From 526230bafa6e5a49f5783507734fba93486c19ae Mon Sep 17 00:00:00 2001
From: Sara Golemon
Date: Fri, 7 Aug 2020 17:20:40 +0000
Subject: SERVER-50187 Use AuthzManagerExternalState::roleExists() to simplify role checks
---
 src/mongo/db/commands/user_management_commands.cpp | 25 ++++++----------------
 1 file changed, 7 insertions(+), 18 deletions(-)
(limited to 'src/mongo/db/commands')
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index fe1841aa8f9..47f5bc48ee7 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -882,11 +882,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext
 uassertStatusOK(V2UserDocumentParser().checkValidUserDocument(userObj));
 // Role existence has to be checked after acquiring the update lock
- for (const auto& role : cmd.getRoles()) {
- BSONObj ignored;
- uassertStatusOK(
- authzManager->getRoleDescription(opCtx, role.getRoleName(dbname), &ignored));
- }
+ uassertStatusOK(authzManager->rolesExist(opCtx, resolvedRoles));
 // Audit this event.
 auto optCustomData = cmd.getCustomData();
@@ -988,11 +984,8 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext
 // Role existence has to be checked after acquiring the update lock
 if (auto roles = cmd.getRoles()) {
- for (const auto& role : roles.get()) {
- BSONObj ignored;
- uassertStatusOK(
- authzManager->getRoleDescription(opCtx, role.getRoleName(dbname), &ignored));
- }
+ auto resolvedRoles = auth::resolveRoleNames(roles.get(), dbname);
+ uassertStatusOK(authzManager->rolesExist(opCtx, resolvedRoles));
 }
 // Audit this event.
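Review bot: `resolvedRoles` in the added `rolesExist` call of the first hunk is declared outside the hunk, whereas the removed loop resolved each name at the point of the check with `role.getRoleName(dbname)`, so it is no longer visible here that the checked list is the one built from `cmd.getRoles()` against `dbname`. A one-line comment on the call would state that, e.g. `// resolvedRoles: cmd.getRoles() resolved against dbname (see above)`. It is also worth confirming that `rolesExist` reports a missing role with the same error code and role name that the per-role `getRoleDescription` status carried, because all six call sites in this patch hand its status straight to `uassertStatusOK`. typedRun's body starts and ends outside the hunk.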
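Review bot: In the second hunk `resolvedRoles` is scoped to the `if (auto roles = cmd.getRoles())` block, so the list that passes the existence check is discarded before the update is built. If the code after the hunk derives the stored roles from `roles.get()` again, the validated list and the written list are computed separately; declaring the resolved vector before the `if` and reusing it for the write would keep them identical by construction. The rest of typedRun is outside the hunk, so this is a point to verify rather than a confirmed mismatch.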
@@ -1094,9 +1087,8 @@ void CmdUMCTyped::Invocation::typedRun(OperationC
 uassertStatusOK(getCurrentUserRoles(opCtx, authzManager, userName, &userRoles));
 auto resolvedRoleNames = auth::resolveRoleNames(cmd.getRoles(), dbname);
+ uassertStatusOK(authzManager->rolesExist(opCtx, resolvedRoleNames));
 for (const auto& role : resolvedRoleNames) {
- BSONObj roleDoc;
- uassertStatusOK(authzManager->getRoleDescription(opCtx, role, &roleDoc));
 userRoles.insert(role);
 }
@@ -1130,9 +1122,8 @@ void CmdUMCTyped::Invocation::typedRun(Operati
 uassertStatusOK(getCurrentUserRoles(opCtx, authzManager, userName, &userRoles));
 auto resolvedUserRoles = auth::resolveRoleNames(cmd.getRoles(), dbname);
+ uassertStatusOK(authzManager->rolesExist(opCtx, resolvedUserRoles));
 for (const auto& role : resolvedUserRoles) {
- BSONObj roleDoc;
- uassertStatusOK(authzManager->getRoleDescription(opCtx, role, &roleDoc));
 userRoles.erase(role);
 }
@@ -1400,8 +1391,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext
 auto lk = uassertStatusOK(requireWritableAuthSchema28SCRAM(opCtx, authzManager));
 // Role existence has to be checked after acquiring the update lock
- BSONObj ignored;
- uassertStatusOK(authzManager->getRoleDescription(opCtx, roleName, &ignored));
+ uassertStatusOK(authzManager->rolesExist(opCtx, {roleName}));
 if (optRoles) {
 uassertStatusOK(checkOkayToGrantRolesToRole(opCtx, roleName, *optRoles, authzManager));
@@ -1660,8 +1650,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext*
 auto* authzManager = AuthorizationManager::get(serviceContext);
 auto lk = uassertStatusOK(requireWritableAuthSchema28SCRAM(opCtx, authzManager));
- BSONObj roleDoc;
- uassertStatusOK(authzManager->getRoleDescription(opCtx, roleName, &roleDoc));
+ uassertStatusOK(authzManager->rolesExist(opCtx, {roleName}));
 // From here on, we always want to invalidate the user cache before returning.
 auto invalidateGuard = makeGuard([&] {
-- cgit v1.2.1
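Review bot: With the per-role lookup moved out, the `for` loop at -1094 does nothing but insert, so it can be written as one range insert: `userRoles.insert(resolvedRoleNames.begin(), resolvedRoleNames.end());`. This assumes `userRoles` is a standard set-like container, which the hunk suggests through its `insert`/`erase` calls but does not show. The loop in the next hunk has the same shape with `erase`; there the loop form is fine, because the standard set types have no range overload that erases by key.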
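Review bot: On the revoke path at -1130 the `rolesExist` assertion still runs before `userRoles.erase(role)`, so a request naming a role that no longer exists fails even when the user document still lists that role. The removed `getRoleDescription` call behaved the same way, but nothing in the hunk documents it. If it is intended, a comment above the new line would record it, e.g. `// Revocation fails if any named role does not exist, even when the user still holds it`. If it is not intended, the existence check could be dropped for revocation only. The function body continues outside the hunk.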
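Review bot: The `rolesExist(opCtx, {roleName})` call in the last hunk (-1660) lacks the ordering comment that its sibling at -1400 carries. The check sits directly after `requireWritableAuthSchema28SCRAM` acquires `lk`, and that position is presumably what stops the role from being dropped between the check and the write. Adding `// Role existence has to be checked after acquiring the update lock` above the call would keep a later edit from moving it ahead of the lock. The function body continues outside the hunk.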