Diffstat (limited to 'jstests/auth')
-rw-r--r-- | jstests/auth/auth-counters.js | 85 | ||||
-rw-r--r-- | jstests/auth/speculative-auth-replset.js | 11 | ||||
-rw-r--r-- | jstests/auth/speculative-auth-sharding.js | 45 | ||||
-rw-r--r-- | jstests/auth/speculative-sasl-start.js | 34 |
4 files changed, 125 insertions, 50 deletions
diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js index bbb66a619ae..f3f2af6a758 100644 --- a/jstests/auth/auth-counters.js +++ b/jstests/auth/auth-counters.js @@ -3,9 +3,15 @@ (function() { 'use strict'; -const mongod = MongoRunner.runMongod({auth: ''}); -const admin = mongod.getDB('admin'); -const test = mongod.getDB('test'); +const keyfile = 'jstests/libs/key1'; +const badKeyfile = 'jstests/libs/key2'; +let replTest = new ReplSetTest({nodes: 1, keyFile: keyfile, nodeOptions: {auth: ""}}); +replTest.startSet(); +replTest.initiate(); +let primary = replTest.getPrimary(); + +const admin = primary.getDB('admin'); +const test = primary.getDB('test'); admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root'], mechanisms: ['SCRAM-SHA-256']}); admin.auth('admin', 'pwd'); 
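Review bot: `replTest` and `primary` are declared with `let` in this hunk, but nothing visible in the diff reassigns them, and the surrounding handles (`admin`, `test`) are `const`. `const replTest = new ReplSetTest(...)` and `const primary = replTest.getPrimary();` would match. A short comment on `badKeyfile` would also help, saying that `jstests/libs/key2` is meant to be a readable keyfile whose contents differ from `key1`, since the negative cluster-auth check later in the file presumably depends on a key mismatch and not on a missing file.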
@@ -15,21 +21,22 @@ test.createUser({user: 'user256', pwd: 'pwd', roles: [], mechanisms: ['SCRAM-SHA test.createUser( {user: 'user', pwd: 'pwd', roles: [], mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']}); -// admin.auth() above provides an initial count for SCRAM-SHA-256 -const expected = { - 'SCRAM-SHA-256': { - received: 1, - successful: 1, - }, -}; +// Count the number of authentications performed during setup +const expected = + assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; function assertStats() { const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms; Object.keys(expected).forEach(function(mech) { try { - assert.eq(mechStats[mech].authenticate.received, expected[mech].received); - assert.eq(mechStats[mech].authenticate.successful, expected[mech].successful); + assert.eq(mechStats[mech].authenticate.received, expected[mech].authenticate.received); + assert.eq(mechStats[mech].authenticate.successful, + expected[mech].authenticate.successful); + assert.eq(mechStats[mech].clusterAuthenticate.received, + expected[mech].clusterAuthenticate.received); + assert.eq(mechStats[mech].clusterAuthenticate.successful, + expected[mech].clusterAuthenticate.successful); } catch (e) { print("Mechanism: " + mech); print("mechStats: " + tojson(mechStats)); 
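Review bot: Taking `expected` straight from `serverStatus` means that whatever the server reports after setup is accepted as correct, so a miscount of the setup authentications can no longer fail the test. The removed literal pinned the first SCRAM-SHA-256 login from `admin.auth()` at exactly one. If the replica-set startup makes an exact number impractical, a floor keeps part of that check, for example `assert.gte(expected['SCRAM-SHA-256'].authenticate.successful, 1);` right after the snapshot.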
@@ -39,23 +46,42 @@ function assertStats() { }); } -function assertSuccess(creds, mech) { - if (expected[mech] === undefined) { - expected[mech] = {received: 0, successful: 0}; +function assertSuccess(creds, mech, db = test) { + assert.eq(db.auth(creds), true); + if (db !== admin) { + db.logout(); } - assert.eq(test.auth(creds), true); - test.logout(); - ++expected[mech].received; - ++expected[mech].successful; + ++expected[mech].authenticate.received; + ++expected[mech].authenticate.successful; assertStats(); } -function assertFailure(creds, mech) { - if (expected[mech] === undefined) { - expected[mech] = {received: 0, successful: 0}; - } - assert.eq(test.auth(creds), false); - ++expected[mech].received; +function assertFailure(creds, mech, db = test) { + assert.eq(db.auth(creds), false); + ++expected[mech].authenticate.received; + assertStats(); +} + +function assertSuccessInternal() { + const mech = "SCRAM-SHA-1"; + // asCluster exiting cleanly indicates successful auth + assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true); + ++expected[mech].authenticate.received; + ++expected[mech].authenticate.successful; + ++expected[mech].clusterAuthenticate.received; + ++expected[mech].clusterAuthenticate.successful; + // we have to re-auth as admin to get stats, which are validated at the end of assertSuccess + assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin); +} + +function assertFailureInternal() { + const mech = "SCRAM-SHA-1"; + // If asCluster fails, it explodes. + assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]); + ++expected[mech].authenticate.received; + ++expected[mech].clusterAuthenticate.received; + // we have to re-auth as admin to get stats, which are validated at the end of assertSuccess + assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin); assertStats(); } 
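Review bot: With the `expected[mech] === undefined` guards removed, `++expected[mech].authenticate.received` in `assertSuccess`, `assertFailure` and both `*Internal` helpers throws a bare TypeError if the `serverStatus` snapshot has no entry for that mechanism, without the mechanism name or stats dump that `assertStats` prints on a mismatch. A one-line precondition such as `assert(expected[mech] !== undefined, 'no baseline counters for ' + mech);` at the top of each helper keeps that failure readable. Separately, `assertFailureInternal` ends with `assertStats();` although the `assertSuccess(...)` call just before it already runs it. `const mech = "SCRAM-SHA-1"` would also benefit from a comment saying why keyfile authentication through `authutil.asCluster` is expected to be counted under SCRAM-SHA-1 and not SCRAM-SHA-256.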
@@ -86,9 +112,16 @@ assertFailure({user: 'user', pwd: 'haxx', mechanism: 'SCRAM-SHA-1'}, 'SCRAM-SHA- assertFailure({user: 'user1', pwd: 'pwd', mechanism: 'SCRAM-SHA-256'}, 'SCRAM-SHA-256'); assertFailure({user: 'user256', pwd: 'pwd', mechanism: 'SCRAM-SHA-1'}, 'SCRAM-SHA-1'); +// Cluster auth counter checks. +assertSuccessInternal(); +assertFailureInternal(); + +// Need to auth as admin one more time to get final stats. +admin.auth('admin', 'pwd'); + const finalStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; -MongoRunner.stopMongod(mongod); +replTest.stopSet(); printjson(finalStats); })(); diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js index dfa985321a3..d6f9a52c03a 100644 --- a/jstests/auth/speculative-auth-replset.js +++ b/jstests/auth/speculative-auth-replset.js @@ -39,14 +39,17 @@ const mechStats = printjson(mechStats); assert(mechStats['SCRAM-SHA-256'] !== undefined); Object.keys(mechStats).forEach(function(mech) { - const stats = mechStats[mech].speculativeAuthenticate; + const specStats = mechStats[mech].speculativeAuthenticate; + const clusterStats = mechStats[mech].clusterAuthenticate; if (mech === 'SCRAM-SHA-256') { - assert.gte(stats.received, 2); + assert.gte(specStats.received, 2); + assert.gte(clusterStats.received, 2); } else { - assert.eq(stats.received, 0); + assert.eq(specStats.received, 0); } - assert.eq(stats.received, stats.successful); + assert.eq(specStats.received, specStats.successful); + assert.eq(clusterStats.received, clusterStats.successful); }); test(baseURI); diff --git a/jstests/auth/speculative-auth-sharding.js b/jstests/auth/speculative-auth-sharding.js index 008eafac08d..d8bcae94ed9 100644 --- a/jstests/auth/speculative-auth-sharding.js +++ b/jstests/auth/speculative-auth-sharding.js 
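Review bot: In the `speculative-auth-replset.js` hunk the `else` branch asserts that `specStats.received` is zero for every mechanism other than SCRAM-SHA-256 but checks nothing about `clusterStats` there, so intra-cluster authentication that succeeded over a different mechanism would pass as long as `received` equals `successful`. Adding `assert.eq(clusterStats.received, 0);` to the `else` branch lets the test catch members authenticating with an unexpected mechanism. This assumes the replica set here is meant to use only SCRAM-SHA-256 for cluster auth, which `assert.gte(clusterStats.received, 2)` suggests but the hunk does not state. The enclosing statement starts before the hunk.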
@@ -20,26 +20,37 @@ let lastStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; jsTest.log('Inintial stats: ' + lastStats); -function test(uri, incrMech) { +function test(uri, incrMech, isClusterAuth = false) { jsTest.log('Connecting to: ' + uri); assert.eq(runMongoProgram('mongo', uri, '--eval', ';'), 0); const stats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms; - assert.eq(Object.keys(lastStats).length, Object.keys(stats).length); - Object.keys(lastStats).forEach(function(mech) { - const inc = (mech == incrMech) ? 1 : 0; - - const specBefore = lastStats[mech].speculativeAuthenticate; - const specAfter = stats[mech].speculativeAuthenticate; - assert.eq(specAfter.received, specBefore.received + inc); - assert.eq(specAfter.successful, specBefore.successful + inc); - - const allBefore = lastStats[mech].authenticate; - const allAfter = stats[mech].authenticate; - assert.eq(allAfter.received, allBefore.received + inc); - assert.eq(allAfter.successful, allBefore.successful + inc); - }); + try { + assert.eq(Object.keys(lastStats).length, Object.keys(stats).length); + Object.keys(lastStats).forEach(function(mech) { + const inc = (mech === incrMech) ? 1 : 0; + const clusterInc = (mech === incrMech && isClusterAuth) ? 
1 : 0; + + const specBefore = lastStats[mech].speculativeAuthenticate; + const specAfter = stats[mech].speculativeAuthenticate; + assert.eq(specAfter.received, specBefore.received + inc); + assert.eq(specAfter.successful, specBefore.successful + inc); + + const clusterBefore = lastStats[mech].clusterAuthenticate; + const clusterAfter = stats[mech].clusterAuthenticate; + assert.eq(clusterAfter.received, clusterBefore.received + clusterInc); + assert.eq(clusterAfter.successful, clusterBefore.successful + clusterInc); + + const allBefore = lastStats[mech].authenticate; + const allAfter = stats[mech].authenticate; + assert.eq(allAfter.received, allBefore.received + inc); + assert.eq(allAfter.successful, allBefore.successful + inc); + }); + } catch (e) { + print("Stats: " + tojson(stats)); + throw e; + } lastStats = stats; } @@ -48,6 +59,10 @@ const baseURI = 'mongodb://admin:pwd@' + st.s.host + '/admin'; test(baseURI, fallbackMech); test(baseURI + '?authMechanism=SCRAM-SHA-1', 'SCRAM-SHA-1'); test(baseURI + '?authMechanism=SCRAM-SHA-256', 'SCRAM-SHA-256'); +const systemPass = cat(keyfile).replace(/\s/g, ''); +test('mongodb://__system:' + systemPass + '@' + st.s.host + '/admin?authMechanisms=SCRAM-SHA-256', + 'SCRAM-SHA-256', + true); admin.logout(); st.stop(); diff --git a/jstests/auth/speculative-sasl-start.js b/jstests/auth/speculative-sasl-start.js index 8db5d03dcb7..1518cceeb01 100644 --- a/jstests/auth/speculative-sasl-start.js +++ b/jstests/auth/speculative-sasl-start.js @@ -3,7 +3,8 @@ (function() { 'use strict'; -const mongod = MongoRunner.runMongod({auth: ''}); +const keyFile = 'jstests/libs/key1'; +const mongod = MongoRunner.runMongod({auth: '', keyFile: keyFile}); const admin = mongod.getDB('admin'); admin.createUser( 
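Review bot: In the first `speculative-auth-sharding.js` hunk the new `catch` prints only `stats`, yet every assertion inside the `try` compares `stats` against `lastStats`, so a failure log shows the after-values without the baseline they were checked against. Printing both, e.g. `print("Before: " + tojson(lastStats));` ahead of the existing `print("Stats: " + tojson(stats));`, makes a counter mismatch diagnosable from the log alone.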
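Review bot: The `__system` URI added in the second `speculative-auth-sharding.js` hunk spells the option `authMechanisms`, while the two calls above it use `authMechanism`. If the plural form is not a recognised option, the mechanism is not actually pinned and the test passes only when negotiation happens to select SCRAM-SHA-256. The keyfile contents are also concatenated into the URI unescaped, so a key containing `/`, `+`, `@` or `:` could yield a misparsed URI; `encodeURIComponent(systemPass)` avoids that, and the same applies to the `__system` URI in the last `speculative-sasl-start.js` hunk. Because `test()` logs the URI with `jsTest.log('Connecting to: ' + uri)` and passes it to `runMongoProgram` as an argument, the cluster key lands in the test log and on a process command line. A comment saying this is acceptable only for the checked-in fixture key would keep the pattern from being copied elsewhere.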
@@ -35,10 +36,22 @@ assertStats(function(mechStats) { }); }); -function expectN(mechStats, mech, N, M) { - const stats = mechStats[mech].speculativeAuthenticate; - assert.eq(N, stats.received); - assert.eq(M, stats.successful); +// No "intra-cluster" auth attempts yet. +assertStats(function(mechStats) { + Object.keys(mechStats).forEach(function(mech) { + const stats = mechStats[mech].clusterAuthenticate; + assert.eq(stats.received, 0); + assert.eq(stats.successful, 0); + }); +}); + +function expectN(mechStats, mech, N1, M1, N2 = 0, M2 = 0) { + const specStats = mechStats[mech].speculativeAuthenticate; + const clusterStats = mechStats[mech].clusterAuthenticate; + assert.eq(N1, specStats.received); + assert.eq(M1, specStats.successful); + assert.eq(N2, clusterStats.received); + assert.eq(M2, clusterStats.successful); } const baseOKURI = 'mongodb://admin:pwd@localhost:' + mongod.port + '/admin'; @@ -97,5 +110,16 @@ mongod.getDB('test').createUser({user: 'alice', pwd: 'secret', roles: []}); test('mongodb://alice:secret@localhost:' + mongod.port + '/test', true); assertStats((s) => expectN(s, 'SCRAM-SHA-256', 7, 3)); +// Test "intra-cluster" speculative authentication. +const systemPass = cat(keyFile).replace(/\s/g, ''); +test('mongodb://__system:' + systemPass + '@localhost:' + mongod.port + '/admin' + + '?authMechanism=SCRAM-SHA-256', + true); +assertStats((s) => expectN(s, 'SCRAM-SHA-256', 8, 4, 1, 1)); +test('mongodb://__system:hunter2@localhost:' + mongod.port + '/admin' + + '?authMechanism=SCRAM-SHA-256', + false); +assertStats((s) => expectN(s, 'SCRAM-SHA-256', 9, 4, 3, 1)); + MongoRunner.stopMongod(mongod); })(); |
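Review bot: `expectN(mechStats, mech, N1, M1, N2 = 0, M2 = 0)` takes four positional counts whose meaning is only recoverable from the function body, which makes a call like `expectN(s, 'SCRAM-SHA-256', 9, 4, 3, 1)` hard to audit. A comment above the function, for example `// N1/M1: speculativeAuthenticate received/successful; N2/M2: clusterAuthenticate received/successful`, or descriptive parameter names would make the call sites self-explanatory.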
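Review bot: In the final `speculative-sasl-start.js` hunk the failed `__system:hunter2` attempt moves the expected `clusterAuthenticate.received` from 1 to 3 while `speculativeAuthenticate.received` moves only from 8 to 9, and nothing explains why one connection attempt is counted twice. Presumably the client falls back to a regular SASL conversation after the speculative attempt is rejected, but that is not visible in the diff. A comment next to `expectN(s, 'SCRAM-SHA-256', 9, 4, 3, 1)` stating the reason would let a reader tell an intended count from an accidental one that the test has simply recorded.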