Status CmdAuthenticate::_authenticateX509(const UserName& user, const BSONObj& cmdObj) {
if (!getSSLManager()) {
return Status(ErrorCodes::ProtocolError,
"SSL support is required for the MONGODB-X509 mechanism.");
}
if(user.getDB() != "$external") {
return Status(ErrorCodes::ProtocolError,
"X.509 authentication must always use the $external database.");
}
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = client->getAuthorizationSession();
std::string subjectName = client->port()->getX509SubjectName();
if (user.getUser() != subjectName) {
return Status(ErrorCodes::AuthenticationFailed,
"There is no x.509 client certificate matching the user.");
}
else {
std::string srvSubjectName = getSSLManager()->getServerSubjectName();
size_t srvClusterIdPos = srvSubjectName.find(",OU=");
size_t peerClusterIdPos = subjectName.find(",OU=");
std::string srvClusterId = srvClusterIdPos != std::string::npos ?
srvSubjectName.substr(srvClusterIdPos) : "";
std::string peerClusterId = peerClusterIdPos != std::string::npos ?
subjectName.substr(peerClusterIdPos) : "";
// Handle internal cluster member auth, only applies to server-server connections
int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
if (srvClusterId == peerClusterId && !srvClusterId.empty()) {
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_undefined ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile) {
return Status(ErrorCodes::AuthenticationFailed, "The provided certificate "
"can only be used for cluster authentication, not client "
"authentication. The current configuration does not allow "
"x.509 cluster authentication, check the --clusterAuthMode flag");
}
authorizationSession->grantInternalAuthorization();
}
// Handle normal client authentication, only applies to client-server connections
else {
if (_isX509AuthDisabled) {
return Status(ErrorCodes::BadValue,
_x509AuthenticationDisabledMessage);
}
Status status = authorizationSession->addAndAuthorizeUser(user);
if (!status.isOK()) {
return status;
}
}
return Status::OK();
}
}
Status CmdAuthenticate::_authenticateX509(
OperationContext* txn, const UserName& user, const BSONObj& cmdObj) {
if (!getSSLManager()) {
return Status(ErrorCodes::ProtocolError,
"SSL support is required for the MONGODB-X509 mechanism.");
}
if(user.getDB() != "$external") {
return Status(ErrorCodes::ProtocolError,
"X.509 authentication must always use the $external database.");
}
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = AuthorizationSession::get(client);
std::string subjectName = client->port()->getX509SubjectName();
if (!getSSLManager()->getSSLConfiguration().hasCA) {
return Status(ErrorCodes::AuthenticationFailed,
"Unable to verify x.509 certificate, as no CA has been provided.");
}
else if (user.getUser() != subjectName) {
return Status(ErrorCodes::AuthenticationFailed,
"There is no x.509 client certificate matching the user.");
}
else {
std::string srvSubjectName = getSSLManager()->getSSLConfiguration().serverSubjectName;
// Handle internal cluster member auth, only applies to server-server connections
if (_clusterIdMatch(subjectName, srvSubjectName)) {
int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_undefined ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile) {
return Status(ErrorCodes::AuthenticationFailed, "The provided certificate "
"can only be used for cluster authentication, not client "
"authentication. The current configuration does not allow "
"x.509 cluster authentication, check the --clusterAuthMode flag");
}
authorizationSession->grantInternalAuthorization();
}
// Handle normal client authentication, only applies to client-server connections
else {
if (_isX509AuthDisabled) {
return Status(ErrorCodes::BadValue,
_x509AuthenticationDisabledMessage);
}
Status status = authorizationSession->addAndAuthorizeUser(txn, user);
if (!status.isOK()) {
return status;
}
}
return Status::OK();
}
}
bool CmdAuthenticate::authenticateX509(const string& dbname,
BSONObj& cmdObj,
string& errmsg,
BSONObjBuilder& result) {
if(dbname != "$external") {
errmsg = "X.509 authentication must always use the $external database.";
result.append(saslCommandCodeFieldName, ErrorCodes::AuthenticationFailed);
return false;
}
std::string user = cmdObj.getStringField("user");
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = client->getAuthorizationSession();
StringData subjectName = client->port()->getX509SubjectName();
if (user != subjectName) {
errmsg = "There is no x.509 client certificate matching the user.";
result.append(saslCommandCodeFieldName, ErrorCodes::AuthenticationFailed);
return false;
}
else {
StringData srvSubjectName = getSSLManager()->getSubjectName();
StringData srvClusterId = srvSubjectName.substr(0, srvSubjectName.find("/CN")+1);
StringData peerClusterId = subjectName.substr(0, subjectName.find("/CN")+1);
// Handle internal cluster member
if (srvClusterId == peerClusterId) {
authorizationSession->grantInternalAuthorization(UserName(user, "$external"));
}
// Handle normal client authentication
else {
Principal* principal = new Principal(UserName(user, "$external"));
principal->setImplicitPrivilegeAcquisition(true);
authorizationSession->addAuthorizedPrincipal(principal);
}
result.append( "dbname" , dbname );
result.append( "user" , user );
return true;
}
}
Status CmdAuthenticate::_authenticateX509(const UserName& user, const BSONObj& cmdObj) {
if(user.getDB() != "$external") {
return Status(ErrorCodes::ProtocolError,
"X.509 authentication must always use the $external database.");
}
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = client->getAuthorizationSession();
StringData subjectName = client->port()->getX509SubjectName();
if (user.getUser() != subjectName) {
return Status(ErrorCodes::AuthenticationFailed,
"There is no x.509 client certificate matching the user.");
}
else {
StringData srvSubjectName = getSSLManager()->getServerSubjectName();
StringData srvClusterId = srvSubjectName.substr(srvSubjectName.find(",OU="));
StringData peerClusterId = subjectName.substr(subjectName.find(",OU="));
fassert(17002, !srvClusterId.empty() && srvClusterId != srvSubjectName);
// Handle internal cluster member auth, only applies to server-server connections
if (srvClusterId == peerClusterId) {
if (cmdLine.clusterAuthMode.empty() || cmdLine.clusterAuthMode == "keyfile") {
return Status(ErrorCodes::AuthenticationFailed,
"X509 authentication is not allowed for cluster authentication");
}
authorizationSession->grantInternalAuthorization(user);
}
// Handle normal client authentication, only applies to client-server connections
else {
Principal* principal = new Principal(user);
authorizationSession->addAndAuthorizePrincipal(principal);
}
return Status::OK();
}
}