From c0bb6b8677c895e525c30c738b91c83608dcf04d Mon Sep 17 00:00:00 2001
From: Sara Golemon
Date: Wed, 29 Sep 2021 18:57:08 +0000
Subject: SERVER-60333 Refactor UserName and RoleName
---
 src/mongo/db/commands/user_management_commands.cpp | 39 ++++++++++------------
 .../commands/user_management_commands_common.cpp | 21 +++++-------
 2 files changed, 27 insertions(+), 33 deletions(-)
(limited to 'src/mongo/db/commands')
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index e5a43d3a7bc..28c1590e8d5 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -148,7 +148,7 @@ Status checkOkayToGrantRolesToRole(OperationContext* opCtx,
 for (const auto& roleToAdd : rolesToAdd) {
 if (roleToAdd == role) {
 return {ErrorCodes::InvalidRoleModification,
- str::stream() << "Cannot grant role " << role.getFullName() << " to itself."};
+ str::stream() << "Cannot grant role " << role << " to itself."};
 }
 if (role.getDB() != "admin" && roleToAdd.getDB() != role.getDB()) {
@@ -161,21 +161,20 @@ Status checkOkayToGrantRolesToRole(OperationContext* opCtx,
 auto status = authzManager->rolesExist(opCtx, rolesToAdd);
 if (!status.isOK()) {
 return {status.code(),
- str::stream() << "Cannot grant roles to '" << role.toString()
- << "': " << status.reason()};
+ str::stream() << "Cannot grant roles to '" << role << "': " << status.reason()};
 }
 auto swData = authzManager->resolveRoles(
 opCtx, rolesToAdd, AuthorizationManager::ResolveRoleOption::kRoles);
 if (!swData.isOK()) {
 return {swData.getStatus().code(),
- str::stream() << "Cannot grant roles to '" << role.toString()
+ str::stream() << "Cannot grant roles to '" << role
 << "': " << swData.getStatus().reason()};
 }
 if (sequenceContains(swData.getValue().roles.get(), role)) {
 return {ErrorCodes::InvalidRoleModification,
- str::stream() << "Granting roles to " << role.getFullName()
+ str::stream() << "Granting roles to " << role
 << " would introduce a cycle in the role graph"};
 }
@@ -414,8 +413,7 @@ Status updateRoleDocument(OperationContext* opCtx, const RoleName& role, const B
 return status;
 }
 if (status.code() == ErrorCodes::NoMatchingDocument) {
- return Status(ErrorCodes::RoleNotFound,
- str::stream() << "Role " << role.getFullName() << " not found");
+ return Status(ErrorCodes::RoleNotFound, str::stream() << "Role " << role << " not found");
 }
 if (status.code() == ErrorCodes::UnknownError) {
 return Status(ErrorCodes::RoleModificationFailed, status.reason());
@@ -476,8 +474,7 @@ Status updatePrivilegeDocument(OperationContext* opCtx,
 return {ErrorCodes::UserModificationFailed, status.reason()};
 }
 if (status.code() == ErrorCodes::NoMatchingDocument) {
- return {ErrorCodes::UserNotFound,
- str::stream() << "User " << user.getFullName() << " not found"};
+ return {ErrorCodes::UserNotFound, str::stream() << "User " << user << " not found"};
 }
 return status;
 }
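Review bot: The text of the two `Cannot grant roles to '…'` messages in the -161 hunk may change with this commit, because they previously called `role.toString()` while the neighbouring messages called `role.getFullName()`, and all of them now stream `role` directly. What they print now depends on `operator<<` for RoleName, which is not part of this view of the commit; if the two accessors ever rendered differently, clients and tests that match on these strings would see new text, so it is worth confirming against the operator's definition. The same function also quotes the name in these two messages and leaves it bare in `"Granting roles to " << role`; the role name is caller-supplied, so delimiting it the same way everywhere, e.g. `"Granting roles to '" << role << "'"`, keeps the messages unambiguous. checkOkayToGrantRolesToRole starts and ends outside the hunk.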
@@ -1228,7 +1225,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext* opCtx)
 uassertStatusOK(status);
 uassert(ErrorCodes::UserNotFound,
- str::stream() << "User '" << userName.getFullName() << "' not found",
+ str::stream() << "User '" << userName << "' not found",
 numMatched > 0);
 }
@@ -1598,7 +1595,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationCo
 !cmd.getPrivileges().empty());
 uassert(ErrorCodes::BadValue,
- str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
+ str::stream() << roleName << " is a built-in role and cannot be modified",
 !auth::isBuiltinRole(roleName));
 auto* client = opCtx->getClient();
@@ -1647,7 +1644,7 @@ void CmdUMCTyped::Invocation::typedRun(Operatio
 !cmd.getPrivileges().empty());
 uassert(ErrorCodes::BadValue,
- str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
+ str::stream() << roleName << " is a built-in role and cannot be modified",
 !auth::isBuiltinRole(roleName));
 auto* client = opCtx->getClient();
@@ -1701,7 +1698,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext
 !cmd.getRoles().empty());
 uassert(ErrorCodes::BadValue,
- str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
+ str::stream() << roleName << " is a built-in role and cannot be modified",
 !auth::isBuiltinRole(roleName));
 auto rolesToAdd = auth::resolveRoleNames(cmd.getRoles(), dbname);
@@ -1741,7 +1738,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationCont
 !cmd.getRoles().empty());
 uassert(ErrorCodes::BadValue,
- str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
+ str::stream() << roleName << " is a built-in role and cannot be modified",
 !auth::isBuiltinRole(roleName));
 auto rolesToRemove = auth::resolveRoleNames(cmd.getRoles(), dbname);
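Review bot: The built-in-role guard in the -1598 hunk is repeated verbatim in the hunks at -1647, -1701, -1741 and -1842, so the check that keeps built-in roles immutable lives in five copies whose condition and message can drift apart. A file-local helper, for example `void uassertNotBuiltinRole(const RoleName& roleName)` (the name is only a suggestion), wrapping the existing `uassert(ErrorCodes::BadValue, …, !auth::isBuiltinRole(roleName))` would give every role-mutating command one call to make and one message to maintain. Each typedRun body starts and ends outside its hunk, so whether other commands in the file carry the same guard is not visible here.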
@@ -1842,7 +1839,7 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext* opCtx)
 RoleName roleName(cmd.getCommandParameter(), dbname);
 uassert(ErrorCodes::BadValue,
- str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified",
+ str::stream() << roleName << " is a built-in role and cannot be modified",
 !auth::isBuiltinRole(roleName));
 auto* client = opCtx->getClient();
@@ -1868,8 +1865,8 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext* opCtx)
 BSON("$pull" << BSON("roles" << roleName.toBSON())));
 if (!swCount.isOK()) {
 return useDefaultCode(swCount.getStatus(), ErrorCodes::UserModificationFailed)
- .withContext(str::stream() << "Failed to remove role " << roleName.getFullName()
- << " from all users");
+ .withContext(str::stream()
+ << "Failed to remove role " << roleName << " from all users");
 }
 // Remove this role from all other roles
@@ -1878,15 +1875,15 @@ void CmdUMCTyped::Invocation::typedRun(OperationContext* opCtx)
 BSON("$pull" << BSON("roles" << roleName.toBSON())));
 if (!swCount.isOK()) {
 return useDefaultCode(swCount.getStatus(), ErrorCodes::RoleModificationFailed)
- .withContext(str::stream() << "Failed to remove role " << roleName.getFullName()
- << " from all users");
+ .withContext(str::stream()
+ << "Failed to remove role " << roleName << " from all users");
 }
 // Finally, remove the actual role document
 swCount = txn.remove(AuthorizationManager::rolesCollectionNamespace, roleName.toBSON());
 if (!swCount.isOK()) {
- return swCount.getStatus().withContext(str::stream() << "Failed to remove role "
- << roleName.getFullName());
+ return swCount.getStatus().withContext(str::stream()
+ << "Failed to remove role " << roleName);
 }
 return Status::OK();
diff --git a/src/mongo/db/commands/user_management_commands_common.cpp b/src/mongo/db/commands/user_management_commands_common.cpp
index 0bc6f32cf49..7e2a861bfb1 100644
--- a/src/mongo/db/commands/user_management_commands_common.cpp
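Review bot: The error context in the -1878 hunk still reads `" from all users"`, although the comment directly above that block says `// Remove this role from all other roles` and the failure is mapped to RoleModificationFailed. Someone triaging a failed role drop from this message would look at the users collection rather than the roles collection. Since the line is being rewritten anyway, suggest `<< "Failed to remove role " << roleName << " from all roles");`. The update call's first arguments are above the hunk, so confirm there that the target really is the roles collection.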
+++ b/src/mongo/db/commands/user_management_commands_common.cpp
@@ -90,8 +90,7 @@ Status checkAuthorizedToGrantRoles(AuthorizationSession* authzSession,
 if (!authzSession->isAuthorizedForActionsOnResource(
 ResourcePattern::forDatabaseName(roles[i].getDB()), ActionType::grantRole)) {
 return Status(ErrorCodes::Unauthorized,
- str::stream()
- << "Not authorized to grant role: " << roles[i].getFullName());
+ str::stream() << "Not authorized to grant role: " << roles[i]);
 }
 }
@@ -116,8 +115,7 @@ Status checkAuthorizedToRevokeRoles(AuthorizationSession* authzSession,
 if (!authzSession->isAuthorizedForActionsOnResource(
 ResourcePattern::forDatabaseName(roles[i].getDB()), ActionType::revokeRole)) {
 return Status(ErrorCodes::Unauthorized,
- str::stream()
- << "Not authorized to revoke role: " << roles[i].getFullName());
+ str::stream() << "Not authorized to revoke role: " << roles[i]);
 }
 }
 return Status::OK();
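Review bot: The visible bodies of checkAuthorizedToGrantRoles (hunk at -90) and checkAuthorizedToRevokeRoles (hunk at -116) differ only in the ActionType and the verb in the message, so two copies of the same per-role authorization check have to be kept in step by hand. A shared file-local helper that takes the action and the verb, with both functions reduced to one call each, would mean a future change to the resource pattern or the error text cannot be applied to one and missed in the other. Both loop headers and the start of each function are outside the hunks, so this assumes the parts not shown match as well.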
@@ -201,16 +199,15 @@ void checkAuthForTypedCommand(Client* client, const UpdateUserCommand& request)
 auto* as = AuthorizationSession::get(client);
 UserName userName(request.getCommandParameter(), dbname);
- uassert(
- ErrorCodes::Unauthorized,
- str::stream() << "Not authorized to change password of user: " << userName.getFullName(),
- (request.getPwd() == boost::none) || isAuthorizedToChangeOwnPasswordAsUser(as, userName) ||
- as->isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(dbname),
- ActionType::changePassword));
+ uassert(ErrorCodes::Unauthorized,
+ str::stream() << "Not authorized to change password of user: " << userName,
+ (request.getPwd() == boost::none) ||
+ isAuthorizedToChangeOwnPasswordAsUser(as, userName) ||
+ as->isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(dbname),
+ ActionType::changePassword));
 uassert(ErrorCodes::Unauthorized,
- str::stream() << "Not authorized to change customData of user: "
- << userName.getFullName(),
+ str::stream() << "Not authorized to change customData of user: " << userName,
 (request.getCustomData() == boost::none) ||
 isAuthorizedToChangeOwnCustomDataAsUser(as, userName) ||
 as->isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(dbname),
-- cgit v1.2.1