diff options
Diffstat (limited to 'jstests/auth/builtin_roles.js')
-rw-r--r-- | jstests/auth/builtin_roles.js | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/jstests/auth/builtin_roles.js b/jstests/auth/builtin_roles.js new file mode 100644 index 00000000000..f99fca2061b --- /dev/null +++ b/jstests/auth/builtin_roles.js @@ -0,0 +1,120 @@ +// Check that builtin roles contain valid permissions. + +(function() { +'use strict'; + +function assertIsBuiltinRole(def, name, expectPrivs = false, expectAuthRest = false) { + jsTest.log(tojson(def)); + assert.eq(def.db, name.db); + assert.eq(def.role, name.role); + assert.eq(def.isBuiltin, true); + assert.eq(def.roles.length, 0); + assert.eq(def.inheritedRoles.length, 0); + if (expectPrivs === false) { + assert(def.privileges === undefined); + assert(def.inheritedPrivileges === undefined); + } else if (expectPrivs === true) { + assert.gt(def.privileges.length, 0); + assert.eq(bsonWoCompare(def.privileges, def.inheritedPrivileges), 0); + } else { + assert.eq(bsonWoCompare(def.privileges, expectPrivs), 0); + assert.eq(bsonWoCompare(def.privileges, def.inheritedPrivileges), 0); + } + if (expectAuthRest === false) { + assert(def.authenticationRestrictions === undefined); + assert(def.inheritedAuthenticationRestrictions === undefined); + } else if (expectAuthRest === true) { + assert.eq(def.authenticationRestrictions.length, 0); + assert.eq(def.inheritedAuthenticationRestrictions.length, 0); + } else { + // Builtin roles never have authentication restrictions. + assert(false); + } +} + +function runTest(mongo) { + const admin = mongo.getDB('admin'); + const test = mongo.getDB('test'); + + function rolesInfo(db, role, basic = false) { + const cmd = { + rolesInfo: role, + showPrivileges: !basic, + showAuthenticationRestrictions: !basic, + showBuiltinRoles: !basic, + }; + return assert.commandWorked(db.runCommand(cmd)) + .roles.sort((a, b) => (a.role + '.' + a.db).localeCompare(b.role + '.' + b.db, 'en')); + } + + const kTestReadRole = {role: 'read', db: 'test'}; + const kAdminReadRole = {role: 'read', db: 'admin'}; + const kReadRoleActions = [ + 'changeStream', + 'collStats', + 'dbHash', + 'dbStats', + 'find', + 'killCursors', + 'listCollections', + 'listIndexes', + 'planCacheRead' + ]; + const kAdminReadPrivs = [ + {resource: {db: 'admin', collection: ''}, actions: kReadRoleActions}, + {resource: {db: 'admin', collection: 'system.js'}, actions: kReadRoleActions}, + ]; + const kTestReadPrivs = [ + {resource: {db: 'test', collection: ''}, actions: kReadRoleActions}, + {resource: {db: 'test', collection: 'system.js'}, actions: kReadRoleActions}, + ]; + + const adminReadBasic = rolesInfo(admin, 'read', true); + assert.eq(adminReadBasic.length, 1); + assertIsBuiltinRole(adminReadBasic[0], kAdminReadRole, false, false); + + const adminRead = rolesInfo(admin, 'read'); + assert.eq(adminRead.length, 1); + assertIsBuiltinRole(adminRead[0], kAdminReadRole, true, true); + assertIsBuiltinRole(adminRead[0], kAdminReadRole, kAdminReadPrivs, true); + + const testRead = rolesInfo(admin, kTestReadRole); + assert.eq(testRead.length, 1); + assertIsBuiltinRole(testRead[0], kTestReadRole, true, true); + assertIsBuiltinRole(testRead[0], kTestReadRole, kTestReadPrivs, true); + + const testMulti = rolesInfo(admin, ['read', kTestReadRole]); + assert.eq(testMulti.length, 2); + assertIsBuiltinRole(testMulti[0], kAdminReadRole, kAdminReadPrivs, true); + assertIsBuiltinRole(testMulti[1], kTestReadRole, kTestReadPrivs, true); + + const testRole1Privs = [{resource: {db: 'test', collection: ''}, actions: ['insert']}]; + assert.commandWorked( + test.runCommand({createRole: 'role1', roles: ['read'], privileges: testRole1Privs})); + + const testRoles = rolesInfo(test, 1); + const testUserRoles = testRoles.filter((r) => !r.isBuiltin); + assert.eq(testUserRoles.length, 1); + const testUserRole1 = testUserRoles[0]; + jsTest.log('testUserRole1: ' + tojson(testUserRole1)); + assert.eq(testUserRole1.db, 'test'); + assert.eq(testUserRole1.role, 'role1'); + assert.eq(testUserRole1.roles, [kTestReadRole]); + assert.eq(testUserRole1.inheritedRoles, [kTestReadRole]); + assert.eq(testUserRole1.privileges, testRole1Privs); + assert.eq(testUserRole1.inheritedPrivileges, testRole1Privs.concat(kTestReadPrivs)); + + const testRolesReadRole = testRoles.filter((r) => r.role === 'read'); + assert.eq(testRolesReadRole.length, 1); + assertIsBuiltinRole(testRolesReadRole[0], kTestReadRole, kTestReadPrivs, true); +} + +// Standalone +const mongod = MongoRunner.runMongod(); +runTest(mongod); +MongoRunner.stopMongod(mongod); + +const st = new ShardingTest({shards: 1, mongos: 1, config: 1, other: {shardAsReplicaSet: false}}); +runTest(st.s0); +st.stop(); +})(); |