Ejemplo n.º 1
    // Reports whether the users authenticated on this session together hold every action that
    // "privilege" asks for, looking at each resource pattern in the search list that
    // buildResourceSearchList() derives from the privilege's own resource pattern.
    //
    // Grants are pooled: unmetRequirements is created once, outside the user loop, and only ever
    // shrinks, so actions held by different authenticated users and on different entries of the
    // search list add up towards one privilege.
    //
    // Side effects on _authenticatedUsers: a cached User that reports !isValid() is re-acquired
    // from the AuthorizationManager. On OK the new object replaces the old one, on UserNotFound
    // the user is removed from the session.
    //
    // NOTE(review): on any other acquireUser() error the decision is made with the User object
    // that was already flagged as out of date, so an action revoked since it was cached may
    // still be honoured until a refresh succeeds. The only trace is the warning() line below;
    // worth alerting on if it repeats.
    //
    // Returns true as soon as no requested action is left unmet, false after all users were
    // examined without reaching that point.
    bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) {
        AuthorizationManager& authMan = getAuthorizationManager();
        const ResourcePattern& target(privilege.getResourcePattern());

        // Fixed-size scratch array; only the first resourceSearchListLength entries are read.
        ResourcePattern resourceSearchList[resourceSearchListCapacity];
        const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList);

        // Actions still to be found; shared across all users (see header comment).
        ActionSet unmetRequirements = privilege.getActions();
        UserSet::iterator it = _authenticatedUsers.begin();
        while (it != _authenticatedUsers.end()) {
            User* user = *it;

            if (!user->isValid()) {
                // Make a good faith effort to acquire an up-to-date user object, since the one
                // we've cached is marked "out-of-date."
                UserName name = user->getName();
                // Out-parameter of acquireUser(); left uninitialized and read only on the OK path.
                User* updatedUser;

                Status status = authMan.acquireUser(name, &updatedUser);
                switch (status.code()) {
                case ErrorCodes::OK: {
                    // Success! Replace the old User object with the updated one.
                    // The swap itself happens inside the fassert argument; the assertion checks
                    // that replaceAt() handed back the object we expected to displace.
                    fassert(17067, _authenticatedUsers.replaceAt(it, updatedUser) == user);
                    authMan.releaseUser(user);
                    user = updatedUser;
                    LOG(1) << "Updated session cache of user information for " << name;
                    break;
                }
                case ErrorCodes::UserNotFound: {
                    // User does not exist anymore; remove it from _authenticatedUsers.
                    fassert(17068, _authenticatedUsers.removeAt(it) == user);
                    authMan.releaseUser(user);
                    LOG(1) << "Removed deleted user " << name <<
                        " from session cache of user information.";
                    // Presumably removeAt() leaves "it" on the following element - confirm.
                    continue;  // No need to advance "it" in this case.
                }
                default:
                    // Unrecognized error; assume that it's transient, and continue working with the
                    // out-of-date privilege data.
                    // NOTE(review): this branch fails open for the stale user (see header).
                    warning() << "Could not fetch updated user privilege information for " <<
                        name << "; continuing to use old information.  Reason is " << status;
                    break;
                }
            }

            // Subtract whatever this user holds on each candidate resource pattern.
            for (int i = 0; i < resourceSearchListLength; ++i) {
                ActionSet userActions = user->getActionsForResource(resourceSearchList[i]);
                unmetRequirements.removeAllActionsFromSet(userActions);

                if (unmetRequirements.empty())
                    return true;
            }
            ++it;
        }

        return false;
    }
Ejemplo n.º 2
// Reports whether every action requested by "privilege" is covered by the session.
//
// Two sources of grants are consulted, in this order, against the resource patterns produced by
// buildResourceSearchList():
//   1. the privileges returned by getDefaultPrivileges(), matched by exact pattern equality;
//   2. the actions each authenticated user holds on each candidate pattern.
// A single set of outstanding actions is carried through both passes, so default grants and
// grants of several users combine towards the same privilege.
//
// Returns true as soon as nothing is outstanding, false once both passes are exhausted.
bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) {
    ResourcePattern candidates[resourceSearchListCapacity];
    const int candidateCount =
        buildResourceSearchList(privilege.getResourcePattern(), candidates);

    ActionSet outstanding = privilege.getActions();

    // Pass 1: default privileges. Only entries whose pattern equals a candidate count.
    PrivilegeVector defaults = getDefaultPrivileges();
    PrivilegeVector::iterator grant = defaults.begin();
    while (grant != defaults.end()) {
        for (int idx = 0; idx < candidateCount; ++idx) {
            if (grant->getResourcePattern() == candidates[idx]) {
                ActionSet granted = grant->getActions();
                outstanding.removeAllActionsFromSet(granted);

