Diffstat (limited to 'src/mongo/db/auth/security_key.cpp')
-rw-r--r-- | src/mongo/db/auth/security_key.cpp | 156 |
1 files changed, 78 insertions, 78 deletions
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index 8edbc6ef140..d7d7c96410e 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -51,97 +51,97 @@ namespace mongo { - using std::endl; - using std::string; +using std::endl; +using std::string; - bool setUpSecurityKey(const string& filename) { - struct stat stats; +bool setUpSecurityKey(const string& filename) { + struct stat stats; - // check obvious file errors - if (stat(filename.c_str(), &stats) == -1) { - log() << "error getting file " << filename << ": " << strerror(errno) << endl; - return false; - } + // check obvious file errors + if (stat(filename.c_str(), &stats) == -1) { + log() << "error getting file " << filename << ": " << strerror(errno) << endl; + return false; + } #if !defined(_WIN32) - // check permissions: must be X00, where X is >= 4 - if ((stats.st_mode & (S_IRWXG|S_IRWXO)) != 0) { - log() << "permissions on " << filename << " are too open" << endl; - return false; - } + // check permissions: must be X00, where X is >= 4 + if ((stats.st_mode & (S_IRWXG | S_IRWXO)) != 0) { + log() << "permissions on " << filename << " are too open" << endl; + return false; + } #endif - FILE* file = fopen( filename.c_str(), "rb" ); - if (!file) { - log() << "error opening file: " << filename << ": " << strerror(errno) << endl; + FILE* file = fopen(filename.c_str(), "rb"); + if (!file) { + log() << "error opening file: " << filename << ": " << strerror(errno) << endl; + return false; + } + + string str = ""; + + // strip key file + const unsigned long long fileLength = stats.st_size; + unsigned long long read = 0; + while (read < fileLength) { + char buf; + int readLength = fread(&buf, 1, 1, file); + if (readLength < 1) { + log() << "error reading file " << filename << endl; + fclose(file); return false; } + read++; - string str = ""; - - // strip key file - const unsigned long long fileLength = stats.st_size; - unsigned long long read = 0; - while (read < fileLength) { - char buf; - int readLength = fread(&buf, 1, 1, file); - if (readLength < 1) { - log() << "error reading file " << filename << endl; - fclose( file ); - return false; - } 
- read++; - - // check for whitespace - if ((buf >= '\x09' && buf <= '\x0D') || buf == ' ') { - continue; - } - - // check valid base64 - if ((buf < 'A' || buf > 'Z') && (buf < 'a' || buf > 'z') && (buf < '0' || buf > '9') && buf != '+' && buf != '/') { - log() << "invalid char in key file " << filename << ": " << buf << endl; - fclose( file ); - return false; - } - - str += buf; + // check for whitespace + if ((buf >= '\x09' && buf <= '\x0D') || buf == ' ') { + continue; } - fclose( file ); - - const unsigned long long keyLength = str.size(); - if (keyLength < 6 || keyLength > 1024) { - log() << " security key in " << filename << " has length " << keyLength - << ", must be between 6 and 1024 chars" << endl; + // check valid base64 + if ((buf < 'A' || buf > 'Z') && (buf < 'a' || buf > 'z') && (buf < '0' || buf > '9') && + buf != '+' && buf != '/') { + log() << "invalid char in key file " << filename << ": " << buf << endl; + fclose(file); return false; } - // Generate MONGODB-CR and SCRAM credentials for the internal user based on the keyfile. 
- User::CredentialData credentials; - credentials.password = mongo::createPasswordDigest( - internalSecurity.user->getName().getUser().toString(), str); - - BSONObj creds = scram::generateCredentials(credentials.password, - saslGlobalParams.scramIterationCount); - credentials.scram.iterationCount = creds[scram::iterationCountFieldName].Int(); - credentials.scram.salt = creds[scram::saltFieldName].String(); - credentials.scram.storedKey = creds[scram::storedKeyFieldName].String(); - credentials.scram.serverKey = creds[scram::serverKeyFieldName].String(); - - internalSecurity.user->setCredentials(credentials); - - int clusterAuthMode = serverGlobalParams.clusterAuthMode.load(); - if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile || - clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile) { - setInternalUserAuthParams( - BSON(saslCommandMechanismFieldName << "SCRAM-SHA-1" << - saslCommandUserDBFieldName << - internalSecurity.user->getName().getDB() << - saslCommandUserFieldName << internalSecurity.user->getName().getUser() << - saslCommandPasswordFieldName << credentials.password << - saslCommandDigestPasswordFieldName << false)); - } - return true; + str += buf; + } + + fclose(file); + + const unsigned long long keyLength = str.size(); + if (keyLength < 6 || keyLength > 1024) { + log() << " security key in " << filename << " has length " << keyLength + << ", must be between 6 and 1024 chars" << endl; + return false; + } + + // Generate MONGODB-CR and SCRAM credentials for the internal user based on the keyfile. 
+ User::CredentialData credentials; + credentials.password = + mongo::createPasswordDigest(internalSecurity.user->getName().getUser().toString(), str); + + BSONObj creds = + scram::generateCredentials(credentials.password, saslGlobalParams.scramIterationCount); + credentials.scram.iterationCount = creds[scram::iterationCountFieldName].Int(); + credentials.scram.salt = creds[scram::saltFieldName].String(); + credentials.scram.storedKey = creds[scram::storedKeyFieldName].String(); + credentials.scram.serverKey = creds[scram::serverKeyFieldName].String(); + + internalSecurity.user->setCredentials(credentials); + + int clusterAuthMode = serverGlobalParams.clusterAuthMode.load(); + if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile || + clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile) { + setInternalUserAuthParams( + BSON(saslCommandMechanismFieldName + << "SCRAM-SHA-1" << saslCommandUserDBFieldName + << internalSecurity.user->getName().getDB() << saslCommandUserFieldName + << internalSecurity.user->getName().getUser() << saslCommandPasswordFieldName + << credentials.password << saslCommandDigestPasswordFieldName << false)); } + return true; +} -} // namespace mongo +} // namespace mongo |