void addPrivilegesRequiredForMapReduce(Command* commandTemplate,
const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
Config::OutputOptions outputOptions = Config::parseOutputOptions(dbname, cmdObj);
ResourcePattern inputResource(commandTemplate->parseResourcePattern(dbname, cmdObj));
uassert(17142, mongoutils::str::stream() <<
"Invalid input resource " << inputResource.toString(),
inputResource.isExactNamespacePattern());
out->push_back(Privilege(inputResource, ActionType::find));
if (outputOptions.outType != Config::INMEMORY) {
ActionSet outputActions;
outputActions.addAction(ActionType::insert);
if (outputOptions.outType == Config::REPLACE) {
outputActions.addAction(ActionType::remove);
}
else {
outputActions.addAction(ActionType::update);
}
ResourcePattern outputResource(
ResourcePattern::forExactNamespace(
NamespaceString(outputOptions.finalNamespace)));
uassert(17143, mongoutils::str::stream() << "Invalid target namespace " <<
outputResource.ns().ns(),
outputResource.ns().isValid());
// TODO: check if outputNs exists and add createCollection privilege if not
out->push_back(Privilege(outputResource, outputActions));
}
}
void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) {
// Log out any already-logged-in user on the same database as "principal".
logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144.
_authenticatedPrincipals.add(principal);
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
return;
const std::string dbname = principal->getName().getDB().toString();
if (dbname == StringData("local", StringData::LiteralTag()) &&
principal->getName().getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal->getName());
return;
}
_acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
principal->markDatabaseAsProbed(ADMIN_DBNAME);
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
_externalState->onAddAuthorizedPrincipal(principal);
}
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::backupThrottle);
out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
}
void calculateDependencyGraph()
{
// zero out the graph
DG = DependencyGraph<bool>(size());
// for each action we have
for (size_t a=0; a<actions.size(); ++a)
{
// get the prerequisites for this action
ActionSet pre = actions[a].getPrerequisites();
// subtract the worker from resource depot, prevent cyclic dependency
if (a == DATA.getResourceDepot())
{
pre.subtract(DATA.getWorker());
}
// loop through prerequisites
while (!pre.isEmpty())
{
// get the next action
Action p = pre.popAction();
// add it to the dependency graph
DG.set(a, p, true);
}
}
// do transitive reduction to obtain the tree
DG.transitiveReduction();
}
void WriteCmd::addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(_action);
out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
// builds the relevant action set for this search
ActionSet calculateRelevantActions()
{
// the initial mask is blank
ActionSet all;
// let's say that we will always allow workers and supply producers
all.add(DATA.getWorker());
all.add(DATA.getSupplyProvider());
// loop through each nonzero element of the goal
for (Action a(0); a<DATA.size(); ++a)
{
// if we want some of this action
if (params.goal.get(a) > 0)
{
//printf("GOAL HAS: %s\n", DATA[a].getName().c_str());
// add itself to the mask
all.add(a);
// if this action costs gas
if (DATA[a].gasPrice() > 0)
{
// extractors are now relevant
all.add(DATA.getRefinery());
}
// also add all recursive prerequisites of this action
calculateRecursivePrerequisites(a, all);
}
}
return all;
}
void DBHashCmd::addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::dbHash);
out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
}
void CombatSearch_BestResponse::doSearch(const GameState & state, size_t depth)
{
if (timeLimitReached())
{
throw BOSS_COMBATSEARCH_TIMEOUT;
}
_bestResponseData.update(_params.getInitialState(), state, _buildOrder);
updateResults(state);
if (isTerminalNode(state, depth))
{
return;
}
ActionSet legalActions;
generateLegalActions(state, legalActions, _params);
for (UnitCountType a(0); a < legalActions.size(); ++a)
{
size_t ri = legalActions.size() - 1 - a;
GameState child(state);
child.doAction(legalActions[ri]);
_buildOrder.add(legalActions[ri]);
doSearch(child,depth+1);
_buildOrder.pop_back();
}
}
void Pipeline::addRequiredPrivileges(Command* commandTemplate,
const string& db,
BSONObj cmdObj,
vector<Privilege>* out) {
ResourcePattern inputResource(commandTemplate->parseResourcePattern(db, cmdObj));
uassert(17138,
mongoutils::str::stream() << "Invalid input resource, " << inputResource.toString(),
inputResource.isExactNamespacePattern());
if (false && cmdObj["allowDiskUsage"].trueValue()) {
// TODO no privilege for this yet.
