diff options
| author | David Storch <david.storch@mongodb.com> | 2021-10-27 21:00:47 +0000 |
|---|---|---|
| committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-10-27 22:24:30 +0000 |
| commit | c3a2b06948ef5fe75dd49ddea12f50e1f65da00b (patch) | |
| tree | f7d146d6c7c800bbaea983ba3cee2cc01e05a1ae /src | |
| parent | d4d16f32181ad343dbc93176b621e2137eec9116 (diff) | |
| download | mongo-c3a2b06948ef5fe75dd49ddea12f50e1f65da00b.tar.gz | |
SERVER-61030 Add 'authenticate' command to the OP_QUERY allowlist
(cherry picked from commit dea0353a2927370505ae22307d5d72362af9017b)
Diffstat (limited to 'src')
| -rw-r--r-- | src/mongo/rpc/op_legacy_integration_test.cpp | 32 | ||||
| -rw-r--r-- | src/mongo/rpc/warn_deprecated_wire_ops.cpp | 1 |
2 files changed, 27 insertions, 6 deletions
diff --git a/src/mongo/rpc/op_legacy_integration_test.cpp b/src/mongo/rpc/op_legacy_integration_test.cpp index ec9f64eef36..fd7d21c6fa7 100644 --- a/src/mongo/rpc/op_legacy_integration_test.cpp +++ b/src/mongo/rpc/op_legacy_integration_test.cpp @@ -460,9 +460,13 @@ TEST(OpLegacy, IsmasterCommandViaOpQuery) { } TEST(OpLegacy, SaslStartCommandViaOpQuery) { - // Here we verify that "saslStart" command passes parsing since the request is actually - // an invalid authentication request which is capture from a log. The AuthenticationFailed error - // code means that it passes request parsing. + // Some older drivers continue to authenticate using OP_QUERY commands, even if the + // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must + // continue to accept "saslStart" commands as OP_QUERY. + // + // Here we verify that "saslStart" command passes parsing since the request is actually an + // invalid authentication request. The AuthenticationFailed error code means that it passes + // request parsing. testAllowedCommand(R"({ saslStart: 1, "mechanism":"SCRAM-SHA-256", @@ -478,9 +482,13 @@ TEST(OpLegacy, SaslStartCommandViaOpQuery) { } TEST(OpLegacy, SaslContinueCommandViaOpQuery) { - // Here we verify that "saslContinue" command passes parsing since the request is actually - // an invalid authentication request which is captured from a log. The ProtocolError error code - // means that it passes request parsing. + // Some older drivers continue to authenticate using OP_QUERY commands, even if the + // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must + // continue to accept "saslContinue" commands as OP_QUERY. + // + // Here we verify that "saslContinue" command passes parsing since the request is actually an + // invalid authentication request. The ProtocolError error code means that it passes request + // parsing. testAllowedCommand(R"({ saslContinue: 1, "payload":{ @@ -494,5 +502,17 @@ TEST(OpLegacy, SaslContinueCommandViaOpQuery) { ErrorCodes::ProtocolError); } +TEST(OpLegacy, AuthenticateCommandViaOpQuery) { + // Some older drivers continue to authenticate using OP_QUERY commands, even if the + // isMaster/hello protocol negotiation resolves to OP_MSG. For this reason, the server must + // continue to accept "authenticate" commands as OP_QUERY. + // + // Here we only verify that "authenticate" command passes parsing since the request is actually + // an invalid authentication request. The AuthenticationFailed error code means that it passes + // request parsing. + testAllowedCommand(R"({authenticate: 1, mechanism: "MONGODB-X509"})", + ErrorCodes::AuthenticationFailed); +} + } // namespace } // namespace mongo diff --git a/src/mongo/rpc/warn_deprecated_wire_ops.cpp b/src/mongo/rpc/warn_deprecated_wire_ops.cpp index 0f3fd7597d2..540e431cb8f 100644 --- a/src/mongo/rpc/warn_deprecated_wire_ops.cpp +++ b/src/mongo/rpc/warn_deprecated_wire_ops.cpp @@ -114,6 +114,7 @@ void warnDeprecation(Client& client, StringData op) { void checkAllowedOpQueryCommand(Client& client, StringData cmd) { static constexpr std::array allowedOpQueryCommands{ "_isSelf"_sd, + "authenticate"_sd, "buildinfo"_sd, "buildInfo"_sd, "hello"_sd, |