1 2 /** 3 * Copyright (C) 2018-present MongoDB, Inc. 4 * 5 * This program is free software: you can redistribute it and/or modify 6 * it under the terms of the Server Side Public License, version 1, 7 * as published by MongoDB, Inc. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * Server Side Public License for more details. 13 * 14 * You should have received a copy of the Server Side Public License 15 * along with this program. If not, see 16 * <http://www.mongodb.com/licensing/server-side-public-license>. 17 * 18 * As a special exception, the copyright holders give permission to link the 19 * code of portions of this program with the OpenSSL library under certain 20 * conditions as described in each individual source file and distribute 21 * linked combinations including the program with the OpenSSL library. You 22 * must comply with the Server Side Public License in all respects for 23 * all of the code used other than as permitted herein. If you modify file(s) 24 * with this exception, you may extend this exception to your version of the 25 * file(s), but you are not obligated to do so. If you do not wish to do so, 26 * delete this exception statement from your version. If you delete this 27 * exception statement from all source files in the program, then also delete 28 * it in the license file. 
*/

#pragma once

#include <string>
#include <vector>

#include "mongo/bson/mutable/element.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/role_name.h"
#include "mongo/db/auth/user_name.h"

// NOTE(review): every declaration below returns `Status`, but no header for it is included
// here; it is presumably reached transitively through the auth headers above — TODO confirm
// (an explicit include would make this header self-contained).

namespace mongo {

// Forward declarations. Only AuthorizationSession, BSONObj and Client are used by the
// declarations in this header; AuthorizationManager, BSONArray and OperationContext are not
// referenced below (presumably kept for the implementation file or for callers).
class AuthorizationManager;
class AuthorizationSession;
struct BSONArray;
class BSONObj;
class Client;
class OperationContext;

namespace auth {

/**
 * Looks for a field named "pwd" beneath the given mutable BSON element and, if found, replaces
 * its contents with the string "xxx", so that password data on the command object used in
 * executing a user management command isn't exposed in the logs.
 *
 * `parent` is the element under which the "pwd" field is searched for; it is passed by value,
 * so the redaction presumably takes effect on the document the element belongs to — confirm
 * against the implementation. Callers are expected to invoke this before the command object
 * is logged or otherwise recorded.
 */
void redactPasswordData(mutablebson::Element parent);

//
// checkAuthorizedTo* methods
//
// These operate on an already-established AuthorizationSession and on roles/privileges that
// the caller has already parsed; no command document is inspected here. The returned Status
// is expected to be OK when the session holds what is required and non-OK otherwise — the
// exact error codes are defined in the implementation, not in this header.
//

/** Whether `authzSession` is permitted to grant each of `roles`. */
Status checkAuthorizedToGrantRoles(AuthorizationSession* authzSession,
                                   const std::vector<RoleName>& roles);

/** Whether `authzSession` is permitted to grant each privilege in `privileges`. */
Status checkAuthorizedToGrantPrivileges(AuthorizationSession* authzSession,
                                        const PrivilegeVector& privileges);

/** Whether `authzSession` is permitted to revoke each of `roles`. */
Status checkAuthorizedToRevokeRoles(AuthorizationSession* authzSession,
                                    const std::vector<RoleName>& roles);

/** Whether `authzSession` is permitted to revoke each privilege in `privileges`. */
Status checkAuthorizedToRevokePrivileges(AuthorizationSession* authzSession,
                                         const PrivilegeVector& privileges);

//
// checkAuthFor*Command methods
//
// One entry point per user management command. `client` identifies the caller whose
// authorization is being checked, `dbname` is the database the command targets, and `cmdObj`
// is the command document as received from the client. Since `cmdObj` is client-supplied
// input, the privileges required must be derived from the same document the command later
// executes with. NOTE(review): verify in the implementation that the fields parsed by these
// checks and by the command bodies agree, and that a malformed or missing field yields a
// non-OK Status rather than a permissive default.
//

/** Authorization check for createUser on `dbname`, as described by `cmdObj`. */
Status checkAuthForCreateUserCommand(Client* client,
                                     const std::string& dbname,
                                     const BSONObj& cmdObj);

