Diffstat (limited to 'jstests')
-rw-r--r--jstests/auth/commands_builtin_roles.js10
-rw-r--r--jstests/auth/commands_user_defined_roles.js19
-rw-r--r--jstests/auth/lib/commands_lib.js362
3 files changed, 374 insertions, 17 deletions
diff --git a/jstests/auth/commands_builtin_roles.js b/jstests/auth/commands_builtin_roles.js
index 2fb65de8663..9708c08e868 100644
--- a/jstests/auth/commands_builtin_roles.js
+++ b/jstests/auth/commands_builtin_roles.js
@@ -11,8 +11,10 @@ load("jstests/auth/lib/commands_lib.js");
var roles = [
{key: "read", role: "read", dbname: firstDbName},
+ {key: "readLocal", role: {role: "read", db: "local"}, dbname: adminDbName},
{key: "readAnyDatabase", role: "readAnyDatabase", dbname: adminDbName},
{key: "readWrite", role: "readWrite", dbname: firstDbName},
+ {key: "readWriteLocal", role: {role: "readWrite", db: "local"}, dbname: adminDbName},
{key: "readWriteAnyDatabase", role: "readWriteAnyDatabase", dbname: adminDbName},
{key: "userAdmin", role: "userAdmin", dbname: firstDbName},
{key: "userAdminAnyDatabase", role: "userAdminAnyDatabase", dbname: adminDbName},
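Review bot: The roles table now carries two identifiers with different jobs and nothing in the hunk says which is which: `key` is what test cases name in their `roles` maps and what becomes the user name (`"user|" + r.key`), while `role` is the spec handed to createUser and may be either a string or a `{role, db}` object. A comment above the array, `// key: name used in testcase.roles and in the user name; role: spec passed to createUser (string or {role, db})`, would save the next reader from tracing through createUsers and testProperAuthorization to work that out. The two new entries also differ from their neighbours in that the user lives in the admin database while the granted role is scoped to `local`, which deserves a word in the same comment.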
@@ -47,10 +49,10 @@ function testProperAuthorization(conn, t, testcase, r) {
var runOnDb = conn.getDB(testcase.runOnDb);
authCommandsLib.setup(conn, t, runOnDb);
- assert(r.db.auth("user|" + r.role, "password"));
+ assert(r.db.auth("user|" + r.key, "password"));
var res = runOnDb.runCommand(t.command);
- if (testcase.roles[r.role]) {
+ if (testcase.roles[r.key]) {
if (res.ok == 0 && res.code == authErrCode) {
out = "expected authorization success" + " but received " + tojson(res) + " on db " +
testcase.runOnDb + " with role " + r.key;
@@ -104,7 +106,7 @@ function createUsers(conn) {
for (var i = 0; i < roles.length; i++) {
r = roles[i];
r.db = conn.getDB(r.dbname);
- r.db.createUser({user: "user|" + r.role, pwd: "password", roles: [r.role]});
+ r.db.createUser({user: "user|" + r.key, pwd: "password", roles: [r.role]});
}
adminDb.logout();
}
@@ -122,7 +124,7 @@ function checkForNonExistentRoles() {
for (role in testcase.roles) {
var roleExists = false;
for (var k = 0; k < roles.length; k++) {
- if (roles[k].role === role) {
+ if (roles[k].key === role) {
roleExists = true;
break;
}
diff --git a/jstests/auth/commands_user_defined_roles.js b/jstests/auth/commands_user_defined_roles.js
index dd6abc7d252..e54c9340e42 100644
--- a/jstests/auth/commands_user_defined_roles.js
+++ b/jstests/auth/commands_user_defined_roles.js
@@ -123,13 +123,26 @@ function runOneTest(conn, t) {
failures.push(t.testname + ": " + msg);
}
+ var specialResource = function(resource) {
+ if (!resource)
+ return true;
+
+ // Tests which use {db: "local", collection: "oplog.rs"} will not work with
+ // {db: "", collection: "oplog.rs"}. oplog.rs is special, and does not match with
+ // forDatabaseName or anyNormalResource ResourcePatterns. The same is true of
+ // oplog.$main, but oplog.$main is also an illegal collection name on any database
+ // other than local. The other collections checked for here in the local database have
+ // the same property as oplog.rs.
+ return !resource.db || !resource.collection ||
+ resource.collection.startsWith("system.") || resource.db == "local";
+ };
+
// Test for proper authorization with the test case's privileges where non-system
// collections are modified to be the empty string.
msg = testProperAuthorization(conn, t, testcase, testcase.privileges.map(function(priv) {
// Make a copy of the privilege so as not to modify the original array.
var modifiedPrivilege = Object.extend({}, priv, true);
- if (modifiedPrivilege.resource.collection &&
- !modifiedPrivilege.resource.collection.startsWith('system.')) {
+ if (modifiedPrivilege.resource.collection && !specialResource(priv.resource)) {
modifiedPrivilege.resource.collection = "";
}
return modifiedPrivilege;
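Review bot: The `modifiedPrivilege.resource.collection &&` half of the condition at the call site is redundant, because specialResource already returns true when the collection is missing; `if (!specialResource(priv.resource)) {` expresses the same test once. Inside the helper, `resource.db == "local"` should be `resource.db === "local"` to match the strict comparisons used elsewhere in this file. Since every `local` resource is now treated as special, this variant no longer verifies that a db-wide privilege on `local` grants the collection-level action; the comment asserts the other local collections behave like oplog.rs, and if that has actually been checked a sentence saying so would stop a reviewer from narrowing the skip to the collections the comment names. runOneTest begins and ends outside the hunk.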
@@ -143,7 +156,7 @@ function runOneTest(conn, t) {
msg = testProperAuthorization(conn, t, testcase, testcase.privileges.map(function(priv) {
// Make a copy of the privilege so as not to modify the original array.
var modifiedPrivilege = Object.extend({}, priv, true);
- if (modifiedPrivilege.resource.db) {
+ if (!specialResource(priv.resource)) {
modifiedPrivilege.resource.db = "";
}
return modifiedPrivilege;
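Review bot: Replacing the `modifiedPrivilege.resource.db` guard with `!specialResource(priv.resource)` also stops this variant from blanking the db on `system.*` collections, so a privilege such as `{db: "", collection: "system.users"}` is no longer exercised here although the previous code did test it. The comment in the helper only justifies skipping `local`, so restricting the skip to that case, `if (modifiedPrivilege.resource.db && priv.resource.db !== "local") {`, keeps the old coverage; if dropping the system-collection form was deliberate, a one-line comment giving the reason would prevent it being reinstated. runOneTest continues past the end of the hunk.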
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index daea8325abb..e58836ebf05 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -142,8 +142,10 @@ var roles_hostManager = {hostManager: 1, clusterAdmin: 1, root: 1, __system: 1};
var roles_clusterManager = {clusterManager: 1, clusterAdmin: 1, root: 1, __system: 1};
var roles_all = {
read: 1,
+ readLocal: 1,
readAnyDatabase: 1,
readWrite: 1,
+ readWriteLocal: 1,
readWriteAnyDatabase: 1,
userAdmin: 1,
userAdminAnyDatabase: 1,
@@ -195,7 +197,7 @@ var authCommandsLib = {
skipStandalone: true,
testcases: [{
runOnDb: "config",
- roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager)
+ roles: roles_clusterManager,
}]
},
@@ -2354,6 +2356,169 @@ var authCommandsLib = {
]
},
{
+ testname: "find_config_changelog",
+ command: {find: "changelog"},
+ testcases: [
+ {
+ runOnDb: "config",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "clusterMonitor": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges:
+ [{resource: {db: "config", collection: "changelog"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_local_me",
+ skipSharded: true,
+ command: {find: "me"},
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges: [{resource: {db: "local", collection: "me"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_oplog_main",
+ skipSharded: true,
+ command: {find: "oplog.$main"},
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "oplog.$main"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_oplog_rs",
+ skipSharded: true,
+ command: {find: "oplog.rs"},
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges: [{resource: {db: "local", collection: "oplog.rs"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_replset_election",
+ skipSharded: true,
+ command: {find: "replset.election"},
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "replset.election"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_replset_minvalid",
+ skipSharded: true,
+ command: {find: "replset.minvalid"},
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "replset.minvalid"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_sources",
+ skipSharded: true,
+ command: {find: "sources"},
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges: [{resource: {db: "local", collection: "sources"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
+ testname: "find_startup_log",
+ command: {find: "startup_log"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterMonitor": 1,
+ "readLocal": 1,
+ "readWriteLocal": 1,
+ "backup": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "startup_log"}, actions: ["find"]}]
+ },
+ ]
+ },
+ {
testname: "find_views",
setup: function(db) {
db.createView("view", "collection", [{$match: {}}]);
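Review bot: The same seven-role map is spelled out verbatim in find_local_me, find_oplog_main, find_oplog_rs, find_replset_election, find_replset_minvalid, find_sources and find_startup_log; this file already hoists shared expectations into objects such as roles_clusterManager, so `var roles_readLocal = {clusterAdmin: 1, clusterMonitor: 1, readLocal: 1, readWriteLocal: 1, backup: 1, root: 1, __system: 1};` beside them with `roles: roles_readLocal` in each test would keep a later role change from landing in six of seven copies. In find_startup_log the `skipSharded: true` sits after `command` while every sibling puts it before, which is worth aligning. None of these find tests creates its collection first; that is presumably fine for an authorization check, but a short comment on the first one would mark it as intentional rather than an omission.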
@@ -2713,6 +2878,189 @@ var authCommandsLib = {
]
},
{
+ testname: "insert",
+ command: {insert: "foo", documents: [{data: 5}]},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_write,
+ privileges: [{resource: {db: firstDbName, collection: "foo"}, actions: ["insert"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {"readWriteAnyDatabase": 1, "root": 1, "__system": 1, "restore": 1},
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["insert"]}],
+ }
+
+ ]
+ },
+ {
+ testname: "insert_config_changelog",
+ command: {insert: "changelog", documents: [{data: 5}]},
+ testcases: [{
+ runOnDb: "config",
+ roles:
+ {"clusterAdmin": 1, "clusterManager": 1, "root": 1, "__system": 1, "restore": 1},
+ privileges:
+ [{resource: {db: "config", collection: "changelog"}, actions: ["insert"]}],
+ }]
+ },
+ {
+ testname: "insert_me",
+ command: {insert: "me", documents: [{data: 5}]},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "readWriteLocal": 1,
+ "root": 1,
+ "__system": 1,
+ "restore": 1
+ },
+ privileges: [{resource: {db: "local", collection: "me"}, actions: ["insert"]}],
+ }]
+ },
+ /* Untestable, because insert to oplog.$main will always fail
+ {
+ testname: "insert_oplog_main",
+ command: {insert: "oplog.$main", documents: [{ts: Timestamp()}]},
+ skipSharded: true,
+ setup: function(db) {
+ db.createCollection("oplog.$main", {capped: true, size: 10000});
+ },
+ teardown: function(db) {
+ db.oplog.$main.drop();
+ },
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {"clusterAdmin": 1, "clusterMonitor": 1, "readWriteLocal": 1, "restore": 1,
+ "root": 1, "__system": 1},
+ privileges:
+ [{resource: {db: "local", collection: "oplog.$main"}, actions: ["insert"]}],
+ },
+
+ ]
+ },*/
+ {
+ testname: "insert_oplog_rs",
+ command: {insert: "oplog.rs", documents: [{ts: Timestamp()}]},
+ skipSharded: true,
+ setup: function(db) {
+ db.createCollection("oplog.rs", {capped: true, size: 10000});
+ },
+ teardown: function(db) {
+ db.oplog.rs.drop();
+ },
+ testcases: [
+ {
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "readWriteLocal": 1,
+ "restore": 1,
+ "root": 1,
+ "__system": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "oplog.rs"}, actions: ["insert"]}],
+ },
+
+ ]
+ },
+
+ {
+ testname: "insert_replset_election",
+ command: {insert: "replset.election", documents: [{data: 5}]},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "readWriteLocal": 1,
+ "root": 1,
+ "__system": 1,
+ "restore": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "replset.election"}, actions: ["insert"]}],
+ }
+
+ ]
+ },
+ {
+ testname: "insert_replset_minvalid",
+ command: {insert: "replset.minvalid", documents: [{data: 5}]},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "readWriteLocal": 1,
+ "root": 1,
+ "__system": 1,
+ "restore": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "replset.minvalid"}, actions: ["insert"]}],
+ }
+
+ ]
+ },
+ {
+ testname: "insert_system_users",
+ command: {insert: "system.users", documents: [{data: 5}]},
+ testcases: [
+ {
+ runOnDb: "admin",
+ roles: {"root": 1, "__system": 1, "restore": 1},
+ privileges:
+ [{resource: {db: "admin", collection: "system.users"}, actions: ["insert"]}],
+ },
+ ]
+ },
+ {
+ testname: "insert_sources",
+ command: {insert: "sources", documents: [{data: 5}]},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "readWriteLocal": 1,
+ "root": 1,
+ "__system": 1,
+ "restore": 1
+ },
+ privileges: [{resource: {db: "local", collection: "sources"}, actions: ["insert"]}],
+ }]
+ },
+ {
+ testname: "insert_startup_log",
+ command: {insert: "startup_log", documents: [{data: 5}]},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: "local",
+ roles: {
+ "clusterAdmin": 1,
+ "clusterManager": 1,
+ "readWriteLocal": 1,
+ "root": 1,
+ "__system": 1,
+ "restore": 1
+ },
+ privileges:
+ [{resource: {db: "local", collection: "startup_log"}, actions: ["insert"]}],
+ }]
+ },
+ {
testname: "isMaster",
command: {isMaster: 1},
testcases: [
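Review bot: insert_me, insert_replset_election, insert_replset_minvalid, insert_sources and insert_startup_log each write `{data: 5}` into a collection in `local` and have no teardown, whereas insert_oplog_rs drops what it created; the stray documents stay behind for later tests, and going by their names replset.minvalid and replset.election are replication state the server itself relies on, so if this suite is ever pointed at a replica-set member the leftovers are not harmless. A `teardown: function(db) { db.replset.minvalid.remove({data: 5}); }` (and the equivalent for the other four) would leave the node as it was found. The 22-line commented-out insert_oplog_main block is dead code; the one-line reason above it is all that needs to remain. The plain `insert` test likewise writes into `foo` in firstDbName and secondDbName without cleaning up.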
@@ -3909,9 +4257,7 @@ var authCommandsLib = {
testcases: [
{
runOnDb: adminDbName,
- // addShardToZone only checks that you can write to config.shards,
- // that's why readWriteAnyDatabase passes.
- roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager),
+ roles: roles_clusterManager,
privileges: [{resource: {db: 'config', collection: 'shards'}, actions: ['update']}],
},
]
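Review bot: The removed comments explained why readWriteAnyDatabase used to be accepted here; with it dropped, nothing says why a role that reads and writes every database is now expected to be refused on a command whose only listed privilege is `update` on config.shards. A one-line comment such as `// readWriteAnyDatabase does not cover the config database, so only cluster-management roles pass` — assuming that is the server-side reason, which the diff does not show — would keep the tightened expectation from reading like a typo. The privileges entry is unchanged, so a user-defined role holding just that update action still passes, consistent with what the old comment described.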
@@ -3931,9 +4277,7 @@ var authCommandsLib = {
testcases: [
{
runOnDb: adminDbName,
- // removeShardZone only checks that you can write to config.shards,
- // that's why readWriteAnyDatabase passes.
- roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager),
+ roles: roles_clusterManager,
privileges: [
{resource: {db: 'config', collection: 'shards'}, actions: ['update']},
{resource: {db: 'config', collection: 'tags'}, actions: ['find']}
@@ -3956,9 +4300,7 @@ var authCommandsLib = {
testcases: [
{
runOnDb: adminDbName,
- // updateZoneKeyRange only checks that you can write on config.tags,
- // that's why readWriteAnyDatabase passes.
- roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager),
+ roles: roles_clusterManager,
privileges: [
{resource: {db: 'config', collection: 'shards'}, actions: ['find']},
{