authorRobert Guo <robert.guo@10gen.com>2018-03-17 09:35:21 -0400
committerRobert Guo <robert.guo@10gen.com>2018-03-24 11:38:28 -0400
commitde0d0ebfd6365481f41bddda3ff33fd984d65dc6 (patch)
tree4c7b4f99bbd6f15f3df50f6b52166be151364610
parent28602b519c026df57bf9137d1fb795e6043de5ed (diff)
downloadmongo-de0d0ebfd6365481f41bddda3ff33fd984d65dc6.tar.gz
SERVER-33935 add clusterAuthMode option to TestData
(cherry picked from commit 290edd9cd2f6476f83605ee3189875d4592fc975)
-rw-r--r--jstests/ssl/shell_x509_system_user.js76
-rw-r--r--src/mongo/shell/utils.js4
-rw-r--r--src/mongo/shell/utils_auth.js31
3 files changed, 103 insertions, 8 deletions
diff --git a/jstests/ssl/shell_x509_system_user.js b/jstests/ssl/shell_x509_system_user.js
new file mode 100644
index 00000000000..713c0453990
--- /dev/null
+++ b/jstests/ssl/shell_x509_system_user.js
@@ -0,0 +1,76 @@
+// Check that the shell can authenticate as the __system user using X509, which is a use case for
+// our auth performance tests (through the dbhash hook).
+
+(function() {
+ 'use strict';
+
+ // The mongo shell cannot authenticate as the internal __system user in tests that use x509 for
+ // cluster authentication. Choosing the default value for wcMajorityJournalDefault in
+ // ReplSetTest cannot be done automatically without the shell performing such authentication, so
+ // in this test we must make the choice explicitly, based on the global test options.
+ let wcMajorityJournalDefault;
+ if (jsTestOptions().noJournal || jsTestOptions().storageEngine == "ephemeralForTest" ||
+ jsTestOptions().storageEngine == "inMemory") {
+ wcMajorityJournalDefault = false;
+ } else {
+ wcMajorityJournalDefault = true;
+ }
+
+ const x509Options = {
+ clusterAuthMode: 'x509',
+ sslMode: 'requireSSL',
+ sslPEMKeyFile: 'jstests/libs/server.pem',
+ sslCAFile: 'jstests/libs/ca.pem',
+ sslAllowInvalidCertificates: '',
+ };
+
+ const rst = new ReplSetTest({nodes: 1, nodeOptions: x509Options, waitForKeys: false});
+
+ rst.startSet();
+
+ // ReplSetTest.initiate() requires all nodes to be to be authorized to run replSetGetStatus.
+ // TODO(SERVER-14017): Remove this in favor of using initiate() everywhere.
+ rst.initiateWithAnyNodeAsPrimary(Object.extend(
+ rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: wcMajorityJournalDefault}));
+
+ const primaryConnString = rst.getPrimary().host;
+
+ const subShellCommands = function() {
+ TestData = {
+ authUser: 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=server',
+ authenticationDatabase: '$external',
+ keyFile: 'dummyKeyFile',
+ clusterAuthMode: 'x509',
+
+ };
+ // Explicitly check asCluster can succeed.
+ authutil.asCluster(db.getMongo(), 'dummyKeyFile', function() {
+ // No need to do anything here. We just need to check we don't error out in the
+ // previous auth step.
+ });
+
+ // Indirectly check that ReplSetTest can successfully call asCluster.
+ const rst = new ReplSetTest(db.getMongo().host);
+
+ // Directly check that the use case for our auth perf tests can succeed.
+ load("jstests/hooks/run_check_repl_dbhash.js");
+ };
+
+ const subShellArgs = [
+ 'mongo',
+ '--ssl',
+ '--sslCAFile=jstests/libs/ca.pem',
+ '--sslPEMKeyFile=jstests/libs/server.pem',
+ '--sslAllowInvalidHostnames',
+ '--authenticationDatabase=$external',
+ '--authenticationMechanism=MONGODB-X509',
+ primaryConnString,
+ '--eval',
+ `(${subShellCommands.toString()})();`
+ ];
+
+ const retVal = _runMongoProgram(...subShellArgs);
+ assert.eq(retVal, 0, 'mongo shell did not succeed with exit code 0');
+
+ rst.stopSet();
+})();
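Review bot: The `x509Options` object near the top of the file relaxes certificate validation (`sslAllowInvalidCertificates: ''`) and the sub-shell is launched with `--sslAllowInvalidHostnames`, yet nothing explains why a test whose purpose is to prove X509 cluster authentication works needs verification relaxed; a comment such as `// The fixture certificates under jstests/libs are presumably not issued for the test host, so hostname/certificate checks are relaxed; the client certificate is still required for MONGODB-X509 auth — confirm.` would keep these flags from being copied into other tests unthinkingly. The storage-engine check at the top of the IIFE uses `==` for string comparison where `===` matches the rest of the file. The blank line inside the `TestData` literal in `subShellCommands` looks accidental.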
diff --git a/src/mongo/shell/utils.js b/src/mongo/shell/utils.js
index 148eacc1c89..f8ed9b64ee3 100644
--- a/src/mongo/shell/utils.js
+++ b/src/mongo/shell/utils.js
@@ -220,11 +220,15 @@ jsTestOptions = function() {
noJournal: TestData.noJournal,
noJournalPrealloc: TestData.noJournalPrealloc,
auth: TestData.auth,
+ // Note: keyFile is also used as a flag to indicate cluster auth is turned on, set it
+ // to a truthy value if you'd like to do cluster auth, even if it's not keyFile auth.
+ // Use clusterAuthMode to specify the actual auth mode you want to use.
keyFile: TestData.keyFile,
authUser: TestData.authUser || "__system",
authPassword: TestData.keyFileData,
authenticationDatabase: TestData.authenticationDatabase || "admin",
authMechanism: TestData.authMechanism,
+ clusterAuthMode: TestData.clusterAuthMode || "keyFile",
adminUser: TestData.adminUser || "admin",
adminPassword: TestData.adminPassword || "password",
useLegacyConfigServers: TestData.useLegacyConfigServers || false,
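Review bot: The new `clusterAuthMode` option at the end of the hunk is defaulted with `||` and accepts any string, but the only values the shell acts on are `'keyFile'` and `'x509'` (any other value makes `authutil.asCluster` throw, per the utils_auth.js hunk in this commit); the comment above `keyFile` should state the accepted values, e.g. `// clusterAuthMode: 'keyFile' (default) or 'x509'; authutil.asCluster rejects anything else.`. Since the comment says `keyFile` doubles as the cluster-auth flag, it is worth repeating next to `clusterAuthMode` that setting it to `'x509'` without a truthy `keyFile` yields no cluster auth at all (inferred from that comment, not verified here). `jsTestOptions` starts before and ends after this hunk.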
diff --git a/src/mongo/shell/utils_auth.js b/src/mongo/shell/utils_auth.js
index b105164ea50..b0437f50bf3 100644
--- a/src/mongo/shell/utils_auth.js
+++ b/src/mongo/shell/utils_auth.js
@@ -13,7 +13,8 @@ var authutil;
conn = [conn];
}
for (i = 0; i < conn.length; ++i) {
- conn[i].getDB(dbname).logout();
+ var curDB = new DB(conn[i], dbname);
+ curDB.logout();
}
};
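Review bot: The `new DB(conn[i], dbname)` construction replaces `conn[i].getDB(dbname)` without the `// Bypass the implicit auth call in getDB();` comment that the two later hunks in this file carry; add the same comment here so the reason for avoiding `getDB()` is visible at all three sites. `curDB` is declared with `var` inside the loop body while the `asCluster` hunk below uses `const`; `const curDB = new DB(conn[i], dbname);` would match. The enclosing logout function starts before this hunk.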
@@ -31,7 +32,9 @@ var authutil;
try {
for (i = 0; i < conns.length; ++i) {
conn = conns[i];
- assert(conn.getDB(dbName).auth(authParams),
+ // Bypass the implicit auth call in getDB();
+ var db = new DB(conn, dbName);
+ assert(db.auth(authParams),
"Failed to authenticate " + conn + " to " + dbName + " using parameters " +
tojson(authParams));
}
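Review bot: `var db = new DB(conn, dbName);` is declared inside the loop body with `var`, which hoists it to function scope and shadows the shell's `db` global (used as such in the new test file) for the whole function; the same pattern appears in the next hunk (`@@ -55,7 +58,9`). The first hunk in this file names the equivalent local `curDB` and the `asCluster` hunk uses `const`, so `const curDB = new DB(conn, dbName);` followed by `assert(curDB.auth(authParams),` at both sites would be consistent and avoid the shadowing. The surrounding function starts before this hunk and continues after it.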
@@ -55,7 +58,9 @@ var authutil;
for (i = 0; i < conns.length; ++i) {
conn = conns[i];
- assert(!conn.getDB(dbName).auth(authParams),
+ // Bypass the implicit auth call in getDB();
+ var db = new DB(conn, dbName);
+ assert(!db.auth(authParams),
"Unexpectedly authenticated " + conn + " to " + dbName + " using parameters " +
tojson(authParams));
}
@@ -67,11 +72,21 @@ var authutil;
*/
authutil.asCluster = function(conn, keyfile, action) {
var ex;
- authutil.assertAuthenticate(conn, 'admin', {
- user: '__system',
- mechanism: 'SCRAM-SHA-1',
- pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
- });
+ const authMode = jsTest.options().clusterAuthMode;
+
+ if (authMode === 'keyFile') {
+ authutil.assertAuthenticate(conn, 'admin', {
+ user: '__system',
+ mechanism: 'SCRAM-SHA-1',
+ pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
+ });
+ } else if (authMode === 'x509') {
+ authutil.assertAuthenticate(conn, '$external', {
+ mechanism: 'MONGODB-X509',
+ });
+ } else {
+ throw new Error('clusterAuthMode ' + authMode + ' is currently unsupported');
+ }
try {
return action();