}
out->push_back(Privilege(inputResource, ActionType::find));
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
if (str::equals(stage.firstElementFieldName(), "$out")) {
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " <<
outputNs.ns(),
outputNs.isValid());
ActionSet actions;
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
out->push_back(Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
}
}
bb::cascades::VisualNode*
NSRLastDocItemFactory::createItem (bb::cascades::ListView* list,
const QString& type)
{
Q_UNUSED (type);
NSRLastDocsListView *listView = static_cast<NSRLastDocsListView *> (list);
NSRLastDocItem *item = new NSRLastDocItem ();
NSRTranslator *translator = item->getTranslator ();
ActionSet *actionSet = ActionSet::create ();
ActionItem *shareAction = ActionItem::create().title (trUtf8 ("Share"));
ActionItem *hideAction = ActionItem::create().title (trUtf8 ("Clear Recent", "Clear recent files"));
DeleteActionItem *removeAction = DeleteActionItem::create ();
shareAction->setImageSource (QUrl ("asset:///share.png"));
hideAction->setImageSource (QUrl ("asset:///list-remove.png"));
#if BBNDK_VERSION_AT_LEAST(10,2,0)
shareAction->accessibility()->setName (trUtf8 ("Share file with others"));
hideAction->accessibility()->setName (trUtf8 ("Remove file from the recent list only"));
translator->addTranslatable ((UIObject *) shareAction->accessibility (),
NSRTranslator::NSR_TRANSLATOR_TYPE_A11Y,
QString ("NSRLastDocItemFactory"),
QString ("Share file with others"));
translator->addTranslatable ((UIObject *) hideAction->accessibility (),
NSRTranslator::NSR_TRANSLATOR_TYPE_A11Y,
QString ("NSRLastDocItemFactory"),
QString ("Remove file from the recent list only"));
#endif
bool ok = connect (shareAction, SIGNAL (triggered ()), listView, SLOT (onShareActionTriggered ()));
Q_UNUSED (ok);
Q_ASSERT (ok);
ok = connect (removeAction, SIGNAL (triggered ()), listView, SLOT (onRemoveActionTriggered ()));
Q_ASSERT (ok);
ok = connect (hideAction, SIGNAL (triggered ()), listView, SLOT (onHideActionTriggered ()));
Q_ASSERT (ok);
actionSet->add (shareAction);
actionSet->add (hideAction);
actionSet->add (removeAction);
item->addActionSet (actionSet);
translator->addTranslatable ((UIObject *) shareAction,
NSRTranslator::NSR_TRANSLATOR_TYPE_ACTION,
QString ("NSRLastDocItemFactory"),
QString ("Share"));
translator->addTranslatable ((UIObject *) hideAction,
NSRTranslator::NSR_TRANSLATOR_TYPE_ACTION,
QString ("NSRLastDocItemFactory"),
QString ("Clear Recent"));
return item;
}
void createRecursiveActionSet_AllBulbOn()
{
string actionsetDesc;
ActionSet *allBulbOn = new ActionSet();
allBulbOn->type = OIC::ACTIONSET_TYPE::RECURSIVE;
allBulbOn->actionsetName = "AllBulbOnRecursiveCall";
allBulbOn->mTime.tm_year = 0;
allBulbOn->mTime.tm_mon = 0;
allBulbOn->mTime.tm_mday = 0;
allBulbOn->mTime.tm_hour = 0;
allBulbOn->mTime.tm_min = 0;
allBulbOn->mTime.tm_sec = 5;
