/** * Copyright (C) 2018-present MongoDB, Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the Server Side Public License, version 1, * as published by MongoDB, Inc. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * Server Side Public License for more details. * * You should have received a copy of the Server Side Public License * along with this program. If not, see * . * * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the Server Side Public License in all respects for * all of the code used other than as permitted herein. If you modify file(s) * with this exception, you may extend this exception to your version of the * file(s), but you are not obligated to do so. If you do not wish to do so, * delete this exception statement from your version. If you delete this * exception statement from all source files in the program, then also delete * it in the license file. */ #pragma once #include "mongo/crypto/mechanism_scram.h" #include "mongo/db/auth/sasl_mechanism_policies.h" #include "mongo/db/auth/sasl_mechanism_registry.h" #include "mongo/util/icu.h" namespace mongo { /** * Server side authentication session for SASL SCRAM-SHA-1/256. */ template class SaslSCRAMServerMechanism final : public MakeServerMechanism { public: using HashBlock = typename Policy::HashBlock; explicit SaslSCRAMServerMechanism(std::string authenticationDatabase) : MakeServerMechanism(std::move(authenticationDatabase)) {} /** * Take one step in a SCRAM-SHA-1 conversation. * * @return !Status::OK() if auth failed. The boolean part indicates if the * authentication conversation is finished or not. * **/ StatusWith> stepImpl(OperationContext* opCtx, StringData inputData); StatusWith saslPrep(StringData str) const { if (std::is_same::value) { return str.toString(); } else { return icuSaslPrep(str); } } Status setOptions(BSONObj options) final; private: /** * Parse client-first-message and generate server-first-message **/ StatusWith> _firstStep(OperationContext* opCtx, StringData input); /** * Parse client-final-message and generate server-final-message **/ StatusWith> _secondStep(OperationContext* opCtx, StringData input); int _step{0}; std::string _authMessage; // The secrets to check the client proof against during the second step // Usually only contains one element, except during key rollover. std::vector> _secrets; // client and server nonce concatenated std::string _nonce; // Do not send empty 3rd reply in scram conversation. bool _skipEmptyExchange{false}; }; extern template class SaslSCRAMServerMechanism; extern template class SaslSCRAMServerMechanism; template class SCRAMServerFactory : public MakeServerFactory { public: using MakeServerFactory::MakeServerFactory; static constexpr bool isInternal = true; bool canMakeMechanismForUser(const User* user) const final { auto credentials = user->getCredentials(); return credentials.scram().isValid(); } }; using SaslSCRAMSHA1ServerMechanism = SaslSCRAMServerMechanism; using SCRAMSHA1ServerFactory = SCRAMServerFactory; using SaslSCRAMSHA256ServerMechanism = SaslSCRAMServerMechanism; using SCRAMSHA256ServerFactory = SCRAMServerFactory; } // namespace mongo