Exemplo n.º 1
 /**
  * Decides whether the current principal may run an update against `ns`.
  *
  * Updates to a "system.users" collection are gated on ActionType::userAdmin
  * only; the `upsert` flag is not consulted on that path. Every other
  * namespace needs ActionType::update, and additionally ActionType::insert
  * when `upsert` is true, because an upsert may create a document.
  *
  * @param ns      full namespace the update targets
  * @param upsert  whether the update may insert when nothing matches
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status whose message names the database or namespace.
  */
 Status AuthorizationManager::checkAuthForUpdate(const std::string& ns, bool upsert) {
     NamespaceString nss(ns);

     // Credential documents: ordinary update rights are deliberately not enough.
     if (nss.coll == "system.users") {
         if (checkAuthorization(ns, ActionType::userAdmin)) {
             return Status::OK();
         }
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() <<
                               "not authorized to update user information for database " <<
                               nss.db,
                       0);
     }

     // The update privilege is checked first; the insert privilege is only
     // evaluated for upserts, and only after the update check has passed.
     if (!checkAuthorization(ns, ActionType::update)) {
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() << "not authorized for update on " << ns,
                       0);
     }
     if (!upsert) {
         return Status::OK();
     }
     if (checkAuthorization(ns, ActionType::insert)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "not authorized for upsert on " << ns,
                   0);
 }
Exemplo n.º 2
 /**
  * Decides whether the current principal may query `ns`.
  *
  * The required action depends on the collection part of the namespace:
  *   - "system.users"   -> ActionType::userAdmin
  *   - "system.profile" -> ActionType::profileRead
  *   - anything else    -> ActionType::find
  *
  * @param ns  full namespace being queried; must not be a command namespace
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status describing what was refused.
  */
 Status AuthorizationManager::checkAuthForQuery(const std::string& ns) {
     NamespaceString nss(ns);
     // Commands are expected to be authorized elsewhere; reaching this point
     // with a command namespace is treated as a programming error.
     verify(!nss.isCommand());

     // Reading credential documents needs the user-administration privilege.
     if (nss.coll == "system.users") {
         if (checkAuthorization(ns, ActionType::userAdmin)) {
             return Status::OK();
         }
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() <<
                               "unauthorized to read user information for database " <<
                               nss.db,
                       0);
     }

     // Profiler output has its own read privilege, separate from find.
     if (nss.coll == "system.profile") {
         if (checkAuthorization(ns, ActionType::profileRead)) {
             return Status::OK();
         }
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() << "unauthorized to read " <<
                               nss.db << ".system.profile",
                       0);
     }

     if (checkAuthorization(ns, ActionType::find)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "unauthorized for query on " << ns,
                   0);
 }
Exemplo n.º 3
 /**
  * Decides whether the current session may remove documents from `ns`.
  *
  * Only ActionType::remove on `ns` is checked; `query` is not inspected.
  * NOTE(review): this body does not special-case system collections such as
  * "system.users"; presumably the privilege model behind checkAuthorization()
  * covers them - confirm.
  *
  * @param ns     full namespace the delete targets
  * @param query  delete predicate (unused here)
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status naming the namespace.
  */
 Status AuthorizationSession::checkAuthForDelete(const std::string& ns, const BSONObj& query) {
     // Constructed but not read below; kept so any work the constructor does
     // on `ns` still happens.
     NamespaceString nss(ns);

     if (checkAuthorization(ns, ActionType::remove)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "not authorized to remove from " << ns,
                   0);
 }
Exemplo n.º 4
 /**
  * Decides whether the current principal may insert into `ns`.
  *
  * Only ActionType::insert on `ns` is checked.
  * NOTE(review): no system collection (for example "system.users") is
  * special-cased in this body; confirm such namespaces are protected by the
  * privileges checkAuthorization() consults.
  *
  * @param ns  full namespace the insert targets
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status naming the namespace.
  */
 Status AuthorizationManager::checkAuthForInsert(const std::string& ns) {
     // Constructed but not read below; kept so any work the constructor does
     // on `ns` still happens.
     NamespaceString nss(ns);

     if (checkAuthorization(ns, ActionType::insert)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "not authorized for insert on " << ns,
                   0);
 }
Exemplo n.º 5
 /**
  * Decides whether the current session may query `ns`.
  *
  * Only ActionType::find on `ns` is checked; `query` is not inspected.
  * NOTE(review): collections such as "system.users" or "system.profile" get
  * no dedicated check in this body; confirm the privilege model restricts
  * find on them.
  *
  * @param ns     full namespace being queried; must not be a command namespace
  * @param query  query predicate (unused here)
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status naming the namespace.
  */
 Status AuthorizationSession::checkAuthForQuery(const std::string& ns, const BSONObj& query) {
     NamespaceString nss(ns);
     // A command namespace arriving here is treated as a programming error.
     verify(!nss.isCommand());

     if (checkAuthorization(ns, ActionType::find)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "not authorized for query on " << ns,
                   0);
 }
Exemplo n.º 6
 /**
  * Decides whether the current principal may remove documents from `ns`.
  *
  * Removing from a "system.users" collection deletes a user, so that path is
  * gated on ActionType::userAdmin; all other namespaces need
  * ActionType::remove.
  *
  * @param ns  full namespace the delete targets
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status naming the database or namespace.
  */
 Status AuthorizationManager::checkAuthForDelete(const std::string& ns) {
     NamespaceString nss(ns);

     // Credential documents: the plain remove privilege is not consulted here.
     if (nss.coll == "system.users") {
         if (checkAuthorization(ns, ActionType::userAdmin)) {
             return Status::OK();
         }
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() <<
                               "not authorized to remove user from database " <<
                               nss.db,
                       0);
     }

     if (checkAuthorization(ns, ActionType::remove)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "not authorized to remove from " << ns,
                   0);
 }
Exemplo n.º 7
 /**
  * Decides whether the current principal may insert into `ns`.
  *
  * Inserting into a "system.users" collection creates a user, so that path
  * is gated on ActionType::userAdmin; all other namespaces need
  * ActionType::insert.
  *
  * @param ns  full namespace the insert targets
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status naming the database or namespace.
  */
 Status AuthorizationManager::checkAuthForInsert(const std::string& ns) {
     NamespaceString nss(ns);

     // Credential documents: the plain insert privilege is not consulted here.
     if (nss.coll == "system.users") {
         if (checkAuthorization(ns, ActionType::userAdmin)) {
             return Status::OK();
         }
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() <<
                               "unauthorized to create user for database " <<
                               nss.db,
                       0);
     }

     if (checkAuthorization(ns, ActionType::insert)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "unauthorized for insert on " << ns,
                   0);
 }
Exemplo n.º 8
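    /**
     * Decides whether the current session may insert `document` into `ns`.
     *
     * An insert into a "system.indexes" collection is an index build, so it is
     * authorized as ActionType::ensureIndex on the namespace named by the
     * document's "ns" field rather than as an insert on `ns`. Every other
     * namespace needs ActionType::insert on `ns`.
     *
     * The "ns" field comes from the client-supplied document. A missing,
     * non-string or empty "ns" is refused with Unauthorized instead of being
     * read with BSONElement::String(), which asserts on a type mismatch and
     * would turn malformed input into an exception on the authorization path.
     *
     * NOTE(review): the database part of the document's "ns" is not compared
     * with the database of `ns` in this function; confirm the insert path
     * rejects a mismatch.
     *
     * @param ns        full namespace the insert targets
     * @param document  document being inserted; only its "ns" field is read,
     *                  and only for system.indexes inserts
     * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
     *         Status describing what was refused.
     */
    Status AuthorizationSession::checkAuthForInsert(const std::string& ns,
                                                    const BSONObj& document) {
        NamespaceString namespaceString(ns);
        if (namespaceString.coll() == StringData("system.indexes", StringData::LiteralTag())) {
            // getStringField() returns "" when the field is absent or is not a
            // string, so one emptiness test covers every malformed shape.
            const std::string indexNS = document.getStringField("ns");
            if (indexNS.empty()) {
                return Status(ErrorCodes::Unauthorized,
                              mongoutils::str::stream() << "not authorized to insert into " <<
                                      ns << " without a string-typed \"ns\" field",
                              0);
            }
            if (!checkAuthorization(indexNS, ActionType::ensureIndex)) {
                return Status(ErrorCodes::Unauthorized,
                              mongoutils::str::stream() << "not authorized to create index on " <<
                                      indexNS,
                              0);
            }
        } else {
            if (!checkAuthorization(ns, ActionType::insert)) {
                return Status(ErrorCodes::Unauthorized,
                              mongoutils::str::stream() << "not authorized for insert on " << ns,
                              0);
            }
        }

        return Status::OK();
    }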
Exemplo n.º 9
 /**
  * Decides whether the current principal may run an update against `ns`.
  *
  * A plain update needs ActionType::update. An upsert is checked with a
  * single checkAuthorization() call over an ActionSet holding both
  * ActionType::update and ActionType::insert.
  * NOTE(review): presumably the ActionSet overload requires every action in
  * the set - confirm.
  * NOTE(review): no system collection is special-cased in this body; confirm
  * namespaces such as "system.users" are protected elsewhere.
  *
  * @param ns      full namespace the update targets
  * @param upsert  whether the update may insert when nothing matches
  * @return Status::OK() when permitted, otherwise an ErrorCodes::Unauthorized
  *         Status naming the namespace.
  */
 Status AuthorizationManager::checkAuthForUpdate(const std::string& ns, bool upsert) {
     // Constructed but not read below; kept so any work the constructor does
     // on `ns` still happens.
     NamespaceString nss(ns);

     if (upsert) {
         // An upsert may create a document, so both privileges are requested.
         ActionSet needed;
         needed.addAction(ActionType::update);
         needed.addAction(ActionType::insert);
         if (checkAuthorization(ns, needed)) {
             return Status::OK();
         }
         return Status(ErrorCodes::Unauthorized,
                       mongoutils::str::stream() << "not authorized for upsert on " << ns,
                       0);
     }

     if (checkAuthorization(ns, ActionType::update)) {
         return Status::OK();
     }
     return Status(ErrorCodes::Unauthorized,
                   mongoutils::str::stream() << "not authorized for update on " << ns,
                   0);
 }