allBulbOn->setDelay(allBulbOn->getSecAbsTime());
for (auto iter = lights.begin(); iter != lights.end(); ++iter)
{
Action *action = new Action();
action->target = (*iter);
Capability *capa = new Capability();
capa->capability = "power";
capa->status = "on";
action->listOfCapability.push_back(capa);
allBulbOn->listOfAction.push_back(action);
}
if (g_resource)
{
thingsMgr->addActionSet(g_resource, allBulbOn, onPut);
}
delete allBulbOn;
}
void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) const override {
ActionSet actions;
actions.addAction(ActionType::convertToCapped);
out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
void addPrivilegesRequiredForFindAndModify(Command* commandTemplate,
const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
bool update = cmdObj["update"].trueValue();
bool upsert = cmdObj["upsert"].trueValue();
bool remove = cmdObj["remove"].trueValue();
ActionSet actions;
actions.addAction(ActionType::find);
if (update) {
actions.addAction(ActionType::update);
}
if (upsert) {
actions.addAction(ActionType::insert);
}
if (remove) {
actions.addAction(ActionType::remove);
}
ResourcePattern resource(commandTemplate->parseResourcePattern(dbname, cmdObj));
uassert(17137,
"Invalid target namespace " + resource.toString(),
resource.isExactNamespacePattern());
out->push_back(Privilege(resource, actions));
}
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::resync);
out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
void XRuleIP::xrule_impl(
IronBee::Transaction tx,
ActionSet& actions
)
{
const char *remote_ip = tx.effective_remote_ip_string();
ib_ip4_t ipv4;
ib_ip6_t ipv6;
ib_log_debug_tx(tx.ib(), "Checking IP Access for %s", remote_ip);
// Check IP lists.
if (remote_ip == NULL) {
BOOST_THROW_EXCEPTION(
IronBee::einval()
<< IronBee::errinfo_what("No remote IP available.")
);
}
else if (IB_OK == ib_ip4_str_to_ip(remote_ip, &ipv4)) {
const ib_ipset4_entry_t *entry;
ib_status_t rc;
rc = ib_ipset4_query(&(m_ipset4), ipv4, NULL, &entry, NULL);
if (rc == IB_OK) {
ib_log_debug_tx(tx.ib(), "IP matched %s", remote_ip);
action_ptr action =
IronBee::data_to_value<action_ptr>(entry->data);
actions.set(action);
}
else {
ib_log_debug_tx(
tx.ib(),
"IP set is empty or does not include %s",
remote_ip);
}
}
else if (IB_OK == ib_ip6_str_to_ip(remote_ip, &ipv6)) {
const ib_ipset6_entry_t *entry;
ib_status_t rc;
rc = ib_ipset6_query(&(m_ipset6), ipv6, NULL, &entry, NULL);
if (rc == IB_OK) {
ib_log_debug_tx(tx.ib(), "IP matched %s", remote_ip);
action_ptr action =
IronBee::data_to_value<action_ptr>(entry->data);
actions.set(action);
}
else {
ib_log_debug_tx(
tx.ib(),
"IP set is empty or does not include %s",
remote_ip);
}
}
else {
BOOST_THROW_EXCEPTION(
IronBee::enoent()
<< IronBee::errinfo_what("Cannot convert IP to v4 or v6.")
);
}
}
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
// TODO: update this with the new rules around user creation in 2.6.
