Diffstat (limited to 'src/mongo/db/auth/privilege_parser.cpp')
-rw-r--r--src/mongo/db/auth/privilege_parser.cpp705
1 files changed, 357 insertions, 348 deletions
diff --git a/src/mongo/db/auth/privilege_parser.cpp b/src/mongo/db/auth/privilege_parser.cpp
index f1b4777a74c..140fbde2d7f 100644
--- a/src/mongo/db/auth/privilege_parser.cpp
+++ b/src/mongo/db/auth/privilege_parser.cpp
@@ -37,420 +37,429 @@
namespace mongo {
- using std::string;
- using std::vector;
+using std::string;
+using std::vector;
- using mongoutils::str::stream;
+using mongoutils::str::stream;
- const BSONField<bool> ParsedResource::anyResource("anyResource");
- const BSONField<bool> ParsedResource::cluster("cluster");
- const BSONField<string> ParsedResource::db("db");
- const BSONField<string> ParsedResource::collection("collection");
+const BSONField<bool> ParsedResource::anyResource("anyResource");
+const BSONField<bool> ParsedResource::cluster("cluster");
+const BSONField<string> ParsedResource::db("db");
+const BSONField<string> ParsedResource::collection("collection");
- ParsedResource::ParsedResource() {
- clear();
- }
-
- ParsedResource::~ParsedResource() {
- }
-
- bool ParsedResource::isValid(std::string* errMsg) const {
- std::string dummy;
- if (errMsg == NULL) {
- errMsg = &dummy;
- }
+ParsedResource::ParsedResource() {
+ clear();
+}
- int numCandidateTypes = 0;
- if (isAnyResourceSet()) ++numCandidateTypes;
- if (isClusterSet()) ++numCandidateTypes;
- if (isDbSet() || isCollectionSet()) ++numCandidateTypes;
+ParsedResource::~ParsedResource() {}
- if (isDbSet() != isCollectionSet()) {
- *errMsg = stream() << "resource must set both " << db.name() << " and " <<
- collection.name() << " or neither, but not exactly one.";
- return false;
- }
- if (numCandidateTypes != 1) {
- *errMsg = stream() << "resource must have exactly " << db.name() << " and " <<
- collection.name() << " set, or have only " << cluster.name() << " set " <<
- " or have only " << anyResource.name() << " set";
- return false;
- }
- if (isAnyResourceSet() && !getAnyResource()) {
- *errMsg = stream() << anyResource.name() << " must be true when specified";
- return false;
- }
- if (isClusterSet() && !getCluster()) {
- *errMsg = stream() << cluster.name() << " must be true when specified";
- return false;
- }
- if (isDbSet() && (!NamespaceString::validDBName(getDb()) && !getDb().empty())) {
- *errMsg = stream() << getDb() << " is not a valid database name";
- return false;
- }
- if (isCollectionSet() && (!NamespaceString::validCollectionName(getCollection()) &&
- !getCollection().empty())) {
- *errMsg = stream() << getCollection() << " is not a valid collection name";
- return false;
- }
- return true;
+bool ParsedResource::isValid(std::string* errMsg) const {
+ std::string dummy;
+ if (errMsg == NULL) {
+ errMsg = &dummy;
}
- BSONObj ParsedResource::toBSON() const {
- BSONObjBuilder builder;
-
- if (_isAnyResourceSet) builder.append(anyResource(), _anyResource);
-
- if (_isClusterSet) builder.append(cluster(), _cluster);
-
- if (_isDbSet) builder.append(db(), _db);
-
- if (_isCollectionSet) builder.append(collection(), _collection);
+ int numCandidateTypes = 0;
+ if (isAnyResourceSet())
+ ++numCandidateTypes;
+ if (isClusterSet())
+ ++numCandidateTypes;
+ if (isDbSet() || isCollectionSet())
+ ++numCandidateTypes;
- return builder.obj();
+ if (isDbSet() != isCollectionSet()) {
+ *errMsg = stream() << "resource must set both " << db.name() << " and " << collection.name()
+ << " or neither, but not exactly one.";
+ return false;
}
-
- bool ParsedResource::parseBSON(const BSONObj& source, string* errMsg) {
- clear();
-
- std::string dummy;
- if (!errMsg) errMsg = &dummy;
-
- FieldParser::FieldState fieldState;
- fieldState = FieldParser::extract(source, anyResource, &_anyResource, errMsg);
- if (fieldState == FieldParser::FIELD_INVALID) return false;
- _isAnyResourceSet = fieldState == FieldParser::FIELD_SET;
-
- fieldState = FieldParser::extract(source, cluster, &_cluster, errMsg);
- if (fieldState == FieldParser::FIELD_INVALID) return false;
- _isClusterSet = fieldState == FieldParser::FIELD_SET;
-
- fieldState = FieldParser::extract(source, db, &_db, errMsg);
- if (fieldState == FieldParser::FIELD_INVALID) return false;
- _isDbSet = fieldState == FieldParser::FIELD_SET;
-
- fieldState = FieldParser::extract(source, collection, &_collection, errMsg);
- if (fieldState == FieldParser::FIELD_INVALID) return false;
- _isCollectionSet = fieldState == FieldParser::FIELD_SET;
-
- return true;
+ if (numCandidateTypes != 1) {
+ *errMsg = stream() << "resource must have exactly " << db.name() << " and "
+ << collection.name() << " set, or have only " << cluster.name()
+ << " set "
+ << " or have only " << anyResource.name() << " set";
+ return false;
}
-
- void ParsedResource::clear() {
- _anyResource = false;
- _isAnyResourceSet = false;
-
- _cluster = false;
- _isClusterSet = false;
-
- _db.clear();
- _isDbSet = false;
-
- _collection.clear();
- _isCollectionSet = false;
-
+ if (isAnyResourceSet() && !getAnyResource()) {
+ *errMsg = stream() << anyResource.name() << " must be true when specified";
+ return false;
}
-
- void ParsedResource::cloneTo(ParsedResource* other) const {
- other->clear();
-
- other->_anyResource = _anyResource;
- other->_isAnyResourceSet = _isAnyResourceSet;
-
- other->_cluster = _cluster;
- other->_isClusterSet = _isClusterSet;
-
- other->_db = _db;
- other->_isDbSet = _isDbSet;
-
- other->_collection = _collection;
- other->_isCollectionSet = _isCollectionSet;
+ if (isClusterSet() && !getCluster()) {
+ *errMsg = stream() << cluster.name() << " must be true when specified";
+ return false;
}
-
- std::string ParsedResource::toString() const {
- return toBSON().toString();
+ if (isDbSet() && (!NamespaceString::validDBName(getDb()) && !getDb().empty())) {
+ *errMsg = stream() << getDb() << " is not a valid database name";
+ return false;
}
-
- void ParsedResource::setAnyResource(bool anyResource) {
- _anyResource = anyResource;
- _isAnyResourceSet = true;
+ if (isCollectionSet() &&
+ (!NamespaceString::validCollectionName(getCollection()) && !getCollection().empty())) {
+ *errMsg = stream() << getCollection() << " is not a valid collection name";
+ return false;
}
+ return true;
+}
- void ParsedResource::unsetAnyResource() {
- _isAnyResourceSet = false;
- }
+BSONObj ParsedResource::toBSON() const {
+ BSONObjBuilder builder;
- bool ParsedResource::isAnyResourceSet() const {
- return _isAnyResourceSet;
- }
+ if (_isAnyResourceSet)
+ builder.append(anyResource(), _anyResource);
- bool ParsedResource::getAnyResource() const {
- dassert(_isAnyResourceSet);
- return _anyResource;
- }
-
- void ParsedResource::setCluster(bool cluster) {
- _cluster = cluster;
- _isClusterSet = true;
- }
+ if (_isClusterSet)
+ builder.append(cluster(), _cluster);
- void ParsedResource::unsetCluster() {
- _isClusterSet = false;
- }
+ if (_isDbSet)
+ builder.append(db(), _db);
- bool ParsedResource::isClusterSet() const {
- return _isClusterSet;
- }
+ if (_isCollectionSet)
+ builder.append(collection(), _collection);
- bool ParsedResource::getCluster() const {
- dassert(_isClusterSet);
- return _cluster;
- }
+ return builder.obj();
+}
- void ParsedResource::setDb(StringData db) {
- _db = db.toString();
- _isDbSet = true;
- }
+bool ParsedResource::parseBSON(const BSONObj& source, string* errMsg) {
+ clear();
- void ParsedResource::unsetDb() {
- _isDbSet = false;
- }
+ std::string dummy;
+ if (!errMsg)
+ errMsg = &dummy;
- bool ParsedResource::isDbSet() const {
- return _isDbSet;
- }
+ FieldParser::FieldState fieldState;
+ fieldState = FieldParser::extract(source, anyResource, &_anyResource, errMsg);
+ if (fieldState == FieldParser::FIELD_INVALID)
+ return false;
+ _isAnyResourceSet = fieldState == FieldParser::FIELD_SET;
- const std::string& ParsedResource::getDb() const {
- dassert(_isDbSet);
- return _db;
- }
+ fieldState = FieldParser::extract(source, cluster, &_cluster, errMsg);
+ if (fieldState == FieldParser::FIELD_INVALID)
+ return false;
+ _isClusterSet = fieldState == FieldParser::FIELD_SET;
- void ParsedResource::setCollection(StringData collection) {
- _collection = collection.toString();
- _isCollectionSet = true;
- }
+ fieldState = FieldParser::extract(source, db, &_db, errMsg);
+ if (fieldState == FieldParser::FIELD_INVALID)
+ return false;
+ _isDbSet = fieldState == FieldParser::FIELD_SET;
- void ParsedResource::unsetCollection() {
- _isCollectionSet = false;
- }
+ fieldState = FieldParser::extract(source, collection, &_collection, errMsg);
+ if (fieldState == FieldParser::FIELD_INVALID)
+ return false;
+ _isCollectionSet = fieldState == FieldParser::FIELD_SET;
- bool ParsedResource::isCollectionSet() const {
- return _isCollectionSet;
- }
+ return true;
+}
+
+void ParsedResource::clear() {
+ _anyResource = false;
+ _isAnyResourceSet = false;
+
+ _cluster = false;
+ _isClusterSet = false;
+
+ _db.clear();
+ _isDbSet = false;
- const std::string& ParsedResource::getCollection() const {
- dassert(_isCollectionSet);
- return _collection;
- }
+ _collection.clear();
+ _isCollectionSet = false;
+}
+
+void ParsedResource::cloneTo(ParsedResource* other) const {
+ other->clear();
- const BSONField<std::vector<string> > ParsedPrivilege::actions("actions");
- const BSONField<ParsedResource> ParsedPrivilege::resource("resource");
+ other->_anyResource = _anyResource;
+ other->_isAnyResourceSet = _isAnyResourceSet;
- ParsedPrivilege::ParsedPrivilege() {
- clear();
- }
+ other->_cluster = _cluster;
+ other->_isClusterSet = _isClusterSet;
- ParsedPrivilege::~ParsedPrivilege() {
- }
+ other->_db = _db;
+ other->_isDbSet = _isDbSet;
- bool ParsedPrivilege::isValid(std::string* errMsg) const {
- std::string dummy;
- if (errMsg == NULL) {
- errMsg = &dummy;
- }
+ other->_collection = _collection;
+ other->_isCollectionSet = _isCollectionSet;
+}
- // All the mandatory fields must be present.
- if (!_isActionsSet || !_actions.size()) {
- *errMsg = stream() << "missing " << actions.name() << " field";
- return false;
- }
+std::string ParsedResource::toString() const {
+ return toBSON().toString();
+}
- if (!_isResourceSet) {
- *errMsg = stream() << "missing " << resource.name() << " field";
- return false;
- }
+void ParsedResource::setAnyResource(bool anyResource) {
+ _anyResource = anyResource;
+ _isAnyResourceSet = true;
+}
- return getResource().isValid(errMsg);
- }
+void ParsedResource::unsetAnyResource() {
+ _isAnyResourceSet = false;
+}
- BSONObj ParsedPrivilege::toBSON() const {
- BSONObjBuilder builder;
+bool ParsedResource::isAnyResourceSet() const {
+ return _isAnyResourceSet;
+}
- if (_isResourceSet) builder.append(resource(), _resource.toBSON());
+bool ParsedResource::getAnyResource() const {
+ dassert(_isAnyResourceSet);
+ return _anyResource;
+}
- if (_isActionsSet) {
- BSONArrayBuilder actionsBuilder(builder.subarrayStart(actions()));
- for (std::vector<string>::const_iterator it = _actions.begin();
- it != _actions.end();
- ++it) {
- actionsBuilder.append(*it);
- }
- actionsBuilder.doneFast();
- }
+void ParsedResource::setCluster(bool cluster) {
+ _cluster = cluster;
+ _isClusterSet = true;
+}
- return builder.obj().getOwned();
- }
+void ParsedResource::unsetCluster() {
+ _isClusterSet = false;
+}
- bool ParsedPrivilege::parseBSON(const BSONObj& source, string* errMsg) {
- clear();
+bool ParsedResource::isClusterSet() const {
+ return _isClusterSet;
+}
- std::string dummy;
- if (!errMsg) errMsg = &dummy;
+bool ParsedResource::getCluster() const {
+ dassert(_isClusterSet);
+ return _cluster;
+}
- FieldParser::FieldState fieldState;
- fieldState = FieldParser::extract(source, actions, &_actions, errMsg);
- if (fieldState == FieldParser::FIELD_INVALID) return false;
- _isActionsSet = fieldState == FieldParser::FIELD_SET;
+void ParsedResource::setDb(StringData db) {
+ _db = db.toString();
+ _isDbSet = true;
+}
- fieldState = FieldParser::extract(source, resource, &_resource, errMsg);
- if (fieldState == FieldParser::FIELD_INVALID) return false;
- _isResourceSet = fieldState == FieldParser::FIELD_SET;
+void ParsedResource::unsetDb() {
+ _isDbSet = false;
+}
- return true;
- }
+bool ParsedResource::isDbSet() const {
+ return _isDbSet;
+}
- void ParsedPrivilege::clear() {
- _actions.clear();
- _isActionsSet = false;
- _resource.clear();
- _isResourceSet = false;
+const std::string& ParsedResource::getDb() const {
+ dassert(_isDbSet);
+ return _db;
+}
- }
+void ParsedResource::setCollection(StringData collection) {
+ _collection = collection.toString();
+ _isCollectionSet = true;
+}
- std::string ParsedPrivilege::toString() const {
- return toBSON().toString();
- }
+void ParsedResource::unsetCollection() {
+ _isCollectionSet = false;
+}
- void ParsedPrivilege::setActions(const std::vector<string>& actions) {
- for (std::vector<string>::const_iterator it = actions.begin();
- it != actions.end();
- ++it) {
- addToActions((*it));
- }
- _isActionsSet = actions.size() > 0;
- }
+bool ParsedResource::isCollectionSet() const {
+ return _isCollectionSet;
+}
- void ParsedPrivilege::addToActions(const string& actions) {
- _actions.push_back(actions);
- _isActionsSet = true;
- }
+const std::string& ParsedResource::getCollection() const {
+ dassert(_isCollectionSet);
+ return _collection;
+}
- void ParsedPrivilege::unsetActions() {
- _actions.clear();
- _isActionsSet = false;
- }
+const BSONField<std::vector<string>> ParsedPrivilege::actions("actions");
+const BSONField<ParsedResource> ParsedPrivilege::resource("resource");
- bool ParsedPrivilege::isActionsSet() const {
- return _isActionsSet;
- }
+ParsedPrivilege::ParsedPrivilege() {
+ clear();
+}
- size_t ParsedPrivilege::sizeActions() const {
- return _actions.size();
- }
+ParsedPrivilege::~ParsedPrivilege() {}
- const std::vector<string>& ParsedPrivilege::getActions() const {
- dassert(_isActionsSet);
- return _actions;
+bool ParsedPrivilege::isValid(std::string* errMsg) const {
+ std::string dummy;
+ if (errMsg == NULL) {
+ errMsg = &dummy;
}
- const string& ParsedPrivilege::getActionsAt(size_t pos) const {
- dassert(_isActionsSet);
- dassert(_actions.size() > pos);
- return _actions.at(pos);
+ // All the mandatory fields must be present.
+ if (!_isActionsSet || !_actions.size()) {
+ *errMsg = stream() << "missing " << actions.name() << " field";
+ return false;
}
- void ParsedPrivilege::setResource(const ParsedResource& resource) {
- resource.cloneTo(&_resource);
- _isResourceSet = true;
+ if (!_isResourceSet) {
+ *errMsg = stream() << "missing " << resource.name() << " field";
+ return false;
}
- void ParsedPrivilege::unsetResource() {
- _isResourceSet = false;
- }
+ return getResource().isValid(errMsg);
+}
- bool ParsedPrivilege::isResourceSet() const {
- return _isResourceSet;
- }
+BSONObj ParsedPrivilege::toBSON() const {
+ BSONObjBuilder builder;
- const ParsedResource& ParsedPrivilege::getResource() const {
- dassert(_isResourceSet);
- return _resource;
- }
-
- bool ParsedPrivilege::parsedPrivilegeToPrivilege(const ParsedPrivilege& parsedPrivilege,
- Privilege* result,
- std::string* errmsg) {
- if (!parsedPrivilege.isValid(errmsg)) {
- return false;
- }
+ if (_isResourceSet)
+ builder.append(resource(), _resource.toBSON());
- // Build actions
- ActionSet actions;
- const vector<std::string>& parsedActions = parsedPrivilege.getActions();
- Status status = ActionSet::parseActionSetFromStringVector(parsedActions, &actions);
- if (!status.isOK()) {
- *errmsg = status.reason();
- return false;
+ if (_isActionsSet) {
+ BSONArrayBuilder actionsBuilder(builder.subarrayStart(actions()));
+ for (std::vector<string>::const_iterator it = _actions.begin(); it != _actions.end();
+ ++it) {
+ actionsBuilder.append(*it);
}
-
- // Build resource
- ResourcePattern resource;
- const ParsedResource& parsedResource = parsedPrivilege.getResource();
- if (parsedResource.isAnyResourceSet() && parsedResource.getAnyResource()) {
- resource = ResourcePattern::forAnyResource();
- } else if (parsedResource.isClusterSet() && parsedResource.getCluster()) {
- resource = ResourcePattern::forClusterResource();
+ actionsBuilder.doneFast();
+ }
+
+ return builder.obj().getOwned();
+}
+
+bool ParsedPrivilege::parseBSON(const BSONObj& source, string* errMsg) {
+ clear();
+
+ std::string dummy;
+ if (!errMsg)
+ errMsg = &dummy;
+
+ FieldParser::FieldState fieldState;
+ fieldState = FieldParser::extract(source, actions, &_actions, errMsg);
+ if (fieldState == FieldParser::FIELD_INVALID)
+ return false;
+ _isActionsSet = fieldState == FieldParser::FIELD_SET;
+
+ fieldState = FieldParser::extract(source, resource, &_resource, errMsg);
+ if (fieldState == FieldParser::FIELD_INVALID)
+ return false;
+ _isResourceSet = fieldState == FieldParser::FIELD_SET;
+
+ return true;
+}
+
+void ParsedPrivilege::clear() {
+ _actions.clear();
+ _isActionsSet = false;
+ _resource.clear();
+ _isResourceSet = false;
+}
+
+std::string ParsedPrivilege::toString() const {
+ return toBSON().toString();
+}
+
+void ParsedPrivilege::setActions(const std::vector<string>& actions) {
+ for (std::vector<string>::const_iterator it = actions.begin(); it != actions.end(); ++it) {
+ addToActions((*it));
+ }
+ _isActionsSet = actions.size() > 0;
+}
+
+void ParsedPrivilege::addToActions(const string& actions) {
+ _actions.push_back(actions);
+ _isActionsSet = true;
+}
+
+void ParsedPrivilege::unsetActions() {
+ _actions.clear();
+ _isActionsSet = false;
+}
+
+bool ParsedPrivilege::isActionsSet() const {
+ return _isActionsSet;
+}
+
+size_t ParsedPrivilege::sizeActions() const {
+ return _actions.size();
+}
+
+const std::vector<string>& ParsedPrivilege::getActions() const {
+ dassert(_isActionsSet);
+ return _actions;
+}
+
+const string& ParsedPrivilege::getActionsAt(size_t pos) const {
+ dassert(_isActionsSet);
+ dassert(_actions.size() > pos);
+ return _actions.at(pos);
+}
+
+void ParsedPrivilege::setResource(const ParsedResource& resource) {
+ resource.cloneTo(&_resource);
+ _isResourceSet = true;
+}
+
+void ParsedPrivilege::unsetResource() {
+ _isResourceSet = false;
+}
+
+bool ParsedPrivilege::isResourceSet() const {
+ return _isResourceSet;
+}
+
+const ParsedResource& ParsedPrivilege::getResource() const {
+ dassert(_isResourceSet);
+ return _resource;
+}
+
+bool ParsedPrivilege::parsedPrivilegeToPrivilege(const ParsedPrivilege& parsedPrivilege,
+ Privilege* result,
+ std::string* errmsg) {
+ if (!parsedPrivilege.isValid(errmsg)) {
+ return false;
+ }
+
+ // Build actions
+ ActionSet actions;
+ const vector<std::string>& parsedActions = parsedPrivilege.getActions();
+ Status status = ActionSet::parseActionSetFromStringVector(parsedActions, &actions);
+ if (!status.isOK()) {
+ *errmsg = status.reason();
+ return false;
+ }
+
+ // Build resource
+ ResourcePattern resource;
+ const ParsedResource& parsedResource = parsedPrivilege.getResource();
+ if (parsedResource.isAnyResourceSet() && parsedResource.getAnyResource()) {
+ resource = ResourcePattern::forAnyResource();
+ } else if (parsedResource.isClusterSet() && parsedResource.getCluster()) {
+ resource = ResourcePattern::forClusterResource();
+ } else {
+ if (parsedResource.isDbSet() && !parsedResource.getDb().empty()) {
+ if (parsedResource.isCollectionSet() && !parsedResource.getCollection().empty()) {
+ resource = ResourcePattern::forExactNamespace(
+ NamespaceString(parsedResource.getDb(), parsedResource.getCollection()));
+ } else {
+ resource = ResourcePattern::forDatabaseName(parsedResource.getDb());
+ }
} else {
- if (parsedResource.isDbSet() && !parsedResource.getDb().empty()) {
- if (parsedResource.isCollectionSet() && !parsedResource.getCollection().empty()) {
- resource = ResourcePattern::forExactNamespace(
- NamespaceString(parsedResource.getDb(),
- parsedResource.getCollection()));
- } else {
- resource = ResourcePattern::forDatabaseName(parsedResource.getDb());
- }
+ if (parsedResource.isCollectionSet() && !parsedResource.getCollection().empty()) {
+ resource = ResourcePattern::forCollectionName(parsedResource.getCollection());
} else {
- if (parsedResource.isCollectionSet() && !parsedResource.getCollection().empty()) {
- resource = ResourcePattern::forCollectionName(parsedResource.getCollection());
- } else {
- resource = ResourcePattern::forAnyNormalResource();
- }
+ resource = ResourcePattern::forAnyNormalResource();
}
}
-
- *result = Privilege(resource, actions);
- return true;
}
- bool ParsedPrivilege::privilegeToParsedPrivilege(const Privilege& privilege,
- ParsedPrivilege* result,
- std::string* errmsg) {
- ParsedResource parsedResource;
- if (privilege.getResourcePattern().isExactNamespacePattern()) {
- parsedResource.setDb(privilege.getResourcePattern().databaseToMatch());
- parsedResource.setCollection(privilege.getResourcePattern().collectionToMatch());
- } else if (privilege.getResourcePattern().isDatabasePattern()) {
- parsedResource.setDb(privilege.getResourcePattern().databaseToMatch());
- parsedResource.setCollection("");
- } else if (privilege.getResourcePattern().isCollectionPattern()) {
- parsedResource.setDb("");
- parsedResource.setCollection(privilege.getResourcePattern().collectionToMatch());
- } else if (privilege.getResourcePattern().isAnyNormalResourcePattern()) {
- parsedResource.setDb("");
- parsedResource.setCollection("");
- } else if (privilege.getResourcePattern().isClusterResourcePattern()) {
- parsedResource.setCluster(true);
- } else if (privilege.getResourcePattern().isAnyResourcePattern()) {
- parsedResource.setAnyResource(true);
- } else {
- *errmsg = stream() << privilege.getResourcePattern().toString() <<
- " is not a valid user-grantable resource pattern";
- return false;
- }
-
- result->clear();
- result->setResource(parsedResource);
- result->setActions(privilege.getActions().getActionsAsStrings());
- return result->isValid(errmsg);
- }
-} // namespace mongo
+ *result = Privilege(resource, actions);
+ return true;
+}
+
+bool ParsedPrivilege::privilegeToParsedPrivilege(const Privilege& privilege,
+ ParsedPrivilege* result,
+ std::string* errmsg) {
+ ParsedResource parsedResource;
+ if (privilege.getResourcePattern().isExactNamespacePattern()) {
+ parsedResource.setDb(privilege.getResourcePattern().databaseToMatch());
+ parsedResource.setCollection(privilege.getResourcePattern().collectionToMatch());
+ } else if (privilege.getResourcePattern().isDatabasePattern()) {
+ parsedResource.setDb(privilege.getResourcePattern().databaseToMatch());
+ parsedResource.setCollection("");
+ } else if (privilege.getResourcePattern().isCollectionPattern()) {
+ parsedResource.setDb("");
+ parsedResource.setCollection(privilege.getResourcePattern().collectionToMatch());
+ } else if (privilege.getResourcePattern().isAnyNormalResourcePattern()) {
+ parsedResource.setDb("");
+ parsedResource.setCollection("");
+ } else if (privilege.getResourcePattern().isClusterResourcePattern()) {
+ parsedResource.setCluster(true);
+ } else if (privilege.getResourcePattern().isAnyResourcePattern()) {
+ parsedResource.setAnyResource(true);
+ } else {
+ *errmsg = stream() << privilege.getResourcePattern().toString()
+ << " is not a valid user-grantable resource pattern";
+ return false;
+ }
+
+ result->clear();
+ result->setResource(parsedResource);
+ result->setActions(privilege.getActions().getActionsAsStrings());
+ return result->isValid(errmsg);
+}
+} // namespace mongo
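Review bot: `ParsedPrivilege::parsedPrivilegeToPrivilege` and `privilegeToParsedPrivilege` write through `errmsg` unguarded (`*errmsg = status.reason();` and the `*errmsg = stream() << ...` in the final `else`), whereas `isValid` and `parseBSON` in the same file substitute a local `dummy` when the pointer is null. A caller passing a null `errmsg` would get past `isValid(errmsg)` and then crash on an unrecognised action name or a non-grantable resource pattern, which is a poor failure mode for code that parses privilege documents. Adding `std::string dummy; if (!errmsg) errmsg = &dummy;` at the top of both functions would make the contract match; callers are not visible here, so whether any of them passes null is unconfirmed. A short comment on `ParsedResource::isValid` stating that empty `db`/`collection` strings are deliberately accepted (they select `forDatabaseName`, `forCollectionName` or `forAnyNormalResource` in `parsedPrivilegeToPrivilege`) would also help anyone auditing this access-control path.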