[SERVER-37527] Broken logic in ServerMechanismBase class. Created: 09/Oct/18  Updated: 29/Oct/23  Resolved: 29/Nov/18

Status: Closed
Project: Core Server
Component/s: Internal Code, Security
Affects Version/s: 4.0.0, 4.0.3, 4.1.3
Fix Version/s: 4.0.5, 4.1.6

Type: Bug Priority: Major - P3
Reporter: Igor Solodovnikov Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Backports
Duplicate
is duplicated by SERVER-38403 Could not create audit log for invali... Closed
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.0
Sprint: Security 2018-11-05, Security 2018-11-19, Security 2018-12-03

 Description   

The ServerMechanismBase class has an isDone method. The comment in the source code of this method says:

    /**
     * Returns true if the conversation has completed.
     * Note that this does not mean authentication succeeded!
     * An error may have occurred.
     */

The problem is that if a SASL error occurs, isDone will never return true because of this code in ServerMechanismBase::step:

    auto result = stepImpl(opCtx, input);
    if (result.isOK()) {
        bool isDone;
        std::string responseMessage;
        std::tie(isDone, responseMessage) = result.getValue();
        _done = isDone;
        return responseMessage;
    }

As you can see, the _done variable is only assigned if the step's result is OK.

This bug affects AuthenticationSession's lifecycle management implemented in the CmdSaslStart::run and CmdSaslContinue::run methods. In case of an authentication error (for example, in case of a wrong password), those methods fail to destroy the current client's AuthenticationSession instance because mechanism.isDone() returns false.
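
The failure mode described above, reduced to a small model. This is an added example, not MongoDB source and not the committed fix; `ToyMechanism`, `ToyClient`, `runStep` and the `errorIsTerminal` switch are hypothetical names, and the "correct" input is a constructed stand-in for a successful SASL exchange.

```cpp
// Added illustration: a simplified model, not MongoDB source. All names are hypothetical.
#include <memory>
#include <string>

// Stand-in for the StatusWith result of stepImpl: ok == false models a SASL error.
struct StepResult {
    bool ok;
    bool done;
    std::string message;
};

class ToyMechanism {
public:
    // Mirrors the logic quoted in the report: _done is assigned only when the step is OK.
    bool step(const std::string& input, std::string* response) {
        StepResult result = stepImpl(input);
        if (result.ok) {
            _done = result.done;
            *response = result.message;
            return true;
        }
        return false;  // error path: _done keeps its old value (false)
    }
    bool isDone() const { return _done; }

private:
    // Constructed behaviour: only the input "correct" completes the conversation.
    StepResult stepImpl(const std::string& input) {
        if (input == "correct") return StepResult{true, true, "ok"};
        return StepResult{false, false, ""};
    }
    bool _done = false;
};

struct ToyClient {
    std::unique_ptr<ToyMechanism> session;  // models the client's AuthenticationSession
};

// Lifecycle as the report describes it: the session is destroyed only when isDone().
// With errorIsTerminal set, a failed step also ends the session (one possible hardening).
bool runStep(ToyClient& c, const std::string& input, bool errorIsTerminal) {
    if (!c.session) c.session.reset(new ToyMechanism());
    std::string response;
    bool ok = c.session->step(input, &response);
    if (c.session->isDone() || (errorIsTerminal && !ok)) c.session.reset();
    return ok;
}
```

With `errorIsTerminal` false, a failed step leaves the same session object attached to the client, and the next attempt reuses it; with it true, every failed attempt starts from a fresh session.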



 Comments   
Comment by Githook User [ 01/Dec/18 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-37527 Fix lifecycle management and clarify isDone->isSuccess

(cherry picked from commit 662bec7c902c7e2eacdbeed0c8fca59563d73155)
Branch: v4.0
https://github.com/mongodb/mongo/commit/cf528c5f67177e9e84fafa064217f5f4e4be8a21

Comment by Githook User [ 01/Dec/18 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-37527 Test that auth failures are sent to audit.log

(cherry picked from commit 145966a7ce2a677cd697f842ae7c471b301fdf8d)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/c93b8333b8220c6d4f169c4c80c1206b18ac1bf6

Comment by Githook User [ 29/Nov/18 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-37527 Fix lifecycle management and clarify isDone->isSuccess
Branch: master
https://github.com/mongodb/mongo/commit/662bec7c902c7e2eacdbeed0c8fca59563d73155
