20 files changed, 158 insertions, 158 deletions
diff --git a/src/mongo/client/cyrus_sasl_client_session.cpp b/src/mongo/client/cyrus_sasl_client_session.cpp index 98b9f25b988..bedfa1f5b06 100644 --- a/src/mongo/client/cyrus_sasl_client_session.cpp +++ b/src/mongo/client/cyrus_sasl_client_session.cpp @@ -46,7 +46,7 @@ namespace { } return new CyrusSaslClientSession(); } - + /* * Allocator functions to be used by the SASL library, if the client * doesn't initialize the library for us. @@ -127,17 +127,17 @@ namespace { * * If a client wishes to override this initialization but keep the allocator and mutex * initialization, it should implement a MONGO_INITIALIZER_GENERAL with - * CyrusSaslAllocatorsAndMutexes as a prerequisite and CyrusSaslClientContext as a + * CyrusSaslAllocatorsAndMutexes as a prerequisite and CyrusSaslClientContext as a * dependent. If it wishes to override both, it should implement a MONGO_INITIALIZER_GENERAL - * with CyrusSaslAllocatorsAndMutexes and CyrusSaslClientContext as dependents, or + * with CyrusSaslAllocatorsAndMutexes and CyrusSaslClientContext as dependents, or * initialize the library before calling mongo::runGlobalInitializersOrDie(). */ - MONGO_INITIALIZER_WITH_PREREQUISITES(CyrusSaslClientContext, + MONGO_INITIALIZER_WITH_PREREQUISITES(CyrusSaslClientContext, ("NativeSaslClientContext", "CyrusSaslAllocatorsAndMutexes")) (InitializerContext* context) { - static sasl_callback_t saslClientGlobalCallbacks[] = + static sasl_callback_t saslClientGlobalCallbacks[] = { { SASL_CB_LOG, SaslCallbackFn(saslClientLogSwallow), NULL /* context */ }, { SASL_CB_LIST_END } }; @@ -153,7 +153,7 @@ namespace { sasl_errstring(result, NULL, NULL) << ")"); } - + SaslClientSession::create = createCyrusSaslClientSession; return Status::OK(); } 
@@ -258,7 +258,7 @@ namespace { Status CyrusSaslClientSession::initialize() { if (_saslConnection != NULL) - return Status(ErrorCodes::AlreadyInitialized, + return Status(ErrorCodes::AlreadyInitialized, "Cannot reinitialize CyrusSaslClientSession."); int result = sasl_client_new(getParameter(parameterServiceName).toString().c_str(), diff --git a/src/mongo/client/native_sasl_client_session.cpp b/src/mongo/client/native_sasl_client_session.cpp index bbdcef55f7c..a03e6ecf2dd 100644 --- a/src/mongo/client/native_sasl_client_session.cpp +++ b/src/mongo/client/native_sasl_client_session.cpp @@ -41,7 +41,7 @@ namespace { SaslClientSession* createNativeSaslClientSession(const std::string mech) { return new NativeSaslClientSession(); } - + MONGO_INITIALIZER(NativeSaslClientContext)(InitializerContext* context) { SaslClientSession::create = createNativeSaslClientSession; return Status::OK(); @@ -52,15 +52,15 @@ namespace { NativeSaslClientSession::NativeSaslClientSession() : SaslClientSession(), _step(0), - _done(false), - _saslConversation(NULL) { + _done(false), + _saslConversation(NULL) { } NativeSaslClientSession::~NativeSaslClientSession() {} Status NativeSaslClientSession::initialize() { if (_saslConversation) - return Status(ErrorCodes::AlreadyInitialized, + return Status(ErrorCodes::AlreadyInitialized, "Cannot reinitialize NativeSaslClientSession."); std::string mechanism = getParameter(parameterMechanism).toString(); @@ -72,7 +72,7 @@ namespace { } else { return Status(ErrorCodes::BadValue, - mongoutils::str::stream() << "SASL mechanism " << mechanism << + mongoutils::str::stream() << "SASL mechanism " << mechanism << "is not supported"); } @@ -82,7 +82,7 @@ namespace { Status NativeSaslClientSession::step(const StringData& inputData, std::string* outputData) { if (!_saslConversation) { return Status(ErrorCodes::BadValue, - mongoutils::str::stream() << + mongoutils::str::stream() << "The client authentication session has not been properly initialized"); } 
diff --git a/src/mongo/client/native_sasl_client_session.h b/src/mongo/client/native_sasl_client_session.h index 3bb83230025..b96c3eb9469 100644 --- a/src/mongo/client/native_sasl_client_session.h +++ b/src/mongo/client/native_sasl_client_session.h @@ -56,7 +56,7 @@ namespace mongo { /// See isDone(). bool _done; - + /// The client side of a SASL authentication conversation. boost::scoped_ptr<SaslClientConversation> _saslConversation; }; diff --git a/src/mongo/client/sasl_client_session.cpp b/src/mongo/client/sasl_client_session.cpp index 06becc9b095..dfc3249eacf 100644 --- a/src/mongo/client/sasl_client_session.cpp +++ b/src/mongo/client/sasl_client_session.cpp @@ -36,7 +36,7 @@ namespace mongo { SaslClientSession::SaslClientSessionFactoryFn SaslClientSession::create = NULL; - + SaslClientSession::SaslClientSession() {} SaslClientSession::~SaslClientSession() {} @@ -46,7 +46,7 @@ namespace mongo { DataBuffer& buffer = _parameters[id]; buffer.size = value.size(); buffer.data.reset(new char[buffer.size + 1]); - + // Note that we append a terminal NUL to buffer.data, so it may be treated as a C-style // string. This is required for parameterServiceName, parameterServiceHostname, // parameterMechanism and parameterUser. diff --git a/src/mongo/client/sasl_client_session.h b/src/mongo/client/sasl_client_session.h index 69f012b6b11..6aec459a91a 100644 --- a/src/mongo/client/sasl_client_session.h +++ b/src/mongo/client/sasl_client_session.h @@ -56,7 +56,7 @@ namespace mongo { public: typedef stdx::function<SaslClientSession* (const std::string&)> SaslClientSessionFactoryFn; static SaslClientSessionFactoryFn create; - + /** * Identifiers of parameters used to configure a SaslClientSession. */ diff --git a/src/mongo/client/sasl_plain_client_conversation.cpp b/src/mongo/client/sasl_plain_client_conversation.cpp index b3436cc836e..a0c28aca40f 100644 --- a/src/mongo/client/sasl_plain_client_conversation.cpp +++ b/src/mongo/client/sasl_plain_client_conversation.cpp 
@@ -37,18 +37,18 @@ #include "mongo/util/text.h" namespace mongo { - + SaslPLAINClientConversation::SaslPLAINClientConversation( SaslClientSession* saslClientSession) : SaslClientConversation(saslClientSession) { } SaslPLAINClientConversation::~SaslPLAINClientConversation() {}; - - StatusWith<bool> SaslPLAINClientConversation::step(const StringData& inputData, + + StatusWith<bool> SaslPLAINClientConversation::step(const StringData& inputData, std::string* outputData) { // Create PLAIN message on the form: user\0user\0pwd - + StringBuilder sb; sb << _saslClientSession->getParameter(SaslClientSession::parameterUser).toString() << '\0' << @@ -60,5 +60,5 @@ namespace mongo { return StatusWith<bool>(true); } - + } // namespace mongo diff --git a/src/mongo/client/sasl_plain_client_conversation.h b/src/mongo/client/sasl_plain_client_conversation.h index ffd3f46b810..24017d75566 100644 --- a/src/mongo/client/sasl_plain_client_conversation.h +++ b/src/mongo/client/sasl_plain_client_conversation.h @@ -46,7 +46,7 @@ namespace mongo { * Implements the client side of a SASL PLAIN mechanism session. * **/ - explicit SaslPLAINClientConversation(SaslClientSession* saslClientSession); + explicit SaslPLAINClientConversation(SaslClientSession* saslClientSession); virtual ~SaslPLAINClientConversation(); diff --git a/src/mongo/client/sasl_scramsha1_client_conversation.cpp b/src/mongo/client/sasl_scramsha1_client_conversation.cpp index e1cee945ad4..621aadfd7eb 100644 --- a/src/mongo/client/sasl_scramsha1_client_conversation.cpp +++ b/src/mongo/client/sasl_scramsha1_client_conversation.cpp 
@@ -59,13 +59,13 @@ namespace mongo { memset(_saltedPassword, 0, scram::hashSize); } - StatusWith<bool> SaslSCRAMSHA1ClientConversation::step(const StringData& inputData, + StatusWith<bool> SaslSCRAMSHA1ClientConversation::step(const StringData& inputData, std::string* outputData) { std::vector<std::string> input = StringSplitter::split(inputData.toString(), ","); _step++; switch (_step) { - case 1: + case 1: return _firstStep(outputData); case 2: // Append server-first-message to _authMessage @@ -75,12 +75,12 @@ namespace mongo { return _thirdStep(input, outputData); default: return StatusWith<bool>(ErrorCodes::AuthenticationFailed, - mongoutils::str::stream() << + mongoutils::str::stream() << "Invalid SCRAM-SHA-1 authentication step: " << _step); } } - - /* + + /* * RFC 5802 specifies that in SCRAM user names characters ',' and '=' are encoded as * =2C and =3D respectively. */ @@ -101,19 +101,19 @@ namespace mongo { // Create text-based nonce as base64 encoding of a binary blob of length multiple of 3 const int nonceLenQWords = 3; uint64_t binaryNonce[nonceLenQWords]; - + scoped_ptr<SecureRandom> sr(SecureRandom::create()); binaryNonce[0] = sr->nextInt64(); binaryNonce[1] = sr->nextInt64(); binaryNonce[2] = sr->nextInt64(); - - std::string user = + + std::string user = _saslClientSession->getParameter(SaslClientSession::parameterUser).toString(); encodeSCRAMUsername(user); - std::string clientNonce = base64::encode(reinterpret_cast<char*>(binaryNonce), + std::string clientNonce = base64::encode(reinterpret_cast<char*>(binaryNonce), sizeof(binaryNonce)); - + // Append client-first-message-bare to authMessage _authMessage = "n=" + user + ",r=" + clientNonce + ","; @@ -127,7 +127,7 @@ namespace mongo { #endif // MONGO_SSL } - /** + /** * Parse server-first-message on the form: * r=client-nonce|server-nonce,s=user-salt,i=iteration-count * 
@@ -135,42 +135,42 @@ namespace mongo { * c=channel-binding(base64),r=client-nonce|server-nonce,p=ClientProof * **/ - StatusWith<bool> SaslSCRAMSHA1ClientConversation::_secondStep(const std::vector<string>& input, + StatusWith<bool> SaslSCRAMSHA1ClientConversation::_secondStep(const std::vector<string>& input, std::string* outputData) { #ifndef MONGO_SSL - return StatusWith<bool>(ErrorCodes::InternalError, + return StatusWith<bool>(ErrorCodes::InternalError, "The server is not compiled with SSL support"); #else if (input.size() != 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << - "Incorrect number of arguments for first SCRAM-SHA-1 server message, got " << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + "Incorrect number of arguments for first SCRAM-SHA-1 server message, got " << input.size() << " expected 3"); } else if (!str::startsWith(input[0], "r=") || input[0].size() < 2) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 client|server nonce: " << input[0]); } else if (!str::startsWith(input[1], "s=") || input[1].size() < 6) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 salt: " << input[1]); } else if(!str::startsWith(input[2], "i=") || input[2].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 iteration count: " << input[2]); } std::string nonce = input[0].substr(2); if(!str::startsWith(nonce, _clientNonce)) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Server SCRAM-SHA-1 nonce does not 
match client nonce" << input[2]); } std::string salt = input[1].substr(2); int iterationCount; - + Status status = parseNumberFromStringWithBase(input[2].substr(2), 10, &iterationCount); if (status != Status::OK()) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Failed to parse SCRAM-SHA-1 iteration count: " << input[2]); } 
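Review bot: The iteration count parsed at the end of this hunk is never bounded, so a server — or anyone impersonating one, since the client has not yet verified any ServerSignature at this point — can send `i=1` and the client will salt the password with a single round and hand back a ClientProof that is cheap to brute-force offline; RFC 5802 treats 4096 as the expected floor for SCRAM-SHA-1. After the parse succeeds, add `if (iterationCount < 4096) return StatusWith<bool>(ErrorCodes::BadValue, "SCRAM-SHA-1 iteration count too low");` (or whatever floor the server-side generator guarantees, which is not visible here). Separately, the nonce-mismatch error earlier in the hunk appends `input[2]` (the iteration-count field) to the message where `input[0]` is the field that failed. `_secondStep` continues past the end of this hunk.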
@@ -191,55 +191,55 @@ namespace mongo { decodedSalt.size(), iterationCount, _saltedPassword); - + std::string clientProof = scram::generateClientProof(_saltedPassword, _authMessage); - + StringBuilder sb; - sb << "c=biws,r=" << nonce << ",p=" << clientProof; + sb << "c=biws,r=" << nonce << ",p=" << clientProof; *outputData = sb.str(); return StatusWith<bool>(false); #endif // MONGO_SSL } - /** + /** * Verify server-final-message on the form: - * v=ServerSignature - * + * v=ServerSignature + * * or failed authentication server-final-message on the form: * e=message **/ - StatusWith<bool> SaslSCRAMSHA1ClientConversation::_thirdStep(const std::vector<string>& input, + StatusWith<bool> SaslSCRAMSHA1ClientConversation::_thirdStep(const std::vector<string>& input, std::string* outputData) { #ifndef MONGO_SSL - return StatusWith<bool>(ErrorCodes::InternalError, + return StatusWith<bool>(ErrorCodes::InternalError, "The server is not compiled with SSL support"); #else if (input.size() != 1) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << - "Incorrect number of arguments for final SCRAM-SHA-1 server message, got " << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + "Incorrect number of arguments for final SCRAM-SHA-1 server message, got " << input.size() << " expected 1"); } else if (input[0].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 server message length: " << input[0]); } else if (str::startsWith(input[0], "e=")) { - return StatusWith<bool>(ErrorCodes::AuthenticationFailed, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::AuthenticationFailed, mongoutils::str::stream() << "SCRAM-SHA-1 authentication failure: " << input[0].substr(2)); } else if (!str::startsWith(input[0], "v=")) { - return StatusWith<bool>(ErrorCodes::BadValue, 
mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 ServerSignature: " << input[0]); } - bool validServerSignature = + bool validServerSignature = scram::verifyServerSignature(_saltedPassword, _authMessage, input[0].substr(2)); if (!validServerSignature) { *outputData = "e=Invalid server signature"; - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Client failed to verify SCRAM-SHA-1 ServerSignature, received " << input[0].substr(2)); } diff --git a/src/mongo/client/sasl_scramsha1_client_conversation.h b/src/mongo/client/sasl_scramsha1_client_conversation.h index 668588bc03f..bb6cf29aa2c 100644 --- a/src/mongo/client/sasl_scramsha1_client_conversation.h +++ b/src/mongo/client/sasl_scramsha1_client_conversation.h @@ -48,7 +48,7 @@ namespace mongo { /** * Implements the client side of a SASL PLAIN mechanism session. **/ - explicit SaslSCRAMSHA1ClientConversation(SaslClientSession* saslClientSession); + explicit SaslSCRAMSHA1ClientConversation(SaslClientSession* saslClientSession); virtual ~SaslSCRAMSHA1ClientConversation(); @@ -66,21 +66,21 @@ namespace mongo { * Generates client-first-message. **/ StatusWith<bool> _firstStep(std::string* outputData); - - /** + + /** * Parses server-first-message and generate client-final-message. - **/ + **/ StatusWith<bool> _secondStep(const std::vector<string>& input, std::string* outputData); - + /** * Generates client-first-message. **/ StatusWith<bool> _thirdStep(const std::vector<string>& input, std::string* outputData); - + int _step; std::string _authMessage; unsigned char _saltedPassword[scram::hashSize]; - + // client and server nonce concatenated std::string _clientNonce; }; diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp index 1d1dca82a71..0ed62da897c 100644 
--- a/src/mongo/db/auth/authorization_manager.cpp +++ b/src/mongo/db/auth/authorization_manager.cpp @@ -724,7 +724,7 @@ namespace mongo { } namespace { - + /** * Logs that the auth schema upgrade failed because of "status" and returns "status". */ @@ -744,7 +744,7 @@ namespace { const BSONObj& userDoc, const BSONObj& writeConcern) { BSONElement credentialsElement = userDoc["credentials"]; - uassert(18743, + uassert(18806, mongoutils::str::stream() << "While preparing to upgrade user doc from " "2.6/2.8 user data schema to the 2.8 SCRAM only schema, found a user doc " "with missing or incorrectly formatted credentials: " @@ -754,7 +754,7 @@ namespace { BSONObj credentialsObj = credentialsElement.Obj(); BSONElement mongoCRElement = credentialsObj["MONGODB-CR"]; BSONElement scramElement = credentialsObj["SCRAM-SHA-1"]; - + // Ignore any user documents that already have SCRAM credentials. This should only // occur if a previous authSchemaUpgrade was interrupted halfway. if (!scramElement.eoo()) { @@ -774,10 +774,10 @@ namespace { BSONObjBuilder updateBuilder; { BSONObjBuilder toSetBuilder(updateBuilder.subobjStart("$set")); - toSetBuilder << "credentials" << + toSetBuilder << "credentials" << BSON("SCRAM-SHA-1" << scram::generateCredentials(hashedPassword)); } - + uassertStatusOK(externalState->updateOne(txn, NamespaceString("admin", "system.users"), query, @@ -806,7 +806,7 @@ namespace { boost::bind(updateUserCredentials, txn, externalState, "admin", _1, writeConcern)); if (!status.isOK()) return logUpgradeFailed(status); - + // Update the schema version document. status = externalState->updateOne( txn, @@ -818,7 +818,7 @@ namespace { writeConcern); if (!status.isOK()) return logUpgradeFailed(status); - + return Status::OK(); } } //namespace @@ -830,7 +830,7 @@ namespace { if (!status.isOK()) { return status; } - + switch (authzVersion) { case schemaVersion26Final: { Status status = updateCredentials(txn, _externalState.get(), writeConcern); 
diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h index 600a2ef032a..db5b02ad01d 100644 --- a/src/mongo/db/auth/authorization_manager.h +++ b/src/mongo/db/auth/authorization_manager.h @@ -121,13 +121,13 @@ namespace mongo { static const int schemaVersion26Upgrade = 2; /** - * Auth schema version for MongoDB 2.6 and 2.8 MONGODB-CR/SCRAM mixed auth mode. + * Auth schema version for MongoDB 2.6 and 2.8 MONGODB-CR/SCRAM mixed auth mode. * Users are stored in admin.system.users, roles in admin.system.roles. */ static const int schemaVersion26Final = 3; /** - * Auth schema version for MongoDB 2.8 SCRAM only mode. + * Auth schema version for MongoDB 2.8 SCRAM only mode. * Users are stored in admin.system.users, roles in admin.system.roles. * MONGODB-CR credentials have been replaced with SCRAM credentials in the user documents. */ diff --git a/src/mongo/db/auth/native_sasl_authentication_session.cpp b/src/mongo/db/auth/native_sasl_authentication_session.cpp index 96a7ff16c1b..2ca92ac3de1 100644 --- a/src/mongo/db/auth/native_sasl_authentication_session.cpp +++ b/src/mongo/db/auth/native_sasl_authentication_session.cpp @@ -63,11 +63,11 @@ namespace { saslGlobalParams.hostName = getHostNameCached(); if (saslGlobalParams.serviceName.empty()) saslGlobalParams.serviceName = "mongodb"; - + SaslAuthenticationSession::create = createNativeSaslAuthenticationSession; return Status::OK(); } - + // PostSaslCommands is reversely dependent on CyrusSaslCommands having been run MONGO_INITIALIZER_WITH_PREREQUISITES(PostSaslCommands, ("NativeSaslServerCore")) 
@@ -75,14 +75,14 @@ namespace { AuthorizationManager authzManager(new AuthzManagerExternalStateMock()); AuthorizationSession authzSession(new AuthzSessionExternalStateMock(&authzManager)); - + for (size_t i = 0; i < saslGlobalParams.authenticationMechanisms.size(); ++i) { const std::string& mechanism = saslGlobalParams.authenticationMechanisms[i]; if (mechanism == "MONGODB-CR" || mechanism == "MONGODB-X509") { // Not a SASL mechanism; no need to smoke test built-in mechanisms. continue; } - scoped_ptr<SaslAuthenticationSession> + scoped_ptr<SaslAuthenticationSession> session(SaslAuthenticationSession::create(&authzSession, mechanism)); Status status = session->start("test", mechanism, @@ -97,10 +97,10 @@ namespace { return Status::OK(); } } //namespace - + NativeSaslAuthenticationSession::NativeSaslAuthenticationSession( AuthorizationSession* authzSession) : - SaslAuthenticationSession(authzSession), + SaslAuthenticationSession(authzSession), _mechanism("") { } @@ -125,7 +125,7 @@ namespace { _serviceHostname = serviceHostname.toString(); _conversationId = conversationId; _autoAuthorize = autoAuthorize; - + if (mechanism == "PLAIN") { _saslConversation.reset(new SaslPLAINServerConversation(this)); } @@ -134,18 +134,18 @@ namespace { } else { return Status(ErrorCodes::BadValue, - mongoutils::str::stream() << "SASL mechanism " << mechanism << + mongoutils::str::stream() << "SASL mechanism " << mechanism << "is not supported"); } return Status::OK(); } - Status NativeSaslAuthenticationSession::step(const StringData& inputData, + Status NativeSaslAuthenticationSession::step(const StringData& inputData, std::string* outputData) { if (!_saslConversation) { return Status(ErrorCodes::BadValue, - mongoutils::str::stream() << + mongoutils::str::stream() << "The authentication session has not been properly initialized"); } 
diff --git a/src/mongo/db/auth/native_sasl_authentication_session.h b/src/mongo/db/auth/native_sasl_authentication_session.h index eefb124ee7b..60a54f078bd 100644 --- a/src/mongo/db/auth/native_sasl_authentication_session.h +++ b/src/mongo/db/auth/native_sasl_authentication_session.h @@ -39,7 +39,7 @@ #include "mongo/db/auth/sasl_server_conversation.h" namespace mongo { - + /** * Authentication session data for the server side of SASL authentication. */ @@ -60,7 +60,7 @@ namespace mongo { virtual Status step(const StringData& inputData, std::string* outputData); virtual std::string getPrincipalId() const; - + virtual const char* getMechanism() const; private: diff --git a/src/mongo/db/auth/sasl_authentication_session.cpp b/src/mongo/db/auth/sasl_authentication_session.cpp index 4fba45521fb..350b9bf1607 100644 --- a/src/mongo/db/auth/sasl_authentication_session.cpp +++ b/src/mongo/db/auth/sasl_authentication_session.cpp @@ -47,7 +47,7 @@ #include "mongo/util/mongoutils/str.h" namespace mongo { - SaslAuthenticationSession::SaslAuthenticationSessionFactoryFn + SaslAuthenticationSession::SaslAuthenticationSessionFactoryFn SaslAuthenticationSession::create = NULL; // Mechanism name constants. @@ -56,7 +56,7 @@ namespace mongo { const char SaslAuthenticationSession::mechanismSCRAMSHA1[] = "SCRAM-SHA-1"; const char SaslAuthenticationSession::mechanismGSSAPI[] = "GSSAPI"; const char SaslAuthenticationSession::mechanismPLAIN[] = "PLAIN"; - + /** * Standard method in mongodb for determining if "authenticatedUser" may act as "requestedUser." * diff --git a/src/mongo/db/auth/sasl_authentication_session.h b/src/mongo/db/auth/sasl_authentication_session.h index fd608adc801..207d34888d4 100644 --- a/src/mongo/db/auth/sasl_authentication_session.h +++ b/src/mongo/db/auth/sasl_authentication_session.h 
@@ -51,9 +51,9 @@ namespace mongo { MONGO_DISALLOW_COPYING(SaslAuthenticationSession); public: typedef stdx::function<SaslAuthenticationSession* (AuthorizationSession*, - const std::string&)> + const std::string&)> SaslAuthenticationSessionFactoryFn; - static SaslAuthenticationSessionFactoryFn create; + static SaslAuthenticationSessionFactoryFn create; // Mechanism name constants. static const char mechanismCRAMMD5[]; @@ -100,7 +100,7 @@ namespace mongo { /** * Returns the the operation context associated with the currently executing command.
- * Authentication commands must set this on their associated + * Authentication commands must set this on their associated * SaslAuthenticationSession. */ OperationContext* getOpCtxt() const { return _txn; } diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.cpp b/src/mongo/db/auth/sasl_plain_server_conversation.cpp index d9625b96b1e..ce7c167935b 100644 --- a/src/mongo/db/auth/sasl_plain_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_plain_server_conversation.cpp @@ -33,20 +33,20 @@ #include "mongo/util/text.h" namespace mongo { - + SaslPLAINServerConversation::SaslPLAINServerConversation( SaslAuthenticationSession* saslAuthSession) : SaslServerConversation(saslAuthSession) { } SaslPLAINServerConversation::~SaslPLAINServerConversation() {}; - - StatusWith<bool> SaslPLAINServerConversation::step(const StringData& inputData, + + StatusWith<bool> SaslPLAINServerConversation::step(const StringData& inputData, std::string* outputData) { // Expecting user input on the form: user\0user\0pwd std::string input = inputData.toString(); std::string pwd = ""; - + try { _user = input.substr(0, inputData.find('\0')); pwd = input.substr(inputData.find('\0', _user.size()+1)+1); @@ -72,7 +72,7 @@ namespace mongo { releaseUser(userObj); std::string authDigest = createPasswordDigest(_user, pwd); - + if (authDigest != creds.password) { return StatusWith<bool>(ErrorCodes::AuthenticationFailed, mongoutils::str::stream() << "Incorrect user name or password"); @@ -82,5 +82,5 @@ namespace mongo { return StatusWith<bool>(true); } - + } // namespace mongo diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.h b/src/mongo/db/auth/sasl_plain_server_conversation.h index 450ae71cb1e..629983a62e3 100644 --- a/src/mongo/db/auth/sasl_plain_server_conversation.h +++ b/src/mongo/db/auth/sasl_plain_server_conversation.h 
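Review bot: The credential check in the `@@ -72,7` hunk of sasl_plain_server_conversation.cpp compares the computed digest with `creds.password` via `std::string::operator!=`, which stops at the first differing byte and so leaks through timing how much of the digest matched; compare them with a fixed-time routine after checking lengths, e.g. `if (authDigest.size() != creds.password.size() || !constantTimeEqual(authDigest, creds.password)) {`. In the parsing hunk above it, if `StringData::find` mirrors `std::string` and returns npos when there is no NUL, `npos + 1` wraps to 0 and both `_user` and `pwd` silently become the whole input instead of the message being rejected as malformed; an explicit `if (inputData.find('\0') == std::string::npos) return StatusWith<bool>(ErrorCodes::BadValue, "Malformed PLAIN message");` before the `substr` calls would make that case deliberate. Note also that RFC 4616 orders the fields authzid, authcid, passwd, while this code takes the first field as the user and never reads the second; the `catch` handler and the rest of `step()` lie outside these hunks.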
@@ -46,7 +46,7 @@ namespace mongo { * Implements the server side of a SASL PLAIN mechanism session. * **/ - explicit SaslPLAINServerConversation(SaslAuthenticationSession* saslAuthSession); + explicit SaslPLAINServerConversation(SaslAuthenticationSession* saslAuthSession); virtual ~SaslPLAINServerConversation(); diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp index 373093a26fc..304e040846f 100644 --- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp @@ -55,9 +55,9 @@ namespace mongo { _nonce("") { } - StatusWith<bool> SaslSCRAMSHA1ServerConversation::step(const StringData& inputData, + StatusWith<bool> SaslSCRAMSHA1ServerConversation::step(const StringData& inputData, std::string* outputData) { - + std::vector<std::string> input = StringSplitter::split(inputData.toString(), ","); _step++; @@ -76,8 +76,8 @@ namespace mongo { return StatusWith<bool>(true); } - - /* + + /* * RFC 5802 specifies that in SCRAM user names characters ',' and '=' are encoded as * =2C and =3D respectively. */ @@ -86,7 +86,7 @@ namespace mongo { boost::replace_all(user, "=3D", "="); } - /* + /* * Parse client-first-message of the form: * n,a=authzid,n=encoded-username,r=client-nonce * 
@@ -104,45 +104,45 @@ namespace mongo { std::string authzId = ""; if (input.size() == 4) { - /* The second entry a=authzid is optional. If provided it will be + /* The second entry a=authzid is optional. If provided it will be * validated against the encoded username. - * + * * The two allowed input forms are: * n,,n=encoded-username,r=client-nonce * n,a=authzid,n=encoded-username,r=client-nonce */ if (!str::startsWith(input[1], "a=") || input[1].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 authzid: " << input[1]); } authzId = input[1].substr(2); input.erase(input.begin() + 1); } - + if (input.size() != 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect number of arguments for first SCRAM-SHA-1 client message, got " << input.size() << " expected 4"); } else if (input[0] != "n") { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 client message prefix: " << input[0]); } else if (!str::startsWith(input[1], "n=") || input[1].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 user name: " << input[1]); } else if(!str::startsWith(input[2], "r=") || input[2].size() < 6) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 client nonce: " << input[2]); } - + // add client-first-message-bare to _authMessage _authMessage += input[1] + "," + input[2] + ","; _user = input[1].substr(2); if (!authzId.empty() && _user != authzId) { - 
return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "SCRAM-SHA-1 user name " << _user << " does not match authzid " << authzId); } @@ -163,7 +163,7 @@ namespace mongo { _creds = userObj->getCredentials(); _saslAuthSession->getAuthorizationSession()->getAuthorizationManager(). releaseUser(userObj); - + // Generate SCRAM credentials on the fly for mixed MONGODB-CR/SCRAM mode. if (_creds.scram.salt.empty() && !_creds.password.empty()) { BSONObj scramCreds = scram::generateCredentials(_creds.password); @@ -177,21 +177,21 @@ namespace mongo { // Create text-based nonce as base64 encoding of a binary blob of length multiple of 3 const int nonceLenQWords = 3; uint64_t binaryNonce[nonceLenQWords]; - + scoped_ptr<SecureRandom> sr(SecureRandom::create()); binaryNonce[0] = sr->nextInt64(); binaryNonce[1] = sr->nextInt64(); binaryNonce[2] = sr->nextInt64(); - - _nonce = clientNonce + + + _nonce = clientNonce + base64::encode(reinterpret_cast<char*>(binaryNonce), sizeof(binaryNonce)); StringBuilder sb; sb << "r=" << _nonce << - ",s=" << _creds.scram.salt << + ",s=" << _creds.scram.salt << ",i=" << _creds.scram.iterationCount; *outputData = sb.str(); - + // add server-first-message to authMessage _authMessage += *outputData + ","; 
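Review bot: The argument-count error in the `@@ -104,45` hunk reports `expected 4`, but by that line the optional `a=` field has already been erased and the check is `input.size() != 3`, so a client that sends the wrong number of fields is told an expectation the code does not actually enforce; change the message to `" expected 3 (4 with authzid)"`. `_firstStep` starts before this hunk.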
@@ -199,39 +199,39 @@ namespace mongo { #endif // MONGO_SSL } - /** + /** * Parse client-final-message of the form: * c=channel-binding(base64),r=client-nonce|server-nonce,p=ClientProof * * Generate successful authentication server-final-message on the form: - * v=ServerSignature - * + * v=ServerSignature + * * or failed authentication server-final-message on the form: * e=message * * NOTE: we are ignoring the channel binding part of the message **/ - StatusWith<bool> SaslSCRAMSHA1ServerConversation::_secondStep(const std::vector<string>& input, + StatusWith<bool> SaslSCRAMSHA1ServerConversation::_secondStep(const std::vector<string>& input, std::string* outputData) { #ifndef MONGO_SSL - return StatusWith<bool>(ErrorCodes::InternalError, + return StatusWith<bool>(ErrorCodes::InternalError, "The server is not compiled with SSL support"); #else if (input.size() != 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << - "Incorrect number of arguments for second SCRAM-SHA-1 client message, got " << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + "Incorrect number of arguments for second SCRAM-SHA-1 client message, got " << input.size() << " expected 3"); } else if (!str::startsWith(input[0], "c=") || input[0].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 channel binding: " << input[0]); } else if (!str::startsWith(input[1], "r=") || input[1].size() < 6) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 client|server nonce: " << input[1]); } else if(!str::startsWith(input[2], "p=") || input[2].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, 
mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 ClientProof: " << input[2]); } @@ -241,13 +241,13 @@ namespace mongo { // Concatenated nonce sent by client should equal the one in server-first-message std::string nonce = input[1].substr(2); if (nonce != _nonce) { - return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << + return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "Unmatched SCRAM-SHA-1 nonce received from client in second step, expected " << _nonce << " but received " << nonce); } std::string clientProof = input[2].substr(2); - + // Do server side computations, compare storedKeys and generate client-final-message // AuthMessage := client-first-message-bare + "," + // server-first-message + "," + @@ -255,7 +255,7 @@ namespace mongo { // ClientSignature := HMAC(StoredKey, AuthMessage) // ClientKey := ClientSignature XOR ClientProof // ServerSignature := HMAC(ServerKey, AuthMessage) - + unsigned int hashLen = 0; unsigned char clientSignature[scram::hashSize]; @@ -268,7 +268,7 @@ namespace mongo { _authMessage.size(), clientSignature, &hashLen)); - + fassert(18658, hashLen == scram::hashSize); try { @@ -277,7 +277,7 @@ namespace mongo { catch (const DBException& ex) { return StatusWith<bool>(ex.toStatus()); } - const unsigned char *decodedClientProof = + const unsigned char *decodedClientProof = reinterpret_cast<const unsigned char*>(clientProof.c_str()); // ClientKey := ClientSignature XOR ClientProof 
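Review bot: `decodedClientProof` in the `@@ -277,7` hunk aliases the bytes of `clientProof` (presumably base64-decoded in the `try` block whose body is not shown), but nothing visible checks that the decoded proof is exactly `scram::hashSize` bytes before it is XORed with `clientSignature`; if the XOR loop that follows this hunk iterates `scram::hashSize` times, a short `p=` value reads past the end of the string. Add `if (clientProof.size() != scram::hashSize) return StatusWith<bool>(ErrorCodes::BadValue, "Incorrect SCRAM-SHA-1 ClientProof length");` right after the decode and before taking the pointer. `_secondStep` begins in the preceding hunk and continues past this one.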
@@ -287,15 +287,15 @@ namespace mongo { } // StoredKey := H(ClientKey) - unsigned char computedStoredKey[scram::hashSize]; + unsigned char computedStoredKey[scram::hashSize]; fassert(18659, SHA1(clientKey, scram::hashSize, computedStoredKey)); - + if (memcmp(decodedStoredKey.c_str(), computedStoredKey, scram::hashSize) != 0) { return StatusWith<bool>(ErrorCodes::AuthenticationFailed, - mongoutils::str::stream() << + mongoutils::str::stream() << "SCRAM-SHA-1 auhentication failed, storedKey mismatch"); } - + // ServerSignature := HMAC(ServerKey, AuthMessage) unsigned char serverSignature[scram::hashSize]; std::string decodedServerKey = base64::decode(_creds.scram.serverKey); @@ -306,7 +306,7 @@ namespace mongo { _authMessage.size(), serverSignature, &hashLen)); - + fassert(18661, hashLen == scram::hashSize); StringBuilder sb; diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.h b/src/mongo/db/auth/sasl_scramsha1_server_conversation.h index c4767e8cf93..e530da32559 100644 --- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.h +++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.h @@ -65,16 +65,16 @@ namespace mongo { * Parse client-first-message and generate server-first-message **/ StatusWith<bool> _firstStep(std::vector<std::string>& input, std::string* outputData); - - /** + + /** * Parse client-final-message and generate server-final-message - **/ + **/ StatusWith<bool> _secondStep(const std::vector<string>& input, std::string* outputData); - + int _step; std::string _authMessage; User::CredentialData _creds; - + // client and server nonce concatenated std::string _nonce; }; diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp index f4970409bd5..2f284b4fafa 100644 --- a/src/mongo/db/commands/user_management_commands.cpp +++ b/src/mongo/db/commands/user_management_commands.cpp 
@@ -300,7 +300,7 @@ namespace mongo { return Status( ErrorCodes::AuthSchemaIncompatible, str::stream() << "The usersInfo and rolesInfo commands require auth data to " - "have at least schema version " << + "have at least schema version " << AuthorizationManager::schemaVersion26Upgrade << " but found " << foundSchemaVersion); } @@ -379,7 +379,7 @@ namespace mongo { " with '$external' as the user's source db")); } - if ((args.hasHashedPassword) && + if ((args.hasHashedPassword) && args.userName.getDB() == "$external") { return appendCommandStatus( result, @@ -397,7 +397,7 @@ namespace mongo { #ifdef MONGO_SSL if (args.userName.getDB() == "$external" && - getSSLManager() && + getSSLManager() && getSSLManager()->getSSLConfiguration() .serverSubjectName == args.userName.getUser()) { return appendCommandStatus( @@ -407,7 +407,7 @@ namespace mongo { "subjectname as the server")); } #endif - + BSONObjBuilder userObjBuilder; userObjBuilder.append("_id", str::stream() << args.userName.getDB() << "." << @@ -416,19 +416,19 @@ namespace mongo { args.userName.getUser()); userObjBuilder.append(AuthorizationManager::USER_DB_FIELD_NAME, args.userName.getDB()); - if (!args.hasHashedPassword) { + if (!args.hasHashedPassword) { // Must be an external user userObjBuilder.append("credentials", BSON("external" << true)); } - else if (args.mechanism == "SCRAM-SHA-1" || - args.mechanism == "MONGODB-CR" || - args.mechanism == "CRAM-MD5" || + else if (args.mechanism == "SCRAM-SHA-1" || + args.mechanism == "MONGODB-CR" || + args.mechanism == "CRAM-MD5" || args.mechanism.empty()) { - + // At the moment we are ignoring the mechanism parameter and create // both SCRAM-SHA-1 and MONGODB-CR credentials for all new users. BSONObjBuilder credentialsBuilder(userObjBuilder.subobjStart("credentials")); - + AuthorizationManager* authzManager = getGlobalAuthorizationManager(); int authzVersion; Status status = authzManager->getAuthorizationVersion(txn, &authzVersion); 
@@ -451,7 +451,7 @@ namespace mongo { else { return appendCommandStatus( result, - Status(ErrorCodes::BadValue, + Status(ErrorCodes::BadValue, "Unsupported password authentication mechanism " + args.mechanism)); } if (args.hasCustomData) { @@ -605,7 +605,7 @@ namespace mongo { if (args.hasHashedPassword) { // Create both SCRAM-SHA-1 and MONGODB-CR credentials for all new users BSONObjBuilder credentialsBuilder(updateSetBuilder.subobjStart("credentials")); - + AuthorizationManager* authzManager = getGlobalAuthorizationManager(); int authzVersion; Status status = authzManager->getAuthorizationVersion(txn, &authzVersion); |