Diffstat (limited to 'src')
-rw-r--r--src/mongo/db/SConscript26
-rw-r--r--src/mongo/db/db.cpp4
-rw-r--r--src/mongo/db/initialize_server_global_state.cpp35
-rw-r--r--src/mongo/db/initialize_server_security_state.cpp77
-rw-r--r--src/mongo/db/initialize_server_security_state.h41
-rw-r--r--src/mongo/s/server.cpp4
6 files changed, 145 insertions, 42 deletions
diff --git a/src/mongo/db/SConscript b/src/mongo/db/SConscript
index b3c8b2ab9a4..ddf8010f61c 100644
--- a/src/mongo/db/SConscript
+++ b/src/mongo/db/SConscript
@@ -438,20 +438,32 @@ env.CppUnitTest(
env.Library(
target="mongodandmongos",
source=[
- "initialize_server_global_state.cpp",
- "server_options_init.cpp",
+ "initialize_server_security_state.cpp",
],
LIBDEPS=[
- "$BUILD_DIR/mongo/client/clientdriver_network",
+ "serverinit",
+ ],
+ LIBDEPS_PRIVATE=[
+ "$BUILD_DIR/mongo/client/authentication",
"$BUILD_DIR/mongo/db/auth/auth",
- "$BUILD_DIR/mongo/rpc/rpc",
+ "$BUILD_DIR/mongo/db/auth/security_key",
"$BUILD_DIR/mongo/rpc/metadata",
- "$BUILD_DIR/mongo/util/processinfo",
- "$BUILD_DIR/mongo/util/signal_handlers",
+ "$BUILD_DIR/mongo/rpc/rpc",
+ "$BUILD_DIR/mongo/util/net/ssl_manager",
"auth/authorization_manager_global",
+ "serverinit",
+ ],
+)
+
+env.Library(
+ target="serverinit",
+ source=[
+ "initialize_server_global_state.cpp",
+ "server_options_init.cpp",
],
LIBDEPS_PRIVATE=[
- "$BUILD_DIR/mongo/db/auth/security_key",
+ "$BUILD_DIR/mongo/util/processinfo",
+ "$BUILD_DIR/mongo/util/signal_handlers",
],
)
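Review bot: `"serverinit"` is listed in both `LIBDEPS` and `LIBDEPS_PRIVATE` of the `mongodandmongos` library, so one of the two entries is redundant and it is unclear which linkage is intended. If dependents of `mongodandmongos` need `initialize_server_global_state.cpp` transitively, keep only the `LIBDEPS` entry; otherwise keep only the private one. A short comment on the `serverinit` target saying that it holds the non-security half of server initialization would also explain the split to the next reader.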
diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp
index 202cce5e6a4..07b54f4ab9b 100644
--- a/src/mongo/db/db.cpp
+++ b/src/mongo/db/db.cpp
@@ -79,6 +79,7 @@
#include "mongo/db/index_names.h"
#include "mongo/db/index_rebuilder.h"
#include "mongo/db/initialize_server_global_state.h"
+#include "mongo/db/initialize_server_security_state.h"
#include "mongo/db/initialize_snmp.h"
#include "mongo/db/introspect.h"
#include "mongo/db/json.h"
@@ -1054,6 +1055,9 @@ int mongoDbMain(int argc, char* argv[], char** envp) {
if (!initializeServerGlobalState(service))
quickExit(EXIT_FAILURE);
+ if (!initializeServerSecurityGlobalState(service))
+ quickExit(EXIT_FAILURE);
+
// Per SERVER-7434, startSignalProcessingThread must run after any forks (i.e.
// initializeServerGlobalState) and before the creation of any other threads
startSignalProcessingThread();
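Review bot: The new call sits between `initializeServerGlobalState` and `startSignalProcessingThread()`, but the existing SERVER-7434 comment requires that no other threads exist before the signal thread starts, and nothing here states that `initializeServerSecurityGlobalState` meets that requirement. Whether key-file loading or the SSL manager lookup can spawn a thread is not visible in this hunk, so I would add a comment above the new call such as `// Must not create threads: runs before startSignalProcessingThread (SERVER-7434).` mongoDbMain's body starts and ends outside the hunk.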
diff --git a/src/mongo/db/initialize_server_global_state.cpp b/src/mongo/db/initialize_server_global_state.cpp
index 1c40b0c3a6a..968c0214b07 100644
--- a/src/mongo/db/initialize_server_global_state.cpp
+++ b/src/mongo/db/initialize_server_global_state.cpp
@@ -41,17 +41,12 @@
#ifndef _WIN32
#include <sys/stat.h>
-#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#endif
#include "mongo/base/init.h"
-#include "mongo/client/authenticate.h"
#include "mongo/config.h"
-#include "mongo/db/auth/authorization_manager.h"
-#include "mongo/db/auth/sasl_command_constants.h"
-#include "mongo/db/auth/security_key.h"
#include "mongo/db/server_options.h"
#include "mongo/db/server_parameters.h"
#include "mongo/logger/console_appender.h"
@@ -66,7 +61,6 @@
#include "mongo/platform/process_id.h"
#include "mongo/util/log.h"
#include "mongo/util/mongoutils/str.h"
-#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/processinfo.h"
#include "mongo/util/quick_exit.h"
#include "mongo/util/signal_handlers_synchronous.h"
@@ -388,35 +382,6 @@ bool initializeServerGlobalState(ServiceContext* service) {
}
}
- int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
- if (!serverGlobalParams.keyFile.empty() &&
- clusterAuthMode != ServerGlobalParams::ClusterAuthMode_x509) {
- if (!setUpSecurityKey(serverGlobalParams.keyFile)) {
- // error message printed in setUpPrivateKey
- return false;
- }
- }
-
- // Auto-enable auth unless we are in mixed auth/no-auth or clusterAuthMode was not provided.
- // clusterAuthMode defaults to "keyFile" if a --keyFile parameter is provided.
- if (clusterAuthMode != ServerGlobalParams::ClusterAuthMode_undefined &&
- !serverGlobalParams.transitionToAuth) {
- AuthorizationManager::get(service)->setAuthEnabled(true);
- }
-
-#ifdef MONGO_CONFIG_SSL
- if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509 ||
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509) {
- auth::setInternalUserAuthParams(
- BSON(saslCommandMechanismFieldName
- << "MONGODB-X509"
- << saslCommandUserDBFieldName
- << "$external"
- << saslCommandUserFieldName
- << getSSLManager()->getSSLConfiguration().clientSubjectName.toString()));
- }
-#endif
-
return true;
}
diff --git a/src/mongo/db/initialize_server_security_state.cpp b/src/mongo/db/initialize_server_security_state.cpp
new file mode 100644
index 00000000000..b5d660869c4
--- /dev/null
+++ b/src/mongo/db/initialize_server_security_state.cpp
@@ -0,0 +1,77 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/db/initialize_server_global_state.h"
+
+#include "mongo/client/authenticate.h"
+#include "mongo/config.h"
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/sasl_command_constants.h"
+#include "mongo/db/auth/security_key.h"
+#include "mongo/db/server_options.h"
+#include "mongo/util/net/ssl_manager.h"
+
+namespace mongo {
+
+bool initializeServerSecurityGlobalState(ServiceContext* service) {
+
+ int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
+ if (!serverGlobalParams.keyFile.empty() &&
+ clusterAuthMode != ServerGlobalParams::ClusterAuthMode_x509) {
+ if (!setUpSecurityKey(serverGlobalParams.keyFile)) {
+ // error message printed in setUpPrivateKey
+ return false;
+ }
+ }
+
+ // Auto-enable auth unless we are in mixed auth/no-auth or clusterAuthMode was not provided.
+ // clusterAuthMode defaults to "keyFile" if a --keyFile parameter is provided.
+ if (clusterAuthMode != ServerGlobalParams::ClusterAuthMode_undefined &&
+ !serverGlobalParams.transitionToAuth) {
+ AuthorizationManager::get(service)->setAuthEnabled(true);
+ }
+
+#ifdef MONGO_CONFIG_SSL
+ if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509 ||
+ clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509) {
+ auth::setInternalUserAuthParams(
+ BSON(saslCommandMechanismFieldName
+ << "MONGODB-X509"
+ << saslCommandUserDBFieldName
+ << "$external"
+ << saslCommandUserFieldName
+ << getSSLManager()->getSSLConfiguration().clientSubjectName.toString()));
+ }
+#endif
+
+ return true;
+}
+} // namespace mongo
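Review bot: The new translation unit includes `mongo/db/initialize_server_global_state.h` as its primary header instead of its own `mongo/db/initialize_server_security_state.h`, so `ServiceContext` is visible only through whatever the other header pulls in, and a signature drift from the declaration would surface only at link time. Replace that include with `#include "mongo/db/initialize_server_security_state.h"`. The carried-over comment `// error message printed in setUpPrivateKey` names a function that does not match the call and should read `// error message printed in setUpSecurityKey`. Inside the `MONGO_CONFIG_SSL` block, `getSSLManager()` is dereferenced unchecked; presumably it is non-null whenever the cluster auth mode is x509 or sendX509, and a one-line comment stating that assumption would make the precondition reviewable.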
diff --git a/src/mongo/db/initialize_server_security_state.h b/src/mongo/db/initialize_server_security_state.h
new file mode 100644
index 00000000000..d6c4d18b08e
--- /dev/null
+++ b/src/mongo/db/initialize_server_security_state.h
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#pragma once
+
+namespace mongo {
+
+class ServiceContext;
+
+/**
+ * Perform security initialization activity for mongod and mongos.
+ */
+bool initializeServerSecurityGlobalState(ServiceContext* service);
+
+} // namespace mongo
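Review bot: The doc comment on `initializeServerSecurityGlobalState` does not say what the return value means or what the function changes, even though it is the single entry point that turns authorization on. I would extend it to state that it loads the cluster key file when one is configured and the cluster auth mode is not x509, enables authorization unless the mode is undefined or `transitionToAuth` is set, and sets the internal x509 user parameters on SSL builds. It should also state the return contract, for example `Returns false if the security key could not be set up; the caller must abort startup.` If the function is expected to run only after `initializeServerGlobalState`, as both call sites in this commit do, say so as well.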
diff --git a/src/mongo/s/server.cpp b/src/mongo/s/server.cpp
index 5558bed206b..0b79526e63c 100644
--- a/src/mongo/s/server.cpp
+++ b/src/mongo/s/server.cpp
@@ -51,6 +51,7 @@
#include "mongo/db/client.h"
#include "mongo/db/ftdc/ftdc_mongos.h"
#include "mongo/db/initialize_server_global_state.h"
+#include "mongo/db/initialize_server_security_state.h"
#include "mongo/db/kill_sessions.h"
#include "mongo/db/lasterror.h"
#include "mongo/db/log_process_details.h"
@@ -601,6 +602,9 @@ ExitCode mongoSMain(int argc, char* argv[], char** envp) {
if (!initializeServerGlobalState(service))
return EXIT_ABRUPT;
+ if (!initializeServerSecurityGlobalState(service))
+ quickExit(EXIT_FAILURE);
+
startSignalProcessingThread();
return main(service);
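Review bot: The failure path added here calls `quickExit(EXIT_FAILURE)`, while the check immediately above it in the same function reports failure with `return EXIT_ABRUPT;` and `mongoSMain` returns an `ExitCode`. Unless bypassing the normal return path is intended, use `return EXIT_ABRUPT;` so that both initialization failures leave mongos the same way and with the same exit code. mongoSMain's body starts outside the hunk.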