author | Shane Harvey <shane.harvey@mongodb.com> | 2016-03-30 13:37:17 -0400 |
---|---|---|
committer | Shane Harvey <shane.harvey@mongodb.com> | 2016-04-13 14:01:18 -0400 |
commit | 0b490582031c2be63239ac0885801739946a2a78 (patch) | |
tree | 6533f2eb1b3b988dc1136be20a3744421ec2038b /jstests/core/connection_status.js | |
parent | 1fcf28a69c1d365806c56a9225c2acbe804680e0 (diff) | |
download | mongo-0b490582031c2be63239ac0885801739946a2a78.tar.gz |
SERVER-23184 Reduce listCollections privileges
Diffstat (limited to 'jstests/core/connection_status.js')
-rw-r--r-- | jstests/core/connection_status.js | 123 |
1 files changed, 70 insertions, 53 deletions
diff --git a/jstests/core/connection_status.js b/jstests/core/connection_status.js
index 29b8999ccc8..2ecfb211b6d 100644
--- a/jstests/core/connection_status.js
+++ b/jstests/core/connection_status.js
@@ -1,67 +1,84 @@ // Tests the connectionStatus command +(function() { + var dbName = 'connection_status'; + var myDB = db.getSiblingDB(dbName); + myDB.dropAllUsers(); -var dbName = 'connection_status'; -var myDB = db.getSiblingDB(dbName); -myDB.dropAllUsers(); - -function test(userName) { - myDB.createUser({user: userName, pwd: "weak password", roles: [{db: "admin", role: "root"}]}); - myDB.auth(userName, "weak password"); - - var output = myDB.runCommand("connectionStatus"); - assert.commandWorked(output); - - // Test that authenticated users are properly returned. - var users = output.authInfo.authenticatedUsers; - - var matches = 0; - for (var i = 0; i < users.length; i++) { - if (users[i].db != dbName) - continue; - - assert.eq(users[i].user, userName); - matches++; - } - assert.eq(matches, 1); + function test(userName) { + myDB.createUser( + {user: userName, pwd: "weak password", roles: [{db: "admin", role: "root"}]}); + myDB.auth(userName, "weak password"); - // Test that authenticated roles are properly returned. - var roles = output.authInfo.authenticatedUserRoles; + var output = myDB.runCommand("connectionStatus"); + assert.commandWorked(output); - matches = 0; - for (var i = 0; i < roles.length; i++) { - if (roles[i].db != "admin") - continue; + // Test that authenticated users are properly returned. + var users = output.authInfo.authenticatedUsers; - assert.eq(roles[i].role, "root"); - matches++; - } - assert(matches >= 1); + var matches = 0; + for (var i = 0; i < users.length; i++) { + if (users[i].db != dbName) + continue; - // Test roles/ privileges for a non-root user. 
- myDB.createUser({user: "foo", pwd: "weak password", roles: [{db: "foo", role: "read"}]}); - myDB.logout(); - myDB.auth("foo", "weak password"); + assert.eq(users[i].user, userName); + matches++; + } + assert.eq(matches, 1); - output = myDB.runCommand({"connectionStatus": 1, "showPrivileges": 1}); - assert.commandWorked(output); + // Test that authenticated roles are properly returned. + var roles = output.authInfo.authenticatedUserRoles; - var privileges = output.authInfo.authenticatedUserPrivileges; + matches = 0; + for (var i = 0; i < roles.length; i++) { + if (roles[i].db != "admin") + continue; - matches = 0; - for (var i = 0; i < privileges.length; i++) { - if (privileges[i].resource.anyResource) { + assert.eq(roles[i].role, "root"); matches++; } - } - assert(matches >= 1); + assert(matches >= 1); + + // Test roles/ privileges for a non-root user. + myDB.createUser({user: "foo", pwd: "weak password", roles: [{db: "foo", role: "read"}]}); + myDB.logout(); + myDB.auth("foo", "weak password"); + + output = myDB.runCommand({"connectionStatus": 1, "showPrivileges": 1}); + assert.commandWorked(output); + + var users = output.authInfo.authenticatedUsers; + var authedAsSystem = false; + for (var i = 0; i < users.length; i++) { + var authed = users[i]; + if (authed.user === "__system" && authed.db === "local") { + authedAsSystem = true; + } + } - myDB.logout(); + var privileges = output.authInfo.authenticatedUserPrivileges; + + for (var i = 0; i < privileges.length; i++) { + if (privileges[i].resource.anyResource) { + if (authedAsSystem) { + assert.eq(["anyAction"], + privileges[i].actions, + "__system user should only have anyResource/anyAction privilege:" + + tojson(output)); + } else { + assert(false, + "read role should not have anyResource privileges:" + tojson(output)); + } + } + } - // Clean up. - myDB.auth(userName, "weak password"); - myDB.dropAllUsers(); - myDB.logout(); -} + myDB.logout(); + + // Clean up. 
+ myDB.auth(userName, "weak password"); + myDB.dropAllUsers(); + myDB.logout(); + } -test("someone"); -test("someone else"); + test("someone"); + test("someone else"); +})(); |
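Review bot: The non-root check in the second half of the hunk is negative-only, so it passes vacuously if `myDB.auth("foo", "weak password")` fails or `authenticatedUserPrivileges` comes back empty; the return value of `auth()` is never asserted here (nor for the root user earlier in `test`). I would guard the login, `assert(myDB.auth("foo", "weak password"), "auth as foo failed: " + dbName);`, and add one positive assertion that the read role's privileges are actually listed, e.g. `assert(authedAsSystem || privileges.some(function(p) { return p.resource.db === "foo" && p.actions.indexOf("find") >= 0; }), "expected read privileges on foo: " + tojson(output));` — the exact resource shape the read role reports should be confirmed against the command output before relying on `resource.db`. As a minor point, `var users` is declared twice in the same function scope; reusing the first binding with `users = output.authInfo.authenticatedUsers;` avoids the redeclaration.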