Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/db/auth/authorization_session.cpp | 4 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session.h | 3 | ||||
-rw-r--r-- | src/mongo/db/service_entry_point_mongod.cpp | 2 | ||||
-rw-r--r-- | src/mongo/rpc/metadata.cpp | 16 | ||||
-rw-r--r-- | src/mongo/rpc/metadata.h | 2 |
5 files changed, 24 insertions, 3 deletions
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index 8d990765552..6b3e0800c2f 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -209,6 +209,10 @@ User* AuthorizationSession::getSingleUser() {
     return lookupUser(userName);
 }
 
+bool AuthorizationSession::isAuthenticated() {
+    return _authenticatedUsers.begin() != _authenticatedUsers.end();
+}
+
 void AuthorizationSession::logoutDatabase(const std::string& dbname) {
     User* removedUser = _authenticatedUsers.removeByDBName(dbname);
     if (removedUser) {
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h
index 81cfdc466d0..e260d859651 100644
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@@ -144,6 +144,9 @@ public:
     // multiple users are authenticated, this method will throw an exception.
     User* getSingleUser();
 
+    // Is authenticated as at least one user.
+    bool isAuthenticated();
+
     // Gets an iterator over the names of all authenticated users stored in this manager.
     UserNameIterator getAuthenticatedUserNames();
 
diff --git a/src/mongo/db/service_entry_point_mongod.cpp b/src/mongo/db/service_entry_point_mongod.cpp
index 6e5e7731422..25d96dadb59 100644
--- a/src/mongo/db/service_entry_point_mongod.cpp
+++ b/src/mongo/db/service_entry_point_mongod.cpp
@@ -571,7 +571,7 @@ void execCommandDatabase(OperationContext* opCtx,
 
     // TODO: move this back to runCommands when mongos supports OperationContext
     // see SERVER-18515 for details.
-    rpc::readRequestMetadata(opCtx, request.body);
+    rpc::readRequestMetadata(opCtx, request.body, command->requiresAuth());
     rpc::TrackingMetadata::get(opCtx).initWithOperName(command->getName());
 
     auto const replCoord = repl::ReplicationCoordinator::get(opCtx);
diff --git a/src/mongo/rpc/metadata.cpp b/src/mongo/rpc/metadata.cpp
index a9f9a65b336..b6c66f5e29b 100644
--- a/src/mongo/rpc/metadata.cpp
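Review bot: `isAuthenticated()` is a pure query and should be const-qualified in both the declaration and the definition — `bool isAuthenticated() const;` — provided `UserSet::begin()`/`end()` have const overloads, which this diff does not show; the header comment next to it is a sentence fragment, so reword it to `// Returns true if at least one user is authenticated on this session.` In the service_entry_point_mongod.cpp hunk the gate is keyed on `command->requiresAuth()` rather than on the connection, so for a command that does require auth an unauthenticated client's unsigned clusterTime still flows into the logical-time path and is presumably rejected by the authorization and proof-validation steps that come later in execCommandDatabase, which starts before and ends after this hunk. That reliance on ordering is worth a one-line comment at the call site, e.g. `// Pass requiresAuth so unsigned clusterTime from unauthenticated clients on no-auth commands is ignored; auth commands are still checked below.`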
+++ b/src/mongo/rpc/metadata.cpp
@@ -31,6 +31,7 @@
 #include "mongo/rpc/metadata.h"
 
 #include "mongo/client/dbclientinterface.h"
+#include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/logical_clock.h"
 #include "mongo/db/logical_time_validator.h"
@@ -50,7 +51,7 @@ BSONObj makeEmptyMetadata() {
     return BSONObj();
 }
 
-void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) {
+void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth) {
     BSONElement readPreferenceElem;
     BSONElement auditElem;
     BSONElement configSvrElem;
@@ -96,6 +97,19 @@ void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj) {
 
     uassertStatusOK(rpc::LogicalTimeMetadata::readFromMetadata(logicalTimeElem));
     auto& signedTime = logicalTimeMetadata.getSignedTime();
+
+    if (!requiresAuth &&
+        AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() &&
+        (!signedTime.getProof() || *signedTime.getProof() == TimeProofService::TimeProof())) {
+
+        AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
+        // The client is not authenticated and is not using localhost auth bypass.
+        if (authSession && !authSession->isAuthenticated() &&
+            !authSession->isUsingLocalhostBypass()) {
+            return;
+        }
+    }
+
     // LogicalTimeMetadata is default constructed if no cluster time metadata was sent, so a
     // default constructed SignedLogicalTime should be ignored.
     if (signedTime.getTime() != LogicalTime::kUninitialized) {
diff --git a/src/mongo/rpc/metadata.h b/src/mongo/rpc/metadata.h
index 461927f32a7..55d5b6a2bee 100644
--- a/src/mongo/rpc/metadata.h
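Review bot: The bare `return` in the new block of readRequestMetadata leaves the whole function, not just the clusterTime handling, so anything this function still does after the `if (signedTime.getTime() != LogicalTime::kUninitialized)` block — the function continues past the hunk — is skipped for an unauthenticated client on a no-auth command; if any such work exists, replace the `return` with a local flag and wrap only the logical-time processing in `if (!ignoreClusterTime) { ... }`. Silently dropping the metadata instead of failing the command is the non-obvious choice here and deserves a why-comment above `if (!requiresAuth &&`: `// A client that has not authenticated may gossip an unsigned $clusterTime on a command that needs no auth; ignore it rather than fail the command, so it cannot advance this node's clock.` When `authSession` is null the gate is bypassed and the unsigned time is processed as before, so either confirm a client-bound opCtx always carries a session here or treat a missing session as unauthenticated. The condition only covers the absent/default-proof case, so an unauthenticated client that sends a forged proof still reaches the validation below, which is presumably where it is rejected.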
@@ -54,7 +54,7 @@ BSONObj makeEmptyMetadata(); /** * Reads metadata from a metadata object and sets it on this OperationContext. */ -void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj); +void readRequestMetadata(OperationContext* opCtx, const BSONObj& metadataObj, bool requiresAuth); /** * A legacy command object and a corresponding query flags bitfield. The legacy command object |
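Review bot: The doc comment on `readRequestMetadata` in metadata.h still describes only the original two parameters, while the new `requiresAuth` flag changes behavior and is undocumented; append a line such as ` * When requiresAuth is false (the command being run does not itself require authentication) and auth is enabled, an unsigned $clusterTime from a client that is neither authenticated nor using the localhost bypass is ignored instead of processed.` The name alone is ambiguous about whether it refers to the command or the connection, so saying so in the comment, or renaming it `commandRequiresAuth`, would help callers pass the right value.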