From 3e6a04652806e752c0c004fa72bc95025c3a9d54 Mon Sep 17 00:00:00 2001
From: Spencer Jackson
Date: Thu, 21 Apr 2016 18:49:20 -0400
Subject: SERVER-23503 Expand localhost exception to include role creation
---
 jstests/auth/localhostAuthBypass.js | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'jstests/auth')
diff --git a/jstests/auth/localhostAuthBypass.js b/jstests/auth/localhostAuthBypass.js
index fdaf4386794..6cb315650ef 100644
--- a/jstests/auth/localhostAuthBypass.js
+++ b/jstests/auth/localhostAuthBypass.js
@@ -15,6 +15,12 @@ var createUser = function(mongo) {
 mongo.getDB("admin").createUser({user: username, pwd: password, roles: jsTest.adminUserRoles});
 };
+var createRole = function(mongo) {
+ print("============ adding a role.");
+ mongo.getDB("admin").createRole(
+ {role: "roleAdministrator", roles: [{role: "userAdmin", db: "admin"}], privileges: []});
+};
+
 var assertCannotRunCommands = function(mongo) {
 print("============ ensuring that commands cannot be run.");
@@ -171,7 +177,25 @@ var runNonlocalTest = function(host) {
 shutdown(conn);
 };
+// Per SERVER-23503, the existence of roles in the admin database should disable the localhost
+// exception.
+// Start the server without auth. Create a role. Restart the server with auth. The exception is
+// now enabled.
+var runRoleTest = function() {
+ var conn = MongoRunner.runMongod({dbpath: dbpath});
+ var mongo = new Mongo("localhost:" + conn.port);
+ assertCanRunCommands(mongo);
+ createRole(mongo);
+ assertCanRunCommands(mongo);
+ MongoRunner.stopMongod(conn);
+ conn = MongoRunner.runMongod({auth: '', dbpath: dbpath, restart: true, cleanData: false});
+ mongo = new Mongo("localhost:" + conn.port);
+ assertCannotRunCommands(mongo);
+};
+
 runTest(false);
 runTest(true);
 runNonlocalTest(get_ipaddr());
+
+runRoleTest();
--
cgit v1.2.1
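Review bot: runRoleTest leaves the restarted, auth-enabled mongod running: nothing follows the final `assertCannotRunCommands(mongo);`, whereas the first instance is stopped with `MongoRunner.stopMongod(conn)` and runNonlocalTest ends with `shutdown(conn)`. Adding `MongoRunner.stopMongod(conn);` as the last statement of the function would keep the process from outliving the test. The comment above the function ends with "The exception is now enabled", but the test asserts that commands are refused after the restart; `// The localhost exception is now disabled, so unauthenticated commands must fail.` would match what is checked. The role is created while auth is off, so this test does not appear to cover creating a role through the exception on an auth-enabled server, which the commit subject suggests is the new behaviour; that case may deserve its own assertion.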