30 files changed, 243 insertions, 75 deletions
diff --git a/src/mongo/client/async_client.cpp b/src/mongo/client/async_client.cpp index 55cf701b484..41d08e5245e 100644 --- a/src/mongo/client/async_client.cpp +++ b/src/mongo/client/async_client.cpp @@ -52,6 +52,7 @@ #include "mongo/rpc/reply_interface.h" #include "mongo/util/net/socket_utils.h" #include "mongo/util/net/ssl_manager.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/version.h" namespace mongo { @@ -153,8 +154,9 @@ Future<void> AsyncDBClient::authenticate(const BSONObj& params) { // We will only have a valid clientName if SSL is enabled. std::string clientName; #ifdef MONGO_CONFIG_SSL - if (getSSLManager()) { - clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString(); + auto sslConfiguration = _session->getSSLConfiguration(); + if (sslConfiguration) { + clientName = sslConfiguration->clientSubjectName.toString(); } #endif @@ -169,8 +171,9 @@ Future<void> AsyncDBClient::authenticateInternal(boost::optional<std::string> me // We will only have a valid clientName if SSL is enabled. std::string clientName; #ifdef MONGO_CONFIG_SSL - if (getSSLManager()) { - clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString(); + auto sslConfiguration = _session->getSSLConfiguration(); + if (sslConfiguration) { + clientName = sslConfiguration->clientSubjectName.toString(); } #endif diff --git a/src/mongo/client/dbclient_base.cpp b/src/mongo/client/dbclient_base.cpp index f13eb6a1b3c..83f2bfb98bc 100644 --- a/src/mongo/client/dbclient_base.cpp +++ b/src/mongo/client/dbclient_base.cpp 
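Review bot: `authenticate` and `authenticateInternal` now carry an identical `#ifdef MONGO_CONFIG_SSL` block that derives `clientName` from `_session->getSSLConfiguration()`; the duplication predates the commit, but since both copies are rewritten here it is the moment to hoist them into one private helper, e.g. `std::string AsyncDBClient::_clientSubjectName() const` returning the subject name or an empty string, and call it from both. `_session` is dereferenced unconditionally in both copies; if it can be unset at this point (not visible here), the helper is also the single place to guard it. Both function bodies continue past their hunks.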
@@ -461,8 +461,9 @@ void DBClientBase::_auth(const BSONObj& params) { // We will only have a client name if SSL is enabled std::string clientName = ""; #ifdef MONGO_CONFIG_SSL - if (getSSLManager() != nullptr) { - clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString(); + auto sslConfiguration = getSSLConfiguration(); + if (sslConfiguration) { + clientName = sslConfiguration->clientSubjectName.toString(); } #endif @@ -488,8 +489,9 @@ Status DBClientBase::authenticateInternalUser(auth::StepDownBehavior stepDownBeh // We will only have a client name if SSL is enabled std::string clientName = ""; #ifdef MONGO_CONFIG_SSL - if (getSSLManager() != nullptr) { - clientName = getSSLManager()->getSSLConfiguration().clientSubjectName.toString(); + auto sslConfiguration = getSSLConfiguration(); + if (sslConfiguration) { + clientName = sslConfiguration->clientSubjectName.toString(); } #endif diff --git a/src/mongo/client/dbclient_base.h b/src/mongo/client/dbclient_base.h index 4da50dcb286..6f6633496f1 100644 --- a/src/mongo/client/dbclient_base.h +++ b/src/mongo/client/dbclient_base.h @@ -40,6 +40,7 @@ #include "mongo/client/mongo_uri.h" #include "mongo/client/query.h" #include "mongo/client/read_preference.h" +#include "mongo/config.h" #include "mongo/db/dbmessage.h" #include "mongo/db/jsobj.h" #include "mongo/db/write_concern_options.h" @@ -755,6 +756,13 @@ public: // This is only for DBClientCursor. static void (*withConnection_do_not_use)(std::string host, std::function<void(DBClientBase*)>); +#ifdef MONGO_CONFIG_SSL + /** + * Get the SSL configuration of this client. + */ + virtual const SSLConfiguration* getSSLConfiguration() = 0; +#endif + protected: /** if the result of a command is ok*/ bool isOk(const BSONObj&); diff --git a/src/mongo/client/dbclient_connection.cpp b/src/mongo/client/dbclient_connection.cpp index 4b24f0652d2..08437ffc366 100644 --- a/src/mongo/client/dbclient_connection.cpp +++ b/src/mongo/client/dbclient_connection.cpp 
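Review bot: The new pure virtual `DBClientBase::getSSLConfiguration()` is documented only as "Get the SSL configuration of this client", yet every caller in this commit null-checks the result and the session-level implementations return nullptr when there is no SSL manager, so the contract should state it. Suggest `Get the SSL configuration of this client's transport session, or nullptr when the connection is not using TLS (no SSL manager configured). The pointer is owned by the SSL manager, not by the caller.` The ownership sentence follows from `session_asio.h` returning `&sslManager->getSSLConfiguration()`; adjust it if some implementation owns its own copy.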
@@ -77,6 +77,7 @@ #include "mongo/util/net/socket_utils.h" #include "mongo/util/net/ssl_manager.h" #include "mongo/util/net/ssl_options.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/password_digest.h" #include "mongo/util/time_support.h" #include "mongo/util/version.h" @@ -823,6 +824,12 @@ void DBClientConnection::handleNotMasterResponse(const BSONObj& replyBody, _markFailed(kSetFlag); } +#ifdef MONGO_CONFIG_SSL +const SSLConfiguration* DBClientConnection::getSSLConfiguration() { + return _session->getSSLConfiguration(); +} +#endif + AtomicWord<int> DBClientConnection::_numConnections; } // namespace mongo diff --git a/src/mongo/client/dbclient_connection.h b/src/mongo/client/dbclient_connection.h index 340c8670b3d..db6c0c2a567 100644 --- a/src/mongo/client/dbclient_connection.h +++ b/src/mongo/client/dbclient_connection.h @@ -39,6 +39,7 @@ #include "mongo/client/mongo_uri.h" #include "mongo/client/query.h" #include "mongo/client/read_preference.h" +#include "mongo/config.h" #include "mongo/db/dbmessage.h" #include "mongo/db/jsobj.h" #include "mongo/db/write_concern_options.h" @@ -307,6 +308,10 @@ public: return _authenticatedDuringConnect; } +#ifdef MONGO_CONFIG_SSL + const SSLConfiguration* getSSLConfiguration() override; +#endif + protected: int _minWireVersion{0}; int _maxWireVersion{0}; diff --git a/src/mongo/client/dbclient_rs.cpp b/src/mongo/client/dbclient_rs.cpp index 68ac0b84b50..86f35c50ef6 100644 --- a/src/mongo/client/dbclient_rs.cpp +++ b/src/mongo/client/dbclient_rs.cpp @@ -42,6 +42,7 @@ #include "mongo/client/global_conn_pool.h" #include "mongo/client/read_preference.h" #include "mongo/client/replica_set_monitor.h" +#include "mongo/config.h" #include "mongo/db/auth/sasl_command_constants.h" #include "mongo/db/dbmessage.h" #include "mongo/db/jsobj.h" 
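Review bot: `DBClientConnection::getSSLConfiguration()` dereferences `_session` unconditionally; if `_session` can be unset before `connect()` succeeds or after `_markFailed` tears the connection down (not visible in this hunk), this public accessor becomes a null dereference for any caller that asks too early. The base-class contract already permits a nullptr result (the `_auth` callers check for it), so `if (!_session) { return nullptr; }` ahead of the forwarding call makes the accessor total at no cost. A comment on the method, `// nullptr when there is no live session or the session has no SSL manager.`, would record that.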
@@ -1209,4 +1210,10 @@ void DBClientReplicaSet::resetSlaveOkConn() { _lastSlaveOkHost = HostAndPort(); } +#ifdef MONGO_CONFIG_SSL +const SSLConfiguration* DBClientReplicaSet::getSSLConfiguration() { + return checkMaster()->getSSLConfiguration(); +} +#endif + } // namespace mongo diff --git a/src/mongo/client/dbclient_rs.h b/src/mongo/client/dbclient_rs.h index 4069576cba0..4710a300c5d 100644 --- a/src/mongo/client/dbclient_rs.h +++ b/src/mongo/client/dbclient_rs.h @@ -37,6 +37,7 @@ #include "mongo/client/dbclient_connection.h" #include "mongo/client/mongo_uri.h" +#include "mongo/config.h" #include "mongo/util/net/hostandport.h" namespace mongo { @@ -258,6 +259,10 @@ public: */ static void setAuthPooledSecondaryConn(bool setting); +#ifdef MONGO_CONFIG_SSL + const SSLConfiguration* getSSLConfiguration() override; +#endif + protected: /** Authorize. Authorizes all nodes as needed */ diff --git a/src/mongo/db/auth/authorization_manager_impl.cpp b/src/mongo/db/auth/authorization_manager_impl.cpp index 7e161867017..e793b33f51d 100644 --- a/src/mongo/db/auth/authorization_manager_impl.cpp +++ b/src/mongo/db/auth/authorization_manager_impl.cpp @@ -55,6 +55,7 @@ #include "mongo/db/mongod_options.h" #include "mongo/logv2/log.h" #include "mongo/util/assert_util.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/str.h" diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp index b0e24ccaa38..cf30c5fbf4d 100644 --- a/src/mongo/db/auth/authorization_manager_test.cpp +++ b/src/mongo/db/auth/authorization_manager_test.cpp @@ -53,6 +53,7 @@ #include "mongo/transport/session.h" #include "mongo/transport/transport_layer_mock.h" #include "mongo/unittest/unittest.h" +#include "mongo/util/net/ssl_peer_info.h" #define ASSERT_NULL(EXPR) ASSERT_FALSE(EXPR) #define ASSERT_NON_NULL(EXPR) ASSERT_TRUE(EXPR) 
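Review bot: `DBClientReplicaSet::getSSLConfiguration()` routes a configuration lookup through `checkMaster()`, which, judging from its name and its other uses in this class, may consult the replica set monitor, open a connection to the primary, or throw; a getter that callers treat as a cheap accessor should not carry those side effects. Given that `ASIOSession::getSSLConfiguration()` in this same commit returns the global SSL manager's configuration rather than per-connection state, the value does not appear to depend on which node is current, so forwarding to an already-open connection (or returning nullptr when none exists) would avoid the network round trip. If the reconnect behaviour is intended, say so: `// Resolves the primary first; may reconnect or throw like every other use of checkMaster().`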
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp index 1030b67f336..166bbd3ebe9 100644 --- a/src/mongo/db/commands/authentication_commands.cpp +++ b/src/mongo/db/commands/authentication_commands.cpp @@ -61,6 +61,7 @@ #include "mongo/transport/session.h" #include "mongo/util/concurrency/mutex.h" #include "mongo/util/net/ssl_manager.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/text.h" @@ -88,7 +89,9 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS "No verified subject name available from client", !clientName.empty()); - if (!getSSLManager()->getSSLConfiguration().hasCA) { + auto sslConfiguration = opCtx->getClient()->session()->getSSLConfiguration(); + + if (!sslConfiguration->hasCA) { return Status(ErrorCodes::AuthenticationFailed, "Unable to verify x.509 certificate, as no CA has been provided."); } else if (user.getUser() != clientName.toString()) { @@ -96,7 +99,7 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS "There is no x.509 client certificate matching the user."); } else { // Handle internal cluster member auth, only applies to server-server connections - if (getSSLManager()->getSSLConfiguration().isClusterMember(clientName)) { + if (sslConfiguration->isClusterMember(clientName)) { int clusterAuthMode = serverGlobalParams.clusterAuthMode.load(); if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_undefined || clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile) { diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp index 8fc24ce6d79..d6f95c0e64f 100644 --- a/src/mongo/db/commands/user_management_commands.cpp +++ b/src/mongo/db/commands/user_management_commands.cpp 
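Review bot: `_authenticateX509` now dereferences `sslConfiguration` at `if (!sslConfiguration->hasCA)` without a null check, but `Session::getSSLConfiguration()` may return nullptr (the ASIO session does so when no SSL manager exists, and `MockSession` always does). A non-empty `clientName` presumably implies a TLS session, so the null case may be unreachable in practice, but an authentication path should fail closed rather than rely on that and crash the process if the assumption ever breaks. Add `if (!sslConfiguration) { return Status(ErrorCodes::AuthenticationFailed, "Unable to verify x.509 certificate, as TLS is not configured for this connection."); }` ahead of the `hasCA` check; `opCtx->getClient()->session()` is dereferenced unconditionally too, and the same guard should cover it if internal clients without a session can reach this code. The function's opening lines are outside the hunk.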
@@ -843,7 +843,8 @@ void CmdUMCTyped<CreateUserCommand, void>::Invocation::typedRun(OperationContext "Cannot create an x.509 user with a subjectname that would be " "recognized as an internal cluster member", (dbname != "$external") || !getSSLManager() || - !getSSLManager()->getSSLConfiguration().isClusterMember(userName.getUser())); + !opCtx->getClient()->session()->getSSLConfiguration()->isClusterMember( + userName.getUser())); #endif // Synthesize a user document diff --git a/src/mongo/db/dbdirectclient.h b/src/mongo/db/dbdirectclient.h index 0554334d6fd..8f0ac5ec334 100644 --- a/src/mongo/db/dbdirectclient.h +++ b/src/mongo/db/dbdirectclient.h @@ -30,6 +30,7 @@ #pragma once #include "mongo/client/dbclient_base.h" +#include "mongo/config.h" #include "mongo/db/dbmessage.h" #include "mongo/db/lasterror.h" #include "mongo/util/net/hostandport.h" @@ -107,6 +108,13 @@ public: return false; } +#ifdef MONGO_CONFIG_SSL + const SSLConfiguration* getSSLConfiguration() override { + invariant(false); + return nullptr; + } +#endif + private: OperationContext* _opCtx; LastError _lastError; // This LastError will be used for all operations on this client. diff --git a/src/mongo/shell/encrypted_dbclient_base.cpp b/src/mongo/shell/encrypted_dbclient_base.cpp index f08af53e152..d190c5ebac3 100644 --- a/src/mongo/shell/encrypted_dbclient_base.cpp +++ b/src/mongo/shell/encrypted_dbclient_base.cpp @@ -35,6 +35,7 @@ #include "mongo/base/data_type_validated.h" #include "mongo/bson/bson_depth.h" #include "mongo/client/dbclient_base.h" +#include "mongo/config.h" #include "mongo/crypto/aead_encryption.h" #include "mongo/crypto/fle_data_frames.h" #include "mongo/crypto/symmetric_crypto.h" 
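Review bot: The guard and the dereference in the createUser uassert now test different objects: the condition short-circuits on `!getSSLManager()` (the global manager) but then dereferences `opCtx->getClient()->session()->getSSLConfiguration()`, which the new session API is allowed to return as nullptr, and `session()` itself may be null for an internal client. With TLS configured globally, a session yielding no configuration would dereference null instead of running the cluster-member check. Test the pointer you actually dereference, and fall back to the global manager's configuration rather than skipping the check, so that a `$external` user with a cluster-member subject name cannot be created through such a path. The uassert's error code and opening lines are outside the hunk.
```cpp
    const SSLConfiguration* sslConfiguration = nullptr;
    if (auto session = opCtx->getClient()->session()) {
        sslConfiguration = session->getSSLConfiguration();
    }
    if (!sslConfiguration && getSSLManager()) {
        // Fail closed: a session without TLS state still gets the global check.
        sslConfiguration = &getSSLManager()->getSSLConfiguration();
    }
    // … unchanged: uassert error code and message …
            (dbname != "$external") || !sslConfiguration ||
                !sslConfiguration->isClusterMember(userName.getUser()));
```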
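Review bot: `DBDirectClient::getSSLConfiguration()` trips `invariant(false)`, which aborts the server process if any code path ever calls it; `DBClientBase::_auth` in this same commit calls `getSSLConfiguration()` on any `DBClientBase`, so an unexpected caller turns into a crash rather than an error. The sibling implementations (`MockSession`, `ASIOSession` without an SSL manager) express "no TLS configuration" as nullptr, and the direct client genuinely has no TLS session, so nullptr is both the accurate answer and the one the null-checking callers already handle. Replace the invariant with `// The direct client has no transport session and therefore no TLS configuration.` followed by `return nullptr;`.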
@@ -645,6 +646,12 @@ std::shared_ptr<SymmetricKey> EncryptedDBClientBase::getDataKeyFromDisk(const UU std::move(decryptedKey), crypto::aesAlgorithm, "kms_encryption"); } +#ifdef MONGO_CONFIG_SSL +const SSLConfiguration* EncryptedDBClientBase::getSSLConfiguration() { + return _conn->getSSLConfiguration(); +} +#endif + namespace { /** diff --git a/src/mongo/shell/encrypted_dbclient_base.h b/src/mongo/shell/encrypted_dbclient_base.h index 406c5884391..4281513cada 100644 --- a/src/mongo/shell/encrypted_dbclient_base.h +++ b/src/mongo/shell/encrypted_dbclient_base.h @@ -33,6 +33,7 @@ #include "mongo/base/data_type_validated.h" #include "mongo/bson/bson_depth.h" #include "mongo/client/dbclient_base.h" +#include "mongo/config.h" #include "mongo/crypto/aead_encryption.h" #include "mongo/crypto/symmetric_crypto.h" #include "mongo/db/client.h" @@ -140,6 +141,10 @@ public: bool isMongos() const final; +#ifdef MONGO_CONFIG_SSL + const SSLConfiguration* getSSLConfiguration() override; +#endif + protected: std::pair<rpc::UniqueReply, DBClientBase*> processResponse(rpc::UniqueReply result, const StringData databaseName); diff --git a/src/mongo/transport/SConscript b/src/mongo/transport/SConscript index ab1e34c702b..b5431d1db2a 100644 --- a/src/mongo/transport/SConscript +++ b/src/mongo/transport/SConscript @@ -15,6 +15,7 @@ env.Library( LIBDEPS=[ '$BUILD_DIR/mongo/base', '$BUILD_DIR/mongo/db/service_context', + '$BUILD_DIR/mongo/util/net/ssl_manager', ], ) diff --git a/src/mongo/transport/mock_session.h b/src/mongo/transport/mock_session.h index d9a6984f5b5..8fcb6fc789a 100644 --- a/src/mongo/transport/mock_session.h +++ b/src/mongo/transport/mock_session.h @@ -30,6 +30,7 @@ #pragma once #include "mongo/base/checked_cast.h" +#include "mongo/config.h" #include "mongo/transport/session.h" #include "mongo/transport/transport_layer_mock.h" #include "mongo/util/net/hostandport.h" 
@@ -123,6 +124,12 @@ public: return true; } +#ifdef MONGO_CONFIG_SSL + virtual const SSLConfiguration* getSSLConfiguration() const override { + return nullptr; + } +#endif + explicit MockSession(TransportLayer* tl) : _tl(checked_cast<TransportLayerMock*>(tl)), _remote(), _local() {} explicit MockSession(HostAndPort remote, diff --git a/src/mongo/transport/service_state_machine.cpp b/src/mongo/transport/service_state_machine.cpp index 2d28455793e..fb09fa9ad85 100644 --- a/src/mongo/transport/service_state_machine.cpp +++ b/src/mongo/transport/service_state_machine.cpp @@ -54,6 +54,7 @@ #include "mongo/util/exit.h" #include "mongo/util/fail_point.h" #include "mongo/util/net/socket_exception.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/quick_exit.h" namespace mongo { diff --git a/src/mongo/transport/session.cpp b/src/mongo/transport/session.cpp index d3efb3051b6..c35d49aff1c 100644 --- a/src/mongo/transport/session.cpp +++ b/src/mongo/transport/session.cpp @@ -31,9 +31,13 @@ #include "mongo/transport/session.h" +#include "mongo/config.h" #include "mongo/platform/atomic_word.h" #include "mongo/transport/transport_layer.h" +#ifdef MONGO_CONFIG_SSL +#include "mongo/util/net/ssl_manager.h" #include "mongo/util/net/ssl_types.h" +#endif namespace mongo { namespace transport { diff --git a/src/mongo/transport/session.h b/src/mongo/transport/session.h index 6f72aca8127..2f5aebb74f4 100644 --- a/src/mongo/transport/session.h +++ b/src/mongo/transport/session.h @@ -31,6 +31,7 @@ #include <memory> +#include "mongo/config.h" #include "mongo/db/baton.h" #include "mongo/platform/atomic_word.h" #include "mongo/rpc/message.h" @@ -40,6 +41,9 @@ #include "mongo/util/net/hostandport.h" #include "mongo/util/net/sockaddr.h" #include "mongo/util/time_support.h" +#ifdef MONGO_CONFIG_SSL +#include "mongo/util/net/ssl_types.h" +#endif namespace mongo { namespace transport { 
@@ -184,6 +188,13 @@ public: TagMask getTags() const; +#ifdef MONGO_CONFIG_SSL + /** + * Get the configuration from the SSL manager. + */ + virtual const SSLConfiguration* getSSLConfiguration() const = 0; +#endif + protected: Session(); diff --git a/src/mongo/transport/session_asio.h b/src/mongo/transport/session_asio.h index bf19ccc31da..5795230daa6 100644 --- a/src/mongo/transport/session_asio.h +++ b/src/mongo/transport/session_asio.h @@ -41,6 +41,7 @@ #include "mongo/util/net/socket_utils.h" #ifdef MONGO_CONFIG_SSL #include "mongo/util/net/ssl_manager.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #endif @@ -240,6 +241,16 @@ public: return false; } +#ifdef MONGO_CONFIG_SSL + virtual const SSLConfiguration* getSSLConfiguration() const override { + auto sslManager = getSSLManager(); + if (!sslManager) { + return nullptr; + } + return &sslManager->getSSLConfiguration(); + } +#endif + protected: friend class TransportLayerASIO; friend TransportLayerASIO::BatonASIO; diff --git a/src/mongo/transport/transport_layer_mock.h b/src/mongo/transport/transport_layer_mock.h index eb095b1e65e..8d38a4c4ef5 100644 --- a/src/mongo/transport/transport_layer_mock.h +++ b/src/mongo/transport/transport_layer_mock.h @@ -33,6 +33,7 @@ #include "mongo/stdx/unordered_map.h" #include "mongo/transport/session.h" #include "mongo/transport/transport_layer.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/time_support.h" diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript index ccdef1287b2..41ff54ec20b 100644 --- a/src/mongo/util/net/SConscript +++ b/src/mongo/util/net/SConscript @@ -96,7 +96,6 @@ env.Library( '$BUILD_DIR/mongo/base', ], LIBDEPS_PRIVATE=[ - '$BUILD_DIR/mongo/transport/transport_layer_common', 'ssl_options', ] ) 
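Review bot: The doc comment on the new pure virtual `Session::getSSLConfiguration()` says "Get the configuration from the SSL manager" but not that the result may be nullptr, which both implementations in this commit return (`MockSession` unconditionally, `ASIOSession` when `getSSLManager()` is null), and `_authenticateX509` is already dereferencing it unchecked. Suggest `Returns the SSL configuration of the SSL manager backing this session, or nullptr when no SSL manager is available (TLS disabled, or a mock/non-TLS transport). The pointer is owned by the SSL manager and stays valid for the manager's lifetime.`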
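Review bot: `ASIOSession::getSSLConfiguration()` is declared `virtual const SSLConfiguration* getSSLConfiguration() const override`; `virtual` on an override is redundant, so `const SSLConfiguration* getSSLConfiguration() const override {` suffices, and the same applies to `MockSession::getSSLConfiguration()` earlier in the commit. The body returns the process-wide `getSSLManager()` configuration rather than anything tied to this socket, which deserves a comment so readers do not assume per-connection state: `// Not per-connection: every ASIO session reports the global SSL manager's configuration.`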
@@ -122,6 +121,7 @@ if not get_option('ssl') == 'off': "ssl_parameters.cpp", "ssl_manager_%s.cpp" % (ssl_provider), "ssl_stream.cpp", + "ssl_peer_info.cpp", env.Idlc('ssl_parameters.idl')[0], "ocsp/ocsp_manager.cpp", ], diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h index 8bcb12db721..979dc9f0f2f 100644 --- a/src/mongo/util/net/ssl_manager.h +++ b/src/mongo/util/net/ssl_manager.h @@ -44,6 +44,7 @@ #include "mongo/util/decorable.h" #include "mongo/util/net/sock.h" #include "mongo/util/net/ssl/apple.hpp" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/out_of_line_executor.h" #include "mongo/util/time_support.h" @@ -117,26 +118,6 @@ public: virtual ~SSLConnectionInterface(); }; -class SSLConfiguration { -public: - bool isClusterMember(StringData subjectName) const; - bool isClusterMember(SSLX509Name subjectName) const; - void getServerStatusBSON(BSONObjBuilder*) const; - Status setServerSubjectName(SSLX509Name name); - - const SSLX509Name& serverSubjectName() const { - return _serverSubjectName; - } - - SSLX509Name clientSubjectName; - Date_t serverCertificateExpirationDate; - bool hasCA = false; - -private: - SSLX509Name _serverSubjectName; - std::vector<SSLX509Name::Entry> _canonicalServerSubjectName; -}; - // These represent the ASN.1 type bytes for strings used in an X509 DirectoryString constexpr int kASN1BMPString = 30; constexpr int kASN1IA5String = 22; diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp index c112e7db5ee..d96ee83ced1 100644 --- a/src/mongo/util/net/ssl_manager_apple.cpp +++ b/src/mongo/util/net/ssl_manager_apple.cpp @@ -55,6 +55,7 @@ #include "mongo/util/net/ssl_manager.h" #include "mongo/util/net/ssl_options.h" #include "mongo/util/net/ssl_parameters_gen.h" +#include "mongo/util/net/ssl_peer_info.h" using asio::ssl::apple::CFUniquePtr; 
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index 3dc7325a90a..90fd2d5eba9 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp @@ -62,6 +62,7 @@ #include "mongo/util/net/socket_exception.h" #include "mongo/util/net/ssl_options.h" #include "mongo/util/net/ssl_parameters_gen.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/periodic_runner.h" #include "mongo/util/read_through_cache.h" diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp index 5c87b0161b0..5eed0bdb6a1 100644 --- a/src/mongo/util/net/ssl_manager_windows.cpp +++ b/src/mongo/util/net/ssl_manager_windows.cpp @@ -61,6 +61,7 @@ #include "mongo/util/net/ssl.hpp" #include "mongo/util/net/ssl_options.h" #include "mongo/util/net/ssl_parameters_gen.h" +#include "mongo/util/net/ssl_peer_info.h" #include "mongo/util/net/ssl_types.h" #include "mongo/util/str.h" #include "mongo/util/text.h" diff --git a/src/mongo/util/net/ssl_peer_info.cpp b/src/mongo/util/net/ssl_peer_info.cpp new file mode 100644 index 00000000000..315fa751993 --- /dev/null +++ b/src/mongo/util/net/ssl_peer_info.cpp 
@@ -0,0 +1,46 @@ +/** + * Copyright (C) 2018-present MongoDB, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the Server Side Public License, version 1, + * as published by MongoDB, Inc. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * Server Side Public License for more details. + * + * You should have received a copy of the Server Side Public License + * along with this program. If not, see + * <http://www.mongodb.com/licensing/server-side-public-license>. + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the Server Side Public License in all respects for + * all of the code used other than as permitted herein. If you modify file(s) + * with this exception, you may extend this exception to your version of the + * file(s), but you are not obligated to do so. If you do not wish to do so, + * delete this exception statement from your version. If you delete this + * exception statement from all source files in the program, then also delete + * it in the license file. 
+ */ + +#include "mongo/platform/basic.h" + +#include "mongo/util/net/ssl_peer_info.h" + +namespace mongo { +namespace { +const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession = + transport::Session::declareDecoration<SSLPeerInfo>(); +} +SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) { + return peerInfoForSession(session.get()); +} + +const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) { + return peerInfoForSession(session.get()); +} +} // namespace mongo
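Review bot: The new `ssl_peer_info.cpp` ends without a trailing newline (the next file header records `\ No newline at end of file`), and its anonymous namespace closes with a bare `}` whereas the code it was moved from in `ssl_types.cpp` closed with `}  // namespace`. Restore both: add the newline at EOF and write `}  // namespace` for the anonymous namespace. A short comment above the decoration, `// Peer-certificate info attached to each transport Session as a decoration.`, would also help now that the definition lives in its own file.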
\ No newline at end of file
diff --git a/src/mongo/util/net/ssl_peer_info.h b/src/mongo/util/net/ssl_peer_info.h
new file mode 100644
index 00000000000..b336fd95e18
--- /dev/null
+++ b/src/mongo/util/net/ssl_peer_info.h
@@ -0,0 +1,67 @@ +/** + * Copyright (C) 2018-present MongoDB, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the Server Side Public License, version 1, + * as published by MongoDB, Inc. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * Server Side Public License for more details. + * + * You should have received a copy of the Server Side Public License + * along with this program. If not, see + * <http://www.mongodb.com/licensing/server-side-public-license>. + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the Server Side Public License in all respects for + * all of the code used other than as permitted herein. If you modify file(s) + * with this exception, you may extend this exception to your version of the + * file(s), but you are not obligated to do so. If you do not wish to do so, + * delete this exception statement from your version. If you delete this + * exception statement from all source files in the program, then also delete + * it in the license file. + */ + +#pragma once + +#include "mongo/transport/session.h" +#include "mongo/util/net/ssl_types.h" + +namespace mongo { +/** + * Contains information extracted from the peer certificate which is consumed by subsystems + * outside of the networking stack. 
+ */ +struct SSLPeerInfo { + explicit SSLPeerInfo(SSLX509Name subjectName, + boost::optional<std::string> sniName = {}, + stdx::unordered_set<RoleName> roles = {}) + : isTLS(true), + subjectName(std::move(subjectName)), + sniName(std::move(sniName)), + roles(std::move(roles)) {} + SSLPeerInfo() = default; + + explicit SSLPeerInfo(boost::optional<std::string> sniName) + : isTLS(true), sniName(std::move(sniName)) {} + + /** + * This flag is used to indicate if the underlying socket is using TLS or not. A default + * constructor of SSLPeerInfo indicates that TLS is not being used, and the other + * constructors set its value to true. + */ + bool isTLS = false; + + SSLX509Name subjectName; + boost::optional<std::string> sniName; + stdx::unordered_set<RoleName> roles; + + static SSLPeerInfo& forSession(const transport::SessionHandle& session); + static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session); +}; +} // namespace mongo
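Review bot: `ssl_peer_info.h` also ends without a trailing newline (the `\ No newline at end of file` marker follows this hunk); add it. The header uses `boost::optional`, `stdx::unordered_set` and `RoleName`; `ssl_types.h` visibly includes `role_name.h` and `stdx/unordered_set.h`, but no `boost/optional.hpp` include is visible anywhere in the chain, so unless it arrives transitively add `#include <boost/optional.hpp>` here rather than relying on the include order.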
\ No newline at end of file diff --git a/src/mongo/util/net/ssl_types.cpp b/src/mongo/util/net/ssl_types.cpp index cc2f7e063ea..217da793c7c 100644 --- a/src/mongo/util/net/ssl_types.cpp +++ b/src/mongo/util/net/ssl_types.cpp @@ -35,21 +35,6 @@ namespace mongo { -namespace { - -const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession = - transport::Session::declareDecoration<SSLPeerInfo>(); - -} // namespace - -SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) { - return peerInfoForSession(session.get()); -} - -const SSLPeerInfo& SSLPeerInfo::forSession(const transport::ConstSessionHandle& session) { - return peerInfoForSession(session.get()); -} - const SSLParams& getSSLGlobalParams() { return sslGlobalParams; } diff --git a/src/mongo/util/net/ssl_types.h b/src/mongo/util/net/ssl_types.h index a006fd721e1..6f859ee01aa 100644 --- a/src/mongo/util/net/ssl_types.h +++ b/src/mongo/util/net/ssl_types.h @@ -34,7 +34,6 @@ #include "mongo/bson/util/builder.h" #include "mongo/db/auth/role_name.h" #include "mongo/stdx/unordered_set.h" -#include "mongo/transport/session.h" namespace mongo { 
@@ -110,36 +109,24 @@ inline bool operator<(const SSLX509Name::Entry& lhs, const SSLX509Name::Entry& r return lhs.equalityLens() < rhs.equalityLens(); } -/** - * Contains information extracted from the peer certificate which is consumed by subsystems - * outside of the networking stack. - */ -struct SSLPeerInfo { - explicit SSLPeerInfo(SSLX509Name subjectName, - boost::optional<std::string> sniName = {}, - stdx::unordered_set<RoleName> roles = {}) - : isTLS(true), - subjectName(std::move(subjectName)), - sniName(std::move(sniName)), - roles(std::move(roles)) {} - SSLPeerInfo() = default; - - explicit SSLPeerInfo(boost::optional<std::string> sniName) - : isTLS(true), sniName(std::move(sniName)) {} +class SSLConfiguration { +public: + bool isClusterMember(StringData subjectName) const; + bool isClusterMember(SSLX509Name subjectName) const; + void getServerStatusBSON(BSONObjBuilder*) const; + Status setServerSubjectName(SSLX509Name name); - /** - * This flag is used to indicate if the underlying socket is using TLS or not. A default - * constructor of SSLPeerInfo indicates that TLS is not being used, and the other - * constructors set its value to true. - */ - bool isTLS = false; + const SSLX509Name& serverSubjectName() const { + return _serverSubjectName; + } - SSLX509Name subjectName; - boost::optional<std::string> sniName; - stdx::unordered_set<RoleName> roles; + SSLX509Name clientSubjectName; + Date_t serverCertificateExpirationDate; + bool hasCA = false; - static SSLPeerInfo& forSession(const transport::SessionHandle& session); - static const SSLPeerInfo& forSession(const transport::ConstSessionHandle& session); +private: + SSLX509Name _serverSubjectName; + std::vector<SSLX509Name::Entry> _canonicalServerSubjectName; }; } // namespace mongo |
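Review bot: `SSLConfiguration` moves into `ssl_types.h` using `Date_t`, `Status`, `StringData` and `BSONObjBuilder`, while the `@@ -34,7 +34,6 @@` hunk on the same file drops `#include "mongo/transport/session.h"`, which (per `session.h` in this commit) was the include bringing in `mongo/util/time_support.h`; `ssl_manager.h`, which used to hold the class, includes `time_support.h` directly. Unless another visible include now supplies `Date_t`, add `#include "mongo/util/time_support.h"` (and `mongo/base/status.h` if it is not already there) to `ssl_types.h` so the header stands on its own. A one-line class comment would also help now that the class lives apart from `SSLManagerInterface`, e.g. `// TLS settings derived from the SSL manager's certificates; shared by every session of that manager.`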