/** Authorization check for updateUser on `dbname`, as described by `cmdObj`. */
Status checkAuthForUpdateUserCommand(Client* client,
                                     const std::string& dbname,
                                     const BSONObj& cmdObj);

/** Authorization check for grantRolesToUser on `dbname`, as described by `cmdObj`. */
Status checkAuthForGrantRolesToUserCommand(Client* client,
                                           const std::string& dbname,
                                           const BSONObj& cmdObj);

/** Authorization check for createRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForCreateRoleCommand(Client* client,
                                     const std::string& dbname,
                                     const BSONObj& cmdObj);

/** Authorization check for updateRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForUpdateRoleCommand(Client* client,
                                     const std::string& dbname,
                                     const BSONObj& cmdObj);

/** Authorization check for grantRolesToRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForGrantRolesToRoleCommand(Client* client,
                                           const std::string& dbname,
                                           const BSONObj& cmdObj);

/** Authorization check for grantPrivilegesToRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForGrantPrivilegesToRoleCommand(Client* client,
                                                const std::string& dbname,
                                                const BSONObj& cmdObj);

/**
 * Authorization check for dropAllUsersFromDatabase on `dbname`. No command document is
 * consulted: the only input to the decision is the target database.
 */
Status checkAuthForDropAllUsersFromDatabaseCommand(Client* client, const std::string& dbname);

/** Authorization check for revokeRolesFromUser on `dbname`, as described by `cmdObj`. */
Status checkAuthForRevokeRolesFromUserCommand(Client* client,
                                              const std::string& dbname,
                                              const BSONObj& cmdObj);

/** Authorization check for revokeRolesFromRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForRevokeRolesFromRoleCommand(Client* client,
                                              const std::string& dbname,
                                              const BSONObj& cmdObj);

/** Authorization check for dropUser on `dbname`, as described by `cmdObj`. */
Status checkAuthForDropUserCommand(Client* client,
                                   const std::string& dbname,
                                   const BSONObj& cmdObj);

/** Authorization check for dropRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForDropRoleCommand(Client* client,
                                   const std::string& dbname,
                                   const BSONObj& cmdObj);


/** Authorization check for usersInfo on `dbname`, as described by `cmdObj`. */
Status checkAuthForUsersInfoCommand(Client* client,
                                    const std::string& dbname,
                                    const BSONObj& cmdObj);

/** Authorization check for revokePrivilegesFromRole on `dbname`, as described by `cmdObj`. */
Status checkAuthForRevokePrivilegesFromRoleCommand(Client* client,
                                                   const std::string& dbname,
                                                   const BSONObj& cmdObj);

/**
 * Authorization check for dropAllRolesFromDatabase on `dbname`. As with the users variant,
 * no command document is consulted.
 */
Status checkAuthForDropAllRolesFromDatabaseCommand(Client* client, const std::string& dbname);

/** Authorization check for rolesInfo on `dbname`, as described by `cmdObj`. */
Status checkAuthForRolesInfoCommand(Client* client,
                                    const std::string& dbname,
                                    const BSONObj& cmdObj);

/**
 * Authorization check for invalidateUserCache. Takes only the client: neither a database
 * name nor a command document participates in the decision at this interface.
 */
Status checkAuthForInvalidateUserCacheCommand(Client* client);

/** Authorization check for _getUserCacheGeneration; client-only, like invalidateUserCache. */
Status checkAuthForGetUserCacheGenerationCommand(Client* client);

/**
 * Authorization check for _mergeAuthzCollections, as described by `cmdObj`. Unlike the
 * per-database commands above there is no `dbname` parameter; whatever scoping applies is
 * derived from `cmdObj` by the implementation.
 */
Status checkAuthForMergeAuthzCollectionsCommand(Client* client, const BSONObj& cmdObj);

/** Authorization check for authSchemaUpgrade; client-only. */
Status checkAuthForAuthSchemaUpgradeCommand(Client* client);

}  // namespace auth
}  // namespace mongo