SERVER-9518 Handle otherDBRoles when initializing User object from V1 privilege documents

Author: stbrody

jstests/auth/otherDBRoles.js

@@ -0,0 +1,46 @@
+var conn = MongoRunner.runMongod({auth : ""});
+
+function assertGLENotOK(status) {
+    assert(status.ok && status.err !== null,
+           "Expected not-OK status object; found " + tojson(status));
+}
+
+function assertGLEOK(status) {
+    assert(status.ok && status.err === null,
+           "Expected OK status object; found " + tojson(status));
+}
+
+var adminDB = conn.getDB("admin");
+var testDB = conn.getDB("test");
+var test2DB = conn.getDB("test2");
+
+// Can't use otherDBRoles outside of admin DB
+assert.throws(function() {
+                  testDB.addUser({user:'spencer',
+                                  pwd:'x',
+                                  roles:[],
+                                  otherDBRoles: {test2: ['readWrite']}});
+              });
+
+testDB.addUser({user: 'spencer', pwd: 'x', roles: ['readWrite']});
+
+adminDB.addUser({user:'spencer',
+                 userSource: 'test',
+                 roles:[],
+                 otherDBRoles: {test: ['dbAdmin'], test2: ['readWrite']}});
+
+testDB.auth('spencer', 'x');
+
+testDB.foo.insert({a:1});
+assertGLEOK(testDB.getLastErrorObj());
+assert.eq(1, testDB.foo.findOne().a);
+
+// Make sure user got the dbAdmin role
+assert.commandWorked(testDB.foo.runCommand("compact"));
+
+// Make sure the user got privileges on the test2 database.
+test2DB.foo.insert({a:1});
+assertGLEOK(test2DB.getLastErrorObj());
+assert.eq(1, test2DB.foo.findOne().a);
+
+assert.commandFailed(test2DB.foo.runCommand("compact"));

src/mongo/db/auth/authorization_manager.cpp

@@ -777,12 +777,21 @@ namespace {
         }
     }
 
-    Status _initializeUserRolesFromV1PrivilegeDocument(
-                User* user, const BSONObj& privDoc, const StringData& dbname) {
+    Status _initializeUserRolesFromV1RolesArray(User* user,
+                                                const BSONElement& rolesElement,
+                                                const StringData& dbname) {
         static const char privilegesTypeMismatchMessage[] =
-            "Roles in V1 user documents must be enumerated in an array of strings.";
+                "Roles in V1 user documents must be enumerated in an array of strings.";
+
+        if (dbname == PrivilegeSet::WILDCARD_RESOURCE) {
+            return Status(ErrorCodes::BadValue,
+                          PrivilegeSet::WILDCARD_RESOURCE + " is an invalid database name.");
+        }
+
+        if (rolesElement.type() != Array)
+            return Status(ErrorCodes::TypeMismatch, privilegesTypeMismatchMessage);
 
-        for (BSONObjIterator iter(privDoc["roles"].embeddedObject()); iter.more(); iter.next()) {
+        for (BSONObjIterator iter(rolesElement.embeddedObject()); iter.more(); iter.next()) {
             BSONElement roleElement = *iter;
             if (roleElement.type() != String)
                 return Status(ErrorCodes::TypeMismatch, privilegesTypeMismatchMessage);
@@ -792,6 +801,48 @@ namespace {
         return Status::OK();
     }
 
+    Status _initializeUserRolesFromV1PrivilegeDocument(
+                User* user, const BSONObj& privDoc, const StringData& dbname) {
+        Status status = _initializeUserRolesFromV1RolesArray(user,
+                                                             privDoc[ROLES_FIELD_NAME],
+                                                             dbname);
+        if (!status.isOK()) {
+            return status;
+        }
+
+        // If "dbname" is the admin database, handle the otherDBPrivileges field, which
+        // grants privileges on databases other than "dbname".
+        BSONElement otherDbPrivileges = privDoc[OTHER_DB_ROLES_FIELD_NAME];
+        if (dbname == ADMIN_DBNAME) {
+            switch (otherDbPrivileges.type()) {
+            case EOO:
+                break;
+            case Object: {
+                for (BSONObjIterator iter(otherDbPrivileges.embeddedObject());
+                     iter.more(); iter.next()) {
+
+                    BSONElement rolesElement = *iter;
+                    status = _initializeUserRolesFromV1RolesArray(user,
+                                                                  rolesElement,
+                                                                  rolesElement.fieldName());
+                    if (!status.isOK())
+                        return status;
+                }
+                break;
+            }
+            default:
+                return Status(ErrorCodes::TypeMismatch,
+                              "Field \"otherDBRoles\" must be an object, if present.");
+            }
+        }
+        else if (!otherDbPrivileges.eoo()) {
+            return Status(ErrorCodes::BadValue, "Only the admin database may contain a field "
+                          "called \"otherDBRoles\"");
+        }
+
+        return Status::OK();
+    }
+
     /**
      * Parses privDoc and initializes the user's "roles" field with the role list extracted
      * from the privilege document.