Revert "SERVER-46399 remove fallback SCRAM-SHA-1 for internalSecurity.user

3 files changed, 12 insertions, 24 deletions

diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js
index b74fa531725..aa42042e0ef 100644
--- a/jstests/auth/auth-counters.js
+++ b/jstests/auth/auth-counters.js
@@ -64,7 +64,7 @@ function assertFailure(creds, mech, db = test) {
 }
 
 function assertSuccessInternal() {
-    const mech = "SCRAM-SHA-256";
+    const mech = "SCRAM-SHA-1";
     // asCluster exiting cleanly indicates successful auth
     assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true);
     ++expected[mech].authenticate.received;
@@ -75,11 +75,8 @@ function assertSuccessInternal() {
     assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin);
 }
 
-// Because authutil.asCluster utilizes SCRAM-SHA-256 as a default keyfile mechanism, we will attempt
-// to record this authentication with an invalid keyfile, and then verify that the # of
-// successful attempts made using the fallback (SCRAM-SHA-256) has NOT been incremented
 function assertFailureInternal() {
-    const mech = "SCRAM-SHA-256";
+    const mech = "SCRAM-SHA-1";
     // If asCluster fails, it explodes.
     assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]);
     ++expected[mech].authenticate.received;
diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js
index c0b8ef6c19a..576f567cc62 100644
--- a/jstests/auth/speculative-auth-replset.js
+++ b/jstests/auth/speculative-auth-replset.js
@@ -47,7 +47,6 @@ rst.awaitReplication();
 const admin = rst.getPrimary().getDB('admin');
 admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
 admin.auth('admin', 'pwd');
-
 assert.commandWorked(admin.setLogLevel(3, 'accessControl'));
 
 function getMechStats(db) {
@@ -56,13 +55,8 @@ function getMechStats(db) {
 }
 
 // Capture statistics after a fresh instantiation of a 1-node replica set.
-// initialMechStats contains stats state for the test setup (e.g. shell authentication) actions
-// that will have incremented the internal counters but are not relevant to the functionality under
-// test
 const initialMechStats = getMechStats(admin);
-
 printjson(initialMechStats);
-
 assert(initialMechStats['SCRAM-SHA-256'] !== undefined);
 
 // We've made no client connections for which speculation was possible,
@@ -72,6 +66,12 @@ Object.keys(initialMechStats).forEach(function(mech) {
     const specStats = initialMechStats[mech].speculativeAuthenticate;
     const clusterStats = initialMechStats[mech].clusterAuthenticate;
 
+    if (mech === 'SCRAM-SHA-256') {
+        // It appears that replication helpers use SCRAM-SHA-1, preventing SCRAM-SHA-256 cluster
+        // stats from being incremented during test setup.
+        assert.eq(clusterStats.received, 0);
+    }
+
     // No speculation has occured
     assert.eq(specStats.received, 0);
 
@@ -110,19 +110,10 @@ Object.keys(initialMechStats).forEach(function(mech) {
     assert.gt(newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful,
               initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
 
-    // Speculative and cluster auth counts should align with the authentication events in the server
-    // log
     const logCounts = countAuthInLog(admin);
-
     assert.eq(logCounts.speculative,
               newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful);
-
-    // Subtract the initial mech stats for cluster authentication that were incremented
-    // during test setup, so we can assert on only the "real" cluster authetnication count
-    assert.eq(logCounts.cluster,
-              newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful -
-                  initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
-
+    assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
     assert.gt(logCounts.speculativeCluster,
               0,
               "Expected to observe at least one speculative cluster authentication attempt");
diff --git a/jstests/auth/system_user_exception.js b/jstests/auth/system_user_exception.js
index 78dff98a8a9..67814119541 100644
--- a/jstests/auth/system_user_exception.js
+++ b/jstests/auth/system_user_exception.js
@@ -7,13 +7,13 @@
 var m = MongoRunner.runMongod(
     {keyFile: "jstests/libs/key1", setParameter: "authenticationMechanisms=PLAIN"});
 
-// Verify that it's possible to use SCRAM-SHA-256 to authenticate as the __system@local user
+// Verify that it's possible to use SCRAM-SHA-1 to authenticate as the __system@local user
 assert.eq(1,
-          m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-256"}));
+          m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"}));
 
 // Verify that it is not possible to authenticate other users
 m.getDB("test").runCommand({createUser: "guest", pwd: "guest", roles: jsTest.readOnlyUserRoles});
-assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-256"}));
+assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-1"}));
 
 MongoRunner.stopMongod(m);
 })();