mongodb/db/security_commands.cpp

// security_commands.cpp
/*
 *    Copyright (C) 2010 10gen Inc.
 *
 *    This program is free software: you can redistribute it and/or  modify
 *    it under the terms of the GNU Affero General Public License, version 3,
 *    as published by the Free Software Foundation.
 *
 *    This program is distributed in the hope that it will be useful,
 *    but WITHOUT ANY WARRANTY; without even the implied warranty of
 *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *    GNU Affero General Public License for more details.
 *
 *    You should have received a copy of the GNU Affero General Public License
 *    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

// security.cpp links with both dbgrid and db.  this file db only -- at least for now.

// security.cpp

#include "stdafx.h"
#include "security.h"
#include "../util/md5.hpp"
#include "json.h" 
#include "pdfile.h"
#include "db.h"
#include "dbhelpers.h"
#include "commands.h"
#include "jsobj.h"
#include "client.h"

namespace mongo {

/* authentication

   system.users contains 
     { user : <username>, pwd : <pwd_digest>, ... }

   getnonce sends nonce to client

   client then sends { authenticate:1, nonce:<nonce_str>, user:<username>, key:<key> }

   where <key> is md5(<nonce_str><username><pwd_digest_str>) as a string
*/

    boost::thread_specific_ptr<nonce> lastNonce;

    class CmdGetNonce : public Command {
    public:
        virtual bool requiresAuth() { return false; }
        virtual bool logTheOp() {
            return false;
        }
        virtual bool slaveOk() {
            return true;
        }
        virtual LockType locktype(){ return NONE; }
        CmdGetNonce() : Command("getnonce") {}
        bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
            nonce *n = new nonce(security.getNonce());
            stringstream ss;
            ss << hex << *n;
            result.append("nonce", ss.str() );
            lastNonce.reset(n);
            return true;
        }
    } cmdGetNonce;

    class CmdLogout : public Command {
    public:
        virtual bool logTheOp() {
            return false;
        }
        virtual bool slaveOk() {
            return true;
        }
        virtual LockType locktype(){ return NONE; }
        CmdLogout() : Command("logout") {}
        bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
            // database->name is the one we are logging out...
            Client& client = cc();
            AuthenticationInfo *ai = client.getAuthenticationInfo();
            ai->logout(client.database()->name.c_str());
            return true;
        }
    } cmdLogout;
    
    class CmdAuthenticate : public Command {
    public:
        virtual bool requiresAuth() { return false; }
        virtual bool logTheOp() {
            return false;
        }
        virtual bool slaveOk() {
            return true;
        }
        virtual LockType locktype(){ return WRITE; } // TODO: make this READ
        CmdAuthenticate() : Command("authenticate") {}
        bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
            log(1) << " authenticate: " << cmdObj << endl;

            string user = cmdObj.getStringField("user");
            string key = cmdObj.getStringField("key");
            string received_nonce = cmdObj.getStringField("nonce");
            
            if( user.empty() || key.empty() || received_nonce.empty() ) { 
                log() << "field missing/wrong type in received authenticate command " 
                    << cc().database()->name
                    << '\n';               
                errmsg = "auth fails";
                sleepmillis(10);
                return false;
            }
            
            stringstream digestBuilder;

            {
                bool reject = false;
                nonce *ln = lastNonce.release();
                if ( ln == 0 ) {
                    reject = true;
                } else {
                    digestBuilder << hex << *ln;
                    reject = digestBuilder.str() != received_nonce;
                }
                    
                if ( reject ) {
                    log() << "auth: bad nonce received or getnonce not called. could be a driver bug or a security attack. db:" << cc().database()->name << '\n';
                    errmsg = "auth fails";
                    sleepmillis(30);
                    return false;
                }
            }

            static BSONObj userPattern = fromjson("{\"user\":1}");
            string systemUsers = cc().database()->name + ".system.users";
            OCCASIONALLY Helpers::ensureIndex(systemUsers.c_str(), userPattern, false, "user_1");

            BSONObj userObj;
            {
                BSONObjBuilder b;
                b << "user" << user;
                BSONObj query = b.done();
                if( !Helpers::findOne(systemUsers.c_str(), query, userObj) ) { 
                    log() << "auth: couldn't find user " << user << ", " << systemUsers << '\n';
                    errmsg = "auth fails";
                    return false;
                }
            }
            
            md5digest d;
            {
                
                string pwd = userObj.getStringField("pwd");
                digestBuilder << user << pwd;
                string done = digestBuilder.str();
                
                md5_state_t st;
                md5_init(&st);
                md5_append(&st, (const md5_byte_t *) done.c_str(), done.size());
                md5_finish(&st, d);
            }
            
            string computed = digestToString( d );
            
            if ( key != computed ){
                log() << "auth: key mismatch " << user << ", ns:" << ns << '\n';
                errmsg = "auth fails";
                return false;
            }

