1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
// Verify that speculative auth works with mongos.
// @tags: [requires_sharding]
(function() {
'use strict';
const CLIENT_NAME = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';
const CLIENT_CERT = 'jstests/libs/client.pem';
const SERVER_CERT = 'jstests/libs/server.pem';
const CLUSTER_CERT = 'jstests/libs/cluster_cert.pem';
const CA_CERT = 'jstests/libs/ca.pem';
const options = {
tlsMode: 'requireTLS',
tlsCertificateKeyFile: SERVER_CERT,
tlsCAFile: CA_CERT,
tlsClusterFile: CLUSTER_CERT,
tlsAllowInvalidHostnames: '',
clusterAuthMode: 'x509',
};
const st = new ShardingTest({
shards: 1,
other: {
enableBalancer: true,
configOptions: options,
mongosOptions: options,
rsOptions: options,
shardOptions: options
}
});
const admin = st.s.getDB('admin');
admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
assert(admin.auth('admin', 'pwd'));
const external = st.s.getDB('$external');
external.createUser({user: CLIENT_NAME, roles: [{role: '__system', db: 'admin'}]});
const initialStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
.security.authentication.mechanisms['MONGODB-X509'];
jsTest.log('Initial stats: ' + tojson(initialStats));
const uri = 'mongodb://' + st.s.host + '/admin?authMechanism=MONGODB-X509';
jsTest.log('Connecting to: ' + uri);
assert.eq(runMongoProgram('mongo',
uri,
'--tls',
'--tlsCertificateKeyFile',
CLIENT_CERT,
'--tlsCAFile',
CA_CERT,
'--tlsAllowInvalidHostnames',
'--eval',
';'),
0);
assert.eq(runMongoProgram('mongo',
uri,
'--tls',
'--tlsCertificateKeyFile',
SERVER_CERT,
'--tlsCAFile',
CA_CERT,
'--tlsAllowInvalidHostnames',
'--eval',
';'),
0);
const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
.security.authentication.mechanisms['MONGODB-X509'];
jsTest.log('Authenticated stats: ' + tojson(authStats));
// Got and succeeded an additional speculation.
const initSpec = initialStats.speculativeAuthenticate;
const authSpec = authStats.speculativeAuthenticate;
assert.eq(authSpec.received, initSpec.received + 2);
assert.eq(authSpec.successful, initSpec.successful + 2);
// Got and succeeded an additional auth.
const initAuth = initialStats.authenticate;
const authAuth = authStats.authenticate;
assert.eq(authAuth.received, initAuth.received + 2);
assert.eq(authAuth.successful, initAuth.successful + 2);
// Got and succeeded intra-cluster auth.
const initCluster = initialStats.clusterAuthenticate;
const authCluster = authStats.clusterAuthenticate;
assert.eq(authCluster.received, initCluster.received + 1);
assert.eq(authCluster.successful, initCluster.successful + 1);
/////////////////////////////////////////////////////////////////////////////
jsTest.log('Shutting down');
// Authenticate csrs so ReplSetTest.stopSet() can do db hash check.
// It's possible the admin account hasn't replicated yet, so give it time.
if (st.configRS) {
const nodes = st.configRS.nodes.map((x) => x);
let node = nodes.pop();
assert.soon(function() {
if (node === undefined) {
return true;
}
if (node.getDB('admin').auth('admin', 'pwd')) {
node = nodes.pop();
}
return false;
});
}
// Orphan checks needs a privileged user to auth as.
st.shard0.getDB('$external')
.createUser({user: CLIENT_NAME, roles: [{role: '__system', db: 'admin'}]});
st.stop();
}());
|
