diff options
Diffstat (limited to 'jstests/auth/authentication_restrictions.js')
| -rw-r--r-- | jstests/auth/authentication_restrictions.js | 428 |
1 files changed, 209 insertions, 219 deletions
diff --git a/jstests/auth/authentication_restrictions.js b/jstests/auth/authentication_restrictions.js index 1f08b3e6d6d..172db043770 100644 --- a/jstests/auth/authentication_restrictions.js +++ b/jstests/auth/authentication_restrictions.js @@ -4,224 +4,214 @@ */ (function() { - 'use strict'; - - // TODO SERVER-35447: Multiple users cannot be authenticated on one connection within a session. - TestData.disableImplicitSessions = true; - - function testConnection( - conn, eventuallyConsistentConn, sleepUntilUserDataPropagated, sleepUntilUserDataRefreshed) { - load("jstests/libs/host_ipaddr.js"); - - // Create a session which observes an eventually consistent view of user data - var eventualDb = eventuallyConsistentConn.getDB("admin"); - - // Create a session for modifying user data during the life of the test - var adminSession = new Mongo("localhost:" + conn.port); - var admin = adminSession.getDB("admin"); - assert.commandWorked(admin.runCommand( - {createUser: "admin", pwd: "admin", roles: [{role: "root", db: "admin"}]})); - assert(admin.auth("admin", "admin")); - - // Create a strongly consistent session for consuming user data - var db = conn.getDB("admin"); - - // Create a strongly consistent session for consuming user data, with a non-localhost - // source IP. - var externalMongo = new Mongo(get_ipaddr() + ":" + conn.port); - var externalDb = externalMongo.getDB("admin"); - - assert.commandWorked(admin.runCommand({ - createUser: "user2", - pwd: "user", - roles: [], - authenticationRestrictions: [{clientSource: ["127.0.0.1"]}] - })); - assert.commandWorked(admin.runCommand({createUser: "user3", pwd: "user", roles: []})); - assert.commandWorked(admin.runCommand( - {updateUser: "user3", authenticationRestrictions: [{serverAddress: ["127.0.0.1"]}]})); - - print("=== User creation tests"); - print( - "When a client creates users with empty authenticationRestrictions, the operation succeeds, though it has no effect"); - assert.commandWorked(admin.runCommand( - {createUser: "user4", pwd: "user", roles: [], authenticationRestrictions: []})); - assert(!Object.keys(admin.system.users.findOne({user: "user4"})) - .includes("authenticationRestrictions")); - - print( - "When a client updates a user's authenticationRestrictions to be empty, the operation succeeds, and removes the authenticationRestrictions field"); - assert.commandWorked(admin.runCommand({createUser: "user5", pwd: "user", roles: []})); - assert.commandWorked( - admin.runCommand({updateUser: "user5", authenticationRestrictions: []})); - assert(!Object.keys(admin.system.users.findOne({user: "user5"})) - .includes("authenticationRestrictions")); - assert.commandWorked(admin.runCommand( - {updateUser: "user5", authenticationRestrictions: [{clientSource: ["127.0.0.1"]}]})); - assert(Object.keys(admin.system.users.findOne({user: "user5"})) - .includes("authenticationRestrictions")); - assert.commandWorked( - admin.runCommand({updateUser: "user5", authenticationRestrictions: []})); - assert(!Object.keys(admin.system.users.findOne({user: "user5"})) - .includes("authenticationRestrictions")); - - print( - "When a client updates a user's authenticationRestrictions to be null or undefined, the operation fails"); - assert.commandWorked(admin.runCommand( - {updateUser: "user5", authenticationRestrictions: [{clientSource: ["127.0.0.1"]}]})); - assert(Object.keys(admin.system.users.findOne({user: "user5"})) - .includes("authenticationRestrictions")); - assert.commandFailed( - admin.runCommand({updateUser: "user5", authenticationRestrictions: null})); - assert(Object.keys(admin.system.users.findOne({user: "user5"})) - .includes("authenticationRestrictions")); - assert.commandFailed( - admin.runCommand({updateUser: "user5", authenticationRestrictions: undefined})); - assert(Object.keys(admin.system.users.findOne({user: "user5"})) - .includes("authenticationRestrictions")); - - print( - "When a client creates users, it may use clientSource and serverAddress authenticationRestrictions"); - assert.commandWorked(admin.runCommand({ - createUser: "user6", - pwd: "user", - roles: [], - authenticationRestrictions: [{clientSource: ["127.0.0.1"]}] - })); - assert.commandWorked(admin.runCommand({ - createUser: "user7", - pwd: "user", - roles: [], - authenticationRestrictions: [{serverAddress: ["127.0.0.1"]}] - })); - assert.commandWorked(admin.runCommand({ - createUser: "user8", - pwd: "user", - roles: [], - authenticationRestrictions: - [{clientSource: ["127.0.0.1"], serverAddress: ["127.0.0.1"]}] - })); - assert.commandWorked(admin.runCommand({ - createUser: "user9", - pwd: "user", - roles: [], - authenticationRestrictions: - [{clientSource: ["127.0.0.1"]}, {serverAddress: ["127.0.0.1"]}] - })); - assert.commandFailed(admin.runCommand({ - createUser: "user10", - pwd: "user", - roles: [], - authenticationRestrictions: [{invalidRestriction: ["127.0.0.1"]}] - })); - - print("=== Localhost access tests"); - - print( - "When a client on the loopback authenticates to a user with {clientSource: \"127.0.0.1\"}, it will succeed"); - assert(db.auth("user6", "user")); - - print( - "When a client on the loopback authenticates to a user with {serverAddress: \"127.0.0.1\"}, it will succeed"); - assert(db.auth("user7", "user")); - - print( - "When a client on the loopback authenticates to a user with {clientSource: \"127.0.0.1\", serverAddress: \"127.0.0.1\"}, it will succeed"); - assert(db.auth("user8", "user")); - - print("=== Remote access tests"); - print( - "When a client on the external interface authenticates to a user with {clientSource: \"127.0.0.1\"}, it will fail"); - assert(!externalDb.auth("user6", "user")); - - print( - "When a client on the external interface authenticates to a user with {serverAddress: \"127.0.0.1\"}, it will fail"); - assert(!externalDb.auth("user7", "user")); - - print( - "When a client on the external interface authenticates to a user with {clientSource: \"127.0.0.1\", serverAddress: \"127.0.0.1\"}, it will fail"); - assert(!externalDb.auth("user8", "user")); - - print("=== Invalidation tests"); - print( - "When a client removes all authenticationRestrictions from a user, authentication will succeed"); - assert.commandWorked(admin.runCommand({ - createUser: "user11", - pwd: "user", - roles: [], - authenticationRestrictions: - [{clientSource: ["127.0.0.1"], serverAddress: ["127.0.0.1"]}] - })); - assert(!externalDb.auth("user11", "user")); - assert.commandWorked( - admin.runCommand({updateUser: "user11", authenticationRestrictions: []})); - assert(externalDb.auth("user11", "user")); - - print( - "When a client sets authenticationRestrictions on a user, authorization privileges are revoked"); - assert.commandWorked(admin.runCommand( - {createUser: "user12", pwd: "user", roles: [{role: "readWrite", db: "test"}]})); - - assert(db.auth("user12", "user")); - assert.commandWorked(db.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); - - sleepUntilUserDataPropagated(); - assert(eventualDb.auth("user12", "user")); - assert.commandWorked( - eventualDb.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); - - assert.commandWorked(admin.runCommand( - {updateUser: "user12", authenticationRestrictions: [{clientSource: ["192.0.2.0"]}]})); - - assert.commandFailed(db.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); - - sleepUntilUserDataRefreshed(); - assert.commandFailed( - eventualDb.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); - } - - print("Testing standalone"); - var conn = MongoRunner.runMongod({bind_ip_all: "", auth: ""}); - testConnection(conn, conn, function() {}, function() {}); - MongoRunner.stopMongod(conn); - - var keyfile = "jstests/libs/key1"; - - print("Testing replicaset"); - var rst = new ReplSetTest( - {name: 'testset', nodes: 2, nodeOptions: {bind_ip_all: "", auth: ""}, keyFile: keyfile}); - var nodes = rst.startSet(); - rst.initiate(); - rst.awaitSecondaryNodes(); - var awaitReplication = function() { - authutil.asCluster(nodes, "jstests/libs/key1", function() { - rst.awaitReplication(); - }); - }; - - testConnection(rst.getPrimary(), rst.getSecondary(), awaitReplication, awaitReplication); - rst.stopSet(); - - print("Testing sharded cluster"); - // TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed. - var st = new ShardingTest({ - mongos: 2, - config: 3, - shard: 1, - keyFile: keyfile, - other: { - mongosOptions: {bind_ip_all: "", auth: null}, - configOptions: {auth: null}, - shardOptions: {auth: null}, - shardAsReplicaSet: false - } +'use strict'; + +// TODO SERVER-35447: Multiple users cannot be authenticated on one connection within a session. +TestData.disableImplicitSessions = true; + +function testConnection( + conn, eventuallyConsistentConn, sleepUntilUserDataPropagated, sleepUntilUserDataRefreshed) { + load("jstests/libs/host_ipaddr.js"); + + // Create a session which observes an eventually consistent view of user data + var eventualDb = eventuallyConsistentConn.getDB("admin"); + + // Create a session for modifying user data during the life of the test + var adminSession = new Mongo("localhost:" + conn.port); + var admin = adminSession.getDB("admin"); + assert.commandWorked(admin.runCommand( + {createUser: "admin", pwd: "admin", roles: [{role: "root", db: "admin"}]})); + assert(admin.auth("admin", "admin")); + + // Create a strongly consistent session for consuming user data + var db = conn.getDB("admin"); + + // Create a strongly consistent session for consuming user data, with a non-localhost + // source IP. + var externalMongo = new Mongo(get_ipaddr() + ":" + conn.port); + var externalDb = externalMongo.getDB("admin"); + + assert.commandWorked(admin.runCommand({ + createUser: "user2", + pwd: "user", + roles: [], + authenticationRestrictions: [{clientSource: ["127.0.0.1"]}] + })); + assert.commandWorked(admin.runCommand({createUser: "user3", pwd: "user", roles: []})); + assert.commandWorked(admin.runCommand( + {updateUser: "user3", authenticationRestrictions: [{serverAddress: ["127.0.0.1"]}]})); + + print("=== User creation tests"); + print( + "When a client creates users with empty authenticationRestrictions, the operation succeeds, though it has no effect"); + assert.commandWorked(admin.runCommand( + {createUser: "user4", pwd: "user", roles: [], authenticationRestrictions: []})); + assert(!Object.keys(admin.system.users.findOne({user: "user4"})) + .includes("authenticationRestrictions")); + + print( + "When a client updates a user's authenticationRestrictions to be empty, the operation succeeds, and removes the authenticationRestrictions field"); + assert.commandWorked(admin.runCommand({createUser: "user5", pwd: "user", roles: []})); + assert.commandWorked(admin.runCommand({updateUser: "user5", authenticationRestrictions: []})); + assert(!Object.keys(admin.system.users.findOne({user: "user5"})) + .includes("authenticationRestrictions")); + assert.commandWorked(admin.runCommand( + {updateUser: "user5", authenticationRestrictions: [{clientSource: ["127.0.0.1"]}]})); + assert(Object.keys(admin.system.users.findOne({user: "user5"})) + .includes("authenticationRestrictions")); + assert.commandWorked(admin.runCommand({updateUser: "user5", authenticationRestrictions: []})); + assert(!Object.keys(admin.system.users.findOne({user: "user5"})) + .includes("authenticationRestrictions")); + + print( + "When a client updates a user's authenticationRestrictions to be null or undefined, the operation fails"); + assert.commandWorked(admin.runCommand( + {updateUser: "user5", authenticationRestrictions: [{clientSource: ["127.0.0.1"]}]})); + assert(Object.keys(admin.system.users.findOne({user: "user5"})) + .includes("authenticationRestrictions")); + assert.commandFailed(admin.runCommand({updateUser: "user5", authenticationRestrictions: null})); + assert(Object.keys(admin.system.users.findOne({user: "user5"})) + .includes("authenticationRestrictions")); + assert.commandFailed( + admin.runCommand({updateUser: "user5", authenticationRestrictions: undefined})); + assert(Object.keys(admin.system.users.findOne({user: "user5"})) + .includes("authenticationRestrictions")); + + print( + "When a client creates users, it may use clientSource and serverAddress authenticationRestrictions"); + assert.commandWorked(admin.runCommand({ + createUser: "user6", + pwd: "user", + roles: [], + authenticationRestrictions: [{clientSource: ["127.0.0.1"]}] + })); + assert.commandWorked(admin.runCommand({ + createUser: "user7", + pwd: "user", + roles: [], + authenticationRestrictions: [{serverAddress: ["127.0.0.1"]}] + })); + assert.commandWorked(admin.runCommand({ + createUser: "user8", + pwd: "user", + roles: [], + authenticationRestrictions: [{clientSource: ["127.0.0.1"], serverAddress: ["127.0.0.1"]}] + })); + assert.commandWorked(admin.runCommand({ + createUser: "user9", + pwd: "user", + roles: [], + authenticationRestrictions: [{clientSource: ["127.0.0.1"]}, {serverAddress: ["127.0.0.1"]}] + })); + assert.commandFailed(admin.runCommand({ + createUser: "user10", + pwd: "user", + roles: [], + authenticationRestrictions: [{invalidRestriction: ["127.0.0.1"]}] + })); + + print("=== Localhost access tests"); + + print( + "When a client on the loopback authenticates to a user with {clientSource: \"127.0.0.1\"}, it will succeed"); + assert(db.auth("user6", "user")); + + print( + "When a client on the loopback authenticates to a user with {serverAddress: \"127.0.0.1\"}, it will succeed"); + assert(db.auth("user7", "user")); + + print( + "When a client on the loopback authenticates to a user with {clientSource: \"127.0.0.1\", serverAddress: \"127.0.0.1\"}, it will succeed"); + assert(db.auth("user8", "user")); + + print("=== Remote access tests"); + print( + "When a client on the external interface authenticates to a user with {clientSource: \"127.0.0.1\"}, it will fail"); + assert(!externalDb.auth("user6", "user")); + + print( + "When a client on the external interface authenticates to a user with {serverAddress: \"127.0.0.1\"}, it will fail"); + assert(!externalDb.auth("user7", "user")); + + print( + "When a client on the external interface authenticates to a user with {clientSource: \"127.0.0.1\", serverAddress: \"127.0.0.1\"}, it will fail"); + assert(!externalDb.auth("user8", "user")); + + print("=== Invalidation tests"); + print( + "When a client removes all authenticationRestrictions from a user, authentication will succeed"); + assert.commandWorked(admin.runCommand({ + createUser: "user11", + pwd: "user", + roles: [], + authenticationRestrictions: [{clientSource: ["127.0.0.1"], serverAddress: ["127.0.0.1"]}] + })); + assert(!externalDb.auth("user11", "user")); + assert.commandWorked(admin.runCommand({updateUser: "user11", authenticationRestrictions: []})); + assert(externalDb.auth("user11", "user")); + + print( + "When a client sets authenticationRestrictions on a user, authorization privileges are revoked"); + assert.commandWorked(admin.runCommand( + {createUser: "user12", pwd: "user", roles: [{role: "readWrite", db: "test"}]})); + + assert(db.auth("user12", "user")); + assert.commandWorked(db.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); + + sleepUntilUserDataPropagated(); + assert(eventualDb.auth("user12", "user")); + assert.commandWorked(eventualDb.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); + + assert.commandWorked(admin.runCommand( + {updateUser: "user12", authenticationRestrictions: [{clientSource: ["192.0.2.0"]}]})); + + assert.commandFailed(db.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); + + sleepUntilUserDataRefreshed(); + assert.commandFailed(eventualDb.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); +} + +print("Testing standalone"); +var conn = MongoRunner.runMongod({bind_ip_all: "", auth: ""}); +testConnection(conn, conn, function() {}, function() {}); +MongoRunner.stopMongod(conn); + +var keyfile = "jstests/libs/key1"; + +print("Testing replicaset"); +var rst = new ReplSetTest( + {name: 'testset', nodes: 2, nodeOptions: {bind_ip_all: "", auth: ""}, keyFile: keyfile}); +var nodes = rst.startSet(); +rst.initiate(); +rst.awaitSecondaryNodes(); +var awaitReplication = function() { + authutil.asCluster(nodes, "jstests/libs/key1", function() { + rst.awaitReplication(); }); - testConnection(st.s0, - st.s1, - function() {}, - function() { - sleep(40 * 1000); // Wait for mongos user cache invalidation - }); - st.stop(); - +}; + +testConnection(rst.getPrimary(), rst.getSecondary(), awaitReplication, awaitReplication); +rst.stopSet(); + +print("Testing sharded cluster"); +// TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed. +var st = new ShardingTest({ + mongos: 2, + config: 3, + shard: 1, + keyFile: keyfile, + other: { + mongosOptions: {bind_ip_all: "", auth: null}, + configOptions: {auth: null}, + shardOptions: {auth: null}, + shardAsReplicaSet: false + } +}); +testConnection(st.s0, + st.s1, + function() {}, + function() { + sleep(40 * 1000); // Wait for mongos user cache invalidation + }); +st.stop(); }()); |