summaryrefslogtreecommitdiff
path: root/jstests/auth/auth_schema_upgrade.js
blob: b63eea3478890daa04013519dafb32c2447d6f1d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
// Standalone test of authSchemaUpgrade
load('./jstests/multiVersion/libs/auth_helpers.js');

var setupCRUsers = function(conn) {
    jsTest.log("setting up legacy users");
    var adminDB = conn.getDB('admin');

    adminDB.system.version.update({_id: "authSchema"}, {"currentVersion": 3}, {upsert: true});

    adminDB.createUser({user: 'user1', pwd: 'pass', roles: jsTest.adminUserRoles});
    assert(adminDB.auth({mechanism: 'MONGODB-CR', user: 'user1', pwd: 'pass'}));

    adminDB.createUser({user: 'user2', pwd: 'pass', roles: jsTest.adminUserRoles});
    assert(adminDB.auth({mechanism: 'MONGODB-CR', user: 'user2', pwd: 'pass'}));

    // Add $external no-op user to verify that it does not affect
    // authSchemaUpgrade SERVER-18475
    adminDB.getSiblingDB('$external').createUser({user: "evil", roles: []});

    jsTest.log("Verifying user documents before upgrading");

    // We haven't run authSchemaUpgrade so there shouldn't be
    // any stored SCRAM-SHA-1 credentials.
    verifyUserDoc(adminDB, 'user1', true, false);
    verifyUserDoc(adminDB, 'user2', true, false);
    verifyUserDoc(adminDB.getSiblingDB('$external'), "evil", false, false, true);

    adminDB.updateUser('user1', {pwd: 'newpass', roles: jsTest.adminUserRoles});
    verifyAuth(adminDB, 'user1', 'newpass', true, true);

    verifyUserDoc(adminDB, 'user1', true, false);
};

var verifySchemaUpgrade = function(adminDB) {
    // All users should only have SCRAM credentials.
    verifyUserDoc(adminDB, 'user1', false, true);
    verifyUserDoc(adminDB, 'user2', false, true);
    verifyUserDoc(adminDB.getSiblingDB('$external'), "evil", false, false, true);

    // After authSchemaUpgrade MONGODB-CR no longer works.
    verifyAuth(adminDB, 'user1', 'newpass', false, true);
    verifyAuth(adminDB, 'user2', 'pass', false, true);
};

var runAndVerifySchemaUpgrade = function(conn) {
    jsTest.log("run authSchemaUpgrade");
    var adminDB = conn.getDB('admin');

    assert.commandWorked(adminDB.runCommand('authSchemaUpgrade'));
    verifySchemaUpgrade(adminDB);
};

var testAuthSchemaUpgrade = function(conn) {
    setupCRUsers(conn);
    runAndVerifySchemaUpgrade(conn);
};

// Test authSchemaUpgrade and upgrade shards
var testUpgradeShards = function(mongos, shard) {
    setupCRUsers(shard);

    assert.commandWorked(mongos.adminCommand({"authSchemaUpgrade": 1, "upgradeShards": 1}));
    verifySchemaUpgrade(shard.getDB('admin'));
};

jsTest.log('Test authSchemUpgrade standalone');
var conn = MongoRunner.runMongod();
testAuthSchemaUpgrade(conn);
MongoRunner.stopMongod(conn);

jsTest.log('Test authSchemUpgrade sharded');
var dopts = {smallfiles: "", nopreallocj: ""};
var st = new ShardingTest({
    shards: 1,
    mongos: 1,
    config: 1,
    useHostname: false,  // Needed when relying on the localhost exception
    other: {shardOptions: dopts, configOptions: dopts, mongosOptions: {verbose: 1}}
});
testAuthSchemaUpgrade(st.s);
testUpgradeShards(st.s, st.shard0);
st.stop();