2009-01-19 01:13:12 +01:00
|
|
|
// security.h
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Copyright (C) 2009 10gen Inc.
|
|
|
|
|
*
|
2009-01-10 00:15:30 +01:00
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
|
* as published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
2009-01-14 23:17:24 +01:00
|
|
|
|
|
|
|
|
#pragma once
|
|
|
|
|
|
|
|
|
|
#include <boost/thread/tss.hpp>
|
2009-05-15 23:27:31 +02:00
|
|
|
#undef assert
|
|
|
|
|
#define assert xassert
|
2009-10-15 22:47:35 +02:00
|
|
|
|
2009-01-23 17:28:29 +01:00
|
|
|
#include "nonce.h"
|
2010-02-04 16:49:19 +01:00
|
|
|
#include "concurrency.h"
|
2009-01-14 23:09:51 +01:00
|
|
|
|
|
|
|
|
namespace mongo {
|
|
|
|
|
|
2009-01-19 02:31:33 +01:00
|
|
|
// --noauth cmd line option
|
|
|
|
|
extern bool noauth;
|
|
|
|
|
|
2009-01-18 23:48:44 +01:00
|
|
|
/* for a particular db */
|
|
|
|
|
struct Auth {
|
2009-01-19 02:31:33 +01:00
|
|
|
Auth() { level = 0; }
|
2009-01-18 23:48:44 +01:00
|
|
|
int level;
|
|
|
|
|
};
|
|
|
|
|
|
2009-01-15 16:17:11 +01:00
|
|
|
class AuthenticationInfo : boost::noncopyable {
|
2009-01-19 01:01:51 +01:00
|
|
|
map<string, Auth> m; // dbname -> auth
|
2009-01-21 23:26:16 +01:00
|
|
|
static int warned;
|
2009-01-15 16:17:11 +01:00
|
|
|
public:
|
2009-01-21 23:26:16 +01:00
|
|
|
bool isLocalHost;
|
|
|
|
|
AuthenticationInfo() { isLocalHost = false; }
|
2010-02-04 16:49:19 +01:00
|
|
|
~AuthenticationInfo() {
|
2009-01-15 16:17:11 +01:00
|
|
|
}
|
2010-02-04 16:49:19 +01:00
|
|
|
void logout(const string& dbname ) {
|
|
|
|
|
assertInWriteLock(); // TODO: can we get rid of this? only 1 thread should be looking at an AuthenticationInfo
|
2009-01-21 23:26:16 +01:00
|
|
|
m.erase(dbname);
|
|
|
|
|
}
|
2010-02-04 16:49:19 +01:00
|
|
|
void authorize(const string& dbname ) {
|
2009-10-14 22:29:32 +02:00
|
|
|
assertInWriteLock();
|
2009-01-19 02:31:33 +01:00
|
|
|
m[dbname].level = 2;
|
|
|
|
|
}
|
2010-02-04 16:49:19 +01:00
|
|
|
void authorizeReadOnly(const string& dbname) {
|
2010-01-27 02:04:09 +01:00
|
|
|
assertInWriteLock();
|
|
|
|
|
m[dbname].level = 1;
|
|
|
|
|
}
|
2010-02-04 16:49:19 +01:00
|
|
|
bool isAuthorized(const string& dbname) { return _isAuthorized( dbname, 2 ); }
|
|
|
|
|
bool isAuthorizedReads(const string& dbname) { return _isAuthorized( dbname, 1 ); }
|
|
|
|
|
bool isAuthorizedForLock(const string& dbname, int lockType ) { return _isAuthorized( dbname , lockType > 0 ? 2 : 1 ); }
|
|
|
|
|
|
|
|
|
|
void print();
|
|
|
|
|
|
2010-01-27 02:04:09 +01:00
|
|
|
protected:
|
2010-02-04 16:49:19 +01:00
|
|
|
bool _isAuthorized(const string& dbname, int level) {
|
2010-01-27 02:04:09 +01:00
|
|
|
if( m[dbname].level >= level ) return true;
|
2009-01-21 23:26:16 +01:00
|
|
|
if( noauth ) return true;
|
2010-01-27 02:04:09 +01:00
|
|
|
if( m["admin"].level >= level ) return true;
|
|
|
|
|
if( m["local"].level >= level ) return true;
|
2010-02-04 16:49:19 +01:00
|
|
|
return _isAuthorizedSpecialChecks( dbname );
|
2009-01-19 02:31:33 +01:00
|
|
|
}
|
2010-02-04 16:49:19 +01:00
|
|
|
|
|
|
|
|
bool _isAuthorizedSpecialChecks( const string& dbname );
|
2009-01-15 16:17:11 +01:00
|
|
|
};
|
2009-01-14 23:17:24 +01:00
|
|
|
|
|
|
|
|
} // namespace mongo
|
