Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r--src/mongo/db/auth/authorization_manager_impl.cpp3
-rw-r--r--src/mongo/db/auth/authorization_manager_test.cpp30
-rw-r--r--src/mongo/db/auth/authorization_session_impl.cpp21
-rw-r--r--src/mongo/db/auth/authorization_session_test.cpp103
-rw-r--r--src/mongo/db/auth/authz_manager_external_state_local.cpp28
-rw-r--r--src/mongo/db/auth/authz_manager_external_state_mock.cpp3
-rw-r--r--src/mongo/db/auth/authz_manager_external_state_s.cpp55
-rw-r--r--src/mongo/db/auth/privilege_parser_test.cpp27
-rw-r--r--src/mongo/db/auth/role_graph.cpp42
-rw-r--r--src/mongo/db/auth/role_graph_test.cpp63
-rw-r--r--src/mongo/db/auth/role_graph_update.cpp21
-rw-r--r--src/mongo/db/auth/sasl_authentication_session_test.cpp24
-rw-r--r--src/mongo/db/auth/sasl_mechanism_registry.cpp7
-rw-r--r--src/mongo/db/auth/sasl_mechanism_registry_test.cpp11
-rw-r--r--src/mongo/db/auth/sasl_options_init.cpp2
-rw-r--r--src/mongo/db/auth/sasl_plain_server_conversation.cpp5
-rw-r--r--src/mongo/db/auth/sasl_plain_server_conversation.h5
-rw-r--r--src/mongo/db/auth/sasl_scram_server_conversation.cpp15
-rw-r--r--src/mongo/db/auth/sasl_scram_test.cpp17
-rw-r--r--src/mongo/db/auth/security_file.cpp4
-rw-r--r--src/mongo/db/auth/user.cpp2
-rw-r--r--src/mongo/db/auth/user_document_parser.cpp8
-rw-r--r--src/mongo/db/auth/user_document_parser_test.cpp102
-rw-r--r--src/mongo/db/auth/user_management_commands_parser.cpp15
24 files changed, 230 insertions, 383 deletions
diff --git a/src/mongo/db/auth/authorization_manager_impl.cpp b/src/mongo/db/auth/authorization_manager_impl.cpp
index 07996cd2f82..63e59eb4628 100644
--- a/src/mongo/db/auth/authorization_manager_impl.cpp
+++ b/src/mongo/db/auth/authorization_manager_impl.cpp
@@ -431,8 +431,7 @@ Status AuthorizationManagerImpl::_initializeUserFromPrivilegeDocument(User* user
return Status(ErrorCodes::BadValue,
str::stream() << "User name from privilege document \"" << userName
<< "\" doesn't match name of provided User \""
- << user->getName().getUser()
- << "\"");
+ << user->getName().getUser() << "\"");
}
user->setID(parser.extractUserIDFromUserDocument(privDoc));
diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp
index ab3a650d6dd..46c6da88230 100644
--- a/src/mongo/db/auth/authorization_manager_test.cpp
+++ b/src/mongo/db/auth/authorization_manager_test.cpp
@@ -127,9 +127,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2User) {
<< "v2read"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "read"
<< "db"
@@ -142,9 +140,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2User) {
<< "v2cluster"
<< "db"
<< "admin"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "clusterAdmin"
<< "db"
@@ -249,19 +245,17 @@ public:
private:
Status _getUserDocument(OperationContext* opCtx, const UserName& userName, BSONObj* userDoc) {
- Status status = findOne(opCtx,
- AuthorizationManager::usersCollectionNamespace,
- BSON(AuthorizationManager::USER_NAME_FIELD_NAME
- << userName.getUser()
- << AuthorizationManager::USER_DB_FIELD_NAME
- << userName.getDB()),
- userDoc);
+ Status status =
+ findOne(opCtx,
+ AuthorizationManager::usersCollectionNamespace,
+ BSON(AuthorizationManager::USER_NAME_FIELD_NAME
+ << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME
+ << userName.getDB()),
+ userDoc);
if (status == ErrorCodes::NoMatchingDocument) {
status = Status(ErrorCodes::UserNotFound,
str::stream() << "Could not find user \"" << userName.getUser()
- << "\" for db \""
- << userName.getDB()
- << "\"");
+ << "\" for db \"" << userName.getDB() << "\"");
}
return status;
}
@@ -297,9 +291,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2UserWithUnrecognizedActions) {
<< "myUser"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "myRole"
<< "db"
diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp
index fd186c06d7d..c308e3f5304 100644
--- a/src/mongo/db/auth/authorization_session_impl.cpp
+++ b/src/mongo/db/auth/authorization_session_impl.cpp
@@ -493,8 +493,7 @@ Status AuthorizationSessionImpl::checkAuthorizedToGrantPrivilege(const Privilege
ActionType::grantRole)) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "Not authorized to grant privileges on the "
- << resource.databaseToMatch()
- << "database");
+ << resource.databaseToMatch() << "database");
}
} else if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName("admin"),
ActionType::grantRole)) {
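Review bot: The rejoined line `<< resource.databaseToMatch() << "database");` has no space before `database`, so the Unauthorized status runs the database name straight into that word and the denial is harder to read or match in logs. Proposed: `<< resource.databaseToMatch() << " database");`. The revoke hunk that follows (checkAuthorizedToRevokePrivilege) has the same concatenation. Any test or log matcher that compares the exact text would need the same update, and the function body starts and ends outside this hunk.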
@@ -514,8 +513,7 @@ Status AuthorizationSessionImpl::checkAuthorizedToRevokePrivilege(const Privileg
ActionType::revokeRole)) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "Not authorized to revoke privileges on the "
- << resource.databaseToMatch()
- << "database");
+ << resource.databaseToMatch() << "database");
}
} else if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName("admin"),
ActionType::revokeRole)) {
@@ -1001,9 +999,7 @@ bool AuthorizationSessionImpl::isImpersonating() const {
auto AuthorizationSessionImpl::checkCursorSessionPrivilege(
OperationContext* const opCtx, const boost::optional<LogicalSessionId> cursorSessionId)
-> Status {
- auto nobodyIsLoggedIn = [authSession = this] {
- return !authSession->isAuthenticated();
- };
+ auto nobodyIsLoggedIn = [authSession = this] { return !authSession->isAuthenticated(); };
auto authHasImpersonatePrivilege = [authSession = this] {
return authSession->isAuthorizedForPrivilege(
@@ -1037,13 +1033,12 @@ auto AuthorizationSessionImpl::checkCursorSessionPrivilege(
// Operation Context (which implies a background job
!authHasImpersonatePrivilege() // Or if the user has an impersonation privilege, in which
// case, the user gets to sidestep certain checks.
- ) {
+ ) {
return Status{ErrorCodes::Unauthorized,
- str::stream() << "Cursor session id ("
- << sessionIdToStringOrNone(cursorSessionId)
- << ") is not the same as the operation context's session id ("
- << sessionIdToStringOrNone(opCtx->getLogicalSessionId())
- << ")"};
+ str::stream()
+ << "Cursor session id (" << sessionIdToStringOrNone(cursorSessionId)
+ << ") is not the same as the operation context's session id ("
+ << sessionIdToStringOrNone(opCtx->getLogicalSessionId()) << ")"};
}
return Status::OK();
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index 09476aca817..a8b51dc3137 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
@@ -179,9 +179,7 @@ TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
@@ -207,9 +205,7 @@ TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) {
<< "admin"
<< "db"
<< "admin"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWriteAnyDatabase"
<< "db"
@@ -253,9 +249,7 @@ TEST_F(AuthorizationSessionTest, DuplicateRolesOK) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
@@ -285,9 +279,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
<< "rw"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
@@ -302,9 +294,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
<< "useradmin"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "userAdmin"
<< "db"
@@ -316,9 +306,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
<< "rwany"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWriteAnyDatabase"
<< "db"
@@ -334,9 +322,7 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
<< "useradminany"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "userAdminAnyDatabase"
<< "db"
@@ -413,9 +399,7 @@ TEST_F(AuthorizationSessionTest, InvalidateUser) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
@@ -445,9 +429,7 @@ TEST_F(AuthorizationSessionTest, InvalidateUser) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "read"
<< "db"
@@ -490,9 +472,7 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
@@ -523,9 +503,7 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "read"
<< "db"
@@ -559,9 +537,7 @@ TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRes
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
@@ -569,8 +545,7 @@ TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRes
<< "authenticationRestrictions"
<< BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("192.168.0.0/24"
<< "192.168.2.10")
- << "serverAddress"
- << BSON_ARRAY("192.168.0.2"))
+ << "serverAddress" << BSON_ARRAY("192.168.0.2"))
<< BSON("clientSource" << BSON_ARRAY("2001:DB8::1") << "serverAddress"
<< BSON_ARRAY("2001:DB8::2"))
<< BSON("clientSource" << BSON_ARRAY("127.0.0.1"
@@ -912,11 +887,9 @@ TEST_F(AuthorizationSessionTest, CanAggregateOutWithInsertAndRemoveOnTargetNames
uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, cmdObj, false));
ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges));
- BSONObj cmdObjNoBypassDocumentValidation = BSON(
- "aggregate" << testFooNss.coll() << "pipeline" << pipeline << "bypassDocumentValidation"
- << false
- << "cursor"
- << BSONObj());
+ BSONObj cmdObjNoBypassDocumentValidation =
+ BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline
+ << "bypassDocumentValidation" << false << "cursor" << BSONObj());
privileges = uassertStatusOK(authzSession->getPrivilegesForAggregate(
testFooNss, cmdObjNoBypassDocumentValidation, false));
ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges));
@@ -929,10 +902,8 @@ TEST_F(AuthorizationSessionTest,
Privilege(testBarCollResource, {ActionType::insert, ActionType::remove})});
BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll()));
- BSONObj cmdObj =
- BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()
- << "bypassDocumentValidation"
- << true);
+ BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor"
+ << BSONObj() << "bypassDocumentValidation" << true);
PrivilegeVector privileges =
uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, cmdObj, false));
ASSERT_FALSE(authzSession->isAuthorizedForPrivileges(privileges));
@@ -947,10 +918,8 @@ TEST_F(AuthorizationSessionTest,
{ActionType::insert, ActionType::remove, ActionType::bypassDocumentValidation})});
BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll()));
- BSONObj cmdObj =
- BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor" << BSONObj()
- << "bypassDocumentValidation"
- << true);
+ BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline << "cursor"
+ << BSONObj() << "bypassDocumentValidation" << true);
PrivilegeVector privileges =
uassertStatusOK(authzSession->getPrivilegesForAggregate(testFooNss, cmdObj, true));
ASSERT_TRUE(authzSession->isAuthorizedForPrivileges(privileges));
@@ -1145,9 +1114,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsNotCoauthorizedWithEmptyUser
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
@@ -1164,9 +1131,7 @@ TEST_F(AuthorizationSessionTest,
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
@@ -1181,9 +1146,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsCoauthorizedWithIntersecting
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(),
@@ -1191,9 +1154,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsCoauthorizedWithIntersecting
<< "admin"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
@@ -1211,9 +1172,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsNotCoauthorizedWithNoninters
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(),
@@ -1221,9 +1180,7 @@ TEST_F(AuthorizationSessionTest, AuthorizedSessionIsNotCoauthorizedWithNoninters
<< "admin"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
@@ -1242,9 +1199,7 @@ TEST_F(AuthorizationSessionTest,
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(),
@@ -1252,9 +1207,7 @@ TEST_F(AuthorizationSessionTest,
<< "admin"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSONArray()),
BSONObj()));
ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
diff --git a/src/mongo/db/auth/authz_manager_external_state_local.cpp b/src/mongo/db/auth/authz_manager_external_state_local.cpp
index 7fa1f2ff5f0..e87a9880e73 100644
--- a/src/mongo/db/auth/authz_manager_external_state_local.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_local.cpp
@@ -89,11 +89,8 @@ Status AuthzManagerExternalStateLocal::getStoredAuthorizationVersion(OperationCo
str::stream()
<< "Could not determine schema version of authorization data. "
"Bad (non-numeric) type "
- << typeName(versionElement.type())
- << " ("
- << versionElement.type()
- << ") for "
- << AuthorizationManager::schemaVersionFieldName
+ << typeName(versionElement.type()) << " (" << versionElement.type()
+ << ") for " << AuthorizationManager::schemaVersionFieldName
<< " field in version document");
}
} else if (status == ErrorCodes::NoMatchingDocument) {
@@ -132,8 +129,7 @@ void addPrivilegeObjectsOrWarningsToArrayElement(mutablebson::Element privileges
"",
std::string(str::stream() << "Skipped privileges on resource "
<< privileges[i].getResourcePattern().toString()
- << ". Reason: "
- << errmsg)));
+ << ". Reason: " << errmsg)));
}
}
}
@@ -179,11 +175,8 @@ Status AuthzManagerExternalStateLocal::getUserDescription(OperationContext* opCt
userRoles << BSON("role" << role.getRole() << "db" << role.getDB());
}
*result = BSON("_id" << userName.getUser() << "user" << userName.getUser() << "db"
- << userName.getDB()
- << "credentials"
- << BSON("external" << true)
- << "roles"
- << userRoles.arr());
+ << userName.getDB() << "credentials" << BSON("external" << true)
+ << "roles" << userRoles.arr());
}
BSONElement directRolesElement;
@@ -285,17 +278,14 @@ Status AuthzManagerExternalStateLocal::_getUserDocument(OperationContext* opCtx,
Status status = findOne(opCtx,
AuthorizationManager::usersCollectionNamespace,
BSON(AuthorizationManager::USER_NAME_FIELD_NAME
- << userName.getUser()
- << AuthorizationManager::USER_DB_FIELD_NAME
+ << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME
<< userName.getDB()),
userDoc);
if (status == ErrorCodes::NoMatchingDocument) {
- status =
- Status(ErrorCodes::UserNotFound,
- str::stream() << "Could not find user \"" << userName.getUser() << "\" for db \""
- << userName.getDB()
- << "\"");
+ status = Status(ErrorCodes::UserNotFound,
+ str::stream() << "Could not find user \"" << userName.getUser()
+ << "\" for db \"" << userName.getDB() << "\"");
}
return status;
}
diff --git a/src/mongo/db/auth/authz_manager_external_state_mock.cpp b/src/mongo/db/auth/authz_manager_external_state_mock.cpp
index 16cdd668604..19a7977e605 100644
--- a/src/mongo/db/auth/authz_manager_external_state_mock.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_mock.cpp
@@ -83,8 +83,7 @@ void addPrivilegeObjectsOrWarningsToArrayElement(mutablebson::Element privileges
"",
std::string(str::stream() << "Skipped privileges on resource "
<< privileges[i].getResourcePattern().toString()
- << ". Reason: "
- << errmsg)));
+ << ". Reason: " << errmsg)));
}
}
}
diff --git a/src/mongo/db/auth/authz_manager_external_state_s.cpp b/src/mongo/db/auth/authz_manager_external_state_s.cpp
index 98893954d4e..ec1a695ba53 100644
--- a/src/mongo/db/auth/authz_manager_external_state_s.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_s.cpp
@@ -127,12 +127,8 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC
<< userName.getUser()
<< AuthorizationManager::USER_DB_FIELD_NAME
<< userName.getDB()))
- << "showPrivileges"
- << true
- << "showCredentials"
- << true
- << "showAuthenticationRestrictions"
- << true);
+ << "showPrivileges" << true << "showCredentials" << true
+ << "showAuthenticationRestrictions" << true);
BSONObjBuilder builder;
const bool ok = Grid::get(opCtx)->catalogClient()->runUserManagementReadCommand(
opCtx, "admin", usersInfoCmd, &builder);
@@ -149,10 +145,9 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC
if (foundUsers.size() > 1) {
return Status(ErrorCodes::UserDataInconsistent,
- str::stream() << "Found multiple users on the \"" << userName.getDB()
- << "\" database with name \""
- << userName.getUser()
- << "\"");
+ str::stream()
+ << "Found multiple users on the \"" << userName.getDB()
+ << "\" database with name \"" << userName.getUser() << "\"");
}
*result = foundUsers[0].Obj().getOwned();
return Status::OK();
@@ -162,10 +157,9 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC
BSONArrayBuilder userRolesBuilder;
auto& sslPeerInfo = SSLPeerInfo::forSession(opCtx->getClient()->session());
for (const RoleName& role : sslPeerInfo.roles) {
- userRolesBuilder.append(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME
- << role.getRole()
- << AuthorizationManager::ROLE_DB_FIELD_NAME
- << role.getDB()));
+ userRolesBuilder.append(BSON(
+ AuthorizationManager::ROLE_NAME_FIELD_NAME
+ << role.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME << role.getDB()));
}
BSONArray providedRoles = userRolesBuilder.arr();
@@ -194,16 +188,12 @@ Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* opC
"Recieved malformed response to request for X509 roles from config server");
}
- *result = BSON("_id" << userName.getUser() << "user" << userName.getUser() << "db"
- << userName.getDB()
- << "credentials"
- << BSON("external" << true)
- << "roles"
- << BSONArray(cmdResult["roles"].Obj())
- << "inheritedRoles"
- << BSONArray(cmdResult["inheritedRoles"].Obj())
- << "inheritedPrivileges"
- << BSONArray(cmdResult["inheritedPrivileges"].Obj()));
+ *result =
+ BSON("_id" << userName.getUser() << "user" << userName.getUser() << "db"
+ << userName.getDB() << "credentials" << BSON("external" << true) << "roles"
+ << BSONArray(cmdResult["roles"].Obj()) << "inheritedRoles"
+ << BSONArray(cmdResult["inheritedRoles"].Obj()) << "inheritedPrivileges"
+ << BSONArray(cmdResult["inheritedPrivileges"].Obj()));
return Status::OK();
}
}
@@ -215,11 +205,11 @@ Status AuthzManagerExternalStateMongos::getRoleDescription(
AuthenticationRestrictionsFormat showRestrictions,
BSONObj* result) {
BSONObjBuilder rolesInfoCmd;
- rolesInfoCmd.append("rolesInfo",
- BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME
- << roleName.getRole()
- << AuthorizationManager::ROLE_DB_FIELD_NAME
- << roleName.getDB())));
+ rolesInfoCmd.append(
+ "rolesInfo",
+ BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME
+ << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME
+ << roleName.getDB())));
addShowToBuilder(&rolesInfoCmd, showPrivileges, showRestrictions);
BSONObjBuilder builder;
@@ -238,9 +228,7 @@ Status AuthzManagerExternalStateMongos::getRoleDescription(
if (foundRoles.size() > 1) {
return Status(ErrorCodes::RoleDataInconsistent,
str::stream() << "Found multiple roles on the \"" << roleName.getDB()
- << "\" database with name \""
- << roleName.getRole()
- << "\"");
+ << "\" database with name \"" << roleName.getRole() << "\"");
}
*result = foundRoles[0].Obj().getOwned();
return Status::OK();
@@ -255,8 +243,7 @@ Status AuthzManagerExternalStateMongos::getRolesDescription(
for (const RoleName& roleName : roles) {
rolesInfoCmdArray << BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME
- << roleName.getRole()
- << AuthorizationManager::ROLE_DB_FIELD_NAME
+ << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME
<< roleName.getDB());
}
diff --git a/src/mongo/db/auth/privilege_parser_test.cpp b/src/mongo/db/auth/privilege_parser_test.cpp
index 288760ffb0d..969360a6f51 100644
--- a/src/mongo/db/auth/privilege_parser_test.cpp
+++ b/src/mongo/db/auth/privilege_parser_test.cpp
@@ -56,24 +56,21 @@ TEST(PrivilegeParserTest, IsValidTest) {
<< ""
<< "collection"
<< "")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT_FALSE(parsedPrivilege.isValid(&errmsg));
// resource can't have db without collection
parsedPrivilege.parseBSON(BSON("resource" << BSON("db"
<< "")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT_FALSE(parsedPrivilege.isValid(&errmsg));
// resource can't have collection without db
parsedPrivilege.parseBSON(BSON("resource" << BSON("collection"
<< "")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT_FALSE(parsedPrivilege.isValid(&errmsg));
@@ -82,8 +79,7 @@ TEST(PrivilegeParserTest, IsValidTest) {
<< ""
<< "collection"
<< "")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT(parsedPrivilege.isValid(&errmsg));
@@ -92,8 +88,7 @@ TEST(PrivilegeParserTest, IsValidTest) {
<< "test"
<< "collection"
<< "foo")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT(parsedPrivilege.isValid(&errmsg));
@@ -116,8 +111,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) {
<< ""
<< "collection"
<< "")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT(parsedPrivilege.isValid(&errmsg));
ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege(
@@ -143,8 +137,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) {
<< "test"
<< "collection"
<< "foo")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT(parsedPrivilege.isValid(&errmsg));
ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege(
@@ -171,8 +164,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) {
<< "test"
<< "collection"
<< "")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT(parsedPrivilege.isValid(&errmsg));
ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege(
@@ -198,8 +190,7 @@ TEST(PrivilegeParserTest, ConvertBetweenPrivilegeTest) {
<< ""
<< "collection"
<< "foo")
- << "actions"
- << BSON_ARRAY("find")),
+ << "actions" << BSON_ARRAY("find")),
&errmsg);
ASSERT(parsedPrivilege.isValid(&errmsg));
ASSERT_OK(ParsedPrivilege::parsedPrivilegeToPrivilege(
diff --git a/src/mongo/db/auth/role_graph.cpp b/src/mongo/db/auth/role_graph.cpp
index 51f91a10ba8..164d09a2cb8 100644
--- a/src/mongo/db/auth/role_graph.cpp
+++ b/src/mongo/db/auth/role_graph.cpp
@@ -167,8 +167,8 @@ Status RoleGraph::addRoleToRole(const RoleName& recipient, const RoleName& role)
}
if (isBuiltinRole(recipient)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot grant roles to built-in role: "
- << role.getFullName());
+ str::stream()
+ << "Cannot grant roles to built-in role: " << role.getFullName());
}
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
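Review bot: The guard is `isBuiltinRole(recipient)` but the message appends `role.getFullName()`, so the InvalidRoleModification status names the role being granted rather than the built-in role that was refused. Proposed: `<< "Cannot grant roles to built-in role: " << recipient.getFullName());`. The next hunk (removeRoleFromRole) has the same mismatch after "Cannot remove roles from built-in role: ". On an access-control path this matters because anyone reading the error or a log of it is pointed at the wrong role. The function body extends outside the hunk.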
@@ -193,8 +193,8 @@ Status RoleGraph::removeRoleFromRole(const RoleName& recipient, const RoleName&
}
if (isBuiltinRole(recipient)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot remove roles from built-in role: "
- << role.getFullName());
+ str::stream()
+ << "Cannot remove roles from built-in role: " << role.getFullName());
}
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
@@ -207,8 +207,9 @@ Status RoleGraph::removeRoleFromRole(const RoleName& recipient, const RoleName&
_roleToMembers[role].erase(itToRm);
} else {
return Status(ErrorCodes::RolesNotRelated,
- str::stream() << recipient.getFullName() << " is not a member"
- " of "
+ str::stream() << recipient.getFullName()
+ << " is not a member"
+ " of "
<< role.getFullName());
}
@@ -227,8 +228,8 @@ Status RoleGraph::removeAllRolesFromRole(const RoleName& victim) {
}
if (isBuiltinRole(victim)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot remove roles from built-in role: "
- << victim.getFullName());
+ str::stream()
+ << "Cannot remove roles from built-in role: " << victim.getFullName());
}
RoleNameVector& subordinatesOfVictim = _roleToSubordinates[victim];
@@ -253,8 +254,8 @@ Status RoleGraph::addPrivilegeToRole(const RoleName& role, const Privilege& priv
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot grant privileges to built-in role: "
- << role.getFullName());
+ str::stream()
+ << "Cannot grant privileges to built-in role: " << role.getFullName());
}
_addPrivilegeToRoleNoChecks(role, privilegeToAdd);
@@ -277,8 +278,8 @@ Status RoleGraph::addPrivilegesToRole(const RoleName& role,
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot grant privileges to built-in role: "
- << role.getFullName());
+ str::stream()
+ << "Cannot grant privileges to built-in role: " << role.getFullName());
}
for (PrivilegeVector::const_iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end();
@@ -296,8 +297,8 @@ Status RoleGraph::removePrivilegeFromRole(const RoleName& role,
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot remove privileges from built-in role: "
- << role.getFullName());
+ str::stream()
+ << "Cannot remove privileges from built-in role: " << role.getFullName());
}
PrivilegeVector& currentPrivileges = _directPrivilegesForRole[role];
@@ -325,8 +326,9 @@ Status RoleGraph::removePrivilegeFromRole(const RoleName& role,
}
}
return Status(ErrorCodes::PrivilegeNotFound,
- str::stream() << "Role: " << role.getFullName() << " does not "
- "contain any privileges on "
+ str::stream() << "Role: " << role.getFullName()
+ << " does not "
+ "contain any privileges on "
<< privilegeToRemove.getResourcePattern().toString());
}
@@ -350,8 +352,8 @@ Status RoleGraph::removeAllPrivilegesFromRole(const RoleName& role) {
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot remove privileges from built-in role: "
- << role.getFullName());
+ str::stream()
+ << "Cannot remove privileges from built-in role: " << role.getFullName());
}
_directPrivilegesForRole[role].clear();
return Status::OK();
@@ -434,8 +436,8 @@ Status RoleGraph::_recomputePrivilegeDataHelper(const RoleName& startingRole,
if (!roleExists(currentRole)) {
return Status(ErrorCodes::RoleNotFound,
- str::stream() << "Role: " << currentRole.getFullName()
- << " does not exist");
+ str::stream()
+ << "Role: " << currentRole.getFullName() << " does not exist");
}
// Check for cycles
diff --git a/src/mongo/db/auth/role_graph_test.cpp b/src/mongo/db/auth/role_graph_test.cpp
index a2ed3dece7f..765d3d3c61c 100644
--- a/src/mongo/db/auth/role_graph_test.cpp
+++ b/src/mongo/db/auth/role_graph_test.cpp
@@ -196,7 +196,7 @@ TEST(RoleGraphTest, AddRemoveRoles) {
* |
* v
* D
- */
+ */
it = graph.getDirectSubordinates(roleA); // should be roleB and roleC, order doesn't matter
@@ -825,26 +825,22 @@ TEST(RoleGraphTest, AddRoleFromDocument) {
<< "dbA"
<< "collection"
<< "collA")
- << "actions"
- << BSON_ARRAY("insert"))),
+ << "actions" << BSON_ARRAY("insert"))),
BSON_ARRAY(BSON("resource" << BSON("db"
<< "dbB"
<< "collection"
<< "collB")
- << "actions"
- << BSON_ARRAY("insert"))
+ << "actions" << BSON_ARRAY("insert"))
<< BSON("resource" << BSON("db"
<< "dbC"
<< "collection"
<< "collC")
- << "actions"
- << BSON_ARRAY("compact"))),
+ << "actions" << BSON_ARRAY("compact"))),
BSON_ARRAY(BSON("resource" << BSON("db"
<< ""
<< "collection"
<< "")
- << "actions"
- << BSON_ARRAY("find"))),
+ << "actions" << BSON_ARRAY("find"))),
};
const BSONArray restrictions[] = {
@@ -922,33 +918,28 @@ TEST(RoleGraphTest, AddRoleFromDocumentWithRestricitonMerge) {
BSON_ARRAY(BSON("serverAddress" << BSON_ARRAY("127.0.0.1/8")));
RoleGraph graph;
- ASSERT_OK(graph.addRoleFromDocument(BSON("_id"
- << "dbA.roleA"
- << "role"
- << "roleA"
- << "db"
- << "dbA"
- << "privileges"
- << BSONArray()
- << "roles"
- << BSONArray()
- << "authenticationRestrictions"
- << roleARestrictions)));
- ASSERT_OK(graph.addRoleFromDocument(BSON("_id"
- << "dbB.roleB"
- << "role"
- << "roleB"
- << "db"
- << "dbB"
- << "privileges"
- << BSONArray()
- << "roles"
- << BSON_ARRAY(BSON("role"
- << "roleA"
- << "db"
- << "dbA"))
- << "authenticationRestrictions"
- << roleBRestrictions)));
+ ASSERT_OK(
+ graph.addRoleFromDocument(BSON("_id"
+ << "dbA.roleA"
+ << "role"
+ << "roleA"
+ << "db"
+ << "dbA"
+ << "privileges" << BSONArray() << "roles" << BSONArray()
+ << "authenticationRestrictions" << roleARestrictions)));
+ ASSERT_OK(
+ graph.addRoleFromDocument(BSON("_id"
+ << "dbB.roleB"
+ << "role"
+ << "roleB"
+ << "db"
+ << "dbB"
+ << "privileges" << BSONArray() << "roles"
+ << BSON_ARRAY(BSON("role"
+ << "roleA"
+ << "db"
+ << "dbA"))
+ << "authenticationRestrictions" << roleBRestrictions)));
ASSERT_OK(graph.recomputePrivilegeData());
const auto A = graph.getDirectAuthenticationRestrictions(RoleName("roleA", "dbA"));
diff --git a/src/mongo/db/auth/role_graph_update.cpp b/src/mongo/db/auth/role_graph_update.cpp
index 02c89f36bd7..33ee260fa93 100644
--- a/src/mongo/db/auth/role_graph_update.cpp
+++ b/src/mongo/db/auth/role_graph_update.cpp
@@ -92,9 +92,7 @@ Status checkIdMatchesRoleName(const BSONElement& idElement, const RoleName& role
return Status(ErrorCodes::FailedToParse,
str::stream() << "Role document _id fields must be encoded as the string "
"dbname.rolename. Found "
- << idField
- << " for "
- << roleName.getFullName());
+ << idField << " for " << roleName.getFullName());
}
return Status::OK();
}
@@ -312,16 +310,13 @@ Status handleOplogCommand(RoleGraph* roleGraph, const BSONObj& cmdObj) {
if (cmdName == "createIndexes" &&
cmdObj.firstElement().str() == rolesCollectionNamespace.coll()) {
UnorderedFieldsBSONObjComparator instance;
- if (instance.evaluate(cmdObj == (BSON("createIndexes"
- << "system.roles"
- << "v"
- << 2
- << "name"
- << "role_1_db_1"
- << "key"
- << BSON("role" << 1 << "db" << 1)
- << "unique"
- << true)))) {
+ if (instance.evaluate(
+ cmdObj ==
+ (BSON("createIndexes"
+ << "system.roles"
+ << "v" << 2 << "name"
+ << "role_1_db_1"
+ << "key" << BSON("role" << 1 << "db" << 1) << "unique" << true)))) {
return Status::OK();
}
}
diff --git a/src/mongo/db/auth/sasl_authentication_session_test.cpp b/src/mongo/db/auth/sasl_authentication_session_test.cpp
index 97750182061..e849832d6ff 100644
--- a/src/mongo/db/auth/sasl_authentication_session_test.cpp
+++ b/src/mongo/db/auth/sasl_authentication_session_test.cpp
@@ -131,19 +131,17 @@ SaslConversation::SaslConversation(std::string mech)
<< scram::Secrets<SHA256Block>::generateCredentials(
"frim", saslGlobalParams.scramSHA256IterationCount.load()));
- ASSERT_OK(authManagerExternalState->insert(opCtx.get(),
- NamespaceString("admin.system.users"),
- BSON("_id"
- << "test.andy"
- << "user"
- << "andy"
- << "db"
- << "test"
- << "credentials"
- << creds
- << "roles"
- << BSONArray()),
- BSONObj()));
+ ASSERT_OK(
+ authManagerExternalState->insert(opCtx.get(),
+ NamespaceString("admin.system.users"),
+ BSON("_id"
+ << "test.andy"
+ << "user"
+ << "andy"
+ << "db"
+ << "test"
+ << "credentials" << creds << "roles" << BSONArray()),
+ BSONObj()));
}
void SaslConversation::assertConversationFailure() {
diff --git a/src/mongo/db/auth/sasl_mechanism_registry.cpp b/src/mongo/db/auth/sasl_mechanism_registry.cpp
index 2de9fb02fee..bfe479143d3 100644
--- a/src/mongo/db/auth/sasl_mechanism_registry.cpp
+++ b/src/mongo/db/auth/sasl_mechanism_registry.cpp
@@ -79,8 +79,7 @@ StatusWith<std::unique_ptr<ServerMechanismBase>> SASLServerMechanismRegistry::ge
return Status(ErrorCodes::BadValue,
str::stream() << "Unsupported mechanism '" << mechanismName
- << "' on authentication database '"
- << authenticationDatabase
+ << "' on authentication database '" << authenticationDatabase
<< "'");
}
@@ -147,9 +146,7 @@ bool SASLServerMechanismRegistry::_mechanismSupportedByConfig(StringData mechNam
namespace {
ServiceContext::ConstructorActionRegisterer SASLServerMechanismRegistryInitializer{
- "CreateSASLServerMechanismRegistry",
- {"EndStartupOptionStorage"},
- [](ServiceContext* service) {
+ "CreateSASLServerMechanismRegistry", {"EndStartupOptionStorage"}, [](ServiceContext* service) {
SASLServerMechanismRegistry::set(service,
std::make_unique<SASLServerMechanismRegistry>(
saslGlobalParams.authenticationMechanisms));
diff --git a/src/mongo/db/auth/sasl_mechanism_registry_test.cpp b/src/mongo/db/auth/sasl_mechanism_registry_test.cpp
index 6ca988bc9ae..b16df4ec3f8 100644
--- a/src/mongo/db/auth/sasl_mechanism_registry_test.cpp
+++ b/src/mongo/db/auth/sasl_mechanism_registry_test.cpp
@@ -27,11 +27,11 @@
* it in the license file.
*/
-#include "mongo/db/auth/sasl_mechanism_registry.h"
#include "mongo/crypto/mechanism_scram.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_manager_impl.h"
#include "mongo/db/auth/authz_manager_external_state_mock.h"
+#include "mongo/db/auth/sasl_mechanism_registry.h"
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context_test_fixture.h"
#include "mongo/unittest/unittest.h"
@@ -201,8 +201,7 @@ public:
<< "credentials"
<< BSON("SCRAM-SHA-256"
<< scram::Secrets<SHA256Block>::generateCredentials("sajackā€", 15000))
- << "roles"
- << BSONArray()),
+ << "roles" << BSONArray()),
BSONObj()));
@@ -214,10 +213,8 @@ public:
<< "sajack"
<< "db"
<< "$external"
- << "credentials"
- << BSON("external" << true)
- << "roles"
- << BSONArray()),
+ << "credentials" << BSON("external" << true)
+ << "roles" << BSONArray()),
BSONObj()));
internalSecurity.user = std::make_shared<User>(UserName("__system", "local"));
diff --git a/src/mongo/db/auth/sasl_options_init.cpp b/src/mongo/db/auth/sasl_options_init.cpp
index b83a94fa1c0..51ba683342b 100644
--- a/src/mongo/db/auth/sasl_options_init.cpp
+++ b/src/mongo/db/auth/sasl_options_init.cpp
@@ -95,4 +95,4 @@ MONGO_INITIALIZER_GENERAL(StoreSASLOptions, ("CoreOptions_Store"), ("EndStartupO
(InitializerContext* const context) {
return storeSASLOptions(moe::startupOptionsParsed);
}
-}
+} // namespace mongo
diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.cpp b/src/mongo/db/auth/sasl_plain_server_conversation.cpp
index 5ef2cf6ac9e..0a88084dea3 100644
--- a/src/mongo/db/auth/sasl_plain_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_plain_server_conversation.cpp
@@ -60,8 +60,9 @@ StatusWith<bool> trySCRAM(const User::CredentialData& credentials, StringData pw
reinterpret_cast<const std::uint8_t*>(decodedSalt.c_str()) +
decodedSalt.size()),
scram.iterationCount));
- if (scram.storedKey != base64::encode(reinterpret_cast<const char*>(secrets.storedKey().data()),
- secrets.storedKey().size())) {
+ if (scram.storedKey !=
+ base64::encode(reinterpret_cast<const char*>(secrets.storedKey().data()),
+ secrets.storedKey().size())) {
return Status(ErrorCodes::AuthenticationFailed,
str::stream() << "Incorrect user name or password");
}
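Review bot: The rewrapped condition still compares the derived stored key with `!=` on the base64 text, which for ordinary string types stops at the first differing byte, so the comparison time depends on how much of the computed key matches the stored one. In a password-verification path it is safer to compare equal-length buffers in constant time, for example by decoding `scram.storedKey` once and checking the raw bytes against `secrets.storedKey()` with MongoDB's `consttimeMemEqual`, if that helper is available at this revision. The type of `scram.storedKey` is not visible here and trySCRAM starts and ends outside the hunk, so confirm against the full function. The generic "Incorrect user name or password" text is worth keeping unchanged so the two failure causes stay indistinguishable.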
diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.h b/src/mongo/db/auth/sasl_plain_server_conversation.h
index 26acd1e0aac..d3c6af215ce 100644
--- a/src/mongo/db/auth/sasl_plain_server_conversation.h
+++ b/src/mongo/db/auth/sasl_plain_server_conversation.h
@@ -49,8 +49,9 @@ public:
static constexpr bool isInternal = true;
bool canMakeMechanismForUser(const User* user) const final {
auto credentials = user->getCredentials();
- return !credentials.isExternal && (credentials.scram<SHA1Block>().isValid() ||
- credentials.scram<SHA256Block>().isValid());
+ return !credentials.isExternal &&
+ (credentials.scram<SHA1Block>().isValid() ||
+ credentials.scram<SHA256Block>().isValid());
}
};
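Review bot: `auto credentials = user->getCredentials();` in canMakeMechanismForUser copies the user's whole credential record just to test validity flags, assuming getCredentials() returns a reference (its declaration is not visible here). Binding it instead, `const auto& credentials = user->getCredentials();`, avoids leaving an extra short-lived copy of salted key material in memory. That form is correct whichever way getCredentials() returns.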
diff --git a/src/mongo/db/auth/sasl_scram_server_conversation.cpp b/src/mongo/db/auth/sasl_scram_server_conversation.cpp
index 04a8e53798a..fc223097b4f 100644
--- a/src/mongo/db/auth/sasl_scram_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_scram_server_conversation.cpp
@@ -99,8 +99,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_fir
return Status(ErrorCodes::BadValue,
str::stream()
<< "Incorrect number of arguments for first SCRAM client message, got "
- << got
- << " expected at least 3");
+ << got << " expected at least 3");
};
/**
@@ -168,8 +167,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_fir
if (!authzId.empty() && ServerMechanismBase::_principalName != authzId) {
return Status(ErrorCodes::BadValue,
str::stream() << "SCRAM user name " << ServerMechanismBase::_principalName
- << " does not match authzid "
- << authzId);
+ << " does not match authzid " << authzId);
}
if (!str::startsWith(input[1], "r=") || input[1].size() < 6) {
@@ -267,7 +265,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_fir
* e=message
*
* NOTE: we are ignoring the channel binding part of the message
-**/
+ **/
template <typename Policy>
StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_secondStep(
OperationContext* opCtx, StringData inputData) {
@@ -275,8 +273,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_sec
return Status(ErrorCodes::BadValue,
str::stream()
<< "Incorrect number of arguments for second SCRAM client message, got "
- << got
- << " expected at least 3");
+ << got << " expected at least 3");
};
/**
@@ -322,9 +319,7 @@ StatusWith<std::tuple<bool, std::string>> SaslSCRAMServerMechanism<Policy>::_sec
return Status(ErrorCodes::BadValue,
str::stream()
<< "Unmatched SCRAM nonce received from client in second step, expected "
- << _nonce
- << " but received "
- << nonce);
+ << _nonce << " but received " << nonce);
}
// Do server side computations, compare storedKeys and generate client-final-message
diff --git a/src/mongo/db/auth/sasl_scram_test.cpp b/src/mongo/db/auth/sasl_scram_test.cpp
index 6bfd66667eb..23c6c548f3c 100644
--- a/src/mongo/db/auth/sasl_scram_test.cpp
+++ b/src/mongo/db/auth/sasl_scram_test.cpp
@@ -63,16 +63,10 @@ BSONObj generateSCRAMUserDocument(StringData username, StringData password) {
const auto sha256Cred =
scram::Secrets<SHA256Block>::generateCredentials(password.toString(), 15000);
return BSON("_id" << (str::stream() << database << "." << username).operator StringData()
- << AuthorizationManager::USER_NAME_FIELD_NAME
- << username
- << AuthorizationManager::USER_DB_FIELD_NAME
- << database
- << "credentials"
- << BSON("SCRAM-SHA-1" << sha1Cred << "SCRAM-SHA-256" << sha256Cred)
- << "roles"
- << BSONArray()
- << "privileges"
- << BSONArray());
+ << AuthorizationManager::USER_NAME_FIELD_NAME << username
+ << AuthorizationManager::USER_DB_FIELD_NAME << database << "credentials"
+ << BSON("SCRAM-SHA-1" << sha1Cred << "SCRAM-SHA-256" << sha256Cred) << "roles"
+ << BSONArray() << "privileges" << BSONArray());
}
std::string corruptEncodedPayload(const std::string& message,
@@ -303,7 +297,6 @@ TEST_F(SCRAMFixture, testServerStep1DoesNotIncludeNonceFromClientStep1) {
std::string::iterator nonceBegin = serverMessage.begin() + serverMessage.find("r=");
std::string::iterator nonceEnd = std::find(nonceBegin, serverMessage.end(), ',');
serverMessage = serverMessage.replace(nonceBegin, nonceEnd, "r=");
-
});
ASSERT_EQ(
SCRAMStepsResult(SaslTestState(SaslTestState::kClient, 2),
@@ -349,7 +342,6 @@ TEST_F(SCRAMFixture, testClientStep2GivesBadProof) {
std::string::iterator proofEnd = std::find(proofBegin, clientMessage.end(), ',');
clientMessage = clientMessage.replace(
proofBegin, proofEnd, corruptEncodedPayload(clientMessage, proofBegin, proofEnd));
-
});
ASSERT_EQ(SCRAMStepsResult(SaslTestState(SaslTestState::kServer, 2),
@@ -379,7 +371,6 @@ TEST_F(SCRAMFixture, testServerStep2GivesBadVerifier) {
encodedVerifier = corruptEncodedPayload(serverMessage, verifierBegin, verifierEnd);
serverMessage = serverMessage.replace(verifierBegin, verifierEnd, encodedVerifier);
-
});
auto result = runSteps(mutator);
diff --git a/src/mongo/db/auth/security_file.cpp b/src/mongo/db/auth/security_file.cpp
index 04efa479fbc..0dc4bfafe23 100644
--- a/src/mongo/db/auth/security_file.cpp
+++ b/src/mongo/db/auth/security_file.cpp
@@ -74,8 +74,8 @@ StatusWith<std::vector<std::string>> readSecurityFile(const std::string& filenam
// check obvious file errors
if (stat(filename.c_str(), &stats) == -1) {
return Status(ErrorCodes::InvalidPath,
- str::stream() << "Error reading file " << filename << ": "
- << strerror(errno));
+ str::stream()
+ << "Error reading file " << filename << ": " << strerror(errno));
}
#if !defined(_WIN32)
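Review bot: The `stat(filename.c_str(), &stats)` check inspects the key file by path, so any permission or type checks that follow describe whatever the path resolved to at that moment, not necessarily the file that is read afterwards. If the file is later opened by name (the rest of readSecurityFile is outside this hunk), opening it first and validating the descriptor with `fstat(fd, &stats)` closes that window. Separately, `strerror(errno)` is not guaranteed thread-safe on every platform; the tree's own errno formatter (`errnoWithDescription()`, if present at this revision) would be the safer choice for the message.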
diff --git a/src/mongo/db/auth/user.cpp b/src/mongo/db/auth/user.cpp
index ce869ea28f5..96d1251c316 100644
--- a/src/mongo/db/auth/user.cpp
+++ b/src/mongo/db/auth/user.cpp
@@ -160,7 +160,7 @@ void User::addPrivileges(const PrivilegeVector& privileges) {
}
}
-void User::setRestrictions(RestrictionDocuments restrictions)& {
+void User::setRestrictions(RestrictionDocuments restrictions) & {
_restrictions = std::move(restrictions);
}
diff --git a/src/mongo/db/auth/user_document_parser.cpp b/src/mongo/db/auth/user_document_parser.cpp
index 1c5da7795be..8eb6dc7a94b 100644
--- a/src/mongo/db/auth/user_document_parser.cpp
+++ b/src/mongo/db/auth/user_document_parser.cpp
@@ -152,8 +152,8 @@ Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const {
StringData userDBStr = userDBElement.valueStringData();
if (!NamespaceString::validDBName(userDBStr, NamespaceString::DollarInDbNameBehavior::Allow) &&
userDBStr != "$external") {
- return _badValue(str::stream() << "'" << userDBStr
- << "' is not a valid value for the db field.");
+ return _badValue(str::stream()
+ << "'" << userDBStr << "' is not a valid value for the db field.");
}
// Validate the "credentials" element
@@ -184,8 +184,8 @@ Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const {
str::stream() << fieldName << " does not exist");
}
if (scramElement.type() != Object) {
- return _badValue(str::stream() << fieldName
- << " credential must be an object, if present");
+ return _badValue(str::stream()
+ << fieldName << " credential must be an object, if present");
}
return Status::OK();
};
diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp
index af798f525a6..44721c6570d 100644
--- a/src/mongo/db/auth/user_document_parser_test.cpp
+++ b/src/mongo/db/auth/user_document_parser_test.cpp
@@ -83,23 +83,18 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "pwd"
<< "a"
- << "roles"
- << BSON_ARRAY("read"))));
+ << "roles" << BSON_ARRAY("read"))));
// Need name field
ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< emptyArray)));
// Need source field
ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user"
<< "spencer"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< emptyArray)));
// Need credentials field
@@ -107,16 +102,14 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "roles"
- << emptyArray)));
+ << "roles" << emptyArray)));
// Need roles field
ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user"
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials)));
+ << "credentials" << credentials)));
// authenticationRestricitons must be an array if it exists
ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user"
@@ -131,11 +124,8 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
- << emptyArray
- << "authenticationRestrictions"
+ << "credentials" << credentials << "roles"
+ << emptyArray << "authenticationRestrictions"
<< emptyArray)));
// Empty roles arrays are OK
@@ -143,9 +133,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< emptyArray)));
// Need credentials of {external: true} if user's db is $external
@@ -153,19 +141,15 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "$external"
- << "credentials"
- << BSON("external" << true)
- << "roles"
- << emptyArray)));
+ << "credentials" << BSON("external" << true)
+ << "roles" << emptyArray)));
// Roles must be objects
ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user"
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY("read"))));
// Role needs name
@@ -173,9 +157,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("db"
<< "dbA")))));
@@ -184,9 +166,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "roleA")))));
@@ -196,9 +176,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "roleA"
<< "db"
@@ -209,9 +187,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "roles"
+ << "credentials" << credentials << "roles"
<< BSON_ARRAY(BSON("role"
<< "roleA"
<< "db"
@@ -227,9 +203,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "authenticationRestrictions"
+ << "credentials" << credentials << "authenticationRestrictions"
<< BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("127.0.0.1/8") << "serverAddress"
<< BSON_ARRAY("127.0.0.1/8")))
<< "roles"
@@ -243,9 +217,7 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) {
<< "spencer"
<< "db"
<< "test"
- << "credentials"
- << credentials
- << "extraData"
+ << "credentials" << credentials << "extraData"
<< BSON("foo"
<< "bar")
<< "roles"
@@ -318,13 +290,13 @@ TEST_F(V2UserDocumentParsing, V2CredentialExtraction) {
ASSERT(!user->getCredentials().isExternal);
// Make sure extracting valid combined credentials works
- ASSERT_OK(v2parser.initializeUserCredentialsFromUserDocument(user.get(),
- BSON("user"
- << "spencer"
- << "db"
- << "test"
- << "credentials"
- << credentials)));
+ ASSERT_OK(
+ v2parser.initializeUserCredentialsFromUserDocument(user.get(),
+ BSON("user"
+ << "spencer"
+ << "db"
+ << "test"
+ << "credentials" << credentials)));
ASSERT(user->getCredentials().scram_sha1.isValid());
ASSERT(user->getCredentials().scram_sha256.isValid());
ASSERT(!user->getCredentials().isExternal);
@@ -350,18 +322,18 @@ TEST_F(V2UserDocumentParsing, V2RoleExtraction) {
user.get()));
// V1-style roles arrays no longer work
- ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user"
- << "spencer"
- << "roles"
- << BSON_ARRAY("read")),
- user.get()));
+ ASSERT_NOT_OK(
+ v2parser.initializeUserRolesFromUserDocument(BSON("user"
+ << "spencer"
+ << "roles" << BSON_ARRAY("read")),
+ user.get()));
// Roles must have "db" field
- ASSERT_NOT_OK(v2parser.initializeUserRolesFromUserDocument(BSON("user"
- << "spencer"
- << "roles"
- << BSON_ARRAY(BSONObj())),
- user.get()));
+ ASSERT_NOT_OK(
+ v2parser.initializeUserRolesFromUserDocument(BSON("user"
+ << "spencer"
+ << "roles" << BSON_ARRAY(BSONObj())),
+ user.get()));
ASSERT_NOT_OK(
v2parser.initializeUserRolesFromUserDocument(BSON("user"
@@ -428,16 +400,14 @@ TEST_F(V2UserDocumentParsing, V2AuthenticationRestrictionsExtraction) {
ASSERT_OK(v2parser.initializeAuthenticationRestrictionsFromUserDocument(
BSON("user"
<< "spencer"
- << "authenticationRestrictions"
- << emptyArray),
+ << "authenticationRestrictions" << emptyArray),
user.get()));
// authenticationRestrictions must have at least one of "clientSource"/"serverAdddress" fields
ASSERT_NOT_OK(v2parser.initializeAuthenticationRestrictionsFromUserDocument(
BSON("user"
<< "spencer"
- << "authenticationRestrictions"
- << BSON_ARRAY(emptyObj)),
+ << "authenticationRestrictions" << BSON_ARRAY(emptyObj)),
user.get()));
// authenticationRestrictions must not have unexpected elements
diff --git a/src/mongo/db/auth/user_management_commands_parser.cpp b/src/mongo/db/auth/user_management_commands_parser.cpp
index 29f4bc53574..0d380888ac9 100644
--- a/src/mongo/db/auth/user_management_commands_parser.cpp
+++ b/src/mongo/db/auth/user_management_commands_parser.cpp
@@ -64,8 +64,9 @@ Status _checkNoExtraFields(const BSONObj& cmdObj,
StringData fieldName = (*iter).fieldNameStringData();
if (!isGenericArgument(fieldName) && !validFieldNames.count(fieldName.toString())) {
return Status(ErrorCodes::BadValue,
- str::stream() << "\"" << fieldName << "\" is not "
- "a valid argument to "
+ str::stream() << "\"" << fieldName
+ << "\" is not "
+ "a valid argument to "
<< cmdName);
}
}
@@ -175,8 +176,9 @@ Status parseRolePossessionManipulationCommands(const BSONObj& cmdObj,
if (!parsedRoleNames->size()) {
return Status(ErrorCodes::BadValue,
- str::stream() << cmdName << " command requires a non-empty "
- "\"roles\" array");
+ str::stream() << cmdName
+ << " command requires a non-empty "
+ "\"roles\" array");
}
return Status::OK();
}
@@ -634,8 +636,9 @@ Status parseAndValidateRolePrivilegeManipulationCommands(const BSONObj& cmdObj,
}
if (!parsedPrivileges->size()) {
return Status(ErrorCodes::BadValue,
- str::stream() << cmdName << " command requires a non-empty "
- "\"privileges\" array");
+ str::stream() << cmdName
+ << " command requires a non-empty "
+ "\"privileges\" array");
}
return Status::OK();