diff options
Diffstat (limited to 'jstests/auth/user_management_commands.js')
-rw-r--r-- | jstests/auth/user_management_commands.js | 345 |
1 files changed, 187 insertions, 158 deletions
diff --git a/jstests/auth/user_management_commands.js b/jstests/auth/user_management_commands.js index 1a777a00e6b..e835aa4b348 100644 --- a/jstests/auth/user_management_commands.js +++ b/jstests/auth/user_management_commands.js @@ -12,23 +12,27 @@ function runTest(conn) { conn.getDB('admin').createUser({user: 'admin', pwd: 'pwd', roles: ['root']}); conn.getDB('admin').auth('admin', 'pwd'); - conn.getDB('admin').createUser({user: 'userAdmin', - pwd: 'pwd', - roles: ['userAdminAnyDatabase'], - customData: {userAdmin: true}}); + conn.getDB('admin').createUser({ + user: 'userAdmin', + pwd: 'pwd', + roles: ['userAdminAnyDatabase'], + customData: {userAdmin: true} + }); conn.getDB('admin').logout(); var userAdminConn = new Mongo(conn.host); userAdminConn.getDB('admin').auth('userAdmin', 'pwd'); var testUserAdmin = userAdminConn.getDB('test'); - testUserAdmin.createRole({role: 'testRole', - roles:[], - privileges:[{resource: {db: 'test', collection: ''}, - actions: ['viewRole']}],}); - userAdminConn.getDB('admin').createRole({role: 'adminRole', - roles:[], - privileges:[{resource: {cluster: true}, - actions: ['connPoolSync']}]}); + testUserAdmin.createRole({ + role: 'testRole', + roles: [], + privileges: [{resource: {db: 'test', collection: ''}, actions: ['viewRole']}], + }); + userAdminConn.getDB('admin').createRole({ + role: 'adminRole', + roles: [], + privileges: [{resource: {cluster: true}, actions: ['connPoolSync']}] + }); var db = conn.getDB('test'); @@ -40,182 +44,207 @@ function runTest(conn) { // various users and test that their access control is correct. (function testCreateUser() { - jsTestLog("Testing createUser"); - - testUserAdmin.createUser({user: "spencer", - pwd: "pwd", - customData: {zipCode: 10028}, - roles: ['readWrite', - 'testRole', - {role: 'adminRole', db: 'admin'}]}); - testUserAdmin.createUser({user: "andy", pwd: "pwd", roles: []}); - - var user = testUserAdmin.getUser('spencer'); - assert.eq(10028, user.customData.zipCode); - assert(db.auth('spencer', 'pwd')); - assert.writeOK(db.foo.insert({ a: 1 })); - assert.eq(1, db.foo.findOne().a); - assert.doesNotThrow(function() {db.getRole('testRole');}); - assert.commandWorked(db.adminCommand('connPoolSync')); - - db.logout(); - assert(db.auth('andy', 'pwd')); - hasAuthzError(db.foo.insert({ a: 1 })); - assert.throws(function() { db.foo.findOne();}); - assert.throws(function() {db.getRole('testRole');}); - })(); + jsTestLog("Testing createUser"); + + testUserAdmin.createUser({ + user: "spencer", + pwd: "pwd", + customData: {zipCode: 10028}, + roles: ['readWrite', 'testRole', {role: 'adminRole', db: 'admin'}] + }); + testUserAdmin.createUser({user: "andy", pwd: "pwd", roles: []}); + + var user = testUserAdmin.getUser('spencer'); + assert.eq(10028, user.customData.zipCode); + assert(db.auth('spencer', 'pwd')); + assert.writeOK(db.foo.insert({a: 1})); + assert.eq(1, db.foo.findOne().a); + assert.doesNotThrow(function() { + db.getRole('testRole'); + }); + assert.commandWorked(db.adminCommand('connPoolSync')); + + db.logout(); + assert(db.auth('andy', 'pwd')); + hasAuthzError(db.foo.insert({a: 1})); + assert.throws(function() { + db.foo.findOne(); + }); + assert.throws(function() { + db.getRole('testRole'); + }); + })(); (function