path: root/jstests/auth/auth_schema_upgrade.js
blob: 001e5c04a1b7a401fbf81f89cf72f793587b161d (plain)
// Standalone test of authSchemaUpgrade
load('./jstests/multiVersion/libs/auth_helpers.js');

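/**
 * Prepares `conn` with legacy users for authSchemaUpgrade to convert.
 *
 * Steps, in order:
 *   1. Writes {currentVersion: 3} to the "authSchema" document in
 *      admin.system.version (upsert), before any user exists.
 *   2. Creates admin users user1 and user2 and proves each can log in with
 *      the MONGODB-CR mechanism.
 *   3. Creates a user with no roles on $external (SERVER-18475) so the
 *      upgrade is exercised with a user it must leave untouched.
 *   4. Checks the stored user documents, then changes user1's password and
 *      checks again, so the upgrade also sees an updated credential.
 *
 * @param conn connection to the node to prepare; callers in this file pass a
 *     mongod, a mongos and a shard connection.
 */
var setupCRUsers = function(conn) {
    jsTest.log("setting up legacy users");
    var adminDB = conn.getDB('admin');

    // Everything below assumes this write took effect. Fail here if it did
    // not, instead of on a harder-to-read credential mismatch later on.
    assert.writeOK(adminDB.system.version.update(
        {_id: "authSchema"}, {"currentVersion": 3}, {upsert: true}));

    adminDB.createUser({user: 'user1', pwd: 'pass',
                        roles: jsTest.adminUserRoles});
    assert(adminDB.auth({mechanism: 'MONGODB-CR',
                         user: 'user1', pwd: 'pass'}));

    adminDB.createUser({user: 'user2', pwd: 'pass',
                        roles: jsTest.adminUserRoles});
    assert(adminDB.auth({mechanism: 'MONGODB-CR',
                         user: 'user2', pwd: 'pass'}));

    // Add $external no-op user to verify that it does not affect
    // authSchemaUpgrade SERVER-18475
    adminDB.getSiblingDB('$external').createUser({user: "evil", roles: []});

    jsTest.log("Verifying user documents before upgrading");

    // We haven't run authSchemaUpgrade so there shouldn't be
    // any stored SCRAM-SHA-1 credentials.
    // NOTE(review): the boolean flags are presumably (hasCR, hasSCRAM
    // [, hasExternal]); confirm against verifyUserDoc in auth_helpers.js.
    verifyUserDoc(adminDB, 'user1', true, false);
    verifyUserDoc(adminDB, 'user2', true, false);
    verifyUserDoc(adminDB.getSiblingDB('$external'), "evil", false, false, true);

    // A password change before the upgrade must not introduce SCRAM
    // credentials either; the new password is what the post-upgrade
    // checks log in with.
    adminDB.updateUser('user1', {pwd: 'newpass',
                                 roles: jsTest.adminUserRoles});
    verifyAuth(adminDB, 'user1', 'newpass', true, true);

    verifyUserDoc(adminDB, 'user1', true, false);
};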

/**
 * Checks the state expected once authSchemaUpgrade has run: user1 and user2
 * hold only SCRAM credentials, the $external user is unchanged, and neither
 * admin user can still log in with MONGODB-CR.
 *
 * @param adminDB handle to the 'admin' database of the node being checked.
 */
var verifySchemaUpgrade = function(adminDB) {
    // Stored documents: SCRAM only for both admin users.
    // NOTE(review): the boolean flags are presumably (hasCR, hasSCRAM
    // [, hasExternal]); confirm against verifyUserDoc in auth_helpers.js.
    ['user1', 'user2'].forEach(function(userName) {
        verifyUserDoc(adminDB, userName, false, true);
    });
    verifyUserDoc(adminDB.getSiblingDB('$external'), "evil", false, false, true);

    // Login behaviour: MONGODB-CR must now be rejected. user1 uses the
    // password it was given just before the upgrade.
    [['user1', 'newpass'], ['user2', 'pass']].forEach(function(login) {
        verifyAuth(adminDB, login[0], login[1], false, true);
    });
};

/**
 * Runs the authSchemaUpgrade command against the admin database of `conn`,
 * requires it to succeed, then checks the resulting user state.
 *
 * @param conn connection on which the legacy users were already created.
 */
var runAndVerifySchemaUpgrade = function(conn) {
    jsTest.log("run authSchemaUpgrade");

    var admin = conn.getDB('admin');
    var upgradeReply = admin.runCommand('authSchemaUpgrade');
    assert.commandWorked(upgradeReply);

    // Same handle the command ran on, so the checks see that node's users.
    verifySchemaUpgrade(admin);
};

/**
 * Full scenario on a single connection: create the legacy users, then run
 * authSchemaUpgrade and check the outcome.
 *
 * @param conn connection to test against (a mongod or a mongos in this file).
 */
var testAuthSchemaUpgrade = function(conn) {
    // Order matters: the upgrade needs the legacy users to exist first.
    [setupCRUsers, runAndVerifySchemaUpgrade].forEach(function(phase) {
        phase(conn);
    });
};

/**
 * Test authSchemaUpgrade and upgrade shards.
 *
 * The legacy users are created directly on the shard, the upgrade is issued
 * through mongos with upgradeShards set, and the result is checked on the
 * shard's own admin database.
 *
 * @param mongos connection to the router that receives the command.
 * @param shard  connection to the shard whose users must end up upgraded.
 */
var testUpgradeShards = function(mongos, shard) {
    setupCRUsers(shard);

    var upgradeCmd = {"authSchemaUpgrade": 1, "upgradeShards": 1};
    assert.commandWorked(mongos.adminCommand(upgradeCmd));

    var shardAdminDB = shard.getDB('admin');
    verifySchemaUpgrade(shardAdminDB);
};

// --- Scenario 1: a single mongod ---
// Start a fresh mongod, run the whole create-users / upgrade / verify cycle
// on it, then shut it down.
// NOTE(review): "authSchemUpgrade" in both log strings below is a typo for
// authSchemaUpgrade; worth fixing so log searches for the command name match.
jsTest.log('Test authSchemUpgrade standalone');
var conn = MongoRunner.runMongod();
testAuthSchemaUpgrade(conn);
MongoRunner.stopMongod(conn);

// --- Scenario 2: a one-shard cluster ---
// The same options object is passed to the shard and to the config server.
jsTest.log('Test authSchemUpgrade sharded');
var dopts = { smallfiles: "", nopreallocj: ""}
var st = new ShardingTest(
    { shards: 1,
      mongos: 1,
      config: 1,
      useHostname: false, // Needed when relying on the localhost exception
      other: { shardOptions: dopts, configOptions: dopts, mongosOptions: { verbose: 1 } } } );
// First run the full cycle through mongos (st.s) ...
testAuthSchemaUpgrade(st.s);
// ... then create legacy users directly on the shard and check that an
// upgrade issued through mongos with upgradeShards reaches them.
testUpgradeShards(st.s, st.shard0);
st.stop();