diff options
Diffstat (limited to 'src/mongo/db/auth/security_token.cpp')
| -rw-r--r-- | src/mongo/db/auth/security_token.cpp | 147 |
1 files changed, 0 insertions, 147 deletions
diff --git a/src/mongo/db/auth/security_token.cpp b/src/mongo/db/auth/security_token.cpp deleted file mode 100644 index f20cffe04c2..00000000000 --- a/src/mongo/db/auth/security_token.cpp +++ /dev/null @@ -1,147 +0,0 @@ -/** - * Copyright (C) 2021-present MongoDB, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the Server Side Public License, version 1, - * as published by MongoDB, Inc. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * Server Side Public License for more details. - * - * You should have received a copy of the Server Side Public License - * along with this program. If not, see - * <http://www.mongodb.com/licensing/server-side-public-license>. - * - * As a special exception, the copyright holders give permission to link the - * code of portions of this program with the OpenSSL library under certain - * conditions as described in each individual source file and distribute - * linked combinations including the program with the OpenSSL library. You - * must comply with the Server Side Public License in all respects for - * all of the code used other than as permitted herein. If you modify file(s) - * with this exception, you may extend this exception to your version of the - * file(s), but you are not obligated to do so. If you do not wish to do so, - * delete this exception statement from your version. If you delete this - * exception statement from all source files in the program, then also delete - * it in the license file. - */ - - -#include "mongo/db/auth/security_token.h" - -#include <boost/optional.hpp> - -#include "mongo/base/init.h" -#include "mongo/db/auth/authorization_session.h" -#include "mongo/db/multitenancy_gen.h" -#include "mongo/db/server_feature_flags_gen.h" -#include "mongo/db/tenant_id.h" -#include "mongo/logv2/log.h" -#include "mongo/logv2/log_detail.h" - -#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kAccessControl - - -namespace mongo { -namespace auth { -namespace { -const auto securityTokenDecoration = OperationContext::declareDecoration<MaybeSecurityToken>(); -MONGO_INITIALIZER(SecurityTokenOptionValidate)(InitializerContext*) { - uassert(ErrorCodes::BadValue, - "multitenancySupport may not be specified if featureFlagMongoStore is not enabled", - !gMultitenancySupport || gFeatureFlagMongoStore.isEnabledAndIgnoreFCV()); - if (gMultitenancySupport) { - logv2::detail::setGetTenantIDCallback([]() -> boost::optional<TenantId> { - auto* client = Client::getCurrent(); - if (!client) - return boost::none; - - if (auto* opCtx = client->getOperationContext()) { - auto token = getSecurityToken(opCtx); - if (token) { - return token->getAuthenticatedUser().getTenant(); - } else { - return boost::none; - } - } - - return boost::none; - }); - } -} -} // namespace - -SecurityTokenAuthenticationGuard::SecurityTokenAuthenticationGuard(OperationContext* opCtx) { - auto token = getSecurityToken(opCtx); - if (token == boost::none) { - _client = nullptr; - return; - } - - auto client = opCtx->getClient(); - uassertStatusOK(AuthorizationSession::get(client)->addAndAuthorizeUser( - opCtx, token->getAuthenticatedUser())); - _client = client; -} - -SecurityTokenAuthenticationGuard::~SecurityTokenAuthenticationGuard() { - if (_client) { - // SecurityToken based users are "logged out" at the end of their request. - AuthorizationSession::get(_client)->logoutSecurityTokenUser(_client); - } -} - -BSONObj signSecurityToken(BSONObj obj) { - auto authUserElem = obj[SecurityToken::kAuthenticatedUserFieldName]; - uassert(ErrorCodes::BadValue, - "Invalid field(s) in token being signed", - (authUserElem.type() == Object) && (obj.nFields() == 1)); - - auto authUserObj = authUserElem.Obj(); - ConstDataRange authUserCDR(authUserObj.objdata(), authUserObj.objsize()); - - // Placeholder algorithm. - auto sig = SHA256Block::computeHash({authUserCDR}); - - BSONObjBuilder signedToken(obj); - signedToken.appendBinData(SecurityToken::kSigFieldName, sig.size(), BinDataGeneral, sig.data()); - return signedToken.obj(); -} - -SecurityToken verifySecurityToken(BSONObj obj) { - uassert(ErrorCodes::BadValue, "Multitenancy not enabled", gMultitenancySupport); - - auto token = SecurityToken::parse({"Security Token"}, obj); - auto authenticatedUser = token.getAuthenticatedUser(); - uassert(ErrorCodes::BadValue, - "Security token authenticated user requires a valid Tenant ID", - authenticatedUser.getTenant()); - - // Use actual authenticatedUser object as passed to preserve hash input. - auto authUserObj = obj[SecurityToken::kAuthenticatedUserFieldName].Obj(); - ConstDataRange authUserCDR(authUserObj.objdata(), authUserObj.objsize()); - - // Placeholder algorithm. - auto computed = SHA256Block::computeHash({authUserCDR}); - - uassert(ErrorCodes::Unauthorized, "Token signature invalid", computed == token.getSig()); - return token; -} - -void setSecurityToken(OperationContext* opCtx, const OpMsg& opMsg) { - if (opMsg.validatedTenant && opMsg.securityToken.nFields() > 0) { - // Use the security token directly as it has been validated by ValdiatedTenantId - // constructor. - securityTokenDecoration(opCtx) = - SecurityToken::parse({"Security Token"}, opMsg.securityToken); - LOGV2_DEBUG(5838100, 4, "Accepted security token", "token"_attr = opMsg.securityToken); - } -} - -MaybeSecurityToken getSecurityToken(OperationContext* opCtx) { - return securityTokenDecoration(opCtx); -} - -} // namespace auth -} // namespace mongo |