testUpdateUser() { - jsTestLog("Testing updateUser"); - - testUserAdmin.updateUser('spencer', {pwd: 'password', customData: {}}); - var user = testUserAdmin.getUser('spencer'); - assert.eq(null, user.customData.zipCode); - assert(!db.auth('spencer', 'pwd')); - assert(db.auth('spencer', 'password')); - - testUserAdmin.updateUser('spencer', {customData: {zipCode: 10036}, - roles: ["read", "testRole"]}); - var user = testUserAdmin.getUser('spencer'); - assert.eq(10036, user.customData.zipCode); - hasAuthzError(db.foo.insert({ a: 1 })); - assert.eq(1, db.foo.findOne().a); - assert.eq(1, db.foo.count()); - assert.doesNotThrow(function() {db.getRole('testRole');}); - assert.commandFailedWithCode(db.adminCommand('connPoolSync'), authzErrorCode); - - testUserAdmin.updateUser('spencer', {roles: ["readWrite", - {role: 'adminRole', db:'admin'}]}); - assert.writeOK(db.foo.update({}, { $inc: { a: 1 }})); - assert.eq(2, db.foo.findOne().a); - assert.eq(1, db.foo.count()); - assert.throws(function() {db.getRole('testRole');}); - assert.commandWorked(db.adminCommand('connPoolSync')); - })(); + jsTestLog("Testing updateUser"); + + testUserAdmin.updateUser('spencer', {pwd: 'password', customData: {}}); + var user = testUserAdmin.getUser('spencer'); + assert.eq(null, user.customData.zipCode); + assert(!db.auth('spencer', 'pwd')); + assert(db.auth('spencer', 'password')); + + testUserAdmin.updateUser('spencer', + {customData: {zipCode: 10036}, roles: ["read", "testRole"]}); + var user = testUserAdmin.getUser('spencer'); + assert.eq(10036, user.customData.zipCode); + hasAuthzError(db.foo.insert({a: 1})); + assert.eq(1, db.foo.findOne().a); + assert.eq(1, db.foo.count()); + assert.doesNotThrow(function() { + db.getRole('testRole'); + }); + assert.commandFailedWithCode(db.adminCommand('connPoolSync'), authzErrorCode); + + testUserAdmin.updateUser('spencer', + {roles: ["readWrite", {role: 'adminRole', db: 'admin'}]}); + assert.writeOK(db.foo.update({}, {$inc: {a: 1}})); + assert.eq(2, db.foo.findOne().a); + assert.eq(1, db.foo.count()); + assert.throws(function() { + db.getRole('testRole'); + }); + assert.commandWorked(db.adminCommand('connPoolSync')); + })(); (function testGrantRolesToUser() { - jsTestLog("Testing grantRolesToUser"); + jsTestLog("Testing grantRolesToUser"); - assert.commandFailedWithCode(db.runCommand({collMod: 'foo', usePowerOf2Sizes: true}), - authzErrorCode); + assert.commandFailedWithCode(db.runCommand({collMod: 'foo', usePowerOf2Sizes: true}), + authzErrorCode); - testUserAdmin.grantRolesToUser('spencer', - ['readWrite', + testUserAdmin.grantRolesToUser('spencer', + [ + 'readWrite', 'dbAdmin', {role: 'readWrite', db: 'test'}, {role: 'testRole', db: 'test'}, - 'readWrite']); - - assert.commandWorked(db.runCommand({collMod: 'foo', usePowerOf2Sizes: true})); - assert.writeOK(db.foo.update({}, { $inc: { a: 1 }})); - assert.eq(3, db.foo.findOne().a); - assert.eq(1, db.foo.count()); - assert.doesNotThrow(function() {db.getRole('testRole');}); - assert.commandWorked(db.adminCommand('connPoolSync')); - })(); + 'readWrite' + ]); + + assert.commandWorked(db.runCommand({collMod: 'foo', usePowerOf2Sizes: true})); + assert.writeOK(db.foo.update({}, {$inc: {a: 1}})); + assert.eq(3, db.foo.findOne().a); + assert.eq(1, db.foo.count()); + assert.doesNotThrow(function() { + db.getRole('testRole'); + }); + assert.commandWorked(db.adminCommand('connPoolSync')); + })(); (function