summaryrefslogtreecommitdiff
path: root/jstests/auth
diff options
context:
space:
mode:
Diffstat (limited to 'jstests/auth')
-rw-r--r--jstests/auth/authz_cache_on_system_modification.js67
-rw-r--r--jstests/auth/renameRestrictedCollections.js19
2 files changed, 76 insertions, 10 deletions
diff --git a/jstests/auth/authz_cache_on_system_modification.js b/jstests/auth/authz_cache_on_system_modification.js
new file mode 100644
index 00000000000..8fe9d116408
--- /dev/null
+++ b/jstests/auth/authz_cache_on_system_modification.js
@@ -0,0 +1,67 @@
+/**
+ * This tests that the user cache is invalidated after any changes are made to system collections
+ */
+
+(function() {
+ "use strict";
+
+ const conn = MongoRunner.runMongod({auth: ''});
+ let db = conn.getDB('admin');
+ const authzErrorCode = 13;
+
+ // creates a root user
+ assert.commandWorked(db.runCommand({createUser: 'root', pwd: 'pwd', roles: ['__system']}),
+ "Could not create user 'admin'");
+
+ db = (new Mongo(conn.host)).getDB('admin');
+ db.auth('root', 'pwd');
+
+ // creates a unique role, a user who has that role, and a collection upon which they can
+ // exercise that role
+ assert.commandWorked(db.createCollection("admin.test", {}),
+ "Could not create test collection in admin db");
+ assert.commandWorked(db.runCommand({
+ createRole: 'writeCustom',
+ roles: [],
+ privileges: [{resource: {db: "admin", collection: "admin.test"}, actions: ["insert"]}]
+ }),
+ "Could not create custom role");
+ assert.commandWorked(db.runCommand({createUser: 'custom', pwd: 'pwd', roles: ['writeCustom']}),
+ "Could not create new user with custom role");
+
+ // tests that a user does not retain their privileges after the system.roles collection is
+ // modified
+ (function testModifySystemRolesCollection() {
+ jsTestLog("Testing authz cache invalidation on system.roles collection modification");
+ assert(db.auth('custom', 'pwd'));
+ assert.commandWorked(db.runCommand({insert: "admin.test", documents: [{foo: "bar"}]}),
+ "Could not insert to test collection with 'custom' user");
+ assert(db.auth('root', 'pwd'));
+ assert.commandWorked(
+ db.runCommand({renameCollection: "admin.system.roles", to: "admin.wolez"}),
+ "Could not rename system.roles collection with root user");
+ assert(db.auth('custom', 'pwd'));
+ assert.commandFailedWithCode(
+ db.runCommand({insert: "admin.test", documents: [{woo: "mar"}]}),
+ authzErrorCode,
+ "Privileges retained after modification to system.roles collections");
+ })();
+
+ // tests that a user does not retain their privileges after the system.users colleciton is
+ // modified
+ (function testModifySystemUsersCollection() {
+ jsTestLog("Testing authz cache invalidation on system.users collection modification");
+ assert(db.auth('root', 'pwd'));
+ assert.commandWorked(db.createCollection("scratch", {}),
+ "Collection not created with root user");
+ assert.commandWorked(
+ db.runCommand({renameCollection: 'admin.system.users', to: 'admin.foo'}),
+ "System collection could not be renamed with root user");
+ assert.commandFailedWithCode(
+ db.runCommand({renameCollection: 'admin.scratch', to: 'admin.system.users'}),
+ authzErrorCode,
+ "User cache not invalidated after modification to system collection");
+ })();
+
+ MongoRunner.stopMongod(conn);
+})(); \ No newline at end of file
diff --git a/jstests/auth/renameRestrictedCollections.js b/jstests/auth/renameRestrictedCollections.js
index 23a0ebc86e9..bc2f4c658ed 100644
--- a/jstests/auth/renameRestrictedCollections.js
+++ b/jstests/auth/renameRestrictedCollections.js
@@ -72,39 +72,38 @@
adminDB.auth('rootier', 'password');
- jsTestLog("Test that with __system you CAN rename to/from system.users");
- res = adminDB.system.users.renameCollection("users", true);
- assert.eq(1, res.ok, tojson(res));
-
// Test permissions against the configDB and localDB
// Start with test against inserting to and renaming collections in config and local
- // as userAdminAnyDatabase.
+ // as __system.
assert.writeOK(configDB.test.insert({'a': 1}));
assert.commandWorked(configDB.test.renameCollection('test2'));
- assert.writeOK(localDB.test.insert({'a': 1}));
+ assert.writeOK(localDB.test.insert({'b': 2}));
assert.commandWorked(localDB.test.renameCollection('test2'));
- adminDB.createUser({user: 'readWriteAdmin', pwd: 'password', roles: ['readWriteAnyDatabase']});
adminDB.logout();
// Test renaming collection in config with readWriteAnyDatabase
assert(adminDB.auth('readWriteAdmin', 'password'));
- res = configDB.test2.insert({'b': 2});
+ res = configDB.test2.insert({'c': 3});
assert.writeError(res, 13, "not authorized on config to execute command");
res = configDB.test2.renameCollection('test');
assert.eq(0, res.ok);
assert.eq(CodeUnauthorized, res.code);
// Test renaming collection in local with readWriteAnyDatabase
- res = localDB.test2.insert({'b': 2});
+ res = localDB.test2.insert({'d': 4});
assert.writeError(res, 13, "not authorized on config to execute command");
res = localDB.test2.renameCollection('test');
assert.eq(0, res.ok);
assert.eq(CodeUnauthorized, res.code);
+ // Test renaming system.users collection with __system
+ assert(adminDB.auth('rootier', 'password'));
+ jsTestLog("Test that with __system you CAN rename to/from system.users");
+ res = adminDB.system.users.renameCollection("users", true);
+ assert.eq(1, res.ok, tojson(res));
// At this point, all the user documents are gone, so further activity may be unauthorized,
// depending on cluster configuration. So, this is the end of the test.
MongoRunner.stopMongod(conn, {user: 'userAdmin', pwd: 'password'});
-
})(); \ No newline at end of file
View Lorry Controller Status