jstests/noPassthrough/multi_user_forbidden.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

/**
 * Tests that apiStrict forbids authentication as multiple users.
 * @tags: [requires_auth]
 */
(function() {
"use strict";
load("jstests/libs/fail_point_util.js");
load("jstests/libs/parallel_shell_helpers.js");

function runTest(conn) {
    const db1 = "foo";
    const user1 = "alice";

    const db2 = "bar";
    const user2 = "bob";

    const db3 = "foo";
    const user3 = "carol";

    const pass = "pwd";

    conn.getDB(db1).createUser({user: user1, pwd: pass, roles: []});
    conn.getDB(db2).createUser({user: user2, pwd: pass, roles: []});
    conn.getDB(db3).createUser({user: user3, pwd: pass, roles: []});

    {
        jsTest.log("Testing the rainbow of auth with a vanilla connection");

        const vanillaConn = new Mongo(conn.host);
        assert(vanillaConn.getDB(db1).auth(user1, pass), "Initial authN should succeed");
        assert(vanillaConn.getDB(db2).auth(user2, pass), "AuthN on another db should succeed");
        assert(vanillaConn.getDB(db1).auth(user1, pass), "Re-authN as first user should succeed");
        assert(vanillaConn.getDB(db3).auth(user3, pass),
               "AuthN as a new user on the first database should succeed");
    }

    {
        jsTest.log("Testing the rainbow of auth with an { apiStrict: false } connection");

        const laxConn = new Mongo(conn.host, undefined, {api: {version: '1', strict: false}});
        assert(laxConn.getDB(db1).auth(user1, pass), "Initial authN should succeed");
        assert(laxConn.getDB(db2).auth(user2, pass), "AuthN on another db should succeed");
        assert(laxConn.getDB(db1).auth(user1, pass), "Re-authN as first user should succeed");
        assert(laxConn.getDB(db3).auth(user3, pass),
               "AuthN as a new user on the first database should succeed");
    }

    {
        jsTest.log("Testing the rainbow of auth with an { apiStrict: true } connection");

        const strictConn = new Mongo(conn.host, undefined, {api: {version: '1', strict: true}});
        assert(strictConn.getDB(db1).auth(user1, pass), "Initial authN should succeed");
        assert(!strictConn.getDB(db2).auth(user2, pass), "AuthN on another db should fail");
        assert(!strictConn.getDB(db1).auth(user1, pass), "Re-authN as first user should fail");
        assert(!strictConn.getDB(db3).auth(user3, pass),
               "AuthN as a new user on the first database should fail");
    }

    {
        jsTest.log("Testing the rainbow of auth with an { apiStrict: true } connection " +
                   "and the allowMultipleUsersWithApiStrict fail point");

        const fp = configureFailPoint(conn, "allowMultipleUsersWithApiStrict");
        const strictishConn = new Mongo(conn.host, undefined, {api: {version: '1', strict: true}});

        assert(strictishConn.getDB(db1).auth(user1, pass), "Initial authN should succeed");
        assert(strictishConn.getDB(db2).auth(user2, pass), "AuthN on another db should succeed");
        assert(strictishConn.getDB(db1).auth(user1, pass), "Re-authN as first user should succeed");
        assert(strictishConn.getDB(db3).auth(user3, pass),
               "AuthN as a new user on the first database should succeed");

        fp.off();
    }
}

{
    const conn = MongoRunner.runMongod();

    runTest(conn);

    MongoRunner.stopMongod(conn);
}
})();