summaryrefslogtreecommitdiff
path: root/jstests/auth/explain_auth.js
blob: 705703242605c98505f1d369c08625a3de2360ed (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
// Test auth of the explain command.

var conn = MongoRunner.runMongod({auth: ""});
var authzErrorCode = 13;

var admin = conn.getDB("admin");
admin.createUser({user: "adminUser", pwd: "pwd", roles: ["root"]});
admin.auth({user: "adminUser", pwd: "pwd"});

var db = conn.getDB("explain_auth_db");
var coll = db.explain_auth_coll;

assert.writeOK(coll.insert({_id: 1, a: 1}));

/**
 * Runs explains of find, count, group, remove, and update. Checks that they either succeed or
 * fail with "not authorized".
 *
 * Takes as input a document 'authSpec' with the following format:
 *   {
 *      find: <bool>,
 *      count: <bool>,
 *      group: <bool>,
 *      remove: <bool>,
 *      update: <bool>
 *   }
 *
 * A true value indicates that the corresponding explain should succeed, whereas a false value
 * indicates that the explain command should not be authorized.
 */
function testExplainAuth(authSpec) {
    var cmdResult;

    function assertCmdResult(result, expectSuccess) {
        if (expectSuccess) {
            assert.commandWorked(result);
        } else {
            assert.commandFailedWithCode(result, 13);
        }
    }

    // .find()
    cmdResult = db.runCommand({explain: {find: coll.getName()}});
    assertCmdResult(cmdResult, authSpec.find);

    // .count()
    cmdResult = db.runCommand({explain: {count: coll.getName()}});
    assertCmdResult(cmdResult, authSpec.count);

    // .group()
    cmdResult = db.runCommand(
        {explain: {group: {ns: coll.getName(), key: "a", $reduce: function() {}, initial: {}}}});
    assertCmdResult(cmdResult, authSpec.group);

    // .remove()
    cmdResult =
        db.runCommand({explain: {delete: coll.getName(), deletes: [{q: {a: 1}, limit: 1}]}});
    assertCmdResult(cmdResult, authSpec.remove);

    // .update()
    cmdResult = db.runCommand(
        {explain: {update: coll.getName(), updates: [{q: {a: 1}, u: {$set: {b: 1}}}]}});
    assertCmdResult(cmdResult, authSpec.update);
}

// Create some user-defined roles which we will grant to the users below.
db.createRole({
    role: "findOnly",
    privileges: [{resource: {db: db.getName(), collection: coll.getName()}, actions: ["find"]}],
    roles: []
});
db.createRole({
    role: "updateOnly",
    privileges: [{resource: {db: db.getName(), collection: coll.getName()}, actions: ["update"]}],
    roles: []
});
db.createRole({
    role: "removeOnly",
    privileges: [{resource: {db: db.getName(), collection: coll.getName()}, actions: ["remove"]}],
    roles: []
});

// Create three users:
//  -- user defined role with just "find"
//  -- user defined role with just "update"
//  -- user defined role with just "remove"
db.createUser({user: "findOnly", pwd: "pwd", roles: ["findOnly"]});
db.createUser({user: "updateOnly", pwd: "pwd", roles: ["updateOnly"]});
db.createUser({user: "removeOnly", pwd: "pwd", roles: ["removeOnly"]});

// We're done doing test setup, so admin user should no longer be logged in.
admin.logout();

// The "find" action allows explain of read operations.
db.auth("findOnly", "pwd");
testExplainAuth({find: true, count: true, group: true, remove: false, update: false});
db.logout();

db.auth("updateOnly", "pwd");
testExplainAuth({find: false, count: false, group: false, remove: false, update: true});
db.logout();

db.auth("removeOnly", "pwd");
testExplainAuth({find: false, count: false, group: false, remove: true, update: false});
db.logout();