-rw-r--r--src/mongo/client/async_client.cpp11
-rw-r--r--src/mongo/client/dbclient_base.cpp10
-rw-r--r--src/mongo/client/dbclient_base.h8
-rw-r--r--src/mongo/client/dbclient_connection.cpp7
-rw-r--r--src/mongo/client/dbclient_connection.h5
-rw-r--r--src/mongo/client/dbclient_rs.cpp7
-rw-r--r--src/mongo/client/dbclient_rs.h5
-rw-r--r--src/mongo/db/auth/authorization_manager_impl.cpp1
-rw-r--r--src/mongo/db/auth/authorization_manager_test.cpp1
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp7
-rw-r--r--src/mongo/db/commands/user_management_commands.cpp3
-rw-r--r--src/mongo/db/dbdirectclient.h8
-rw-r--r--src/mongo/shell/encrypted_dbclient_base.cpp7
-rw-r--r--src/mongo/shell/encrypted_dbclient_base.h5
-rw-r--r--src/mongo/transport/SConscript1
-rw-r--r--src/mongo/transport/mock_session.h7
-rw-r--r--src/mongo/transport/service_state_machine.cpp1
-rw-r--r--src/mongo/transport/session.cpp4
-rw-r--r--src/mongo/transport/session.h11
-rw-r--r--src/mongo/transport/session_asio.h11
-rw-r--r--src/mongo/transport/transport_layer_mock.h1
-rw-r--r--src/mongo/util/net/SConscript2
-rw-r--r--src/mongo/util/net/ssl_manager.h21
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp1
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp1
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp1
-rw-r--r--src/mongo/util/net/ssl_peer_info.cpp46
-rw-r--r--src/mongo/util/net/ssl_peer_info.h67
-rw-r--r--src/mongo/util/net/ssl_types.cpp15
-rw-r--r--src/mongo/util/net/ssl_types.h43
30 files changed, 243 insertions, 75 deletions
diff --git a/src/mongo/client/async_client.cpp b/src/mongo/client/async_client.cpp
index 55cf701b484..41d08e5245e 100644
--- a/src/mongo/client/async_client.cpp
+++ b/src/mongo/client/async_client.cpp
@@ -52,6 +52,7 @@
#include "mongo/rpc/reply_interface.h"
#include "mongo/util/net/socket_utils.h"
#include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/version.h"
namespace mongo {
@@ -153,8 +154,9 @@ Future<void> AsyncDBClient::authenticate(const BSONObj& params) {
// We will only have a valid clientName if SSL is enabled.
std::string clientName;
#ifdef MONGO_CONFIG_SSL
- if (getSSLManager()) {
- clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+ auto sslConfiguration = _session->getSSLConfiguration();
+ if (sslConfiguration) {
+ clientName = sslConfiguration->clientSubjectName.toString();
}
#endif
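Review bot: The four-line block that reads `clientSubjectName` off `_session->getSSLConfiguration()` is duplicated verbatim between this hunk and the `authenticateInternal` hunk that follows it, and the same shape appears twice more in the dbclient_base.cpp hunks (`_auth` and `authenticateInternalUser`). A small private helper under `MONGO_CONFIG_SSL`, e.g. `std::string AsyncDBClient::_clientSubjectName() const` returning `sslConfiguration ? sslConfiguration->clientSubjectName.toString() : std::string()`, would keep the null check in one place instead of four. Both enclosing functions start before and end after their hunks.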
@@ -169,8 +171,9 @@ Future<void> AsyncDBClient::authenticateInternal(boost::optional<std::string> me
// We will only have a valid clientName if SSL is enabled.
std::string clientName;
#ifdef MONGO_CONFIG_SSL
- if (getSSLManager()) {
- clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+ auto sslConfiguration = _session->getSSLConfiguration();
+ if (sslConfiguration) {
+ clientName = sslConfiguration->clientSubjectName.toString();
}
#endif
diff --git a/src/mongo/client/dbclient_base.cpp b/src/mongo/client/dbclient_base.cpp
index f13eb6a1b3c..83f2bfb98bc 100644
--- a/src/mongo/client/dbclient_base.cpp
+++ b/src/mongo/client/dbclient_base.cpp
@@ -461,8 +461,9 @@ void DBClientBase::_auth(const BSONObj& params) {
// We will only have a client name if SSL is enabled
std::string clientName = "";
#ifdef MONGO_CONFIG_SSL
- if (getSSLManager() != nullptr) {
- clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+ auto sslConfiguration = getSSLConfiguration();
+ if (sslConfiguration) {
+ clientName = sslConfiguration->clientSubjectName.toString();
}
#endif
@@ -488,8 +489,9 @@ Status DBClientBase::authenticateInternalUser(auth::StepDownBehavior stepDownBeh
// We will only have a client name if SSL is enabled
std::string clientName = "";
#ifdef MONGO_CONFIG_SSL
- if (getSSLManager() != nullptr) {
- clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString();
+ auto sslConfiguration = getSSLConfiguration();
+ if (sslConfiguration) {
+ clientName = sslConfiguration->clientSubjectName.toString();
}
#endif
diff --git a/src/mongo/client/dbclient_base.h b/src/mongo/client/dbclient_base.h
index 4da50dcb286..6f6633496f1 100644
--- a/src/mongo/client/dbclient_base.h
+++ b/src/mongo/client/dbclient_base.h
@@ -40,6 +40,7 @@
#include "mongo/client/mongo_uri.h"
#include "mongo/client/query.h"
#include "mongo/client/read_preference.h"
+#include "mongo/config.h"
#include "mongo/db/dbmessage.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/write_concern_options.h"
@@ -755,6 +756,13 @@ public:
// This is only for DBClientCursor.
static void (*withConnection_do_not_use)(std::string host, std::function<void(DBClientBase*)>);
+#ifdef MONGO_CONFIG_SSL
+ /**
+ * Get the SSL configuration of this client.
+ */
+ virtual const SSLConfiguration* getSSLConfiguration() = 0;
+#endif
+
protected:
/** if the result of a command is ok*/
bool isOk(const BSONObj&);
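Review bot: The doc comment on the new pure-virtual `getSSLConfiguration()` does not say the returned pointer may be null, yet the implementations elsewhere in this diff return `nullptr` (`MockSession` unconditionally, `SessionASIO` when no SSL manager is present) and both callers in dbclient_base.cpp test the result before dereferencing it. Suggest `* Get the SSL configuration of this client. Returns nullptr when the underlying connection has no SSL manager; callers must check before dereferencing.`. The same omission applies to the `transport::Session::getSSLConfiguration()` comment in the session.h hunk ("Get the configuration from the SSL manager."), which is the contract the unchecked uses in authentication_commands.cpp rely on.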
diff --git a/src/mongo/client/dbclient_connection.cpp b/src/mongo/client/dbclient_connection.cpp
index 4b24f0652d2..08437ffc366 100644
--- a/src/mongo/client/dbclient_connection.cpp
+++ b/src/mongo/client/dbclient_connection.cpp
@@ -77,6 +77,7 @@
#include "mongo/util/net/socket_utils.h"
#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/password_digest.h"
#include "mongo/util/time_support.h"
#include "mongo/util/version.h"
@@ -823,6 +824,12 @@ void DBClientConnection::handleNotMasterResponse(const BSONObj& replyBody,
_markFailed(kSetFlag);
}
+#ifdef MONGO_CONFIG_SSL
+const SSLConfiguration* DBClientConnection::getSSLConfiguration() {
+ return _session->getSSLConfiguration();
+}
+#endif
+
AtomicWord<int> DBClientConnection::_numConnections;
} // namespace mongo
diff --git a/src/mongo/client/dbclient_connection.h b/src/mongo/client/dbclient_connection.h
index 340c8670b3d..db6c0c2a567 100644
--- a/src/mongo/client/dbclient_connection.h
+++ b/src/mongo/client/dbclient_connection.h
@@ -39,6 +39,7 @@
#include "mongo/client/mongo_uri.h"
#include "mongo/client/query.h"
#include "mongo/client/read_preference.h"
+#include "mongo/config.h"
#include "mongo/db/dbmessage.h"
#include "mongo/db/jsobj.h"
#include "mongo/db/write_concern_options.h"
@@ -307,6 +308,10 @@ public:
return _authenticatedDuringConnect;
}
+#ifdef MONGO_CONFIG_SSL
+ const SSLConfiguration* getSSLConfiguration() override;
+#endif
+
protected:
int _minWireVersion{0};
int _maxWireVersion{0};
diff --git a/src/mongo/client/dbclient_rs.cpp b/src/mongo/client/dbclient_rs.cpp
index 68ac0b84b50..86f35c50ef6 100644
--- a/src/mongo/client/dbclient_rs.cpp
+++ b/src/mongo/client/dbclient_rs.cpp
@@ -42,6 +42,7 @@
#include "mongo/client/global_conn_pool.h"
#include "mongo/client/read_preference.h"
#include "mongo/client/replica_set_monitor.h"
+#include "mongo/config.h"
#include "mongo/db/auth/sasl_command_constants.h"
#include "mongo/db/dbmessage.h"
#include "mongo/db/jsobj.h"
@@ -1209,4 +1210,10 @@ void DBClientReplicaSet::resetSlaveOkConn() {
_lastSlaveOkHost = HostAndPort();
}
+#ifdef MONGO_CONFIG_SSL
+const SSLConfiguration* DBClientReplicaSet::getSSLConfiguration() {
+ return checkMaster()->getSSLConfiguration();
+}
+#endif
+
} // namespace mongo
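Review bot: `DBClientReplicaSet::getSSLConfiguration()` answers through `checkMaster()`, while every other implementation in this diff is a side-effect-free accessor; if `checkMaster()` can (re)connect to, or throw when it cannot find, the primary — its definition is not in the diff — a caller that only wants the client subject name now pays for, and can fail on, a primary lookup. A comment stating why the primary's connection is the right source, e.g. `// SSL configuration is per connection; report the primary's, which is the connection _auth uses.`, or a `nullptr` return when no master connection is cached, would make the choice explicit.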
diff --git a/src/mongo/client/dbclient_rs.h b/src/mongo/client/dbclient_rs.h
index 4069576cba0..4710a300c5d 100644
--- a/src/mongo/client/dbclient_rs.h
+++ b/src/mongo/client/dbclient_rs.h
@@ -37,6 +37,7 @@
#include "mongo/client/dbclient_connection.h"
#include "mongo/client/mongo_uri.h"
+#include "mongo/config.h"
#include "mongo/util/net/hostandport.h"
namespace mongo {
@@ -258,6 +259,10 @@ public:
*/
static void setAuthPooledSecondaryConn(bool setting);
+#ifdef MONGO_CONFIG_SSL
+ const SSLConfiguration* getSSLConfiguration() override;
+#endif
+
protected:
/** Authorize. Authorizes all nodes as needed
*/
diff --git a/src/mongo/db/auth/authorization_manager_impl.cpp b/src/mongo/db/auth/authorization_manager_impl.cpp
index 7e161867017..e793b33f51d 100644
--- a/src/mongo/db/auth/authorization_manager_impl.cpp
+++ b/src/mongo/db/auth/authorization_manager_impl.cpp
@@ -55,6 +55,7 @@
#include "mongo/db/mongod_options.h"
#include "mongo/logv2/log.h"
#include "mongo/util/assert_util.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/str.h"
diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp
index b0e24ccaa38..cf30c5fbf4d 100644
--- a/src/mongo/db/auth/authorization_manager_test.cpp
+++ b/src/mongo/db/auth/authorization_manager_test.cpp
@@ -53,6 +53,7 @@
#include "mongo/transport/session.h"
#include "mongo/transport/transport_layer_mock.h"
#include "mongo/unittest/unittest.h"
+#include "mongo/util/net/ssl_peer_info.h"
#define ASSERT_NULL(EXPR) ASSERT_FALSE(EXPR)
#define ASSERT_NON_NULL(EXPR) ASSERT_TRUE(EXPR)
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 1030b67f336..166bbd3ebe9 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -61,6 +61,7 @@
#include "mongo/transport/session.h"
#include "mongo/util/concurrency/mutex.h"
#include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/text.h"
@@ -88,7 +89,9 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS
"No verified subject name available from client",
!clientName.empty());
- if (!getSSLManager()->getSSLConfiguration().hasCA) {
+ auto sslConfiguration = opCtx->getClient()->session()->getSSLConfiguration();
+
+ if (!sslConfiguration->hasCA) {
return Status(ErrorCodes::AuthenticationFailed,
"Unable to verify x.509 certificate, as no CA has been provided.");
} else if (user.getUser() != clientName.toString()) {
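Review bot: `sslConfiguration` is dereferenced at `sslConfiguration->hasCA` without a null check, although both `Session::getSSLConfiguration()` implementations in this diff can return `nullptr` (`MockSession` always, `SessionASIO` when `getSSLManager()` is null), and the `isClusterMember` call in the next hunk uses the same pointer. The old code dereferenced the global manager it implicitly assumed present; now that the source is a per-session pointer, reject rather than crash: `if (!sslConfiguration) { return Status(ErrorCodes::AuthenticationFailed, "No SSL configuration available for this session"); }` placed before the `hasCA` test. A non-empty `clientName` presumably implies a TLS-backed session with a manager, so this may be unreachable in practice, but an authentication path is where such a check is cheapest. `_authenticateX509` continues outside the hunk on both sides.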
@@ -96,7 +99,7 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS
"There is no x.509 client certificate matching the user.");
} else {
// Handle internal cluster member auth, only applies to server-server connections
- if (getSSLManager()->getSSLConfiguration().isClusterMember(clientName)) {
+ if (sslConfiguration->isClusterMember(clientName)) {
int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_undefined ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile) {
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 8fc24ce6d79..d6f95c0e64f 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -843,7 +843,8 @@ void CmdUMCTyped<CreateUserCommand, void>::Invocation::typedRun(OperationContext
"Cannot create an x.509 user with a subjectname that would be "
"recognized as an internal cluster member",
(dbname != "$external") || !getSSLManager() ||
- !getSSLManager()->getSSLConfiguration().isClusterMember(userName.getUser()));
+ !opCtx->getClient()->session()->getSSLConfiguration()->isClusterMember(
+ userName.getUser()));
#endif
// Synthesize a user document
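Review bot: The guard and the dereference in the rewritten `uassert` now refer to different objects: the condition still short-circuits on `!getSSLManager()` (the global), but the pointer actually dereferenced is `opCtx->getClient()->session()->getSSLConfiguration()`, which this diff shows returning `nullptr` for `MockSession`; whether `session()` itself can be null for a client without a network session is not visible here. Guard the pointer you use: compute `auto sslConfiguration = opCtx->getClient()->session()->getSSLConfiguration();` above the `uassert` and make the condition `(dbname != "$external") || !sslConfiguration || !sslConfiguration->isClusterMember(userName.getUser())`. The enclosing `typedRun` starts and ends outside the hunk.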
diff --git a/src/mongo/db/dbdirectclient.h b/src/mongo/db/dbdirectclient.h
index 0554334d6fd..8f0ac5ec334 100644
--- a/src/mongo/db/dbdirectclient.h
+++ b/src/mongo/db/dbdirectclient.h
@@ -30,6 +30,7 @@
#pragma once
#include "mongo/client/dbclient_base.h"
+#include "mongo/config.h"
#include "mongo/db/dbmessage.h"
#include "mongo/db/lasterror.h"
#include "mongo/util/net/hostandport.h"
@@ -107,6 +108,13 @@ public:
return false;
}
+#ifdef MONGO_CONFIG_SSL
+ const SSLConfiguration* getSSLConfiguration() override {
+ invariant(false);
+ return nullptr;
+ }
+#endif
+
private:
OperationContext* _opCtx;
LastError _lastError; // This LastError will be used for all operations on this client.
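Review bot: The override in dbdirectclient.h is implemented as `invariant(false)`, so any path that reaches it through the `DBClientBase` interface aborts the process, whereas the two callers in the dbclient_base.cpp hunks (`_auth`, `authenticateInternalUser`) already handle a null result and would degrade gracefully on a plain `return nullptr;`. If the abort is intentional, say why in place: `// DBDirectClient never runs over a network session, so it has no SSL configuration; reaching this is a programming error.`.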
diff --git a/src/mongo/shell/encrypted_dbclient_base.cpp b/src/mongo/shell/encrypted_dbclient_base.cpp
index f08af53e152..d190c5ebac3 100644
--- a/src/mongo/shell/encrypted_dbclient_base.cpp
+++ b/src/mongo/shell/encrypted_dbclient_base.cpp
@@ -35,6 +35,7 @@
#include "mongo/base/data_type_validated.h"
#include "mongo/bson/bson_depth.h"
#include "mongo/client/dbclient_base.h"
+#include "mongo/config.h"
#include "mongo/crypto/aead_encryption.h"
#include "mongo/crypto/fle_data_frames.h"
#include "mongo/crypto/symmetric_crypto.h"
@@ -645,6 +646,12 @@ std::shared_ptr<SymmetricKey> EncryptedDBClientBase::getDataKeyFromDisk(const UU
std::move(decryptedKey), crypto::aesAlgorithm, "kms_encryption");
}
+#ifdef MONGO_CONFIG_SSL
+const SSLConfiguration* EncryptedDBClientBase::getSSLConfiguration() {
+ return _conn->getSSLConfiguration();
+}
+#endif
+
namespace {
/**
diff --git a/src/mongo/shell/encrypted_dbclient_base.h b/src/mongo/shell/encrypted_dbclient_base.h
index 406c5884391..4281513cada 100644
--- a/src/mongo/shell/encrypted_dbclient_base.h
+++ b/src/mongo/shell/encrypted_dbclient_base.h
@@ -33,6 +33,7 @@
#include "mongo/base/data_type_validated.h"
#include "mongo/bson/bson_depth.h"
#include "mongo/client/dbclient_base.h"
+#include "mongo/config.h"
#include "mongo/crypto/aead_encryption.h"
#include "mongo/crypto/symmetric_crypto.h"
#include "mongo/db/client.h"
@@ -140,6 +141,10 @@ public:
bool isMongos() const final;
+#ifdef MONGO_CONFIG_SSL
+ const SSLConfiguration* getSSLConfiguration() override;
+#endif
+
protected:
std::pair<rpc::UniqueReply, DBClientBase*> processResponse(rpc::UniqueReply result,
const StringData databaseName);
diff --git a/src/mongo/transport/SConscript b/src/mongo/transport/SConscript
index ab1e34c702b..b5431d1db2a 100644
--- a/src/mongo/transport/SConscript
+++ b/src/mongo/transport/SConscript
@@ -15,6 +15,7 @@ env.Library(
LIBDEPS=[
'$BUILD_DIR/mongo/base',
'$BUILD_DIR/mongo/db/service_context',
+ '$BUILD_DIR/mongo/util/net/ssl_manager',
],
)
diff --git a/src/mongo/transport/mock_session.h b/src/mongo/transport/mock_session.h
index d9a6984f5b5..8fcb6fc789a 100644
--- a/src/mongo/transport/mock_session.h
+++ b/src/mongo/transport/mock_session.h
@@ -30,6 +30,7 @@
#pragma once
#include "mongo/base/checked_cast.h"
+#include "mongo/config.h"
#include "mongo/transport/session.h"
#include "mongo/transport/transport_layer_mock.h"
#include "mongo/util/net/hostandport.h"
@@ -123,6 +124,12 @@ public:
return true;
}
+#ifdef MONGO_CONFIG_SSL
+ virtual const SSLConfiguration* getSSLConfiguration() const override {
+ return nullptr;
+ }
+#endif
+
explicit MockSession(TransportLayer* tl)
: _tl(checked_cast<TransportLayerMock*>(tl)), _remote(), _local() {}
explicit MockSession(HostAndPort remote,
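Review bot: `virtual const SSLConfiguration* getSSLConfiguration() const override` carries both `virtual` and `override`; `override` already implies virtual, and the other overrides added in this diff (dbclient_connection.h, dbclient_rs.h, encrypted_dbclient_base.h) omit the keyword. Drop `virtual` here and on the matching `SessionASIO::getSSLConfiguration()` in the session_asio.h hunk. A one-line comment such as `// Mock sessions are never TLS-backed, so there is no configuration to report.` would also help readers who expect the ASIO behaviour from the mock.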
diff --git a/src/mongo/transport/service_state_machine.cpp b/src/mongo/transport/service_state_machine.cpp
index 2d28455793e..fb09fa9ad85 100644
--- a/src/mongo/transport/service_state_machine.cpp
+++ b/src/mongo/transport/service_state_machine.cpp
@@ -54,6 +54,7 @@
#include "mongo/util/exit.h"
#include "mongo/util/fail_point.h"
#include "mongo/util/net/socket_exception.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/quick_exit.h"
namespace mongo {
diff --git a/src/mongo/transport/session.cpp b/src/mongo/transport/session.cpp
index d3efb3051b6..c35d49aff1c 100644
--- a/src/mongo/transport/session.cpp
+++ b/src/mongo/transport/session.cpp
@@ -31,9 +31,13 @@
#include "mongo/transport/session.h"
+#include "mongo/config.h"
#include "mongo/platform/atomic_word.h"
#include "mongo/transport/transport_layer.h"
+#ifdef MONGO_CONFIG_SSL
+#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/net/ssl_types.h"
+#endif
namespace mongo {
namespace transport {
diff --git a/src/mongo/transport/session.h b/src/mongo/transport/session.h
index 6f72aca8127..2f5aebb74f4 100644
--- a/src/mongo/transport/session.h
+++ b/src/mongo/transport/session.h
@@ -31,6 +31,7 @@
#include <memory>
+#include "mongo/config.h"
#include "mongo/db/baton.h"
#include "mongo/platform/atomic_word.h"
#include "mongo/rpc/message.h"
@@ -40,6 +41,9 @@
#include "mongo/util/net/hostandport.h"
#include "mongo/util/net/sockaddr.h"
#include "mongo/util/time_support.h"
+#ifdef MONGO_CONFIG_SSL
+#include "mongo/util/net/ssl_types.h"
+#endif
namespace mongo {
namespace transport {
@@ -184,6 +188,13 @@ public:
TagMask getTags() const;
+#ifdef MONGO_CONFIG_SSL
+ /**
+ * Get the configuration from the SSL manager.
+ */
+ virtual const SSLConfiguration* getSSLConfiguration() const = 0;
+#endif
+
protected:
Session();
diff --git a/src/mongo/transport/session_asio.h b/src/mongo/transport/session_asio.h
index bf19ccc31da..5795230daa6 100644
--- a/src/mongo/transport/session_asio.h
+++ b/src/mongo/transport/session_asio.h
@@ -41,6 +41,7 @@
#include "mongo/util/net/socket_utils.h"
#ifdef MONGO_CONFIG_SSL
#include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#endif
@@ -240,6 +241,16 @@ public:
return false;
}
+#ifdef MONGO_CONFIG_SSL
+ virtual const SSLConfiguration* getSSLConfiguration() const override {
+ auto sslManager = getSSLManager();
+ if (!sslManager) {
+ return nullptr;
+ }
+ return &sslManager->getSSLConfiguration();
+ }
+#endif
+
protected:
friend class TransportLayerASIO;
friend TransportLayerASIO::BatonASIO;
diff --git a/src/mongo/transport/transport_layer_mock.h b/src/mongo/transport/transport_layer_mock.h
index eb095b1e65e..8d38a4c4ef5 100644
--- a/src/mongo/transport/transport_layer_mock.h
+++ b/src/mongo/transport/transport_layer_mock.h
@@ -33,6 +33,7 @@
#include "mongo/stdx/unordered_map.h"
#include "mongo/transport/session.h"
#include "mongo/transport/transport_layer.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/time_support.h"
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index ccdef1287b2..41ff54ec20b 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -96,7 +96,6 @@ env.Library(
'$BUILD_DIR/mongo/base',
],
LIBDEPS_PRIVATE=[
- '$BUILD_DIR/mongo/transport/transport_layer_common',
'ssl_options',
]
)
@@ -122,6 +121,7 @@ if not get_option('ssl') == 'off':
"ssl_parameters.cpp",
"ssl_manager_%s.cpp" % (ssl_provider),
"ssl_stream.cpp",
+ "ssl_peer_info.cpp",
env.Idlc('ssl_parameters.idl')[0],
"ocsp/ocsp_manager.cpp",
],
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index 8bcb12db721..979dc9f0f2f 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -44,6 +44,7 @@
#include "mongo/util/decorable.h"
#include "mongo/util/net/sock.h"
#include "mongo/util/net/ssl/apple.hpp"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/out_of_line_executor.h"
#include "mongo/util/time_support.h"
@@ -117,26 +118,6 @@ public:
virtual ~SSLConnectionInterface();
};
-class SSLConfiguration {
-public:
- bool isClusterMember(StringData subjectName) const;
- bool isClusterMember(SSLX509Name subjectName) const;
- void getServerStatusBSON(BSONObjBuilder*) const;
- Status setServerSubjectName(SSLX509Name name);
-
- const SSLX509Name& serverSubjectName() const {
- return _serverSubjectName;
- }
-
- SSLX509Name clientSubjectName;
- Date_t serverCertificateExpirationDate;
- bool hasCA = false;
-
-private:
- SSLX509Name _serverSubjectName;
- std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
-};
-
// These represent the ASN.1 type bytes for strings used in an X509 DirectoryString
constexpr int kASN1BMPString = 30;
constexpr int kASN1IA5String = 22;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index c112e7db5ee..d96ee83ced1 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -55,6 +55,7 @@
#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
using asio::ssl::apple::CFUniquePtr;
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 3dc7325a90a..90fd2d5eba9 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -62,6 +62,7 @@
#include "mongo/util/net/socket_exception.h"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/periodic_runner.h"
#include "mongo/util/read_through_cache.h"
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 5c87b0161b0..5eed0bdb6a1 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -61,6 +61,7 @@
#include "mongo/util/net/ssl.hpp"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/net/ssl_parameters_gen.h"
+#include "mongo/util/net/ssl_peer_info.h"
#include "mongo/util/net/ssl_types.h"
#include "mongo/util/str.h"
#include "mongo/util/text.h"
diff --git a/src/mongo/util/net/ssl_peer_info.cpp b/src/mongo/util/net/ssl_peer_info.cpp
new file mode 100644
index 00000000000..315fa751993
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.cpp
@@ -0,0 +1,46 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/util/net/ssl_peer_info.h"
+
+namespace mongo {
+namespace {
+const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
+ transport::Session::declareDecoration<SSLPeerInfo>();
+}
+SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
+ return peerInfoForSession(session.get());
+}
+
+const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) {
+ return peerInfoForSession(session.get());
+}
+} // namespace mongo \ No newline at end of file
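Review bot: Both new files end without a trailing newline (`\ No newline at end of file` on this hunk and on the ssl_peer_info.h hunk), and the anonymous namespace holding `peerInfoForSession` closes with a bare `}` immediately before `forSession`, whereas the code it was moved from in ssl_types.cpp closed with `} // namespace` followed by a blank line. Restoring `} // namespace` plus the separating blank line, and the final newline in both files, keeps the moved code identical to its source and avoids a formatter diff on the next touch.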
diff --git a/src/mongo/util/net/ssl_peer_info.h b/src/mongo/util/net/ssl_peer_info.h
new file mode 100644
index 00000000000..b336fd95e18
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.h
@@ -0,0 +1,67 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#pragma once
+
+#include "mongo/transport/session.h"
+#include "mongo/util/net/ssl_types.h"
+
+namespace mongo {
+/**
+ * Contains information extracted from the peer certificate which is consumed by subsystems
+ * outside of the networking stack.
+ */
+struct SSLPeerInfo {
+ explicit SSLPeerInfo(SSLX509Name subjectName,
+ boost::optional<std::string> sniName = {},
+ stdx::unordered_set<RoleName> roles = {})
+ : isTLS(true),
+ subjectName(std::move(subjectName)),
+ sniName(std::move(sniName)),
+ roles(std::move(roles)) {}
+ SSLPeerInfo() = default;
+
+ explicit SSLPeerInfo(boost::optional<std::string> sniName)
+ : isTLS(true), sniName(std::move(sniName)) {}
+
+ /**
+ * This flag is used to indicate if the underlying socket is using TLS or not. A default
+ * constructor of SSLPeerInfo indicates that TLS is not being used, and the other
+ * constructors set its value to true.
+ */
+ bool isTLS = false;
+
+ SSLX509Name subjectName;
+ boost::optional<std::string> sniName;
+ stdx::unordered_set<RoleName> roles;
+
+ static SSLPeerInfo& forSession(const transport::SessionHandle& session);
+ static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session);
+};
+} // namespace mongo \ No newline at end of file
diff --git a/src/mongo/util/net/ssl_types.cpp b/src/mongo/util/net/ssl_types.cpp
index cc2f7e063ea..217da793c7c 100644
--- a/src/mongo/util/net/ssl_types.cpp
+++ b/src/mongo/util/net/ssl_types.cpp
@@ -35,21 +35,6 @@
namespace mongo {
-namespace {
-
-const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
- transport::Session::declareDecoration<SSLPeerInfo>();
-
-} // namespace
-
-SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
- return peerInfoForSession(session.get());
-}
-
-const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) {
- return peerInfoForSession(session.get());
-}
-
const SSLParams& getSSLGlobalParams() {
return sslGlobalParams;
}
diff --git a/src/mongo/util/net/ssl_types.h b/src/mongo/util/net/ssl_types.h
index a006fd721e1..6f859ee01aa 100644
--- a/src/mongo/util/net/ssl_types.h
+++ b/src/mongo/util/net/ssl_types.h
@@ -34,7 +34,6 @@
#include "mongo/bson/util/builder.h"
#include "mongo/db/auth/role_name.h"
#include "mongo/stdx/unordered_set.h"
-#include "mongo/transport/session.h"
namespace mongo {
@@ -110,36 +109,24 @@ inline bool operator<(const SSLX509Name::Entry& lhs, const SSLX509Name::Entry& r
return lhs.equalityLens() < rhs.equalityLens();
}
-/**
- * Contains information extracted from the peer certificate which is consumed by subsystems
- * outside of the networking stack.
- */
-struct SSLPeerInfo {
- explicit SSLPeerInfo(SSLX509Name subjectName,
- boost::optional<std::string> sniName = {},
- stdx::unordered_set<RoleName> roles = {})
- : isTLS(true),
- subjectName(std::move(subjectName)),
- sniName(std::move(sniName)),
- roles(std::move(roles)) {}
- SSLPeerInfo() = default;
-
- explicit SSLPeerInfo(boost::optional<std::string> sniName)
- : isTLS(true), sniName(std::move(sniName)) {}
+class SSLConfiguration {
+public:
+ bool isClusterMember(StringData subjectName) const;
+ bool isClusterMember(SSLX509Name subjectName) const;
+ void getServerStatusBSON(BSONObjBuilder*) const;
+ Status setServerSubjectName(SSLX509Name name);
- /**
- * This flag is used to indicate if the underlying socket is using TLS or not. A default
- * constructor of SSLPeerInfo indicates that TLS is not being used, and the other
- * constructors set its value to true.
- */
- bool isTLS = false;
+ const SSLX509Name& serverSubjectName() const {
+ return _serverSubjectName;
+ }
- SSLX509Name subjectName;
- boost::optional<std::string> sniName;
- stdx::unordered_set<RoleName> roles;
+ SSLX509Name clientSubjectName;
+ Date_t serverCertificateExpirationDate;
+ bool hasCA = false;
- static SSLPeerInfo& forSession(const transport::SessionHandle& session);
- static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session);
+private:
+ SSLX509Name _serverSubjectName;
+ std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
};
} // namespace mongo
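Review bot: Dropping `#include "mongo/transport/session.h"` from this header also drops the transitive include of `mongo/util/time_support.h` (session.h includes it, as the session.h hunk shows), while the relocated `SSLConfiguration` still uses `Date_t` for `serverCertificateExpirationDate` and `Status`/`StringData` in its method signatures. The includes visible in this hunk (`builder.h`, `role_name.h`, `stdx/unordered_set.h`) may supply those names transitively, but an explicit `#include "mongo/util/time_support.h"` makes the header self-sufficient rather than dependent on its users' include order. The header's include list above line 34 is outside the hunk, so some of these may already be present.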