1 2 /** 3 * Copyright (C) 2018-present MongoDB, Inc. 4 * 5 * This program is free software: you can redistribute it and/or modify 6 * it under the terms of the Server Side Public License, version 1, 7 * as published by MongoDB, Inc. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * Server Side Public License for more details. 13 * 14 * You should have received a copy of the Server Side Public License 15 * along with this program. If not, see 16 * <http://www.mongodb.com/licensing/server-side-public-license>. 17 * 18 * As a special exception, the copyright holders give permission to link the 19 * code of portions of this program with the OpenSSL library under certain 20 * conditions as described in each individual source file and distribute 21 * linked combinations including the program with the OpenSSL library. You 22 * must comply with the Server Side Public License in all respects for 23 * all of the code used other than as permitted herein. If you modify file(s) 24 * with this exception, you may extend this exception to your version of the 25 * file(s), but you are not obligated to do so. If you do not wish to do so, 26 * delete this exception statement from your version. If you delete this 27 * exception statement from all source files in the program, then also delete 28 * it in the license file. 29 */ 30 31 #pragma once 32 33 #include "mongo/base/status.h" 34 #include "mongo/bson/bsontypes.h" 35 #include "mongo/client/authenticate.h" 36 #include "mongo/executor/remote_command_request.h" 37 #include "mongo/executor/remote_command_response.h" 38 39 namespace mongo { 40 class BSONObj; 41 42 /** 43 * Attempts to authenticate "client" using the SASL protocol. 44 * 45 * Do not use directly in client code. Use the auth::authenticateClient() method, instead. 46 * 47 * Test against NULL for availability. Client driver must be compiled with SASL support _and_ 48 * client application must have successfully executed mongo::runGlobalInitializersOrDie() or its 49 * ilk to make this functionality available. 50 * 51 * The "saslParameters" BSONObj should be initialized with zero or more of the 52 * fields below. Which fields are required depends on the mechanism. Consult the 53 * relevant IETF standards. 54 * 55 * "mechanism": The std::string name of the sasl mechanism to use. Mandatory. 56 * "autoAuthorize": Truthy values tell the server to automatically acquire privileges on 57 * all resources after successful authentication, which is the default. Falsey values 58 * instruct the server to await separate privilege-acquisition commands. 59 * "user": The std::string name of the user to authenticate. 60 * "db": The database target of the auth command, which identifies the location 61 * of the credential information for the user. May be "$external" if credential 62 * information is stored outside of the mongo cluster. 63 * "pwd": The password. 64 * "serviceName": The GSSAPI service name to use. Defaults to "mongodb". 65 * "serviceHostname": The GSSAPI hostname to use. Defaults to the name of the remote host. 66 * 67 * Other fields in saslParameters are silently ignored. 68 * 69 * Returns an OK status on success, and ErrorCodes::AuthenticationFailed if authentication is 70 * rejected. Other failures, all of which are tantamount to authentication failure, may also be 71 * returned. 72 */ 73 extern void (*saslClientAuthenticate)(auth::RunCommandHook runCommand, 74 const HostAndPort& hostname, 75 const BSONObj& saslParameters, 76 auth::AuthCompletionHandler handler); 77 78 /** 79 * Extracts the payload field from "cmdObj", and store it into "*payload". 80 * 81 * Sets "*type" to the BSONType of the payload field in cmdObj. 82 * 83 * If the type of the payload field is String, the contents base64 decodes and 84 * stores into "*payload". If the type is BinData, the contents are stored directly 85 * into "*payload". In all other cases, returns 86 */ 87 Status saslExtractPayload(const BSONObj& cmdObj, std::string* payload, BSONType* type); 88 89 // Constants 90 91 /// std::string name of the saslStart command. 92 extern const char* const saslStartCommandName; 93 94 /// std::string name of the saslContinue command. 95 extern const char* const saslContinueCommandName; 96 97 /// Name of the saslStart parameter indicating that the server should automatically grant the 98 /// connection all privileges associated with the user after successful authentication. 99 extern const char* const saslCommandAutoAuthorizeFieldName; 100 101 /// Name of the field contain the status code in responses from the server. 102 extern const char* const saslCommandCodeFieldName; 103 104 /// Name of the field containing the conversation identifier in server respones and saslContinue 105 /// commands. 106 extern const char* const saslCommandConversationIdFieldName; 107 108 /// Name of the field that indicates whether or not the server believes authentication has 109 /// completed successfully. 110 extern const char* const saslCommandDoneFieldName; 111 112 /// Field in which to store error messages associated with non-success return codes. 113 extern const char* const saslCommandErrmsgFieldName; 114 115 /// Name of parameter to saslStart command indiciating the client's desired sasl mechanism. 116 extern const char* const saslCommandMechanismFieldName; 117 118 /// In the event that saslStart supplies an unsupported mechanism, the server responds with a 119 /// field by this name, with a list of supported mechanisms. 120 extern const char* const saslCommandMechanismListFieldName; 121 122 /// Field containing password information for saslClientAuthenticate(). 123 extern const char* const saslCommandPasswordFieldName; 124 125 /// Field containing sasl payloads passed to and from the server. 126 extern const char* const saslCommandPayloadFieldName; 127 128 /// Field containing the std::string identifier of the user to authenticate in 129 /// saslClientAuthenticate(). 130 extern const char* const saslCommandUserFieldName; 131 132 /// Field containing the std::string identifier of the database containing credential information, 133 /// or "$external" if the credential information is stored outside of the mongo cluster. 134 extern const char* const saslCommandUserDBFieldName; 135 136 /// Field overriding the FQDN of the hostname hosting the mongodb srevice in 137 /// saslClientAuthenticate(). 138 extern const char* const saslCommandServiceHostnameFieldName; 139 140 /// Field overriding the name of the mongodb service saslClientAuthenticate(). 141 extern const char* const saslCommandServiceNameFieldName; 142 143 /// Default database against which sasl authentication commands should run. 144 extern const char* const saslDefaultDBName; 145 146 /// Default sasl service name, "mongodb". 147 extern const char* const saslDefaultServiceName; 148 149 // Field whose value should be set to true if the field in saslCommandPasswordFieldName needs to 150 // be digested. 151 extern const char* const saslCommandDigestPasswordFieldName; 152 } 153