SERVER-19318 Allow $currentOp aggregations to be run on mongoS

author: Bernard Gorman <bernard.gorman@gmail.com> 2017-06-16 11:10:59 +0100
committer: Bernard Gorman <bernard.gorman@gmail.com> 2017-06-16 22:57:40 +0100
commit: 69fd148aafff5bc9c33596b75560f05a6a260f7a (patch)
tree: cdfacbaafae55ea7741766516130eeba5a8da181 /src/mongo/db/auth/authorization_session_test.cpp
parent: e5eb1981a68bfc3250b72ca14a9131e2749b4cf7 (diff)
download: mongo-69fd148aafff5bc9c33596b75560f05a6a260f7a.tar.gz
1 files changed, 110 insertions, 37 deletions
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index 806bc3795e8..71b7f00ee51 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
@@ -40,6 +40,7 @@
 #include "mongo/db/json.h"
 #include "mongo/db/namespace_string.h"
 #include "mongo/db/operation_context_noop.h"
+#include "mongo/s/is_mongos.h"
 #include "mongo/stdx/memory.h"
 #include "mongo/unittest/unittest.h"
 #include "mongo/util/map_util.h"
@@ -541,39 +542,40 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) {
 TEST_F(AuthorizationSessionTest, CheckAuthForAggregateFailsIfPipelineIsNotAnArray) {
     BSONObj cmdObjIntPipeline = BSON("aggregate" << testFooNss.coll() << "pipeline" << 7);
     ASSERT_EQ(ErrorCodes::TypeMismatch,
-              authzSession->checkAuthForAggregate(testFooNss, cmdObjIntPipeline));
+              authzSession->checkAuthForAggregate(testFooNss, cmdObjIntPipeline, false));
 
     BSONObj cmdObjObjPipeline = BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONObj());
     ASSERT_EQ(ErrorCodes::TypeMismatch,
-              authzSession->checkAuthForAggregate(testFooNss, cmdObjObjPipeline));
+              authzSession->checkAuthForAggregate(testFooNss, cmdObjObjPipeline, false));
 
     BSONObj cmdObjNoPipeline = BSON("aggregate" << testFooNss.coll());
     ASSERT_EQ(ErrorCodes::TypeMismatch,
-              authzSession->checkAuthForAggregate(testFooNss, cmdObjNoPipeline));
+              authzSession->checkAuthForAggregate(testFooNss, cmdObjNoPipeline, false));
 }
 
 TEST_F(AuthorizationSessionTest, CheckAuthForAggregateFailsIfPipelineFirstStageIsNotAnObject) {
     BSONObj cmdObjFirstStageInt =
         BSON("aggregate" << testFooNss.coll() << "pipeline" << BSON_ARRAY(7));
     ASSERT_EQ(ErrorCodes::TypeMismatch,
-              authzSession->checkAuthForAggregate(testFooNss, cmdObjFirstStageInt));
+              authzSession->checkAuthForAggregate(testFooNss, cmdObjFirstStageInt, false));
 
     BSONObj cmdObjFirstStageArray =
         BSON("aggregate" << testFooNss.coll() << "pipeline" << BSON_ARRAY(BSONArray()));
     ASSERT_EQ(ErrorCodes::TypeMismatch,
-              authzSession->checkAuthForAggregate(testFooNss, cmdObjFirstStageArray));
+              authzSession->checkAuthForAggregate(testFooNss, cmdObjFirstStageArray, false));
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateEmptyPipelineWithoutFindAction) {
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONArray());
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateEmptyPipelineWithFindAction) {
     authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
 
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << BSONArray());
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateWithoutFindActionIfFirstStageNotIndexOrCollStats) {
@@ -583,7 +585,8 @@ TEST_F(AuthorizationSessionTest, CannotAggregateWithoutFindActionIfFirstStageNot
     BSONArray pipeline = BSON_ARRAY(BSON("$limit" << 1) << BSON("$collStats" << BSONObj())
                                                         << BSON("$indexStats" << BSONObj()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateWithFindActionIfFirstStageNotIndexOrCollStats) {
@@ -592,7 +595,7 @@ TEST_F(AuthorizationSessionTest, CanAggregateWithFindActionIfFirstStageNotIndexO
     BSONArray pipeline = BSON_ARRAY(BSON("$limit" << 1) << BSON("$collStats" << BSONObj())
                                                         << BSON("$indexStats" << BSONObj()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateCollStatsWithoutCollStatsAction) {
@@ -600,7 +603,8 @@ TEST_F(AuthorizationSessionTest, CannotAggregateCollStatsWithoutCollStatsAction)
 
