author | Sara Golemon <sara.golemon@mongodb.com> | 2019-03-29 16:15:10 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2019-05-17 20:10:40 +0000 |
commit | db19e7ce84cfd702a4ba9983ee2ea5019f470f82 (patch) | |
tree | b5848cac163edc036365ac62ecee1ea5deb4e292 /jstests | |
parent | a19bd8dae441feeea87b061066a53ad85e3aec9c (diff) | |
download | mongo-db19e7ce84cfd702a4ba9983ee2ea5019f470f82.tar.gz |
SERVER-38984 Validate unique User ID on UserCache hit
(cherry picked from commit e55d6e2292e5dbe2f97153251d8193d1cc89f5d7)
Diffstat (limited to 'jstests')
-rw-r--r-- | jstests/auth/deleted_recreated_user.js | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/jstests/auth/deleted_recreated_user.js b/jstests/auth/deleted_recreated_user.js
new file mode 100644
index 00000000000..87517f48297
--- /dev/null
+++ b/jstests/auth/deleted_recreated_user.js
@@ -0,0 +1,74 @@
+// Test that sessions can not be resumed by deleted and recreated user.
+
+(function() {
+ 'use strict';
+
+ const kInvalidationIntervalSecs = 5;
+
+ function runTest(s0, s1) {
+ assert(s0);
+ assert(s1);
+ const admin = s0.getDB('admin');
+
+ function checkIdType(username) {
+ const user = admin.system.users.find({user: username, db: 'admin'}).toArray()[0];
+ const id = user._id;
+ const userId = user.userId;
+ assert.eq(typeof(id), 'string');
+ assert.eq(id, 'admin.' + username);
+ assert.eq(typeof(userId), 'object');
+ assert.eq(tojson(userId).substring(0, 5), 'UUID(');
+ }
+
+ admin.createUser({user: 'admin', pwd: 'pass', roles: jsTest.adminUserRoles});
+ assert(admin.auth('admin', 'pass'));
+ checkIdType('admin');
+
+ admin.createUser({user: 'user', pwd: 'pass', roles: jsTest.basicUserRoles});
+ checkIdType('user');
+ admin.logout();
+
+ // Connect as basic user and create a session.
+ assert(admin.auth('user', 'pass'));
+ assert.writeOK(admin.mycoll.insert({_id: "foo", data: "bar"}));
+
+ // Perform administrative commands via separate shell.
+ function evalCmd(cmd) {
+ const uri = 'mongodb://admin:pass@localhost:' + s1.port + '/admin';
+ const result = runMongoProgram('./mongo', uri, '--eval', cmd);
+ assert.eq(result, 0, "Command failed");
+ }
+ evalCmd('db.dropUser("user"); ');
+ evalCmd('db.createUser({user: "user", pwd: "secret", roles: ["root"]});');
+
+ if (s0 !== s1) {
+ // Wait for twice the invalidation interval when sharding.
+ sleep(2 * kInvalidationIntervalSecs * 1000);
+ }
+
+ // This should fail due to invalid user session.
+ const thrown =
+ assert.throws(() => admin.mycoll.find({}).toArray(), [], "Able to find after recreate");
+ assert.eq(thrown.code, ErrorCodes.Unauthorized, "Threw something other than unauthorized");
+ }
+
+ const mongod = MongoRunner.runMongod({auth: ''});
+ runTest(mongod, mongod);
+ MongoRunner.stopMongod(mongod);
+
+ // TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed.
+ const st = new ShardingTest({
+ shards: 1,
+ mongos: 2,
+ config: 1,
+ other: {
+ keyFile: 'jstests/libs/key1',
+ shardAsReplicaSet: false,
+ mongosOptions: {
+ setParameter: 'userCacheInvalidationIntervalSecs=' + kInvalidationIntervalSecs,
+ },
+ },
+ });
+ runTest(st.s0, st.s1);
+ st.stop();
+})(); |
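Review bot: The last assertions in `runTest` only show that the pre-existing session gets `ErrorCodes.Unauthorized` on a single `find`; they do not check that the old password is now rejected or that the recreated account authenticates with its new one, so the test cannot tell "session dropped because the user identity changed" apart from other causes of an Unauthorized error. Because the recreated `user` is granted `root`, pinning both sides of that boundary after the `thrown.code` check would make a regression easier to spot, for example `assert(!admin.auth('user', 'pass'));` followed by `assert(admin.auth('user', 'secret'));` (this assumes `auth` returns a falsy value rather than throwing on bad credentials, as the existing `assert(admin.auth(...))` calls suggest). The comment above `sleep` could also say why the wait exists, e.g. `// A mongos that did not run the drop keeps the cached user until its next invalidation pass, so the stale session may stay authorized for up to userCacheInvalidationIntervalSecs.`, since that window is the behaviour the sharded run accepts.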