SERVER-30298 Add UserDigest LogicalSessionID

Inclusion of a sha256 digest of the full username to the logical session
id (in addition to the current guid) is necessary to fully disambiguate
logical sessions in degraded clusters (when the authoritative record for
a session is unreachable).

Semantics for the uid are as follows:

session creation via startSession()
* Sessions can only be created with one, and only one, user authenticated
* The composite key is created from a guid created on the spot, as well
  as the digest of the currently auth'd username
* Only the session guid is returned to the user
  * This prevents outside users from attempting to send back a value
    we'd have to check.  It's preferable to decorate the guid with the
    user digest per command, rather than having to check a value the user
    might send.

session use for a command
* Sessions are passed via the lsid top level field in any command
* Sessions are only meaningful for commands which requireAuth.  For
  sessions which don't require auth, we strip session information from the
  command at parse time
* Session ids are passed as an object, which can optionally include the
  username digest
  * It is illegal to pass the username digest unless the currently
    auth'd user has the impersonate privilege (the __system user does).
    This enables sessions on shard servers via mongos

Author: hanumantmk

jstests/sharding/session_info_in_oplog.js

@@ -7,6 +7,17 @@
 
     var checkOplog = function(mainConn, priConn) {
         var lsid = UUID();
+        var uid = function() {
+            var user = mainConn.getDB("admin")
+                           .runCommand({connectionStatus: 1})
+                           .authInfo.authenticatedUsers[0];
+
+            if (user) {
+                return computeSHA256Block(user.user + "@" + user.db);
+            } else {
+                return computeSHA256Block("");
+            }
+        }();
 
         ////////////////////////////////////////////////////////////////////////
         // Test insert command
@@ -15,7 +26,7 @@
             insert: 'user',
             documents: [{_id: 10}, {_id: 30}],
             ordered: false,
-            lsid: {id: {uuid: lsid}},
+            lsid: {id: lsid},
             txnNumber: NumberLong(34),
         };
 
@@ -26,14 +37,16 @@
         var firstDoc = oplog.findOne({ns: 'test.user', 'o._id': 10});
         assert(firstDoc != null);
         assert(firstDoc.lsid != null);
-        assert.eq(lsid, firstDoc.lsid.id.uuid);
+        assert.eq(lsid, firstDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(34), firstDoc.txnNumber);
         assert.eq(0, firstDoc.stmtId);
 
         var secondDoc = oplog.findOne({ns: 'test.user', 'o._id': 30});
         assert(secondDoc != null);
         assert(secondDoc.lsid != null);
-        assert.eq(lsid, secondDoc.lsid.id.uuid);
+        assert.eq(lsid, secondDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(34), secondDoc.txnNumber);
         assert.eq(1, secondDoc.stmtId);
 
@@ -48,7 +61,7 @@
                 {q: {_id: 30}, u: {z: 1}}  // replacement
             ],
             ordered: false,
-            lsid: {id: {uuid: lsid}},
+            lsid: {id: lsid},
             txnNumber: NumberLong(35),
         };
 
@@ -57,21 +70,24 @@
         firstDoc = oplog.findOne({ns: 'test.user', op: 'u', 'o2._id': 10});
         assert(firstDoc != null);
         assert(firstDoc.lsid != null);
-        assert.eq(lsid, firstDoc.lsid.id.uuid);
+        assert.eq(lsid, firstDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(35), firstDoc.txnNumber);
         assert.eq(0, firstDoc.stmtId);
 
         secondDoc = oplog.findOne({ns: 'test.user', op: 'i', 'o._id': 20});
         assert(secondDoc != null);
         assert(secondDoc.lsid != null);
-        assert.eq(lsid, secondDoc.lsid.id.uuid);
+        assert.eq(lsid, secondDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(35), secondDoc.txnNumber);
         assert.eq(1, secondDoc.stmtId);
 
         var thirdDoc = oplog.findOne({ns: 'test.user', op: 'u', 'o2._id': 30});
         assert(thirdDoc != null);
         assert(thirdDoc.lsid != null);
-        assert.eq(lsid, thirdDoc.lsid.id.uuid);
+        assert.eq(lsid, thirdDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(35), thirdDoc.txnNumber);
         assert.eq(2, thirdDoc.stmtId);
 
@@ -82,7 +98,7 @@
             delete: 'user',
             deletes: [{q: {_id: 10}, limit: 1}, {q: {_id: 20}, limit: 1}],
             ordered: false,
-            lsid: {id: {uuid: lsid}},
+            lsid: {id: lsid},
             txnNumber: NumberLong(36),
         };
 