     BSONArray pipeline = BSON_ARRAY(BSON("$collStats" << BSONObj()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateCollStatsWithCollStatsAction) {
@@ -608,7 +612,7 @@ TEST_F(AuthorizationSessionTest, CanAggregateCollStatsWithCollStatsAction) {
 
     BSONArray pipeline = BSON_ARRAY(BSON("$collStats" << BSONObj()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateIndexStatsWithoutIndexStatsAction) {
@@ -616,7 +620,8 @@ TEST_F(AuthorizationSessionTest, CannotAggregateIndexStatsWithoutIndexStatsActio
 
     BSONArray pipeline = BSON_ARRAY(BSON("$indexStats" << BSONObj()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateIndexStatsWithIndexStatsAction) {
@@ -624,38 +629,96 @@ TEST_F(AuthorizationSessionTest, CanAggregateIndexStatsWithIndexStatsAction) {
 
     BSONArray pipeline = BSON_ARRAY(BSON("$indexStats" << BSONObj()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
-TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersFalseWithoutInprogAction) {
+TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersFalseWithoutInprogActionOnMongoD) {
     authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
 
     BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false)));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
-TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseIfNotAuthenticated) {
+TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseWithoutInprogActionOnMongoS) {
+    authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
+
+    BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false)));
+    BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, true));
+}
+
+TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseIfNotAuthenticatedOnMongoD) {
     BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false)));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
-TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersTrueWithoutInprogAction) {
+TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersFalseIfNotAuthenticatedOnMongoS) {
+    BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false)));
+    BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
+
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, true));
+}
+
+TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersTrueWithoutInprogActionOnMongoD) {
     authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
 
     BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true)));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
+}
+
+TEST_F(AuthorizationSessionTest, CannotAggregateCurrentOpAllUsersTrueWithoutInprogActionOnMongoS) {
+    authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
+
+    BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true)));
+    BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, true));
+}
+
+TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersTrueWithInprogActionOnMongoD) {
+    authzSession->assumePrivilegesForDB(
+        Privilege(ResourcePattern::forClusterResource(), {ActionType::inprog}));
+
+    BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true)));
+    BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
-TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersTrueWithInprogAction) {
+TEST_F(AuthorizationSessionTest, CanAggregateCurrentOpAllUsersTrueWithInprogActionOnMongoS) {
     authzSession->assumePrivilegesForDB(
         Privilege(ResourcePattern::forClusterResource(), {ActionType::inprog}));
 
     BSONArray pipeline = BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << true)));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, true));
+}
+
+TEST_F(AuthorizationSessionTest, CannotSpoofAllUsersTrueWithoutInprogActionOnMongoD) {
+    authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
+
+    BSONArray pipeline =
+        BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false << "allUsers" << true)));
+    BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
+}
+
+TEST_F(AuthorizationSessionTest, CannotSpoofAllUsersTrueWithoutInprogActionOnMongoS) {
+    authzSession->assumePrivilegesForDB(Privilege(testFooCollResource, {ActionType::find}));
+
+    BSONArray pipeline =
+        BSON_ARRAY(BSON("$currentOp" << BSON("allUsers" << false << "allUsers" << true)));
+    BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, true));
 }
 
 TEST_F(AuthorizationSessionTest, AddPrivilegesForStageFailsIfOutNamespaceIsNotValid) {
@@ -663,7 +726,7 @@ TEST_F(AuthorizationSessionTest, AddPrivilegesForStageFailsIfOutNamespaceIsNotVa
                                          << ""));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
     ASSERT_THROWS_CODE(
-        authzSession->checkAuthForAggregate(testFooNss, cmdObj), UserException, 17139);
+        authzSession->checkAuthForAggregate(testFooNss, cmdObj, false), UserException, 17139);
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateOutWithoutInsertAndRemoveOnTargetNamespace) {
@@ -672,17 +735,20 @@ TEST_F(AuthorizationSessionTest, CannotAggregateOutWithoutInsertAndRemoveOnTarge
 
     BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 
     // We have insert but not remove on the $out namespace.
     authzSession->assumePrivilegesForDB({Privilege(testFooCollResource, {ActionType::find}),
                                          Privilege(testBarCollResource, {ActionType::insert})});
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 
     // We have remove but not insert on the $out namespace.
     authzSession->assumePrivilegesForDB({Privilege(testFooCollResource, {ActionType::find}),
                                          Privilege(testBarCollResource, {ActionType::remove})});
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateOutWithInsertAndRemoveOnTargetNamespace) {
@@ -692,12 +758,13 @@ TEST_F(AuthorizationSessionTest, CanAggregateOutWithInsertAndRemoveOnTargetNames
 
