db/security.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103

// security.h

/**
*    Copyright (C) 2009 10gen Inc.
*
*    This program is free software: you can redistribute it and/or  modify
*    it under the terms of the GNU Affero General Public License, version 3,
*    as published by the Free Software Foundation.
*
*    This program is distributed in the hope that it will be useful,
*    but WITHOUT ANY WARRANTY; without even the implied warranty of
*    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*    GNU Affero General Public License for more details.
*
*    You should have received a copy of the GNU Affero General Public License
*    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#pragma once

#include "nonce.h"
#include "concurrency.h"
#include "security_common.h"
#include "../util/concurrency/spin_lock.h"

// this is used by both mongos and mongod

namespace mongo {

    /* 
     * for a particular db
     * levels
     *     0 : none
     *     1 : read
     *     2 : write
     */
    struct Auth {
        Auth() { level = 0; }
        int level;
        string user;
    };

    class AuthenticationInfo : boost::noncopyable {
    public:
        bool isLocalHost;
        
        AuthenticationInfo(){ isLocalHost = false; }
        ~AuthenticationInfo() {}

        // -- modifiers ----
        
        void logout(const string& dbname ) {
            scoped_spinlock lk(_lock);
            _dbs.erase(dbname);
        }
        void authorize(const string& dbname , const string& user ) {
            scoped_spinlock lk(_lock);
            _dbs[dbname].level = 2;
            _dbs[dbname].user = user;
        }
        void authorizeReadOnly(const string& dbname , const string& user ) {
            scoped_spinlock lk(_lock);
            _dbs[dbname].level = 1;
            _dbs[dbname].user = user;
        }
        
        // -- accessors ---

        bool isAuthorized(const string& dbname) const { 
            return _isAuthorized( dbname, 2 ); 
        }
        
        bool isAuthorizedReads(const string& dbname) const { 
            return _isAuthorized( dbname, 1 ); 
        }
        
        bool isAuthorizedForLock(const string& dbname, int lockType ) const { 
            return _isAuthorized( dbname , lockType > 0 ? 2 : 1 ); 
        }

        string getUser( const string& dbname ) const;

        void print() const;

    protected:
        /** takes a lock */
        bool _isAuthorized(const string& dbname, int level) const;

        bool _isAuthorizedSingle_inlock(const string& dbname, int level) const;
        
        /** cannot call this locked */
        bool _isAuthorizedSpecialChecks( const string& dbname ) const ;

    private:
        mutable SpinLock _lock;

        typedef map<string,Auth> MA;
        MA _dbs; // dbname -> auth

        static bool _warned;
    };

} // namespace mongo