Revert "SERVER-97912: Replace MaybeImpersonatedUserMetadata decoration with AuditUserAttrs (#30344)" (#30798)

GitOrigin-RevId: c7f83ade7f3746c4092a2e024d546e77922adfa3

.github/CODEOWNERS

@@ -1863,10 +1863,6 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 # The following patterns are parsed from ./src/mongo/rpc/OWNERS.yml
 /src/mongo/rpc/**/* @10gen/server-networking-and-observability @svc-auto-approve-bot
 
-# The following patterns are parsed from ./src/mongo/rpc/metadata/OWNERS.yml
-/src/mongo/rpc/metadata/**/audit_user_attrs.h @10gen/server-security @svc-auto-approve-bot
-/src/mongo/rpc/metadata/**/impersonated_user_metadata.* @10gen/server-security @svc-auto-approve-bot
-
 # The following patterns are parsed from ./src/mongo/s/OWNERS.yml
 /src/mongo/s/**/*analyze_shard_key* @10gen/server-cluster-scalability @svc-auto-approve-bot
 /src/mongo/s/**/*move*collection* @10gen/server-cluster-scalability @svc-auto-approve-bot

BUILD.bazel

@@ -2806,6 +2806,11 @@ mongo_unittest_install(
     srcs = ["//src/mongo/db/modules/enterprise/src/audit:audit_test"],
 )
 
+mongo_unittest_install(
+    name = "audit_test-audit_client_attrs_test",
+    srcs = ["//src/mongo/db/modules/enterprise/src/audit:audit_test"],
+)
+
 mongo_unittest_install(
     name = "audit_test-audit_enc_comp_manager_test",
     srcs = ["//src/mongo/db/modules/enterprise/src/audit:audit_test"],
@@ -8525,8 +8530,3 @@ mongo_unittest_install(
     name = "db_query_test-gen_filter_test",
     srcs = ["//src/mongo/db/query:db_query_test"],
 )
-
-mongo_unittest_install(
-    name = "audit_test-audit_client_observer_test",
-    srcs = ["//src/mongo/db/modules/enterprise/src/audit:audit_test"],
-)

src/mongo/db/auth/impersonation_session.h

@@ -50,6 +50,7 @@ public:
     }
 
 private:
+    rpc::MaybeImpersonatedUserMetadata _oldImpersonationData;
     OperationContext* _opCtx;
     bool _active{false};
 };

src/mongo/rpc/BUILD.bazel

@@ -144,7 +144,6 @@ mongo_cc_library(
         "//src/mongo/rpc/metadata:impersonated_user_metadata.cpp",
     ],
     hdrs = [
-        "//src/mongo/rpc/metadata:audit_user_attrs.h",
         "//src/mongo/rpc/metadata:impersonated_user_metadata.h",
     ],
     deps = [
@@ -245,8 +244,10 @@ mongo_cc_unit_test(
         ":rewrite_state_change_errors",
         ":rpc",
         "//src/mongo/client:clientdriver_minimal",
+        "//src/mongo/db:server_base",
         "//src/mongo/db:service_context_non_d",
         "//src/mongo/db:service_context_test_fixture",
+        "//src/mongo/db/auth",
         "//src/mongo/db/auth:authmocks",
         "//src/mongo/idl:server_parameter_test_util",
         "//src/third_party/wiredtiger:wiredtiger_checksum",

src/mongo/rpc/metadata/OWNERS.yml

@@ -1,8 +0,0 @@
-version: 1.0.0
-filters:
-  - "audit_user_attrs.h":
-    approvers:
-      - 10gen/server-security
-  - "impersonated_user_metadata.*":
-    approvers:
-      - 10gen/server-security

src/mongo/rpc/metadata/audit_user_attrs.h

@@ -1,58 +0,0 @@
-/**
- *    Copyright (C) 2024-present MongoDB, Inc.
- *
- *    This program is free software: you can redistribute it and/or modify
- *    it under the terms of the Server Side Public License, version 1,
- *    as published by MongoDB, Inc.
- *
- *    This program is distributed in the hope that it will be useful,
- *    but WITHOUT ANY WARRANTY; without even the implied warranty of
- *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *    Server Side Public License for more details.
- *
- *    You should have received a copy of the Server Side Public License
- *    along with this program. If not, see
- *    <http://www.mongodb.com/licensing/server-side-public-license>.
- *
- *    As a special exception, the copyright holders give permission to link the
- *    code of portions of this program with the OpenSSL library under certain
- *    conditions as described in each individual source file and distribute
- *    linked combinations including the program with the OpenSSL library. You
- *    must comply with the Server Side Public License in all respects for
- *    all of the code used other than as permitted herein. If you modify file(s)
- *    with this exception, you may extend this exception to your version of the
- *    file(s), but you are not obligated to do so. If you do not wish to do so,
- *    delete this exception statement from your version. If you delete this
- *    exception statement from all source files in the program, then also delete
- *    it in the license file.
- */
-
-#pragma once
-
-#include <boost/optional.hpp>
-#include <vector>
-
-#include "mongo/db/auth/role_name.h"
-#include "mongo/db/auth/user_name.h"
-#include "mongo/db/operation_context.h"
-
-namespace mongo::rpc {
-
-/**
- * An OperationContext decoration that contains username and roles data for the currently
- * authenticated user or currently impersonated user. This is used to audit correct user
- * information for an operation.
- */
-class AuditUserAttrs {
-public:
-    AuditUserAttrs(boost::optional<UserName> userName, std::vector<RoleName> roleNames)
-        : userName(std::move(userName)), roleNames(std::move(roleNames)){};
-
-    static AuditUserAttrs* get(OperationContext* opCtx);
-    static void set(OperationContext* opCtx, std::unique_ptr<AuditUserAttrs> auditUserAttrs);
-
-    boost::optional<UserName> userName;
-    std::vector<RoleName> roleNames;
-};
-
-}  // namespace mongo::rpc

