diff options
author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2019-01-29 17:55:46 -0500 |
---|---|---|
committer | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2019-02-04 14:33:43 -0500 |
commit | 1b1cf52e94c49ca4c6d8ba693e949c2b655e74b5 (patch) | |
tree | 4b1207bf363fa5ebde769e30030b3a8452bee360 /jstests/auth | |
parent | f06d8bc5b4c1e7b167a93d57930ad919ec4760b9 (diff) | |
download | mongo-1b1cf52e94c49ca4c6d8ba693e949c2b655e74b5.tar.gz |
SERVER-39056 Further refine readWriteAnyDatabase
Diffstat (limited to 'jstests/auth')
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 18 | ||||
-rw-r--r-- | jstests/auth/renameRestrictedCollections.js | 109 | ||||
-rw-r--r-- | jstests/auth/renameSystemCollections.js | 78 |
3 files changed, 127 insertions, 78 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js index c991c5c63e0..6899d0646aa 100644 --- a/jstests/auth/lib/commands_lib.js +++ b/jstests/auth/lib/commands_lib.js @@ -3826,6 +3826,24 @@ var authCommandsLib = { ] }, { + testname: "dbstats_on_local", + command: {dbStats: 1}, + skipSharded: true, + testcases: [ + { + runOnDb: "local", + roles: { + "readLocal": 1, + "readWriteLocal": 1, + "clusterAdmin": 1, + "clusterMonitor": 1, + "root": 1, + "__system": 1, + }, + }, + ] + }, + { testname: "find_config_changelog", command: {find: "changelog"}, testcases: [ diff --git a/jstests/auth/renameRestrictedCollections.js b/jstests/auth/renameRestrictedCollections.js new file mode 100644 index 00000000000..1105da4eb3d --- /dev/null +++ b/jstests/auth/renameRestrictedCollections.js @@ -0,0 +1,109 @@ +(function() { + 'use strict'; + + // SERVER-8623: Test that renameCollection can't be used to bypass auth checks on system + // namespaces + const conn = MongoRunner.runMongod({auth: ""}); + + const adminDB = conn.getDB("admin"); + const configDB = conn.getDB("config"); + const localDB = conn.getDB("local"); + const CodeUnauthorized = 13; + + const backdoorUserDoc = {user: 'backdoor', db: 'admin', pwd: 'hashed', roles: ['root']}; + + adminDB.createUser({user: 'userAdmin', pwd: 'password', roles: ['userAdminAnyDatabase']}); + + adminDB.auth('userAdmin', 'password'); + adminDB.createUser({user: 'readWriteAdmin', pwd: 'password', roles: ['readWriteAnyDatabase']}); + adminDB.createUser({ + user: 'readWriteAndUserAdmin', + pwd: 'password', + roles: ['readWriteAnyDatabase', 'userAdminAnyDatabase'] + }); + adminDB.createUser({user: 'root', pwd: 'password', roles: ['root']}); + adminDB.createUser({user: 'rootier', pwd: 'password', roles: ['__system']}); + adminDB.logout(); + + jsTestLog("Test that a readWrite user can't rename system.profile to something they can read"); + adminDB.auth('readWriteAdmin', 'password'); + var res = adminDB.system.profile.renameCollection("profile"); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + + jsTestLog("Test that a readWrite user can't rename system.users to something they can read"); + res = adminDB.system.users.renameCollection("users"); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + assert.eq(0, adminDB.users.count()); + + jsTestLog("Test that a readWrite user can't use renameCollection to override system.users"); + adminDB.users.insert(backdoorUserDoc); + res = adminDB.users.renameCollection("system.users", true); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + adminDB.users.drop(); + + jsTestLog("Test that a userAdmin can't rename system.users without readWrite"); + adminDB.logout(); + adminDB.auth('userAdmin', 'password'); + res = adminDB.system.users.renameCollection("users"); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + assert.eq(5, adminDB.system.users.count()); + + adminDB.auth('readWriteAndUserAdmin', 'password'); + assert.eq(0, adminDB.users.count()); + + jsTestLog("Test that even with userAdmin AND dbAdmin you CANNOT rename to/from system.users"); + res = adminDB.system.users.renameCollection("users"); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + assert.eq(5, adminDB.system.users.count()); + + adminDB.users.drop(); + adminDB.users.insert(backdoorUserDoc); + res = adminDB.users.renameCollection("system.users"); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + + assert.eq(null, adminDB.system.users.findOne({user: backdoorUserDoc.user})); + assert.neq(null, adminDB.system.users.findOne({user: 'userAdmin'})); + + adminDB.auth('rootier', 'password'); + + jsTestLog("Test that with __system you CAN rename to/from system.users"); + res = adminDB.system.users.renameCollection("users", true); + assert.eq(1, res.ok, tojson(res)); + + // Test permissions against the configDB and localDB + + // Start with test against inserting