testRevokeRolesFromUser() { - jsTestLog("Testing revokeRolesFromUser"); - - testUserAdmin.revokeRolesFromUser('spencer', - ['readWrite', - {role: 'dbAdmin', db: 'test2'}, // role user doesnt have - "testRole"]); - - assert.commandWorked(db.runCommand({collMod: 'foo', usePowerOf2Sizes: true})); - hasAuthzError(db.foo.update({}, { $inc: { a: 1 }})); - assert.throws(function() { db.foo.findOne();}); - assert.throws(function() {db.getRole('testRole');}); - assert.commandWorked(db.adminCommand('connPoolSync')); - - - testUserAdmin.revokeRolesFromUser('spencer', [{role: 'adminRole', db: 'admin'}]); - - hasAuthzError(db.foo.update({}, { $inc: { a: 1 }})); - assert.throws(function() { db.foo.findOne();}); - assert.throws(function() {db.getRole('testRole');}); - assert.commandFailedWithCode(db.adminCommand('connPoolSync'), authzErrorCode); - - })(); + jsTestLog("Testing revokeRolesFromUser"); + + testUserAdmin.revokeRolesFromUser( + 'spencer', + [ + 'readWrite', + {role: 'dbAdmin', db: 'test2'}, // role user doesnt have + "testRole" + ]); + + assert.commandWorked(db.runCommand({collMod: 'foo', usePowerOf2Sizes: true})); + hasAuthzError(db.foo.update({}, {$inc: {a: 1}})); + assert.throws(function() { + db.foo.findOne(); + }); + assert.throws(function() { + db.getRole('testRole'); + }); + assert.commandWorked(db.adminCommand('connPoolSync')); + + testUserAdmin.revokeRolesFromUser('spencer', [{role: 'adminRole', db: 'admin'}]); + + hasAuthzError(db.foo.update({}, {$inc: {a: 1}})); + assert.throws(function() { + db.foo.findOne(); + }); + assert.throws(function() { + db.getRole('testRole'); + }); + assert.commandFailedWithCode(db.adminCommand('connPoolSync'), authzErrorCode); + + })(); (function testUsersInfo() { - jsTestLog("Testing usersInfo"); - - var res = testUserAdmin.runCommand({usersInfo: 'spencer'}); - printjson(res); - assert.eq(1, res.users.length); - assert.eq(10036, res.users[0].customData.zipCode); - - res = testUserAdmin.runCommand({usersInfo: {user: 'spencer', db: 'test'}}); - assert.eq(1, res.users.length); - assert.eq(10036, res.users[0].customData.zipCode); - - res = testUserAdmin.runCommand({usersInfo: ['spencer', {user: 'userAdmin', db: 'admin'}]}); - printjson(res); - assert.eq(2, res.users.length); - if (res.users[0].user == "spencer") { - assert.eq(10036, res.users[0].customData.zipCode); - assert(res.users[1].customData.userAdmin); - } else if (res.users[0].user == "userAdmin") { - assert.eq(10036, res.users[1].customData.zipCode); - assert(res.users[0].customData.userAdmin); - } else { - doassert("Expected user names returned by usersInfo to be either 'userAdmin' or 'spencer', " - + "but got: " + res.users[0].user); - } - - - res = testUserAdmin.runCommand({usersInfo: 1}); - assert.eq(2, res.users.length); - if (res.users[0].user == "spencer") { - assert.eq("andy", res.users[1].user); - assert.eq(10036, res.users[0].customData.zipCode); - assert(!res.users[1].customData); - } else if (res.users[0].user == "andy") { - assert.eq("spencer", res.users[1].user); - assert(!res.users[0].customData); - assert.eq(10036, res.users[1].customData.zipCode); - } else { - doassert("Expected user names returned by usersInfo to be either 'andy' or 'spencer', " - + "but got: " + res.users[0].user); - } - - })(); + jsTestLog("Testing usersInfo"); + + var res = testUserAdmin.runCommand({usersInfo: 'spencer'}); + printjson(res); + assert.eq(1, res.users.length); + assert.eq(10036, res.users[0].customData.zipCode); + + res = testUserAdmin.runCommand({usersInfo: {user: 'spencer', db: 'test'}}); + assert.eq(1, res.users.length); + assert.eq(10036, res.users[0].customData.zipCode); + + res = testUserAdmin.runCommand({usersInfo: ['spencer', {user: 'userAdmin', db: 'admin'}]}); + printjson(res); + assert.eq(2, res.users.length); + if (res.users[0].user == "spencer") { + assert.eq(10036, res.users[0].customData.zipCode); + assert(res.users[1].customData.userAdmin); + } else if (res.users[0].user == "userAdmin") { + assert.eq(10036, res.users[1].customData.zipCode); + assert(res.users[0].customData.userAdmin); + } else { + doassert( + "Expected user names returned by usersInfo to be either 'userAdmin' or 'spencer', " + + "but got: " + res.users[0].user); + } + + res = testUserAdmin.runCommand({usersInfo: 1}); + assert.eq(2, res.users.length); + if (res.users[0].user == "spencer") { + assert.eq("andy", res.users[1].user); + assert.eq(10036, res.users[0].customData.zipCode); + assert(!res.users[1].customData); + } else if (res.users[0].user == "andy") { + assert.eq("spencer", res.users[1].user); + assert(!res.users[0].customData); + assert.eq(10036, res.users[1].customData.zipCode); + } else { + doassert( + "Expected user names returned by usersInfo to be either 'andy' or 'spencer', " + + "but got: " + res.users[0].user); + } + + })(); (function testDropUser() { - jsTestLog("Testing dropUser"); + jsTestLog("Testing dropUser"); - assert(db.auth('spencer', 'password')); - assert(db.auth('andy', 'pwd')); + assert(db.auth('spencer', 'password')); + assert(db.auth('andy', 'pwd')); - assert.commandWorked(testUserAdmin.runCommand({dropUser: 'spencer'})); + assert.commandWorked(testUserAdmin.runCommand({dropUser: 'spencer'})); - assert(!db.auth('spencer', 'password')); - assert(db.auth('andy', 'pwd')); + assert(!db.auth('spencer', 'password')); + assert(db.auth('andy', 'pwd')); - assert.eq(1, testUserAdmin.getUsers().length); - })(); + assert.eq(1, testUserAdmin.getUsers().length); + })(); (function testDropAllUsersFromDatabase() { - jsTestLog("Testing dropAllUsersFromDatabase"); + jsTestLog("Testing dropAllUsersFromDatabase"); - assert.eq(1, testUserAdmin.getUsers().length); - assert(db.auth('andy', 'pwd')); + assert.eq(1, testUserAdmin.getUsers().length); + assert(db.auth('andy', 'pwd')); - assert.commandWorked(testUserAdmin.runCommand({dropAllUsersFromDatabase: 1})); + assert.commandWorked(testUserAdmin.runCommand({dropAllUsersFromDatabase: 1})); - assert(!db.auth('andy', 'pwd')); - assert.eq(0, testUserAdmin.getUsers().length); - })(); + assert(!db.auth('andy', 'pwd')); + assert.eq(0, testUserAdmin.getUsers().length); + })(); } jsTest.log('Test standalone'); -var conn = MongoRunner.runMongod({ auth: '' }); -conn.getDB('admin').runCommand({setParameter:1, newCollectionsUsePowerOf2Sizes: false}); +var conn = MongoRunner.runMongod({auth: ''}); +conn.getDB('admin').runCommand({setParameter: 1, newCollectionsUsePowerOf2Sizes: false}); runTest(conn); MongoRunner.stopMongod(conn.port); jsTest.log('Test sharding'); -var st = new ShardingTest({ shards: 2, config: 3, keyFile: 'jstests/libs/key1' }); +var st = new ShardingTest({shards: 2, config: 3, keyFile: 'jstests/libs/key1'}); runTest(st.s); st.stop(); |