SERVER-54508 Speculative saslStart discards "options" subelement

5 files changed, 17 insertions, 10 deletions

diff --git a/src/mongo/db/auth/authentication_session.cpp b/src/mongo/db/auth/authentication_session.cpp
index 54e7e6efe36..45b70cacd68 100644
--- a/src/mongo/db/auth/authentication_session.cpp
+++ b/src/mongo/db/auth/authentication_session.cpp
@@ -224,7 +224,8 @@ void AuthenticationSession::setMechanism(std::unique_ptr<ServerMechanismBase> me
 
     _mech = std::move(mech);
     if (options) {
-        uassertStatusOK(_mech->setOptions(options->getOwned()));
+        invariant(options->isOwned());
+        uassertStatusOK(_mech->setOptions(*options));
     }
 
     LOGV2_DEBUG(5286304, kDiagnosticLogLevel, "Determined mechanism for authentication");
diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp
index 2e4281a7b21..2c997e12c85 100644
--- a/src/mongo/db/auth/sasl_commands.cpp
+++ b/src/mongo/db/auth/sasl_commands.cpp
@@ -261,28 +261,32 @@ constexpr auto kDBFieldName = "db"_sd;
 }  // namespace
 }  // namespace auth
 
-void doSpeculativeSaslStart(OperationContext* opCtx, BSONObj cmdObj, BSONObjBuilder* result) try {
+void doSpeculativeSaslStart(OperationContext* opCtx,
+                            const BSONObj& sourceObj,
+                            BSONObjBuilder* result) try {
     // TypedCommands expect DB overrides in the "$db" field,
     // but saslStart coming from the Hello command has it in the "db" field.
     // Rewrite it for handling here.
-    BSONObjBuilder cmd;
+    BSONObjBuilder bob;
     bool hasDBField = false;
-    for (const auto& elem : cmdObj) {
+    for (const auto& elem : sourceObj) {
         if (elem.fieldName() == auth::kDBFieldName) {
-            cmd.appendAs(elem, auth::SaslStartCommand::kDbNameFieldName);
+            bob.appendAs(elem, auth::SaslStartCommand::kDbNameFieldName);
             hasDBField = true;
         } else {
-            cmd.append(elem);
+            bob.append(elem);
         }
     }
     if (!hasDBField) {
         return;
     }
 
+    const auto cmdObj = bob.obj();
+
     AuthenticationSession::doStep(
         opCtx, AuthenticationSession::StepType::kSpeculativeSaslStart, [&](auto session) {
             auto request = auth::SaslStartCommand::parse(
-                IDLParserErrorContext("speculative saslStart"), cmd.obj());
+                IDLParserErrorContext("speculative saslStart"), cmdObj);
             auto reply = auth::runSaslStart(opCtx, session, request);
             result->append(auth::kSpeculativeAuthenticate, reply.toBSON());
         });
diff --git a/src/mongo/db/auth/sasl_commands.h b/src/mongo/db/auth/sasl_commands.h
index 394e6034b0c..054756745e6 100644
--- a/src/mongo/db/auth/sasl_commands.h
+++ b/src/mongo/db/auth/sasl_commands.h
@@ -38,5 +38,7 @@ class OperationContext;
 /**
  * Handle isMaster: { speculativeAuthenticate: {...} }
  */
-void doSpeculativeSaslStart(OperationContext* opCtx, BSONObj cmdObj, BSONObjBuilder* result);
+void doSpeculativeSaslStart(OperationContext* opCtx,
+                            const BSONObj& sourceObj,
+                            BSONObjBuilder* result);
 }  // namespace mongo
diff --git a/src/mongo/db/auth/sasl_commands.idl b/src/mongo/db/auth/sasl_commands.idl
index c6ef7cad125..638696c38a4 100644
--- a/src/mongo/db/auth/sasl_commands.idl
+++ b/src/mongo/db/auth/sasl_commands.idl
@@ -77,7 +77,7 @@ commands:
                 default: true
             options:
                 description: "SASL mechanism specific options"
-                type: object
+                type: object_owned
                 optional: true
             payload:
                 description: "Initial client message for SASL exchange"
diff --git a/src/mongo/db/repl/hello_auth.cpp b/src/mongo/db/repl/hello_auth.cpp
index 85e31a617a0..007070aab66 100644
--- a/src/mongo/db/repl/hello_auth.cpp
+++ b/src/mongo/db/repl/hello_auth.cpp
@@ -53,7 +53,7 @@ void handleHelloAuth(OperationContext* opCtx, const HelloCommand& cmd, BSONObjBu
     }
 
     // speculativeAuthenticate: SaslStart -> SaslReply or Authenticate -> AuthenticateReply
-    auto specAuth = cmd.getSpeculativeAuthenticate();
+    auto& specAuth = cmd.getSpeculativeAuthenticate();
     if (!specAuth) {
         return;
     }