Diffstat (limited to 'src/mongo/rpc')
-rw-r--r-- | src/mongo/rpc/metadata.cpp | 16 | ||||
-rw-r--r-- | src/mongo/rpc/metadata.h | 2 |
2 files changed, 16 insertions, 2 deletions
diff --git a/src/mongo/rpc/metadata.cpp b/src/mongo/rpc/metadata.cpp
index a9f9a65b336..b6c66f5e29b 100644
--- a/src/mongo/rpc/metadata.cpp
+++ b/src/mongo/rpc/metadata.cpp
@@ -31,6 +31,7 @@
 #include "mongo/rpc/metadata.h"
 #include "mongo/client/dbclientinterface.h"
+#include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/logical_clock.h"
 #include "mongo/db/logical_time_validator.h"
@@ -50,7 +51,7 @@ BSONObj makeEmptyMetadata() {
 return BSONObj();
 }
-void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) {
+void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth) {
 BSONElement readPreferenceElem;
 BSONElement auditElem;
 BSONElement configSvrElem;
@@ -96,6 +97,19 @@ void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) {
 uassertStatusOK(rpc::LogicalTimeMetadata::readFromMetadata(logicalTimeElem));
 auto& signedTime = logicalTimeMetadata.getSignedTime();
+
+ if (!requiresAuth &&
+ AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() &&
+ (!signedTime.getProof() || *signedTime.getProof() == TimeProofService::TimeProof())) {
+
+ AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
+ // The client is not authenticated and is not using localhost auth bypass.
+ if (authSession && !authSession->isAuthenticated() &&
+ !authSession->isUsingLocalhostBypass()) {
+ return;
+ }
+ }
+
 // LogicalTimeMetadata is default constructed if no cluster time metadata was sent, so a
 // default constructed SignedLogicalTime should be ignored.
 if (signedTime.getTime() != LogicalTime::kUninitialized) {
diff --git a/src/mongo/rpc/metadata.h b/src/mongo/rpc/metadata.h
index 461927f32a7..55d5b6a2bee 100644
--- a/src/mongo/rpc/metadata.h
+++ b/src/mongo/rpc/metadata.h
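Review bot: The early `return` in the new block of the @@ -96 hunk silently discards the cluster-time metadata, and there is no comment on why an unsigned or default-proof `$clusterTime` from an unauthenticated client is ignored rather than rejected. A why-comment above the `if` would make the intent auditable, e.g. `// With auth enabled, an unsigned (or default-proof) $clusterTime from an unauthenticated, non-localhost-bypass client is ignored: skip the cluster-time handling below.` The guard is limited to `!requiresAuth`; if this function runs before the command's own authorization check, an unauthenticated client sending a command that does require auth still reaches the time-processing code below the hunk, so the call order is worth confirming. The proof test would also read better as a named predicate, `const bool proofMissing = !signedTime.getProof() || *signedTime.getProof() == TimeProofService::TimeProof();`, used in the condition. readRequestMetadata's body continues past the end of the hunk.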
@@ -54,7 +54,7 @@ BSONObj makeEmptyMetadata();
 /**
 * Reads metadata from a metadata object and sets it on this OperationContext.
 */
-void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj);
+void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth);
 /**
 * A legacy command object and a corresponding query flags bitfield. The legacy command object
|
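Review bot: The doc comment above `readRequestMetadata` still describes only the two original parameters, so nothing in the header says what `requiresAuth` means or what passing `false` changes. Extend the comment with a line such as ` * requiresAuth: whether the command carrying this metadata requires authentication; when false on an auth-enabled server, cluster-time metadata without a proof from an unauthenticated client is ignored (see metadata.cpp).` The declaration itself is fine as written.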