src/mongo/shell/utils_auth.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

var authutil;

(function() {
assert(!authutil);
authutil = {};

/**
 * Logs out all connections "conn" from database "dbname".
 */
authutil.logout = function(conn, dbname) {
    var i;
    if (null == conn.length) {
        conn = [conn];
    }
    for (i = 0; i < conn.length; ++i) {
        var curDB = new DB(conn[i], dbname);
        curDB.logout();
    }
};

/**
 * Authenticates all connections in "conns" using "authParams" on database "dbName".
 *
 * Raises an exception if any authentication fails, and tries to leave all connnections
 * in "conns" in the logged-out-of-dbName state.
 */
authutil.assertAuthenticate = function(conns, dbName, authParams) {
    var conn, i, ex, ex2;
    if (conns.length == null)
        conns = [conns];

    try {
        for (i = 0; i < conns.length; ++i) {
            conn = conns[i];
            // Bypass the implicit auth call in getDB();
            var db = new DB(conn, dbName);
            try {
                retryOnNetworkError(db._authOrThrow.bind(db, authParams));
            } catch (ex3) {
                doassert("assert failed : " +
                         "Failed to authenticate " + conn + " to " + dbName + " using parameters " +
                         tojson(authParams) + " : " + ex3);
            }
        }
    } catch (ex) {
        try {
            authutil.logout(conns, dbName);
        } catch (ex2) {
        }
        throw ex;
    }
};

/**
 * Authenticates all connections in "conns" using "authParams" on database "dbName".
 * Raises in exception if any of the authentications succeed.
 */
authutil.assertAuthenticateFails = function(conns, dbName, authParams) {
    var conn, i;
    if (conns.length == null)
        conns = [conns];

    for (i = 0; i < conns.length; ++i) {
        conn = conns[i];
        // Bypass the implicit auth call in getDB();
        var db = new DB(conn, dbName);
        const ex = assert.throws(retryOnNetworkError,
                                 [db._authOrThrow.bind(db, authParams)],
                                 "Unexpectedly authenticated " + conn + " to " + dbName +
                                     " using parameters " + tojson(authParams));
        if (isNetworkError(ex)) {
            throw ex;
        }
    }
};

/**
 * Executes action() after authenticating the keyfile user on "conn", then logs out the keyfile
 * user.
 */
authutil.asCluster = function(conn, keyfile, action) {
    var ex;

    const connOptions = conn.fullOptions || {};
    const authMode = connOptions.clusterAuthMode || jsTest.options().clusterAuthMode;

    // put a connection in an array for uniform processing.
    let connArray = conn;
    if (conn.length == null)
        connArray = [conn];

    let clusterTimes = connArray.map(connElem => {
        const connClusterTime = connElem.getClusterTime();
        const sessionClusterTime = connElem._getDefaultSession().getClusterTime();
        const operationTime = connElem._getDefaultSession().getOperationTime();

        connElem.resetClusterTime_forTesting();
        connElem._getDefaultSession().resetClusterTime_forTesting();
        connElem._getDefaultSession().resetOperationTime_forTesting();

        return {connClusterTime, sessionClusterTime, operationTime};
    });

    let authDB = 'admin';
    if ((authMode === 'keyFile') || (authMode === 'sendKeyFile') || (authMode === 'sendX509')) {
        authutil.assertAuthenticate(conn, 'admin', {
            user: '__system',
            mechanism: 'SCRAM-SHA-1',
            pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
        });
    } else if (authMode === 'x509') {
        authDB = '$external';
        authutil.assertAuthenticate(conn, '$external', {
            mechanism: 'MONGODB-X509',
        });
    } else {
        throw new Error('clusterAuthMode ' + authMode + ' is currently unsupported');
    }

    try {
        return action();
    } finally {
        try {
            authutil.logout(conn, authDB);
            let connArray = conn;
            if (conn.length == null)
                connArray = [conn];

            for (let i = 0; i < connArray.length; i++) {
                let connElem = connArray[i];
                connElem.resetClusterTime_forTesting();
                connElem._getDefaultSession().resetClusterTime_forTesting();
                connElem._getDefaultSession().resetOperationTime_forTesting();
                if (clusterTimes[i].connClusterTime) {
                    connElem.advanceClusterTime(clusterTimes[i].connClusterTime);
                }
                if (clusterTimes[i].sessionClusterTime) {
                    connElem._getDefaultSession().advanceClusterTime(
                        clusterTimes[i].sessionClusterTime);
                }
                if (clusterTimes[i].operationTime) {
                    connElem._getDefaultSession().advanceOperationTime(
                        clusterTimes[i].operationTime);
                }
            }
        } catch (ex) {
        }
    }
};
}());