src/mongo/rpc/metadata/impersonated_user_metadata.cpp

@@ -41,10 +41,12 @@
 #include "mongo/bson/bsontypes.h"
 #include "mongo/db/auth/auth_name.h"
 #include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/role_name.h"
+#include "mongo/db/auth/user_name.h"
 #include "mongo/db/generic_argument_util.h"
 #include "mongo/idl/idl_parser.h"
-#include "mongo/rpc/metadata/audit_user_attrs.h"
 #include "mongo/rpc/metadata/impersonated_user_metadata.h"
+#include "mongo/rpc/metadata/impersonated_user_metadata_gen.h"
 #include "mongo/util/assert_util.h"
 #include "mongo/util/decorable.h"
 #include "mongo/util/synchronized_value.h"
@@ -52,51 +54,30 @@
 namespace mongo {
 namespace rpc {
 namespace {
-const auto auditUserAttrsDecoration =
-    OperationContext::declareDecoration<std::unique_ptr<AuditUserAttrs>>();
+
+static const auto getForOpCtx =
+    OperationContext::declareDecoration<synchronized_value<MaybeImpersonatedUserMetadata>>();
 }  // namespace
 
-AuditUserAttrs* AuditUserAttrs::get(OperationContext* opCtx) {
-    return auditUserAttrsDecoration(opCtx).get();
-}
-
-void AuditUserAttrs::set(OperationContext* opCtx, std::unique_ptr<AuditUserAttrs> auditUserAttrs) {
-    auditUserAttrsDecoration(opCtx) = std::move(auditUserAttrs);
-}
-
-boost::optional<ImpersonatedUserMetadata> getImpersonatedUserMetadata(OperationContext* opCtx) {
-    if (!opCtx) {
-        return boost::none;
-    }
-    auto* auditUserAttrs = AuditUserAttrs::get(opCtx);
-    if (!auditUserAttrs) {
-        return boost::none;
-    }
-    auto userName = auditUserAttrs->userName;
-    auto roleNames = auditUserAttrs->roleNames;
-    if (!userName && roleNames.empty()) {
-        return boost::none;
-    }
-    ImpersonatedUserMetadata metadata;
-    if (userName) {
-        metadata.setUser(userName.value());
-    }
-    metadata.setRoles(std::move(roleNames));
-    return metadata;
+MaybeImpersonatedUserMetadata getImpersonatedUserMetadata(OperationContext* opCtx) {
+    return opCtx ? getForOpCtx(opCtx).get() : boost::none;
 }
 
 void setImpersonatedUserMetadata(OperationContext* opCtx,
                                  const boost::optional<ImpersonatedUserMetadata>& data) {
-    if (!data) {
-        // Reset username / rolenames to boost::none / empty vector if data is absent.
-        AuditUserAttrs::set(opCtx,
-                            std::make_unique<AuditUserAttrs>(boost::none, std::vector<RoleName>()));
-        return;
+    // Always reset the current impersonation data to boost::none.
+    boost::optional<ImpersonatedUserMetadata> newData;
+    if (data) {
+        auto newImpersonatedUser = data->getUser();
+
+        // Set the impersonation data only if there are actually impersonated
+        // users/roles.
+        if (newImpersonatedUser.has_value() || !data->getRoles().empty()) {
+            newData = data;
+        }
     }
-    auto userName = data->getUser();
-    auto roleNames = data->getRoles();
-    AuditUserAttrs::set(
-        opCtx, std::make_unique<AuditUserAttrs>(std::move(userName), std::move(roleNames)));
+
+    *getForOpCtx(opCtx) = std::move(newData);
 }
 
 boost::optional<ImpersonatedUserMetadata> getAuthDataToImpersonatedUserMetadata(

src/mongo/rpc/metadata/impersonated_user_metadata.h

@@ -30,12 +30,14 @@
 #pragma once
 
 #include <boost/move/utility_core.hpp>
+#include <boost/optional.hpp>
 #include <boost/optional/optional.hpp>
 #include <cstddef>
 
 #include "mongo/base/string_data.h"
 #include "mongo/bson/bsonelement.h"
 #include "mongo/bson/bsonobjbuilder.h"
+#include "mongo/db/operation_context.h"
 #include "mongo/rpc/metadata/impersonated_user_metadata_gen.h"
 
 namespace mongo {
@@ -53,11 +55,16 @@ namespace rpc {
  */
 static constexpr auto kImpersonationMetadataSectionName = "$audit"_sd;
 
+/*
+ * A type that maybe contains parsed ImpersonationUserMetadata
+ */
+using MaybeImpersonatedUserMetadata = boost::optional<ImpersonatedUserMetadata>;
+
 /*
  * Gets the current impersonation data from the OpCtx (assumes readImpersonatedUserMetadata
  * has already been called)
  */
-boost::optional<ImpersonatedUserMetadata> getImpersonatedUserMetadata(OperationContext* opCtx);
+MaybeImpersonatedUserMetadata getImpersonatedUserMetadata(OperationContext* opCtx);
 
 /*
  * Sets the provided impersonated user metadata on the opCtx only if there are actually impersonated