Diffstat (limited to 'src/mongo/db/auth')
27 files changed, 484 insertions, 346 deletions
diff --git a/src/mongo/db/auth/action_set.cpp b/src/mongo/db/auth/action_set.cpp index 7d3dc9f1712..924ec1e1439 100644 --- a/src/mongo/db/auth/action_set.cpp +++ b/src/mongo/db/auth/action_set.cpp @@ -37,8 +37,8 @@ #include "mongo/base/status.h" #include "mongo/bson/util/builder.h" #include "mongo/util/log.h" -#include "mongo/util/stringutils.h" #include "mongo/util/mongoutils/str.h" +#include "mongo/util/stringutils.h" namespace mongo { @@ -97,9 +97,9 @@ Status ActionSet::parseActionSetFromString(const std::string& actionsString, Act } std::string unrecognizedActionsString; joinStringDelim(unrecognizedActions, &unrecognizedActionsString, ','); - return Status( - ErrorCodes::FailedToParse, - str::stream() << "Unrecognized action privilege strings: " << unrecognizedActionsString); + return Status(ErrorCodes::FailedToParse, + str::stream() << "Unrecognized action privilege strings: " + << unrecognizedActionsString); } Status ActionSet::parseActionSetFromStringVector(const std::vector<std::string>& actionsVector, diff --git a/src/mongo/db/auth/auth_decorations.cpp b/src/mongo/db/auth/auth_decorations.cpp index 2bd2264e0f9..60b148d1ad0 100644 --- a/src/mongo/db/auth/auth_decorations.cpp +++ b/src/mongo/db/auth/auth_decorations.cpp @@ -34,8 +34,8 @@ #include "mongo/base/init.h" #include "mongo/db/auth/authentication_session.h" #include "mongo/db/auth/authorization_manager.h" -#include "mongo/db/auth/authz_manager_external_state.h" #include "mongo/db/auth/authorization_session.h" +#include "mongo/db/auth/authz_manager_external_state.h" #include "mongo/db/client.h" #include "mongo/db/server_options.h" #include "mongo/db/service_context.h" diff --git a/src/mongo/db/auth/auth_index_d.cpp b/src/mongo/db/auth/auth_index_d.cpp index ac3d38ebf03..8f45cfda0e3 100644 --- a/src/mongo/db/auth/auth_index_d.cpp +++ b/src/mongo/db/auth/auth_index_d.cpp 
@@ -61,16 +61,20 @@ std::string v3SystemRolesIndexName; MONGO_INITIALIZER(AuthIndexKeyPatterns)(InitializerContext*) { v1SystemUsersKeyPattern = BSON("user" << 1 << "userSource" << 1); - v3SystemUsersKeyPattern = BSON(AuthorizationManager::USER_NAME_FIELD_NAME - << 1 << AuthorizationManager::USER_DB_FIELD_NAME << 1); - v3SystemRolesKeyPattern = BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME - << 1 << AuthorizationManager::ROLE_DB_FIELD_NAME << 1); + v3SystemUsersKeyPattern = BSON( + AuthorizationManager::USER_NAME_FIELD_NAME << 1 << AuthorizationManager::USER_DB_FIELD_NAME + << 1); + v3SystemRolesKeyPattern = BSON( + AuthorizationManager::ROLE_NAME_FIELD_NAME << 1 << AuthorizationManager::ROLE_DB_FIELD_NAME + << 1); v3SystemUsersIndexName = std::string(str::stream() << AuthorizationManager::USER_NAME_FIELD_NAME << "_1_" - << AuthorizationManager::USER_DB_FIELD_NAME << "_1"); + << AuthorizationManager::USER_DB_FIELD_NAME + << "_1"); v3SystemRolesIndexName = std::string(str::stream() << AuthorizationManager::ROLE_NAME_FIELD_NAME << "_1_" - << AuthorizationManager::ROLE_DB_FIELD_NAME << "_1"); + << AuthorizationManager::ROLE_DB_FIELD_NAME + << "_1"); return Status::OK(); } @@ -113,12 +117,16 @@ void createSystemIndexes(OperationContext* txn, Collection* collection) { collection->getIndexCatalog()->createIndexOnEmptyCollection( txn, BSON("name" << v3SystemUsersIndexName << "ns" << collection->ns().ns() << "key" - << v3SystemUsersKeyPattern << "unique" << true)); + << v3SystemUsersKeyPattern + << "unique" + << true)); } else if (ns == AuthorizationManager::rolesCollectionNamespace) { collection->getIndexCatalog()->createIndexOnEmptyCollection( txn, BSON("name" << v3SystemRolesIndexName << "ns" << collection->ns().ns() << "key" - << v3SystemRolesKeyPattern << "unique" << true)); + << v3SystemRolesKeyPattern + << "unique" + << true)); } } 
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp index df65782689e..046ed24a1bc 100644 --- a/src/mongo/db/auth/authorization_manager.cpp +++ b/src/mongo/db/auth/authorization_manager.cpp @@ -69,8 +69,8 @@ using std::vector; AuthInfo internalSecurity; -MONGO_INITIALIZER_WITH_PREREQUISITES(SetupInternalSecurityUser, - MONGO_NO_PREREQUISITES)(InitializerContext* context) { +MONGO_INITIALIZER_WITH_PREREQUISITES(SetupInternalSecurityUser, MONGO_NO_PREREQUISITES) +(InitializerContext* context) { User* user = new User(UserName("__system", "local")); user->incrementRefCount(); // Pin this user so the ref count never drops below 1. @@ -381,7 +381,8 @@ Status AuthorizationManager::_initializeUserFromPrivilegeDocument(User* user, mongoutils::str::stream() << "User name from privilege document \"" << userName << "\" doesn't match name of provided User \"" - << user->getName().getUser() << "\"", + << user->getName().getUser() + << "\"", 0); } @@ -484,7 +485,8 @@ Status AuthorizationManager::acquireUser(OperationContext* txn, case schemaVersion24: status = Status(ErrorCodes::AuthSchemaIncompatible, mongoutils::str::stream() - << "Authorization data schema version " << schemaVersion24 + << "Authorization data schema version " + << schemaVersion24 << " not supported after MongoDB version 2.6."); break; } @@ -669,7 +671,8 @@ StatusWith<UserName> extractUserNameFromIdString(StringData idstr) { return StatusWith<UserName>(ErrorCodes::FailedToParse, mongoutils::str::stream() << "_id entries for user documents must be of " - "the form <dbname>.<username>. Found: " << idstr); + "the form <dbname>.<username>. Found: " + << idstr); } return StatusWith<UserName>( UserName(idstr.substr(splitPoint + 1), idstr.substr(0, splitPoint))); 
@@ -702,7 +705,8 @@ void AuthorizationManager::_invalidateRelevantCacheData(const char* op, if (!userName.isOK()) { warning() << "Invalidating user cache based on user being updated failed, will " - "invalidate the entire cache instead: " << userName.getStatus() << endl; + "invalidate the entire cache instead: " + << userName.getStatus() << endl; invalidateUserCache(); return; } diff --git a/src/mongo/db/auth/authorization_manager_global.cpp b/src/mongo/db/auth/authorization_manager_global.cpp index 2fc20deef25..9dd114247cb 100644 --- a/src/mongo/db/auth/authorization_manager_global.cpp +++ b/src/mongo/db/auth/authorization_manager_global.cpp @@ -50,7 +50,8 @@ public: MONGO_INITIALIZER_GENERAL(AuthzSchemaParameter, MONGO_NO_PREREQUISITES, - ("BeginStartupOptionParsing"))(InitializerContext*) { + ("BeginStartupOptionParsing")) +(InitializerContext*) { new AuthzVersionParameter(ServerParameterSet::getGlobal(), authSchemaVersionServerParameter); return Status::OK(); } diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp index 2faf6d0fe10..cd2b83fa6b1 100644 --- a/src/mongo/db/auth/authorization_manager_test.cpp +++ b/src/mongo/db/auth/authorization_manager_test.cpp @@ -34,10 +34,10 @@ #include "mongo/bson/mutable/document.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" -#include "mongo/db/auth/authz_session_external_state_mock.h" -#include "mongo/db/auth/authz_manager_external_state_mock.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_session.h" +#include "mongo/db/auth/authz_manager_external_state_mock.h" +#include "mongo/db/auth/authz_session_external_state_mock.h" #include "mongo/db/jsobj.h" #include "mongo/db/namespace_string.h" #include "mongo/db/operation_context_noop.h" 
@@ -175,36 +175,38 @@ public: TEST_F(AuthorizationManagerTest, testAcquireV2User) { OperationContextNoop txn; - ASSERT_OK( - externalState->insertPrivilegeDocument(&txn, - BSON("_id" - << "admin.v2read" - << "user" - << "v2read" - << "db" - << "test" - << "credentials" << BSON("MONGODB-CR" - << "password") - << "roles" << BSON_ARRAY(BSON("role" - << "read" - << "db" - << "test"))), - BSONObj())); - ASSERT_OK( - externalState->insertPrivilegeDocument(&txn, - BSON("_id" - << "admin.v2cluster" - << "user" - << "v2cluster" - << "db" - << "admin" - << "credentials" << BSON("MONGODB-CR" - << "password") - << "roles" << BSON_ARRAY(BSON("role" - << "clusterAdmin" - << "db" - << "admin"))), - BSONObj())); + ASSERT_OK(externalState->insertPrivilegeDocument(&txn, + BSON("_id" + << "admin.v2read" + << "user" + << "v2read" + << "db" + << "test" + << "credentials" + << BSON("MONGODB-CR" + << "password") + << "roles" + << BSON_ARRAY(BSON("role" + << "read" + << "db" + << "test"))), + BSONObj())); + ASSERT_OK(externalState->insertPrivilegeDocument(&txn, + BSON("_id" + << "admin.v2cluster" + << "user" + << "v2cluster" + << "db" + << "admin" + << "credentials" + << BSON("MONGODB-CR" + << "password") + << "roles" + << BSON_ARRAY(BSON("role" + << "clusterAdmin" + << "db" + << "admin"))), + BSONObj())); User* v2read; ASSERT_OK(authzManager->acquireUser(&txn, UserName("v2read", "test"), &v2read)); 
@@ -260,13 +262,13 @@ public: private: Status _getUserDocument(OperationContext* txn, const UserName& userName, BSONObj* userDoc) { - Status status = - findOne(txn, - AuthorizationManager::usersCollectionNamespace, - BSON(AuthorizationManager::USER_NAME_FIELD_NAME - << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME - << userName.getDB()), - userDoc); + Status status = findOne(txn, + AuthorizationManager::usersCollectionNamespace, + BSON(AuthorizationManager::USER_NAME_FIELD_NAME + << userName.getUser() + << AuthorizationManager::USER_DB_FIELD_NAME + << userName.getDB()), + userDoc); if (status == ErrorCodes::NoMatchingDocument) { status = Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "Could not find user " @@ -301,27 +303,33 @@ public: TEST_F(AuthorizationManagerTest, testAcquireV2UserWithUnrecognizedActions) { OperationContextNoop txn; - ASSERT_OK(externalState->insertPrivilegeDocument( - &txn, - BSON("_id" - << "admin.myUser" - << "user" - << "myUser" - << "db" - << "test" - << "credentials" << BSON("MONGODB-CR" - << "password") << "roles" << BSON_ARRAY(BSON("role" - << "myRole" - << "db" - << "test")) - << "inheritedPrivileges" << BSON_ARRAY(BSON("resource" << BSON("db" - << "test" - << "collection" - << "") << "actions" - << BSON_ARRAY("find" - << "fakeAction" - << "insert")))), - BSONObj())); + ASSERT_OK( + externalState->insertPrivilegeDocument(&txn, + BSON("_id" + << "admin.myUser" + << "user" + << "myUser" + << "db" + << "test" + << "credentials" + << BSON("MONGODB-CR" + << "password") + << "roles" + << BSON_ARRAY(BSON("role" + << "myRole" + << "db" + << "test")) + << "inheritedPrivileges" + << BSON_ARRAY(BSON( + "resource" << BSON("db" + << "test" + << "collection" + << "") + << "actions" + << BSON_ARRAY("find" + << "fakeAction" + << "insert")))), + BSONObj())); User* myUser; ASSERT_OK(authzManager->acquireUser(&txn, UserName("myUser", "test"), &myUser)); 
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp index c2474ac5199..7a620253cc6 100644 --- a/src/mongo/db/auth/authorization_session.cpp +++ b/src/mongo/db/auth/authorization_session.cpp @@ -38,8 +38,8 @@ #include "mongo/base/status.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" -#include "mongo/db/auth/authz_session_external_state.h" #include "mongo/db/auth/authorization_manager.h" +#include "mongo/db/auth/authz_session_external_state.h" #include "mongo/db/auth/privilege.h" #include "mongo/db/auth/security_key.h" #include "mongo/db/auth/user_management_commands_parser.h" @@ -338,7 +338,8 @@ Status AuthorizationSession::checkAuthorizedToGrantPrivilege(const Privilege& pr ActionType::grantRole)) { return Status(ErrorCodes::Unauthorized, str::stream() << "Not authorized to grant privileges on the " - << resource.databaseToMatch() << "database"); + << resource.databaseToMatch() + << "database"); } } else if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName("admin"), ActionType::grantRole)) { @@ -358,7 +359,8 @@ Status AuthorizationSession::checkAuthorizedToRevokePrivilege(const Privilege& p ActionType::revokeRole)) { return Status(ErrorCodes::Unauthorized, str::stream() << "Not authorized to revoke privileges on the " - << resource.databaseToMatch() << "database"); + << resource.databaseToMatch() + << "database"); } } else if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName("admin"), ActionType::revokeRole)) { diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp index 8dfc448910f..9098c5a8e1f 100644 --- a/src/mongo/db/auth/authorization_session_test.cpp +++ b/src/mongo/db/auth/authorization_session_test.cpp 
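Review bot: In the two reflowed `Status(ErrorCodes::Unauthorized, ...)` returns of checkAuthorizedToGrantPrivilege and checkAuthorizedToRevokePrivilege, the message is built as `"... privileges on the " << resource.databaseToMatch() << "database"`, so the database name and the word run together (e.g. "on the testdatabase"); the reflow preserves the defect rather than fixing it. The last literal should read `<< " database"` in both hunks. These messages surface in authorization-failure audit and client output, so the malformed text makes denied grant/revoke attempts harder to read when triaging. Both enclosing functions start and end outside their hunks.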
@@ -31,10 +31,10 @@ * Unit tests of the AuthorizationSession type. */ #include "mongo/base/status.h" -#include "mongo/db/auth/authz_session_external_state_mock.h" -#include "mongo/db/auth/authz_manager_external_state_mock.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_session.h" +#include "mongo/db/auth/authz_manager_external_state_mock.h" +#include "mongo/db/auth/authz_session_external_state_mock.h" #include "mongo/db/jsobj.h" #include "mongo/db/namespace_string.h" #include "mongo/db/operation_context_noop.h" @@ -144,8 +144,10 @@ TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -171,8 +173,10 @@ TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) { << "admin" << "db" << "admin" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWriteAnyDatabase" << "db" @@ -216,8 +220,10 @@ TEST_F(AuthorizationSessionTest, DuplicateRolesOK) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -247,8 +253,10 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "rw" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" 
@@ -263,8 +271,10 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "useradmin" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "userAdmin" << "db" @@ -276,8 +286,10 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "rwany" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWriteAnyDatabase" << "db" @@ -293,8 +305,10 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "useradminany" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "userAdminAnyDatabase" << "db" @@ -387,8 +401,10 @@ TEST_F(AuthorizationSessionTest, InvalidateUser) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -413,8 +429,10 @@ TEST_F(AuthorizationSessionTest, InvalidateUser) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "read" << "db" @@ -452,8 +470,10 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" 
@@ -479,8 +499,10 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "read" << "db" diff --git a/src/mongo/db/auth/authz_manager_external_state_d.cpp b/src/mongo/db/auth/authz_manager_external_state_d.cpp index 601c14decff..bd24c6c5b19 100644 --- a/src/mongo/db/auth/authz_manager_external_state_d.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_d.cpp @@ -87,7 +87,8 @@ Status AuthzManagerExternalStateMongod::findOne(OperationContext* txn, } return Status(ErrorCodes::NoMatchingDocument, mongoutils::str::stream() << "No document in " << collectionName.ns() - << " matches " << query); + << " matches " + << query); } } // namespace mongo diff --git a/src/mongo/db/auth/authz_manager_external_state_local.cpp b/src/mongo/db/auth/authz_manager_external_state_local.cpp index 5d76027fc22..82bd5c29440 100644 --- a/src/mongo/db/auth/authz_manager_external_state_local.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_local.cpp @@ -53,7 +53,8 @@ Status AuthzManagerExternalStateLocal::initialize(OperationContext* txn) { << status.reason(); } else { error() << "Could not generate role graph from admin.system.roles; " - "only system roles available: " << status; + "only system roles available: " + << status; } } @@ -81,8 +82,11 @@ Status AuthzManagerExternalStateLocal::getStoredAuthorizationVersion(OperationCo return Status(ErrorCodes::TypeMismatch, mongoutils::str::stream() << "Could not determine schema version of authorization data. " - "Bad (non-numeric) type " << typeName(versionElement.type()) - << " (" << versionElement.type() << ") for " + "Bad (non-numeric) type " + << typeName(versionElement.type()) + << " (" + << versionElement.type() + << ") for " << AuthorizationManager::schemaVersionFieldName << " field in version document"); } 
@@ -123,7 +127,8 @@ void addPrivilegeObjectsOrWarningsToArrayElement(mutablebson::Element privileges std::string(mongoutils::str::stream() << "Skipped privileges on resource " << privileges[i].getResourcePattern().toString() - << ". Reason: " << errmsg))); + << ". Reason: " + << errmsg))); } } } @@ -222,7 +227,8 @@ Status AuthzManagerExternalStateLocal::_getUserDocument(OperationContext* txn, Status status = findOne(txn, AuthorizationManager::usersCollectionNamespace, BSON(AuthorizationManager::USER_NAME_FIELD_NAME - << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME + << userName.getUser() + << AuthorizationManager::USER_DB_FIELD_NAME << userName.getDB()), userDoc); if (status == ErrorCodes::NoMatchingDocument) { @@ -324,7 +330,8 @@ void addRoleFromDocumentOrWarn(RoleGraph* roleGraph, const BSONObj& doc) { Status status = roleGraph->addRoleFromDocument(doc); if (!status.isOK()) { warning() << "Skipping invalid admin.system.roles document while calculating privileges" - " for user-defined roles: " << status << "; document " << doc; + " for user-defined roles: " + << status << "; document " << doc; } } @@ -352,7 +359,8 @@ Status AuthzManagerExternalStateLocal::_initializeRoleGraph(OperationContext* tx RoleGraphState newState; if (status == ErrorCodes::GraphContainsCycle) { error() << "Inconsistent role graph during authorization manager initialization. Only " - "direct privileges available. " << status.reason(); + "direct privileges available. " + << status.reason(); newState = roleGraphStateHasCycle; status = Status::OK(); } else if (status.isOK()) { 
@@ -400,8 +408,8 @@ public: if (_isO2Set) oplogEntryBuilder << "o2" << _o2; error() << "Unsupported modification to roles collection in oplog; " - "restart this process to reenable user-defined roles; " << status.reason() - << "; Oplog entry: " << oplogEntryBuilder.done(); + "restart this process to reenable user-defined roles; " + << status.reason() << "; Oplog entry: " << oplogEntryBuilder.done(); } else if (!status.isOK()) { warning() << "Skipping bad update to roles collection in oplog. " << status << " Oplog entry: " << _op; @@ -410,8 +418,8 @@ public: if (status == ErrorCodes::GraphContainsCycle) { _externalState->_roleGraphState = _externalState->roleGraphStateHasCycle; error() << "Inconsistent role graph during authorization manager initialization. " - "Only direct privileges available. " << status.reason() - << " after applying oplog entry " << _op; + "Only direct privileges available. " + << status.reason() << " after applying oplog entry " << _op; } else { fassert(17183, status); _externalState->_roleGraphState = _externalState->roleGraphStateConsistent; diff --git a/src/mongo/db/auth/authz_manager_external_state_mock.cpp b/src/mongo/db/auth/authz_manager_external_state_mock.cpp index 6bab48f91e9..6c2fe3f9398 100644 --- a/src/mongo/db/auth/authz_manager_external_state_mock.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_mock.cpp @@ -77,7 +77,8 @@ void addPrivilegeObjectsOrWarningsToArrayElement(mutablebson::Element privileges std::string(mongoutils::str::stream() << "Skipped privileges on resource " << privileges[i].getResourcePattern().toString() - << ". Reason: " << errmsg))); + << ". Reason: " + << errmsg))); } } } diff --git a/src/mongo/db/auth/authz_manager_external_state_mock.h b/src/mongo/db/auth/authz_manager_external_state_mock.h index d6b457e0de9..0b8fa3e0b3c 100644 --- a/src/mongo/db/auth/authz_manager_external_state_mock.h +++ b/src/mongo/db/auth/authz_manager_external_state_mock.h 
@@ -28,8 +28,8 @@ #pragma once -#include <string> #include <map> +#include <string> #include <vector> #include "mongo/base/disallow_copying.h" diff --git a/src/mongo/db/auth/authz_manager_external_state_s.cpp b/src/mongo/db/auth/authz_manager_external_state_s.cpp index 48800c500c4..4bdb2648688 100644 --- a/src/mongo/db/auth/authz_manager_external_state_s.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_s.cpp @@ -69,8 +69,8 @@ Status AuthzManagerExternalStateMongos::getStoredAuthorizationVersion(OperationC // that runs this command BSONObj getParameterCmd = BSON("getParameter" << 1 << authSchemaVersionServerParameter << 1); BSONObjBuilder builder; - const bool ok = grid.catalogManager(txn) - ->runUserManagementReadCommand(txn, "admin", getParameterCmd, &builder); + const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( + txn, "admin", getParameterCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); @@ -92,11 +92,14 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* txn BSON("usersInfo" << BSON_ARRAY(BSON(AuthorizationManager::USER_NAME_FIELD_NAME << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME - << userName.getDB())) << "showPrivileges" << true - << "showCredentials" << true); + << userName.getDB())) + << "showPrivileges" + << true + << "showCredentials" + << true); BSONObjBuilder builder; - const bool ok = grid.catalogManager(txn) - ->runUserManagementReadCommand(txn, "admin", usersInfoCmd, &builder); + const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( + txn, "admin", usersInfoCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); 
@@ -110,7 +113,9 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* txn if (foundUsers.size() > 1) { return Status(ErrorCodes::UserDataInconsistent, str::stream() << "Found multiple users on the \"" << userName.getDB() - << "\" database with name \"" << userName.getUser() << "\""); + << "\" database with name \"" + << userName.getUser() + << "\""); } *result = foundUsers[0].Obj().getOwned(); return Status::OK(); @@ -121,13 +126,15 @@ Status AuthzManagerExternalStateMongos::getRoleDescription(OperationContext* txn bool showPrivileges, BSONObj* result) { BSONObj rolesInfoCmd = - BSON("rolesInfo" << BSON_ARRAY(BSON( - AuthorizationManager::ROLE_NAME_FIELD_NAME - << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME - << roleName.getDB())) << "showPrivileges" << showPrivileges); + BSON("rolesInfo" << BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME + << roleName.getRole() + << AuthorizationManager::ROLE_DB_FIELD_NAME + << roleName.getDB())) + << "showPrivileges" + << showPrivileges); BSONObjBuilder builder; - const bool ok = grid.catalogManager(txn) - ->runUserManagementReadCommand(txn, "admin", rolesInfoCmd, &builder); + const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( + txn, "admin", rolesInfoCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); @@ -141,7 +148,9 @@ Status AuthzManagerExternalStateMongos::getRoleDescription(OperationContext* txn if (foundRoles.size() > 1) { return Status(ErrorCodes::RoleDataInconsistent, str::stream() << "Found multiple roles on the \"" << roleName.getDB() - << "\" database with name \"" << roleName.getRole() << "\""); + << "\" database with name \"" + << roleName.getRole() + << "\""); } *result = foundRoles[0].Obj().getOwned(); return Status::OK(); 
@@ -152,8 +161,9 @@ Status AuthzManagerExternalStateMongos::getRoleDescriptionsForDB(OperationContex bool showPrivileges, bool showBuiltinRoles, std::vector<BSONObj>* result) { - BSONObj rolesInfoCmd = BSON("rolesInfo" << 1 << "showPrivileges" << showPrivileges - << "showBuiltinRoles" << showBuiltinRoles); + BSONObj rolesInfoCmd = + BSON("rolesInfo" << 1 << "showPrivileges" << showPrivileges << "showBuiltinRoles" + << showBuiltinRoles); BSONObjBuilder builder; const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand(txn, dbname, rolesInfoCmd, &builder); @@ -170,8 +180,8 @@ Status AuthzManagerExternalStateMongos::getRoleDescriptionsForDB(OperationContex bool AuthzManagerExternalStateMongos::hasAnyPrivilegeDocuments(OperationContext* txn) { BSONObj usersInfoCmd = BSON("usersInfo" << 1); BSONObjBuilder userBuilder; - bool ok = grid.catalogManager(txn) - ->runUserManagementReadCommand(txn, "admin", usersInfoCmd, &userBuilder); + bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( + txn, "admin", usersInfoCmd, &userBuilder); if (!ok) { // If we were unable to complete the query, // it's best to assume that there _are_ privilege documents. This might happen @@ -188,8 +198,8 @@ bool AuthzManagerExternalStateMongos::hasAnyPrivilegeDocuments(OperationContext* BSONObj rolesInfoCmd = BSON("rolesInfo" << 1); BSONObjBuilder roleBuilder; - ok = grid.catalogManager(txn) - ->runUserManagementReadCommand(txn, "admin", rolesInfoCmd, &roleBuilder); + ok = grid.catalogManager(txn)->runUserManagementReadCommand( + txn, "admin", rolesInfoCmd, &roleBuilder); if (!ok) { return true; } diff --git a/src/mongo/db/auth/authz_session_external_state_server_common.cpp b/src/mongo/db/auth/authz_session_external_state_server_common.cpp index a85ab1c5ac2..16fb107f2f3 100644 --- a/src/mongo/db/auth/authz_session_external_state_server_common.cpp +++ b/src/mongo/db/auth/authz_session_external_state_server_common.cpp 
@@ -69,7 +69,8 @@ void AuthzSessionExternalStateServerCommon::_checkShouldAllowLocalhost(Operation if (_allowLocalhost) { ONCE { log() << "note: no users configured in admin.system.users, allowing localhost " - "access" << std::endl; + "access" + << std::endl; } } } diff --git a/src/mongo/db/auth/native_sasl_authentication_session.cpp b/src/mongo/db/auth/native_sasl_authentication_session.cpp index 9566ba37487..9e21ffe8d9b 100644 --- a/src/mongo/db/auth/native_sasl_authentication_session.cpp +++ b/src/mongo/db/auth/native_sasl_authentication_session.cpp @@ -37,7 +37,6 @@ #include "mongo/base/string_data.h" #include "mongo/bson/util/bson_extract.h" #include "mongo/client/sasl_client_authenticate.h" -#include "mongo/db/commands.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_manager_global.h" #include "mongo/db/auth/authorization_session.h" @@ -46,6 +45,7 @@ #include "mongo/db/auth/sasl_options.h" #include "mongo/db/auth/sasl_plain_server_conversation.h" #include "mongo/db/auth/sasl_scramsha1_server_conversation.h" +#include "mongo/db/commands.h" #include "mongo/stdx/memory.h" #include "mongo/util/assert_util.h" #include "mongo/util/mongoutils/str.h" diff --git a/src/mongo/db/auth/privilege_parser_test.cpp b/src/mongo/db/auth/privilege_parser_test.cpp index 1192e911386..74bace49c7e 100644 --- a/src/mongo/db/auth/privilege_parser_test.cpp +++ b/src/mongo/db/auth/privilege_parser_test.cpp 
@@ -51,23 +51,28 @@ TEST(PrivilegeParserTest, IsValidTest) { ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); // resource can't have cluster as well as db or collection - parsedPrivilege.parseBSON( - BSON("resource" << BSON("cluster" << true << "db" - << "" - << "collection" - << "") << "actions" << BSON_ARRAY("find")), - &errmsg); + parsedPrivilege.parseBSON(BSON("resource" << BSON("cluster" << true << "db" + << "" + << "collection" + << "") + << "actions" + << BSON_ARRAY("find")), + &errmsg); ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); // resource can't have db without collection parsedPrivilege.parseBSON(BSON("resource" << BSON("db" - << "") << "actions" << BSON_ARRAY("find")), + << "") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); // resource can't have collection without db parsedPrivilege.parseBSON(BSON("resource" << BSON("collection" - << "") << "actions" << BSON_ARRAY("find")), + << "") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); @@ -75,7 +80,9 @@ TEST(PrivilegeParserTest, IsValidTest) { parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "" << "collection" - << "") << "actions" << BSON_ARRAY("find")), + << "") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); @@ -83,7 +90,9 @@ TEST(PrivilegeParserTest, IsValidTest) { parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "test" << "collection" - << "foo") << "actions" << BSON_ARRAY("find")), + << "foo") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); @@ -105,7 +114,9 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "" << "collection" - << "") << "actions" << BSON_ARRAY("find")), + << "") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( 
@@ -130,7 +141,9 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "test" << "collection" - << "foo") << "actions" << BSON_ARRAY("find")), + << "foo") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( @@ -156,7 +169,9 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "test" << "collection" - << "") << "actions" << BSON_ARRAY("find")), + << "") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( @@ -181,7 +196,9 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "" << "collection" - << "foo") << "actions" << BSON_ARRAY("find")), + << "foo") + << "actions" + << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( @@ -232,13 +249,14 @@ TEST(PrivilegeParserTest, ParseInvalidActionsTest) { std::vector<std::string> unrecognizedActions; actionsVector.push_back("find"); - parsedPrivilege.parseBSON( - BSON("resource" << BSON("db" - << "" - << "collection" - << "") << "actions" << BSON_ARRAY("find" - << "fakeAction")), - &errmsg); + parsedPrivilege.parseBSON(BSON("resource" << BSON("db" + << "" + << "collection" + << "") + << "actions" + << BSON_ARRAY("find" + << "fakeAction")), + &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( parsedPrivilege, &privilege, &unrecognizedActions)); diff --git a/src/mongo/db/auth/role_graph.cpp b/src/mongo/db/auth/role_graph.cpp index a0861b98236..15e8fc87646 100644 --- a/src/mongo/db/auth/role_graph.cpp +++ b/src/mongo/db/auth/role_graph.cpp 
@@ -119,8 +119,8 @@ Status RoleGraph::deleteRole(const RoleName& role) { } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot delete built-in role: " << role.getFullName(), + mongoutils::str::stream() << "Cannot delete built-in role: " + << role.getFullName(), 0); } @@ -183,8 +183,8 @@ Status RoleGraph::addRoleToRole(const RoleName& recipient, const RoleName& role) } if (isBuiltinRole(recipient)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot grant roles to built-in role: " << role.getFullName()); + mongoutils::str::stream() << "Cannot grant roles to built-in role: " + << role.getFullName()); } if (!roleExists(role)) { return Status(ErrorCodes::RoleNotFound, @@ -212,8 +212,8 @@ Status RoleGraph::removeRoleFromRole(const RoleName& recipient, const RoleName& } if (isBuiltinRole(recipient)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot remove roles from built-in role: " << role.getFullName(), + mongoutils::str::stream() << "Cannot remove roles from built-in role: " + << role.getFullName(), 0); } if (!roleExists(role)) { @@ -252,8 +252,8 @@ Status RoleGraph::removeAllRolesFromRole(const RoleName& victim) { } if (isBuiltinRole(victim)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot remove roles from built-in role: " << victim.getFullName(), + mongoutils::str::stream() << "Cannot remove roles from built-in role: " + << victim.getFullName(), 0); } @@ -281,8 +281,8 @@ Status RoleGraph::addPrivilegeToRole(const RoleName& role, const Privilege& priv } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot grant privileges to built-in role: " << role.getFullName(), + mongoutils::str::stream() << "Cannot grant privileges to built-in role: " + << role.getFullName(), 0); } 
@@ -308,8 +308,8 @@ Status RoleGraph::addPrivilegesToRole(const RoleName& role, } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot grant privileges to built-in role: " << role.getFullName(), + mongoutils::str::stream() << "Cannot grant privileges to built-in role: " + << role.getFullName(), 0); } @@ -330,8 +330,8 @@ Status RoleGraph::removePrivilegeFromRole(const RoleName& role, } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot remove privileges from built-in role: " << role.getFullName()); + mongoutils::str::stream() << "Cannot remove privileges from built-in role: " + << role.getFullName()); } PrivilegeVector& currentPrivileges = _directPrivilegesForRole[role]; @@ -343,13 +343,14 @@ Status RoleGraph::removePrivilegeFromRole(const RoleName& role, if (!curActions.isSupersetOf(privilegeToRemove.getActions())) { // Didn't possess all the actions being removed. - return Status(ErrorCodes::PrivilegeNotFound, - mongoutils::str::stream() - << "Role: " << role.getFullName() - << " does not contain a privilege on " - << privilegeToRemove.getResourcePattern().toString() - << " with actions: " << privilegeToRemove.getActions().toString(), - 0); + return Status( + ErrorCodes::PrivilegeNotFound, + mongoutils::str::stream() << "Role: " << role.getFullName() + << " does not contain a privilege on " + << privilegeToRemove.getResourcePattern().toString() + << " with actions: " + << privilegeToRemove.getActions().toString(), + 0); } curPrivilege.removeActions(privilegeToRemove.getActions()); 
@@ -389,8 +390,8 @@ Status RoleGraph::removeAllPrivilegesFromRole(const RoleName& role) { } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - mongoutils::str::stream() - << "Cannot remove privileges from built-in role: " << role.getFullName()); + mongoutils::str::stream() << "Cannot remove privileges from built-in role: " + << role.getFullName()); } _directPrivilegesForRole[role].clear(); return Status::OK(); diff --git a/src/mongo/db/auth/role_graph_update.cpp b/src/mongo/db/auth/role_graph_update.cpp index f9dd3b10efe..21be828753c 100644 --- a/src/mongo/db/auth/role_graph_update.cpp +++ b/src/mongo/db/auth/role_graph_update.cpp @@ -87,7 +87,9 @@ Status checkIdMatchesRoleName(const BSONElement& idElement, const RoleName& role return Status(ErrorCodes::FailedToParse, mongoutils::str::stream() << "Role document _id fields must be encoded as the string " - "dbname.rolename. Found " << idField << " for " + "dbname.rolename. Found " + << idField + << " for " << roleName.getFullName()); } return Status::OK(); diff --git a/src/mongo/db/auth/sasl_authentication_session.cpp b/src/mongo/db/auth/sasl_authentication_session.cpp index c74bba6fadb..c64e4be8100 100644 --- a/src/mongo/db/auth/sasl_authentication_session.cpp +++ b/src/mongo/db/auth/sasl_authentication_session.cpp @@ -36,12 +36,12 @@ #include "mongo/base/string_data.h" #include "mongo/bson/util/bson_extract.h" #include "mongo/client/sasl_client_authenticate.h" -#include "mongo/db/commands.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_manager_global.h" #include "mongo/db/auth/authorization_session.h" #include "mongo/db/auth/authz_manager_external_state_mock.h" #include "mongo/db/auth/authz_session_external_state_mock.h" +#include "mongo/db/commands.h" #include "mongo/util/assert_util.h" #include "mongo/util/mongoutils/str.h" 
diff --git a/src/mongo/db/auth/sasl_options.cpp b/src/mongo/db/auth/sasl_options.cpp index 69bfb504e83..fdb64f044e2 100644 --- a/src/mongo/db/auth/sasl_options.cpp +++ b/src/mongo/db/auth/sasl_options.cpp @@ -60,27 +60,31 @@ SASLGlobalParams::SASLGlobalParams() { Status addSASLOptions(moe::OptionSection* options) { moe::OptionSection saslOptions("SASL Options"); - saslOptions.addOptionChaining("security.authenticationMechanisms", - "", - moe::StringVector, - "List of supported authentication mechanisms. " - "Default is MONGODB-CR, SCRAM-SHA-1 and MONGODB-X509.") + saslOptions + .addOptionChaining("security.authenticationMechanisms", + "", + moe::StringVector, + "List of supported authentication mechanisms. " + "Default is MONGODB-CR, SCRAM-SHA-1 and MONGODB-X509.") .setSources(moe::SourceYAMLConfig); - saslOptions.addOptionChaining( - "security.sasl.hostName", "", moe::String, "Fully qualified server domain name") + saslOptions + .addOptionChaining( + "security.sasl.hostName", "", moe::String, "Fully qualified server domain name") .setSources(moe::SourceYAMLConfig); - saslOptions.addOptionChaining("security.sasl.serviceName", - "", - moe::String, - "Registered name of the service using SASL") + saslOptions + .addOptionChaining("security.sasl.serviceName", + "", + moe::String, + "Registered name of the service using SASL") .setSources(moe::SourceYAMLConfig); - saslOptions.addOptionChaining("security.sasl.saslauthdSocketPath", - "", - moe::String, - "Path to Unix domain socket file for saslauthd") + saslOptions + .addOptionChaining("security.sasl.saslauthdSocketPath", + "", + moe::String, + "Path to Unix domain socket file for saslauthd") .setSources(moe::SourceYAMLConfig); Status ret = options->addSection(saslOptions); 
@@ -178,11 +182,11 @@ public: virtual Status validate(const int& newValue) { if (newValue < minimumScramIterationCount) { - return Status(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Invalid value for SCRAM iteration count: " << newValue - << " is less than the minimum SCRAM iteration count, " - << minimumScramIterationCount); + return Status( + ErrorCodes::BadValue, + mongoutils::str::stream() << "Invalid value for SCRAM iteration count: " << newValue + << " is less than the minimum SCRAM iteration count, " + << minimumScramIterationCount); } return Status::OK(); diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp index 9fd8496b7bc..ed812ddb27f 100644 --- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp @@ -61,9 +61,9 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::step(StringData inputData, _step++; if (_step > 3 || _step <= 0) { - return StatusWith<bool>(ErrorCodes::AuthenticationFailed, - mongoutils::str::stream() - << "Invalid SCRAM-SHA-1 authentication step: " << _step); + return StatusWith<bool>( + ErrorCodes::AuthenticationFailed, + mongoutils::str::stream() << "Invalid SCRAM-SHA-1 authentication step: " << _step); } if (_step == 1) { return _firstStep(input, outputData); @@ -109,8 +109,8 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_firstStep(std::vector<string> */ if (!str::startsWith(input[1], "a=") || input[1].size() < 3) { return StatusWith<bool>(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 authzid: " << input[1]); + mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 authzid: " + << input[1]); } authzId = input[1].substr(2); input.erase(input.begin() + 1); 
@@ -121,26 +121,29 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_firstStep(std::vector<string> ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect number of arguments for first SCRAM-SHA-1 client message, got " - << input.size() << " expected 4"); + << input.size() + << " expected 4"); } else if (input[0] != "n") { return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 client message prefix: " << input[0]); + << "Incorrect SCRAM-SHA-1 client message prefix: " + << input[0]); } else if (!str::startsWith(input[1], "n=") || input[1].size() < 3) { return StatusWith<bool>(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 user name: " << input[1]); + mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 user name: " + << input[1]); } else if (!str::startsWith(input[2], "r=") || input[2].size() < 6) { return StatusWith<bool>(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 client nonce: " << input[2]); + mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 client nonce: " + << input[2]); } _user = input[1].substr(2); if (!authzId.empty() && _user != authzId) { return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() << "SCRAM-SHA-1 user name " << _user - << " does not match authzid " << authzId); + << " does not match authzid " + << authzId); } decodeSCRAMUsername(_user); 
@@ -237,19 +240,20 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_secondStep(const std::vector< ErrorCodes::BadValue, mongoutils::str::stream() << "Incorrect number of arguments for second SCRAM-SHA-1 client message, got " - << input.size() << " expected 3"); + << input.size() + << " expected 3"); } else if (!str::startsWith(input[0], "c=") || input[0].size() < 3) { - return StatusWith<bool>(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 channel binding: " << input[0]); + return StatusWith<bool>( + ErrorCodes::BadValue, + mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 channel binding: " << input[0]); } else if (!str::startsWith(input[1], "r=") || input[1].size() < 6) { - return StatusWith<bool>(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 client|server nonce: " << input[1]); + return StatusWith<bool>( + ErrorCodes::BadValue, + mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 client|server nonce: " << input[1]); } else if (!str::startsWith(input[2], "p=") || input[2].size() < 3) { return StatusWith<bool>(ErrorCodes::BadValue, - mongoutils::str::stream() - << "Incorrect SCRAM-SHA-1 ClientProof: " << input[2]); + mongoutils::str::stream() << "Incorrect SCRAM-SHA-1 ClientProof: " + << input[2]); } // add client-final-message-without-proof to authMessage @@ -262,7 +266,9 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_secondStep(const std::vector< ErrorCodes::BadValue, mongoutils::str::stream() << "Unmatched SCRAM-SHA-1 nonce received from client in second step, expected " - << _nonce << " but received " << nonce); + << _nonce + << " but received " + << nonce); } std::string clientProof = input[2].substr(2); diff --git a/src/mongo/db/auth/security_file.cpp b/src/mongo/db/auth/security_file.cpp index fd31a13a6f3..2538259bcae 100644 --- a/src/mongo/db/auth/security_file.cpp +++ b/src/mongo/db/auth/security_file.cpp 
@@ -32,8 +32,8 @@ #include "mongo/db/auth/security_key.h" -#include <sys/stat.h> #include <string> +#include <sys/stat.h> #include "mongo/base/status_with.h" #include "mongo/util/mongoutils/str.h" @@ -92,9 +92,9 @@ StatusWith<std::string> readSecurityFile(const std::string& filename) { if ((buf < 'A' || buf > 'Z') && (buf < 'a' || buf > 'z') && (buf < '0' || buf > '9') && buf != '+' && buf != '/' && buf != '=') { fclose(file); - return StatusWith<std::string>(ErrorCodes::UnsupportedFormat, - str::stream() << "invalid char in key file " << filename - << ": " << buf); + return StatusWith<std::string>( + ErrorCodes::UnsupportedFormat, + str::stream() << "invalid char in key file " << filename << ": " << buf); } str += buf; diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp index a8e5611e1c0..97e7076c447 100644 --- a/src/mongo/db/auth/security_key.cpp +++ b/src/mongo/db/auth/security_key.cpp @@ -32,8 +32,8 @@ #include "mongo/db/auth/security_key.h" -#include <sys/stat.h> #include <string> +#include <sys/stat.h> #include <vector> #include "mongo/base/status_with.h" @@ -89,11 +89,14 @@ bool setUpSecurityKey(const string& filename) { if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile || clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile) { setInternalUserAuthParams( - BSON(saslCommandMechanismFieldName - << "SCRAM-SHA-1" << saslCommandUserDBFieldName - << internalSecurity.user->getName().getDB() << saslCommandUserFieldName - << internalSecurity.user->getName().getUser() << saslCommandPasswordFieldName - << credentials.password << saslCommandDigestPasswordFieldName << false)); + BSON(saslCommandMechanismFieldName << "SCRAM-SHA-1" << saslCommandUserDBFieldName + << internalSecurity.user->getName().getDB() + << saslCommandUserFieldName + << internalSecurity.user->getName().getUser() + << saslCommandPasswordFieldName + << credentials.password + << saslCommandDigestPasswordFieldName + << false)); } return true; 
diff --git a/src/mongo/db/auth/user_cache_invalidator_job.cpp b/src/mongo/db/auth/user_cache_invalidator_job.cpp index ef64311cbe6..5f58d956c5c 100644 --- a/src/mongo/db/auth/user_cache_invalidator_job.cpp +++ b/src/mongo/db/auth/user_cache_invalidator_job.cpp @@ -130,7 +130,8 @@ void UserCacheInvalidator::initialize(OperationContext* txn) { "running an outdated version of mongod on the config servers"; } else { warning() << "An error occurred while fetching initial user cache generation from " - "config servers: " << currentGeneration.getStatus(); + "config servers: " + << currentGeneration.getStatus(); } _previousCacheGeneration = OID(); } @@ -162,7 +163,8 @@ void UserCacheInvalidator::run() { if (currentGeneration.getStatus().code() == ErrorCodes::CommandNotFound) { warning() << "_getUserCacheGeneration command not found on config server(s), " "this most likely means you are running an outdated version of mongod " - "on the config servers" << std::endl; + "on the config servers" + << std::endl; } else { warning() << "An error occurred while fetching current user cache generation " "to check if user cache needs invalidation: " diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp index c3a1e0a490f..273eaff86f5 100644 --- a/src/mongo/db/auth/user_document_parser_test.cpp +++ b/src/mongo/db/auth/user_document_parser_test.cpp @@ -74,7 +74,8 @@ TEST_F(V1UserDocumentParsing, testParsingV0UserDocuments) { << "spencer" << "pwd" << "passwordHash" - << "readOnly" << true); + << "readOnly" + << true); BSONObj readWriteAdmin = BSON("user" << "admin" << "pwd" @@ -83,7 +84,8 @@ TEST_F(V1UserDocumentParsing, testParsingV0UserDocuments) { << "admin" << "pwd" << "passwordHash" - << "readOnly" << true); + << "readOnly" + << true); ASSERT_OK(v1parser.initializeUserRolesFromUserDocument(user.get(), readOnly, "test")); RoleNameIterator roles = user->getRoles(); 
@@ -124,15 +126,15 @@ TEST_F(V1UserDocumentParsing, VerifyRolesFieldMustBeAnArray) { } TEST_F(V1UserDocumentParsing, VerifySemanticallyInvalidRolesStillParse) { - ASSERT_OK( - v1parser.initializeUserRolesFromUserDocument(user.get(), - BSON("user" - << "spencer" - << "pwd" - << "" - << "roles" << BSON_ARRAY("read" - << "frim")), - "test")); + ASSERT_OK(v1parser.initializeUserRolesFromUserDocument(user.get(), + BSON("user" + << "spencer" + << "pwd" + << "" + << "roles" + << BSON_ARRAY("read" + << "frim")), + "test")); RoleNameIterator roles = user->getRoles(); RoleName role = roles.next(); if (role == RoleName("read", "test")) { @@ -145,26 +147,28 @@ TEST_F(V1UserDocumentParsing, VerifySemanticallyInvalidRolesStillParse) { } TEST_F(V1UserDocumentParsing, VerifyOtherDBRolesMustBeAnObjectOfArraysOfStrings) { - ASSERT_NOT_OK( - v1parser.initializeUserRolesFromUserDocument(adminUser.get(), - BSON("user" - << "admin" - << "pwd" - << "" - << "roles" << BSON_ARRAY("read") - << "otherDBRoles" << BSON_ARRAY("read")), - "admin")); + ASSERT_NOT_OK(v1parser.initializeUserRolesFromUserDocument(adminUser.get(), + BSON("user" + << "admin" + << "pwd" + << "" + << "roles" + << BSON_ARRAY("read") + << "otherDBRoles" + << BSON_ARRAY("read")), + "admin")); - ASSERT_NOT_OK( - v1parser.initializeUserRolesFromUserDocument(adminUser.get(), - BSON("user" - << "admin" - << "pwd" - << "" - << "roles" << BSON_ARRAY("read") - << "otherDBRoles" << BSON("test2" - << "read")), - "admin")); + ASSERT_NOT_OK(v1parser.initializeUserRolesFromUserDocument(adminUser.get(), + BSON("user" + << "admin" + << "pwd" + << "" + << "roles" + << BSON_ARRAY("read") + << "otherDBRoles" + << BSON("test2" + << "read")), + "admin")); } TEST_F(V1UserDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormally) { 
@@ -175,7 +179,8 @@ TEST_F(V1UserDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormall << "spencer" << "pwd" << "" - << "roles" << BSONArrayBuilder().arr() + << "roles" + << BSONArrayBuilder().arr() << "otherDBRoles" << BSON("test2" << BSON_ARRAY("read"))), "test")); @@ -184,15 +189,17 @@ TEST_F(V1UserDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormall TEST_F(V1UserDocumentParsing, GrantUserAdminOnTestViaAdmin) { // Grant userAdmin on test via admin. - ASSERT_OK(v1parser.initializeUserRolesFromUserDocument( - adminUser.get(), - BSON("user" - << "admin" - << "pwd" - << "" - << "roles" << BSONArrayBuilder().arr() << "otherDBRoles" - << BSON("test" << BSON_ARRAY("userAdmin"))), - "admin")); + ASSERT_OK(v1parser.initializeUserRolesFromUserDocument(adminUser.get(), + BSON("user" + << "admin" + << "pwd" + << "" + << "roles" + << BSONArrayBuilder().arr() + << "otherDBRoles" + << BSON("test" << BSON_ARRAY( + "userAdmin"))), + "admin")); RoleNameIterator roles = adminUser->getRoles(); ASSERT_EQUALS(RoleName("userAdmin", "test"), roles.next()); ASSERT_FALSE(roles.more()); @@ -200,15 +207,16 @@ TEST_F(V1UserDocumentParsing, GrantUserAdminOnTestViaAdmin) { TEST_F(V1UserDocumentParsing, MixedV0V1UserDocumentsAreInvalid) { // Try to mix fields from V0 and V1 user documents and make sure it fails. - ASSERT_NOT_OK( - v1parser.initializeUserRolesFromUserDocument(user.get(), - BSON("user" - << "spencer" - << "pwd" - << "passwordHash" - << "readOnly" << false << "roles" - << BSON_ARRAY("read")), - "test")); + ASSERT_NOT_OK(v1parser.initializeUserRolesFromUserDocument(user.get(), + BSON("user" + << "spencer" + << "pwd" + << "passwordHash" + << "readOnly" + << false + << "roles" + << BSON_ARRAY("read")), + "test")); ASSERT_FALSE(user->getRoles().more()); } 
@@ -235,20 +243,25 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "pwd" << "a" - << "roles" << BSON_ARRAY("read")))); + << "roles" + << BSON_ARRAY("read")))); // Need name field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << emptyArray))); // Need source field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << emptyArray))); // Need credentials field @@ -256,23 +269,27 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "roles" << emptyArray))); + << "roles" + << emptyArray))); // Need roles field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a")))); + << "credentials" + << BSON("MONGODB-CR" + << "a")))); // Empty roles arrays are OK ASSERT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << emptyArray))); // Need credentials of {external: true} if user's db is $external @@ -280,16 +297,20 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "$external" - << "credentials" << BSON("external" << true) - << "roles" << emptyArray))); + << "credentials" + << BSON("external" << true) + << "roles" + << emptyArray))); // Roles must be objects ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY("read")))); // Role needs name 
@@ -297,8 +318,10 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("db" << "dbA"))))); @@ -307,8 +330,10 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "roleA"))))); @@ -318,8 +343,10 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "roleA" << "db" @@ -330,8 +357,10 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "roles" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "roles" << BSON_ARRAY(BSON("role" << "roleA" << "db" @@ -346,10 +375,13 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" << BSON("MONGODB-CR" - << "a") << "extraData" + << "credentials" + << BSON("MONGODB-CR" + << "a") + << "extraData" << BSON("foo" - << "bar") << "roles" + << "bar") + << "roles" << BSON_ARRAY(BSON("role" << "roleA" << "db" 
@@ -424,44 +456,45 @@ TEST_F(V2UserDocumentParsing, V2RoleExtraction) { user.get())); // V1-style roles arrays no longer work - ASSERT_NOT_OK( - v2parser.initializeUserRolesFromUserDocument(BSON("user" - << "spencer" - << "roles" << BSON_ARRAY("read")), - user.get())); + ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user" + << "spencer" + << "roles" + << BSON_ARRAY("read")), + user.get())); // Roles must have "db" field - ASSERT_NOT_OK( - v2parser.initializeUserRolesFromUserDocument(BSON("user" - << "spencer" - << "roles" << BSON_ARRAY(BSONObj())), - user.get())); - ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user" << "spencer" - << "roles" << BSON_ARRAY(BSON( - "role" - << "roleA"))), + << "roles" + << BSON_ARRAY(BSONObj())), user.get())); ASSERT_NOT_OK( v2parser.initializeUserRolesFromUserDocument(BSON("user" << "spencer" - << "roles" << BSON_ARRAY(BSON("user" - << "roleA" - << "db" - << "dbA"))), + << "roles" + << BSON_ARRAY(BSON("role" + << "roleA"))), user.get())); + ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user" + << "spencer" + << "roles" + << BSON_ARRAY(BSON("user" + << "roleA" + << "db" + << "dbA"))), + user.get())); + // Valid role names are extracted successfully - ASSERT_OK( - v2parser.initializeUserRolesFromUserDocument(BSON("user" - << "spencer" - << "roles" << BSON_ARRAY(BSON("role" - << "roleA" - << "db" - << "dbA"))), - user.get())); + ASSERT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user" + << "spencer" + << "roles" + << BSON_ARRAY(BSON("role" + << "roleA" + << "db" + << "dbA"))), + user.get())); RoleNameIterator roles = user->getRoles(); ASSERT_EQUALS(RoleName("roleA", "dbA"), roles.next()); ASSERT_FALSE(roles.more()); diff --git a/src/mongo/db/auth/user_management_commands_parser.cpp b/src/mongo/db/auth/user_management_commands_parser.cpp index 6707a70b8ca..db6a2f96f9a 100644 --- a/src/mongo/db/auth/user_management_commands_parser.cpp 
+++ b/src/mongo/db/auth/user_management_commands_parser.cpp @@ -684,8 +684,11 @@ Status parseAuthSchemaUpgradeCommand(const BSONObj& cmdObj, if (steps < minUpgradeSteps || steps > maxUpgradeSteps) { return Status(ErrorCodes::BadValue, mongoutils::str::stream() << "Legal values for \"maxSteps\" are at least " - << minUpgradeSteps << " and no more than " - << maxUpgradeSteps << "; found " << steps); + << minUpgradeSteps + << " and no more than " + << maxUpgradeSteps + << "; found " + << steps); } parsedArgs->maxSteps = static_cast<int>(steps); diff --git a/src/mongo/db/auth/user_management_commands_parser.h b/src/mongo/db/auth/user_management_commands_parser.h index ff65eca69e4..94dc3b7b2ae 100644 --- a/src/mongo/db/auth/user_management_commands_parser.h +++ b/src/mongo/db/auth/user_management_commands_parser.h @@ -31,9 +31,9 @@ #include <string> #include <vector> +#include "mongo/base/disallow_copying.h" #include "mongo/base/status.h" #include "mongo/base/string_data.h" -#include "mongo/base/disallow_copying.h" #include "mongo/db/auth/privilege.h" #include "mongo/db/auth/role_name.h" #include "mongo/db/auth/user.h" |