authorAdam Rayner <adam.rayner@gmail.com>2021-11-29 17:52:30 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-11-29 18:49:38 +0000
commit7fa11ee0e0d8d283cc12bdebdd4940731d1536f1 (patch)
tree2c613de8ae377bd2e6a9c8b1b8652bb90481289b
parentf64c8ccebbae5ce9071497fae7efeffe5b0c6169 (diff)
downloadmongo-7fa11ee0e0d8d283cc12bdebdd4940731d1536f1.tar.gz
SERVER-46399 remove fallback SCRAM-SHA-1 for internalSecurity.user
-rw-r--r--jstests/auth/auth-counters.js7
-rw-r--r--jstests/auth/speculative-auth-replset.js23
-rw-r--r--jstests/auth/system_user_exception.js6
-rw-r--r--src/mongo/db/stats/counters.cpp5
-rw-r--r--src/mongo/shell/utils_auth.js2
5 files changed, 26 insertions, 17 deletions
diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js
index aa42042e0ef..b74fa531725 100644
--- a/jstests/auth/auth-counters.js
+++ b/jstests/auth/auth-counters.js
@@ -64,7 +64,7 @@ function assertFailure(creds, mech, db = test) {
}
function assertSuccessInternal() {
- const mech = "SCRAM-SHA-1";
+ const mech = "SCRAM-SHA-256";
// asCluster exiting cleanly indicates successful auth
assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true);
++expected[mech].authenticate.received;
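Review bot: The mechanism literal `"SCRAM-SHA-256"` is now hard-coded separately in assertSuccessInternal here and again in assertFailureInternal in the next hunk, and both must stay in step with the mechanism authutil.asCluster requests in src/mongo/shell/utils_auth.js. A single file-level constant, e.g. `const kClusterMech = "SCRAM-SHA-256";`, used by both functions would keep the three places from drifting if the cluster mechanism changes again. The body of assertSuccessInternal continues past the end of the hunk.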
@@ -75,8 +75,11 @@ function assertSuccessInternal() {
assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin);
}
+// Because authutil.asCluster utilizes SCRAM-SHA-256 as a default keyfile mechanism, we will attempt
+// to record this authentication with an invalid keyfile, and then verify that the # of
+// successful attempts made using the fallback (SCRAM-SHA-256) has NOT been incremented
function assertFailureInternal() {
- const mech = "SCRAM-SHA-1";
+ const mech = "SCRAM-SHA-256";
// If asCluster fails, it explodes.
assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]);
++expected[mech].authenticate.received;
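Review bot: The new comment above assertFailureInternal still calls SCRAM-SHA-256 "the fallback", but after this commit it is the only mechanism asCluster requests for keyfile auth, and "# of" reads oddly in prose. Suggest rewording it to `// authutil.asCluster authenticates with SCRAM-SHA-256, so attempt that authentication with an` / `// invalid keyfile and verify that the count of successful SCRAM-SHA-256 attempts has NOT been` / `// incremented.` The function body continues outside the hunk, so the assertion on the successful counter that the comment describes is not visible here.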
diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js
index 576f567cc62..c0b8ef6c19a 100644
--- a/jstests/auth/speculative-auth-replset.js
+++ b/jstests/auth/speculative-auth-replset.js
@@ -47,6 +47,7 @@ rst.awaitReplication();
const admin = rst.getPrimary().getDB('admin');
admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
admin.auth('admin', 'pwd');
+
assert.commandWorked(admin.setLogLevel(3, 'accessControl'));
function getMechStats(db) {
@@ -55,8 +56,13 @@ function getMechStats(db) {
}
// Capture statistics after a fresh instantiation of a 1-node replica set.
+// initialMechStats contains stats state for the test setup (e.g. shell authentication) actions
+// that will have incremented the internal counters but are not relevant to the functionality under
+// test
const initialMechStats = getMechStats(admin);
+
printjson(initialMechStats);
+
assert(initialMechStats['SCRAM-SHA-256'] !== undefined);
// We've made no client connections for which speculation was possible,
@@ -66,12 +72,6 @@ Object.keys(initialMechStats).forEach(function(mech) {
const specStats = initialMechStats[mech].speculativeAuthenticate;
const clusterStats = initialMechStats[mech].clusterAuthenticate;
- if (mech === 'SCRAM-SHA-256') {
- // It appears that replication helpers use SCRAM-SHA-1, preventing SCRAM-SHA-256 cluster
- // stats from being incremented during test setup.
- assert.eq(clusterStats.received, 0);
- }
-
// No speculation has occured
assert.eq(specStats.received, 0);
@@ -110,10 +110,19 @@ Object.keys(initialMechStats).forEach(function(mech) {
assert.gt(newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful,
initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
+ // Speculative and cluster auth counts should align with the authentication events in the server
+ // log
const logCounts = countAuthInLog(admin);
+
assert.eq(logCounts.speculative,
newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful);
- assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
+
+ // Subtract the initial mech stats for cluster authentication that were incremented
+ // during test setup, so we can assert on only the "real" cluster authetnication count
+ assert.eq(logCounts.cluster,
+ newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful -
+ initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
+
assert.gt(logCounts.speculativeCluster,
0,
"Expected to observe at least one speculative cluster authentication attempt");
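Review bot: The added comment on the cluster-count assertion has a typo, "authetnication"; it should read `// during test setup, so we can assert on only the "real" cluster authentication count`. The subtraction also assumes no cluster authentication is written to the server log between `admin.setLogLevel(3, 'accessControl')` and the `getMechStats(admin)` call that captures initialMechStats; a replication heartbeat authenticating in that window would appear in the log but be subtracted from the counter, which could make this assertion flaky. Worth confirming how countAuthInLog scopes its count, since it is defined outside this hunk.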
diff --git a/jstests/auth/system_user_exception.js b/jstests/auth/system_user_exception.js
index 67814119541..78dff98a8a9 100644
--- a/jstests/auth/system_user_exception.js
+++ b/jstests/auth/system_user_exception.js
@@ -7,13 +7,13 @@
var m = MongoRunner.runMongod(
{keyFile: "jstests/libs/key1", setParameter: "authenticationMechanisms=PLAIN"});
-// Verify that it's possible to use SCRAM-SHA-1 to authenticate as the __system@local user
+// Verify that it's possible to use SCRAM-SHA-256 to authenticate as the __system@local user
assert.eq(1,
- m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"}));
+ m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-256"}));
// Verify that it is not possible to authenticate other users
m.getDB("test").runCommand({createUser: "guest", pwd: "guest", roles: jsTest.readOnlyUserRoles});
-assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-1"}));
+assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-256"}));
MongoRunner.stopMongod(m);
})();
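Review bot: The test now only shows that SCRAM-SHA-256 works for __system; nothing asserts that the SCRAM-SHA-1 path this commit removes is actually gone. If the server side of SERVER-46399 rejects SCRAM-SHA-1 for the internal user, a negative check next to the existing one, `assert.eq(0, m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"}));`, would catch a regression that reintroduces the fallback. The enclosing IIFE starts before the hunk.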
diff --git a/src/mongo/db/stats/counters.cpp b/src/mongo/db/stats/counters.cpp
index d1a0640315a..79ab8fe1a1b 100644
--- a/src/mongo/db/stats/counters.cpp
+++ b/src/mongo/db/stats/counters.cpp
@@ -226,11 +226,8 @@ void AuthCounter::initializeMechanismMap(const std::vector<std::string>& mechani
// Ensure it's always included in counts.
addMechanism(auth::kMechanismMongoX509.toString());
- // SERVER-46399 Use only configured SASL mechanisms for intra-cluster auth.
- // It's possible for intracluster auth to use a default fallback mechanism of SCRAM-SHA-1/256
+ // It's possible for intracluster auth to use a default fallback mechanism of SCRAM-SHA-256
// even if it's not configured to do so.
- // Explicitly add these to the map for now so that they can be incremented if this happens.
- addMechanism(auth::kMechanismScramSha1.toString());
addMechanism(auth::kMechanismScramSha256.toString());
}
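Review bot: Dropping the SERVER-46399 reference from the comment leaves no pointer to why SCRAM-SHA-256 is force-added even when it is not a configured mechanism; `// SERVER-46399: intra-cluster auth may fall back to SCRAM-SHA-256 even when it is not configured,` followed by `// so add it explicitly so the counter exists if that happens.` would keep the rationale with the code. Removing the SCRAM-SHA-1 entry also means a node that still negotiates SCRAM-SHA-1 for intra-cluster auth would have no counter to increment; presumably the counter lookup tolerates an unknown mechanism, but that code is outside this hunk. initializeMechanismMap starts before the hunk.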
diff --git a/src/mongo/shell/utils_auth.js b/src/mongo/shell/utils_auth.js
index 9ad340e950b..e1313bbad73 100644
--- a/src/mongo/shell/utils_auth.js
+++ b/src/mongo/shell/utils_auth.js
@@ -114,7 +114,7 @@ authutil.asCluster = function(conn, keyfile, action) {
authutil.assertAuthenticate(conn, 'admin', {
user: '__system',
- mechanism: 'SCRAM-SHA-1',
+ mechanism: 'SCRAM-SHA-256', // SERVER-46399: only SCRAM-SHA-256 supported as fallback
pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
});
} else if (authMode === 'x509' || authMode === 'sendX509') {
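Review bot: The trailing comment on the mechanism property describes SCRAM-SHA-256 as a "fallback", but this call requests it explicitly, so the note reads more accurately as `mechanism: 'SCRAM-SHA-256',  // SERVER-46399: server no longer falls back to SCRAM-SHA-1 for __system`. The enclosing asCluster function starts before the hunk.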