bool initializeServerGlobalState() {
    // Process-wide start-up steps driven by serverGlobalParams: connection
    // ticket pool, unix-socket directory, pid file, cluster key file and the
    // authorization switch. Each step that fails has already printed or
    // logged its reason; this function just reports false so the caller can
    // abort start-up.
    Listener::globalTicketHolder.resize(serverGlobalParams.maxConns).transitional_ignore();

#ifndef _WIN32
    // The unix socket is created inside a directory; refuse to start when the
    // configured path is not one (unless unix sockets are disabled).
    const bool socketDirMissing =
        !serverGlobalParams.noUnixSocket && !fs::is_directory(serverGlobalParams.socket);
    if (socketDirMissing) {
        cout << serverGlobalParams.socket << " must be a directory" << endl;
        return false;
    }
#endif

    // writePidFile logs its own error message, nothing more to add here.
    if (!serverGlobalParams.pidFile.empty() && !writePidFile(serverGlobalParams.pidFile)) {
        return false;
    }

    const int authMode = serverGlobalParams.clusterAuthMode.load();

    // The cluster key file is only loaded when the cluster does not
    // authenticate purely with x509 certificates. setUpSecurityKey logs its
    // own error message on failure.
    const bool needKeyFile = !serverGlobalParams.keyFile.empty() &&
        authMode != ServerGlobalParams::ClusterAuthMode_x509;
    if (needKeyFile && !setUpSecurityKey(serverGlobalParams.keyFile)) {
        return false;
    }

    // Auto-enable auth unless we are in mixed auth/no-auth (transitionToAuth)
    // or clusterAuthMode was not provided. clusterAuthMode defaults to
    // "keyFile" if a --keyFile parameter is provided.
    const bool autoEnableAuth =
        authMode != ServerGlobalParams::ClusterAuthMode_undefined && !serverGlobalParams.transitionToAuth;
    if (autoEnableAuth) {
        getGlobalAuthorizationManager()->setAuthEnabled(true);
    }

#ifdef MONGO_CONFIG_SSL
    // Intra-cluster auth by certificate: the internal user authenticates with
    // MONGODB-X509 against $external using this node's own client subject name.
    switch (authMode) {
        case ServerGlobalParams::ClusterAuthMode_x509:
        case ServerGlobalParams::ClusterAuthMode_sendX509:
            setInternalUserAuthParams(
                BSON(saslCommandMechanismFieldName
                     << "MONGODB-X509"
                     << saslCommandUserDBFieldName
                     << "$external"
                     << saslCommandUserFieldName
                     << getSSLManager()->getSSLConfiguration().clientSubjectName));
            break;
        default:
            break;
    }
#endif
    return true;
}
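    bool setUpSecurityKey(const string& filename) {
        // Loads the cluster key file named by `filename`: rejects it unless
        // stat() succeeds, (on POSIX) group/other permission bits are clear and
        // the size is within 6..1024 bytes; then reads it byte by byte,
        // dropping whitespace and rejecting any non-base64 character; finally
        // installs the stripped key as the internal user's password digest
        // and as the MONGODB-CR SASL parameters used for intra-cluster auth.
        // Returns false after logging on any failure.
        //
        // Fixes against the previous revision: the FILE* is closed by a guard
        // on every exit path instead of a hand-written fclose() before each
        // early return, fread()'s size_t result is no longer narrowed to int,
        // and the key material itself is no longer written to the log.
        struct FileCloser {
            FILE* fp;
            ~FileCloser() {
                if (fp) {
                    fclose(fp);
                }
            }
        };

        struct stat stats;

        // check obvious file errors
        if (stat(filename.c_str(), &stats) == -1) {
            log() << "error getting file " << filename << ": " << strerror(errno) << endl;
            return false;
        }

#if !defined(_WIN32)
        // check permissions: must be X00, where X is >= 4. The key is a
        // shared secret, so any group/other access is rejected outright.
        if ((stats.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
            log() << "permissions on " << filename << " are too open" << endl;
            return false;
        }
#endif

        const unsigned long long fileLength = stats.st_size;
        if (fileLength < 6 || fileLength > 1024) {
            log() << " key file " << filename << " has length " << fileLength
                  << ", must be between 6 and 1024 chars" << endl;
            return false;
        }

        // NOTE(review): the checks above were made on the path, and the file
        // is only opened here; a change to what the path refers to in between
        // is not detected by this function.
        FILE* file = fopen(filename.c_str(), "rb");
        if (!file) {
            log() << "error opening file: " << filename << ": " << strerror(errno) << endl;
            return false;
        }

        string key;
        {
            // The guard closes the file when this scope ends, including on
            // the early returns inside the loop; the file is therefore closed
            // before the digest is computed, as before.
            FileCloser closer = {file};

            unsigned long long bytesRead = 0;
            while (bytesRead < fileLength) {
                char c;
                const size_t got = fread(&c, 1, 1, file);
                if (got != 1) {
                    log() << "error reading file " << filename << endl;
                    return false;
                }
                ++bytesRead;

                // whitespace (\t \n \v \f \r and space) is stripped, not an error
                if ((c >= '\x09' && c <= '\x0D') || c == ' ') {
                    continue;
                }

                // everything else must be a base64 character
                const bool base64Char = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                    (c >= '0' && c <= '9') || c == '+' || c == '/';
                if (!base64Char) {
                    log() << "invalid char in key file " << filename << ": " << c << endl;
                    return false;
                }

                key += c;
            }
        }

        if (key.size() < 6) {
            log() << "security key must be at least 6 characters" << endl;
            return false;
        }

        // Log only the fact and the length; the key itself is the cluster's
        // shared secret and log files are typically far more widely readable
        // than the key file whose permissions were checked above.
        LOG(1) << "security key loaded from " << filename << " (" << key.size() << " chars)" << endl;

        // createPWDigest should really not be a member func
        DBClientConnection conn;
        internalSecurity.pwd = conn.createPasswordDigest(internalSecurity.user, key);

        setInternalUserAuthParams(BSON(saslCommandMechanismFieldName << "MONGODB-CR" <<
                       saslCommandUserSourceFieldName << "local" <<
                       saslCommandUserFieldName << internalSecurity.user <<
                       saslCommandPasswordFieldName << internalSecurity.pwd <<
                       saslCommandDigestPasswordFieldName << false));

        return true;
    }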
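    bool setUpSecurityKey(const string& filename) {
        // Loads the cluster key file named by `filename`: rejects it unless
        // stat() succeeds and (on POSIX) group/other permission bits are
        // clear; then reads it byte by byte, dropping whitespace and rejecting
        // any non-base64 character; requires the stripped key to be 6..1024
        // chars; installs its digest as the internal user's credentials and,
        // when clusterAuthMode is "keyfile" or "sendKeyfile", as the
        // MONGODB-CR SASL parameters used for intra-cluster auth. Returns
        // false after logging on any failure.
        //
        // Fixes against the previous revision: the FILE* is closed by a guard
        // on every exit path instead of a hand-written fclose() before each
        // early return, fread()'s size_t result is no longer narrowed to int,
        // and reading stops as soon as the stripped key exceeds the 1024-char
        // cap rather than buffering an arbitrarily large file first.
        struct FileCloser {
            FILE* fp;
            ~FileCloser() {
                if (fp) {
                    fclose(fp);
                }
            }
        };

        struct stat stats;

        // check obvious file errors
        if (stat(filename.c_str(), &stats) == -1) {
            log() << "error getting file " << filename << ": " << strerror(errno) << endl;
            return false;
        }

#if !defined(_WIN32)
        // check permissions: must be X00, where X is >= 4. The key is a
        // shared secret, so any group/other access is rejected outright.
        if ((stats.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
            log() << "permissions on " << filename << " are too open" << endl;
            return false;
        }
#endif

        // NOTE(review): the checks above were made on the path, and the file
        // is only opened here; a change to what the path refers to in between
        // is not detected by this function.
        FILE* file = fopen(filename.c_str(), "rb");
        if (!file) {
            log() << "error opening file: " << filename << ": " << strerror(errno) << endl;
            return false;
        }

        string key;
        {
            // The guard closes the file when this scope ends, including on
            // the early returns inside the loop; the file is therefore closed
            // before the digest is computed, as before.
            FileCloser closer = {file};

            const unsigned long long fileLength = stats.st_size;
            unsigned long long bytesRead = 0;
            while (bytesRead < fileLength) {
                char c;
                const size_t got = fread(&c, 1, 1, file);
                if (got != 1) {
                    log() << "error reading file " << filename << endl;
                    return false;
                }
                ++bytesRead;

                // whitespace (\t \n \v \f \r and space) is stripped, not an error
                if ((c >= '\x09' && c <= '\x0D') || c == ' ') {
                    continue;
                }

                // everything else must be a base64 character
                const bool base64Char = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                    (c >= '0' && c <= '9') || c == '+' || c == '/';
                if (!base64Char) {
                    log() << "invalid char in key file " << filename << ": " << c << endl;
                    return false;
                }

                key += c;

                // Enforce the upper bound while reading so a very large file
                // fails fast instead of being accumulated into memory first.
                if (key.size() > 1024) {
                    log() << " security key in " << filename
                          << " is longer than 1024 chars, must be between 6 and 1024 chars" << endl;
                    return false;
                }
            }
        }

        // The upper bound was enforced in the loop; only the lower one is left.
        const unsigned long long keyLength = key.size();
        if (keyLength < 6) {
            log() << " security key in " << filename << " has length " << keyLength
                  << ", must be between 6 and 1024 chars" << endl;
            return false;
        }

        // The raw key is never logged: it is the cluster's shared secret.
        User::CredentialData credentials;
        credentials.password = DBClientWithCommands::createPasswordDigest(
                internalSecurity.user->getName().getUser().toString(), key);
        internalSecurity.user->setCredentials(credentials);

        // Only key-file based cluster auth modes use the key as the internal
        // user's SASL password; other modes just keep the credentials set above.
        if (cmdLine.clusterAuthMode == "keyfile" || cmdLine.clusterAuthMode == "sendKeyfile") {
            setInternalUserAuthParams(
                    BSON(saslCommandMechanismFieldName << "MONGODB-CR" <<
                         saslCommandUserSourceFieldName <<
                         internalSecurity.user->getName().getDB() <<
                         saslCommandUserFieldName << internalSecurity.user->getName().getUser() <<
                         saslCommandPasswordFieldName << credentials.password <<
                         saslCommandDigestPasswordFieldName << false));
        }
        return true;
    }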