Diffstat (limited to 'src/mongo/db/auth')
24 files changed, 230 insertions, 383 deletions
diff --git a/src/mongo/db/auth/authorization_manager_impl.cpp b/src/mongo/db/auth/authorization_manager_impl.cpp index 07996cd2f82..63e59eb4628 100644 --- a/src/mongo/db/auth/authorization_manager_impl.cpp +++ b/src/mongo/db/auth/authorization_manager_impl.cpp @@ -431,8 +431,7 @@ Status AuthorizationManagerImpl::_initializeUserFromPrivilegeDocument(User* user return Status(ErrorCodes::BadValue, str::stream() << "User name from privilege document \"" << userName << "\" doesn't match name of provided User \"" - << user->getName().getUser() - << "\""); + << user->getName().getUser() << "\""); } user->setID(parser.extractUserIDFromUserDocument(privDoc)); diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp index ab3a650d6dd..46c6da88230 100644 --- a/src/mongo/db/auth/authorization_manager_test.cpp +++ b/src/mongo/db/auth/authorization_manager_test.cpp @@ -127,9 +127,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2User) { << "v2read" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "read" << "db" @@ -142,9 +140,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2User) { << "v2cluster" << "db" << "admin" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "clusterAdmin" << "db" 
@@ -249,19 +245,17 @@ public: private: Status _getUserDocument(OperationContext* opCtx, const UserName& userName, BSONObj* userDoc) { - Status status = findOne(opCtx, - AuthorizationManager::usersCollectionNamespace, - BSON(AuthorizationManager::USER_NAME_FIELD_NAME - << userName.getUser() - << AuthorizationManager::USER_DB_FIELD_NAME - << userName.getDB()), - userDoc); + Status status = + findOne(opCtx, + AuthorizationManager::usersCollectionNamespace, + BSON(AuthorizationManager::USER_NAME_FIELD_NAME + << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME + << userName.getDB()), + userDoc); if (status == ErrorCodes::NoMatchingDocument) { status = Status(ErrorCodes::UserNotFound, str::stream() << "Could not find user \"" << userName.getUser() - << "\" for db \"" - << userName.getDB() - << "\""); + << "\" for db \"" << userName.getDB() << "\""); } return status; } @@ -297,9 +291,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2UserWithUnrecognizedActions) { << "myUser" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "myRole" << "db" diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp index fd186c06d7d..c308e3f5304 100644 --- a/src/mongo/db/auth/authorization_session_impl.cpp +++ b/src/mongo/db/auth/authorization_session_impl.cpp @@ -493,8 +493,7 @@ Status AuthorizationSessionImpl::checkAuthorizedToGrantPrivilege(const Privilege ActionType::grantRole)) { return Status(ErrorCodes::Unauthorized, str::stream() << "Not authorized to grant privileges on the " - << resource.databaseToMatch() - << "database"); + << resource.databaseToMatch() << "database"); } } else if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName("admin"), ActionType::grantRole)) { 
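Review bot: The Unauthorized message in checkAuthorizedToGrantPrivilege (hunk -493,8 +493,7) has no space before its trailing word, so it renders as "... on the <db>database"; the last operands should be `<< resource.databaseToMatch() << " database");`. The same literal appears in the checkAuthorizedToRevokePrivilege hunk at -514,8 +513,7. The reformat carries the text over unchanged, so the defect predates this commit, but a denial message where the database name runs into the next word is harder to read and to match when triaging authorization failures. Both function bodies start and end outside their hunks.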
@@ -514,8 +513,7 @@ Status AuthorizationSessionImpl::checkAuthorizedToRevokePrivilege(const Privileg ActionType::revokeRole)) { return Status(ErrorCodes::Unauthorized, str::stream() << "Not authorized to revoke privileges on the " - << resource.databaseToMatch() - << "database"); + << resource.databaseToMatch() << "database"); } } else if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName("admin"), ActionType::revokeRole)) { @@ -1001,9 +999,7 @@ bool AuthorizationSessionImpl::isImpersonating() const { auto AuthorizationSessionImpl::checkCursorSessionPrivilege( OperationContext* const opCtx, const boost::optional<LogicalSessionId> cursorSessionId) -> Status { - auto nobodyIsLoggedIn = [authSession = this] { - return !authSession->isAuthenticated(); - }; + auto nobodyIsLoggedIn = [authSession = this] { return !authSession->isAuthenticated(); }; auto authHasImpersonatePrivilege = [authSession = this] { return authSession->isAuthorizedForPrivilege( @@ -1037,13 +1033,12 @@ auto AuthorizationSessionImpl::checkCursorSessionPrivilege( // Operation Context (which implies a background job !authHasImpersonatePrivilege() // Or if the user has an impersonation privilege, in which // case, the user gets to sidestep certain checks. - ) { + ) { return Status{ErrorCodes::Unauthorized, - str::stream() << "Cursor session id (" - << sessionIdToStringOrNone(cursorSessionId) - << ") is not the same as the operation context's session id (" - << sessionIdToStringOrNone(opCtx->getLogicalSessionId()) - << ")"}; + str::stream() + << "Cursor session id (" << sessionIdToStringOrNone(cursorSessionId) + << ") is not the same as the operation context's session id (" + << sessionIdToStringOrNone(opCtx->getLogicalSessionId()) << ")"}; } return Status::OK(); diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp index 09476aca817..a8b51dc3137 100644 --- a/src/mongo/db/auth/authorization_session_test.cpp 
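Review bot: The Unauthorized status at the end of checkCursorSessionPrivilege (hunk -1037,13 +1033,12) embeds both `sessionIdToStringOrNone(cursorSessionId)` and the operation context's session id, so a caller that has just failed the ownership check may be told the id of the session that owns the cursor. Whether this text reaches the client, and what sessionIdToStringOrNone renders, is not visible in the hunk and should be confirmed. If it does reach the client, consider a generic message such as `"Cursor session id does not match the operation context's session id"` and record the two ids only in the server log. The function body starts outside the hunk.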
+++ b/src/mongo/db/auth/authorization_session_test.cpp @@ -179,9 +179,7 @@ TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -207,9 +205,7 @@ TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) { << "admin" << "db" << "admin" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWriteAnyDatabase" << "db" @@ -253,9 +249,7 @@ TEST_F(AuthorizationSessionTest, DuplicateRolesOK) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -285,9 +279,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "rw" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -302,9 +294,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "useradmin" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "userAdmin" << "db" @@ -316,9 +306,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "rwany" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWriteAnyDatabase" << "db" @@ -334,9 +322,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) { << "useradminany" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "userAdminAnyDatabase" << "db" 
@@ -413,9 +399,7 @@ TEST_F(AuthorizationSessionTest, InvalidateUser) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -445,9 +429,7 @@ TEST_F(AuthorizationSessionTest, InvalidateUser) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "read" << "db" @@ -490,9 +472,7 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -523,9 +503,7 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "read" << "db" @@ -559,9 +537,7 @@ TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRes << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "readWrite" << "db" @@ -569,8 +545,7 @@ TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRes << "authenticationRestrictions" << BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("192.168.0.0/24" << "192.168.2.10") - << "serverAddress" - << BSON_ARRAY("192.168.0.2")) + << "serverAddress" << BSON_ARRAY("192.168.0.2")) << BSON("clientSource" << BSON_ARRAY("2001:DB8::1") << "serverAddress" << BSON_ARRAY("2001:DB8::2")) << BSON("clientSource" << BSON_ARRAY("127.0.0.1" 
@@ -912,11 +887,9 @@ TEST_F(AuthorizationSessionTest, CanAggregateOutWithInsertAndRemoveOnTargetNames uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, cmdObj, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); - BSONObj cmdObjNoBypassDocumentValidation = BSON( - "aggregate" << testFooNss.coll() << "pipeline" << pipeline << "bypassDocumentValidation" - << false - << "cursor" - << BSONObj()); + BSONObj cmdObjNoBypassDocumentValidation = + BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline + << "bypassDocumentValidation" << false << "cursor" << BSONObj()); privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate( testFooNss, cmdObjNoBypassDocumentValidation, false)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -929,10 +902,8 @@ TEST_F(AuthorizationSessionTest, Privilege(testBarCollResource, {ActionType::insert, ActionType::remove})}); BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll())); - BSONObj cmdObj = - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() - << "bypassDocumentValidation" - << true); + BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" + << BSONObj() << "bypassDocumentValidation" << true); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, cmdObj, false)); ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges)); 
@@ -947,10 +918,8 @@ TEST_F(AuthorizationSessionTest, {ActionType::insert, ActionType::remove, ActionType::bypassDocumentValidation})}); BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll())); - BSONObj cmdObj = - BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj() - << "bypassDocumentValidation" - << true); + BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" + << BSONObj() << "bypassDocumentValidation" << true); PrivilegeVector privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, cmdObj, true)); ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges)); @@ -1145,9 +1114,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsNotCoauthorizedWithEmptyUser << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); @@ -1164,9 +1131,7 @@ TEST_F(AuthorizationSessionTest, << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); @@ -1181,9 +1146,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsCoauthorizedWithIntersecting << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(), @@ -1191,9 +1154,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsCoauthorizedWithIntersecting << "admin" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); 
@@ -1211,9 +1172,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsNotCoauthorizedWithNoninters << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(), @@ -1221,9 +1180,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsNotCoauthorizedWithNoninters << "admin" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); @@ -1242,9 +1199,7 @@ TEST_F(AuthorizationSessionTest, << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(), @@ -1252,9 +1207,7 @@ TEST_F(AuthorizationSessionTest, << "admin" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSONArray()), BSONObj())); ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); diff --git a/src/mongo/db/auth/authz_manager_external_state_local.cpp b/src/mongo/db/auth/authz_manager_external_state_local.cpp index 7fa1f2ff5f0..e87a9880e73 100644 --- a/src/mongo/db/auth/authz_manager_external_state_local.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_local.cpp 
@@ -89,11 +89,8 @@ Status AuthzManagerExternalStateLocal::getStoredAuthorizationVersion(OperationCo str::stream() << "Could not determine schema version of authorization data. " "Bad (non-numeric) type " - << typeName(versionElement.type()) - << " (" - << versionElement.type() - << ") for " - << AuthorizationManager::schemaVersionFieldName + << typeName(versionElement.type()) << " (" << versionElement.type() + << ") for " << AuthorizationManager::schemaVersionFieldName << " field in version document"); } } else if (status == ErrorCodes::NoMatchingDocument) { @@ -132,8 +129,7 @@ void addPrivilegeObjectsOrWarningsToArrayElement(mutablebson::Element privileges "", std::string(str::stream() << "Skipped privileges on resource " << privileges[i].getResourcePattern().toString() - << ". Reason: " - << errmsg))); + << ". Reason: " << errmsg))); } } } @@ -179,11 +175,8 @@ Status AuthzManagerExternalStateLocal::getUserDescription(OperationContext* opCt userRoles << BSON("role" << role.getRole() << "db" << role.getDB()); } *result = BSON("_id" << userName.getUser() << "user" << userName.getUser() << "db" - << userName.getDB() - << "credentials" - << BSON("external" << true) - << "roles" - << userRoles.arr()); + << userName.getDB() << "credentials" << BSON("external" << true) + << "roles" << userRoles.arr()); } BSONElement directRolesElement; 
@@ -285,17 +278,14 @@ Status AuthzManagerExternalStateLocal::_getUserDocument(OperationContext* opCtx, Status status = findOne(opCtx, AuthorizationManager::usersCollectionNamespace, BSON(AuthorizationManager::USER_NAME_FIELD_NAME - << userName.getUser() - << AuthorizationManager::USER_DB_FIELD_NAME + << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME << userName.getDB()), userDoc); if (status == ErrorCodes::NoMatchingDocument) { - status = - Status(ErrorCodes::UserNotFound, - str::stream() << "Could not find user \"" << userName.getUser() << "\" for db \"" - << userName.getDB() - << "\""); + status = Status(ErrorCodes::UserNotFound, + str::stream() << "Could not find user \"" << userName.getUser() + << "\" for db \"" << userName.getDB() << "\""); } return status; } diff --git a/src/mongo/db/auth/authz_manager_external_state_mock.cpp b/src/mongo/db/auth/authz_manager_external_state_mock.cpp index 16cdd668604..19a7977e605 100644 --- a/src/mongo/db/auth/authz_manager_external_state_mock.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_mock.cpp @@ -83,8 +83,7 @@ void addPrivilegeObjectsOrWarningsToArrayElement(mutablebson::Element privileges "", std::string(str::stream() << "Skipped privileges on resource " << privileges[i].getResourcePattern().toString() - << ". Reason: " - << errmsg))); + << ". Reason: " << errmsg))); } } } diff --git a/src/mongo/db/auth/authz_manager_external_state_s.cpp b/src/mongo/db/auth/authz_manager_external_state_s.cpp index 98893954d4e..ec1a695ba53 100644 --- a/src/mongo/db/auth/authz_manager_external_state_s.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_s.cpp 
@@ -127,12 +127,8 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME << userName.getDB())) - << "showPrivileges" - << true - << "showCredentials" - << true - << "showAuthenticationRestrictions" - << true); + << "showPrivileges" << true << "showCredentials" << true + << "showAuthenticationRestrictions" << true); BSONObjBuilder builder; const bool ok = Grid::get(opCtx)->catalogClient()->runUserManagementReadCommand( opCtx, "admin", usersInfoCmd, &builder); @@ -149,10 +145,9 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC if (foundUsers.size() > 1) { return Status(ErrorCodes::UserDataInconsistent, - str::stream() << "Found multiple users on the \"" << userName.getDB() - << "\" database with name \"" - << userName.getUser() - << "\""); + str::stream() + << "Found multiple users on the \"" << userName.getDB() + << "\" database with name \"" << userName.getUser() << "\""); } *result = foundUsers[0].Obj().getOwned(); return Status::OK(); @@ -162,10 +157,9 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC BSONArrayBuilder userRolesBuilder; auto& sslPeerInfo = SSLPeerInfo::forSession(opCtx->getClient()->session()); for (const RoleName& role : sslPeerInfo.roles) { - userRolesBuilder.append(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME - << role.getRole() - << AuthorizationManager::ROLE_DB_FIELD_NAME - << role.getDB())); + userRolesBuilder.append(BSON( + AuthorizationManager::ROLE_NAME_FIELD_NAME + << role.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME << role.getDB())); } BSONArray providedRoles = userRolesBuilder.arr(); 
@@ -194,16 +188,12 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC "Recieved malformed response to request for X509 roles from config server"); } - *result = BSON("_id" << userName.getUser() << "user" << userName.getUser() << "db" - << userName.getDB() - << "credentials" - << BSON("external" << true) - << "roles" - << BSONArray(cmdResult["roles"].Obj()) - << "inheritedRoles" - << BSONArray(cmdResult["inheritedRoles"].Obj()) - << "inheritedPrivileges" - << BSONArray(cmdResult["inheritedPrivileges"].Obj())); + *result = + BSON("_id" << userName.getUser() << "user" << userName.getUser() << "db" + << userName.getDB() << "credentials" << BSON("external" << true) << "roles" + << BSONArray(cmdResult["roles"].Obj()) << "inheritedRoles" + << BSONArray(cmdResult["inheritedRoles"].Obj()) << "inheritedPrivileges" + << BSONArray(cmdResult["inheritedPrivileges"].Obj())); return Status::OK(); } } @@ -215,11 +205,11 @@ Status AuthzManagerExternalStateMongos::getRoleDescription( AuthenticationRestrictionsFormat showRestrictions, BSONObj* result) { BSONObjBuilder rolesInfoCmd; - rolesInfoCmd.append("rolesInfo", - BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME - << roleName.getRole() - << AuthorizationManager::ROLE_DB_FIELD_NAME - << roleName.getDB()))); + rolesInfoCmd.append( + "rolesInfo", + BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME + << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME + << roleName.getDB()))); addShowToBuilder(&rolesInfoCmd, showPrivileges, showRestrictions); BSONObjBuilder builder; 
@@ -238,9 +228,7 @@ Status AuthzManagerExternalStateMongos::getRoleDescription( if (foundRoles.size() > 1) { return Status(ErrorCodes::RoleDataInconsistent, str::stream() << "Found multiple roles on the \"" << roleName.getDB() - << "\" database with name \"" - << roleName.getRole() - << "\""); + << "\" database with name \"" << roleName.getRole() << "\""); } *result = foundRoles[0].Obj().getOwned(); return Status::OK(); @@ -255,8 +243,7 @@ Status AuthzManagerExternalStateMongos::getRolesDescription( for (const RoleName& roleName : roles) { rolesInfoCmdArray << BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME - << roleName.getRole() - << AuthorizationManager::ROLE_DB_FIELD_NAME + << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME << roleName.getDB()); } diff --git a/src/mongo/db/auth/privilege_parser_test.cpp b/src/mongo/db/auth/privilege_parser_test.cpp index 288760ffb0d..969360a6f51 100644 --- a/src/mongo/db/auth/privilege_parser_test.cpp +++ b/src/mongo/db/auth/privilege_parser_test.cpp @@ -56,24 +56,21 @@ TEST(PrivilegeParserTest, IsValidTest) { << "" << "collection" << "") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); // resource can't have db without collection parsedPrivilege.parseBSON(BSON("resource" << BSON("db" << "") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); // resource can't have collection without db parsedPrivilege.parseBSON(BSON("resource" << BSON("collection" << "") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT_FALSE(parsedPrivilege.isValid(&errmsg)); @@ -82,8 +79,7 @@ TEST(PrivilegeParserTest, IsValidTest) { << "" << "collection" << "") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); 
@@ -92,8 +88,7 @@ TEST(PrivilegeParserTest, IsValidTest) { << "test" << "collection" << "foo") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); @@ -116,8 +111,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { << "" << "collection" << "") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( @@ -143,8 +137,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { << "test" << "collection" << "foo") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( @@ -171,8 +164,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { << "test" << "collection" << "") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( @@ -198,8 +190,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) { << "" << "collection" << "foo") - << "actions" - << BSON_ARRAY("find")), + << "actions" << BSON_ARRAY("find")), &errmsg); ASSERT(parsedPrivilege.isValid(&errmsg)); ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege( diff --git a/src/mongo/db/auth/role_graph.cpp b/src/mongo/db/auth/role_graph.cpp index 51f91a10ba8..164d09a2cb8 100644 --- a/src/mongo/db/auth/role_graph.cpp +++ b/src/mongo/db/auth/role_graph.cpp 
@@ -167,8 +167,8 @@ Status RoleGraph::addRoleToRole(const RoleName& recipient, const RoleName& role) } if (isBuiltinRole(recipient)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot grant roles to built-in role: " - << role.getFullName()); + str::stream() + << "Cannot grant roles to built-in role: " << role.getFullName()); } if (!roleExists(role)) { return Status(ErrorCodes::RoleNotFound, @@ -193,8 +193,8 @@ Status RoleGraph::removeRoleFromRole(const RoleName& recipient, const RoleName& } if (isBuiltinRole(recipient)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot remove roles from built-in role: " - << role.getFullName()); + str::stream() + << "Cannot remove roles from built-in role: " << role.getFullName()); } if (!roleExists(role)) { return Status(ErrorCodes::RoleNotFound, @@ -207,8 +207,9 @@ Status RoleGraph::removeRoleFromRole(const RoleName& recipient, const RoleName& _roleToMembers[role].erase(itToRm); } else { return Status(ErrorCodes::RolesNotRelated, - str::stream() << recipient.getFullName() << " is not a member" - " of " + str::stream() << recipient.getFullName() + << " is not a member" + " of " << role.getFullName()); } @@ -227,8 +228,8 @@ Status RoleGraph::removeAllRolesFromRole(const RoleName& victim) { } if (isBuiltinRole(victim)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot remove roles from built-in role: " - << victim.getFullName()); + str::stream() + << "Cannot remove roles from built-in role: " << victim.getFullName()); } RoleNameVector& subordinatesOfVictim = _roleToSubordinates[victim]; 
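Review bot: The built-in-role guard in addRoleToRole (hunk -167,8 +167,8) tests `isBuiltinRole(recipient)` but prints `role.getFullName()`, so the InvalidRoleModification error names the role being granted instead of the built-in role that refused the change; it should end `<< "Cannot grant roles to built-in role: " << recipient.getFullName());`. The removeRoleFromRole hunk at -193,8 +193,8 has the same mismatch in its "Cannot remove roles from built-in role: " message. The other built-in checks visible in this file's hunks (removeAllRolesFromRole, addPrivilegeToRole, removePrivilegeFromRole) print the same variable they test. Both function bodies extend outside their hunks.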
@@ -253,8 +254,8 @@ Status RoleGraph::addPrivilegeToRole(const RoleName& role, const Privilege& priv } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot grant privileges to built-in role: " - << role.getFullName()); + str::stream() + << "Cannot grant privileges to built-in role: " << role.getFullName()); } _addPrivilegeToRoleNoChecks(role, privilegeToAdd); @@ -277,8 +278,8 @@ Status RoleGraph::addPrivilegesToRole(const RoleName& role, } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot grant privileges to built-in role: " - << role.getFullName()); + str::stream() + << "Cannot grant privileges to built-in role: " << role.getFullName()); } for (PrivilegeVector::const_iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end(); @@ -296,8 +297,8 @@ Status RoleGraph::removePrivilegeFromRole(const RoleName& role, } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot remove privileges from built-in role: " - << role.getFullName()); + str::stream() + << "Cannot remove privileges from built-in role: " << role.getFullName()); } PrivilegeVector& currentPrivileges = _directPrivilegesForRole[role]; @@ -325,8 +326,9 @@ Status RoleGraph::removePrivilegeFromRole(const RoleName& role, } } return Status(ErrorCodes::PrivilegeNotFound, - str::stream() << "Role: " << role.getFullName() << " does not " - "contain any privileges on " + str::stream() << "Role: " << role.getFullName() + << " does not " + "contain any privileges on " << privilegeToRemove.getResourcePattern().toString()); } 
@@ -350,8 +352,8 @@ Status RoleGraph::removeAllPrivilegesFromRole(const RoleName& role) { } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, - str::stream() << "Cannot remove privileges from built-in role: " - << role.getFullName()); + str::stream() + << "Cannot remove privileges from built-in role: " << role.getFullName()); } _directPrivilegesForRole[role].clear(); return Status::OK(); @@ -434,8 +436,8 @@ Status RoleGraph::_recomputePrivilegeDataHelper(const RoleName& startingRole, if (!roleExists(currentRole)) { return Status(ErrorCodes::RoleNotFound, - str::stream() << "Role: " << currentRole.getFullName() - << " does not exist"); + str::stream() + << "Role: " << currentRole.getFullName() << " does not exist"); } // Check for cycles diff --git a/src/mongo/db/auth/role_graph_test.cpp b/src/mongo/db/auth/role_graph_test.cpp index a2ed3dece7f..765d3d3c61c 100644 --- a/src/mongo/db/auth/role_graph_test.cpp +++ b/src/mongo/db/auth/role_graph_test.cpp @@ -196,7 +196,7 @@ TEST(RoleGraphTest, AddRemoveRoles) { * | * v * D - */ + */ it = graph.getDirectSubordinates(roleA); // should be roleB and roleC, order doesn't matter @@ -825,26 +825,22 @@ TEST(RoleGraphTest, AddRoleFromDocument) { << "dbA" << "collection" << "collA") - << "actions" - << BSON_ARRAY("insert"))), + << "actions" << BSON_ARRAY("insert"))), BSON_ARRAY(BSON("resource" << BSON("db" << "dbB" << "collection" << "collB") - << "actions" - << BSON_ARRAY("insert")) + << "actions" << BSON_ARRAY("insert")) << BSON("resource" << BSON("db" << "dbC" << "collection" << "collC") - << "actions" - << BSON_ARRAY("compact"))), + << "actions" << BSON_ARRAY("compact"))), BSON_ARRAY(BSON("resource" << BSON("db" << "" << "collection" << "") - << "actions" - << BSON_ARRAY("find"))), + << "actions" << BSON_ARRAY("find"))), }; const BSONArray restrictions[] = { 
@@ -922,33 +918,28 @@ TEST(RoleGraphTest, AddRoleFromDocumentWithRestricitonMerge) { BSON_ARRAY(BSON("serverAddress" << BSON_ARRAY("127.0.0.1/8"))); RoleGraph graph; - ASSERT_OK(graph.addRoleFromDocument(BSON("_id" - << "dbA.roleA" - << "role" - << "roleA" - << "db" - << "dbA" - << "privileges" - << BSONArray() - << "roles" - << BSONArray() - << "authenticationRestrictions" - << roleARestrictions))); - ASSERT_OK(graph.addRoleFromDocument(BSON("_id" - << "dbB.roleB" - << "role" - << "roleB" - << "db" - << "dbB" - << "privileges" - << BSONArray() - << "roles" - << BSON_ARRAY(BSON("role" - << "roleA" - << "db" - << "dbA")) - << "authenticationRestrictions" - << roleBRestrictions))); + ASSERT_OK( + graph.addRoleFromDocument(BSON("_id" + << "dbA.roleA" + << "role" + << "roleA" + << "db" + << "dbA" + << "privileges" << BSONArray() << "roles" << BSONArray() + << "authenticationRestrictions" << roleARestrictions))); + ASSERT_OK( + graph.addRoleFromDocument(BSON("_id" + << "dbB.roleB" + << "role" + << "roleB" + << "db" + << "dbB" + << "privileges" << BSONArray() << "roles" + << BSON_ARRAY(BSON("role" + << "roleA" + << "db" + << "dbA")) + << "authenticationRestrictions" << roleBRestrictions))); ASSERT_OK(graph.recomputePrivilegeData()); const auto A = graph.getDirectAuthenticationRestrictions(RoleName("roleA", "dbA")); diff --git a/src/mongo/db/auth/role_graph_update.cpp b/src/mongo/db/auth/role_graph_update.cpp index 02c89f36bd7..33ee260fa93 100644 --- a/src/mongo/db/auth/role_graph_update.cpp +++ b/src/mongo/db/auth/role_graph_update.cpp @@ -92,9 +92,7 @@ Status checkIdMatchesRoleName(const BSONElement& idElement, const RoleName& role return Status(ErrorCodes::FailedToParse, str::stream() << "Role document _id fields must be encoded as the string " "dbname.rolename. Found " - << idField - << " for " - << roleName.getFullName()); + << idField << " for " << roleName.getFullName()); } return Status::OK(); } 
@@ -312,16 +310,13 @@ Status handleOplogCommand(RoleGraph* roleGraph, const BSONObj& cmdObj) { if (cmdName == "createIndexes" && cmdObj.firstElement().str() == rolesCollectionNamespace.coll()) { UnorderedFieldsBSONObjComparator instance; - if (instance.evaluate(cmdObj == (BSON("createIndexes" - << "system.roles" - << "v" - << 2 - << "name" - << "role_1_db_1" - << "key" - << BSON("role" << 1 << "db" << 1) - << "unique" - << true)))) { + if (instance.evaluate( + cmdObj == + (BSON("createIndexes" + << "system.roles" + << "v" << 2 << "name" + << "role_1_db_1" + << "key" << BSON("role" << 1 << "db" << 1) << "unique" << true)))) { return Status::OK(); } } diff --git a/src/mongo/db/auth/sasl_authentication_session_test.cpp b/src/mongo/db/auth/sasl_authentication_session_test.cpp index 97750182061..e849832d6ff 100644 --- a/src/mongo/db/auth/sasl_authentication_session_test.cpp +++ b/src/mongo/db/auth/sasl_authentication_session_test.cpp @@ -131,19 +131,17 @@ SaslConversation::SaslConversation(std::string mech) << scram::Secrets<SHA256Block>::generateCredentials( "frim", saslGlobalParams.scramSHA256IterationCount.load())); - ASSERT_OK(authManagerExternalState->insert(opCtx.get(), - NamespaceString("admin.system.users"), - BSON("_id" - << "test.andy" - << "user" - << "andy" - << "db" - << "test" - << "credentials" - << creds - << "roles" - << BSONArray()), - BSONObj())); + ASSERT_OK( + authManagerExternalState->insert(opCtx.get(), + NamespaceString("admin.system.users"), + BSON("_id" + << "test.andy" + << "user" + << "andy" + << "db" + << "test" + << "credentials" << creds << "roles" << BSONArray()), + BSONObj())); } void SaslConversation::assertConversationFailure() { diff --git a/src/mongo/db/auth/sasl_mechanism_registry.cpp b/src/mongo/db/auth/sasl_mechanism_registry.cpp index 2de9fb02fee..bfe479143d3 100644 --- a/src/mongo/db/auth/sasl_mechanism_registry.cpp +++ b/src/mongo/db/auth/sasl_mechanism_registry.cpp 
@@ -79,8 +79,7 @@ StatusWith<std::unique_ptr<ServerMechanismBase>> SASLServerMechanismRegistry::ge return Status(ErrorCodes::BadValue, str::stream() << "Unsupported mechanism '" << mechanismName - << "' on authentication database '" - << authenticationDatabase + << "' on authentication database '" << authenticationDatabase << "'"); } @@ -147,9 +146,7 @@ bool SASLServerMechanismRegistry::_mechanismSupportedByConfig(StringData mechNam namespace { ServiceContext::ConstructorActionRegisterer SASLServerMechanismRegistryInitializer{ - "CreateSASLServerMechanismRegistry", - {"EndStartupOptionStorage"}, - [](ServiceContext* service) { + "CreateSASLServerMechanismRegistry", {"EndStartupOptionStorage"}, [](ServiceContext* service) { SASLServerMechanismRegistry::set(service, std::make_unique<SASLServerMechanismRegistry>( saslGlobalParams.authenticationMechanisms)); diff --git a/src/mongo/db/auth/sasl_mechanism_registry_test.cpp b/src/mongo/db/auth/sasl_mechanism_registry_test.cpp index 6ca988bc9ae..b16df4ec3f8 100644 --- a/src/mongo/db/auth/sasl_mechanism_registry_test.cpp +++ b/src/mongo/db/auth/sasl_mechanism_registry_test.cpp @@ -27,11 +27,11 @@ * it in the license file. */ -#include "mongo/db/auth/sasl_mechanism_registry.h" #include "mongo/crypto/mechanism_scram.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_manager_impl.h" #include "mongo/db/auth/authz_manager_external_state_mock.h" +#include "mongo/db/auth/sasl_mechanism_registry.h" #include "mongo/db/operation_context.h" #include "mongo/db/service_context_test_fixture.h" #include "mongo/unittest/unittest.h" @@ -201,8 +201,7 @@ public: << "credentials" << BSON("SCRAM-SHA-256" << scram::Secrets<SHA256Block>::generateCredentials("sajackā", 15000)) - << "roles" - << BSONArray()), + << "roles" << BSONArray()), BSONObj())); 
@@ -214,10 +213,8 @@ public: << "sajack" << "db" << "$external" - << "credentials" - << BSON("external" << true) - << "roles" - << BSONArray()), + << "credentials" << BSON("external" << true) + << "roles" << BSONArray()), BSONObj())); internalSecurity.user = std::make_shared<User>(UserName("__system", "local")); diff --git a/src/mongo/db/auth/sasl_options_init.cpp b/src/mongo/db/auth/sasl_options_init.cpp index b83a94fa1c0..51ba683342b 100644 --- a/src/mongo/db/auth/sasl_options_init.cpp +++ b/src/mongo/db/auth/sasl_options_init.cpp @@ -95,4 +95,4 @@ MONGO_INITIALIZER_GENERAL(StoreSASLOptions, ("CoreOptions_Store"), ("EndStartupO (InitializerContext* const context) { return storeSASLOptions(moe::startupOptionsParsed); } -} +} // namespace mongo diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.cpp b/src/mongo/db/auth/sasl_plain_server_conversation.cpp index 5ef2cf6ac9e..0a88084dea3 100644 --- a/src/mongo/db/auth/sasl_plain_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_plain_server_conversation.cpp @@ -60,8 +60,9 @@ StatusWith<bool> trySCRAM(const User::CredentialData& credentials, StringData pw reinterpret_cast<const std::uint8_t*>(decodedSalt.c_str()) + decodedSalt.size()), scram.iterationCount)); - if (scram.storedKey != base64::encode(reinterpret_cast<const char*>(secrets.storedKey().data()), - secrets.storedKey().size())) { + if (scram.storedKey != + base64::encode(reinterpret_cast<const char*>(secrets.storedKey().data()), + secrets.storedKey().size())) { return Status(ErrorCodes::AuthenticationFailed, str::stream() << "Incorrect user name or password"); } diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.h b/src/mongo/db/auth/sasl_plain_server_conversation.h index 26acd1e0aac..d3c6af215ce 100644 --- a/src/mongo/db/auth/sasl_plain_server_conversation.h +++ b/src/mongo/db/auth/sasl_plain_server_conversation.h 
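Review bot: In the `trySCRAM` hunk of sasl_plain_server_conversation.cpp, the re-wrapped condition still checks `scram.storedKey` against the freshly derived, base64-encoded key with a plain `!=`, which is an ordinary early-exit comparison rather than a constant-time one. The derived value depends on the password the client supplied, so response timing could in principle leak information about the stored key; whether that is measurable in practice cannot be judged from the hunk. I would compare the two values with a constant-time comparison (using the tree's own helper if it has one), or at minimum document the choice with `// NOTE: not a constant-time compare; storedKey is a password-derived secret` above the `if`. The function starts before the hunk and continues after it.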
@@ -49,8 +49,9 @@ public: static constexpr bool isInternal = true; bool canMakeMechanismForUser(const User* user) const final { auto credentials = user->getCredentials(); - return !credentials.isExternal && (credentials.scram<SHA1Block>().isValid() || - credentials.scram<SHA256Block>().isValid()); + return !credentials.isExternal && + (credentials.scram<SHA1Block>().isValid() || + credentials.scram<SHA256Block>().isValid()); } }; diff --git a/src/mongo/db/auth/sasl_scram_server_conversation.cpp b/src/mongo/db/auth/sasl_scram_server_conversation.cpp index 04a8e53798a..fc223097b4f 100644 --- a/src/mongo/db/auth/sasl_scram_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_scram_server_conversation.cpp @@ -99,8 +99,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_fir return Status(ErrorCodes::BadValue, str::stream() << "Incorrect number of arguments for first SCRAM client message, got " - << got - << " expected at least 3"); + << got << " expected at least 3"); }; /** @@ -168,8 +167,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_fir if (!authzId.empty() && ServerMechanismBase::_principalName != authzId) { return Status(ErrorCodes::BadValue, str::stream() << "SCRAM user name " << ServerMechanismBase::_principalName - << " does not match authzid " - << authzId); + << " does not match authzid " << authzId); } if (!str::startsWith(input[1], "r=") || input[1].size() < 6) { @@ -267,7 +265,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_fir * e=message * * NOTE: we are ignoring the channel binding part of the message -**/ + **/ template <typename Policy> StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_secondStep( OperationContext* opCtx, StringData inputData) { 
@@ -275,8 +273,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_sec return Status(ErrorCodes::BadValue, str::stream() << "Incorrect number of arguments for second SCRAM client message, got " - << got - << " expected at least 3"); + << got << " expected at least 3"); }; /** @@ -322,9 +319,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_sec return Status(ErrorCodes::BadValue, str::stream() << "Unmatched SCRAM nonce received from client in second step, expected " - << _nonce - << " but received " - << nonce); + << _nonce << " but received " << nonce); } // Do server side computations, compare storedKeys and generate client-final-message diff --git a/src/mongo/db/auth/sasl_scram_test.cpp b/src/mongo/db/auth/sasl_scram_test.cpp index 6bfd66667eb..23c6c548f3c 100644 --- a/src/mongo/db/auth/sasl_scram_test.cpp +++ b/src/mongo/db/auth/sasl_scram_test.cpp @@ -63,16 +63,10 @@ BSONObj generateSCRAMUserDocument(StringData username, StringData password) { const auto sha256Cred = scram::Secrets<SHA256Block>::generateCredentials(password.toString(), 15000); return BSON("_id" << (str::stream() << database << "." << username).operator StringData() - << AuthorizationManager::USER_NAME_FIELD_NAME - << username - << AuthorizationManager::USER_DB_FIELD_NAME - << database - << "credentials" - << BSON("SCRAM-SHA-1" << sha1Cred << "SCRAM-SHA-256" << sha256Cred) - << "roles" - << BSONArray() - << "privileges" - << BSONArray()); + << AuthorizationManager::USER_NAME_FIELD_NAME << username + << AuthorizationManager::USER_DB_FIELD_NAME << database << "credentials" + << BSON("SCRAM-SHA-1" << sha1Cred << "SCRAM-SHA-256" << sha256Cred) << "roles" + << BSONArray() << "privileges" << BSONArray()); } std::string corruptEncodedPayload(const std::string& message, 
@@ -303,7 +297,6 @@ TEST_F(SCRAMFixture, testServerStep1DoesNotIncludeNonceFromClientStep1) { std::string::iterator nonceBegin = serverMessage.begin() + serverMessage.find("r="); std::string::iterator nonceEnd = std::find(nonceBegin, serverMessage.end(), ','); serverMessage = serverMessage.replace(nonceBegin, nonceEnd, "r="); - }); ASSERT_EQ( SCRAMStepsResult(SaslTestState(SaslTestState::kClient, 2), @@ -349,7 +342,6 @@ TEST_F(SCRAMFixture, testClientStep2GivesBadProof) { std::string::iterator proofEnd = std::find(proofBegin, clientMessage.end(), ','); clientMessage = clientMessage.replace( proofBegin, proofEnd, corruptEncodedPayload(clientMessage, proofBegin, proofEnd)); - }); ASSERT_EQ(SCRAMStepsResult(SaslTestState(SaslTestState::kServer, 2), @@ -379,7 +371,6 @@ TEST_F(SCRAMFixture, testServerStep2GivesBadVerifier) { encodedVerifier = corruptEncodedPayload(serverMessage, verifierBegin, verifierEnd); serverMessage = serverMessage.replace(verifierBegin, verifierEnd, encodedVerifier); - }); auto result = runSteps(mutator); diff --git a/src/mongo/db/auth/security_file.cpp b/src/mongo/db/auth/security_file.cpp index 04efa479fbc..0dc4bfafe23 100644 --- a/src/mongo/db/auth/security_file.cpp +++ b/src/mongo/db/auth/security_file.cpp @@ -74,8 +74,8 @@ StatusWith<std::vector<std::string>> readSecurityFile(const std::string& filenam // check obvious file errors if (stat(filename.c_str(), &stats) == -1) { return Status(ErrorCodes::InvalidPath, - str::stream() << "Error reading file " << filename << ": " - << strerror(errno)); + str::stream() + << "Error reading file " << filename << ": " << strerror(errno)); } #if !defined(_WIN32) diff --git a/src/mongo/db/auth/user.cpp b/src/mongo/db/auth/user.cpp index ce869ea28f5..96d1251c316 100644 --- a/src/mongo/db/auth/user.cpp +++ b/src/mongo/db/auth/user.cpp 
@@ -160,7 +160,7 @@ void User::addPrivileges(const PrivilegeVector& privileges) { } } -void User::setRestrictions(RestrictionDocuments restrictions)& { +void User::setRestrictions(RestrictionDocuments restrictions) & { _restrictions = std::move(restrictions); } diff --git a/src/mongo/db/auth/user_document_parser.cpp b/src/mongo/db/auth/user_document_parser.cpp index 1c5da7795be..8eb6dc7a94b 100644 --- a/src/mongo/db/auth/user_document_parser.cpp +++ b/src/mongo/db/auth/user_document_parser.cpp @@ -152,8 +152,8 @@ Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const { StringData userDBStr = userDBElement.valueStringData(); if (!NamespaceString::validDBName(userDBStr, NamespaceString::DollarInDbNameBehavior::Allow) && userDBStr != "$external") { - return _badValue(str::stream() << "'" << userDBStr - << "' is not a valid value for the db field."); + return _badValue(str::stream() + << "'" << userDBStr << "' is not a valid value for the db field."); } // Validate the "credentials" element @@ -184,8 +184,8 @@ Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const { str::stream() << fieldName << " does not exist"); } if (scramElement.type() != Object) { - return _badValue(str::stream() << fieldName - << " credential must be an object, if present"); + return _badValue(str::stream() + << fieldName << " credential must be an object, if present"); } return Status::OK(); }; diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp index af798f525a6..44721c6570d 100644 --- a/src/mongo/db/auth/user_document_parser_test.cpp +++ b/src/mongo/db/auth/user_document_parser_test.cpp 
@@ -83,23 +83,18 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "pwd" << "a" - << "roles" - << BSON_ARRAY("read")))); + << "roles" << BSON_ARRAY("read")))); // Need name field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << emptyArray))); // Need source field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << emptyArray))); // Need credentials field @@ -107,16 +102,14 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "roles" - << emptyArray))); + << "roles" << emptyArray))); // Need roles field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" << "db" << "test" - << "credentials" - << credentials))); + << "credentials" << credentials))); // authenticationRestricitons must be an array if it exists ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" @@ -131,11 +124,8 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" - << emptyArray - << "authenticationRestrictions" + << "credentials" << credentials << "roles" + << emptyArray << "authenticationRestrictions" << emptyArray))); // Empty roles arrays are OK @@ -143,9 +133,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << emptyArray))); // Need credentials of {external: true} if user's db is $external 
@@ -153,19 +141,15 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "$external" - << "credentials" - << BSON("external" << true) - << "roles" - << emptyArray))); + << "credentials" << BSON("external" << true) + << "roles" << emptyArray))); // Roles must be objects ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY("read")))); // Role needs name @@ -173,9 +157,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("db" << "dbA"))))); @@ -184,9 +166,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "roleA"))))); @@ -196,9 +176,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "roleA" << "db" @@ -209,9 +187,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "roles" + << "credentials" << credentials << "roles" << BSON_ARRAY(BSON("role" << "roleA" << "db" @@ -227,9 +203,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "authenticationRestrictions" + << "credentials" << credentials << "authenticationRestrictions" << BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("127.0.0.1/8") << "serverAddress" << BSON_ARRAY("127.0.0.1/8"))) << "roles" 
@@ -243,9 +217,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "spencer" << "db" << "test" - << "credentials" - << credentials - << "extraData" + << "credentials" << credentials << "extraData" << BSON("foo" << "bar") << "roles" @@ -318,13 +290,13 @@ TEST_F(V2UserDocumentParsing, V2CredentialExtraction) { ASSERT(!user->getCredentials().isExternal); // Make sure extracting valid combined credentials works - ASSERT_OK(v2parser.initializeUserCredentialsFromUserDocument(user.get(), - BSON("user" - << "spencer" - << "db" - << "test" - << "credentials" - << credentials))); + ASSERT_OK( + v2parser.initializeUserCredentialsFromUserDocument(user.get(), + BSON("user" + << "spencer" + << "db" + << "test" + << "credentials" << credentials))); ASSERT(user->getCredentials().scram_sha1.isValid()); ASSERT(user->getCredentials().scram_sha256.isValid()); ASSERT(!user->getCredentials().isExternal); @@ -350,18 +322,18 @@ TEST_F(V2UserDocumentParsing, V2RoleExtraction) { user.get())); // V1-style roles arrays no longer work - ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user" - << "spencer" - << "roles" - << BSON_ARRAY("read")), - user.get())); + ASSERT_NOT_OK( + v2parser.initializeUserRolesFromUserDocument(BSON("user" + << "spencer" + << "roles" << BSON_ARRAY("read")), + user.get())); // Roles must have "db" field - ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user" - << "spencer" - << "roles" - << BSON_ARRAY(BSONObj())), - user.get())); + ASSERT_NOT_OK( + v2parser.initializeUserRolesFromUserDocument(BSON("user" + << "spencer" + << "roles" << BSON_ARRAY(BSONObj())), + user.get())); ASSERT_NOT_OK( v2parser.initializeUserRolesFromUserDocument(BSON("user" 
@@ -428,16 +400,14 @@ TEST_F(V2UserDocumentParsing, V2AuthenticationRestrictionsExtraction) { ASSERT_OK(v2parser.initializeAuthenticationRestrictionsFromUserDocument( BSON("user" << "spencer" - << "authenticationRestrictions" - << emptyArray), + << "authenticationRestrictions" << emptyArray), user.get())); // authenticationRestrictions must have at least one of "clientSource"/"serverAdddress" fields ASSERT_NOT_OK(v2parser.initializeAuthenticationRestrictionsFromUserDocument( BSON("user" << "spencer" - << "authenticationRestrictions" - << BSON_ARRAY(emptyObj)), + << "authenticationRestrictions" << BSON_ARRAY(emptyObj)), user.get())); // authenticationRestrictions must not have unexpected elements diff --git a/src/mongo/db/auth/user_management_commands_parser.cpp b/src/mongo/db/auth/user_management_commands_parser.cpp index 29f4bc53574..0d380888ac9 100644 --- a/src/mongo/db/auth/user_management_commands_parser.cpp +++ b/src/mongo/db/auth/user_management_commands_parser.cpp @@ -64,8 +64,9 @@ Status _checkNoExtraFields(const BSONObj& cmdObj, StringData fieldName = (*iter).fieldNameStringData(); if (!isGenericArgument(fieldName) && !validFieldNames.count(fieldName.toString())) { return Status(ErrorCodes::BadValue, - str::stream() << "\"" << fieldName << "\" is not " - "a valid argument to " + str::stream() << "\"" << fieldName + << "\" is not " + "a valid argument to " << cmdName); } } @@ -175,8 +176,9 @@ Status parseRolePossessionManipulationCommands(const BSONObj& cmdObj, if (!parsedRoleNames->size()) { return Status(ErrorCodes::BadValue, - str::stream() << cmdName << " command requires a non-empty " - "\"roles\" array"); + str::stream() << cmdName + << " command requires a non-empty " + "\"roles\" array"); } return Status::OK(); } 
@@ -634,8 +636,9 @@ Status parseAndValidateRolePrivilegeManipulationCommands(const BSONObj& cmdObj, } if (!parsedPrivileges->size()) { return Status(ErrorCodes::BadValue, - str::stream() << cmdName << " command requires a non-empty " - "\"privileges\" array"); + str::stream() << cmdName + << " command requires a non-empty " + "\"privileges\" array"); } return Status::OK(); |