to and renaming collections in config and local + // as userAdminAnyDatabase. + assert.writeOK(configDB.test.insert({'a': 1})); + assert.commandWorked(configDB.test.renameCollection('test2')); + + assert.writeOK(localDB.test.insert({'a': 1})); + assert.commandWorked(localDB.test.renameCollection('test2')); + adminDB.logout(); + + // Test renaming collection in config with readWriteAnyDatabase + assert(adminDB.auth('readWriteAdmin', 'password')); + res = configDB.test2.insert({'b': 2}); + assert.writeError(res, 13, "not authorized on config to execute command"); + res = configDB.test2.renameCollection('test'); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + + // Test renaming collection in local with readWriteAnyDatabase + res = localDB.test2.insert({'b': 2}); + assert.writeError(res, 13, "not authorized on config to execute command"); + res = localDB.test2.renameCollection('test'); + assert.eq(0, res.ok); + assert.eq(CodeUnauthorized, res.code); + + // At this point, all the user documents are gone, so further activity may be unauthorized, + // depending on cluster configuration. So, this is the end of the test. + MongoRunner.stopMongod(conn, {user: 'userAdmin', pwd: 'password'}); + +})();
\ No newline at end of file diff --git a/jstests/auth/renameSystemCollections.js b/jstests/auth/renameSystemCollections.js deleted file mode 100644 index 212287becb7..00000000000 --- a/jstests/auth/renameSystemCollections.js +++ /dev/null @@ -1,78 +0,0 @@ -// SERVER-8623: Test that renameCollection can't be used to bypass auth checks on system namespaces -var conn = MongoRunner.runMongod({auth: ""}); - -var adminDB = conn.getDB("admin"); -var testDB = conn.getDB("testdb"); -var testDB2 = conn.getDB("testdb2"); - -var CodeUnauthorized = 13; - -var backdoorUserDoc = {user: 'backdoor', db: 'admin', pwd: 'hashed', roles: ['root']}; - -adminDB.createUser({user: 'userAdmin', pwd: 'password', roles: ['userAdminAnyDatabase']}); - -adminDB.auth('userAdmin', 'password'); -adminDB.createUser({user: 'readWriteAdmin', pwd: 'password', roles: ['readWriteAnyDatabase']}); -adminDB.createUser({ - user: 'readWriteAndUserAdmin', - pwd: 'password', - roles: ['readWriteAnyDatabase', 'userAdminAnyDatabase'] -}); -adminDB.createUser({user: 'root', pwd: 'password', roles: ['root']}); -adminDB.createUser({user: 'rootier', pwd: 'password', roles: ['__system']}); -adminDB.logout(); - -jsTestLog("Test that a readWrite user can't rename system.profile to something they can read"); -adminDB.auth('readWriteAdmin', 'password'); -res = adminDB.system.profile.renameCollection("profile"); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); - -jsTestLog("Test that a readWrite user can't rename system.users to something they can read"); -var res = adminDB.system.users.renameCollection("users"); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); -assert.eq(0, adminDB.users.count()); - -jsTestLog("Test that a readWrite user can't use renameCollection to override system.users"); -adminDB.users.insert(backdoorUserDoc); -res = adminDB.users.renameCollection("system.users", true); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); -adminDB.users.drop(); - -jsTestLog("Test that a userAdmin can't rename system.users without readWrite"); -adminDB.logout(); -adminDB.auth('userAdmin', 'password'); -var res = adminDB.system.users.renameCollection("users"); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); -assert.eq(5, adminDB.system.users.count()); - -adminDB.auth('readWriteAndUserAdmin', 'password'); -assert.eq(0, adminDB.users.count()); - -jsTestLog("Test that even with userAdmin AND dbAdmin you CANNOT rename to/from system.users"); -var res = adminDB.system.users.renameCollection("users"); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); -assert.eq(5, adminDB.system.users.count()); - -adminDB.users.drop(); -adminDB.users.insert(backdoorUserDoc); -var res = adminDB.users.renameCollection("system.users"); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); - -assert.eq(null, adminDB.system.users.findOne({user: backdoorUserDoc.user})); -assert.neq(null, adminDB.system.users.findOne({user: 'userAdmin'})); - -adminDB.auth('rootier', 'password'); - -jsTestLog("Test that with __system you CAN rename to/from system.users"); -var res = adminDB.system.users.renameCollection("users", true); -assert.eq(1, res.ok, tojson(res)); - -// At this point, all the user documents are gone, so further activity may be unauthorized, -// depending on cluster configuration. So, this is the end of the test. -MongoRunner.stopMongod(conn, {user: 'userAdmin', pwd: 'password'});
\ No newline at end of file |