Status AuthorizationManager::_buildPrivilegeSetFromOldStylePrivilegeDocument(
const std::string& dbname,
const PrincipalName& principal,
const BSONObj& privilegeDocument,
PrivilegeSet* result) {
if (!(privilegeDocument.hasField(USER_NAME_FIELD_NAME) &&
privilegeDocument.hasField(PASSWORD_FIELD_NAME))) {
return Status(ErrorCodes::UnsupportedFormat,
mongoutils::str::stream() << "Invalid old-style privilege document "
"received when trying to extract privileges: "
<< privilegeDocument,
0);
}
if (privilegeDocument[USER_NAME_FIELD_NAME].str() != principal.getUser()) {
return Status(ErrorCodes::BadValue,
mongoutils::str::stream() << "Principal name from privilege document \""
<< privilegeDocument[USER_NAME_FIELD_NAME].str()
<< "\" doesn't match name of provided Principal \""
<< principal.getUser()
<< "\"",
0);
}
bool readOnly = privilegeDocument[READONLY_FIELD_NAME].trueValue();
ActionSet actions = getActionsForOldStyleUser(dbname, readOnly);
std::string resourceName = (dbname == ADMIN_DBNAME || dbname == LOCAL_DBNAME) ?
PrivilegeSet::WILDCARD_RESOURCE : dbname;
result->grantPrivilege(Privilege(resourceName, actions), principal);
return Status::OK();
}
Status AuthorizationManager::acquirePrivilege(const Privilege& privilege,
const PrincipalName& authorizingPrincipal) {
if (!_authenticatedPrincipals.lookup(authorizingPrincipal)) {
return Status(ErrorCodes::UserNotFound,
mongoutils::str::stream()
<< "No authenticated principle found with name: "
<< authorizingPrincipal.getUser()
<< " from database "
<< authorizingPrincipal.getDB(),
0);
}
_acquiredPrivileges.grantPrivilege(privilege, authorizingPrincipal);
return Status::OK();
}
Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument(
const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) {
if (!_authenticatedPrincipals.lookup(principal)) {
return Status(ErrorCodes::UserNotFound,
mongoutils::str::stream()
<< "No authenticated principle found with name: "
<< principal.getUser()
<< " from database "
<< principal.getDB(),
0);
}
if (principal.getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal);
}
return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges);
}
Status AuthExternalState::getPrivilegeDocument(const std::string& dbname,
const PrincipalName& principalName,
BSONObj* result) {
if (principalName.getUser() == internalSecurity.user) {
if (internalSecurity.pwd.empty()) {
return Status(ErrorCodes::UserNotFound,
"key file must be used to log in with internal user",
15889);
}
*result = BSON(USER_FIELD << internalSecurity.user <<
PASSWORD_FIELD << internalSecurity.pwd).getOwned();
return Status::OK();
}
std::string usersNamespace = dbname + ".system.users";
BSONObj userBSONObj;
BSONObjBuilder queryBuilder;
queryBuilder.append(USER_FIELD, principalName.getUser());
if (principalName.getDB() == dbname) {
queryBuilder.appendNull(USER_SOURCE_FIELD);
}
else {
queryBuilder.append(USER_SOURCE_FIELD, principalName.getDB());
}
bool found = _findUser(usersNamespace, queryBuilder.obj(), &userBSONObj);
if (!found) {
return Status(ErrorCodes::UserNotFound,
mongoutils::str::stream() << "auth: couldn't find user " <<
principalName.toString() << ", " << usersNamespace,
0);
}
*result = userBSONObj.getOwned();
return Status::OK();
}