     BSONArray pipeline = BSON_ARRAY(BSON("$out" << testBarNss.coll()));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 
     BSONObj cmdObjNoBypassDocumentValidation = BSON(
         "aggregate" << testFooNss.coll() << "pipeline" << pipeline << "bypassDocumentValidation"
                     << false);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObjNoBypassDocumentValidation));
+    ASSERT_OK(
+        authzSession->checkAuthForAggregate(testFooNss, cmdObjNoBypassDocumentValidation, false));
 }
 
 TEST_F(AuthorizationSessionTest,
@@ -710,7 +777,8 @@ TEST_F(AuthorizationSessionTest,
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline
                                       << "bypassDocumentValidation"
                                       << true);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest,
@@ -725,7 +793,7 @@ TEST_F(AuthorizationSessionTest,
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline
                                       << "bypassDocumentValidation"
                                       << true);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateLookupWithoutFindOnJoinedNamespace) {
@@ -733,7 +801,8 @@ TEST_F(AuthorizationSessionTest, CannotAggregateLookupWithoutFindOnJoinedNamespa
 
     BSONArray pipeline = BSON_ARRAY(BSON("$lookup" << BSON("from" << testBarNss.coll())));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateLookupWithFindOnJoinedNamespace) {
@@ -742,7 +811,7 @@ TEST_F(AuthorizationSessionTest, CanAggregateLookupWithFindOnJoinedNamespace) {
 
     BSONArray pipeline = BSON_ARRAY(BSON("$lookup" << BSON("from" << testBarNss.coll())));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CannotAggregateGraphLookupWithoutFindOnJoinedNamespace) {
@@ -750,7 +819,8 @@ TEST_F(AuthorizationSessionTest, CannotAggregateGraphLookupWithoutFindOnJoinedNa
 
     BSONArray pipeline = BSON_ARRAY(BSON("$graphLookup" << BSON("from" << testBarNss.coll())));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, CanAggregateGraphLookupWithFindOnJoinedNamespace) {
@@ -759,7 +829,7 @@ TEST_F(AuthorizationSessionTest, CanAggregateGraphLookupWithFindOnJoinedNamespac
 
     BSONArray pipeline = BSON_ARRAY(BSON("$graphLookup" << BSON("from" << testBarNss.coll())));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest,
@@ -771,17 +841,20 @@ TEST_F(AuthorizationSessionTest,
         BSON_ARRAY(fromjson("{$facet: {lookup: [{$lookup: {from: 'bar'}}], graphLookup: "
                             "[{$graphLookup: {from: 'qux'}}]}}"));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 
     // We have find on the $lookup namespace but not on the $graphLookup namespace.
     authzSession->assumePrivilegesForDB({Privilege(testFooCollResource, {ActionType::find}),
                                          Privilege(testBarCollResource, {ActionType::find})});
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 
     // We have find on the $graphLookup namespace but not on the $lookup namespace.
     authzSession->assumePrivilegesForDB({Privilege(testFooCollResource, {ActionType::find}),
                                          Privilege(testQuxCollResource, {ActionType::find})});
-    ASSERT_EQ(ErrorCodes::Unauthorized, authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_EQ(ErrorCodes::Unauthorized,
+              authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest,
@@ -794,7 +867,7 @@ TEST_F(AuthorizationSessionTest,
         BSON_ARRAY(fromjson("{$facet: {lookup: [{$lookup: {from: 'bar'}}], graphLookup: "
                             "[{$graphLookup: {from: 'qux'}}]}}"));
     BSONObj cmdObj = BSON("aggregate" << testFooNss.coll() << "pipeline" << pipeline);
-    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj));
+    ASSERT_OK(authzSession->checkAuthForAggregate(testFooNss, cmdObj, false));
 }
 
 TEST_F(AuthorizationSessionTest, UnauthorizedSessionIsCoauthorizedWithEmptyUserSet) {
author	Bernard Gorman <bernard.gorman@gmail.com>	2017-06-16 11:10:59 +0100
committer	Bernard Gorman <bernard.gorman@gmail.com>	2017-06-16 22:57:40 +0100
commit	69fd148aafff5bc9c33596b75560f05a6a260f7a (patch)
tree	cdfacbaafae55ea7741766516130eeba5a8da181 /src/mongo/db/auth/authorization_session_test.cpp
parent	e5eb1981a68bfc3250b72ca14a9131e2749b4cf7 (diff)
download	mongo-69fd148aafff5bc9c33596b75560f05a6a260f7a.tar.gz