std::string AuthorizationSession::getAuthenticatedUserNamesToken() { std::string ret; for (UserNameIterator nameIter = getAuthenticatedUserNames(); nameIter.more(); nameIter.next()) { ret += '\0'; // Using a NUL byte which isn't valid in usernames to separate them. ret += nameIter->getFullName(); } return ret; }
bool run(const string&, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { AuthorizationSession* authSession = ClientBasic::getCurrent()->getAuthorizationSession(); BSONObjBuilder authInfo(result.subobjStart("authInfo")); { BSONArrayBuilder authenticatedUsers(authInfo.subarrayStart("authenticatedUsers")); UserNameIterator nameIter = authSession->getAuthenticatedUserNames(); for ( ; nameIter.more(); nameIter.next()) { BSONObjBuilder userInfoBuilder(authenticatedUsers.subobjStart()); userInfoBuilder.append(AuthorizationManager::USER_NAME_FIELD_NAME, nameIter->getUser()); userInfoBuilder.append(AuthorizationManager::USER_DB_FIELD_NAME, nameIter->getDB()); userInfoBuilder.doneFast(); } authenticatedUsers.doneFast(); } authInfo.doneFast(); return true; }
bool run(OperationContext* txn, const string&, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result) { AuthorizationSession* authSession = AuthorizationSession::get(ClientBasic::getCurrent()); bool showPrivileges; Status status = bsonExtractBooleanFieldWithDefault(cmdObj, "showPrivileges", false, &showPrivileges); if (!status.isOK()) { return appendCommandStatus(result, status); } BSONObjBuilder authInfo(result.subobjStart("authInfo")); { BSONArrayBuilder authenticatedUsers(authInfo.subarrayStart("authenticatedUsers")); UserNameIterator nameIter = authSession->getAuthenticatedUserNames(); for (; nameIter.more(); nameIter.next()) { BSONObjBuilder userInfoBuilder(authenticatedUsers.subobjStart()); userInfoBuilder.append(AuthorizationManager::USER_NAME_FIELD_NAME, nameIter->getUser()); userInfoBuilder.append(AuthorizationManager::USER_DB_FIELD_NAME, nameIter->getDB()); } } { BSONArrayBuilder authenticatedRoles(authInfo.subarrayStart("authenticatedUserRoles")); RoleNameIterator roleIter = authSession->getAuthenticatedRoleNames(); for (; roleIter.more(); roleIter.next()) { BSONObjBuilder roleInfoBuilder(authenticatedRoles.subobjStart()); roleInfoBuilder.append(AuthorizationManager::ROLE_NAME_FIELD_NAME, roleIter->getRole()); roleInfoBuilder.append(AuthorizationManager::ROLE_DB_FIELD_NAME, roleIter->getDB()); } } if (showPrivileges) { BSONArrayBuilder authenticatedPrivileges( authInfo.subarrayStart("authenticatedUserPrivileges")); // Create a unified map of resources to privileges, to avoid duplicate // entries in the connection status output. User::ResourcePrivilegeMap unifiedResourcePrivilegeMap; UserNameIterator nameIter = authSession->getAuthenticatedUserNames(); for (; nameIter.more(); nameIter.next()) { User* authUser = authSession->lookupUser(*nameIter); const User::ResourcePrivilegeMap& resourcePrivilegeMap = authUser->getPrivileges(); for (User::ResourcePrivilegeMap::const_iterator it = resourcePrivilegeMap.begin(); it != resourcePrivilegeMap.end(); ++it) { if (unifiedResourcePrivilegeMap.find(it->first) == unifiedResourcePrivilegeMap.end()) { unifiedResourcePrivilegeMap[it->first] = it->second; } else { unifiedResourcePrivilegeMap[it->first].addActions(it->second.getActions()); } } } for (User::ResourcePrivilegeMap::const_iterator it = unifiedResourcePrivilegeMap.begin(); it != unifiedResourcePrivilegeMap.end(); ++it) { authenticatedPrivileges << it->second.toBSON(); } } authInfo.doneFast(); return true; }
BSONObj rewriteCommandForListingOwnCollections(OperationContext* opCtx, const std::string& dbName, const BSONObj& cmdObj) { mutablebson::Document rewrittenCmdObj(cmdObj); mutablebson::Element ownCollections = mutablebson::findFirstChildNamed(rewrittenCmdObj.root(), "authorizedCollections"); AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); // We must strip $ownCollections from the delegated command. uassertStatusOK(ownCollections.remove()); BSONObj collectionFilter; // Extract and retain any previous filter mutablebson::Element oldFilter = mutablebson::findFirstChildNamed(rewrittenCmdObj.root(), "filter"); // Make a new filter, containing a $and array. mutablebson::Element newFilter = rewrittenCmdObj.makeElementObject("filter"); mutablebson::Element newFilterAnd = rewrittenCmdObj.makeElementArray("$and"); uassertStatusOK(newFilter.pushBack(newFilterAnd)); // Append a rule to the $and, which rejects system collections. mutablebson::Element systemCollectionsFilter = rewrittenCmdObj.makeElementObject( "", BSON("name" << BSON("$regex" << BSONRegEx("^(?!system\\.)")))); uassertStatusOK(newFilterAnd.pushBack(systemCollectionsFilter)); if (!authzSession->isAuthorizedForAnyActionOnResource( ResourcePattern::forDatabaseName(dbName))) { // We passed an auth check which said we might be able to render some collections, // but it doesn't seem like we should render all of them. We must filter. // Compute the set of collection names which would be permissible to return. std::set<std::string> collectionNames; for (UserNameIterator nameIter = authzSession->getAuthenticatedUserNames(); nameIter.more(); nameIter.next()) { User* authUser = authzSession->lookupUser(*nameIter); const User::ResourcePrivilegeMap& resourcePrivilegeMap = authUser->getPrivileges(); for (const std::pair<ResourcePattern, Privilege>& resourcePrivilege : resourcePrivilegeMap) { const auto& resource = resourcePrivilege.first; if (resource.isCollectionPattern() || (resource.isExactNamespacePattern() && resource.databaseToMatch() == dbName)) { collectionNames.emplace(resource.collectionToMatch().toString()); } } } // Construct a new filter predicate which returns only collections we were found to // have privileges for. BSONObjBuilder predicateBuilder; BSONObjBuilder nameBuilder(predicateBuilder.subobjStart("name")); BSONArrayBuilder setBuilder(nameBuilder.subarrayStart("$in")); // Load the de-duplicated set into a BSON array for (StringData collectionName : collectionNames) { setBuilder << collectionName; } setBuilder.done(); nameBuilder.done(); collectionFilter = predicateBuilder.obj(); // Filter the results by our collection names. mutablebson::Element newFilterAndIn = rewrittenCmdObj.makeElementObject("", collectionFilter); uassertStatusOK(newFilterAnd.pushBack(newFilterAndIn)); } // If there was a pre-existing filter, compose it with our new one. if (oldFilter.ok()) { uassertStatusOK(oldFilter.remove()); uassertStatusOK(newFilterAnd.pushBack(oldFilter)); } // Attach our new composite filter back onto the listCollections command object. uassertStatusOK(rewrittenCmdObj.root().pushBack(newFilter)); return rewrittenCmdObj.getObject(); }