author | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-09-27 16:06:45 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-09-29 11:54:59 -0400 |
commit | fb4b207cddb61a9b1c5e010be693ba41156e7f58 (patch) | |
tree | a9a0fc28e23976c2184fe69c0b35252cd4f73410 /src/mongo/db/auth/authorization_session_test.cpp | |
parent | 2fc2b3fbde6adbeb43a7b8df70e26000cedf01d5 (diff) | |
download | mongo-fb4b207cddb61a9b1c5e010be693ba41156e7f58.tar.gz |
SERVER-31248: Use of UUID in command requires privilege
Diffstat (limited to 'src/mongo/db/auth/authorization_session_test.cpp')
-rw-r--r-- | src/mongo/db/auth/authorization_session_test.cpp | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index 308156c31ee..0ec66e94598 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
@@ -1278,5 +1278,34 @@ TEST_F(AuthorizationSessionTest, CanListCollectionsWithListCollectionsPrivilege)
 ASSERT_TRUE(authzSession->isAuthorizedToListCollections(testQuxNss.db()));
 }
 
+TEST_F(AuthorizationSessionTest, CanUseUUIDNamespacesWithPrivilege) {
+ BSONObj stringObj = BSON("a"
+ << "string");
+ BSONObj uuidObj = BSON("a" << UUID::gen());
+ BSONObj invalidObj = BSON("a" << 12);
+
+ // Strings require no privileges
+ ASSERT_TRUE(authzSession->isAuthorizedToParseNamespaceElement(stringObj.firstElement()));
+
+ // UUIDs cannot be parsed with default privileges
+ ASSERT_FALSE(authzSession->isAuthorizedToParseNamespaceElement(uuidObj.firstElement()));
+
+ // Element must be either a string, or a UUID
+ ASSERT_THROWS_CODE(authzSession->isAuthorizedToParseNamespaceElement(invalidObj.firstElement()),
+ AssertionException,
+ ErrorCodes::InvalidNamespace);
+
+ // The useUUID privilege allows UUIDs to be parsed
+ authzSession->assumePrivilegesForDB(
+ Privilege(ResourcePattern::forClusterResource(), {ActionType::useUUID}));
+
+ ASSERT_TRUE(authzSession->isAuthorizedToParseNamespaceElement(stringObj.firstElement()));
+ ASSERT_TRUE(authzSession->isAuthorizedToParseNamespaceElement(uuidObj.firstElement()));
+ ASSERT_THROWS_CODE(authzSession->isAuthorizedToParseNamespaceElement(invalidObj.firstElement()),
+ AssertionException,
+ ErrorCodes::InvalidNamespace);
+}
+
+
 } // namespace
 } // namespace mongo |
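Review bot: The negative coverage in CanUseUUIDNamespacesWithPrivilege stops at an integer element and at a session holding no privileges, so two edge cases of this authorization check are left unpinned. A BinData element whose subtype is not a UUID is never exercised; the implementation is not visible in this hunk, but if it keys on the BinData type alone such an element could be accepted as a UUID, so a case like `BSON("a" << BSONBinData("x", 1, BinDataGeneral))` expecting `ErrorCodes::InvalidNamespace` would be worth adding. The test also only shows the grant on `ResourcePattern::forClusterResource()` succeeding; a second fixture that grants `ActionType::useUUID` on a narrower pattern such as `ResourcePattern::forDatabaseName("test")` and still expects `ASSERT_FALSE` for `uuidObj` would confirm the privilege cannot be satisfied by a database-scoped role. As a style point, the two blank lines added after the closing brace could be one.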