author | Robert Guo <robert.guo@10gen.com> | 2018-03-17 09:35:21 -0400 |
---|---|---|
committer | Robert Guo <robert.guo@10gen.com> | 2018-03-24 11:38:28 -0400 |
commit | de0d0ebfd6365481f41bddda3ff33fd984d65dc6 (patch) | |
tree | 4c7b4f99bbd6f15f3df50f6b52166be151364610 | |
parent | 28602b519c026df57bf9137d1fb795e6043de5ed (diff) | |
download | mongo-de0d0ebfd6365481f41bddda3ff33fd984d65dc6.tar.gz |
SERVER-33935 add clusterAuthMode option to TestData
(cherry picked from commit 290edd9cd2f6476f83605ee3189875d4592fc975)
-rw-r--r-- | jstests/ssl/shell_x509_system_user.js | 76 | ||||
-rw-r--r-- | src/mongo/shell/utils.js | 4 | ||||
-rw-r--r-- | src/mongo/shell/utils_auth.js | 31 |
3 files changed, 103 insertions, 8 deletions
diff --git a/jstests/ssl/shell_x509_system_user.js b/jstests/ssl/shell_x509_system_user.js
new file mode 100644
index 00000000000..713c0453990
--- /dev/null
+++ b/jstests/ssl/shell_x509_system_user.js
@@ -0,0 +1,76 @@
+// Check that the shell can authenticate as the __system user using X509, which is a use case for
+// our auth performance tests (through the dbhash hook).
+
+(function() {
+ 'use strict';
+
+ // The mongo shell cannot authenticate as the internal __system user in tests that use x509 for
+ // cluster authentication. Choosing the default value for wcMajorityJournalDefault in
+ // ReplSetTest cannot be done automatically without the shell performing such authentication, so
+ // in this test we must make the choice explicitly, based on the global test options.
+ let wcMajorityJournalDefault;
+ if (jsTestOptions().noJournal || jsTestOptions().storageEngine == "ephemeralForTest" ||
+ jsTestOptions().storageEngine == "inMemory") {
+ wcMajorityJournalDefault = false;
+ } else {
+ wcMajorityJournalDefault = true;
+ }
+
+ const x509Options = {
+ clusterAuthMode: 'x509',
+ sslMode: 'requireSSL',
+ sslPEMKeyFile: 'jstests/libs/server.pem',
+ sslCAFile: 'jstests/libs/ca.pem',
+ sslAllowInvalidCertificates: '',
+ };
+
+ const rst = new ReplSetTest({nodes: 1, nodeOptions: x509Options, waitForKeys: false});
+
+ rst.startSet();
+
+ // ReplSetTest.initiate() requires all nodes to be to be authorized to run replSetGetStatus.
+ // TODO(SERVER-14017): Remove this in favor of using initiate() everywhere.
+ rst.initiateWithAnyNodeAsPrimary(Object.extend(
+ rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: wcMajorityJournalDefault}));
+
+ const primaryConnString = rst.getPrimary().host;
+
+ const subShellCommands = function() {
+ TestData = {
+ authUser: 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=server',
+ authenticationDatabase: '$external',
+ keyFile: 'dummyKeyFile',
+ clusterAuthMode: 'x509',
+
+ };
+ // Explicitly check asCluster can succeed.
+ authutil.asCluster(db.getMongo(), 'dummyKeyFile', function() {
+ // No need to do anything here. We just need to check we don't error out in the
+ // previous auth step.
+ });
+
+ // Indirectly check that ReplSetTest can successfully call asCluster.
+ const rst = new ReplSetTest(db.getMongo().host);
+
+ // Directly check that the use case for our auth perf tests can succeed.
+ load("jstests/hooks/run_check_repl_dbhash.js");
+ };
+
+ const subShellArgs = [
+ 'mongo',
+ '--ssl',
+ '--sslCAFile=jstests/libs/ca.pem',
+ '--sslPEMKeyFile=jstests/libs/server.pem',
+ '--sslAllowInvalidHostnames',
+ '--authenticationDatabase=$external',
+ '--authenticationMechanism=MONGODB-X509',
+ primaryConnString,
+ '--eval',
+ `(${subShellCommands.toString()})();`
+ ];
+
+ const retVal = _runMongoProgram(...subShellArgs);
+ assert.eq(retVal, 0, 'mongo shell did not succeed with exit code 0');
+
+ rst.stopSet();
+})();
diff --git a/src/mongo/shell/utils.js b/src/mongo/shell/utils.js
index 148eacc1c89..f8ed9b64ee3 100644
--- a/src/mongo/shell/utils.js
+++ b/src/mongo/shell/utils.js
@@ -220,11 +220,15 @@ jsTestOptions = function() {
 noJournal: TestData.noJournal,
 noJournalPrealloc: TestData.noJournalPrealloc,
 auth: TestData.auth,
+ // Note: keyFile is also used as a flag to indicate cluster auth is turned on, set it
+ // to a truthy value if you'd like to do cluster auth, even if it's not keyFile auth.
+ // Use clusterAuthMode to specify the actual auth mode you want to use.
 keyFile: TestData.keyFile,
 authUser: TestData.authUser || "__system",
 authPassword: TestData.keyFileData,
 authenticationDatabase: TestData.authenticationDatabase || "admin",
 authMechanism: TestData.authMechanism,
+ clusterAuthMode: TestData.clusterAuthMode || "keyFile",
 adminUser: TestData.adminUser || "admin",
 adminPassword: TestData.adminPassword || "password",
 useLegacyConfigServers: TestData.useLegacyConfigServers || false,
diff --git a/src/mongo/shell/utils_auth.js b/src/mongo/shell/utils_auth.js
index b105164ea50..b0437f50bf3 100644
--- a/src/mongo/shell/utils_auth.js
+++ b/src/mongo/shell/utils_auth.js
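Review bot: The storage-engine checks in the wcMajorityJournalDefault block use loose `==` while the asCluster change in utils_auth.js (same commit) compares with `===`; `jsTestOptions().storageEngine === "ephemeralForTest" ||` and `jsTestOptions().storageEngine === "inMemory") {` keep the new test strict and consistent with the rest of the change. The comment above initiateWithAnyNodeAsPrimary reads "to be to be". Inside subShellCommands, `const rst = new ReplSetTest(db.getMongo().host);` exists only for the side effect the comment describes and the binding is never read again, so either drop the `const rst =` or extend the comment to say the result is intentionally unused; the `TestData` literal in that function also carries an empty line before its closing `};`.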
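Review bot: The new `clusterAuthMode` entry documents neither its accepted values nor that the default "keyFile" preserves the previous asCluster behaviour, while the neighbouring keyFile line gets a three-line comment about being a flag. authutil.asCluster in utils_auth.js (same commit) accepts only 'keyFile' and 'x509' and throws for anything else, so a one-line comment on the new entry saves the reader a lookup: `// Mechanism authutil.asCluster() uses for cluster auth: "keyFile" (default) or "x509".`. The enclosing jsTestOptions function starts and ends outside the hunk.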
@@ -13,7 +13,8 @@ var authutil; conn = [conn]; } for (i = 0; i < conn.length; ++i) { - conn[i].getDB(dbname).logout(); + var curDB = new DB(conn[i], dbname); + curDB.logout(); } }; @@ -31,7 +32,9 @@ var authutil; try { for (i = 0; i < conns.length; ++i) { conn = conns[i]; - assert(conn.getDB(dbName).auth(authParams), + // Bypass the implicit auth call in getDB(); + var db = new DB(conn, dbName); + assert(db.auth(authParams), "Failed to authenticate " + conn + " to " + dbName + " using parameters " + tojson(authParams)); } @@ -55,7 +58,9 @@ var authutil; for (i = 0; i < conns.length; ++i) { conn = conns[i]; - assert(!conn.getDB(dbName).auth(authParams), + // Bypass the implicit auth call in getDB(); + var db = new DB(conn, dbName); + assert(!db.auth(authParams), "Unexpectedly authenticated " + conn + " to " + dbName + " using parameters " + tojson(authParams)); } @@ -67,11 +72,21 @@ var authutil; */ authutil.asCluster = function(conn, keyfile, action) { var ex; - authutil.assertAuthenticate(conn, 'admin', { - user: '__system', - mechanism: 'SCRAM-SHA-1', - pwd: cat(keyfile).replace(/[\011-\015\040]/g, '') - }); + const authMode = jsTest.options().clusterAuthMode; + + if (authMode === 'keyFile') { + authutil.assertAuthenticate(conn, 'admin', { + user: '__system', + mechanism: 'SCRAM-SHA-1', + pwd: cat(keyfile).replace(/[\011-\015\040]/g, '') + }); + } else if (authMode === 'x509') { + authutil.assertAuthenticate(conn, '$external', { + mechanism: 'MONGODB-X509', + }); + } else { + throw new Error('clusterAuthMode ' + authMode + ' is currently unsupported'); + } try { return action(); |
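Review bot: In the hunk at @@ -31 the new local is declared `var db = new DB(conn, dbName);` inside the loop, which shadows the shell's global `db` name within that function and differs from the `curDB` name the logout hunk at @@ -13 uses for the very same construct; the hunk at @@ -55 has the same pattern. `var curDB = new DB(conn, dbName);` followed by `assert(curDB.auth(authParams),` (and `assert(!curDB.auth(authParams),` at @@ -55) keeps all three sites consistent, and the added comment `// Bypass the implicit auth call in getDB();` ends with a stray semicolon. The enclosing functions of these hunks start outside the shown lines.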
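Review bot: In the new x509 branch of authutil.asCluster the `keyfile` parameter is never read, yet it stays positional, which is why the new shell_x509_system_user.js test has to pass the placeholder 'dummyKeyFile'; the function's doc comment (it begins before the hunk, only its closing `*/` is visible) should state that keyfile is consulted only when jsTest.options().clusterAuthMode is 'keyFile' and is ignored for 'x509'. The x509 branch presumably authenticates with whatever client certificate the shell was started with, which is worth a one-line comment at the `'$external'` call so a reader does not look for a credential argument. The unsupported-mode error would also be more actionable if it listed the accepted values, e.g. `throw new Error('clusterAuthMode ' + authMode + ' is currently unsupported; expected keyFile or x509');`.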