1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
// Test for speculativeSaslStart during isMaster.
(function() {
'use strict';
const keyFile = 'jstests/libs/key1';
const mongod = MongoRunner.runMongod({auth: '', keyFile: keyFile});
const admin = mongod.getDB('admin');
admin.createUser(
{user: 'admin', pwd: 'pwd', roles: ['root'], mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']});
admin.auth('admin', 'pwd');
function test(uri, succeed) {
const shell = runMongoProgram('mongo', uri, '--eval', ';');
if (succeed) {
assert.eq(0, shell);
} else {
assert.neq(0, shell);
}
}
function assertStats(cb) {
const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
.security.authentication.mechanisms;
cb(mechStats);
}
// No speculative auth attempts yet.
assertStats(function(mechStats) {
Object.keys(mechStats).forEach(function(mech) {
const stats = mechStats[mech].speculativeAuthenticate;
assert.eq(stats.received, 0);
assert.eq(stats.successful, 0);
});
});
// No "intra-cluster" auth attempts yet.
assertStats(function(mechStats) {
Object.keys(mechStats).forEach(function(mech) {
const stats = mechStats[mech].clusterAuthenticate;
assert.eq(stats.received, 0);
assert.eq(stats.successful, 0);
});
});
function expectN(mechStats, mech, N1, M1, N2 = 0, M2 = 0) {
const specStats = mechStats[mech].speculativeAuthenticate;
const clusterStats = mechStats[mech].clusterAuthenticate;
assert.eq(N1, specStats.received);
assert.eq(M1, specStats.successful);
assert.eq(N2, clusterStats.received);
assert.eq(M2, clusterStats.successful);
}
const baseOKURI = 'mongodb://admin:pwd@localhost:' + mongod.port + '/admin';
// Speculate SCRAM-SHA-1
test(baseOKURI + '?authMechanism=SCRAM-SHA-1', true);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 1, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 0, 0));
// Speculate SCRAM-SHA-256
test(baseOKURI + '?authMechanism=SCRAM-SHA-256', true);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 1, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 1, 1));
// Fallback should speculate SCRAM-SHA-256
test(baseOKURI, true);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 1, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 2, 2));
const baseFAILURI = 'mongodb://admin:haxx@localhost:' + mongod.port + '/admin';
// Invalid password should never connect regardless of speculative auth.
test(baseFAILURI + '?authMechanism=SCRAM-SHA-1', false);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 2, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 2, 2));
test(baseFAILURI + '?authMechanism=SCRAM-SHA-256', false);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 2, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 3, 2));
test(baseFAILURI, false);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 2, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 4, 2));
// Update admin use to only allow SCRAM-SHA-1
admin.updateUser('admin', {mechanisms: ['SCRAM-SHA-1']});
// Fallback (SCRAM-SHA-256) should fail to speculate.
test(baseOKURI, true);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 2, 1));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 5, 2));
// Explicit SCRAM-SHA-1 should successfully speculate.
test(baseOKURI + '?authMechanism=SCRAM-SHA-1', true);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 3, 2));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 5, 2));
// Explicit SCRAM-SHA-256 should fail to speculate or connect at all.
test(baseOKURI + '?authMechanism=SCRAM-SHA-256', false);
assertStats((s) => expectN(s, 'SCRAM-SHA-1', 3, 2));
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 6, 2));
// Test that a user not in the admin DB can speculate
mongod.getDB('test').createUser({user: 'alice', pwd: 'secret', roles: []});
test('mongodb://alice:secret@localhost:' + mongod.port + '/test', true);
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 7, 3));
// Test "intra-cluster" speculative authentication.
const systemPass = cat(keyFile).replace(/\s/g, '');
test('mongodb://__system:' + systemPass + '@localhost:' + mongod.port + '/admin' +
'?authMechanism=SCRAM-SHA-256',
true);
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 8, 4, 1, 1));
test('mongodb://__system:hunter2@localhost:' + mongod.port + '/admin' +
'?authMechanism=SCRAM-SHA-256',
false);
assertStats((s) => expectN(s, 'SCRAM-SHA-256', 9, 4, 3, 1));
MongoRunner.stopMongod(mongod);
})();
|