jstests/auth/sasl_mechanism_discovery.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

// Tests that a client may discover a user's supported SASL mechanisms via isMaster.
// @tags: [requires_sharding]
(function() {
    "use strict";

    function runTest(conn) {
        function checkMechs(userid, mechs) {
            const res =
                assert.commandWorked(db.runCommand({isMaster: 1, saslSupportedMechs: userid}));
            assert.eq(mechs.sort(), res.saslSupportedMechs.sort(), tojson(res));
        }

        var db = conn.getDB("admin");
        var externalDB = conn.getDB("$external");

        assert.commandWorked(db.runCommand(
            {createUser: "userAdmin", pwd: "userAdmin", roles: ["userAdminAnyDatabase"]}));
        db.auth("userAdmin", "userAdmin");

        // Check that unknown users do not interrupt isMaster
        let res =
            assert.commandWorked(db.runCommand({isMaster: 1, saslSupportedMechs: "test.bogus"}));
        assert.eq(undefined, res.saslSupportedMechs);

        // Check that invalid usernames produce the correct error code
        assert.commandFailedWithCode(db.runCommand({isMaster: 1, saslSupportedMechs: "bogus"}),
                                     ErrorCodes.BadValue);

        assert.commandWorked(db.runCommand({createUser: "user", pwd: "pwd", roles: []}));
        assert.commandWorked(externalDB.runCommand({createUser: "user", roles: []}));

        // Internal users should support scram methods.
        checkMechs("admin.user", ["SCRAM-SHA-256", "SCRAM-SHA-1"]);

        // External users on enterprise should support PLAIN, but not scram methods.
        if (assert.commandWorked(db.runCommand({buildInfo: 1})).modules.includes("enterprise")) {
            checkMechs("$external.user", ["PLAIN"]);
        } else {
            checkMechs("$external.user", []);
        }

        // Users with explicit mechs should only support those mechanisms
        assert.commandWorked(db.runCommand(
            {createUser: "256Only", pwd: "pwd", roles: [], mechanisms: ["SCRAM-SHA-256"]}));
        checkMechs("admin.256Only", ["SCRAM-SHA-256"]);
        assert.commandWorked(db.runCommand(
            {createUser: "1Only", pwd: "pwd", roles: [], mechanisms: ["SCRAM-SHA-1"]}));
        checkMechs("admin.1Only", ["SCRAM-SHA-1"]);

        // Users with normalized and unnormalized names do not conflict
        assert.commandWorked(db.runCommand({createUser: "IX", pwd: "pwd", roles: []}));
        checkMechs("admin.IX", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);
        assert.commandWorked(db.runCommand({createUser: "\u2168", pwd: "pwd", roles: []}));
        checkMechs("admin.\u2168", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);

        // __system's mechanisms can be queried on local and admin if the server is in test mode
        checkMechs("local.__system", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);
        checkMechs("admin.__system", ["SCRAM-SHA-1", "SCRAM-SHA-256"]);
    }

    // Test standalone.
    var m = MongoRunner.runMongod({
        keyFile: 'jstests/libs/key1',
        setParameter: "authenticationMechanisms=SCRAM-SHA-1,SCRAM-SHA-256,PLAIN"
    });
    runTest(m);
    MongoRunner.stopMongod(m);

    // Test mongos.
    var st = new ShardingTest({
        keyFile: 'jstests/libs/key1',
        shards: 0,
        other: {
            mongosOptions:
                {setParameter: "authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1"}
        }
    });
    runTest(st.s0);
    st.stop();
})();