@@ -91,14 +107,16 @@
         firstDoc = oplog.findOne({ns: 'test.user', op: 'd', 'o._id': 10});
         assert(firstDoc != null);
         assert(firstDoc.lsid != null);
-        assert.eq(lsid, firstDoc.lsid.id.uuid);
+        assert.eq(lsid, firstDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(36), firstDoc.txnNumber);
         assert.eq(0, firstDoc.stmtId);
 
         secondDoc = oplog.findOne({ns: 'test.user', op: 'd', 'o._id': 20});
         assert(secondDoc != null);
         assert(secondDoc.lsid != null);
-        assert.eq(lsid, secondDoc.lsid.id.uuid);
+        assert.eq(lsid, secondDoc.lsid.id);
+        assert.eq(uid, firstDoc.lsid.uid);
         assert.eq(NumberLong(36), secondDoc.txnNumber);
         assert.eq(1, secondDoc.stmtId);
     };

src/mongo/SConscript

@@ -411,6 +411,7 @@ if not has_option('noshell') and usemozjs:
                     "shell/shell_utils_launcher.cpp",
                 ],
                 LIBDEPS=[
+                    'db/logical_session_id_helpers',
                     'db/catalog/index_key_validate',
                     'db/index/external_key_generator',
                     'db/query/command_request_response',

src/mongo/db/SConscript

@@ -206,6 +206,7 @@ env.CppUnitTest(
     ],
     LIBDEPS=[
         'logical_session_id',
+        'logical_session_id_helpers',
         'service_context',
         '$BUILD_DIR/mongo/db/auth/authorization_manager_mock_init',
         '$BUILD_DIR/mongo/db/service_context_noop_init',
@@ -872,74 +873,41 @@ env.Library(
         'logical_session_id.cpp',
         env.Idlc('logical_session_id.idl')[0],
     ],
-    LIBDEPS=[
-        '$BUILD_DIR/mongo/idl/idl_parser',
-        '$BUILD_DIR/mongo/util/uuid',
-        '$BUILD_DIR/mongo/base',
-    ],
-)
-
-env.CppUnitTest(
-    target='logical_session_id_test',
-    source=[
-        'logical_session_id_test.cpp',
-    ],
-    LIBDEPS=[
-        '$BUILD_DIR/mongo/base',
-        'logical_session_id'
-    ],
-)
-
-env.Library(
-    target='signed_logical_session_id',
-    source=[
-        'signed_logical_session_id.cpp',
-        env.Idlc('signed_logical_session_id.idl')[0],
-    ],
     LIBDEPS=[
         '$BUILD_DIR/mongo/base',
-        '$BUILD_DIR/mongo/crypto/sha1_block',
+        '$BUILD_DIR/mongo/crypto/sha256_block',
+        '$BUILD_DIR/mongo/crypto/sha_block_${MONGO_CRYPTO}',
         '$BUILD_DIR/mongo/idl/idl_parser',
         '$BUILD_DIR/mongo/util/uuid',
-        'logical_session_id'
-    ],
-)
-
-env.CppUnitTest(
-    target='signed_logical_session_id_test',
-    source=[
-        'signed_logical_session_id_test.cpp',
-    ],
-    LIBDEPS=[
-        '$BUILD_DIR/mongo/base',
-        'signed_logical_session_id',
     ],
 )
 
 env.Library(
-    target='logical_session_record',
+    target='logical_session_id_helpers',
     source=[
-        'logical_session_record.cpp',
-        env.Idlc('logical_session_record.idl')[0],
+        'logical_session_id_helpers.cpp',
     ],
     LIBDEPS=[
-        '$BUILD_DIR/mongo/base',
-        '$BUILD_DIR/mongo/db/auth/user_name',
-        '$BUILD_DIR/mongo/idl/idl_parser',
         'logical_session_id',
-        'signed_logical_session_id',
+        'logical_session_cache',
+        '$BUILD_DIR/mongo/db/auth/authcore',
     ],
 )
 
 env.CppUnitTest(
-    target='logical_session_record_test',
+    target='logical_session_id_test',
     source=[
-        'logical_session_record_test.cpp',
+        'logical_session_id_test.cpp',
     ],
     LIBDEPS=[
         '$BUILD_DIR/mongo/base',
+        '$BUILD_DIR/mongo/db/service_context_noop_init',
+        '$BUILD_DIR/mongo/transport/transport_layer_mock',
+        '$BUILD_DIR/mongo/db/auth/authcore',
+        '$BUILD_DIR/mongo/db/auth/authmocks',
+        '$BUILD_DIR/mongo/db/auth/authorization_session_for_test',
         'logical_session_id',
-        'logical_session_record',
+        'logical_session_id_helpers',
     ],
 )
 
@@ -954,7 +922,6 @@ env.Library(
         'keys_collection_manager',
         'keys_collection_manager_zero',
         'logical_clock',
-        'signed_logical_session_id',
     ],
 )
 
