SERVER-111122 Label access_control module APIs (#44606)

GitOrigin-RevId: 9cc50fc23b45b38ce7a25484d16a7bef0b0b88fb
adam r 2025-12-10 18:23:09 -08:00 committed by MongoDB Bot
parent 615869f256
commit 0eb3f206cc
72 changed files with 180 additions and 97 deletions


@ -27,6 +27,7 @@
#
global:
cpp_namespace: "mongo"
mod_visibility: public
enums:
AccessCheck:


@ -32,6 +32,7 @@
#include "mongo/base/status.h"
#include "mongo/base/string_data.h"
#include "mongo/db/auth/action_type.h"
#include "mongo/util/modules.h"
#include <bitset>
#include <initializer_list>
@ -46,7 +47,7 @@ namespace mongo {
* If the special ActionType::anyAction is granted to this set, it automatically sets all bits
* in the bitmask, indicating that it contains all possible actions.
*/
class ActionSet {
class MONGO_MOD_PUBLIC ActionSet {
public:
ActionSet() = default;
ActionSet(std::initializer_list<ActionType> actions);


@ -33,6 +33,7 @@
#include "mongo/base/status_with.h"
#include "mongo/base/string_data.h"
#include "mongo/db/auth/action_type_gen.h"
#include "mongo/util/modules.h"
#include <array>
#include <cstdint>
@ -40,7 +41,7 @@
#include <string>
#include <vector>
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
/**
* List describing the ActionTypes that should be created.
@ -56,4 +57,4 @@ StringData toStringData(ActionType a);
std::string toString(ActionType a);
std::ostream& operator<<(std::ostream& os, const ActionType& a);
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -34,6 +34,7 @@
# Actions marked "ID only" are not used for permission checks, but to identify events in logs.
global:
cpp_namespace: "mongo"
mod_visibility: public
imports:
- "mongo/db/basic_types.idl"


@ -40,6 +40,7 @@
#include "mongo/db/auth/restriction.h"
#include "mongo/db/auth/restriction_environment.h"
#include "mongo/db/auth/restriction_set.h"
#include "mongo/util/modules.h"
#include "mongo/util/net/cidr.h"
#include <memory>


@ -37,6 +37,7 @@
#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/db/database_name.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/modules.h"
#include "mongo/util/str.h"
#include <compare>
@ -60,7 +61,7 @@ namespace mongo {
* Consists of a general "name" part, and a "database name" part.
*/
template <typename T>
class AuthName {
class MONGO_MOD_PUBLIC AuthName {
public:
AuthName() = default;
@ -200,7 +201,7 @@ static inline Stream& operator<<(Stream& os, const AuthName<T>& name) {
* Iterator over an unspecified container of AuthName objects.
*/
template <typename T>
class AuthNameIterator {
class MONGO_MOD_PUBLIC AuthNameIterator {
public:
class Impl {
public:


@ -40,6 +40,7 @@
#include "mongo/db/session/logical_session_id.h"
#include "mongo/db/shard_role/shard_catalog/collection.h"
#include "mongo/db/shard_role/shard_catalog/collection_options.h"
#include "mongo/util/modules.h"
#include "mongo/util/uuid.h"
#include <cstdint>
@ -54,7 +55,7 @@ namespace mongo {
* OpObserver for authentication. Observes all secondary replication traffic and filters down to
* relevant entries for authentication.
*/
class AuthOpObserver final : public OpObserverNoop {
class MONGO_MOD_PUBLIC AuthOpObserver final : public OpObserverNoop {
AuthOpObserver(const AuthOpObserver&) = delete;
AuthOpObserver& operator=(const AuthOpObserver&) = delete;


@ -29,6 +29,7 @@
#pragma once
#include "mongo/util/modules.h"
#include "mongo/util/tick_source.h"
#include "mongo/util/timer.h"


@ -40,6 +40,7 @@
#include "mongo/db/operation_context.h"
#include "mongo/db/stats/counters.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/modules.h"
#include "mongo/util/timer.h"
#include <memory>
@ -68,7 +69,7 @@ private:
/**
* Type representing an ongoing authentication session.
*/
class AuthenticationSession {
class MONGO_MOD_PUBLIC AuthenticationSession {
AuthenticationSession(const AuthenticationSession&) = delete;
AuthenticationSession& operator=(const AuthenticationSession&) = delete;


@ -31,6 +31,7 @@
#include "mongo/db/auth/authorization_backend_interface.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/shard_role/shard_catalog/db_raii.h"
#include "mongo/util/modules.h"
namespace mongo::auth {


@ -35,6 +35,7 @@
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/namespace_string.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
#include <functional>
#include <map>
@ -46,7 +47,7 @@
namespace mongo::auth {
class AuthorizationBackendMock : public AuthorizationBackendLocal {
class MONGO_MOD_PUBLIC AuthorizationBackendMock : public AuthorizationBackendLocal {
public:
/**
* Inserts the given user object into the "admin" database.
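Review bot: The three test doubles labelled in this commit get three different visibilities and none of them says why: `AuthorizationBackendMock` here is `MONGO_MOD_PUBLIC`, `AuthorizationManagerFactoryMock` is `MONGO_MOD_PUBLIC_FOR_TECHNICAL_REASONS`, and `RestrictionMock` is `MONGO_MOD_FILE_PRIVATE`. This mock inserts user objects into the "admin" database, so if it is only meant for access_control's own tests a narrower label would keep it out of the module's public surface. If other modules' tests do need it, a comment above the class such as `// Public: used by tests outside access_control to seed users.` would record that, and the "technical reasons" on the factory mock deserve the same one-line explanation. The class body continues outside the hunk.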


@ -42,6 +42,7 @@
#include "mongo/db/query/write_ops/write_ops.h"
#include "mongo/db/query/write_ops/write_ops_parsers.h"
#include "mongo/db/shard_role/shard_catalog/collection_options.h"
#include "mongo/util/modules.h"
#include <boost/optional/optional.hpp>
@ -50,19 +51,21 @@ namespace mongo::auth {
// Checks if this connection has the privileges necessary to perform a find operation
// on the supplied namespace identifier.
Status checkAuthForFind(AuthorizationSession* authSession, const NamespaceString& ns, bool hasTerm);
MONGO_MOD_PUBLIC Status checkAuthForFind(AuthorizationSession* authSession,
const NamespaceString& ns,
bool hasTerm);
// Checks if this connection has the privileges necessary to perform a getMore operation on
// the identified cursor, supposing that cursor is associated with the supplied namespace
// identifier.
Status checkAuthForGetMore(AuthorizationSession* authSession,
MONGO_MOD_PUBLIC Status checkAuthForGetMore(AuthorizationSession* authSession,
const NamespaceString& ns,
long long cursorID,
bool hasTerm);
// Checks if this connection has the privileges necessary to perform the given update on the
// given namespace.
Status checkAuthForUpdate(AuthorizationSession* authSession,
MONGO_MOD_PUBLIC Status checkAuthForUpdate(AuthorizationSession* authSession,
OperationContext* opCtx,
const NamespaceString& ns,
const BSONObj& query,
@ -70,13 +73,13 @@ Status checkAuthForUpdate(AuthorizationSession* authSession,
bool upsert);
// Checks if this connection has the privileges necessary to insert to the given namespace.
Status checkAuthForInsert(AuthorizationSession* authSession,
MONGO_MOD_PUBLIC Status checkAuthForInsert(AuthorizationSession* authSession,
OperationContext* opCtx,
const NamespaceString& ns);
// Checks if this connection has the privileges necessary to perform a delete on the given
// namespace.
Status checkAuthForDelete(AuthorizationSession* authSession,
MONGO_MOD_PUBLIC Status checkAuthForDelete(AuthorizationSession* authSession,
OperationContext* opCtx,
const NamespaceString& ns,
const BSONObj& query);
@ -84,19 +87,20 @@ Status checkAuthForDelete(AuthorizationSession* authSession,
// Checks if this connection has the privileges necessary to perform a killCursor on
// the identified cursor, supposing that cursor is associated with the supplied namespace
// identifier.
Status checkAuthForKillCursors(AuthorizationSession* authSession,
MONGO_MOD_PUBLIC Status checkAuthForKillCursors(AuthorizationSession* authSession,
const NamespaceString& cursorNss,
const boost::optional<UserName>& cursorOwner);
// Checks if this connection has the privileges necessary to perform a releaseMemory on
// the identified cursor, supposing that cursor is associated with the supplied namespace
// identifier.
Status checkAuthForReleaseMemory(AuthorizationSession* authSession,
MONGO_MOD_PUBLIC Status checkAuthForReleaseMemory(AuthorizationSession* authSession,
const NamespaceString& cursorNss);
// Attempts to get the privileges necessary to run the aggregation pipeline specified in
// 'request' on the namespace 'ns' either directly on mongoD or via mongoS.
StatusWith<PrivilegeVector> getPrivilegesForAggregate(OperationContext* opCtx,
MONGO_MOD_PUBLIC StatusWith<PrivilegeVector> getPrivilegesForAggregate(
OperationContext* opCtx,
AuthorizationSession* authSession,
const NamespaceString& ns,
const AggregateCommandRequest& request,
@ -104,14 +108,14 @@ StatusWith<PrivilegeVector> getPrivilegesForAggregate(OperationContext* opCtx,
// Checks if this connection has the privileges necessary to create 'ns' with the options
// supplied in 'cmdObj' either directly on mongoD or via mongoS.
Status checkAuthForCreate(OperationContext* opCtx,
MONGO_MOD_PUBLIC Status checkAuthForCreate(OperationContext* opCtx,
AuthorizationSession* authSession,
const CreateCommand& cmd,
bool isMongos);
// Checks if this connection has the privileges necessary to modify 'ns' with the options
// supplied in 'cmdObj' either directly on mongoD or via mongoS.
Status checkAuthForCollMod(OperationContext* opCtx,
MONGO_MOD_PUBLIC Status checkAuthForCollMod(OperationContext* opCtx,
AuthorizationSession* authSession,
const NamespaceString& ns,
const BSONObj& cmdObj,
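Review bot: The comment above `checkAuthForCreate` describes parameters the declaration does not have: it speaks of creating 'ns' with options supplied in 'cmdObj', while the signature takes `const CreateCommand& cmd` and `bool isMongos`. With the function now labelled `MONGO_MOD_PUBLIC`, this comment is what other modules will read when deciding how to call an authorization check, so I would reword it to `// Checks if this connection has the privileges necessary to run the create command 'cmd', either directly on mongoD or via mongoS.` The final declaration in this hunk, `checkAuthForCollMod`, continues outside it.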


@ -35,6 +35,7 @@
#include "mongo/db/database_name.h"
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -34,6 +34,7 @@
#include "mongo/db/auth/authz_session_external_state_router.h"
#include "mongo/db/database_name.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -35,6 +35,7 @@
#include "mongo/db/database_name.h"
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -36,6 +36,7 @@
#include "mongo/db/auth/privilege.h"
#include "mongo/stdx/mutex.h"
#include "mongo/util/concurrency/with_lock.h"
#include "mongo/util/modules.h"
#include <array>
#include <bitset>
@ -59,7 +60,7 @@ namespace mongo {
* When commands execute other commands via DBDirectClient, we only want
* the top-level command to accumulate authorization checks.
*/
class AuthorizationContract {
class MONGO_MOD_PUBLIC AuthorizationContract {
public:
AuthorizationContract() = default;
AuthorizationContract(bool isTestModeEnabled) : _isTestModeEnabled(isTestModeEnabled) {};
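Review bot: `AuthorizationContract(bool isTestModeEnabled)` is a single-argument constructor without `explicit`, so with the class now labelled `MONGO_MOD_PUBLIC` any module can create a contract from a bare `bool`, or anything that converts to one, by implicit conversion. Unless existing callers depend on that conversion, I would declare it as `explicit AuthorizationContract(bool isTestModeEnabled) : _isTestModeEnabled(isTestModeEnabled) {}`, which also drops the stray `;` after the body. The same applies to `OAuthDiscoveryFactory(std::unique_ptr<HttpClient> client)` in the OAuth discovery header. The class body continues outside the hunk.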


@ -30,10 +30,11 @@
#pragma once
#include "mongo/db/auth/authorization_session.h"
#include "mongo/util/modules.h"
namespace mongo {
class AuthorizationContractGuard {
class MONGO_MOD_PUBLIC AuthorizationContractGuard {
public:
explicit AuthorizationContractGuard(AuthorizationSession* authSession)
: _authSession(authSession) {


@ -52,6 +52,7 @@
#include "mongo/db/service_context.h"
#include "mongo/db/tenant_id.h"
#include "mongo/stdx/unordered_set.h"
#include "mongo/util/modules.h"
#include <cstdint>
#include <memory>
@ -60,7 +61,7 @@
#include <boost/optional.hpp>
#include <boost/optional/optional.hpp>
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
class AuthorizationSession;
class Client;
@ -70,7 +71,7 @@ class ServiceContext;
/**
* Internal secret key info.
*/
struct SystemAuthInfo {
struct MONGO_MOD_NEEDS_REPLACEMENT SystemAuthInfo {
std::shared_ptr<UserHandle> getUser() {
return std::atomic_load(&_user); // NOLINT
}
@ -86,12 +87,13 @@ struct SystemAuthInfo {
private:
std::shared_ptr<UserHandle> _user;
};
extern SystemAuthInfo internalSecurity;
/**
* How user management functions should structure the BSON representation of privileges and roles.
*/
enum class AuthenticationRestrictionsFormat {
enum class MONGO_MOD_PRIVATE AuthenticationRestrictionsFormat {
kOmit, // AuthenticationRestrictions should not be included in the BSON representation.
kShow, // AuthenticationRestrictions should be included in the BSON representation.
};
@ -265,4 +267,4 @@ public:
* Otherwise, they will be equal to boost::none.
*/
};
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo
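Review bot: `SystemAuthInfo` is labelled `MONGO_MOD_NEEDS_REPLACEMENT`, but its comment ("Internal secret key info.") does not say what should replace it or where that work is tracked. The `extern SystemAuthInfo internalSecurity;` declaration beside it carries no label of its own, so it presumably inherits `MONGO_MOD_PUBLIC` from the namespace. Since this global returns a `UserHandle` through `getUser()`, I would label the variable explicitly and extend the struct comment, e.g. `* TODO(<ticket>): other modules should stop reading internalSecurity directly; replace with <accessor>.` The struct and the namespace both continue outside the visible hunks.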


@ -35,8 +35,9 @@
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context.h"
#include "mongo/util/modules.h"
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
/**
* Factory class for generating the correct authorization manager for the
@ -62,4 +63,4 @@ public:
extern std::unique_ptr<AuthorizationManagerFactory> globalAuthzManagerFactory;
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -32,6 +32,7 @@
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_manager_factory.h"
#include "mongo/db/service_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -35,6 +35,7 @@
#include "mongo/db/auth/authorization_manager_factory.h"
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context.h"
#include "mongo/util/modules.h"
namespace mongo {
@ -44,7 +45,8 @@ namespace mongo {
* based on the arguments provided.
*/
class AuthorizationManagerFactoryMock : public AuthorizationManagerFactory {
class MONGO_MOD_PUBLIC_FOR_TECHNICAL_REASONS AuthorizationManagerFactoryMock
: public AuthorizationManagerFactory {
public:
std::unique_ptr<AuthorizationManager> createRouter(Service* service) override;


@ -56,6 +56,7 @@
#include "mongo/util/concurrency/thread_pool.h"
#include "mongo/util/concurrency/thread_pool_interface.h"
#include "mongo/util/invalidating_lru_cache.h"
#include "mongo/util/modules.h"
#include "mongo/util/read_through_cache.h"
#include <map>


@ -30,12 +30,13 @@
#pragma once
#include "mongo/db/auth/user.h"
#include "mongo/util/modules.h"
namespace mongo {
class AuthorizationManager;
class AuthzSessionExternalState;
class AuthorizationRouter {
class MONGO_MOD_PUBLIC AuthorizationRouter {
public:
AuthorizationRouter(const AuthorizationRouter&) = delete;
AuthorizationRouter& operator=(const AuthorizationRouter&) = delete;


@ -32,6 +32,7 @@
#include "mongo/db/auth/authorization_client_handle.h"
#include "mongo/db/auth/authorization_router.h"
#include "mongo/util/concurrency/thread_pool.h"
#include "mongo/util/modules.h"
namespace mongo {
class AuthorizationRouterImpl : public AuthorizationRouter {


@ -31,6 +31,7 @@
#include "mongo/db/auth/authorization_router_impl.h"
#include "mongo/unittest/unittest.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -51,6 +51,7 @@
#include "mongo/db/session/logical_session_id_gen.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/concurrency/with_lock.h"
#include "mongo/util/modules.h"
#include "mongo/util/time_support.h"
#include <memory>
@ -82,7 +83,7 @@ class ListCollections;
* every operation looks at one consistent view of each user for every auth check required over
* the lifetime of the operation.
*/
class AuthorizationSession {
class MONGO_MOD_PUBLIC AuthorizationSession {
AuthorizationSession(const AuthorizationSession&) = delete;
AuthorizationSession& operator=(const AuthorizationSession&) = delete;
@ -314,8 +315,8 @@ public:
// access a cursor in the specified `cursorSessionId` parameter. Returns `Status::OK()`, when the
// session is accessible. Returns a `mongo::Status` with information regarding the nature of
// session inaccessibility when the session is not accessible.
inline Status checkCursorSessionPrivilege(OperationContext* const opCtx,
const boost::optional<LogicalSessionId> cursorSessionId) {
MONGO_MOD_PUBLIC inline Status checkCursorSessionPrivilege(
OperationContext* const opCtx, const boost::optional<LogicalSessionId> cursorSessionId) {
if (!AuthorizationSession::exists(opCtx->getClient())) {
return Status::OK();
}
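Review bot: The comment on `checkCursorSessionPrivilege` documents only the accessible and inaccessible outcomes, while the first statement returns `Status::OK()` whenever `AuthorizationSession::exists(opCtx->getClient())` is false. With the function now `MONGO_MOD_PUBLIC`, callers in other modules should be able to see from the comment that a client without an authorization session passes this check. I would add `// Also returns Status::OK() when the client has no AuthorizationSession attached.` to the comment block. The function body continues outside the hunk.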


@ -36,6 +36,7 @@
#include "mongo/db/auth/role_name.h"
#include "mongo/db/auth/user.h"
#include "mongo/db/database_name.h"
#include "mongo/util/modules.h"
#include <memory>
#include <vector>


@ -51,6 +51,7 @@
#include "mongo/db/session/logical_session_id_gen.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/concurrency/with_lock.h"
#include "mongo/util/modules.h"
#include "mongo/util/time_support.h"
#include <memory>


@ -38,6 +38,7 @@
#include "mongo/db/service_context_d_test_fixture.h"
#include "mongo/transport/transport_layer_mock.h"
#include "mongo/util/clock_source_mock.h"
#include "mongo/util/modules.h"
#include <vector>


@ -34,6 +34,7 @@
#include "mongo/db/auth/user_name.h"
#include "mongo/db/client.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
#include <memory>
#include <string>


@ -34,6 +34,7 @@
#include "mongo/db/auth/authz_session_external_state.h"
#include "mongo/db/client.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -35,6 +35,7 @@
#include "mongo/db/auth/authz_session_external_state_server_common.h"
#include "mongo/db/client.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -34,6 +34,7 @@
#include "mongo/db/auth/authz_session_external_state.h"
#include "mongo/db/client.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -34,6 +34,7 @@
#include "mongo/db/auth/authz_session_external_state_server_common.h"
#include "mongo/db/client.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -34,6 +34,7 @@
#include "mongo/db/database_name.h"
#include "mongo/db/tenant_id.h"
#include "mongo/stdx/unordered_set.h"
#include "mongo/util/modules.h"
#include <boost/optional.hpp>
#include <boost/optional/optional.hpp>
@ -47,22 +48,24 @@ namespace auth {
* "privileges". Addition of new privileges is done as with
* Privilege::addPrivilegeToPrivilegeVector.
*/
bool addPrivilegesForBuiltinRole(const RoleName& role, PrivilegeVector* privileges);
MONGO_MOD_PUBLIC bool addPrivilegesForBuiltinRole(const RoleName& role,
PrivilegeVector* privileges);
/**
* Ennumerate all builtin RoleNames for the given database.
*/
stdx::unordered_set<RoleName> getBuiltinRoleNamesForDB(const DatabaseName& dbname);
MONGO_MOD_PUBLIC stdx::unordered_set<RoleName> getBuiltinRoleNamesForDB(const DatabaseName& dbname);
/**
* Adds to "privileges" the necessary privileges to do absolutely anything on the system.
*/
void generateUniversalPrivileges(PrivilegeVector* privileges, const boost::optional<TenantId>&);
MONGO_MOD_PUBLIC void generateUniversalPrivileges(PrivilegeVector* privileges,
const boost::optional<TenantId>&);
/**
* Returns whether the given role corresponds to a built-in role.
*/
bool isBuiltinRole(const RoleName& role);
MONGO_MOD_PUBLIC bool isBuiltinRole(const RoleName& role);
} // namespace auth
} // namespace mongo


@ -31,6 +31,7 @@
#include "mongo/base/status_with.h"
#include "mongo/base/string_data.h"
#include "mongo/util/modules.h"
namespace mongo {
@ -39,7 +40,7 @@ class ServiceContext;
/**
* ClusterAuthMode is a thin wrapper around an enum for decorated storage and semantic utility.
*/
class ClusterAuthMode {
class MONGO_MOD_PUBLIC ClusterAuthMode {
enum class Value {
kUndefined,
/**


@ -34,6 +34,7 @@
#include "mongo/bson/util/builder_fwd.h"
#include "mongo/stdx/mutex.h"
#include "mongo/util/duration.h"
#include "mongo/util/modules.h"
#include "mongo/util/tick_source.h"
#include <cstdint>
@ -47,7 +48,7 @@ class LDAPOperationStats;
* Class used to track statistics associated with LDAP operations for a specfic
* UserAcquisitionStats object.
*/
class LDAPCumulativeOperationStats {
class MONGO_MOD_PUBLIC LDAPCumulativeOperationStats {
public:
LDAPCumulativeOperationStats() = default;
~LDAPCumulativeOperationStats() = default;


@ -36,6 +36,7 @@
#include "mongo/db/service_context.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/duration.h"
#include "mongo/util/modules.h"
#include "mongo/util/modules_incompletely_marked_header.h"
#include "mongo/util/tick_source.h"
@ -49,7 +50,7 @@ namespace mongo {
* UserAcquisitionStats object. All methods must be called while holding that UserAcquisitionStats'
* lock.
*/
class LDAPOperationStats {
class MONGO_MOD_PUBLIC LDAPOperationStats {
public:
LDAPOperationStats() = default;
~LDAPOperationStats() = default;
@ -156,6 +157,6 @@ private:
* Metrics associated with binding and search/querying an LDAP server.
*/
Stats _bindStats;
MONGO_MOD_NEEDS_REPLACEMENT Stats _searchStats; // Used by a friend-ed test.
Stats _searchStats; // Used by a friend-ed test.
};
} // namespace mongo
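Review bot: `mongo/util/modules_incompletely_marked_header.h` still appears to be included right after the new `modules.h` include, although `LDAPOperationStats` now carries an explicit `MONGO_MOD_PUBLIC` label. Judging by the print order of the two `_searchStats` lines, the member-level `MONGO_MOD_NEEDS_REPLACEMENT` is also removed. If every declaration in this header is now labelled, the include looks stale (going by its name) and could be dropped; if something is still unlabelled, a comment next to the include naming it would help. The remaining `// Used by a friend-ed test.` comment is then the only record of why a test reaches into the private `_searchStats`.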


@ -31,6 +31,7 @@
#include "mongo/base/string_data.h"
#include "mongo/db/auth/oauth_authorization_server_metadata_gen.h"
#include "mongo/util/modules.h"
#include "mongo/util/net/http_client.h"
#include <memory>
@ -42,7 +43,7 @@ namespace mongo {
/**
* Uses RFC8414 to acquire Authorization Server metadata for an issuer.
*/
class OAuthDiscoveryFactory {
class MONGO_MOD_PUBLIC OAuthDiscoveryFactory {
public:
OAuthDiscoveryFactory(std::unique_ptr<HttpClient> client) : _client(std::move(client)) {}


@ -28,6 +28,7 @@
global:
cpp_namespace: "mongo::auth"
mod_visibility: public
imports:
- "mongo/db/basic_types.idl"


@ -36,6 +36,7 @@
#include "mongo/db/auth/resource_pattern.h"
#include "mongo/db/exec/mutable_bson/element.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/modules.h"
#include <string>
#include <vector>
@ -43,7 +44,7 @@
#include <boost/optional.hpp>
#include <boost/optional/optional.hpp>
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
class Privilege;
class TenantId;
@ -137,4 +138,4 @@ inline bool operator==(const Privilege& lhs, const Privilege& rhs) {
lhs.getActions() == rhs.getActions();
}
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -32,6 +32,7 @@
#include "mongo/base/string_data.h"
#include "mongo/bson/bsonelement.h"
#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -53,6 +53,8 @@
#pragma once
#include "mongo/util/modules.h"
#include <cstdint>
namespace mongo::auth {


@ -36,6 +36,7 @@
#include "mongo/db/namespace_string.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/modules.h"
#include <iosfwd>
#include <string>
@ -58,7 +59,7 @@ namespace mongo {
* part of the access control system. See buildResourceSearchList() in
* authorization_session.cpp for details.
*/
class ResourcePattern {
class MONGO_MOD_PUBLIC ResourcePattern {
friend class AuthorizationContract;
public:
@ -304,6 +305,6 @@ private:
NamespaceString _ns;
};
std::ostream& operator<<(std::ostream& os, const ResourcePattern& pattern);
MONGO_MOD_FILE_PRIVATE std::ostream& operator<<(std::ostream& os, const ResourcePattern& pattern);
} // namespace mongo
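Review bot: `operator<<` for `ResourcePattern` is declared in this header as `MONGO_MOD_FILE_PRIVATE` while the class itself is `MONGO_MOD_PUBLIC`. Going by the label's name, code in other files that streams a `ResourcePattern` into a log line or an error message would now be using a file-private declaration. If that restriction is intended, a comment such as `// File-private: callers outside this file should use <public formatting API> instead.` would say so; otherwise the operator probably wants the same visibility as the class.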


@ -33,6 +33,7 @@
#include "mongo/db/auth/resource_pattern.h"
#include "mongo/db/namespace_string.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/modules.h"
#include "mongo/util/namespace_string_util.h"
#include <array>


@ -35,6 +35,7 @@
#include "mongo/bson/util/builder.h"
#include "mongo/bson/util/builder_fwd.h"
#include "mongo/db/auth/restriction_environment.h"
#include "mongo/util/modules.h"
#include <sstream>
#include <string>


@ -31,6 +31,7 @@
#include "mongo/base/status.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/modules.h"
#include "mongo/util/net/sockaddr.h"
#include <memory>
@ -53,7 +54,7 @@ inline Status validateClientSourceAuthenticationRestrictionMode(StringData mode,
// It must be constructed and attached to a Client object while a server is accepting a connection.
// Clients created by internal server operations may not have a RestrictionEnvironment. Clients
// which attempt to perform authentication or authorization must have a RestrictionEnvironment.
class RestrictionEnvironment {
class MONGO_MOD_PUBLIC RestrictionEnvironment {
public:
RestrictionEnvironment() = default;
RestrictionEnvironment(SockAddr clientSource, SockAddr serverAddress)


@ -31,12 +31,13 @@
#include "mongo/base/status.h"
#include "mongo/db/auth/restriction.h"
#include "mongo/util/modules.h"
#include <string>
namespace mongo {
class RestrictionMock : public UnnamedRestriction {
class MONGO_MOD_FILE_PRIVATE RestrictionMock : public UnnamedRestriction {
public:
explicit RestrictionMock(bool shouldPass) : _shouldPass(shouldPass) {}


@ -30,6 +30,7 @@
#pragma once
#include "mongo/db/auth/restriction.h"
#include "mongo/util/modules.h"
#include <memory>
#include <vector>


@ -30,8 +30,9 @@
#pragma once
#include "mongo/db/auth/auth_name.h"
#include "mongo/util/modules.h"
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
/**
* Representation of a name of a role in a MongoDB system.
@ -75,4 +76,4 @@ Container roleNameIteratorToContainer(RoleNameIterator it) {
return container;
}
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -34,6 +34,7 @@
#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/db/auth/role_name.h"
#include "mongo/db/database_name.h"
#include "mongo/util/modules.h"
#include <string>
#include <type_traits>


@ -33,12 +33,13 @@
#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/db/auth/authentication_session.h"
#include "mongo/db/auth/sasl_commands_gen.h"
#include "mongo/util/modules.h"
namespace mongo {
class OperationContext;
namespace auth {
SaslReply runSaslStart(OperationContext* opCtx,
MONGO_MOD_PUBLIC SaslReply runSaslStart(OperationContext* opCtx,
AuthenticationSession* session,
const SaslStartCommand& request);
@ -48,7 +49,7 @@ SaslReply runSaslStart(OperationContext* opCtx,
/**
* Handle hello: { speculativeAuthenticate: {...} }
*/
void doSpeculativeSaslStart(OperationContext* opCtx,
MONGO_MOD_PUBLIC void doSpeculativeSaslStart(OperationContext* opCtx,
const BSONObj& sourceObj,
BSONObjBuilder* result);
} // namespace mongo


@ -32,6 +32,7 @@
#include "mongo/base/string_data.h"
#include "mongo/crypto/hash_block.h"
#include "mongo/db/auth/sasl_mechanism_registry.h"
#include "mongo/util/modules.h"
namespace mongo {


@ -45,6 +45,7 @@
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/modules.h"
#include "mongo/util/time_support.h"
#include <algorithm>
@ -362,7 +363,7 @@ public:
* mechanism from. Also capable of producing a list of mechanisms which would be valid for a
* particular user.
*/
class SASLServerMechanismRegistry {
class MONGO_MOD_PUBLIC SASLServerMechanismRegistry {
public:
static SASLServerMechanismRegistry& get(Service* service);
static void set(Service* service, std::unique_ptr<SASLServerMechanismRegistry> registry);


@ -31,12 +31,13 @@
#include "mongo/base/status.h"
#include "mongo/platform/atomic_word.h"
#include "mongo/util/modules.h"
#include <atomic>
#include <string>
#include <vector>
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
namespace optionenvironment {
class OptionSection;
@ -95,8 +96,8 @@ struct SASLGlobalParams {
Atomic<int> numTimesScramSHA256IterationCountSet;
};
Status addSASLOptions(moe::OptionSection* options);
MONGO_MOD_PRIVATE Status addSASLOptions(moe::OptionSection* options);
Status storeSASLOptions(const moe::Environment& params);
MONGO_MOD_PRIVATE Status storeSASLOptions(const moe::Environment& params);
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -27,6 +27,7 @@
#
global:
mod_visibility: public
cpp_namespace: "mongo"
cpp_includes:
- "mongo/db/auth/sasl_options.h"


@ -32,6 +32,7 @@
#include "mongo/base/string_data.h"
#include "mongo/bson/bsonelement.h"
#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/util/modules.h"
#include <string>
#include <utility>


@ -38,6 +38,7 @@
#include "mongo/db/auth/user.h"
#include "mongo/db/operation_context.h"
#include "mongo/db/service_context.h"
#include "mongo/util/modules.h"
#include <string>
#include <tuple>


@ -40,6 +40,7 @@
#include "mongo/db/auth/user.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/icu.h"
#include "mongo/util/modules.h"
#include <algorithm>
#include <cstring>


@ -31,6 +31,7 @@
#include "mongo/db/auth/sasl_mechanism_policies.h"
#include "mongo/db/auth/sasl_mechanism_registry.h"
#include "mongo/util/modules.h"
namespace mongo::auth {


@ -29,6 +29,8 @@
#pragma once
#include "mongo/util/modules.h"
#include <string>
#include <vector>
@ -45,7 +47,9 @@ class StatusWith;
* Whitespace within each key will be stripped from the final keys (e.g. "key 1" = "key1").
*
* This will return an error if the file was empty or contained invalid characters.
*
*
*/
StatusWith<std::vector<std::string>> readSecurityFile(const std::string& filename);
MONGO_MOD_PUBLIC StatusWith<std::vector<std::string>> readSecurityFile(const std::string& filename);
} // namespace mongo
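Review bot: The doc comment for `readSecurityFile` appears to gain two empty ` *` lines just before the closing `*/` in this hunk. They add nothing to the description of a function that is now a public API for reading key material and look like an editing leftover. I would remove them so the comment ends on `* This will return an error if the file was empty or contained invalid characters.`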


@ -30,6 +30,7 @@
#pragma once
#include "mongo/db/auth/cluster_auth_mode.h"
#include "mongo/util/modules.h"
#include <string>


@ -32,6 +32,7 @@
#include "mongo/db/auth/validated_tenancy_scope.h"
#include "mongo/db/client.h"
#include "mongo/db/operation_context.h"
#include "mongo/util/modules.h"
namespace mongo {
namespace auth {
@ -41,7 +42,7 @@ namespace auth {
* that user will be authenticated against the client until this guard dies.
* This is used in ServiceEntryPoint to scope authentication to a single operation.
*/
class SecurityTokenAuthenticationGuard {
class MONGO_MOD_PUBLIC SecurityTokenAuthenticationGuard {
public:
SecurityTokenAuthenticationGuard() = delete;
SecurityTokenAuthenticationGuard(OperationContext*, const ValidatedTenancyScope&);


@ -35,6 +35,7 @@
#include "mongo/db/auth/role_name.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/db/database_name.h"
#include "mongo/util/modules.h"
#include "mongo/util/serialization_context.h"
#include <string>
@ -58,7 +59,7 @@ namespace auth {
* Then use getElements(dbname) for isExact() form to get list of T names.
*/
template <typename T, bool enableForAllDBs>
class UMCInfoCommandArg {
class MONGO_MOD_PUBLIC UMCInfoCommandArg {
public:
UMCInfoCommandArg() : UMCInfoCommandArg(AllOnCurrentDB{}) {}
static_assert(std::is_same<UserName, T>::value || std::is_same<RoleName, T>::value,


@ -47,6 +47,7 @@
#include "mongo/stdx/unordered_set.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/base64.h"
#include "mongo/util/modules.h"
#include "mongo/util/read_through_cache.h"
#include <algorithm>
@ -62,7 +63,7 @@
#include <boost/optional/optional.hpp>
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
/**
* Represents the properties required to request a UserHandle.
@ -495,4 +496,4 @@ using UserCache = ReadThroughCache<UserRequest::UserRequestCacheKey,
SharedUserAcquisitionStats>;
using UserHandle = UserCache::ValueHandle;
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -36,11 +36,12 @@
#include "mongo/db/client.h"
#include "mongo/stdx/mutex.h"
#include "mongo/util/duration.h"
#include "mongo/util/modules.h"
#include "mongo/util/tick_source.h"
#include <memory>
namespace mongo {
namespace MONGO_MOD_PUBLIC mongo {
enum UserAcquisitionOpType { kCache, kBind, kSearch, kSuccessfulReferral, kFailedReferral };
/**
@ -286,4 +287,4 @@ private:
TickSource* _tickSource;
UserAcquisitionOpType _type;
};
} // namespace mongo
} // namespace MONGO_MOD_PUBLIC mongo


@ -34,6 +34,7 @@
#include "mongo/db/client.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/duration.h"
#include "mongo/util/modules.h"
#include "mongo/util/tick_source.h"
#include <cstdint>
@ -46,7 +47,7 @@ namespace mongo {
* Tracks and stores statistics related to user cache access on a per-operation
* basis. These statistics are tracked and reported from within CurOp.
*/
class UserCacheAccessStats {
class MONGO_MOD_PUBLIC UserCacheAccessStats {
using AccessInterval = std::pair<Microseconds, Microseconds>;
public:


@ -33,6 +33,7 @@
#include "mongo/bson/timestamp.h"
#include "mongo/db/service_context.h"
#include "mongo/util/duration.h"
#include "mongo/util/modules.h"
#include "mongo/util/periodic_runner.h"
#include <memory>
@ -49,7 +50,7 @@ class OperationContext;
* AuthorizationManager to throw out its in-memory cache of User objects (which contains the
* users' credentials, roles, privileges, etc).
*/
class UserCacheInvalidator {
class MONGO_MOD_PUBLIC UserCacheInvalidator {
public:
using OIDorTimestamp = std::variant<OID, Timestamp>;


@ -33,6 +33,7 @@
#include "mongo/bson/bsonobj.h"
#include "mongo/db/auth/user.h"
#include "mongo/db/tenant_id.h"
#include "mongo/util/modules.h"
#include <utility>


@ -37,6 +37,7 @@
#include "mongo/db/auth/role_name.h"
#include "mongo/db/auth/user.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/util/modules.h"
#include <string>
#include <vector>


@ -30,10 +30,11 @@
#pragma once
#include "mongo/db/auth/auth_name.h"
#include "mongo/util/modules.h"
namespace mongo {
class UserName : public AuthName<UserName> {
class MONGO_MOD_PUBLIC UserName : public AuthName<UserName> {
public:
static constexpr auto kName = "UserName"_sd;
static constexpr auto kFieldName = "user"_sd;


@ -32,6 +32,7 @@
#include "mongo/db/auth/user.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/util/modules.h"
#include "mongo/util/net/ssl_peer_info.h"
#include <boost/optional.hpp>