path: root/jstests/ssl/speculative-authenticate.js
blob: 492469466df6019a35247fc7c8bb4c009fdd9e23 (plain)
// Test for speculativeAuthenticate during isMaster.

(function() {
'use strict';

// Fixture server: access control on (bare --auth flag), TLS mandatory for every
// connection, and X.509 certificates used for cluster authentication.
const mongodOptions = {
    auth: '',
    tlsMode: 'requireTLS',
    tlsCertificateKeyFile: 'jstests/libs/server.pem',
    tlsCAFile: 'jstests/libs/ca.pem',
    clusterAuthMode: 'x509',
};
const mongod = MongoRunner.runMongod(mongodOptions);
const admin = mongod.getDB('admin');
const external = mongod.getDB('$external');

// Throwaway fixture credentials for a root user. The connection is authenticated
// as this user so that the createUser and serverStatus calls that follow run
// with root privileges.
const adminUserSpec = {
    user: 'admin',
    pwd: 'pwd',
    roles: ['root'],
    mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256'],
};
admin.createUser(adminUserSpec);
admin.auth('admin', 'pwd');

// X.509 users live in $external and are named by certificate subject.
// NOTE(review): presumably this is the subject of jstests/libs/client.pem, the
// certificate the X.509 connection attempts below present - confirm.
const X509USER = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';
const x509UserSpec = {user: X509USER, roles: [{role: 'root', db: 'admin'}]};
external.createUser(x509UserSpec);

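/**
 * Launches a separate mongo shell over TLS against `uri`, presenting
 * `certificateKeyFile` as the client certificate, runs a no-op script and
 * asserts that the shell exits with status 0.
 *
 * The failure message names the certificate and URI so that a failing run shows
 * which connection attempt was rejected.
 *
 * @param {string} uri - MongoDB connection string handed to the shell.
 * @param {string} certificateKeyFile - PEM file passed as --tlsCertificateKeyFile.
 */
function runShellWithCert(uri, certificateKeyFile) {
    const exitCode = runMongoProgram('mongo',
                                     '--tls',
                                     '--tlsCAFile',
                                     'jstests/libs/ca.pem',
                                     '--tlsCertificateKeyFile',
                                     certificateKeyFile,
                                     uri,
                                     '--eval',
                                     ';');
    assert.eq(0,
              exitCode,
              'mongo shell using ' + certificateKeyFile + ' exited non-zero for ' + uri);
}

/**
 * Connects as an ordinary client: the shell presents jstests/libs/client.pem.
 *
 * @param {string} uri - MongoDB connection string handed to the shell.
 */
function test(uri) {
    runShellWithCert(uri, 'jstests/libs/client.pem');
}

/**
 * Connects while presenting the server's own certificate, jstests/libs/server.pem.
 * The assertions later in this file expect such a connection to be counted under
 * clusterAuthenticate, i.e. to be treated as intra-cluster authentication.
 *
 * @param {string} uri - MongoDB connection string handed to the shell.
 */
function testInternal(uri) {
    runShellWithCert(uri, 'jstests/libs/server.pem');
}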

/**
 * Runs serverStatus on the admin database, requires the command to succeed, and
 * hands the security.authentication.mechanisms section of the reply to `cb`.
 *
 * @param {function(Object)} cb - Receives the per-mechanism statistics object.
 */
function assertStats(cb) {
    const status = assert.commandWorked(admin.runCommand({serverStatus: 1}));
    const {mechanisms} = status.security.authentication;
    cb(mechanisms);
}

// Baseline: before any speculative attempt, every mechanism the server reports
// must show zero received and zero successful speculative authentications.
assertStats((perMechanism) => {
    for (const mechName of Object.keys(perMechanism)) {
        const {received, successful} = perMechanism[mechName].speculativeAuthenticate;
        assert.eq(received, 0);
        assert.eq(successful, 0);
    }
});

// Naming MONGODB-X509 in the URI makes the shell attempt speculative
// authentication; the server must record exactly one attempt, and it must succeed.
const baseURI = `mongodb://localhost:${mongod.port}/admin`;
test(`${baseURI}?authMechanism=MONGODB-X509`);
assertStats((perMechanism) => {
    const {received, successful} = perMechanism['MONGODB-X509'].speculativeAuthenticate;
    assert.eq(received, 1);
    assert.eq(successful, 1);
});

// A connection whose URI names no auth mechanism does not speculate, so the
// MONGODB-X509 counters must stay at one received, one successful.
test(baseURI);
assertStats((perMechanism) => {
    const {received, successful} = perMechanism['MONGODB-X509'].speculativeAuthenticate;
    assert.eq(received, 1);
    assert.eq(successful, 1);
});

// Only client-certificate connections have been made so far; none of them may
// have been counted as cluster authentication.
assertStats((perMechanism) => {
    const {received, successful} = perMechanism['MONGODB-X509'].clusterAuthenticate;
    assert.eq(received, 0);
    assert.eq(successful, 0);
});

// Connect with the server's own certificate and speculation. This must count
// both as a second speculative authentication and as the first cluster
// authentication.
testInternal(`${baseURI}?authMechanism=MONGODB-X509`);
assertStats((perMechanism) => {
    const x509Stats = perMechanism['MONGODB-X509'];
    const speculative = x509Stats.speculativeAuthenticate;
    const cluster = x509Stats.clusterAuthenticate;
    assert.eq(speculative.received, 2);
    assert.eq(speculative.successful, 2);
    assert.eq(cluster.received, 1);
    assert.eq(cluster.successful, 1);
});

// Shut the fixture server down.
MongoRunner.stopMongod(mongod);
})();