Diffstat (limited to 'src/mongo/db/auth/authz_session_external_state_server_common.cpp')
-rw-r--r--src/mongo/db/auth/authz_session_external_state_server_common.cpp75
1 files changed, 37 insertions, 38 deletions
diff --git a/src/mongo/db/auth/authz_session_external_state_server_common.cpp b/src/mongo/db/auth/authz_session_external_state_server_common.cpp
index 453980e19f7..a85ab1c5ac2 100644
--- a/src/mongo/db/auth/authz_session_external_state_server_common.cpp
+++ b/src/mongo/db/auth/authz_session_external_state_server_common.cpp
@@ -42,50 +42,49 @@
namespace mongo {
namespace {
- MONGO_EXPORT_STARTUP_SERVER_PARAMETER(enableLocalhostAuthBypass, bool, true);
-} // namespace
+MONGO_EXPORT_STARTUP_SERVER_PARAMETER(enableLocalhostAuthBypass, bool, true);
+} // namespace
- // NOTE: we default _allowLocalhost to true under the assumption that _checkShouldAllowLocalhost
- // will always be called before any calls to shouldAllowLocalhost. If this is not the case,
- // it could cause a security hole.
- AuthzSessionExternalStateServerCommon::AuthzSessionExternalStateServerCommon(
- AuthorizationManager* authzManager) :
- AuthzSessionExternalState(authzManager),
- _allowLocalhost(enableLocalhostAuthBypass) {}
- AuthzSessionExternalStateServerCommon::~AuthzSessionExternalStateServerCommon() {}
+// NOTE: we default _allowLocalhost to true under the assumption that _checkShouldAllowLocalhost
+// will always be called before any calls to shouldAllowLocalhost. If this is not the case,
+// it could cause a security hole.
+AuthzSessionExternalStateServerCommon::AuthzSessionExternalStateServerCommon(
+ AuthorizationManager* authzManager)
+ : AuthzSessionExternalState(authzManager), _allowLocalhost(enableLocalhostAuthBypass) {}
+AuthzSessionExternalStateServerCommon::~AuthzSessionExternalStateServerCommon() {}
- void AuthzSessionExternalStateServerCommon::_checkShouldAllowLocalhost(OperationContext* txn) {
- if (!_authzManager->isAuthEnabled())
- return;
- // If we know that an admin user exists, don't re-check.
- if (!_allowLocalhost)
- return;
- // Don't bother checking if we're not on a localhost connection
- if (!ClientBasic::getCurrent()->getIsLocalHostConnection()) {
- _allowLocalhost = false;
- return;
- }
+void AuthzSessionExternalStateServerCommon::_checkShouldAllowLocalhost(OperationContext* txn) {
+ if (!_authzManager->isAuthEnabled())
+ return;
+ // If we know that an admin user exists, don't re-check.
+ if (!_allowLocalhost)
+ return;
+ // Don't bother checking if we're not on a localhost connection
+ if (!ClientBasic::getCurrent()->getIsLocalHostConnection()) {
+ _allowLocalhost = false;
+ return;
+ }
- _allowLocalhost = !_authzManager->hasAnyPrivilegeDocuments(txn);
- if (_allowLocalhost) {
- ONCE {
- log() << "note: no users configured in admin.system.users, allowing localhost "
- "access" << std::endl;
- }
+ _allowLocalhost = !_authzManager->hasAnyPrivilegeDocuments(txn);
+ if (_allowLocalhost) {
+ ONCE {
+ log() << "note: no users configured in admin.system.users, allowing localhost "
+ "access" << std::endl;
}
}
+}
- bool AuthzSessionExternalStateServerCommon::serverIsArbiter() const {
- return false;
- }
+bool AuthzSessionExternalStateServerCommon::serverIsArbiter() const {
+ return false;
+}
- bool AuthzSessionExternalStateServerCommon::shouldAllowLocalhost() const {
- ClientBasic* client = ClientBasic::getCurrent();
- return _allowLocalhost && client->getIsLocalHostConnection();
- }
+bool AuthzSessionExternalStateServerCommon::shouldAllowLocalhost() const {
+ ClientBasic* client = ClientBasic::getCurrent();
+ return _allowLocalhost && client->getIsLocalHostConnection();
+}
- bool AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks() const {
- return !_authzManager->isAuthEnabled();
- }
+bool AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks() const {
+ return !_authzManager->isAuthEnabled();
+}
-} // namespace mongo
+} // namespace mongo