1 
2 /**
3  *    Copyright (C) 2018-present MongoDB, Inc.
4  *
5  *    This program is free software: you can redistribute it and/or modify
6  *    it under the terms of the Server Side Public License, version 1,
7  *    as published by MongoDB, Inc.
8  *
9  *    This program is distributed in the hope that it will be useful,
10  *    but WITHOUT ANY WARRANTY; without even the implied warranty of
11  *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  *    Server Side Public License for more details.
13  *
14  *    You should have received a copy of the Server Side Public License
15  *    along with this program. If not, see
16  *    <http://www.mongodb.com/licensing/server-side-public-license>.
17  *
18  *    As a special exception, the copyright holders give permission to link the
19  *    code of portions of this program with the OpenSSL library under certain
20  *    conditions as described in each individual source file and distribute
21  *    linked combinations including the program with the OpenSSL library. You
22  *    must comply with the Server Side Public License in all respects for
23  *    all of the code used other than as permitted herein. If you modify file(s)
24  *    with this exception, you may extend this exception to your version of the
25  *    file(s), but you are not obligated to do so. If you do not wish to do so,
26  *    delete this exception statement from your version. If you delete this
27  *    exception statement from all source files in the program, then also delete
28  *    it in the license file.
29  */
30 
31 #pragma once
32 
33 #include "mongo/base/status.h"
34 #include "mongo/bson/bsontypes.h"
35 #include "mongo/client/authenticate.h"
36 #include "mongo/executor/remote_command_request.h"
37 #include "mongo/executor/remote_command_response.h"
38 
39 namespace mongo {
40 class BSONObj;
41 
42 /**
43  * Attempts to authenticate "client" using the SASL protocol.
44  *
45  * Do not use directly in client code.  Use the auth::authenticateClient() method, instead.
46  *
47  * Test against NULL for availability.  Client driver must be compiled with SASL support _and_
48  * client application must have successfully executed mongo::runGlobalInitializersOrDie() or its
49  * ilk to make this functionality available.
50  *
51  * The "saslParameters" BSONObj should be initialized with zero or more of the
52  * fields below.  Which fields are required depends on the mechanism.  Consult the
53  * relevant IETF standards.
54  *
55  *     "mechanism": The std::string name of the sasl mechanism to use.  Mandatory.
56  *     "autoAuthorize": Truthy values tell the server to automatically acquire privileges on
57  *         all resources after successful authentication, which is the default.  Falsey values
58  *         instruct the server to await separate privilege-acquisition commands.
59  *     "user": The std::string name of the user to authenticate.
60  *     "db": The database target of the auth command, which identifies the location
61  *         of the credential information for the user.  May be "$external" if credential
62  *         information is stored outside of the mongo cluster.
63  *     "pwd": The password.
64  *     "serviceName": The GSSAPI service name to use.  Defaults to "mongodb".
65  *     "serviceHostname": The GSSAPI hostname to use.  Defaults to the name of the remote host.
66  *
67  * Other fields in saslParameters are silently ignored.
68  *
69  * Returns an OK status on success, and ErrorCodes::AuthenticationFailed if authentication is
70  * rejected.  Other failures, all of which are tantamount to authentication failure, may also be
71  * returned.
72  */
73 extern void (*saslClientAuthenticate)(auth::RunCommandHook runCommand,
74                                       const HostAndPort& hostname,
75                                       const BSONObj& saslParameters,
76                                       auth::AuthCompletionHandler handler);
77 
78 /**
79  * Extracts the payload field from "cmdObj", and store it into "*payload".
80  *
81  * Sets "*type" to the BSONType of the payload field in cmdObj.
82  *
83  * If the type of the payload field is String, the contents base64 decodes and
84  * stores into "*payload".  If the type is BinData, the contents are stored directly
85  * into "*payload".  In all other cases, returns
86  */
87 Status saslExtractPayload(const BSONObj& cmdObj, std::string* payload, BSONType* type);
88 
89 // Constants
90 
91 /// std::string name of the saslStart command.
92 extern const char* const saslStartCommandName;
93 
94 /// std::string name of the saslContinue command.
95 extern const char* const saslContinueCommandName;
96 
97 /// Name of the saslStart parameter indicating that the server should automatically grant the
98 /// connection all privileges associated with the user after successful authentication.
99 extern const char* const saslCommandAutoAuthorizeFieldName;
100 
101 /// Name of the field contain the status code in responses from the server.
102 extern const char* const saslCommandCodeFieldName;
103 
104 /// Name of the field containing the conversation identifier in server respones and saslContinue
105 /// commands.
106 extern const char* const saslCommandConversationIdFieldName;
107 
108 /// Name of the field that indicates whether or not the server believes authentication has
109 /// completed successfully.
110 extern const char* const saslCommandDoneFieldName;
111 
112 /// Field in which  to store error messages associated with non-success return codes.
113 extern const char* const saslCommandErrmsgFieldName;
114 
115 /// Name of parameter to saslStart command indiciating the client's desired sasl mechanism.
116 extern const char* const saslCommandMechanismFieldName;
117 
118 /// In the event that saslStart supplies an unsupported mechanism, the server responds with a
119 /// field by this name, with a list of supported mechanisms.
120 extern const char* const saslCommandMechanismListFieldName;
121 
122 /// Field containing password information for saslClientAuthenticate().
123 extern const char* const saslCommandPasswordFieldName;
124 
125 /// Field containing sasl payloads passed to and from the server.
126 extern const char* const saslCommandPayloadFieldName;
127 
128 /// Field containing the std::string identifier of the user to authenticate in
129 /// saslClientAuthenticate().
130 extern const char* const saslCommandUserFieldName;
131 
132 /// Field containing the std::string identifier of the database containing credential information,
133 /// or "$external" if the credential information is stored outside of the mongo cluster.
134 extern const char* const saslCommandUserDBFieldName;
135 
136 /// Field overriding the FQDN of the hostname hosting the mongodb srevice in
137 /// saslClientAuthenticate().
138 extern const char* const saslCommandServiceHostnameFieldName;
139 
140 /// Field overriding the name of the mongodb service saslClientAuthenticate().
141 extern const char* const saslCommandServiceNameFieldName;
142 
143 /// Default database against which sasl authentication commands should run.
144 extern const char* const saslDefaultDBName;
145 
146 /// Default sasl service name, "mongodb".
147 extern const char* const saslDefaultServiceName;
148 
149 // Field whose value should be set to true if the field in saslCommandPasswordFieldName needs to
150 // be digested.
151 extern const char* const saslCommandDigestPasswordFieldName;
152 }
153