Diffstat (limited to 'src/mongo/db/auth/authorization_session_test.cpp')
-rw-r--r-- | src/mongo/db/auth/authorization_session_test.cpp | 251 |
1 files changed, 251 insertions, 0 deletions
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index bbfb17f3f65..a6b54fc11f7 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
@@ -1379,6 +1379,257 @@ TEST_F(AuthorizationSessionTest, CanUseUUIDNamespacesWithPrivilege) {
 authzSession->verifyContract(&ac);
 }
 
+class SystemBucketsTest : public AuthorizationSessionTest {
+protected:
+ static constexpr auto sb_db_test = "sb_db_test"_sd;
+ static constexpr auto sb_db_other = "sb_db_other"_sd;
+ static constexpr auto sb_coll_test = "sb_coll_test"_sd;
+
+ static const ResourcePattern testMissingSystemBucketResource;
+ static const ResourcePattern otherMissingSystemBucketResource;
+ static const ResourcePattern otherDbMissingSystemBucketResource;
+
+ static const ResourcePattern testSystemBucketResource;
+ static const ResourcePattern otherSystemBucketResource;
+ static const ResourcePattern otherDbSystemBucketResource;
+
+ static const ResourcePattern testBucketResource;
+ static const ResourcePattern otherBucketResource;
+ static const ResourcePattern otherDbBucketResource;
+};
+
+const ResourcePattern SystemBucketsTest::testMissingSystemBucketResource(
+ ResourcePattern::forExactNamespace(NamespaceString("sb_db_test.sb_coll_test")));
+const ResourcePattern SystemBucketsTest::otherMissingSystemBucketResource(
+ ResourcePattern::forExactNamespace(NamespaceString("sb_db_test.sb_coll_other")));
+const ResourcePattern SystemBucketsTest::otherDbMissingSystemBucketResource(
+ ResourcePattern::forExactNamespace(NamespaceString("sb_db_other.sb_coll_test")));
+
+const ResourcePattern SystemBucketsTest::testSystemBucketResource(
+ ResourcePattern::forExactNamespace(NamespaceString("sb_db_test.system.buckets.sb_coll_test")));
+const ResourcePattern SystemBucketsTest::otherSystemBucketResource(
+ ResourcePattern::forExactNamespace(NamespaceString("sb_db_test.system.buckets.sb_coll_other")));
+const ResourcePattern SystemBucketsTest::otherDbSystemBucketResource(
+ ResourcePattern::forExactNamespace(NamespaceString("sb_db_other.system.buckets.sb_coll_test")));
+
+const ResourcePattern SystemBucketsTest::testBucketResource(
+ ResourcePattern::forExactSystemBucketsCollection("sb_db_test", "sb_coll_test"));
+const ResourcePattern SystemBucketsTest::otherBucketResource(
+ ResourcePattern::forExactSystemBucketsCollection("sb_db_test", "sb_coll_other"));
+const ResourcePattern SystemBucketsTest::otherDbBucketResource(
+ ResourcePattern::forExactSystemBucketsCollection("sb_db_other", "sb_coll_test"));
+
+TEST_F(SystemBucketsTest, CheckExactSystemBucketsCollection) {
+ // If we have a system_buckets exact priv
+ authzSession->assumePrivilegesForDB(Privilege(testBucketResource, ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource,
+ ActionType::insert));
+
+ ASSERT_TRUE(
+ authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherSystemBucketResource,
+ ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherDbSystemBucketResource,
+ ActionType::find));
+
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testMissingSystemBucketResource,
+ ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherMissingSystemBucketResource,
+ ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherDbMissingSystemBucketResource,
+ ActionType::find));
+}
+
+TEST_F(SystemBucketsTest, CheckAnySystemBuckets) {
+ // If we have an any system_buckets priv
+ authzSession->assumePrivilegesForDB(
+ Privilege(ResourcePattern::forAnySystemBuckets(), ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource,
+ ActionType::insert));
+
+ ASSERT_TRUE(
+ authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherSystemBucketResource,
+ ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherDbSystemBucketResource,
+ ActionType::find));
+
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testMissingSystemBucketResource,
+ ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherMissingSystemBucketResource,
+ ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherDbMissingSystemBucketResource,
+ ActionType::find));
+}
+
+TEST_F(SystemBucketsTest, CheckAnySystemBucketsInDatabase) {
+ // If we have a system_buckets in a db priv
+ authzSession->assumePrivilegesForDB(
+ Privilege(ResourcePattern::forAnySystemBucketsInDatabase("sb_db_test"), ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource,
+ ActionType::insert));
+
+ ASSERT_TRUE(
+ authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherSystemBucketResource,
+ ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherDbSystemBucketResource,
+ ActionType::find));
+
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testMissingSystemBucketResource,
+ ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherMissingSystemBucketResource,
+ ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherDbMissingSystemBucketResource,
+ ActionType::find));
+}
+
+TEST_F(SystemBucketsTest, CheckforAnySystemBucketsInAnyDatabase) {
+ // If we have a system_buckets for a coll in any db priv
+ authzSession->assumePrivilegesForDB(Privilege(
+ ResourcePattern::forAnySystemBucketsInAnyDatabase("sb_coll_test"), ActionType::find));
+
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource,
+ ActionType::insert));
+
+ ASSERT_TRUE(
+ authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherSystemBucketResource,
+ ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherDbSystemBucketResource,
+ ActionType::find));
+
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testMissingSystemBucketResource,
+ ActionType::find));
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherMissingSystemBucketResource,
+ ActionType::find));
+
+ ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(otherDbMissingSystemBucketResource,
+ ActionType::find));
+}
+
+TEST_F(SystemBucketsTest, CanCheckIfHasAnyPrivilegeOnResourceForSystemBuckets) {
+ // If we have a system.buckets collection privilege, we have actions on that collection
+ authzSession->assumePrivilegesForDB(Privilege(testBucketResource, ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnResource(testSystemBucketResource));
+ ASSERT_FALSE(authzSession->isAuthorizedForAnyActionOnResource(
+ ResourcePattern::forDatabaseName(sb_db_test)));
+ ASSERT_FALSE(
+ authzSession->isAuthorizedForAnyActionOnResource(ResourcePattern::forAnyNormalResource()));
+ ASSERT_FALSE(
+ authzSession->isAuthorizedForAnyActionOnResource(ResourcePattern::forAnyResource()));
+
+ // If we have any buckets in a database privilege, we have actions on that database and all
+ // system.buckets collections it contains
+ authzSession->assumePrivilegesForDB(
+ Privilege(ResourcePattern::forAnySystemBucketsInDatabase(sb_db_test), ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnResource(
+ ResourcePattern::forAnySystemBucketsInDatabase(sb_db_test)));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnResource(testSystemBucketResource));
+ ASSERT_FALSE(authzSession->isAuthorizedForAnyActionOnResource(
+ ResourcePattern::forDatabaseName(sb_db_test)));
+ ASSERT_FALSE(
+ authzSession->isAuthorizedForAnyActionOnResource(ResourcePattern::forAnyNormalResource()));
+ ASSERT_FALSE(
+ authzSession->isAuthorizedForAnyActionOnResource(ResourcePattern::forAnyResource()));
+
+ // If we have a privilege on any systems buckets in any db, we have actions on all databases and
+ // system.buckets.<coll> they contain
+ authzSession->assumePrivilegesForDB(Privilege(
+ ResourcePattern::forAnySystemBucketsInAnyDatabase(sb_coll_test), ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnResource(testSystemBucketResource));
+ ASSERT_FALSE(authzSession->isAuthorizedForAnyActionOnResource(
+ ResourcePattern::forDatabaseName(sb_db_test)));
+ ASSERT_FALSE(
+ authzSession->isAuthorizedForAnyActionOnResource(ResourcePattern::forAnyNormalResource()));
+ ASSERT_FALSE(
+ authzSession->isAuthorizedForAnyActionOnResource(ResourcePattern::forAnyResource()));
+}
+
+TEST_F(SystemBucketsTest, CheckBuiltinRolesForSystemBuckets) {
+ // If we have readAnyDatabase, make sure we can read system.buckets anywhere
+ authzSession->assumePrivilegesForBuiltinRole(RoleName("readAnyDatabase", "admin"));
+
+ ASSERT_TRUE(
+ authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherSystemBucketResource,
+ ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherDbSystemBucketResource,
+ ActionType::find));
+
+ // If we have readAnyDatabase, make sure we can read and write system.buckets anywhere
+ authzSession->assumePrivilegesForBuiltinRole(RoleName("readWriteAnyDatabase", "admin"));
+
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ testSystemBucketResource, {ActionType::find, ActionType::insert}));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ otherSystemBucketResource, {ActionType::find, ActionType::insert}));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ otherDbSystemBucketResource, {ActionType::find, ActionType::insert}));
+
+ // If we have readAnyDatabase, make sure we can do admin stuff on system.buckets anywhere
+ authzSession->assumePrivilegesForBuiltinRole(RoleName("dbAdminAnyDatabase", "admin"));
+
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ testSystemBucketResource, ActionType::bypassDocumentValidation));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ otherSystemBucketResource, ActionType::bypassDocumentValidation));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ otherDbSystemBucketResource, ActionType::bypassDocumentValidation));
+
+
+ // If we have readAnyDatabase, make sure we can do restore stuff on system.buckets anywhere
+ authzSession->assumePrivilegesForBuiltinRole(RoleName("restore", "admin"));
+
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ testSystemBucketResource, ActionType::bypassDocumentValidation));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ otherSystemBucketResource, ActionType::bypassDocumentValidation));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(
+ otherDbSystemBucketResource, ActionType::bypassDocumentValidation));
+
+ // If we have readAnyDatabase, make sure we can do restore stuff on system.buckets anywhere
+ authzSession->assumePrivilegesForBuiltinRole(RoleName("backup", "admin"));
+
+ ASSERT_TRUE(
+ authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherSystemBucketResource,
+ ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForActionsOnResource(otherDbSystemBucketResource,
+ ActionType::find));
+}
+
+TEST_F(SystemBucketsTest, CanCheckIfHasAnyPrivilegeInResourceDBForSystemBuckets) {
+ authzSession->assumePrivilegesForDB(Privilege(testBucketResource, ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_test));
+ ASSERT_FALSE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_other));
+
+ authzSession->assumePrivilegesForDB(
+ Privilege(ResourcePattern::forAnySystemBucketsInDatabase(sb_db_test), ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_test));
+ ASSERT_FALSE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_other));
+
+ authzSession->assumePrivilegesForDB(Privilege(
+ ResourcePattern::forAnySystemBucketsInAnyDatabase(sb_coll_test), ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_test));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_other));
+
+ authzSession->assumePrivilegesForDB(
+ Privilege(ResourcePattern::forAnySystemBuckets(), ActionType::find));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_test));
+ ASSERT_TRUE(authzSession->isAuthorizedForAnyActionOnAnyResourceInDB(sb_db_other));
+}
 
 } // namespace
 } // namespace mongo
|
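Review bot: `CheckBuiltinRolesForSystemBuckets` asserts only what each built-in role can do on `system.buckets` and never what it must not, so a role that over-grants on these collections (for example `readAnyDatabase` or `backup` also allowing `ActionType::insert`) would still pass; each role block should end with a denial such as `ASSERT_FALSE(authzSession->isAuthorizedForActionsOnResource(testSystemBucketResource, ActionType::insert));`, as the four `Check*` tests above already do for exact and wildcard privileges. The block comments in that test are copy-pasted: all five name `readAnyDatabase` although the roles assumed are `readWriteAnyDatabase`, `dbAdminAnyDatabase`, `restore` and `backup`, and the `backup` block says "restore stuff"; each should name the role actually assumed, e.g. `// If we have readWriteAnyDatabase, make sure we can read and write system.buckets anywhere`. Whether `assumePrivilegesForBuiltinRole` replaces or accumulates the session's privileges is not visible here; if it accumulates, a later positive assertion may be satisfied by an earlier role, which a per-block denial check would also expose. A smaller point of style: the `ResourcePattern` definitions repeat the literals `"sb_db_test"` and `"sb_coll_test"` that the fixture already names as `sb_db_test` and `sb_coll_test`, and the test name `CheckforAnySystemBucketsInAnyDatabase` breaks the `CheckFor…` casing used by its siblings.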