authorAndy Schwerin <schwerin@10gen.com>2013-06-20 17:42:05 -0400
committerAndy Schwerin <schwerin@10gen.com>2013-06-21 10:50:49 -0400
commit6ad56b63d33987ed153ba757e9f8169ef670f58e (patch)
tree1f3982acca6b0c9e32a39d863778b47a1afcf17f
parent23344f8b7506df694f66999693ee3c00dfd6afae (diff)
downloadmongo-6ad56b63d33987ed153ba757e9f8169ef670f58e.tar.gz
SERVER-9983 Test verifying that internal user privileges do not mask those of similarly named users.
-rw-r--r--jstests/auth/system_user_privileges.js101
1 files changed, 101 insertions, 0 deletions
diff --git a/jstests/auth/system_user_privileges.js b/jstests/auth/system_user_privileges.js
new file mode 100644
index 00000000000..6d397e70999
--- /dev/null
+++ b/jstests/auth/system_user_privileges.js
@@ -0,0 +1,101 @@
+/*
+ * Regression test for SECURITY-27.
+ *
+ * Verifies that creating a user named "__system" in any database does not get internal system
+ * privileges.
+ *
+ * Operates by creating an "admin" user for set-up, then creating __system users in the "test",
+ * "admin" and "local" databases. Then, it verifies that the __system@local user is shadowed for
+ * password and privilege purposes by the keyfile. It then procedes to verify that the
+ * __system@test and __system@admin users are _not_ shadowed in any way by the keyfile user.
+ */
+
+(function() {
+
+ "use strict";
+
+ // Runs the "count" command on a database in a way that returns the result document, for easier
+ // inspection of the errmsg.
+ function runCountCommand(conn, dbName, collectionName) {
+ return conn.getDB(dbName).runCommand({ count: collectionName });
+ }
+
+ // Asserts that on the given "conn", "dbName"."collectionName".count() fails as unauthorized.
+ function assertCountUnauthorized(conn, dbName, collectionName) {
+ assert.eq(runCountCommand(conn, dbName, collectionName).errmsg,
+ "unauthorized",
+ "On " + dbName + "." + collectionName);
+ }
+
+ var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" });
+
+ var admin = conn.getDB('admin');
+ var test = conn.getDB('test');
+ var local = conn.getDB('local');
+
+ //
+ // Preliminary set up.
+ //
+ admin.addUser('admin', 'a');
+ admin.auth('admin', 'a');
+
+ //
+ // Add users named "__system" with no privileges on "test", "admin" and "local". The one in
+ // "local" is shadowed by the keyfile.
+ //
+
+ test.addUser({user: '__system', pwd: 'a', roles: []});
+ admin.addUser({user: '__system', pwd: 'a', roles: []});
+ local.addUser({user: '__system', pwd: 'a', roles: []});
+
+ //
+ // Add some data to count.
+ //
+
+ admin.foo.insert({_id: 1});
+ test.foo.insert({_id: 2});
+ local.foo.insert({_id: 3});
+
+
+ admin.logout();
+ assertCountUnauthorized(conn, "admin", "foo");
+ assertCountUnauthorized(conn, "local", "foo");
+ assertCountUnauthorized(conn, "test", "foo");
+
+ //
+ // Validate that you cannot even log in as __system@local with the supplied password; you _must_
+ // use the password from the keyfile.
+ //
+ assert(!local.auth('__system', 'a'))
+ assertCountUnauthorized(conn, "admin", "foo");
+ assertCountUnauthorized(conn, "local", "foo");
+ assertCountUnauthorized(conn, "test", "foo");
+
+ //
+ // Validate that __system@test is not shadowed by the keyfile __system user.
+ //
+ test.auth('__system', 'a');
+ assertCountUnauthorized(conn, "admin", "foo");
+ assertCountUnauthorized(conn, "local", "foo");
+ assertCountUnauthorized(conn, "test", "foo");
+
+ test.logout();
+ assertCountUnauthorized(conn, "admin", "foo");
+ assertCountUnauthorized(conn, "local", "foo");
+ assertCountUnauthorized(conn, "test", "foo");
+
+ //
+ // Validate that __system@test is not shadowed by the keyfile __system user.
+ //
+ admin.auth('__system', 'a');
+ assertCountUnauthorized(conn, "admin", "foo");
+ assertCountUnauthorized(conn, "local", "foo");
+ assertCountUnauthorized(conn, "test", "foo");
+
+ admin.logout();
+ assertCountUnauthorized(conn, "admin", "foo");
+ assertCountUnauthorized(conn, "local", "foo");
+ assertCountUnauthorized(conn, "test", "foo");
+
+})();
+
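Review bot: The two positive logins, `test.auth('__system', 'a');` and `admin.auth('__system', 'a');`, discard their return value, so if either login fails the connection simply stays unauthenticated and the assertCountUnauthorized calls that follow pass without ever exercising a logged-in `__system` user. The `local` case already relies on the return value (`assert(!local.auth('__system', 'a'))`), so both logins can be asserted the same way: `assert(test.auth('__system', 'a'));` and `assert(admin.auth('__system', 'a'));`. The comment above the admin block repeats "__system@test" and should read `// Validate that __system@admin is not shadowed by the keyfile __system user.`, and the `assert(!local.auth(...))` line is missing its semicolon. The comments describe shadowing by a keyfile, but the only options visible in the `runMongod` call are `smallfiles` and `auth`, so it is worth confirming that the keyfile user is actually in play for this run.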