author | Adam Rayner <adam.rayner@gmail.com> | 2021-11-30 15:23:34 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-11-30 15:59:51 +0000 |
commit | 1f2653f7d2b6d82af56f70e63c79a7cc3ba91d6e (patch) | |
tree | bc40ce202887b1481493046d59ebd92fe529e4ab /jstests/auth | |
parent | 6d8e3308707eab46ebe98d3510e33ba44aa497e2 (diff) | |
download | mongo-1f2653f7d2b6d82af56f70e63c79a7cc3ba91d6e.tar.gz |
Revert "SERVER-46399 remove fallback SCRAM-SHA-1 for internalSecurity.user
Diffstat (limited to 'jstests/auth')
-rw-r--r-- | jstests/auth/auth-counters.js | 7 | ||||
-rw-r--r-- | jstests/auth/speculative-auth-replset.js | 23 | ||||
-rw-r--r-- | jstests/auth/system_user_exception.js | 6 |
3 files changed, 12 insertions, 24 deletions
diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js index b74fa531725..aa42042e0ef 100644 --- a/jstests/auth/auth-counters.js +++ b/jstests/auth/auth-counters.js @@ -64,7 +64,7 @@ function assertFailure(creds, mech, db = test) { } function assertSuccessInternal() { - const mech = "SCRAM-SHA-256"; + const mech = "SCRAM-SHA-1"; // asCluster exiting cleanly indicates successful auth assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true); ++expected[mech].authenticate.received; @@ -75,11 +75,8 @@ function assertSuccessInternal() { assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin); } -// Because authutil.asCluster utilizes SCRAM-SHA-256 as a default keyfile mechanism, we will attempt -// to record this authentication with an invalid keyfile, and then verify that the # of -// successful attempts made using the fallback (SCRAM-SHA-256) has NOT been incremented function assertFailureInternal() { - const mech = "SCRAM-SHA-256"; + const mech = "SCRAM-SHA-1"; // If asCluster fails, it explodes. assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]); ++expected[mech].authenticate.received; diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js index c0b8ef6c19a..576f567cc62 100644 --- a/jstests/auth/speculative-auth-replset.js +++ b/jstests/auth/speculative-auth-replset.js @@ -47,7 +47,6 @@ rst.awaitReplication(); const admin = rst.getPrimary().getDB('admin'); admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']}); admin.auth('admin', 'pwd'); - assert.commandWorked(admin.setLogLevel(3, 'accessControl')); function getMechStats(db) { 
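Review bot: `assertSuccessInternal` and, in the following hunk, `assertFailureInternal` each hard-code `const mech = "SCRAM-SHA-1";`, and that second hunk deletes the only comment naming the mechanism `authutil.asCluster` uses without leaving a replacement. A reader can no longer tell from the test why keyfile authentication is tallied under SCRAM-SHA-1 while the admin login in the same file is tallied under SCRAM-SHA-256. I would declare the value once, `const kInternalMech = "SCRAM-SHA-1";`, with a comment such as `// authutil.asCluster authenticates with the keyfile over SCRAM-SHA-1, so internal attempts are counted under that mechanism` (wording to be confirmed against authutil, which is not part of this diff). Both function bodies continue outside their hunks.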
@@ -56,13 +55,8 @@ function getMechStats(db) { } // Capture statistics after a fresh instantiation of a 1-node replica set. -// initialMechStats contains stats state for the test setup (e.g. shell authentication) actions -// that will have incremented the internal counters but are not relevant to the functionality under -// test const initialMechStats = getMechStats(admin); - printjson(initialMechStats); - assert(initialMechStats['SCRAM-SHA-256'] !== undefined); // We've made no client connections for which speculation was possible, @@ -72,6 +66,12 @@ Object.keys(initialMechStats).forEach(function(mech) { const specStats = initialMechStats[mech].speculativeAuthenticate; const clusterStats = initialMechStats[mech].clusterAuthenticate; + if (mech === 'SCRAM-SHA-256') { + // It appears that replication helpers use SCRAM-SHA-1, preventing SCRAM-SHA-256 cluster + // stats from being incremented during test setup. + assert.eq(clusterStats.received, 0); + } + // No speculation has occured assert.eq(specStats.received, 0); 
@@ -110,19 +110,10 @@ Object.keys(initialMechStats).forEach(function(mech) { assert.gt(newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful, initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful); - // Speculative and cluster auth counts should align with the authentication events in the server - // log const logCounts = countAuthInLog(admin); - assert.eq(logCounts.speculative, newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful); - - // Subtract the initial mech stats for cluster authentication that were incremented - // during test setup, so we can assert on only the "real" cluster authetnication count - assert.eq(logCounts.cluster, - newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful - - initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful); - + assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful); assert.gt(logCounts.speculativeCluster, 0, "Expected to observe at least one speculative cluster authentication attempt"); diff --git a/jstests/auth/system_user_exception.js b/jstests/auth/system_user_exception.js index 78dff98a8a9..67814119541 100644 --- a/jstests/auth/system_user_exception.js +++ b/jstests/auth/system_user_exception.js 
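Review bot: The rewritten check `assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);` compares the log count with the absolute counter, so it holds only while the SCRAM-SHA-256 cluster baseline is zero at setup. That precondition is asserted far above, in the `Object.keys(initialMechStats)` loop, and only for `clusterStats.received`; nothing next to this line says so. I would state the dependency where it is used, for example `assert.eq(initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful, 0, "cluster baseline must be zero for the log comparison");` immediately before the comparison. Otherwise a later change to which mechanism the setup helpers use would surface as a confusing count mismatch rather than a clear precondition failure. The enclosing block starts and ends outside the hunk.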
@@ -7,13 +7,13 @@ var m = MongoRunner.runMongod( {keyFile: "jstests/libs/key1", setParameter: "authenticationMechanisms=PLAIN"}); -// Verify that it's possible to use SCRAM-SHA-256 to authenticate as the __system@local user +// Verify that it's possible to use SCRAM-SHA-1 to authenticate as the __system@local user assert.eq(1, - m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-256"})); + m.getDB("local").auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"})); // Verify that it is not possible to authenticate other users m.getDB("test").runCommand({createUser: "guest", pwd: "guest", roles: jsTest.readOnlyUserRoles}); -assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-256"})); +assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-1"})); MongoRunner.stopMongod(m); })(); |
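Review bot: Both `auth` assertions now exercise only SCRAM-SHA-1 while the server is started with `authenticationMechanisms=PLAIN`, so the test no longer pins how narrow the `__system@local` exception is. It shows that `__system` is accepted over a mechanism outside the configured list and that `guest` is rejected over that same mechanism, but the guest rejection over SCRAM-SHA-256 that the reverted version checked is gone. I would keep that as a second negative check, `assert.eq(0, m.getDB("test").auth({user: "guest", pwd: "guest", mechanism: "SCRAM-SHA-256"}));`, and extend the first comment to `// __system@local may use SCRAM-SHA-1 even though it is not listed in authenticationMechanisms; no other user may`. The enclosing function starts above the hunk.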