            AuthenticationInfo *ai = cc().getAuthenticationInfo();
            
            if ( userObj[ "readOnly" ].isBoolean() && userObj[ "readOnly" ].boolean() ) {
                if ( readLockSupported() ){
                    ai->authorizeReadOnly( cc().database()->name.c_str() );
                }
                else {
                    log() << "warning: old version of boost, read-only users not supported" << endl;
                    ai->authorize( cc().database()->name.c_str() );
                }
            } else {
                ai->authorize( cc().database()->name.c_str() );
            }
            return true;
        }
    } cmdAuthenticate;
    
} // namespace mongo
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`// security_commands.cpp`
Add license headers to .cpp & .h files that lacked them. MINOR 2010-02-09 22:48:21 +01:00			`/*`
			`* Copyright (C) 2010 10gen Inc.`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, version 3,`
			`* as published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`// security.cpp links with both dbgrid and db. this file db only -- at least for now.`

			`// security.cpp`

			`#include "stdafx.h"`
			`#include "security.h"`
			`#include "../util/md5.hpp"`
			`#include "json.h"`
			`#include "pdfile.h"`
			`#include "db.h"`
			`#include "dbhelpers.h"`
			`#include "commands.h"`
			`#include "jsobj.h"`
make lasterror threadsafe rename Connection -> Client lasterror code easier to read bunch of windows warnings eliminated 2009-10-12 21:12:16 +02:00			`#include "client.h"`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00
			`namespace mongo {`

			`/* authentication`

			`system.users contains`
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`{ user : <username>, pwd : <pwd_digest>, ... }`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00
			`getnonce sends nonce to client`

getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`client then sends { authenticate:1, nonce:<nonce_str>, user:<username>, key:<key> }`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`where <key> is md5(<nonce_str><username><pwd_digest_str>) as a string`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`*/`

getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`boost::thread_specific_ptr<nonce> lastNonce;`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00
			`class CmdGetNonce : public Command {`
			`public:`
basic security 2009-01-19 02:31:33 +01:00			`virtual bool requiresAuth() { return false; }`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`virtual bool logTheOp() {`
			`return false;`
			`}`
			`virtual bool slaveOk() {`
			`return true;`
			`}`
change Command locking config 2010-02-26 20:38:51 +01:00			`virtual LockType locktype(){ return NONE; }`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`CmdGetNonce() : Command("getnonce") {}`
			`bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {`
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`nonce *n = new nonce(security.getNonce());`
using strings 2009-01-20 17:37:15 +01:00			`stringstream ss;`
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`ss << hex << *n;`
using strings 2009-01-20 17:37:15 +01:00			`result.append("nonce", ss.str() );`
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`lastNonce.reset(n);`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`return true;`
			`}`
			`} cmdGetNonce;`

			`class CmdLogout : public Command {`
			`public:`
			`virtual bool logTheOp() {`
			`return false;`
			`}`
			`virtual bool slaveOk() {`
			`return true;`
			`}`
change Command locking config 2010-02-26 20:38:51 +01:00			`virtual LockType locktype(){ return NONE; }`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`CmdLogout() : Command("logout") {}`
			`bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {`
			`// database->name is the one we are logging out...`
move the var 'database' inside Client object 2009-10-14 20:34:38 +02:00			`Client& client = cc();`
cleaning up security - moving to centralized location 2010-02-04 16:49:19 +01:00			`AuthenticationInfo *ai = client.getAuthenticationInfo();`
move the var 'database' inside Client object 2009-10-14 20:34:38 +02:00			`ai->logout(client.database()->name.c_str());`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`return true;`
			`}`
			`} cmdLogout;`
changed verbose to logLevel and added log(int) 2009-01-20 20:30:59 +01:00
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`class CmdAuthenticate : public Command {`
			`public:`
basic security 2009-01-19 02:31:33 +01:00			`virtual bool requiresAuth() { return false; }`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`virtual bool logTheOp() {`
			`return false;`
			`}`
			`virtual bool slaveOk() {`
			`return true;`
			`}`
change Command locking config 2010-02-26 20:38:51 +01:00			`virtual LockType locktype(){ return WRITE; } // TODO: make this READ`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`CmdAuthenticate() : Command("authenticate") {}`
			`bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {`
changed verbose to logLevel and added log(int) 2009-01-20 20:30:59 +01:00			`log(1) << " authenticate: " << cmdObj << endl;`

suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`string user = cmdObj.getStringField("user");`
using strings 2009-01-20 17:37:15 +01:00			`string key = cmdObj.getStringField("key");`
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`string received_nonce = cmdObj.getStringField("nonce");`
using strings 2009-01-20 17:37:15 +01:00
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`if( user.empty() \|\| key.empty() \|\| received_nonce.empty() ) {`
move the var 'database' inside Client object 2009-10-14 20:34:38 +02:00			`log() << "field missing/wrong type in received authenticate command "`
			`<< cc().database()->name`
			`<< '\n';`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`errmsg = "auth fails";`
			`sleepmillis(10);`
			`return false;`
			`}`
using strings 2009-01-20 17:37:15 +01:00
			`stringstream digestBuilder;`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00
			`{`
SERVER-469 don't crash when authenticate called before getnonce 2009-12-09 23:00:14 +01:00			`bool reject = false;`
getnonce now returns a prettier nonce string -- hex digits as a string instead of double as a string. 2009-01-21 21:06:13 +01:00			`nonce *ln = lastNonce.release();`
SERVER-469 don't crash when authenticate called before getnonce 2009-12-09 23:00:14 +01:00			`if ( ln == 0 ) {`
			`reject = true;`
			`} else {`
			`digestBuilder << hex << *ln;`
			`reject = digestBuilder.str() != received_nonce;`
			`}`

			`if ( reject ) {`
			`log() << "auth: bad nonce received or getnonce not called. could be a driver bug or a security attack. db:" << cc().database()->name << '\n';`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`errmsg = "auth fails";`
			`sleepmillis(30);`
			`return false;`
			`}`
			`}`

			`static BSONObj userPattern = fromjson("{\"user\":1}");`
move the var 'database' inside Client object 2009-10-14 20:34:38 +02:00			`string systemUsers = cc().database()->name + ".system.users";`
add 'unique' option to helpers' ensureIndex 2009-04-24 17:36:42 +02:00			`OCCASIONALLY Helpers::ensureIndex(systemUsers.c_str(), userPattern, false, "user_1");`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00
			`BSONObj userObj;`
			`{`
			`BSONObjBuilder b;`
			`b << "user" << user;`
			`BSONObj query = b.done();`
			`if( !Helpers::findOne(systemUsers.c_str(), query, userObj) ) {`
			`log() << "auth: couldn't find user " << user << ", " << systemUsers << '\n';`
			`errmsg = "auth fails";`
			`return false;`
			`}`
			`}`
using strings 2009-01-20 17:37:15 +01:00
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`md5digest d;`
			`{`
using strings 2009-01-20 17:37:15 +01:00
			`string pwd = userObj.getStringField("pwd");`
			`digestBuilder << user << pwd;`
			`string done = digestBuilder.str();`

suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`md5_state_t st;`
			`md5_init(&st);`
using strings 2009-01-20 17:37:15 +01:00			`md5_append(&st, (const md5_byte_t *) done.c_str(), done.size());`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`md5_finish(&st, d);`
			`}`
using strings 2009-01-20 17:37:15 +01:00
			`string computed = digestToString( d );`

			`if ( key != computed ){`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`log() << "auth: key mismatch " << user << ", ns:" << ns << '\n';`
			`errmsg = "auth fails";`
			`return false;`
			`}`

cleaning up security - moving to centralized location 2010-02-04 16:49:19 +01:00			`AuthenticationInfo *ai = cc().getAuthenticationInfo();`
SERVER-258 add readOnly auth mode 2010-01-27 02:04:09 +01:00
			`if ( userObj[ "readOnly" ].isBoolean() && userObj[ "readOnly" ].boolean() ) {`
check for read lock and read only doesn't work on old versions of boost 2010-02-05 18:44:08 +01:00			`if ( readLockSupported() ){`
			`ai->authorizeReadOnly( cc().database()->name.c_str() );`
			`}`
			`else {`
			`log() << "warning: old version of boost, read-only users not supported" << endl;`
			`ai->authorize( cc().database()->name.c_str() );`
			`}`
SERVER-258 add readOnly auth mode 2010-01-27 02:04:09 +01:00			`} else {`
			`ai->authorize( cc().database()->name.c_str() );`
			`}`
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`return true;`
			`}`
			`} cmdAuthenticate;`
using strings 2009-01-20 17:37:15 +01:00
suppress a couple compiler warnings 2009-01-19 01:13:12 +01:00			`} // namespace mongo`