ActionSet actions;
actions.addAction(ActionType::userAdmin);
out->push_back(Privilege(dbname, actions));
}
void PartialPolicyExecutor::executeActionStep() {
if (isGoalReached || hasFailed)
return;
if (active != NULL && !active->hasFinished()) {
if (newAction) {
for_each(executionObservers.begin(),executionObservers.end(),NotifyActionStart(active->toFluent(actionCounter)));
newAction = false;
}
active->run();
} else {
if (active != NULL) {
for_each(executionObservers.begin(),executionObservers.end(),NotifyActionTermination(active->toFluent(actionCounter++)));
}
isGoalReached = kr->currentStateQuery(goalRules).isSatisfied();
if (isGoalReached) //well done!
return;
//choose the next action
AnswerSet currentState = kr->currentStateQuery(vector<AspRule>());
set<AspFluent> state(currentState.getFluents().begin(), currentState.getFluents().end());
ActionSet options = policy->actions(state);
if (options.empty() || (active != NULL && active->hasFailed())) {
//there's no action for this state, computing more plans
//if the last action failed, we may want to have some more option
PartialPolicy *otherPolicy = planner->computePolicy(goalRules,suboptimality);
policy->merge(otherPolicy);
delete otherPolicy;
for_each(executionObservers.begin(),executionObservers.end(),bind2nd(mem_fun(&ExecutionObserver::policyChanged),policy));
options = policy->actions(state);
if (options.empty()) { //no actions available from here!
hasFailed = true;
return;
}
}
set<AspFluent>::const_iterator chosen = selector->choose(options);
delete active;
active = instantiateAction(actionMap,*chosen);
actionCounter++;
newAction = true;
}
}
ActionSet AuthorizationManager::getAllUserActions() const {
ActionSet allActions;
allActions.addAllActionsFromSet(readRoleActions);
allActions.addAllActionsFromSet(readWriteRoleActions);
allActions.addAllActionsFromSet(userAdminRoleActions);
allActions.addAllActionsFromSet(dbAdminRoleActions);
allActions.addAllActionsFromSet(clusterAdminRoleActions);
return allActions;
}
ActionSet PrivilegeDocumentParser::getAllUserActions() const {
ActionSet allActions;
allActions.addAllActionsFromSet(readRoleActions);
allActions.addAllActionsFromSet(readWriteRoleActions);
allActions.addAllActionsFromSet(userAdminRoleActions);
allActions.addAllActionsFromSet(dbAdminRoleActions);
allActions.addAllActionsFromSet(clusterAdminRoleActions);
return allActions;
}
void AuthorizationManager::grantInternalAuthorization(const std::string& principalName) {
Principal* principal = new Principal(PrincipalName(principalName, "local"));
ActionSet actions;
actions.addAllActions();
addAuthorizedPrincipal(principal);
fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
principal->getName()).isOK());
}
void XRuleTime::xrule_impl(
IronBee::Transaction tx,
ActionSet& actions
)
{
if (actions.overrides(m_action)) {
/* Get tx start time, shifted into the local time zone. */
boost::posix_time::ptime tx_start =
tx.started_time() + m_zone_info->base_utc_offset();
std::ostringstream os;
std::locale loc(
os.getloc(),
new boost::posix_time::time_facet("%H:%M:%S"));
os.imbue(loc);
os << "Checking current time "
<< tx_start
<< " against window "
<< m_start_time
<< "-"
<< m_end_time
<< ".";
ib_log_debug_tx(tx.ib(), "%s", os.str().c_str());
bool in_window = (
m_start_time.time_of_day() <= tx_start.time_of_day() &&
tx_start.time_of_day() < m_end_time.time_of_day()
);
// If any days of the week are specified in our window...
if (m_days.size() > 0) {
// ...get the day of the week...
short dow =
boost::gregorian::gregorian_calendar::day_of_week(
tx_start.date().year_month_day());
// ...and update the in_window boolean.
in_window &= (m_days.find(dow) != m_days.end());
}
// If we are in the window specified (considering the
// m_invert member) then execute the associated action.
