Diffstat (limited to 'jstests/auth/system_user_privileges.js')
-rw-r--r--jstests/auth/system_user_privileges.js174
1 files changed, 87 insertions, 87 deletions
diff --git a/jstests/auth/system_user_privileges.js b/jstests/auth/system_user_privileges.js
index 164ba9bd2e4..40619ba307c 100644
--- a/jstests/auth/system_user_privileges.js
+++ b/jstests/auth/system_user_privileges.js
@@ -12,91 +12,91 @@
(function() {
- "use strict";
-
- // Runs the "count" command on a database in a way that returns the result document, for easier
- // inspection of the errmsg.
- function runCountCommand(conn, dbName, collectionName) {
- return conn.getDB(dbName).runCommand({count: collectionName});
- }
-
- // Asserts that on the given "conn", "dbName"."collectionName".count() fails as unauthorized.
- function assertCountUnauthorized(conn, dbName, collectionName) {
- assert.eq(runCountCommand(conn, dbName, collectionName).code,
- 13,
- "On " + dbName + "." + collectionName);
- }
-
- var conn = MongoRunner.runMongod({auth: ""});
-
- var admin = conn.getDB('admin');
- var test = conn.getDB('test');
- var local = conn.getDB('local');
-
- //
- // Preliminary set up.
- //
- admin.createUser({user: 'admin', pwd: 'a', roles: jsTest.adminUserRoles});
- admin.auth('admin', 'a');
-
- //
- // Add users named "__system" with no privileges on "test" and "admin", and make sure you can't
- // add one on "local"
- //
-
- test.createUser({user: '__system', pwd: 'a', roles: []});
- admin.createUser({user: '__system', pwd: 'a', roles: []});
- assert.throws(function() {
- local.createUser({user: '__system', pwd: 'a', roles: []});
- });
-
- //
- // Add some data to count.
- //
-
- admin.foo.insert({_id: 1});
- test.foo.insert({_id: 2});
- local.foo.insert({_id: 3});
-
- admin.logout();
- assertCountUnauthorized(conn, "admin", "foo");
- assertCountUnauthorized(conn, "local", "foo");
- assertCountUnauthorized(conn, "test", "foo");
-
- //
- // Validate that you cannot even log in as __system@local with the supplied password; you _must_
- // use the password from the keyfile.
- //
- assert(!local.auth('__system', 'a'));
- assertCountUnauthorized(conn, "admin", "foo");
- assertCountUnauthorized(conn, "local", "foo");
- assertCountUnauthorized(conn, "test", "foo");
-
- //
- // Validate that __system@test is not shadowed by the keyfile __system user.
- //
- test.auth('__system', 'a');
- assertCountUnauthorized(conn, "admin", "foo");
- assertCountUnauthorized(conn, "local", "foo");
- assertCountUnauthorized(conn, "test", "foo");
-
- test.logout();
- assertCountUnauthorized(conn, "admin", "foo");
- assertCountUnauthorized(conn, "local", "foo");
- assertCountUnauthorized(conn, "test", "foo");
-
- //
- // Validate that __system@admin is not shadowed by the keyfile __system user.
- //
- admin.auth('__system', 'a');
- assertCountUnauthorized(conn, "admin", "foo");
- assertCountUnauthorized(conn, "local", "foo");
- assertCountUnauthorized(conn, "test", "foo");
-
- admin.logout();
- assertCountUnauthorized(conn, "admin", "foo");
- assertCountUnauthorized(conn, "local", "foo");
- assertCountUnauthorized(conn, "test", "foo");
-
- MongoRunner.stopMongod(conn, null, {user: 'admin', pwd: 'a'});
+"use strict";
+
+// Runs the "count" command on a database in a way that returns the result document, for easier
+// inspection of the errmsg.
+function runCountCommand(conn, dbName, collectionName) {
+ return conn.getDB(dbName).runCommand({count: collectionName});
+}
+
+// Asserts that on the given "conn", "dbName"."collectionName".count() fails as unauthorized.
+function assertCountUnauthorized(conn, dbName, collectionName) {
+ assert.eq(runCountCommand(conn, dbName, collectionName).code,
+ 13,
+ "On " + dbName + "." + collectionName);
+}
+
+var conn = MongoRunner.runMongod({auth: ""});
+
+var admin = conn.getDB('admin');
+var test = conn.getDB('test');
+var local = conn.getDB('local');
+
+//
+// Preliminary set up.
+//
+admin.createUser({user: 'admin', pwd: 'a', roles: jsTest.adminUserRoles});
+admin.auth('admin', 'a');
+
+//
+// Add users named "__system" with no privileges on "test" and "admin", and make sure you can't
+// add one on "local"
+//
+
+test.createUser({user: '__system', pwd: 'a', roles: []});
+admin.createUser({user: '__system', pwd: 'a', roles: []});
+assert.throws(function() {
+ local.createUser({user: '__system', pwd: 'a', roles: []});
+});
+
+//
+// Add some data to count.
+//
+
+admin.foo.insert({_id: 1});
+test.foo.insert({_id: 2});
+local.foo.insert({_id: 3});
+
+admin.logout();
+assertCountUnauthorized(conn, "admin", "foo");
+assertCountUnauthorized(conn, "local", "foo");
+assertCountUnauthorized(conn, "test", "foo");
+
+//
+// Validate that you cannot even log in as __system@local with the supplied password; you _must_
+// use the password from the keyfile.
+//
+assert(!local.auth('__system', 'a'));
+assertCountUnauthorized(conn, "admin", "foo");
+assertCountUnauthorized(conn, "local", "foo");
+assertCountUnauthorized(conn, "test", "foo");
+
+//
+// Validate that __system@test is not shadowed by the keyfile __system user.
+//
+test.auth('__system', 'a');
+assertCountUnauthorized(conn, "admin", "foo");
+assertCountUnauthorized(conn, "local", "foo");
+assertCountUnauthorized(conn, "test", "foo");
+
+test.logout();
+assertCountUnauthorized(conn, "admin", "foo");
+assertCountUnauthorized(conn, "local", "foo");
+assertCountUnauthorized(conn, "test", "foo");
+
+//
+// Validate that __system@admin is not shadowed by the keyfile __system user.
+//
+admin.auth('__system', 'a');
+assertCountUnauthorized(conn, "admin", "foo");
+assertCountUnauthorized(conn, "local", "foo");
+assertCountUnauthorized(conn, "test", "foo");
+
+admin.logout();
+assertCountUnauthorized(conn, "admin", "foo");
+assertCountUnauthorized(conn, "local", "foo");
+assertCountUnauthorized(conn, "test", "foo");
+
+MongoRunner.stopMongod(conn, null, {user: 'admin', pwd: 'a'});
})();