Status checkAuthForUpdateRoleCommand(ClientBasic* client,
const std::string& dbname,
const BSONObj& cmdObj) {
AuthorizationSession* authzSession = AuthorizationSession::get(client);
auth::CreateOrUpdateRoleArgs args;
Status status = auth::parseCreateOrUpdateRoleCommands(cmdObj, "updateRole", dbname, &args);
if (!status.isOK()) {
return status;
}
// You don't know what roles or privileges you might be revoking, so require the ability
// to revoke any role (or privilege) in the system.
if (!authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forAnyNormalResource(),
ActionType::revokeRole)) {
return Status(ErrorCodes::Unauthorized,
"updateRole command required the ability to revoke any role in the "
"system");
}
status = checkAuthorizedToGrantRoles(authzSession, args.roles);
if (!status.isOK()) {
return status;
}
return checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
}
Status checkAuthForCreateRoleCommand(Client* client,
const std::string& dbname,
const BSONObj& cmdObj) {
AuthorizationSession* authzSession = AuthorizationSession::get(client);
auth::CreateOrUpdateRoleArgs args;
Status status = auth::parseCreateOrUpdateRoleCommands(cmdObj, "createRole", dbname, &args);
if (!status.isOK()) {
return status;
}
if (!authzSession->isAuthorizedToCreateRole(args)) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "Not authorized to create roles on db: "
<< args.roleName.getDB());
}
status = checkAuthorizedToGrantRoles(authzSession, args.roles);
if (!status.isOK()) {
return status;
}
status = checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
if (!status.isOK()) {
return status;
}
status = checkAuthorizedToSetRestrictions(
authzSession, static_cast<bool>(args.authenticationRestrictions), args.roleName.getDB());
if (!status.isOK()) {
return status;
}
return Status::OK();
}
Status checkAuthForGrantPrivilegesToRoleCommand(Client* client,
const std::string& dbname,
const BSONObj& cmdObj) {
AuthorizationSession* authzSession = AuthorizationSession::get(client);
PrivilegeVector privileges;
RoleName unusedRoleName;
Status status = auth::parseAndValidateRolePrivilegeManipulationCommands(
cmdObj, "grantPrivilegesToRole", dbname, &unusedRoleName, &privileges);
if (!status.isOK()) {
return status;
}
return checkAuthorizedToGrantPrivileges(authzSession, privileges);
}
Status checkAuthForCreateRoleCommand(ClientBasic* client,
const std::string& dbname,
const BSONObj& cmdObj) {
AuthorizationSession* authzSession = AuthorizationSession::get(client);
auth::CreateOrUpdateRoleArgs args;
Status status = auth::parseCreateOrUpdateRoleCommands(cmdObj, "createRole", dbname, &args);
if (!status.isOK()) {
return status;
}
if (!authzSession->isAuthorizedForActionsOnResource(
ResourcePattern::forDatabaseName(args.roleName.getDB()), ActionType::createRole)) {
return Status(ErrorCodes::Unauthorized,
str::stream()
<< "Not authorized to create roles on db: " << args.roleName.getDB());
}
status = checkAuthorizedToGrantRoles(authzSession, args.roles);
if (!status.isOK()) {
return status;
}
return checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
}