                // The emptiness test is made only after a matching default privilege.
                if (outstanding.empty()) {
                    return true;
                }
            }
        }
        ++grant;
    }

    // Pass 2: privileges of the users authenticated on this session.
    UserSet::iterator userIt = _authenticatedUsers.begin();
    while (userIt != _authenticatedUsers.end()) {
        User* const current = *userIt;
        for (int idx = 0; idx < candidateCount; ++idx) {
            ActionSet granted = current->getActionsForResource(candidates[idx]);
            outstanding.removeAllActionsFromSet(granted);

            if (outstanding.empty()) {
                return true;
            }
        }
        ++userIt;
    }

    return false;
}
    // Reports whether the users authenticated on this session together hold every action that
    // "privilege" asks for, looking at each resource pattern in the search list that
    // buildResourceSearchList() derives from the privilege's own resource pattern.
    //
    // Grants are pooled: unmetRequirements is shared by all users and only ever shrinks.
    //
    // Before a user is consulted, a user whose schema version equals
    // AuthorizationManager::schemaVersion24 (logged below as a "V1 user") is refreshed through
    // acquireV1UserProbedForDb() when the target is a database or exact-namespace pattern and
    // hasProbedV1() is false for the target database.
    //
    // NOTE(review): two outcomes of that refresh keep using the cached User for the decision:
    //   - UserNotFound: no log line, and the user is not removed from _authenticatedUsers here;
    //   - any other error: a warning() is written and the old information is used.
    // Confirm both are intended, since either way the check proceeds on data that could not be
    // refreshed.
    //
    // Returns true as soon as no requested action is left unmet, otherwise false.
    bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) {
        const ResourcePattern& target(privilege.getResourcePattern());

        // Fixed-size scratch array; only the first resourceSearchListLength entries are read.
        ResourcePattern resourceSearchList[resourceSearchListCapacity];
        const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList);

        // Actions still to be found; shared across all users.
        ActionSet unmetRequirements = privilege.getActions();

        for (UserSet::iterator it = _authenticatedUsers.begin();
                it != _authenticatedUsers.end(); ++it) {
            User* user = *it;

            // Refresh is attempted only for the schemaVersion24 / not-yet-probed case.
            if (user->getSchemaVersion() == AuthorizationManager::schemaVersion24 &&
                (target.isDatabasePattern() || target.isExactNamespacePattern()) &&
                !user->hasProbedV1(target.databaseToMatch())) {

                UserName name = user->getName();
                // Out-parameter of the acquire call; left uninitialized, read only when it is OK.
                User* updatedUser;
                Status status = getAuthorizationManager().acquireV1UserProbedForDb(
                        name,
                        target.databaseToMatch(),
                        &updatedUser);
                if (status.isOK()) {
                    // The acquire call may hand back the very same object; swap only on change.
                    if (user != updatedUser) {
                        LOG(1) << "Updated session cache with privileges on the " <<
                                target.databaseToMatch() << " database for V1 user " << name;
                        fassert(17226, _authenticatedUsers.replaceAt(it, updatedUser) == user);
                    }
                    // Released in both cases; presumably this balances the reference taken by
                    // the acquire call when the object is unchanged - confirm.
                    getAuthorizationManager().releaseUser(user);
                    user = updatedUser;
                }
                else if (status != ErrorCodes::UserNotFound) {
                    // UserNotFound is deliberately excluded here and produces no message.
                    warning() << "Could not fetch updated user privilege information for V1-style "
                        "user " << name << "; continuing to use old information.  Reason is "
                              << status;
                }
            }

            // Subtract whatever this user holds on each candidate resource pattern.
            for (int i = 0; i < resourceSearchListLength; ++i) {
                ActionSet userActions = user->getActionsForResource(resourceSearchList[i]);
                unmetRequirements.removeAllActionsFromSet(userActions);

                if (unmetRequirements.empty())
                    return true;
            }
        }

        return false;
    }
Ejemplo n.º 4
    // Reports whether this set grants every action of "desiredPrivilege".
    //
    // A privilege that requests no actions is always satisfied. Otherwise the cache entries for
    // WILDCARD_RESOURCE and for the privilege's own resource are consulted in that order, and
    // their actions are subtracted from the outstanding set; an entry flagged dirty is rebuilt
    // through _rebuildEntry() before it is read.
    //
    // NOTE(review): the candidate names are held as StringData. If that is a non-owning view,
    // the second slot is only safe when getResource() returns a reference to storage that
    // outlives this call - confirm.
    bool PrivilegeSet::hasPrivilege(const Privilege& desiredPrivilege) {
        ActionSet outstanding = desiredPrivilege.getActions();
        if (outstanding.empty()) {
            return true;
        }

