// Verify that speculative auth works with mongos.
// @tags: [requires_sharding]

(function() {
'use strict';

const CLIENT_NAME = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';
const CLIENT_CERT = 'jstests/libs/client.pem';
const SERVER_CERT = 'jstests/libs/server.pem';
const CLUSTER_CERT = 'jstests/libs/cluster_cert.pem';
const CA_CERT = 'jstests/libs/ca.pem';

const options = {
    tlsMode: 'requireTLS',
    tlsCertificateKeyFile: SERVER_CERT,
    tlsCAFile: CA_CERT,
    tlsClusterFile: CLUSTER_CERT,
    tlsAllowInvalidHostnames: '',
    clusterAuthMode: 'x509',
};

const st = new ShardingTest({
    shards: 1,
    other: {
        enableBalancer: true,
        configOptions: options,
        mongosOptions: options,
        rsOptions: options,
        shardOptions: options
    }
});

const admin = st.s.getDB('admin');
admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
assert(admin.auth('admin', 'pwd'));

const external = st.s.getDB('$external');
external.createUser({user: CLIENT_NAME, roles: [{role: '__system', db: 'admin'}]});

const initialStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
                         .security.authentication.mechanisms['MONGODB-X509'];
jsTest.log('Initial stats: ' + tojson(initialStats));

const uri = 'mongodb://' + st.s.host + '/admin?authMechanism=MONGODB-X509';
jsTest.log('Connecting to: ' + uri);
assert.eq(runMongoProgram('mongo',
                          uri,
                          '--tls',
                          '--tlsCertificateKeyFile',
                          CLIENT_CERT,
                          '--tlsCAFile',
                          CA_CERT,
                          '--tlsAllowInvalidHostnames',
                          '--eval',
                          ';'),
          0);
assert.eq(runMongoProgram('mongo',
                          uri,
                          '--tls',
                          '--tlsCertificateKeyFile',
                          SERVER_CERT,
                          '--tlsCAFile',
                          CA_CERT,
                          '--tlsAllowInvalidHostnames',
                          '--eval',
                          ';'),
          0);

const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
                      .security.authentication.mechanisms['MONGODB-X509'];
jsTest.log('Authenticated stats: ' + tojson(authStats));

// Got and succeeded an additional speculation.
const initSpec = initialStats.speculativeAuthenticate;
const authSpec = authStats.speculativeAuthenticate;
assert.eq(authSpec.received, initSpec.received + 2);
assert.eq(authSpec.successful, initSpec.successful + 2);

// Got and succeeded an additional auth.
const initAuth = initialStats.authenticate;
const authAuth = authStats.authenticate;
assert.eq(authAuth.received, initAuth.received + 2);
assert.eq(authAuth.successful, initAuth.successful + 2);

// Got and succeeded intra-cluster auth.
const initCluster = initialStats.clusterAuthenticate;
const authCluster = authStats.clusterAuthenticate;
assert.eq(authCluster.received, initCluster.received + 1);
assert.eq(authCluster.successful, initCluster.successful + 1);

/////////////////////////////////////////////////////////////////////////////

jsTest.log('Shutting down');

// Authenticate csrs so ReplSetTest.stopSet() can do db hash check.
// It's possible the admin account hasn't replicated yet, so give it time.
if (st.configRS) {
    const nodes = st.configRS.nodes.map((x) => x);
    let node = nodes.pop();
    assert.soon(function() {
        if (node === undefined) {
            return true;
        }
        if (node.getDB('admin').auth('admin', 'pwd')) {
            node = nodes.pop();
        }
        return false;
    });
}

st.stop();
}());