Diffstat (limited to 'db/security_commands.cpp')
-rw-r--r-- | db/security_commands.cpp | 58 |
1 files changed, 30 insertions, 28 deletions
diff --git a/db/security_commands.cpp b/db/security_commands.cpp index 19ebc55b93f..67605aab77d 100644 --- a/db/security_commands.cpp +++ b/db/security_commands.cpp @@ -22,7 +22,7 @@ #include "pch.h" #include "security.h" #include "../util/md5.hpp" -#include "json.h" +#include "json.h" #include "pdfile.h" #include "db.h" #include "dbhelpers.h" @@ -32,17 +32,17 @@ namespace mongo { -/* authentication + /* authentication - system.users contains - { user : <username>, pwd : <pwd_digest>, ... } + system.users contains + { user : <username>, pwd : <pwd_digest>, ... } - getnonce sends nonce to client + getnonce sends nonce to client - client then sends { authenticate:1, nonce:<nonce_str>, user:<username>, key:<key> } + client then sends { authenticate:1, nonce:<nonce_str>, user:<username>, key:<key> } - where <key> is md5(<nonce_str><username><pwd_digest_str>) as a string -*/ + where <key> is md5(<nonce_str><username><pwd_digest_str>) as a string + */ boost::thread_specific_ptr<nonce> lastNonce; @@ -83,7 +83,7 @@ namespace mongo { return true; } } cmdLogout; - + class CmdAuthenticate : public Command { public: virtual bool requiresAuth() { return false; } @@ -102,16 +102,16 @@ namespace mongo { string user = cmdObj.getStringField("user"); string key = cmdObj.getStringField("key"); string received_nonce = cmdObj.getStringField("nonce"); - - if( user.empty() || key.empty() || received_nonce.empty() ) { - log() << "field missing/wrong type in received authenticate command " - << dbname - << endl; + + if( user.empty() || key.empty() || received_nonce.empty() ) { + log() << "field missing/wrong type in received authenticate command " + << dbname + << endl; errmsg = "auth fails"; sleepmillis(10); return false; } - + stringstream digestBuilder; { 
@@ -120,12 +120,13 @@ namespace mongo {
 if ( ln == 0 ) {
 reject = true;
 log(1) << "auth: no lastNonce" << endl;
- } else {
+ }
+ else {
 digestBuilder << hex << *ln;
 reject = digestBuilder.str() != received_nonce;
 if ( reject ) log(1) << "auth: different lastNonce" << endl;
 }
-
+
 if ( reject ) {
 log() << "auth: bad nonce received or getnonce not called. could be a driver bug or a security attack. db:" << cc().database()->name << endl;
 errmsg = "auth fails";
@@ -133,7 +134,7 @@ namespace mongo {
 return false;
 }
 }
-
+
 BSONObj userObj;
 string pwd;
 
@@ -143,12 +144,12 @@ namespace mongo {
 else {
 static BSONObj userPattern = fromjson("{\"user\":1}");
 string systemUsers = dbname + ".system.users";
- OCCASIONALLY Helpers::ensureIndex(systemUsers.c_str(), userPattern, false, "user_1");
+ OCCASIONALLY Helpers::ensureIndex(systemUsers.c_str(), userPattern, false, "user_1");
 {
 BSONObjBuilder b;
 b << "user" << user;
 BSONObj query = b.done();
- if( !Helpers::findOne(systemUsers.c_str(), query, userObj) ) {
+ if( !Helpers::findOne(systemUsers.c_str(), query, userObj) ) {
 log() << "auth: couldn't find user " << user << ", " << systemUsers << endl;
 errmsg = "auth fails";
 return false;
@@ -158,35 +159,36 @@ namespace mongo { pwd = userObj.getStringField("pwd"); } - + md5digest d; { digestBuilder << user << pwd; string done = digestBuilder.str(); - + md5_state_t st; md5_init(&st); md5_append(&st, (const md5_byte_t *) done.c_str(), done.size()); md5_finish(&st, d); } - + string computed = digestToString( d ); - - if ( key != computed ){ + + if ( key != computed ) { log() << "auth: key mismatch " << user << ", ns:" << dbname << endl; errmsg = "auth fails"; return false; } AuthenticationInfo *ai = cc().getAuthenticationInfo(); - + if ( userObj[ "readOnly" ].isBoolean() && userObj[ "readOnly" ].boolean() ) { ai->authorizeReadOnly( cc().database()->name.c_str() ); - } else { + } + else { ai->authorize( cc().database()->name.c_str() ); } return true; } } cmdAuthenticate; - + } // namespace mongo |