From c1bfa707cdfbaeec7c6b05aaac787bfb354665ba Mon Sep 17 00:00:00 2001
From: Sara Golemon
Date: Sun, 28 Feb 2021 23:33:34 +0000
Subject: SERVER-54972 Add ActionTypes, ErrorCodes, and OpObserver hook for Runtime Audit Config
---
 src/mongo/base/error_codes.yml | 3 +++
 src/mongo/db/audit.cpp | 2 ++
 src/mongo/db/audit.h | 7 +++++++
 src/mongo/db/auth/action_type.idl | 1 +
 src/mongo/db/auth/builtin_roles.cpp | 1 +
 src/mongo/db/mongod_main.cpp | 8 ++++++++
 6 files changed, 22 insertions(+)
(limited to 'src/mongo')
diff --git a/src/mongo/base/error_codes.yml b/src/mongo/base/error_codes.yml
index dbaa419226b..948745052fd 100644
--- a/src/mongo/base/error_codes.yml
+++ b/src/mongo/base/error_codes.yml
@@ -431,6 +431,9 @@ error_codes:
 - {code: 343, name: ShardCannotRefreshDueToLocksHeld, extra: ShardCannotRefreshDueToLocksHeldInfo}
+ - {code: 344, name: AuditingNotEnabled}
+ - {code: 345, name: RuntimeAuditConfigurationNotEnabled}
+
 # Error codes 4000-8999 are reserved.
 # Non-sequential error codes for compatibility only)
diff --git a/src/mongo/db/audit.cpp b/src/mongo/db/audit.cpp
index 512e8692e69..18b55d59a3e 100644
--- a/src/mongo/db/audit.cpp
+++ b/src/mongo/db/audit.cpp
@@ -31,6 +31,8 @@ namespace mongo {
 namespace audit {
+std::function initializeManager;
+std::function opObserverRegistrar;
 #if !MONGO_ENTERPRISE_AUDIT
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h
index 914184c49b3..6927467abae 100644
--- a/src/mongo/db/audit.h
+++ b/src/mongo/db/audit.h
@@ -34,6 +34,8 @@
 #pragma once
+#include
+
 #include "mongo/base/error_codes.h"
 #include "mongo/db/auth/privilege.h"
 #include "mongo/db/auth/user.h"
@@ -49,6 +51,7 @@ class BSONObjBuilder;
 class Client;
 class NamespaceString;
 class OperationContext;
+class OpObserverRegistry;
 class StringData;
 class UserName;
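Review bot: The two `std::function` hooks defined right after `namespace audit {` are process-wide mutable globals, and the `mongod_main.cpp` hunks in this same commit test and invoke them with no synchronization, so the only workable contract is "assigned once during static initialization, before `_initAndListen` runs, never reassigned" — nothing at the definition says so. I would state it there: `// Installed (presumably by the enterprise audit module) during static init; read without locking by mongod_main.cpp at startup and never written afterwards.` It is also worth a sentence that the definitions deliberately sit outside the `#if !MONGO_ENTERPRISE_AUDIT` block that follows them, so community builds carry empty hooks the callers skip, before someone "tidies" them inside the guard. The enclosing namespace continues outside the hunk.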
@@ -58,6 +61,10 @@ class Document;
 namespace audit {
+// AuditManager hooks.
+extern std::function initializeManager;
+extern std::function opObserverRegistrar;
+
 /**
 * Struct that temporarily stores client information when an audit hook
 * executes on a separate thread with a new Client. In those cases, ImpersonatedClientAttrs
diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl
index 05876605f42..ab8effd2b09 100644
--- a/src/mongo/db/auth/action_type.idl
+++ b/src/mongo/db/auth/action_type.idl
@@ -45,6 +45,7 @@ enums:
 anyAction : "anyAction" # Special ActionType that represents *all* actions
 appendOplogNote : "appendOplogNote"
 applicationMessage : "applicationMessage"
+ auditConfigure : "auditConfigure"
 auditLogRotate : "auditLogRotate" # ID only
 authCheck : "authCheck" # ID only
 authenticate : "authenticate" # ID only
diff --git a/src/mongo/db/auth/builtin_roles.cpp b/src/mongo/db/auth/builtin_roles.cpp
index c7e52878c0b..3f53b990080 100644
--- a/src/mongo/db/auth/builtin_roles.cpp
+++ b/src/mongo/db/auth/builtin_roles.cpp
@@ -208,6 +208,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
 // hostManager role actions that target the cluster resource
 hostManagerRoleClusterActions << ActionType::applicationMessage // clusterManager gets this also
+ << ActionType::auditConfigure
 << ActionType::connPoolSync
 << ActionType::dropConnections
 << ActionType::logRotate
diff --git a/src/mongo/db/mongod_main.cpp b/src/mongo/db/mongod_main.cpp
index fed12fe6c3f..87ef0c7a245 100644
--- a/src/mongo/db/mongod_main.cpp
+++ b/src/mongo/db/mongod_main.cpp
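Review bot: `// AuditManager hooks.` above the two `extern` declarations tells a reader of the public header nothing about what each hook must do or when it is invoked, and this header is the only place an implementer will look. From the callers in this commit the contract is: `initializeManager` is called once from `_initAndListen`, after `AuthorizationManager::initialize` has succeeded, and its result is not examined, so failure has to be reported by throwing (a `uassert`); `opObserverRegistrar` is called once from `setUpObservers` with the registry that is about to be installed on the ServiceContext. A three-line comment saying exactly that, plus that both hooks stay empty in community builds and are then skipped, would replace the current one-liner. The `namespace audit` scope continues outside the hunk.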
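Review bot: Adding `ActionType::auditConfigure` to `hostManagerRoleClusterActions` hands runtime audit reconfiguration to every hostManager, the built-in role operators are routinely given for maintenance actions such as the neighbouring `logRotate`, so an operator with that role can narrow or switch off the trail that records their own activity; if clusterAdmin still aggregates hostManager (I cannot confirm that from this hunk), it inherits the action too. Whether audit configuration should live inside a general-purpose operations role is a privilege-boundary decision the commit message does not address; keeping the action out of the built-in roles so it has to be granted explicitly, or giving it a dedicated role, would keep the audit policy out of reach of routine maintenance accounts. At minimum the line deserves a comment naming the consequence, e.g. `<< ActionType::auditConfigure  // lets the holder alter the runtime audit configuration (SERVER-54972)`. The initializer continues outside the hunk.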
@@ -520,6 +520,10 @@ ExitCode _initAndListen(ServiceContext* serviceContext, int listenPort) {
 auto const globalAuthzManager = AuthorizationManager::get(serviceContext);
 uassertStatusOK(globalAuthzManager->initialize(startupOpCtx.get()));
+ if (audit::initializeManager) {
+ audit::initializeManager(startupOpCtx.get());
+ }
+
 // This is for security on certain platforms (nonce generation)
 srand((unsigned)(curTimeMicros64()) ^ (unsigned(uintptr_t(&startupOpCtx))));
@@ -1034,6 +1038,10 @@ void setUpObservers(ServiceContext* serviceContext) {
 setupFreeMonitoringOpObserver(opObserverRegistry.get());
+ if (audit::opObserverRegistrar) {
+ audit::opObserverRegistrar(opObserverRegistry.get());
+ }
+
 serviceContext->setOpObserver(std::move(opObserverRegistry));
 }
--
cgit v1.2.1
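Review bot: The `if (audit::initializeManager)` guard after `globalAuthzManager->initialize` lets a build in which only one of the two audit hooks was installed start silently half-wired, because `setUpObservers` applies the same optional check to `audit::opObserverRegistrar` independently; the result is either an op observer with no manager behind it or a manager whose events nobody observes, with no error at startup. If the two hooks are always installed together (I cannot see the installer from here), pin that before the call with `invariant(static_cast<bool>(audit::initializeManager) == static_cast<bool>(audit::opObserverRegistrar));` so a partial link fails fast instead of degrading the audit pipeline. A short comment that community builds leave the hook empty and skip it on purpose, e.g. `// Enterprise audit manager hook; unset (and skipped) in community builds.`, would also stop a later reader from treating the missing else-branch as an oversight. `_initAndListen` begins and ends outside the hunk.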
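Review bot: The `audit::opObserverRegistrar` call in `setUpObservers` carries no comment on why it must sit exactly here: it is the last point at which `opObserverRegistry` can still be extended, since the next statement moves it into the ServiceContext, and its place after `setupFreeMonitoringOpObserver` presumably fixes the order in which the registry dispatches to observers. I would add above the `if`: `// Enterprise audit op observer (no-op in community builds); must run before the registry is moved into the ServiceContext below.` If the relative order of observers matters for audit correctness, the commit message does not say so, and the comment should.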