SERVER-23503 Expand localhost exception to include role creation

1 files changed, 24 insertions, 0 deletions

diff --git a/jstests/auth/localhostAuthBypass.js b/jstests/auth/localhostAuthBypass.js
index fdaf4386794..6cb315650ef 100644
--- a/jstests/auth/localhostAuthBypass.js
+++ b/jstests/auth/localhostAuthBypass.js
@@ -15,6 +15,12 @@ var createUser = function(mongo) {
     mongo.getDB("admin").createUser({user: username, pwd: password, roles: jsTest.adminUserRoles});
 };
 
+var createRole = function(mongo) {
+    print("============ adding a role.");
+    mongo.getDB("admin").createRole(
+        {role: "roleAdministrator", roles: [{role: "userAdmin", db: "admin"}], privileges: []});
+};
+
 var assertCannotRunCommands = function(mongo) {
     print("============ ensuring that commands cannot be run.");
 
@@ -171,7 +177,25 @@ var runNonlocalTest = function(host) {
     shutdown(conn);
 };
 
+// Per SERVER-23503, the existence of roles in the admin database should disable the localhost
+// exception.
+// Start the server without auth. Create a role. Restart the server with auth. The exception is
+// now enabled.
+var runRoleTest = function() {
+    var conn = MongoRunner.runMongod({dbpath: dbpath});
+    var mongo = new Mongo("localhost:" + conn.port);
+    assertCanRunCommands(mongo);
+    createRole(mongo);
+    assertCanRunCommands(mongo);
+    MongoRunner.stopMongod(conn);
+    conn = MongoRunner.runMongod({auth: '', dbpath: dbpath, restart: true, cleanData: false});
+    mongo = new Mongo("localhost:" + conn.port);
+    assertCannotRunCommands(mongo);
+};
+
 runTest(false);
 runTest(true);
 
 runNonlocalTest(get_ipaddr());
+
+runRoleTest();