jstests/core/user_management_helpers.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

// @tags: [
//   assumes_superuser_permissions,
//   assumes_write_concern_unchanged,
//   creates_and_authenticates_user,
//   requires_auth,
//   requires_non_retryable_commands,
// ]

// This test is a basic sanity check of the shell helpers for manipulating user objects
// It is not a comprehensive test of the functionality of the user manipulation commands
function assertHasRole(rolesArray, roleName, roleDB) {
    for (i in rolesArray) {
        var curRole = rolesArray[i];
        if (curRole.role == roleName && curRole.db == roleDB) {
            return;
        }
    }
    assert(false, "role " + roleName + "@" + roleDB + " not found in array: " + tojson(rolesArray));
}

function runTest(db) {
    var db = db.getSiblingDB("user_management_helpers");
    db.dropDatabase();
    db.dropAllUsers();

    db.createUser({user: "spencer", pwd: "password", roles: ['readWrite']});
    db.createUser({user: "andy", pwd: "password", roles: ['readWrite']});

    // Test getUser
    var userObj = db.getUser('spencer');
    assert.eq(1, userObj.roles.length);
    assertHasRole(userObj.roles, "readWrite", db.getName());

    // Test getUsers
    var users = db.getUsers();
    assert.eq(2, users.length);
    assert(users[0].user == 'spencer' || users[1].user == 'spencer');
    assert(users[0].user == 'andy' || users[1].user == 'andy');
    assert.eq(1, users[0].roles.length);
    assert.eq(1, users[1].roles.length);
    assertHasRole(users[0].roles, "readWrite", db.getName());
    assertHasRole(users[1].roles, "readWrite", db.getName());

    // Granting roles to nonexistent user fails
    assert.throws(function() {
        db.grantRolesToUser("fakeUser", ['dbAdmin']);
    });
    // Granting non-existant role fails
    assert.throws(function() {
        db.grantRolesToUser("spencer", ['dbAdmin', 'fakeRole']);
    });

    userObj = db.getUser('spencer');
    assert.eq(1, userObj.roles.length);
    assertHasRole(userObj.roles, "readWrite", db.getName());

    // Granting a role you already have is no problem
    db.grantRolesToUser("spencer", ['readWrite', 'dbAdmin']);
    userObj = db.getUser('spencer');
    assert.eq(2, userObj.roles.length);
    assertHasRole(userObj.roles, "readWrite", db.getName());
    assertHasRole(userObj.roles, "dbAdmin", db.getName());

    // Revoking roles the user doesn't have is fine
    db.revokeRolesFromUser("spencer", ['dbAdmin', 'read']);
    userObj = db.getUser('spencer');
    assert.eq(1, userObj.roles.length);
    assertHasRole(userObj.roles, "readWrite", db.getName());

    // Update user
    db.updateUser("spencer", {customData: {hello: 'world'}, roles: ['read']});
    userObj = db.getUser('spencer');
    assert.eq('world', userObj.customData.hello);
    assert.eq(1, userObj.roles.length);
    assertHasRole(userObj.roles, "read", db.getName());

    // Test dropUser
    db.dropUser('andy');
    assert.eq(null, db.getUser('andy'));

    // Test dropAllUsers
    db.dropAllUsers();
    assert.eq(0, db.getUsers().length);

    // Test password digestion
    assert.throws(function() {
        db.createUser({user: 'user1', pwd: 'x', roles: [], digestPassword: true});
    });
    assert.throws(function() {
        db.createUser({user: 'user1', pwd: 'x', roles: [], digestPassword: false});
    });
    assert.throws(function() {
        db.createUser({user: 'user1', pwd: 'x', roles: [], passwordDigestor: 'foo'});
    });
    db.createUser({user: 'user1', pwd: 'x', roles: [], passwordDigestor: "server"});
    db.createUser({user: 'user2', pwd: 'x', roles: [], passwordDigestor: "client"});
    assert(db.auth('user1', 'x'));
    assert(db.auth('user2', 'x'));

    assert.throws(function() {
        db.updateUser('user1', {pwd: 'y', digestPassword: true});
    });
    assert.throws(function() {
        db.updateUser('user1', {pwd: 'y', digestPassword: false});
    });
    assert.throws(function() {
        db.updateUser('user1', {pwd: 'y', passwordDigestor: 'foo'});
    });
    db.updateUser('user1', {pwd: 'y', passwordDigestor: 'server'});
    db.updateUser('user2', {pwd: 'y', passwordDigestor: 'client'});
    assert(db.auth('user1', 'y'));
    assert(db.auth('user2', 'y'));

    // Test createUser requires 'user' field
    assert.throws(function() {
        db.createUser({pwd: 'x', roles: ['dbAdmin']});
    });

    // Test createUser disallows 'createUser' field
    assert.throws(function() {
        db.createUser({createUser: 'ben', pwd: 'x', roles: ['dbAdmin']});
    });
}

try {
    runTest(db);
} catch (x) {
    // BF-836 Print current users on failure to aid debugging
    db.getSiblingDB('admin').system.users.find().forEach(printjson);
    throw x;
}