS_PRIVATE=[
'authentication_restriction',
- '$BUILD_DIR/mongo/db/server_options_core',
'$BUILD_DIR/mongo/base',
'$BUILD_DIR/mongo/util/net/network',
'$BUILD_DIR/mongo/idl/idl_parser',
diff --git a/src/mongo/db/auth/address_restriction.cpp b/src/mongo/db/auth/address_restriction.cpp
index 607aa3056e9..aa079a6f78b 100644
--- a/src/mongo/db/auth/address_restriction.cpp
+++ b/src/mongo/db/auth/address_restriction.cpp
@@ -74,12 +74,6 @@ mongo::StatusWith<mongo::SharedRestrictionDocument> mongo::parseAuthenticationRe
std::unique_ptr<document_type::element_type>>::value,
"SharedRestrictionDocument expected to contain a sequence of unique_ptrs");
- if (serverGlobalParams.featureCompatibility.version.load() <
- ServerGlobalParams::FeatureCompatibility::Version::k36) {
- return Status(ErrorCodes::UnsupportedFormat,
- "'authenticationRestrictions' requires 3.6 feature compatibility version");
- }
-
document_type::sequence_type doc;
for (const auto& elem : arr) {
if (elem.type() != Object) {
@@ -103,12 +97,6 @@ mongo::StatusWith<mongo::BSONArray> mongo::getRawAuthenticationRestrictions(
const BSONArray& arr) noexcept try {
BSONArrayBuilder builder;
- if (serverGlobalParams.featureCompatibility.version.load() <
- ServerGlobalParams::FeatureCompatibility::Version::k36) {
- return Status(ErrorCodes::UnsupportedFormat,
- "'authenticationRestrictions' requires 3.6 feature compatibility version");
- }
-
for (auto const& elem : arr) {
if (elem.type() != Object) {
return Status(ErrorCodes::UnsupportedFormat,
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index 9cdbe4aa730..e6626c58576 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
@@ -572,82 +572,6 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) {
authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::insert));
}
-TEST_F(AuthorizationSessionTest, AcquireUserFailsWithOldFeatureCompatibilityVersion) {
- ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(),
- BSON("user"
- << "spencer"
- << "db"
- << "test"
- << "credentials"
- << BSON("MONGODB-CR"
- << "a")
- << "roles"
- << BSON_ARRAY(BSON("role"
- << "readWrite"
- << "db"
- << "test"))
- << "authenticationRestrictions"
- << BSON_ARRAY(BSON(
- "clientSource"
- << BSON_ARRAY("192.168.0.0/24"
- << "192.168.2.10")
- << "serverAddress"
- << BSON_ARRAY("192.168.0.2")))),
- BSONObj()));
-
- serverGlobalParams.featureCompatibility.version.store(
- ServerGlobalParams::FeatureCompatibility::Version::k34);
-
- RestrictionEnvironment::set(
- session,
- stdx::make_unique<RestrictionEnvironment>(SockAddr("192.168.0.6", 5555, AF_UNSPEC),
- SockAddr("192.168.0.2", 5555, AF_UNSPEC)));
-
- ASSERT_NOT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
-}
-
-TEST_F(AuthorizationSessionTest, RefreshRemovesRestrictedUsersDuringFeatureCompatibilityDowngrade) {
- ASSERT_OK(managerState->insertPrivilegeDocument(
- _opCtx.get(),
- BSON("user"
- << "spencer"
- << "db"
- << "test"
- << "credentials"
- << BSON("MONGODB-CR"
- << "a")
- << "roles"
- << BSON_ARRAY(BSON("role"
- << "readWrite"
- << "db"
- << "test"))
- << "authenticationRestrictions"
- << BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("192.168.0.0/24") << "serverAddress"
- << BSON_ARRAY("192.168.0.2")))),
- BSONObj()));
-
- RestrictionEnvironment::set(
- session,
- stdx::make_unique<RestrictionEnvironment>(SockAddr("192.168.0.6", 5555, AF_UNSPEC),
- SockAddr("192.168.0.2", 5555, AF_UNSPEC)));
-
- ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
-
- serverGlobalParams.featureCompatibility.version.store(
- ServerGlobalParams::FeatureCompatibility::Version::k34);
-
- ASSERT_TRUE(authzSession->lookupUser(UserName("spencer", "test")));
- ASSERT_TRUE(
- authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::find));
-
- authzManager->invalidateUserCache();
- authzSession->startRequest(_opCtx.get());
-
- ASSERT_FALSE(authzSession->lookupUser(UserName("spencer", "test")));
- ASSERT_FALSE(
- authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::find));
-}
-
TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRestrictions) {
ASSERT_OK(managerState->insertPrivilegeDocument(
_opCtx.get(),
diff --git a/src/mongo/db/auth/authz_manager_external_state_local.cpp b/src/mongo/db/auth/authz_manager_external_state_local.cpp
index b4a37379529..c391dff44b0 100644
--- a/src/mongo/db/auth/authz_manager_external_state_local.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_local.cpp
@@ -31,6 +31,7 @@
#include "mongo/db/auth/authz_manager_external_state_local.h"
#include "mongo/base/status.h"
+#include "mongo/bson/mutable/algorithm.h"
#include "mongo/bson/mutable/document.h"
#include "mongo/bson/mutable/element.h"
#include "mongo/bson/util/bson_extract.h"
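Review bot: The added `#include "mongo/bson/mutable/algorithm.h"` has no visible user in this file's hunks, which otherwise only delete code; if nothing outside the shown hunks relies on it, drop the include so the change stays limited to the FCV gate removal. If it is needed by code elsewhere in the file, a brief mention in the commit description would make that clear. The two hunks below are pure deletions and raise nothing on their own.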
@@ -197,21 +198,6 @@ Status AuthzManagerExternalStateLocal::getUserDescription(OperationContext* opCt
resolveUserRoles(&resultDoc, directRoles);
*result = resultDoc.getObject();
- const auto isNonEmptyArray = [](const BSONObj& doc, StringData element) {
- const auto& e = doc[element];
- return !e.eoo() && (e.type() == Array) && !e.Obj().isEmpty();
- };
-
- if ((isNonEmptyArray(*result, "authenticationRestrictions") ||
- isNonEmptyArray(*result, "inheritedAuthenticationRestrictions")) &&
- serverGlobalParams.featureCompatibility.version.load() <
- ServerGlobalParams::FeatureCompatibility::Version::k36) {
- // Mongos isn't able to evaluate whether documents are valid under the current
- // featureCompatibilityVersion. We must make the decision before it sees them.
- return Status(ErrorCodes::UnsupportedFormat,
- "'authenticationRestrictions' requires 3.6 feature compatibility version");
- }
-
return Status::OK();
}
@@ -300,13 +286,6 @@ Status AuthzManagerExternalStateLocal::_getUserDocument(OperationContext* opCtx,
status =
Status(ErrorCodes::UserNotFound,
mongoutils::str::stream() << "Could not find user " << userName.getFullName());
- } else if ((*userDoc)["authenticationRestrictions"] &&
- serverGlobalParams.featureCompatibility.version.load() <
- ServerGlobalParams::FeatureCompatibility::Version::k36) {
- // Mongos isn't able to evaluate whether documents are valid under the current
- // featureCompatibilityVersion. We must make the decision before it sees them.
- status = Status(ErrorCodes::UnsupportedFormat,
- "'authenticationRestrictions' requires 3.6 feature compatibility version");
}
return status;
}
diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp
index 12f5bffed87..ae27f0d0c6c 100644
--- a/src/mongo/db/auth/user_document_parser_test.cpp
+++ b/src/mongo/db/auth/user_document_parser_test.cpp
@@ -613,19 +613,6 @@ TEST_F(V2UserDocumentParsing, V2RoleExtraction) {
ASSERT_FALSE(roles.more());
}
-TEST_F(V2UserDocumentParsing,
- V2AuthenticationRestrictionsExtractioniFailsOnOldFeatureCompatibilityVersion) {
- serverGlobalParams.featureCompatibility.version.store(
- ServerGlobalParams::FeatureCompatibility::Version::k34);
- Status status = v2parser.initializeAuthenticationRestrictionsFromUserDocument(
- BSON("user"
- << "spencer"
- << "authenticationRestrictions"
- << BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("::1")))),
- user.get());
- ASSERT_EQ(ErrorCodes::UnsupportedFormat, status.code());
-}
-
TEST_F(V2UserDocumentParsing, V2AuthenticationRestrictionsExtraction) {
const auto emptyArray = BSONArrayBuilder().arr();
const auto emptyObj = BSONObjBuilder().obj();
diff --git a/src/mongo/db/auth/user_management_commands_parser.cpp b/src/mongo/db/auth/user_management_commands_parser.cpp
index 9a7742d14a4..f1ab1f40735 100644
--- a/src/mongo/db/auth/user_management_commands_parser.cpp
+++ b/src/mongo/db/auth/user_management_commands_parser.cpp
@@ -192,7 +192,10 @@ Status parseCreateOrUpdateUserCommands(const BSONObj& cmdObj,
validFieldNames.insert("digestPassword");
validFieldNames.insert("pwd");
validFieldNames.insert("roles");
- validFieldNames.insert("authenticationRestrictions");
+ if (serverGlobalParams.featureCompatibility.version.load() >=
+ ServerGlobalParams::FeatureCompatibility::Version::k36) {
+ validFieldNames.insert("authenticationRestrictions");
+ }
Status status = _checkNoExtraFields(cmdObj, cmdName, validFieldNames);
if (!status.isOK()) {
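Review bot: Under FCV 3.4 a createUser/updateUser command carrying `authenticationRestrictions` is now rejected only indirectly by `_checkNoExtraFields`, so the caller gets a generic unrecognized-field error instead of the FCV explanation the removed checks in address_restriction.cpp used to return; an explicit check before field-name validation keeps the message informative, e.g. `if (cmdObj.hasField("authenticationRestrictions") && serverGlobalParams.featureCompatibility.version.load() < ServerGlobalParams::FeatureCompatibility::Version::k36) return Status(ErrorCodes::UnsupportedFormat, "'authenticationRestrictions' requires 3.6 feature compatibility version");`. The same conditional insert is duplicated in parseCreateOrUpdateRoleCommands at the next hunk, so a small file-local helper used by both would keep the gate in one place. The FCV is read once at parse time; a downgrade between this check and the write is presumably harmless now that the server evaluates restrictions at 3.4, but a one-line comment stating that would help the next reader. This file now references serverGlobalParams, so confirm its library's LIBDEPS pulls in server_options_core (not visible here); parseCreateOrUpdateUserCommands starts and ends outside the hunk.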
@@ -490,7 +493,10 @@ Status parseCreateOrUpdateRoleCommands(const BSONObj& cmdObj,
validFieldNames.insert(cmdName.toString());
validFieldNames.insert("privileges");
validFieldNames.insert("roles");
- validFieldNames.insert("authenticationRestrictions");
+ if (serverGlobalParams.featureCompatibility.version.load() >=
+ ServerGlobalParams::FeatureCompatibility::Version::k36) {
+ validFieldNames.insert("authenticationRestrictions");
+ }
Status status = _checkNoExtraFields(cmdObj, cmdName, validFieldNames);
if (!status.isOK()) {