authorBen Caimano <ben.caimano@10gen.com>2021-01-25 21:28:11 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-02-03 22:44:39 +0000
commit8efbaad2fd3b50352c9a0c4298137b4b4cabbae8 (patch)
tree0bda8356ef65ffc145aec91ded6c4e60ec56e2a1 /src
parent7b9b44aa12252dea6ae92dc2aaaf60f98f1873cf (diff)
downloadmongo-8efbaad2fd3b50352c9a0c4298137b4b4cabbae8.tar.gz
SERVER-54215 Rewire sasl/authenticate library dependencies
Diffstat (limited to 'src')
-rw-r--r--src/mongo/db/auth/SConscript34
-rw-r--r--src/mongo/db/auth/auth_decorations.cpp24
-rw-r--r--src/mongo/db/auth/sasl_commands.cpp7
-rw-r--r--src/mongo/db/commands/SConscript4
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp13
-rw-r--r--src/mongo/db/commands/authentication_commands.h4
-rw-r--r--src/mongo/db/repl/SConscript1
7 files changed, 57 insertions, 30 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 220d5a23d58..e128915a769 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -32,6 +32,9 @@ env.Library(
'$BUILD_DIR/mongo/base',
'$BUILD_DIR/mongo/db/service_context',
],
+ LIBDEPS_PRIVATE=[
+ 'sasl_options',
+ ],
)
env.Library(
@@ -153,8 +156,9 @@ env.Library(
'user_document_parser',
],
LIBDEPS_PRIVATE=[
- '$BUILD_DIR/mongo/db/audit',
+ '$BUILD_DIR/mongo/db/audit', # audit:logLogout in AuthZSession.
'$BUILD_DIR/mongo/db/commands/create_command',
+ '$BUILD_DIR/mongo/db/stats/counters',
'$BUILD_DIR/mongo/idl/server_parameter',
'$BUILD_DIR/mongo/util/caching',
],
@@ -221,27 +225,39 @@ env.Library(
)
env.Library(
- target='authservercommon',
+ target='sasl_commands',
source=[
- 'authz_session_external_state_server_common.cpp',
'sasl_commands.cpp',
'sasl_commands.idl',
'sasl_payload.cpp',
+ ],
+ LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/client/sasl_client',
+ '$BUILD_DIR/mongo/db/audit',
+ '$BUILD_DIR/mongo/db/commands',
+ '$BUILD_DIR/mongo/db/commands/test_commands_enabled',
+ 'auth',
+ 'auth_impl_internal',
+ 'authorization_manager_global',
+ 'saslauth',
+ ],
+)
+
+env.Library(
+ target='authservercommon',
+ source=[
+ 'authz_session_external_state_server_common.cpp',
'enable_localhost_auth_bypass_parameter.idl',
],
LIBDEPS=[
+ '$BUILD_DIR/mongo/db/commands/authentication_commands',
'auth',
'auth_impl_internal',
'authorization_manager_global',
+ 'sasl_commands',
'saslauth',
],
LIBDEPS_PRIVATE=[
- '$BUILD_DIR/mongo/client/sasl_client',
- '$BUILD_DIR/mongo/db/audit',
- '$BUILD_DIR/mongo/db/commands',
- '$BUILD_DIR/mongo/db/commands/authentication_commands',
- '$BUILD_DIR/mongo/db/commands/test_commands_enabled',
- '$BUILD_DIR/mongo/db/stats/counters',
'sasl_options_init',
],
)
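Review bot: `authentication_commands` and `sasl_commands` are added to `authservercommon` as public `LIBDEPS` rather than `LIBDEPS_PRIVATE`, and that public propagation is load-bearing: the repl SConscript in this same commit drops its direct `authentication_commands` dependency and relies on receiving it transitively. Nothing in the hunk records that, so a later cleanup moving them to private (the direction every other entry in this hunk moves) would break consumers at link time with no hint why. Following the file's own convention on the audit line, I would annotate it: `'$BUILD_DIR/mongo/db/commands/authentication_commands',  # public: consumers (e.g. repl) rely on this transitively`. I cannot tell from the hunk whether `sasl_commands.cpp` still needs anything from `authentication_commands` now that the `PreSaslCommands` initializer is gone; if it does, the new `sasl_commands` library is missing that dependency.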
diff --git a/src/mongo/db/auth/auth_decorations.cpp b/src/mongo/db/auth/auth_decorations.cpp
index f3b2ae7f60f..233692329a6 100644
--- a/src/mongo/db/auth/auth_decorations.cpp
+++ b/src/mongo/db/auth/auth_decorations.cpp
@@ -35,9 +35,12 @@
#include "mongo/db/auth/authentication_session.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/sasl_options.h"
#include "mongo/db/client.h"
+#include "mongo/db/commands/authentication_commands.h"
#include "mongo/db/service_context.h"
#include "mongo/util/assert_util.h"
+#include "mongo/util/sequence_util.h"
namespace mongo {
namespace {
@@ -51,6 +54,12 @@ const auto getAuthorizationManager =
const auto getAuthorizationSession =
Client::declareDecoration<std::unique_ptr<AuthorizationSession>>();
+struct DisabledAuthMechanisms {
+ bool x509 = false;
+};
+
+const auto getDisabledAuthMechanisms = ServiceContext::declareDecoration<DisabledAuthMechanisms>();
+
class AuthzClientObserver final : public ServiceContext::ClientObserver {
public:
void onCreateClient(Client* client) override {
@@ -65,6 +74,13 @@ public:
void onDestroyOperationContext(OperationContext* opCtx) override {}
};
+auto disableAuthMechanismsRegisterer = ServiceContext::ConstructorActionRegisterer{
+ "DisableAuthMechanisms", [](ServiceContext* service) {
+ if (!sequenceContains(saslGlobalParams.authenticationMechanisms, kX509AuthMechanism)) {
+ disableX509Auth(service);
+ }
+ }};
+
ServiceContext::ConstructorActionRegisterer authzClientObserverRegisterer{
"AuthzClientObserver", [](ServiceContext* service) {
service->registerClientObserver(std::make_unique<AuthzClientObserver>());
@@ -124,4 +140,12 @@ void AuthorizationSession::set(Client* client,
authzSession = std::move(authorizationSession);
}
+void disableX509Auth(ServiceContext* svcCtx) {
+ getDisabledAuthMechanisms(svcCtx).x509 = true;
+}
+
+bool isX509AuthDisabled(ServiceContext* svcCtx) {
+ return getDisabledAuthMechanisms(svcCtx).x509;
+}
+
} // namespace mongo
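Review bot: `disableX509Auth` and `isX509AuthDisabled` are defined here without any comment, yet they implement declarations from `mongo/db/commands/authentication_commands.h` — a different library's header — and the switch is one-way (there is no function to re-enable X.509). A reader landing on these definitions has no way to learn when the setter may legally be called; I would add above `disableX509Auth`: `// One-way switch, intended to run only from ServiceContext constructor actions (see DisableAuthMechanisms above); the definitions live here because the backing decoration is private to this file.` The accessor deserves the matching one-liner: `// Reads the per-ServiceContext flag set by disableX509Auth(); consulted on the client X.509 path in _authenticateX509.`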
diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp
index 72108f01a0e..d1300ee7a6b 100644
--- a/src/mongo/db/auth/sasl_commands.cpp
+++ b/src/mongo/db/auth/sasl_commands.cpp
@@ -331,13 +331,6 @@ SaslReply CmdSaslContinue::Invocation::typedRun(OperationContext* opCtx) {
return uassertStatusOK(swReply);
}
-// The CyrusSaslCommands Enterprise initializer is dependent on PreSaslCommands
-MONGO_INITIALIZER(PreSaslCommands)
-(InitializerContext*) {
- if (!sequenceContains(saslGlobalParams.authenticationMechanisms, kX509AuthMechanism))
- disableAuthMechanism(kX509AuthMechanism);
-}
-
constexpr auto kDBFieldName = "db"_sd;
} // namespace
} // namespace auth
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index bea673cd004..6aa23bb7b07 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -200,9 +200,9 @@ env.Library(
'authentication_commands.idl',
],
LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/bson/mutable/mutable_bson',
'$BUILD_DIR/mongo/db/audit',
- '$BUILD_DIR/mongo/db/auth/sasl_options',
- '$BUILD_DIR/mongo/db/auth/user_document_parser',
+ '$BUILD_DIR/mongo/db/auth/auth',
'$BUILD_DIR/mongo/db/commands',
'$BUILD_DIR/mongo/db/stats/counters',
'$BUILD_DIR/mongo/rpc/client_metadata',
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index c673bbae22f..040e49b1b1f 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -47,7 +47,6 @@
#include "mongo/db/auth/authentication_session.h"
#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/auth/privilege.h"
-#include "mongo/db/auth/sasl_options.h"
#include "mongo/db/auth/security_key.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/db/client.h"
@@ -173,8 +172,6 @@ public:
}
} cmdLogout;
-bool _isX509AuthDisabled;
-
#ifdef MONGO_CONFIG_SSL
constexpr auto kX509AuthenticationDisabledMessage = "x.509 authentication is disabled."_sd;
@@ -255,7 +252,9 @@ void _authenticateX509(OperationContext* opCtx, UserName& user, StringData dbnam
authorizationSession->grantInternalAuthorization(client);
} else {
// Handle normal client authentication, only applies to client-server connections
- uassert(ErrorCodes::BadValue, kX509AuthenticationDisabledMessage, !_isX509AuthDisabled);
+ uassert(ErrorCodes::BadValue,
+ kX509AuthenticationDisabledMessage,
+ !isX509AuthDisabled(opCtx->getServiceContext()));
uassertStatusOK(authorizationSession->addAndAuthorizeUser(opCtx, user));
}
}
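Review bot: The mechanism allow-list check is applied only in the `else` branch, so a connection taking the internal-user path above it is granted internal authorization over X.509 even when `MONGODB-X509` is absent from `authenticationMechanisms`; this is preexisting behavior, but the hunk is where a maintainer would look for it, and nothing says whether it is intended. Presumably the cluster-member path is governed by a separate cluster-auth setting rather than the client mechanism list — that should be confirmed and recorded: `// The authenticationMechanisms allow-list deliberately does not gate cluster-member (internal) X.509 auth; only client auth is subject to isX509AuthDisabled().` The enclosing `_authenticateX509` starts before this hunk.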
@@ -369,12 +368,6 @@ public:
} // namespace
-void disableAuthMechanism(StringData authMechanism) {
- if (authMechanism == kX509AuthMechanism) {
- _isX509AuthDisabled = true;
- }
-}
-
void doSpeculativeAuthenticate(OperationContext* opCtx,
BSONObj cmdObj,
BSONObjBuilder* result) try {
diff --git a/src/mongo/db/commands/authentication_commands.h b/src/mongo/db/commands/authentication_commands.h
index c211b799ef2..2e82168e050 100644
--- a/src/mongo/db/commands/authentication_commands.h
+++ b/src/mongo/db/commands/authentication_commands.h
@@ -32,13 +32,15 @@
#include "mongo/base/string_data.h"
#include "mongo/bson/bsonobj.h"
#include "mongo/bson/bsonobjbuilder.h"
+#include "mongo/db/service_context.h"
namespace mongo {
class OperationContext;
constexpr StringData kX509AuthMechanism = "MONGODB-X509"_sd;
-void disableAuthMechanism(StringData authMechanism);
+void disableX509Auth(ServiceContext* svcCtx);
+bool isX509AuthDisabled(ServiceContext* svcCtx);
void doSpeculativeAuthenticate(OperationContext* opCtx, BSONObj isMaster, BSONObjBuilder* result);
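Review bot: The header now pulls in `mongo/db/service_context.h` just to name `ServiceContext*` in two prototypes, whereas the file already forward-declares `class OperationContext;` for the same purpose on the next line; `class ServiceContext;` beside it would keep the include footprint of this widely included header unchanged. The two new declarations also have no documentation, while they expose a one-way security switch. I would add `/** Marks MONGODB-X509 as unavailable for client authentication on this ServiceContext; there is no inverse. */` above `disableX509Auth` and `/** True once disableX509Auth() has been called on this ServiceContext. */` above `isX509AuthDisabled`.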
diff --git a/src/mongo/db/repl/SConscript b/src/mongo/db/repl/SConscript
index 105bf15073c..21297ac713b 100644
--- a/src/mongo/db/repl/SConscript
+++ b/src/mongo/db/repl/SConscript
@@ -1733,7 +1733,6 @@ env.Library(
LIBDEPS_PRIVATE=[
'$BUILD_DIR/mongo/base',
'$BUILD_DIR/mongo/db/auth/authservercommon',
- '$BUILD_DIR/mongo/db/commands/authentication_commands',
],
)