author | Adam Cooper <adam.cooper@mongodb.com> | 2020-08-17 15:37:42 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-08-20 22:20:55 +0000 |
commit | ad83ad71c3c65e0a7e8dcb0073069dbf6299b0bb (patch) | |
tree | 434438c6f3a9c5191642eabff503e211fd8b4047 /jstests/ssl | |
parent | 504dee509b57ba039bcfe1130054aabc13839fa9 (diff) | |
SERVER-48693 Add network counter for cluster authentication
Diffstat (limited to 'jstests/ssl')
-rw-r--r-- | jstests/ssl/auth-counters.js | 65 | ||||
-rw-r--r-- | jstests/ssl/speculative-auth-replset.js | 11 | ||||
-rw-r--r-- | jstests/ssl/speculative-auth-sharding.js | 25 | ||||
-rw-r--r-- | jstests/ssl/speculative-authenticate.js | 32 |
4 files changed, 110 insertions, 23 deletions
diff --git a/jstests/ssl/auth-counters.js b/jstests/ssl/auth-counters.js index 6eaafa3735e..04274ef8578 100644 --- a/jstests/ssl/auth-counters.js +++ b/jstests/ssl/auth-counters.js @@ -3,11 +3,13 @@ (function() { 'use strict'; +const x509 = "MONGODB-X509"; const mongod = MongoRunner.runMongod({ auth: '', tlsMode: 'requireTLS', tlsCertificateKeyFile: 'jstests/libs/server.pem', tlsCAFile: 'jstests/libs/ca.pem', + clusterAuthMode: "x509", }); const admin = mongod.getDB('admin'); const external = mongod.getDB('$external'); 
@@ -20,46 +22,79 @@ external.createUser({user: X509USER, roles: []}); // This test ignores counters for SCRAM-SHA-*. // For those, see jstests/auth/auth-counters.js -const expected = { - received: 0, - successful: 0 -}; +const expected = assert.commandWorked(admin.runCommand({serverStatus: 1})) + .security.authentication.mechanisms[x509]; function assertStats() { const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) - .security.authentication.mechanisms['MONGODB-X509'] - .authenticate; - assert.eq(mechStats.received, expected.received); - assert.eq(mechStats.successful, expected.successful); + .security.authentication.mechanisms[x509]; + try { + assert.eq(mechStats.authenticate.received, expected.authenticate.received); + assert.eq(mechStats.authenticate.successful, expected.authenticate.successful); + assert.eq(mechStats.clusterAuthenticate.received, expected.clusterAuthenticate.received); + assert.eq(mechStats.clusterAuthenticate.successful, + expected.clusterAuthenticate.successful); + } catch (e) { + print("mechStats: " + tojson(mechStats)); + print("expected: " + tojson(expected)); + throw e; + } } function assertSuccess(creds) { assert.eq(external.auth(creds), true); external.logout(); - ++expected.received; - ++expected.successful; + ++expected.authenticate.received; + ++expected.authenticate.successful; assertStats(); } function assertFailure(creds) { assert.eq(external.auth(creds), false); - ++expected.received; + ++expected.authenticate.received; + assertStats(); +} + +function assertSuccessInternal() { + assert.eq(runMongoProgram("mongo", + "--tls", + "--port", + mongod.port, + "--tlsCertificateKeyFile", + "jstests/libs/server.pem", + "--tlsCAFile", + "jstests/libs/ca.pem", + "--authenticationDatabase", + "$external", + "--authenticationMechanism", + "MONGODB-X509", + "--eval", + ";"), + 0); + ++expected.authenticate.received; + ++expected.authenticate.successful; + ++expected.clusterAuthenticate.received; + 
++expected.clusterAuthenticate.successful; assertStats(); } // User from certificate should work. -assertSuccess({mechanism: 'MONGODB-X509'}); +assertSuccess({mechanism: x509}); // Explicitly named user. -assertSuccess({user: X509USER, mechanism: 'MONGODB-X509'}); +assertSuccess({user: X509USER, mechanism: x509}); + +// Cluster auth counter checks. +// We can't test failures with the __system user without the handshake failing, +// which won't increment the counters. +assertSuccessInternal(); // Fails once the user no longer exists. external.dropUser(X509USER); -assertFailure({mechanism: 'MONGODB-X509'}); +assertFailure({mechanism: x509}); const finalStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; MongoRunner.stopMongod(mongod); - printjson(finalStats); })(); diff --git a/jstests/ssl/speculative-auth-replset.js b/jstests/ssl/speculative-auth-replset.js index 3c10b53b678..51f9e2c8154 100644 --- a/jstests/ssl/speculative-auth-replset.js +++ b/jstests/ssl/speculative-auth-replset.js @@ -37,13 +37,16 @@ const mechStats = printjson(mechStats); assert(mechStats['MONGODB-X509'] !== undefined); Object.keys(mechStats).forEach(function(mech) { - const stats = mechStats[mech].speculativeAuthenticate; + const specStats = mechStats[mech].speculativeAuthenticate; + const clusterStats = mechStats[mech].clusterAuthenticate; if (mech === 'MONGODB-X509') { - assert.gte(stats.received, 2); + assert.gte(specStats.received, 2); + assert.gte(clusterStats.received, 2); } else { - assert.eq(stats.received, 0); + assert.eq(specStats.received, 0); } - assert.eq(stats.received, stats.successful); + assert.eq(specStats.received, specStats.successful); + assert.gte(clusterStats.received, clusterStats.successful); }); admin.logout(); diff --git a/jstests/ssl/speculative-auth-sharding.js b/jstests/ssl/speculative-auth-sharding.js index 56af5fddaca..7a198c7983b 100644 --- a/jstests/ssl/speculative-auth-sharding.js 
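Review bot: `assertSuccessInternal()` spells out `"MONGODB-X509"` again although this commit introduces the `x509` constant for exactly that string; passing `x509` to `--authenticationMechanism` keeps the mechanism name in one place. The function also never says why this connection is expected to bump `clusterAuthenticate`: the only visible difference from `assertSuccess` is that the shell presents `jstests/libs/server.pem`, the certificate the server itself was started with, as its client certificate. Presumably that is what makes mongod count the session as a cluster member under `clusterAuthMode: "x509"`, so I would add a comment above the `runMongoProgram` call such as `// Present the server's own certificate so this client is counted as a cluster member.` The function lies wholly inside this hunk.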
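Review bot: In the `MONGODB-X509` branch only `clusterStats.received` gets a lower bound; `successful` is constrained solely by `assert.gte(clusterStats.received, clusterStats.successful)`, which also holds when `successful` is 0. A regression that stopped counting successful intra-cluster authentications would therefore still pass. If this node is expected to have completed member authentication by this point, add `assert.gte(clusterStats.successful, 1);` next to the `received` check. If no other mechanism should carry cluster auth in this set, `assert.eq(clusterStats.received, 0);` in the `else` branch would pin that as well. The `mechStats` assignment starts above the hunk, so which node is being queried is not visible here.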
+++ b/jstests/ssl/speculative-auth-sharding.js @@ -55,6 +55,17 @@ assert.eq(runMongoProgram('mongo', '--eval', ';'), 0); +assert.eq(runMongoProgram('mongo', + uri, + '--tls', + '--tlsCertificateKeyFile', + SERVER_CERT, + '--tlsCAFile', + CA_CERT, + '--tlsAllowInvalidHostnames', + '--eval', + ';'), + 0); const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms['MONGODB-X509']; @@ -63,14 +74,20 @@ jsTest.log('Authenticated stats: ' + tojson(authStats)); // Got and succeeded an additional speculation. const initSpec = initialStats.speculativeAuthenticate; const authSpec = authStats.speculativeAuthenticate; -assert.eq(authSpec.received, initSpec.received + 1); -assert.eq(authSpec.successful, initSpec.successful + 1); +assert.eq(authSpec.received, initSpec.received + 2); +assert.eq(authSpec.successful, initSpec.successful + 2); // Got and succeeded an additional auth. const initAuth = initialStats.authenticate; const authAuth = authStats.authenticate; -assert.eq(authAuth.received, initAuth.received + 1); -assert.eq(authAuth.successful, initAuth.successful + 1); +assert.eq(authAuth.received, initAuth.received + 2); +assert.eq(authAuth.successful, initAuth.successful + 2); + +// Got and succeeded intra-cluster auth. +const initCluster = initialStats.clusterAuthenticate; +const authCluster = authStats.clusterAuthenticate; +assert.eq(authCluster.received, initCluster.received + 1); +assert.eq(authCluster.successful, initCluster.successful + 1); ///////////////////////////////////////////////////////////////////////////// diff --git a/jstests/ssl/speculative-authenticate.js b/jstests/ssl/speculative-authenticate.js index 41b7139230f..492469466df 100644 --- a/jstests/ssl/speculative-authenticate.js +++ b/jstests/ssl/speculative-authenticate.js 
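Review bot: The second `runMongoProgram` call added in the first hunk carries no comment, so the reason the later expectations move from `+ 1` to `+ 2` has to be reconstructed from its arguments, where it presents `SERVER_CERT` as the client certificate. The unchanged comments in the following hunk, `// Got and succeeded an additional speculation.` and `// Got and succeeded an additional auth.`, still describe a single connection while the assertions beneath them now expect two. I would add `// Connect again with the server certificate so the session also counts as intra-cluster auth.` above the new call and reword those two comments to say "two additional". `SERVER_CERT`, `CA_CERT` and `uri` are defined outside these hunks, so the reading of which certificate is used is inferred from the name.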
@@ -8,6 +8,7 @@ const mongod = MongoRunner.runMongod({ tlsMode: 'requireTLS', tlsCertificateKeyFile: 'jstests/libs/server.pem', tlsCAFile: 'jstests/libs/ca.pem', + clusterAuthMode: "x509", }); const admin = mongod.getDB('admin'); const external = mongod.getDB('$external'); @@ -32,6 +33,19 @@ function test(uri) { assert.eq(0, x509); } +function testInternal(uri) { + const x509 = runMongoProgram('mongo', + '--tls', + '--tlsCAFile', + 'jstests/libs/ca.pem', + '--tlsCertificateKeyFile', + 'jstests/libs/server.pem', + uri, + '--eval', + ';'); + assert.eq(0, x509); +} + function assertStats(cb) { const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms; @@ -64,5 +78,23 @@ assertStats(function(mechStats) { assert.eq(stats.successful, 1); }); +// We haven't done any cluster auth yet, so clusterAuthenticate counts should be 0 +assertStats(function(mechStats) { + const stats = mechStats['MONGODB-X509'].clusterAuthenticate; + assert.eq(stats.received, 0); + assert.eq(stats.successful, 0); +}); + +// Connect intra-cluster with speculation. +testInternal(baseURI + '?authMechanism=MONGODB-X509'); +assertStats(function(mechStats) { + const specStats = mechStats['MONGODB-X509'].speculativeAuthenticate; + const clusterStats = mechStats['MONGODB-X509'].clusterAuthenticate; + assert.eq(specStats.received, 2); + assert.eq(specStats.successful, 2); + assert.eq(clusterStats.received, 1); + assert.eq(clusterStats.successful, 1); +}); + MongoRunner.stopMongod(mongod); })(); |
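Review bot: In `testInternal` the local `x509` holds the shell's exit code, not a mechanism or a certificate; the name is copied from `test()` and reads confusingly next to `mechStats['MONGODB-X509']` further down. `const exitCode = runMongoProgram(...)` followed by `assert.eq(0, exitCode);` says what is actually being checked. A one-line comment would also help, for example `// Same as test(), but presents the server's own certificate so the connection counts as cluster auth.` The body of `test()` starts outside this hunk, so how it differs is inferred from the new function's arguments only.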