if (in_window ^ m_invert) {
ib_log_debug_tx(tx.ib(), "XRuleTime was matched.");
actions.set(m_action);
}
else {
ib_log_debug_tx(tx.ib(), "XRuleTime was not matched.");
}
}
else {
ib_log_debug_tx(
tx.ib(),
"Skipping rule as action does not override tx actions.");
}
}
bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) {
AuthorizationManager& authMan = getAuthorizationManager();
const ResourcePattern& target(privilege.getResourcePattern());
ResourcePattern resourceSearchList[resourceSearchListCapacity];
const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList);
ActionSet unmetRequirements = privilege.getActions();
UserSet::iterator it = _authenticatedUsers.begin();
while (it != _authenticatedUsers.end()) {
User* user = *it;
if (!user->isValid()) {
// Make a good faith effort to acquire an up-to-date user object, since the one
// we've cached is marked "out-of-date."
UserName name = user->getName();
User* updatedUser;
Status status = authMan.acquireUser(name, &updatedUser);
switch (status.code()) {
case ErrorCodes::OK: {
// Success! Replace the old User object with the updated one.
fassert(17067, _authenticatedUsers.replaceAt(it, updatedUser) == user);
authMan.releaseUser(user);
user = updatedUser;
LOG(1) << "Updated session cache of user information for " << name;
break;
}
case ErrorCodes::UserNotFound: {
// User does not exist anymore; remove it from _authenticatedUsers.
fassert(17068, _authenticatedUsers.removeAt(it) == user);
authMan.releaseUser(user);
LOG(1) << "Removed deleted user " << name <<
" from session cache of user information.";
continue; // No need to advance "it" in this case.
}
default:
// Unrecognized error; assume that it's transient, and continue working with the
// out-of-date privilege data.
warning() << "Could not fetch updated user privilege information for " <<
name << "; continuing to use old information. Reason is " << status;
break;
}
}
for (int i = 0; i < resourceSearchListLength; ++i) {
ActionSet userActions = user->getActionsForResource(resourceSearchList[i]);
unmetRequirements.removeAllActionsFromSet(userActions);
if (unmetRequirements.empty())
return true;
}
++it;
}
return false;
}
void AuthorizationSession::grantInternalAuthorization(const UserName& userName) {
Principal* principal = new Principal(userName);
ActionSet actions;
actions.addAllActions();
addAuthorizedPrincipal(principal);
fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
principal->getName()).isOK());
}
void AuthorizationManager::grantInternalAuthorization() {
Principal* internalPrincipal = new Principal("__system");
_authenticatedPrincipals.add(internalPrincipal);
ActionSet allActions;
allActions.addAllActions();
AcquiredPrivilege privilege(Privilege("*", allActions), internalPrincipal);
Status status = acquirePrivilege(privilege);
verify (status == Status::OK());
}
void printActionNames(ActionSet s)
{
while (!s.isEmpty())
{
Action a = s.popAction();
printf("%s\n", getStarcraftAction(a).getName().c_str());
}
}
// recursive function which does all search logic
void DFBBMonteCarlo(StarcraftStateType & s, int depth)
{
printf("Depth %d\n", depth);
// increase the node expansion count
nodesExpanded++;
// the time at which the last thing in the queue will finish
int finishTime = s.getLastFinishTime();
if (finishTime >= upperBound)
{
return;
}
int bucket = getBucket(finishTime);
int armyValue = s.getArmyValue();
if (armyValue > armyValues[bucket])
{
armyValues[bucket] = armyValue;
buildOrders[bucket] = getBuildOrder(s);
}
// if we are using search timeout and we are over the limit
if (params.searchTimeLimit && (nodesExpanded % 1000 == 0) && (searchTimer.getElapsedTimeInMilliSec() > params.searchTimeLimit))
{
// throw an exception to unroll the recursion
throw 1;
}
// get the legal action set
ActionSet legalActions = s.getLegalActionsMonteCarlo(params.goal);
// if we have children, update the counter
if (!legalActions.isEmpty())
