void Pipeline::addRequiredPrivileges(Command* commandTemplate,
const string& db,
BSONObj cmdObj,
vector<Privilege>* out) {
ResourcePattern inputResource(commandTemplate->parseResourcePattern(db, cmdObj));
uassert(17138,
mongoutils::str::stream() << "Invalid input resource, " << inputResource.toString(),
inputResource.isExactNamespacePattern());
out->push_back(Privilege(inputResource, ActionType::find));
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
if (str::equals(stage.firstElementFieldName(), "$out")) {
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " <<
outputNs.ns(),
outputNs.isValid());
ActionSet actions;
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
out->push_back(Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
}
}
intrusive_ptr<DocumentSource> DocumentSourceOut::createFromBson(
BSONElement elem, const intrusive_ptr<ExpressionContext>& pExpCtx) {
uassert(16990,
str::stream() << "$out only supports a string argument, not " << typeName(elem.type()),
elem.type() == String);
NamespaceString outputNs(pExpCtx->ns.db().toString() + '.' + elem.str());
uassert(17385, "Can't $out to special collection: " + elem.str(), !outputNs.isSpecial());
return new DocumentSourceOut(outputNs, pExpCtx);
}
intrusive_ptr<DocumentSource> DocumentSourceOut::createFromBson(
BSONElement *pBsonElement,
const intrusive_ptr<ExpressionContext> &pExpCtx) {
uassert(16990, str::stream() << "$out only supports a string argument, not "
<< typeName(pBsonElement->type()),
pBsonElement->type() == String);
NamespaceString outputNs(pExpCtx->getNs().db().toString() + '.' + pBsonElement->str());
return new DocumentSourceOut(outputNs, pExpCtx);
}
Status Pipeline::checkAuthForCommand(ClientBasic* client,
const std::string& db,
const BSONObj& cmdObj) {
NamespaceString inputNs(db, cmdObj.firstElement().str());
auto inputResource = ResourcePattern::forExactNamespace(inputNs);
uassert(17138,
mongoutils::str::stream() << "Invalid input namespace, " << inputNs.ns(),
inputNs.isValid());
std::vector<Privilege> privileges;
if (dps::extractElementAtPath(cmdObj, "pipeline.0.$indexStats")) {
Privilege::addPrivilegeToPrivilegeVector(
&privileges,
Privilege(ResourcePattern::forAnyNormalResource(), ActionType::indexStats));
} else if (dps::extractElementAtPath(cmdObj, "pipeline.0.$collStats")) {
Privilege::addPrivilegeToPrivilegeVector(&privileges,
Privilege(inputResource, ActionType::collStats));
} else {
// If no source requiring an alternative permission scheme is specified then default to
// requiring find() privileges on the given namespace.
Privilege::addPrivilegeToPrivilegeVector(&privileges,
Privilege(inputResource, ActionType::find));
}
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
StringData stageName = stage.firstElementFieldName();
if (stageName == "$out" && stage.firstElementType() == String) {
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " << outputNs.ns(),
outputNs.isValid());
ActionSet actions;
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
if (shouldBypassDocumentValidationForCommand(cmdObj)) {
actions.addAction(ActionType::bypassDocumentValidation);
}
Privilege::addPrivilegeToPrivilegeVector(
&privileges, Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
} else if (stageName == "$lookup" && stage.firstElementType() == Object) {
NamespaceString fromNs(db, stage.firstElement()["from"].str());
Privilege::addPrivilegeToPrivilegeVector(
&privileges,
Privilege(ResourcePattern::forExactNamespace(fromNs), ActionType::find));
} else if (stageName == "$graphLookup" && stage.firstElementType() == Object) {
NamespaceString fromNs(db, stage.firstElement()["from"].str());
Privilege::addPrivilegeToPrivilegeVector(
&privileges,
Privilege(ResourcePattern::forExactNamespace(fromNs), ActionType::find));
}
}
intrusive_ptr<DocumentSource> DocumentSourceOut::createFromBson(
BSONElement elem, const intrusive_ptr<ExpressionContext>& pExpCtx) {
uassert(16990,
str::stream() << "$out only supports a string argument, not " << typeName(elem.type()),
elem.type() == String);
uassert(ErrorCodes::InvalidOptions,
"$out can only be used with the 'local' read concern level",
!pExpCtx->opCtx->recoveryUnit()->isReadingFromMajorityCommittedSnapshot());
NamespaceString outputNs(pExpCtx->ns.db().toString() + '.' + elem.str());
uassert(17385, "Can't $out to special collection: " + elem.str(), !outputNs.isSpecial());
return new DocumentSourceOut(outputNs, pExpCtx);
}
void Pipeline::addRequiredPrivileges(Command* commandTemplate,
const string& db,
BSONObj cmdObj,
vector<Privilege>* out) {
ResourcePattern inputResource(commandTemplate->parseResourcePattern(db, cmdObj));
uassert(17138,
mongoutils::str::stream() << "Invalid input resource, " << inputResource.toString(),
inputResource.isExactNamespacePattern());
if (false && cmdObj["allowDiskUsage"].trueValue()) {
// TODO no privilege for this yet.
}
out->push_back(Privilege(inputResource, ActionType::find));
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
if (str::equals(stage.firstElementFieldName(), "$out")) {
// TODO Figure out how to handle temp collection privileges. For now, using the
// output ns is ok since we only do db-level privilege checks.
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " <<
outputNs.ns(),
outputNs.isValid());
ActionSet actions;
// logically on output ns
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
// on temp ns due to implementation, but not logically on output ns
actions.addAction(ActionType::createCollection);
actions.addAction(ActionType::createIndex);
actions.addAction(ActionType::dropCollection);
actions.addAction(ActionType::renameCollectionSameDB);
out->push_back(Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
out->push_back(Privilege(ResourcePattern::forExactNamespace(
NamespaceString(db, "system.indexes")),
ActionType::find));
}
}
