From 8d23154ed3e086213c5bd59b3e2fcba96a3cca41 Mon Sep 17 00:00:00 2001
From: Randolph Tan
Date: Mon, 28 Jan 2019 17:00:20 -0500
Subject: SERVER-39232 Allow commands that do not require auth to refresh sessions
---
 src/mongo/db/initialize_operation_session_info.cpp | 14 +++++++++-----
 src/mongo/db/logical_session_id_test.cpp | 17 +++++++++++++++++
 2 files changed, 26 insertions(+), 5 deletions(-)
(limited to 'src/mongo/db')
diff --git a/src/mongo/db/initialize_operation_session_info.cpp b/src/mongo/db/initialize_operation_session_info.cpp
index e513126f173..b48027bc130 100644
--- a/src/mongo/db/initialize_operation_session_info.cpp
+++ b/src/mongo/db/initialize_operation_session_info.cpp
@@ -60,16 +60,20 @@ OperationSessionInfoFromClient initializeOperationSessionInfo(OperationContext*
 !osi.getAutocommit());
 uassert( 50889, "It is illegal to provide a txnNumber for this command", !osi.getTxnNumber());
- return {};
 }
- {
+ if (auto authSession = AuthorizationSession::get(opCtx->getClient())) {
 // If we're using the localhost bypass, and the client hasn't authenticated,
 // logical sessions are disabled. A client may authenticate as the __sytem user,
 // or as an externally authorized user.
- AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
- if (authSession && authSession->isUsingLocalhostBypass() &&
- !authSession->isAuthenticated()) {
+ if (authSession->isUsingLocalhostBypass() && !authSession->isAuthenticated()) {
+ return {};
+ }
+
+ // Do not initialize lsid when auth is enabled and no user is logged in since
+ // there is no sensible uid that can be assigned to it.
+ if (AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() &&
+ !authSession->isAuthenticated() && !requiresAuth) {
 return {};
 }
 }
diff --git a/src/mongo/db/logical_session_id_test.cpp b/src/mongo/db/logical_session_id_test.cpp
index 1bf9e9b4658..3d90d189d5b 100644
--- a/src/mongo/db/logical_session_id_test.cpp
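Review bot: The new unauthenticated-client guard sits inside `if (auto authSession = AuthorizationSession::get(opCtx->getClient()))`, so a client for which that lookup yields null skips both early returns and falls through to lsid initialization; with the `return {};` removed from the preceding block (presumably the branch for commands that do not require auth, per the commit subject), those commands now reach this path as well. Whether a null session can occur while auth is enabled is not visible here, so either state that invariant in a comment above the `if`, or evaluate the second guard with a missing session treated as unauthenticated, e.g. `const bool authenticated = authSession && authSession->isAuthenticated();` tested outside the `if`. The guard also returns an empty result silently, so its comment should say that a client-supplied lsid is ignored rather than rejected in this case. The body of initializeOperationSessionInfo starts and ends outside the hunk.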
+++ b/src/mongo/db/logical_session_id_test.cpp
@@ -383,5 +383,22 @@ TEST_F(LogicalSessionIdTest, ConstructorFromClientWithTooLongName) {
 ASSERT_THROWS(makeLogicalSessionId(req, _opCtx.get()), AssertionException);
 }
+TEST_F(LogicalSessionIdTest, MultipleUsersPerSessionIsNotAllowed) {
+ addSimpleUser(UserName("simple", "test"));
+ addSimpleUser(UserName("simple", "test2"));
+
+ LogicalSessionFromClient lsid;
+ lsid.setId(UUID::gen());
+
+ ASSERT_THROWS_CODE(initializeOperationSessionInfo(
+ _opCtx.get(),
+ BSON("TestCmd" << 1 << "lsid" << lsid.toBSON() << "txnNumber" << 100LL),
+ true,
+ true,
+ true),
+ AssertionException,
+ ErrorCodes::Unauthorized);
+}
+
 } // namespace
 } // namespace mongo
-- cgit v1.2.1
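Review bot: The added test appears to cover only the rejection of a client with two users on one session, so neither path introduced in initialize_operation_session_info.cpp is exercised: the empty result when auth is enabled, no user is logged in and the command does not require auth, and the newly allowed case where such a command carries an lsid from an authenticated user. One test per path would pin the behaviour the commit subject describes and guard against the authorization check regressing. The three positional `true` arguments are also opaque at the call site; annotate each with its parameter name, e.g. `true /* requiresAuth */` on whichever position that is (the signature is not visible in this diff).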