authorAdam Cooper <adam.cooper@mongodb.com>2020-08-17 15:37:42 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-08-20 22:20:55 +0000
commitad83ad71c3c65e0a7e8dcb0073069dbf6299b0bb (patch)
tree434438c6f3a9c5191642eabff503e211fd8b4047 /jstests/ssl
parent504dee509b57ba039bcfe1130054aabc13839fa9 (diff)
downloadmongo-ad83ad71c3c65e0a7e8dcb0073069dbf6299b0bb.tar.gz
SERVER-48693 Add network counter for cluster authentication
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/auth-counters.js65
-rw-r--r--jstests/ssl/speculative-auth-replset.js11
-rw-r--r--jstests/ssl/speculative-auth-sharding.js25
-rw-r--r--jstests/ssl/speculative-authenticate.js32
4 files changed, 110 insertions, 23 deletions
diff --git a/jstests/ssl/auth-counters.js b/jstests/ssl/auth-counters.js
index 6eaafa3735e..04274ef8578 100644
--- a/jstests/ssl/auth-counters.js
+++ b/jstests/ssl/auth-counters.js
@@ -3,11 +3,13 @@
(function() {
'use strict';
+const x509 = "MONGODB-X509";
const mongod = MongoRunner.runMongod({
auth: '',
tlsMode: 'requireTLS',
tlsCertificateKeyFile: 'jstests/libs/server.pem',
tlsCAFile: 'jstests/libs/ca.pem',
+ clusterAuthMode: "x509",
});
const admin = mongod.getDB('admin');
const external = mongod.getDB('$external');
@@ -20,46 +22,79 @@ external.createUser({user: X509USER, roles: []});
// This test ignores counters for SCRAM-SHA-*.
// For those, see jstests/auth/auth-counters.js
-const expected = {
- received: 0,
- successful: 0
-};
+const expected = assert.commandWorked(admin.runCommand({serverStatus: 1}))
+ .security.authentication.mechanisms[x509];
function assertStats() {
const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
- .security.authentication.mechanisms['MONGODB-X509']
- .authenticate;
- assert.eq(mechStats.received, expected.received);
- assert.eq(mechStats.successful, expected.successful);
+ .security.authentication.mechanisms[x509];
+ try {
+ assert.eq(mechStats.authenticate.received, expected.authenticate.received);
+ assert.eq(mechStats.authenticate.successful, expected.authenticate.successful);
+ assert.eq(mechStats.clusterAuthenticate.received, expected.clusterAuthenticate.received);
+ assert.eq(mechStats.clusterAuthenticate.successful,
+ expected.clusterAuthenticate.successful);
+ } catch (e) {
+ print("mechStats: " + tojson(mechStats));
+ print("expected: " + tojson(expected));
+ throw e;
+ }
}
function assertSuccess(creds) {
assert.eq(external.auth(creds), true);
external.logout();
- ++expected.received;
- ++expected.successful;
+ ++expected.authenticate.received;
+ ++expected.authenticate.successful;
assertStats();
}
function assertFailure(creds) {
assert.eq(external.auth(creds), false);
- ++expected.received;
+ ++expected.authenticate.received;
+ assertStats();
+}
+
+function assertSuccessInternal() {
+ assert.eq(runMongoProgram("mongo",
+ "--tls",
+ "--port",
+ mongod.port,
+ "--tlsCertificateKeyFile",
+ "jstests/libs/server.pem",
+ "--tlsCAFile",
+ "jstests/libs/ca.pem",
+ "--authenticationDatabase",
+ "$external",
+ "--authenticationMechanism",
+ "MONGODB-X509",
+ "--eval",
+ ";"),
+ 0);
+ ++expected.authenticate.received;
+ ++expected.authenticate.successful;
+ ++expected.clusterAuthenticate.received;
+ ++expected.clusterAuthenticate.successful;
assertStats();
}
// User from certificate should work.
-assertSuccess({mechanism: 'MONGODB-X509'});
+assertSuccess({mechanism: x509});
// Explicitly named user.
-assertSuccess({user: X509USER, mechanism: 'MONGODB-X509'});
+assertSuccess({user: X509USER, mechanism: x509});
+
+// Cluster auth counter checks.
+// We can't test failures with the __system user without the handshake failing,
+// which won't increment the counters.
+assertSuccessInternal();
// Fails once the user no longer exists.
external.dropUser(X509USER);
-assertFailure({mechanism: 'MONGODB-X509'});
+assertFailure({mechanism: x509});
const finalStats =
assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms;
MongoRunner.stopMongod(mongod);
-
printjson(finalStats);
})();
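Review bot: `assertSuccessInternal` passes the literal `"MONGODB-X509"` after `--authenticationMechanism`, although this commit introduces `const x509` for that string and uses it everywhere else in the file; pass `x509` there so the counter key and the shell argument cannot drift apart. The function also has no comment saying why this connection should move both `authenticate` and `clusterAuthenticate`. The only visible difference from `assertSuccess` is that the shell presents `jstests/libs/server.pem`, the certificate the server itself runs with, so presumably that is what makes the server treat it as a cluster member. I would add above the function something like `// Presenting the server's own certificate makes this an intra-cluster login, counted under both authenticate and clusterAuthenticate.` The same undocumented reliance on the server certificate appears in `testInternal` in speculative-authenticate.js and in the added `runMongoProgram` call in speculative-auth-sharding.js.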
diff --git a/jstests/ssl/speculative-auth-replset.js b/jstests/ssl/speculative-auth-replset.js
index 3c10b53b678..51f9e2c8154 100644
--- a/jstests/ssl/speculative-auth-replset.js
+++ b/jstests/ssl/speculative-auth-replset.js
@@ -37,13 +37,16 @@ const mechStats =
printjson(mechStats);
assert(mechStats['MONGODB-X509'] !== undefined);
Object.keys(mechStats).forEach(function(mech) {
- const stats = mechStats[mech].speculativeAuthenticate;
+ const specStats = mechStats[mech].speculativeAuthenticate;
+ const clusterStats = mechStats[mech].clusterAuthenticate;
if (mech === 'MONGODB-X509') {
- assert.gte(stats.received, 2);
+ assert.gte(specStats.received, 2);
+ assert.gte(clusterStats.received, 2);
} else {
- assert.eq(stats.received, 0);
+ assert.eq(specStats.received, 0);
}
- assert.eq(stats.received, stats.successful);
+ assert.eq(specStats.received, specStats.successful);
+ assert.gte(clusterStats.received, clusterStats.successful);
});
admin.logout();
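Review bot: The `else` branch checks only `specStats.received` for mechanisms other than MONGODB-X509, so a cluster login attributed to the wrong mechanism would still pass. If this replica set uses x509 for all intra-cluster auth (the setup is outside the hunk), add `assert.eq(clusterStats.received, 0);` in that branch. The closing `assert.gte(clusterStats.received, clusterStats.successful)` is also much looser than the `assert.eq` applied to speculative auth on the line above it. A one-line comment stating why cluster attempts are allowed to fail here would tell the next reader that the weaker check is deliberate.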
diff --git a/jstests/ssl/speculative-auth-sharding.js b/jstests/ssl/speculative-auth-sharding.js
index 56af5fddaca..7a198c7983b 100644
--- a/jstests/ssl/speculative-auth-sharding.js
+++ b/jstests/ssl/speculative-auth-sharding.js
@@ -55,6 +55,17 @@ assert.eq(runMongoProgram('mongo',
'--eval',
';'),
0);
+assert.eq(runMongoProgram('mongo',
+ uri,
+ '--tls',
+ '--tlsCertificateKeyFile',
+ SERVER_CERT,
+ '--tlsCAFile',
+ CA_CERT,
+ '--tlsAllowInvalidHostnames',
+ '--eval',
+ ';'),
+ 0);
const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
.security.authentication.mechanisms['MONGODB-X509'];
@@ -63,14 +74,20 @@ jsTest.log('Authenticated stats: ' + tojson(authStats));
// Got and succeeded an additional speculation.
const initSpec = initialStats.speculativeAuthenticate;
const authSpec = authStats.speculativeAuthenticate;
-assert.eq(authSpec.received, initSpec.received + 1);
-assert.eq(authSpec.successful, initSpec.successful + 1);
+assert.eq(authSpec.received, initSpec.received + 2);
+assert.eq(authSpec.successful, initSpec.successful + 2);
// Got and succeeded an additional auth.
const initAuth = initialStats.authenticate;
const authAuth = authStats.authenticate;
-assert.eq(authAuth.received, initAuth.received + 1);
-assert.eq(authAuth.successful, initAuth.successful + 1);
+assert.eq(authAuth.received, initAuth.received + 2);
+assert.eq(authAuth.successful, initAuth.successful + 2);
+
+// Got and succeeded intra-cluster auth.
+const initCluster = initialStats.clusterAuthenticate;
+const authCluster = authStats.clusterAuthenticate;
+assert.eq(authCluster.received, initCluster.received + 1);
+assert.eq(authCluster.successful, initCluster.successful + 1);
/////////////////////////////////////////////////////////////////////////////
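Review bot: The comments `// Got and succeeded an additional speculation.` and `// Got and succeeded an additional auth.` still describe a single connection, while the assertions beneath them now expect `+ 2`. The second increment comes from the `runMongoProgram` call this commit adds with `SERVER_CERT`, so the comments should say so, e.g. `// Two more speculations: one from the pre-existing shell connection and one from the connection made with SERVER_CERT.` and likewise for the auth comment. It would also help to state next to `initCluster` that only the `SERVER_CERT` connection is expected to count as cluster auth, which is why that delta is 1 rather than 2.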
diff --git a/jstests/ssl/speculative-authenticate.js b/jstests/ssl/speculative-authenticate.js
index 41b7139230f..492469466df 100644
--- a/jstests/ssl/speculative-authenticate.js
+++ b/jstests/ssl/speculative-authenticate.js
@@ -8,6 +8,7 @@ const mongod = MongoRunner.runMongod({
tlsMode: 'requireTLS',
tlsCertificateKeyFile: 'jstests/libs/server.pem',
tlsCAFile: 'jstests/libs/ca.pem',
+ clusterAuthMode: "x509",
});
const admin = mongod.getDB('admin');
const external = mongod.getDB('$external');
@@ -32,6 +33,19 @@ function test(uri) {
assert.eq(0, x509);
}
+function testInternal(uri) {
+ const x509 = runMongoProgram('mongo',
+ '--tls',
+ '--tlsCAFile',
+ 'jstests/libs/ca.pem',
+ '--tlsCertificateKeyFile',
+ 'jstests/libs/server.pem',
+ uri,
+ '--eval',
+ ';');
+ assert.eq(0, x509);
+}
+
function assertStats(cb) {
const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
.security.authentication.mechanisms;
@@ -64,5 +78,23 @@ assertStats(function(mechStats) {
assert.eq(stats.successful, 1);
});
+// We haven't done any cluster auth yet, so clusterAuthenticate counts should be 0
+assertStats(function(mechStats) {
+ const stats = mechStats['MONGODB-X509'].clusterAuthenticate;
+ assert.eq(stats.received, 0);
+ assert.eq(stats.successful, 0);
+});
+
+// Connect intra-cluster with speculation.
+testInternal(baseURI + '?authMechanism=MONGODB-X509');
+assertStats(function(mechStats) {
+ const specStats = mechStats['MONGODB-X509'].speculativeAuthenticate;
+ const clusterStats = mechStats['MONGODB-X509'].clusterAuthenticate;
+ assert.eq(specStats.received, 2);
+ assert.eq(specStats.successful, 2);
+ assert.eq(clusterStats.received, 1);
+ assert.eq(clusterStats.successful, 1);
+});
+
MongoRunner.stopMongod(mongod);
})();
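Review bot: The callback after `testInternal(...)` asserts `speculativeAuthenticate` and `clusterAuthenticate` but not `authenticate`, whereas speculative-auth-sharding.js in this same commit expects `authenticate` to advance together with speculation for the connection made with the server certificate. Consider also reading `mechStats['MONGODB-X509'].authenticate` in that callback and asserting its `received` and `successful`, so a cluster login that bypassed the ordinary counter would be caught here too. The expected absolute values depend on earlier steps of this test, which lie outside the hunk.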