path: root/jstests/auth/sasl_mechanism_discovery.js
blob: 7ea4c75f5b4e8894fa11255602150b0da98e8e42 (plain)
// Tests that a client may discover a user's supported SASL mechanisms via isMaster.
// @tags: [requires_sharding]
(function() {
    "use strict";

    // Exercises saslSupportedMechs discovery through isMaster on `conn`, which the callers
    // below pass as either a standalone mongod or a mongos connection.
    //
    // This function never calls auth(): every isMaster issued here comes from a client that
    // has not authenticated on this connection.
    function runTest(conn) {
        const adminDB = conn.getDB("admin");
        const externalDB = conn.getDB("$external");

        // A "db.user" id that names no existing user must fail with UserNotFound.
        // NOTE(review): this pins a reply for unknown users that differs from the reply for
        // existing ones, so the command answers "does this username exist?" for whoever can
        // send isMaster. Confirm that is the intended contract; if it is, failed discovery
        // attempts are worth rate-limiting or monitoring.
        const unknownUserReply =
            adminDB.runCommand({isMaster: 1, saslSupportedMechs: "test.bogus"});
        assert.commandFailedWithCode(unknownUserReply, ErrorCodes.UserNotFound);

        // An id without a "db." prefix must fail with BadValue (presumably rejected as
        // malformed before any user lookup -- confirm against the server).
        const malformedIdReply = adminDB.runCommand({isMaster: 1, saslSupportedMechs: "bogus"});
        assert.commandFailedWithCode(malformedIdReply, ErrorCodes.BadValue);

        // Enable SCRAM-SHA-256.
        const fcvReply = adminDB.adminCommand({setFeatureCompatibilityVersion: "4.0"});
        assert.commandWorked(fcvReply);

        // Asserts that discovery for `userid` succeeds and advertises exactly `mechs`.
        // Both arrays are sorted in place first, so the comparison is order-insensitive and
        // the tojson(reply) failure message shows the sorted server list.
        const checkMechs = (userid, mechs) => {
            const reply = assert.commandWorked(
                adminDB.runCommand({isMaster: 1, saslSupportedMechs: userid}));
            const expected = mechs.sort();
            const advertised = reply.saslSupportedMechs.sort();
            assert.eq(expected, advertised, tojson(reply));
        };

        // Fixtures: a password user with default mechanisms, a $external user with no
        // password, and a user "IX" restricted to SCRAM-SHA-256.
        assert.commandWorked(adminDB.runCommand({createUser: "user", pwd: "pwd", roles: []}));
        assert.commandWorked(externalDB.runCommand({createUser: "user", roles: []}));
        const sha256OnlyUser = {
            createUser: "IX",
            pwd: "pwd",
            roles: [],
            mechanisms: ["SCRAM-SHA-256"]
        };
        assert.commandWorked(adminDB.runCommand(sha256OnlyUser));

        // A user created without an explicit mechanisms list advertises both SCRAM variants.
        checkMechs("admin.user", ["SCRAM-SHA-256", "SCRAM-SHA-1"]);

        // $external users never advertise SCRAM: enterprise builds report PLAIN, other
        // builds report an empty list.
        const buildInfo = assert.commandWorked(adminDB.runCommand({buildInfo: 1}));
        const externalMechs = buildInfo.modules.includes("enterprise") ? ["PLAIN"] : [];
        checkMechs("$external.user", externalMechs);

        // U+2168 (ROMAN NUMERAL NINE) is compatibility-equivalent to the ASCII string "IX".
        // Looking it up must resolve to the "IX" user created above; the normalization itself
        // happens server-side and is not visible in this file.
        const IXchar = "\u2168";
        const IXuserid = `admin.${IXchar}`;
        checkMechs(IXuserid, ["SCRAM-SHA-256"]);

        // Once a second user exists whose stored name is the raw U+2168 character, the same
        // lookup must fail with BadValue: an ambiguous name is rejected instead of one account
        // silently standing in for the other.
        const rawNameUser = {
            createUser: IXchar,
            pwd: "pwd",
            roles: [],
            mechanisms: ["SCRAM-SHA-1"]
        };
        assert.commandWorked(adminDB.runCommand(rawNameUser));
        const ambiguousReply = adminDB.runCommand({isMaster: 1, saslSupportedMechs: IXuserid});
        assert.commandFailedWithCode(ambiguousReply, ErrorCodes.BadValue);
    }

    // Standalone mongod with SCRAM-SHA-1, SCRAM-SHA-256 and PLAIN enabled.
    // NOTE(review): if runTest throws, the stop call below is skipped; presumably the test
    // harness reaps the process -- confirm.
    const standalone = MongoRunner.runMongod(
        {setParameter: "authenticationMechanisms=SCRAM-SHA-1,SCRAM-SHA-256,PLAIN"});
    runTest(standalone);
    MongoRunner.stopMongod(standalone);

    // Same checks through a mongos. The mechanisms are listed in a different order than for
    // the standalone; runTest sorts before comparing, so the order does not affect the result.
    const mongosOptions = {
        setParameter: "authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1"
    };
    const cluster = new ShardingTest({shards: 0, other: {mongosOptions: mongosOptions}});
    runTest(cluster.s0);
    cluster.stop();
})();