/** * Copyright (C) 2018-present MongoDB, Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the Server Side Public License, version 1, * as published by MongoDB, Inc. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * Server Side Public License for more details. * * You should have received a copy of the Server Side Public License * along with this program. If not, see * . * * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the Server Side Public License in all respects for * all of the code used other than as permitted herein. If you modify file(s) * with this exception, you may extend this exception to your version of the * file(s), but you are not obligated to do so. If you do not wish to do so, * delete this exception statement from your version. If you delete this * exception statement from all source files in the program, then also delete * it in the license file. */ #pragma once #include "mongo/base/status_with.h" #include "mongo/base/string_data.h" #include "mongo/bson/bsonelement.h" #include "mongo/bson/bsonmisc.h" #include "mongo/db/auth/restriction.h" #include "mongo/db/auth/restriction_environment.h" #include "mongo/db/auth/restriction_set.h" #include "mongo/util/net/cidr.h" #include #include #include namespace mongo { namespace address_restriction_detail { struct ClientSource { static constexpr auto label = "Client source "_sd; static constexpr auto field = "clientSource"_sd; static auto addr(const RestrictionEnvironment& environment) { return environment.getClientSource(); } }; struct ServerAddress { static constexpr auto label = "Server address "_sd; static constexpr auto const field = "serverAddress"_sd; static auto addr(const RestrictionEnvironment& environment) { return environment.getServerAddress(); } }; // Represents a restriction based on client or server address template class AddressRestriction : public NamedRestriction { public: /** * Construct an empty AddressRestriction. * Note that an empty AddressRestriciton will not validate * against any addresses, since nothing has been whitelisted. */ AddressRestriction() = default; /** * Construct an AddressRestriction based on a human readable subnet spec */ explicit AddressRestriction(const StringData range) : _ranges({CIDR(range)}) {} /** * Construct an AddressRestriction based on several human readable subnet specs */ template explicit AddressRestriction(const std::vector& ranges) { for (auto const& range : ranges) { _ranges.emplace_back(range); } } /** * Returns true if the Environment's client/server's address * satisfies this restriction set. */ Status validate(const RestrictionEnvironment& environment) const override { auto const addr = T::addr(environment); if (!addr.isIP()) { std::ostringstream s; s << T::label << " is not an IP address: " << addr.getAddr(); return {ErrorCodes::AuthenticationRestrictionUnmet, s.str()}; } const CIDR address(addr.getAddr()); for (auto const& range : _ranges) { if (range.contains(address)) { return Status::OK(); } } std::ostringstream s; s << addr.getAddr() << " does not fall within: "; serialize(s); return {ErrorCodes::AuthenticationRestrictionUnmet, s.str()}; } /** * Append to builder an array element with the human-readable CIDR ranges. */ void appendToBuilder(BSONObjBuilder* builder) const override { BSONArrayBuilder b; for (auto const& range : _ranges) { b.append(range.toString()); } builder->append(T::field, b.arr()); } friend bool operator==(const AddressRestriction& lhs, const AddressRestriction& rhs) { return lhs.equalityLens() == rhs.equalityLens(); } friend bool operator!=(const AddressRestriction& lhs, const AddressRestriction& rhs) { return !(lhs == rhs); } private: auto equalityLens() const { return std::tie(_ranges); } void serialize(std::ostream& os) const override { os << "{\"" << T::field << "\": ["; auto sz = _ranges.size() - 1; for (auto const& range : _ranges) { os << '"' << range << '"'; if (sz--) { os << ", "; } } os << "]}"; } std::vector _ranges; }; } // namespace address_restriction_detail using ClientSourceRestriction = address_restriction_detail::AddressRestriction; using ServerAddressRestriction = address_restriction_detail::AddressRestriction; /** * Parse a set of clientSource, serverAddress, or both * and return a RestrictionSet on success. */ StatusWith> parseAddressRestrictionSet(const BSONObj& obj); /** * Parse a BSON representation of an array of RestrictionSet>s * and return a SharedRestrictionDocument on success. */ StatusWith parseAuthenticationRestriction(const BSONArray& arr); /** * Parse and validate a BSONArray containing AuthenticationRestrictions * and return a new BSONArray representing a sanitized portion thereof. */ StatusWith getRawAuthenticationRestrictions(const BSONArray& arr) noexcept; template <> inline BSONObjBuilder& BSONObjBuilderValueStream::operator<<( ClientSourceRestriction value) { BSONObjBuilder b; value.appendToBuilder(&b); _builder->append(_fieldName, b.obj()); _fieldName = StringData(); return *_builder; } template <> inline BSONObjBuilder& BSONObjBuilderValueStream::operator<<( ServerAddressRestriction value) { BSONObjBuilder b; value.appendToBuilder(&b); _builder->append(_fieldName, b.obj()); _fieldName = StringData(); return *_builder; } } // namespace mongo