SERVER-34653 Add 'AuthorizationSession::isAuthenticated()'

2024-12-01 09:32:32 +01:00 · 2018-05-02 15:13:10 -04:00 · 2018-05-02 15:13:10 -04:00 · dbbd060edc
commit dbbd060edc
parent fd9eef9377
5 changed files with 16 additions and 14 deletions
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@ -218,6 +218,10 @@ void AuthorizationSession::logoutDatabase(const std::string& dbname) {
    _buildAuthenticatedRolesVector();
 }

+bool AuthorizationSession::isAuthenticated() {
+    return _authenticatedUsers.begin() != _authenticatedUsers.end();
+}
+
 UserNameIterator AuthorizationSession::getAuthenticatedUserNames() {
    return _authenticatedUsers.getNames();
 }
@ -300,7 +304,7 @@ Status AuthorizationSession::checkAuthForAggregate(const NamespaceString& nss,
    }

    // We require at least one authenticated user when running aggregate with auth enabled.
-    if (!getAuthenticatedUserNames().more()) {
+    if (!isAuthenticated()) {
        return Status(ErrorCodes::Unauthorized, "unauthorized");
    }

@ -382,7 +386,7 @@ Status AuthorizationSession::checkAuthForGetMore(const NamespaceString& ns,
                                                 bool hasTerm) {
    // Since users can only getMore their own cursors, we verify that a user either is authenticated
    // or does not need to be.
-    if (!_externalState->shouldIgnoreAuthChecks() && !getAuthenticatedUserNames().more()) {
+    if (!_externalState->shouldIgnoreAuthChecks() && !isAuthenticated()) {
        return Status(ErrorCodes::Unauthorized,
                      str::stream() << "not authorized for getMore on " << ns.db());
    }
@ -974,7 +978,7 @@ bool AuthorizationSession::isCoauthorizedWith(UserNameIterator userNameIter) {
    if (!getAuthorizationManager().isAuthEnabled()) {
        return true;
    }
-    if (!userNameIter.more() && !getAuthenticatedUserNames().more()) {
+    if (!userNameIter.more() && !isAuthenticated()) {
        return true;
    }

@ -1025,10 +1029,6 @@ auto mongo::checkCursorSessionPrivilege(OperationContext* const opCtx,
    }
    auto* const authSession = AuthorizationSession::get(opCtx->getClient());

-    auto nobodyIsLoggedIn = [authSession] {
-        return !authSession->getAuthenticatedUserNames().more();
-    };
-
    auto authHasImpersonatePrivilege = [authSession] {
        return authSession->isAuthorizedForPrivilege(
            Privilege(ResourcePattern::forClusterResource(), ActionType::impersonate));
@ -1057,8 +1057,9 @@ auto mongo::checkCursorSessionPrivilege(OperationContext* const opCtx,
                                                            // the Operation Context's session, then
                                                            // we should forbid the operation even
                                                            // when the cursor has no session.
-        !nobodyIsLoggedIn() &&          // Unless, for some reason a user isn't actually using this
-                                        // Operation Context (which implies a background job
+        authSession->isAuthenticated() &&  // Unless, for some reason a user isn't actually using
+                                           // this Operation Context (which implies a background
+                                           // job)
        !authHasImpersonatePrivilege()  // Or if the user has an impersonation privilege, in which
                                        // case, the user gets to sidestep certain checks.
        ) {
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@ -144,6 +144,9 @@ public:
    // multiple users are authenticated, this method will throw an exception.
    User* getSingleUser();

+    // Is authenticated as at least one user.
+    bool isAuthenticated();
+
    // Gets an iterator over the names of all authenticated users stored in this manager.
    UserNameIterator getAuthenticatedUserNames();

--- a/src/mongo/db/commands/current_op.cpp
+++ b/src/mongo/db/commands/current_op.cpp
@ -55,8 +55,7 @@ public:
            return Status::OK();
        }

-        bool isAuthenticated = authzSession->getAuthenticatedUserNames().more();
-        if (isAuthenticated && cmdObj["$ownOps"].trueValue()) {
+        if (authzSession->isAuthenticated() && cmdObj["$ownOps"].trueValue()) {
            return Status::OK();
        }

--- a/src/mongo/db/commands/kill_op_cmd_base.cpp
+++ b/src/mongo/db/commands/kill_op_cmd_base.cpp
@ -51,8 +51,7 @@ Status KillOpCmdBase::checkAuthForCommand(Client* client,
        return Status::OK();
    }

-    bool isAuthenticated = AuthorizationSession::get(client)->getAuthenticatedUserNames().more();
-    if (isAuthenticated && isKillingLocalOp(cmdObj.getField("op"))) {
+    if (authzSession->isAuthenticated() && isKillingLocalOp(cmdObj.getField("op"))) {
        // Look up the OperationContext and see if we have permission to kill it. This is done once
        // here and again in the command body. The check here in the checkAuthForCommand() function
        // is necessary because if the check fails, it will be picked up by the auditing system.
--- a/src/mongo/db/initialize_operation_session_info.cpp
+++ b/src/mongo/db/initialize_operation_session_info.cpp
@ -54,7 +54,7 @@ boost::optional<OperationSessionInfoFromClient> initializeOperationSessionInfo(
        // or as an externally authorized user.
        AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
        if (authSession && authSession->isUsingLocalhostBypass() &&
-            !authSession->getAuthenticatedUserNames().more()) {
+            !authSession->isAuthenticated()) {
            return boost::none;
        }
    }