// security_common.cpp
/*
* Copyright (C) 2010 10gen Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see .
*/
/**
* This file contains inter-mongo instance security helpers. Due to the
* requirement that it be possible to compile this into mongos and mongod, it
* should not depend on much external stuff.
*/
#include "pch.h"
#include "security.h"
#include "security_common.h"
#include "../client/dbclient.h"
#include "commands.h"
#include "nonce.h"
#include "../util/md5.hpp"
#include "client_common.h"
#include
namespace mongo {
bool noauth = true;
AuthInfo internalSecurity;
bool setUpSecurityKey(const string& filename) {
struct stat stats;
// check obvious file errors
if (stat(filename.c_str(), &stats) == -1) {
log() << "error getting file " << filename << ": " << strerror(errno) << endl;
return false;
}
#if !defined(_WIN32)
// check permissions: must be X00, where X is >= 4
if ((stats.st_mode & (S_IRWXG|S_IRWXO)) != 0) {
log() << "permissions on " << filename << " are too open" << endl;
return false;
}
#endif
const unsigned long long fileLength = stats.st_size;
if (fileLength < 6 || fileLength > 1024) {
log() << " key file " << filename << " has length " << stats.st_size
<< ", must be between 6 and 1024 chars" << endl;
return false;
}
FILE* file = fopen( filename.c_str(), "rb" );
if (!file) {
log() << "error opening file: " << filename << ": " << strerror(errno) << endl;
return false;
}
string str = "";
// strip key file
unsigned long long read = 0;
while (read < fileLength) {
char buf;
int readLength = fread(&buf, 1, 1, file);
if (readLength < 1) {
log() << "error reading file " << filename << endl;
return false;
}
read++;
// check for whitespace
if ((buf >= '\x09' && buf <= '\x0D') || buf == ' ') {
continue;
}
// check valid base64
if ((buf < 'A' || buf > 'Z') && (buf < 'a' || buf > 'z') && (buf < '0' || buf > '9') && buf != '+' && buf != '/') {
log() << "invalid char in key file " << filename << ": " << buf << endl;
return false;
}
str += buf;
}
if (str.size() < 6) {
log() << "security key must be at least 6 characters" << endl;
return false;
}
log(1) << "security key: " << str << endl;
// createPWDigest should really not be a member func
DBClientConnection conn;
internalSecurity.pwd = conn.createPasswordDigest(internalSecurity.user, str);
return true;
}
void CmdAuthenticate::authenticate(const string& dbname, const string& user, const bool readOnly) {
ClientBasic* c = ClientBasic::getCurrent();
assert(c);
AuthenticationInfo *ai = c->getAuthenticationInfo();
if ( readOnly ) {
ai->authorizeReadOnly( dbname , user );
}
else {
ai->authorize( dbname , user );
}
}
bool AuthenticationInfo::_isAuthorized(const string& dbname, Auth::Level level) const {
{
scoped_spinlock lk(_lock);
if ( _isAuthorizedSingle_inlock( dbname , level ) )
return true;
if ( noauth )
return true;
if ( _isAuthorizedSingle_inlock( "admin" , level ) )
return true;
if ( _isAuthorizedSingle_inlock( "local" , level ) )
return true;
}
return _isAuthorizedSpecialChecks( dbname );
}
bool AuthenticationInfo::_isAuthorizedSingle_inlock(const string& dbname, Auth::Level level) const {
MA::const_iterator i = _dbs.find(dbname);
return i != _dbs.end() && i->second.level >= level;
}
} // namespace mongo