@@ -1032,7 +999,6 @@ env.Library(
     ],
     LIBDEPS=[
         'logical_session_id',
-        'logical_session_record',
         'sessions_collection',
         'server_parameters',
         'service_liason',
@@ -1050,10 +1016,10 @@ envWithAsio.CppUnitTest(
         'keys_collection_manager',
         'keys_collection_document',
         'logical_clock',
+        'logical_session_id_helpers',
         'logical_session_cache',
         'service_liason_mock',
         'sessions_collection_mock',
-        'signed_logical_session_id',
     ],
 )
 

src/mongo/db/auth/sasl_commands.cpp

@@ -85,7 +85,7 @@ class CmdSaslStart : public BasicCommand {
     virtual bool slaveOk() const {
         return true;
     }
-    virtual bool requiresAuth() {
+    bool requiresAuth() const override {
         return false;
     }
 };
@@ -111,7 +111,7 @@ class CmdSaslContinue : public BasicCommand {
     virtual bool slaveOk() const {
         return true;
     }
-    virtual bool requiresAuth() {
+    bool requiresAuth() const override {
         return false;
     }
 };

src/mongo/db/auth/user.cpp

@@ -41,7 +41,22 @@
 
 namespace mongo {
 
-User::User(const UserName& name) : _name(name), _id(), _refCount(0), _isValid(1) {}
+namespace {
+
+SHA256Block computeDigest(const UserName& name, const boost::optional<OID>& id) {
+    const auto& fn = name.getFullName();
+
+    if (id) {
+        return SHA256Block::computeHash({id->toCDR(), ConstDataRange(fn.c_str(), fn.size())});
+    } else {
+        return SHA256Block::computeHash({ConstDataRange(fn.c_str(), fn.size())});
+    }
+};
+
+}  // namespace
+
+User::User(const UserName& name)
+    : _name(name), _id(), _digest(computeDigest(_name, _id)), _refCount(0), _isValid(1) {}
 
 User::~User() {
     dassert(_refCount == 0);
@@ -55,6 +70,10 @@ const boost::optional<OID>& User::getID() const {
     return _id;
 }
 
+const SHA256Block& User::getDigest() const {
+    return _digest;
+}
+
 RoleNameIterator User::getRoles() const {
     return makeRoleNameIteratorForContainer(_roles);
 }
@@ -87,17 +106,9 @@ const ActionSet User::getActionsForResource(const ResourcePattern& resource) con
     return it->second.getActions();
 }
 
-User* User::clone() const {
-    std::unique_ptr<User> result(new User(_name));
-    result->_id = _id;
-    result->_privileges = _privileges;
-    result->_roles = _roles;
-    result->_credentials = _credentials;
-    return result.release();
-}
-
 void User::setID(boost::optional<OID> id) {
     _id = std::move(id);
+    _digest = computeDigest(_name, _id);
 }
 
 void User::setCredentials(const CredentialData& credentials) {

src/mongo/db/auth/user.h

@@ -32,6 +32,7 @@
 
 #include "mongo/base/disallow_copying.h"
 #include "mongo/bson/oid.h"
+#include "mongo/crypto/sha256_block.h"
 #include "mongo/db/auth/privilege.h"
 #include "mongo/db/auth/resource_pattern.h"
 #include "mongo/db/auth/restriction_set.h"
@@ -92,6 +93,11 @@ class User {
      */
     const boost::optional<OID>& getID() const;
 
+    /**
+     * Returns a digest of the user's identity
+     */
+    const SHA256Block& getDigest() const;
+
     /**
      * Returns an iterator over the names of the user's direct roles
      */
@@ -137,11 +143,6 @@ class User {
      */
     uint32_t getRefCount() const;
 
-    /**
-     * Clones this user into a new, valid User object with refcount of 0.
-     */
-    User* clone() const;
-
     // Mutators below.  Mutation functions should *only* be called by the AuthorizationManager
 
     /**
@@ -237,6 +238,9 @@ class User {
     // an unset _id field to be a distinct value that will fail to compare to any other id value.
     boost::optional<OID> _id;
 
+    // Digest of the full username
+    SHA256Block _digest;
+
     // Maps resource name to privilege on that resource
     ResourcePrivilegeMap _privileges;
 

src/mongo/db/commands.h

@@ -147,6 +147,11 @@ class CommandInterface {
      */
     virtual bool shouldAffectCommandCounter() const = 0;
 
+    /**
+     * Return true if the command requires auth.
+    */
+    virtual bool requiresAuth() const = 0;
+
     /**
      * Generates help text for this command.
      */
@@ -302,6 +307,10 @@ class Command : public CommandInterface {
         return true;
     }
 
+    bool requiresAuth() const override {
+        return true;
+    }
+
     void help(std::stringstream& help) const override;
 
     Status explain(OperationContext* opCtx,

src/mongo/db/commands/SConscript

@@ -85,7 +85,8 @@ env.Library(
         '$BUILD_DIR/mongo/db/lasterror',
         '$BUILD_DIR/mongo/db/log_process_details',
         '$BUILD_DIR/mongo/db/logical_session_cache',
-        '$BUILD_DIR/mongo/db/logical_session_record',
+        '$BUILD_DIR/mongo/db/logical_session_id',
+        '$BUILD_DIR/mongo/db/logical_session_id_helpers',
         '$BUILD_DIR/mongo/db/matcher/expressions',
         '$BUILD_DIR/mongo/db/repl/isself',
         '$BUILD_DIR/mongo/db/repl/repl_coordinator_global',

src/mongo/db/commands/shutdown.h

@@ -39,7 +39,7 @@ class CmdShutdown : public BasicCommand {
 public:
     CmdShutdown() : BasicCommand("shutdown") {}
 
-    virtual bool requiresAuth() {
+    bool requiresAuth() const override {
         return true;
     }
     virtual bool adminOnly() const {