        const int candidateCount = 2;
        StringData candidates[candidateCount];
        candidates[0] = WILDCARD_RESOURCE;
        candidates[1] = desiredPrivilege.getResource();

        for (int idx = 0; idx < candidateCount; ++idx) {
            ResourcePrivilegeCacheEntry* cached = _lookupEntry(candidates[idx]);
            if (cached != NULL) {
                // Refresh a stale entry before trusting its action set.
                if (cached->dirty) {
                    _rebuildEntry(candidates[idx], cached);
                }
                outstanding.removeAllActionsFromSet(cached->actions);
                if (outstanding.empty()) {
                    return true;
                }
            }
        }
        return false;
    }
Ejemplo n.º 5
    // Checks whether the users authenticated on this session together hold every action of
    // "privilege", after the privilege has been passed through _modifyPrivilegeForSpecialCases().
    //
    // Three resource names are consulted for each user: the wildcard resource, the database part
    // of the privilege's resource (nsToDatabase), and the resource itself.
    //
    // Grants are pooled: unmetRequirements is created once, outside the user loop, and only ever
    // shrinks, so actions held by different users and on different resource names add up.
    //
    // Side effects on _authenticatedUsers: a cached User that reports !isValid() is re-acquired
    // from the AuthorizationManager. On OK the new object replaces the old one, on UserNotFound
    // the user is removed from the session.
    //
    // NOTE(review): on any other acquireUser() error the decision is made with the User object
    // that was already flagged as out of date, so an action revoked since it was cached may
    // still be honoured until a refresh succeeds. The only trace is the warning() line below;
    // worth alerting on if it repeats.
    //
    // Returns Status::OK() as soon as no requested action is left unmet, otherwise a Status with
    // ErrorCodes::Unauthorized and the fixed reason "unauthorized".
    Status AuthorizationSession::_checkAuthForPrivilegeHelper(const Privilege& privilege) {
        AuthorizationManager& authMan = getAuthorizationManager();
        Privilege modifiedPrivilege = _modifyPrivilegeForSpecialCases(privilege);

        // Need to check not just the resource of the privilege, but also just the database
        // component and the "*" resource.
        std::string resourceSearchList[3];
        resourceSearchList[0] = AuthorizationManager::WILDCARD_RESOURCE_NAME;
        resourceSearchList[1] = nsToDatabase(modifiedPrivilege.getResource());
        resourceSearchList[2] = modifiedPrivilege.getResource();


        // Actions still to be found; shared across all users (see header comment).
        ActionSet unmetRequirements = modifiedPrivilege.getActions();
        UserSet::iterator it = _authenticatedUsers.begin();
        while (it != _authenticatedUsers.end()) {
            User* user = *it;

            if (!user->isValid()) {
                // Make a good faith effort to acquire an up-to-date user object, since the one
                // we've cached is marked "out-of-date."
                UserName name = user->getName();
                // Out-parameter of acquireUser(); left uninitialized and read only on the OK path.
                User* updatedUser;

                Status status = authMan.acquireUser(name, &updatedUser);
                switch (status.code()) {
                case ErrorCodes::OK: {
                    // Success! Replace the old User object with the updated one.
                    // The swap itself happens inside the fassert argument; the assertion checks
                    // that replaceAt() handed back the object we expected to displace.
                    fassert(17067, _authenticatedUsers.replaceAt(it, updatedUser) == user);
                    authMan.releaseUser(user);
                    user = updatedUser;
                    LOG(1) << "Updated session cache of user information for " << name;
                    break;
                }
                case ErrorCodes::UserNotFound: {
                    // User does not exist anymore; remove it from _authenticatedUsers.
                    fassert(17068, _authenticatedUsers.removeAt(it) == user);
                    authMan.releaseUser(user);
                    LOG(1) << "Removed deleted user " << name <<
                        " from session cache of user information.";
                    // Presumably removeAt() leaves "it" on the following element - confirm.
                    continue;  // No need to advance "it" in this case.
                }
                default:
                    // Unrecognized error; assume that it's transient, and continue working with the
                    // out-of-date privilege data.
                    // NOTE(review): this branch fails open for the stale user (see header).
                    warning() << "Could not fetch updated user privilege information for " <<
                        name << "; continuing to use old information.  Reason is " << status;
                    break;
                }
            }

            // Subtract whatever this user holds on each of the three resource names.
            for (int i = 0; i < static_cast<int>(boost::size(resourceSearchList)); ++i) {
                ActionSet userActions = user->getActionsForResource(resourceSearchList[i]);
                unmetRequirements.removeAllActionsFromSet(userActions);

                if (unmetRequirements.empty())
                    return Status::OK();
            }
            ++it;
        }

        return Status(ErrorCodes::Unauthorized, "unauthorized");
    }