Diffstat (limited to 'jstests/auth/resource_pattern_matching.js')
-rw-r--r-- | jstests/auth/resource_pattern_matching.js | 245 |
1 files changed, 127 insertions, 118 deletions
diff --git a/jstests/auth/resource_pattern_matching.js b/jstests/auth/resource_pattern_matching.js index 7acad4f5f1f..5a4da66871c 100644 --- a/jstests/auth/resource_pattern_matching.js +++ b/jstests/auth/resource_pattern_matching.js @@ -17,17 +17,9 @@ function setup_users(granter) { admindb.auth("admin", "admin"); - printjson(admindb.runCommand({ - createRole: "test_role", - privileges: [], - roles: [] - })); - - printjson(admindb.runCommand({ - createUser: "test_user", - pwd: "password", - roles: [ "test_role" ] - })); + printjson(admindb.runCommand({createRole: "test_role", privileges: [], roles: []})); + + printjson(admindb.runCommand({createUser: "test_user", pwd: "password", roles: ["test_role"]})); } function setup_dbs_and_cols(db) { @@ -54,7 +46,7 @@ function grant_privileges(granter, privileges) { var result = admindb.runCommand({ grantPrivilegesToRole: "test_role", privileges: privileges, - writeConcern: { w: 'majority'} + writeConcern: {w: 'majority'} }); admindb.logout(); @@ -70,7 +62,7 @@ function revoke_privileges(granter, privileges) { var result = admindb.runCommand({ revokePrivilegesFromRole: "test_role", privileges: privileges, - writeConcern: { w: 'majority'} + writeConcern: {w: 'majority'} }); admindb.logout(); 
@@ -107,118 +99,135 @@ function run_test(name, granter, verifier, privileges, collections) { } function run_test_bad_resource(name, granter, resource) { - print("\n=== testing resource fail " + name + "() ===\n"); - var admindb = granter.getSiblingDB("admin"); - assert.commandFailed( - grant_privileges(granter, [{ resource: resource, actions: [ "find" ] }]) - ); + print("\n=== testing resource fail " + name + "() ===\n"); + var admindb = granter.getSiblingDB("admin"); + assert.commandFailed(grant_privileges(granter, [{resource: resource, actions: ["find"]}])); } function should_insert(testdb, testcol) { - assert.doesNotThrow(function() { testcol.insert({ a : "b" }); }); + assert.doesNotThrow(function() { + testcol.insert({a: "b"}); + }); } function should_fail_insert(testdb, testcol) { - assert.throws(function() { testcol.insert({ a : "b" }); }); + assert.throws(function() { + testcol.insert({a: "b"}); + }); } function should_find(testdb, testcol) { - assert.doesNotThrow(function() { testcol.findOne(); }); + assert.doesNotThrow(function() { + testcol.findOne(); + }); } function should_fail_find(testdb, testcol) { - assert.throws(function() { testcol.findOne(); }); + assert.throws(function() { + testcol.findOne(); + }); } function run_tests(granter, verifier) { setup_users(granter); setup_dbs_and_cols(granter); - run_test("specific", granter, verifier, - [ { resource: { db: "a", collection: "a" }, actions: [ "find" ]} ], - { - "a.a" : should_find, - "a.b" : should_fail_find, - "b.a" : should_fail_find, - "b.b" : should_fail_find - } - ); - - run_test("glob_collection", granter, verifier, - [ { resource: { db: "a", collection: "" }, actions: [ "find" ]} ], - { - "a.a" : should_find, - "a.b" : should_find, - "b.a" : should_fail_find, - "b.b" : should_fail_find - } - ); - - run_test("glob_database", granter, verifier, - [ { resource: { db: "", collection: "a" }, actions: [ "find" ]} ], - { - "a.a" : should_find, - "a.b" : should_fail_find, - "b.a" : should_find, - 
"b.b" : should_fail_find - } - ); - - run_test("glob_all", granter, verifier, - [ { resource: { db: "", collection: "" }, actions: [ "find" ]} ], - { - "a.a" : should_find, - "a.b" : should_find, - "b.a" : should_find, - "b.b" : should_find - } - ); - - run_test("any_resource", granter, verifier, - [ { resource: { anyResource: true }, actions: [ "find" ]} ], - { - "a.a" : should_find, - "a.b" : should_find, - "b.a" : should_find, - "b.b" : should_find, - "c.a" : should_find - } - ); - - run_test("no_global_access", granter, verifier, - [ { resource: { db: "$", collection: "cmd" }, actions: [ "find" ]} ], - { - "a.a" : function (testdb, testcol) { - var r = testdb.stats(); - - if (r["ok"]) throw ("db.$.cmd shouldn't give a.stats()"); - } - } - ); - - run_test_bad_resource("empty_resource", granter, { }); - run_test_bad_resource("users_collection_any_db", granter, { collection: "users" }); - run_test_bad_resource("bad_key", granter, { myResource: "users" }); - run_test_bad_resource("extra_key", granter, { db: "test", collection: "users", cluster: true }); - run_test_bad_resource("bad_value_type", granter, { cluster: "false" }); - run_test_bad_resource("bad_collection", granter, { db: "test", collection: "$$$$" }); - - run_test("mixed_find_write", granter, verifier, - [ - { resource: { db: "a", collection: "a" }, actions: [ "find" ]}, - { resource: { db: "", collection: "" }, actions: [ "insert" ]} - ], - { - "a.a" : function(testdb, testcol) { should_insert(testdb, testcol); - should_find(testdb, testcol); }, - "a.b" : function(testdb, testcol) { should_insert(testdb, testcol); - should_fail_find(testdb, testcol); }, - "b.a" : function(testdb, testcol) { should_insert(testdb, testcol); - should_fail_find(testdb, testcol); }, - "b.b" : function(testdb, testcol) { should_insert(testdb, testcol); - should_fail_find(testdb, testcol); }, - } - ); + run_test("specific", + granter, + verifier, + [{resource: {db: "a", collection: "a"}, actions: ["find"]}], + { + "a.a": 
should_find, + "a.b": should_fail_find, + "b.a": should_fail_find, + "b.b": should_fail_find + }); + + run_test("glob_collection", + granter, + verifier, + [{resource: {db: "a", collection: ""}, actions: ["find"]}], + { + "a.a": should_find, + "a.b": should_find, + "b.a": should_fail_find, + "b.b": should_fail_find + }); + + run_test("glob_database", + granter, + verifier, + [{resource: {db: "", collection: "a"}, actions: ["find"]}], + { + "a.a": should_find, + "a.b": should_fail_find, + "b.a": should_find, + "b.b": should_fail_find + }); + + run_test("glob_all", + granter, + verifier, + [{resource: {db: "", collection: ""}, actions: ["find"]}], + {"a.a": should_find, "a.b": should_find, "b.a": should_find, "b.b": should_find}); + + run_test("any_resource", + granter, + verifier, + [{resource: {anyResource: true}, actions: ["find"]}], + { + "a.a": should_find, + "a.b": should_find, + "b.a": should_find, + "b.b": should_find, + "c.a": should_find + }); + + run_test("no_global_access", + granter, + verifier, + [{resource: {db: "$", collection: "cmd"}, actions: ["find"]}], + { + "a.a": function(testdb, testcol) { + var r = testdb.stats(); + + if (r["ok"]) + throw("db.$.cmd shouldn't give a.stats()"); + } + }); + + run_test_bad_resource("empty_resource", granter, {}); + run_test_bad_resource("users_collection_any_db", granter, {collection: "users"}); + run_test_bad_resource("bad_key", granter, {myResource: "users"}); + run_test_bad_resource("extra_key", granter, {db: "test", collection: "users", cluster: true}); + run_test_bad_resource("bad_value_type", granter, {cluster: "false"}); + run_test_bad_resource("bad_collection", granter, {db: "test", collection: "$$$$"}); + + run_test("mixed_find_write", + granter, + verifier, + [ + {resource: {db: "a", collection: "a"}, actions: ["find"]}, + {resource: {db: "", collection: ""}, actions: ["insert"]} + ], + { + "a.a": function(testdb, testcol) { + should_insert(testdb, testcol); + should_find(testdb, testcol); + }, + "a.b": 
function(testdb, testcol) { + should_insert(testdb, testcol); + should_fail_find(testdb, testcol); + }, + "b.a": function(testdb, testcol) { + should_insert(testdb, testcol); + should_fail_find(testdb, testcol); + }, + "b.b": function(testdb, testcol) { + should_insert(testdb, testcol); + should_fail_find(testdb, testcol); + }, + }); } var keyfile = "jstests/libs/key1"; @@ -231,9 +240,9 @@ print('--- done standalone node test ---'); print('--- replica set test ---'); var rst = new ReplSetTest({ - name: 'testset', - nodes: 2, - nodeOptions: { 'auth': null, 'httpinterface': null, 'keyFile': keyfile } + name: 'testset', + nodes: 2, + nodeOptions: {'auth': null, 'httpinterface': null, 'keyFile': keyfile} }); rst.startSet(); @@ -247,14 +256,14 @@ print('--- done with the rs tests ---'); print('--- sharding test ---'); var st = new ShardingTest({ - mongos: 2, - shard: 1, - keyFile: keyfile, - other: { - mongosOptions: { 'auth': null, 'httpinterface': null }, - configOptions: { 'auth': null, 'httpinterface': null }, - shardOptions: { 'auth': null, 'httpinterface': null } - } + mongos: 2, + shard: 1, + keyFile: keyfile, + other: { + mongosOptions: {'auth': null, 'httpinterface': null}, + configOptions: {'auth': null, 'httpinterface': null}, + shardOptions: {'auth': null, 'httpinterface': null} + } }); run_tests(st.s0.getDB('admin'), st.s1.getDB('admin')); st.stop(); |
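Review bot: In the `no_global_access` case of `run_tests` (hunk `@@ -107,118 +99,135 @@`), the reformatted check is now an unbraced two-line `if (r["ok"])` followed by `throw("db.$.cmd shouldn't give a.stats()");`, which reads like a function call and throws a bare string, so a failure reports neither a stack trace nor the server response. This is the test's only assertion that a privilege on `{db: "$", collection: "cmd"}` does not grant command access, so I would write it as `assert.commandFailed(testdb.stats(), "db.$.cmd shouldn't give a.stats()");`, matching the `assert.commandFailed` already used in `run_test_bad_resource`. That assumes `stats()` returns the command response rather than throwing, as the existing `r["ok"]` test implies. Separately, `var admindb = granter.getSiblingDB("admin");` in `run_test_bad_resource` is unused and could be dropped.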