{
numGenerations += 1;
numChildren += legalActions.numActions();
Action nextAction = legalActions.randomAction();
StarcraftStateType child(s);
int readyTime = child.resourcesReady(nextAction);
child.doAction(nextAction, readyTime);
child.setParent(&s);
DFBBMonteCarlo(child, depth+1);
}
else
{
printf("No legal actions %d\n", depth);
}
}
virtual Status checkAuthForCommand(ClientBasic* client,
const std::string& dbname,
const BSONObj& cmdObj) {
ActionSet actions;
actions.addAction(ActionType::createIndex);
Privilege p(parseResourcePattern(dbname, cmdObj), actions);
if ( client->getAuthorizationSession()->isAuthorizedForPrivilege(p) )
return Status::OK();
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
Status Pipeline::checkAuthForCommand(ClientBasic* client,
const std::string& db,
const BSONObj& cmdObj) {
NamespaceString inputNs(db, cmdObj.firstElement().str());
auto inputResource = ResourcePattern::forExactNamespace(inputNs);
uassert(17138,
mongoutils::str::stream() << "Invalid input namespace, " << inputNs.ns(),
inputNs.isValid());
std::vector<Privilege> privileges;
if (dps::extractElementAtPath(cmdObj, "pipeline.0.$indexStats")) {
Privilege::addPrivilegeToPrivilegeVector(
&privileges,
Privilege(ResourcePattern::forAnyNormalResource(), ActionType::indexStats));
} else if (dps::extractElementAtPath(cmdObj, "pipeline.0.$collStats")) {
Privilege::addPrivilegeToPrivilegeVector(&privileges,
Privilege(inputResource, ActionType::collStats));
} else {
// If no source requiring an alternative permission scheme is specified then default to
// requiring find() privileges on the given namespace.
Privilege::addPrivilegeToPrivilegeVector(&privileges,
Privilege(inputResource, ActionType::find));
}
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
StringData stageName = stage.firstElementFieldName();
if (stageName == "$out" && stage.firstElementType() == String) {
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " << outputNs.ns(),
outputNs.isValid());
ActionSet actions;
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
if (shouldBypassDocumentValidationForCommand(cmdObj)) {
actions.addAction(ActionType::bypassDocumentValidation);
}
Privilege::addPrivilegeToPrivilegeVector(
&privileges, Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
} else if (stageName == "$lookup" && stage.firstElementType() == Object) {
NamespaceString fromNs(db, stage.firstElement()["from"].str());
Privilege::addPrivilegeToPrivilegeVector(
&privileges,
Privilege(ResourcePattern::forExactNamespace(fromNs), ActionType::find));
} else if (stageName == "$graphLookup" && stage.firstElementType() == Object) {
NamespaceString fromNs(db, stage.firstElement()["from"].str());
Privilege::addPrivilegeToPrivilegeVector(
&privileges,
Privilege(ResourcePattern::forExactNamespace(fromNs), ActionType::find));
}
}
void Pipeline::addRequiredPrivileges(const string& db,
BSONObj cmdObj,
vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
out->push_back(Privilege(db + '.' + cmdObj.firstElement().str(), actions));
if (false && cmdObj["allowDiskUsage"].trueValue()) {
// TODO no privilege for this yet.
}
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
if (str::equals(stage.firstElementFieldName(), "$out")) {
// TODO Figure out how to handle temp collection privileges. For now, using the
// output ns is ok since we only do db-level privilege checks.
const string outputNs = db + '.' + stage.firstElement().str();
ActionSet actions;
// logically on output ns
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
actions.addAction(ActionType::indexRead);
// on temp ns due to implementation, but not logically on output ns
actions.addAction(ActionType::createCollection);
actions.addAction(ActionType::ensureIndex);
actions.addAction(ActionType::dropCollection);
actions.addAction(ActionType::renameCollectionSameDB);
out->push_back(Privilege(outputNs, actions));
}
}
