SERVER-29259: Ensure creation of authorization indexes

2 files changed, 68 insertions, 0 deletions

diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 7dfef950adf..5ac0a0c717f 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -3054,12 +3054,17 @@ var authCommandsLib = {
         {
           testname: "insert_system_users",
           command: {insert: "system.users", documents: [{data: 5}]},
+          setup: function(db) {
+              // Ensure unique indexes consistently cause insertion failure
+              db.system.users.insert({data: 5});
+          },
           testcases: [
               {
                 runOnDb: "admin",
                 roles: {"root": 1, "__system": 1, "restore": 1},
                 privileges:
                     [{resource: {db: "admin", collection: "system.users"}, actions: ["insert"]}],
+                expectFail: true,
               },
           ]
         },
diff --git a/jstests/auth/system_authorization_indexes.js b/jstests/auth/system_authorization_indexes.js
new file mode 100644
index 00000000000..75c7b098916
--- /dev/null
+++ b/jstests/auth/system_authorization_indexes.js
@@ -0,0 +1,63 @@
+/** Ensure that authorization system collections' indexes are correctly generated.
+ */
+
+(function() {
+    let conn = MongoRunner.runMongod({smallfiles: ""});
+    let db = conn.getDB("admin");
+
+    // TEST: User and role collections start off with no indexes
+    assert.eq(0, db.system.users.getIndexes().length);
+    assert.eq(0, db.system.roles.getIndexes().length);
+
+    // TEST: User and role creation generates indexes
+    db.createUser({user: "user", pwd: "pwd", roles: []});
+    assert.eq(2, db.system.users.getIndexes().length);
+
+    db.createRole({role: "role", privileges: [], roles: []});
+    assert.eq(2, db.system.roles.getIndexes().length);
+
+    // TEST: Destroying admin.system.users index and restarting will recreate it
+    assert.commandWorked(db.system.users.dropIndexes());
+    MongoRunner.stopMongod(conn);
+    conn = MongoRunner.runMongod({restart: conn, cleanData: false});
+    db = conn.getDB("admin");
+    assert.eq(2, db.system.users.getIndexes().length);
+    assert.eq(2, db.system.roles.getIndexes().length);
+
+    // TEST: Destroying admin.system.roles index and restarting will recreate it
+    assert.commandWorked(db.system.roles.dropIndexes());
+    MongoRunner.stopMongod(conn);
+    conn = MongoRunner.runMongod({restart: conn, cleanData: false});
+    db = conn.getDB("admin");
+    assert.eq(2, db.system.users.getIndexes().length);
+    assert.eq(2, db.system.roles.getIndexes().length);
+
+    // TEST: Destroying both authorization indexes and restarting will recreate them
+    assert.commandWorked(db.system.users.dropIndexes());
+    assert.commandWorked(db.system.roles.dropIndexes());
+    MongoRunner.stopMongod(conn);
+    conn = MongoRunner.runMongod({restart: conn, cleanData: false});
+    db = conn.getDB("admin");
+    assert.eq(2, db.system.users.getIndexes().length);
+    assert.eq(2, db.system.roles.getIndexes().length);
+
+    // TEST: Destroying the admin.system.users index and restarting will recreate it, even if
+    // admin.system.roles does not exist
+    db.dropDatabase();
+    db.createUser({user: "user", pwd: "pwd", roles: []});
+    assert.commandWorked(db.system.users.dropIndexes());
+    MongoRunner.stopMongod(conn);
+    conn = MongoRunner.runMongod({restart: conn, cleanData: false});
+    db = conn.getDB("admin");
+    assert.eq(2, db.system.users.getIndexes().length);
+
+    // TEST: Destroying the admin.system.roles index and restarting will recreate it, even if
+    // admin.system.users does not exist
+    db.dropDatabase();
+    db.createRole({role: "role", privileges: [], roles: []});
+    assert.commandWorked(db.system.roles.dropIndexes());
+    MongoRunner.stopMongod(conn);
+    conn = MongoRunner.runMongod({restart: conn, cleanData: false});
+    db = conn.getDB("admin");
+    assert.eq(2, db.system.roles.getIndexes().length);
+})();