author | Adam Rayner <adam.rayner@gmail.com> | 2021-11-29 17:52:30 +0000 |
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-11-29 18:49:38 +0000 |
commit | 7fa11ee0e0d8d283cc12bdebdd4940731d1536f1 (patch) | |
tree | 2c613de8ae377bd2e6a9c8b1b8652bb90481289b | |
parent | f64c8ccebbae5ce9071497fae7efeffe5b0c6169 (diff) | |
download | mongo-7fa11ee0e0d8d283cc12bdebdd4940731d1536f1.tar.gz |
SERVER-46399 remove fallback SCRAM-SHA-1 for internalSecurity.user
-rw-r--r-- | jstests/auth/auth-counters.js | 7 | ||||
-rw-r--r-- | jstests/auth/speculative-auth-replset.js | 23 | ||||
-rw-r--r-- | jstests/auth/system_user_exception.js | 6 | ||||
-rw-r--r-- | src/mongo/db/stats/counters.cpp | 5 | ||||
-rw-r--r-- | src/mongo/shell/utils_auth.js | 2 |
5 files changed, 26 insertions, 17 deletions
diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js index aa42042e0ef..b74fa531725 100644 --- a/jstests/auth/auth-counters.js +++ b/jstests/auth/auth-counters.js @@ -64,7 +64,7 @@ function assertFailure(creds, mech, db = test) { } function assertSuccessInternal() { - const mech = "SCRAM-SHA-1"; + const mech = "SCRAM-SHA-256"; // asCluster exiting cleanly indicates successful auth assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true); ++expected[mech].authenticate.received; @@ -75,8 +75,11 @@ function assertSuccessInternal() { assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin); } +// Because authutil.asCluster utilizes SCRAM-SHA-256 as a default keyfile mechanism, we will attempt +// to record this authentication with an invalid keyfile, and then verify that the # of +// successful attempts made using the fallback (SCRAM-SHA-256) has NOT been incremented function assertFailureInternal() { - const mech = "SCRAM-SHA-1"; + const mech = "SCRAM-SHA-256"; // If asCluster fails, it explodes. assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]); ++expected[mech].authenticate.received; diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js index 576f567cc62..c0b8ef6c19a 100644 --- a/jstests/auth/speculative-auth-replset.js +++ b/jstests/auth/speculative-auth-replset.js @@ -47,6 +47,7 @@ rst.awaitReplication(); const admin = rst.getPrimary().getDB('admin'); admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']}); admin.auth('admin', 'pwd'); + assert.commandWorked(admin.setLogLevel(3, 'accessControl')); function getMechStats(db) { 
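Review bot: `assertSuccessInternal` and `assertFailureInternal` now each hardcode `const mech = "SCRAM-SHA-256";`, a literal that must stay in lockstep with the mechanism `authutil.asCluster` sends; hoisting it to one file-level `const kInternalMech = "SCRAM-SHA-256";` used by both helpers would make the next change to the cluster mechanism a single edit and keep the two expectations from drifting apart. The three-line comment added above `assertFailureInternal` describes a check on the successful counter, but only `++expected[mech].authenticate.received;` is visible here and both function bodies continue past the hunk, so a shorter comment stating only what the reader can see, `// asCluster authenticates as __system with SCRAM-SHA-256; a bad keyfile must count as received, not successful`, would be easier to keep truthful.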
@@ -55,8 +56,13 @@ function getMechStats(db) { } // Capture statistics after a fresh instantiation of a 1-node replica set. +// initialMechStats contains stats state for the test setup (e.g. shell authentication) actions +// that will have incremented the internal counters but are not relevant to the functionality under +// test const initialMechStats = getMechStats(admin); + printjson(initialMechStats); + assert(initialMechStats['SCRAM-SHA-256'] !== undefined); // We've made no client connections for which speculation was possible, @@ -66,12 +72,6 @@ Object.keys(initialMechStats).forEach(function(mech) { const specStats = initialMechStats[mech].speculativeAuthenticate; const clusterStats = initialMechStats[mech].clusterAuthenticate; - if (mech === 'SCRAM-SHA-256') { - // It appears that replication helpers use SCRAM-SHA-1, preventing SCRAM-SHA-256 cluster - // stats from being incremented during test setup. - assert.eq(clusterStats.received, 0); - } - // No speculation has occured assert.eq(specStats.received, 0); 
@@ -110,10 +110,19 @@ Object.keys(initialMechStats).forEach(function(mech) { assert.gt(newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful, initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful); + // Speculative and cluster auth counts should align with the authentication events in the server + // log const logCounts = countAuthInLog(admin); + assert.eq(logCounts.speculative, newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful); - assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful); + + // Subtract the initial mech stats for cluster authentication that were incremented + // during test setup, so we can assert on only the "real" cluster authetnication count + assert.eq(logCounts.cluster, + newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful - + initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful); + assert.gt(logCounts.speculativeCluster, 0, "Expected to observe at least one speculative cluster authentication attempt"); diff --git a/jstests/auth/system_user_exception.js b/jstests/auth/system_user_exception.js index 67814119541..78dff98a8a9 100644 --- a/jstests/auth/system_user_exception.js +++ b/jstests/auth/system_user_exception.js 
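Review bot: The new `assert.eq(logCounts.cluster, newMechStats[...] - initialMechStats[...])` in the last hunk is only valid if every cluster authentication counted in `initialMechStats` is absent from the log, and the added comment says the stats were "incremented during test setup" without saying why that makes them invisible to `countAuthInLog`; presumably the setup authentications are the shell's synchronous `asCluster` calls, which finish before `setLogLevel(3, 'accessControl')` in the first hunk, but that is inferred rather than visible here. Spelling that out, e.g. `// Setup authenticated via the shell before the accessControl log level was raised, so those events are in the counters but not in the log and must be subtracted`, would save the next reader from suspecting a race. The speculative comparison on the preceding line has no such subtraction, which is consistent with the earlier `assert.eq(specStats.received, 0)` on the initial stats; a one-line comment noting that asymmetry is deliberate would help. The added comment also has a typo: `// during test setup, so we can assert on only the "real" cluster authentication count`.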
@@ -7,13 +7,13 @@ var m = MongoRunner.runMongod(
 {keyFile: "jstests/libs/key1", setParameter: "authenticationMechanisms=PLAIN"});
-// Verify that it's possible to use SCRAM-SHA-1 to authenticate as the __system@local user
+// Verify that it's possible to use SCRAM-SHA-256 to authenticate as the __system@local user
 assert.eq(1,
- m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"}));
+ m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-256"}));
 // Verify that it is not possible to authenticate other users
 m.getDB("test").runCommand({createUser: "guest", pwd: "guest", roles: jsTest.readOnlyUserRoles});
-assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-1"}));
+assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-256"}));
 MongoRunner.stopMongod(m);
 })();
diff --git a/src/mongo/db/stats/counters.cpp b/src/mongo/db/stats/counters.cpp
index d1a0640315a..79ab8fe1a1b 100644
--- a/src/mongo/db/stats/counters.cpp
+++ b/src/mongo/db/stats/counters.cpp
@@ -226,11 +226,8 @@ void AuthCounter::initializeMechanismMap(const std::vector<std::string>& mechani
 // Ensure it's always included in counts.
 addMechanism(auth::kMechanismMongoX509.toString());
- // SERVER-46399 Use only configured SASL mechanisms for intra-cluster auth.
- // It's possible for intracluster auth to use a default fallback mechanism of SCRAM-SHA-1/256
+ // It's possible for intracluster auth to use a default fallback mechanism of SCRAM-SHA-256
 // even if it's not configured to do so.
- // Explicitly add these to the map for now so that they can be incremented if this happens.
- addMechanism(auth::kMechanismScramSha1.toString());
 addMechanism(auth::kMechanismScramSha256.toString());
 }
diff --git a/src/mongo/shell/utils_auth.js b/src/mongo/shell/utils_auth.js
index 9ad340e950b..e1313bbad73 100644
--- a/src/mongo/shell/utils_auth.js
+++ b/src/mongo/shell/utils_auth.js
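Review bot: This file only flips the existing positive assertion to SCRAM-SHA-256 and never pins the negative side of the change, although it is the natural place for it: the mongod is started with `authenticationMechanisms=PLAIN`, so a companion `assert.eq(0, m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"}));` beside the `assert.eq(1, ...)` would fail if the SCRAM-SHA-1 fallback this commit removes were ever reintroduced, assuming the server-side removal has landed together with this test. The comment above the positive assertion could also say why `__system` still succeeds when its mechanism is not configured, e.g. `// __system may use SCRAM-SHA-256 even though only PLAIN is configured; no other user may`, which is exactly what the two assertions demonstrate.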
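Review bot: The rewritten comment in `initializeMechanismMap` drops the SERVER-46399 reference and no longer explains the asymmetry it leaves behind: X509 and SCRAM-SHA-256 are always registered, while SCRAM-SHA-1 is now presumably registered only when it appears in the `mechanisms` parameter (that loop is outside the hunk). A comment such as `// SERVER-46399: SCRAM-SHA-1 is no longer an intra-cluster fallback, so it is counted only when explicitly configured.` would record why the line was removed rather than leaving a reader to wonder whether it was an oversight. How an increment for a mechanism missing from the map behaves is not visible here; if it asserts rather than no-ops, an intra-cluster SCRAM-SHA-1 attempt from a peer that has not yet picked up this change is the case to confirm with a test, though that is inferred rather than shown by the hunk.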
@@ -114,7 +114,7 @@ authutil.asCluster = function(conn, keyfile, action) {
 authutil.assertAuthenticate(conn, 'admin', {
 user: '__system',
- mechanism: 'SCRAM-SHA-1',
+ mechanism: 'SCRAM-SHA-256', // SERVER-46399: only SCRAM-SHA-256 supported as fallback
 pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
 });
 } else if (authMode === 'x509' || authMode === 'sendX509') {
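Review bot: The trailing comment on the changed `mechanism:` line, "only SCRAM-SHA-256 supported as fallback", reads as if the shell falls back, but `authutil.asCluster` requests SCRAM-SHA-256 unconditionally; the fallback is the server accepting that mechanism for `__system` when `authenticationMechanisms` omits it. Rewording it to state what the shell relies on, `// SERVER-46399: servers accept SCRAM-SHA-256 for __system even when it is not a configured mechanism; SCRAM-SHA-1 is no longer accepted for this`, keeps the comment accurate if the helper is read in isolation. The enclosing `asCluster` function starts and ends outside the hunk.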