summaryrefslogtreecommitdiff
path: root/src/mongo/shell/utils_auth.js
blob: d526a1004a059bb9d55ef1a99e45ffb7b8b2944e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
var authutil;

(function() {
assert(!authutil);
authutil = {};

/**
 * Logs out all connections "conn" from database "dbname".
 */
authutil.logout = function(conn, dbname) {
    var i;
    if (null == conn.length) {
        conn = [conn];
    }
    for (i = 0; i < conn.length; ++i) {
        var curDB = new DB(conn[i], dbname);
        curDB.logout();
    }
};

/**
 * Authenticates all connections in "conns" using "authParams" on database "dbName".
 *
 * Raises an exception if any authentication fails, and tries to leave all connnections
 * in "conns" in the logged-out-of-dbName state.
 */
authutil.assertAuthenticate = function(conns, dbName, authParams) {
    var conn, i, ex, ex2;
    if (conns.length == null)
        conns = [conns];

    try {
        for (i = 0; i < conns.length; ++i) {
            conn = conns[i];
            // Bypass the implicit auth call in getDB();
            const db = new DB(conn, dbName);
            try {
                retryOnNetworkError(db._authOrThrow.bind(db, authParams));
            } catch (ex3) {
                doassert("assert failed : " +
                         "Failed to authenticate " + conn + " to " + dbName + " using parameters " +
                         tojson(authParams) + " : " + ex3);
            }
        }
    } catch (ex) {
        try {
            authutil.logout(conns, dbName);
        } catch (ex2) {
        }
        throw ex;
    }
};

/**
 * Authenticates all connections in "conns" using "authParams" on database "dbName".
 * Raises in exception if any of the authentications succeed.
 */
authutil.assertAuthenticateFails = function(conns, dbName, authParams) {
    var conn, i;
    if (conns.length == null)
        conns = [conns];

    for (i = 0; i < conns.length; ++i) {
        conn = conns[i];
        // Bypass the implicit auth call in getDB();
        const db = new DB(conn, dbName);
        const ex = assert.throws(retryOnNetworkError,
                                 [db._authOrThrow.bind(db, authParams)],
                                 "Unexpectedly authenticated " + conn + " to " + dbName +
                                     " using parameters " + tojson(authParams));
        if (isNetworkError(ex)) {
            throw ex;
        }
    }
};

/**
 * Executes action() after authenticating the keyfile user on "conn", then logs out the keyfile
 * user.
 */
authutil.asCluster = function(conn, keyfile, action) {
    var ex;

    // put a connection in an array for uniform processing.
    let connArray = conn;
    if (conn.length == null)
        connArray = [conn];

    const connOptions = connArray[0].fullOptions || {};
    const authMode = connOptions.clusterAuthMode || connArray[0].clusterAuthMode ||
        jsTest.options().clusterAuthMode;

    let clusterTimes = connArray.map(connElem => {
        const connClusterTime = connElem.getClusterTime();
        const sessionClusterTime = connElem._getDefaultSession().getClusterTime();
        const operationTime = connElem._getDefaultSession().getOperationTime();

        connElem.resetClusterTime_forTesting();
        connElem._getDefaultSession().resetClusterTime_forTesting();
        connElem._getDefaultSession().resetOperationTime_forTesting();

        return {connClusterTime, sessionClusterTime, operationTime};
    });

    let authDB = 'admin';
    if ((authMode === 'keyFile') || (authMode === 'sendKeyFile') ||
        (authMode === 'sendX509' && keyfile !== undefined)) {
        if (keyfile === undefined) {
            keyfile = connOptions.keyFile || connArray[0].keyFile;
            assert(keyfile !== undefined,
                   `Cannot find a keyfile to use for authentication from the connection: ${
                       tojson(connOptions)} ==== ${tojson(connArray[0])}`);
        }

        authutil.assertAuthenticate(conn, 'admin', {
            user: '__system',
            mechanism: 'SCRAM-SHA-256',
            pwd: cat(keyfile).replace(/[\011-\015\040]/g, '')
        });
    } else if (authMode === 'x509' || authMode === 'sendX509') {
        // When we login as __system, it gets registered internally as __system@local as the user
        // name
        authDB = 'local';
        authutil.assertAuthenticate(conn, '$external', {
            mechanism: 'MONGODB-X509',
        });
    } else {
        throw new Error('clusterAuthMode ' + authMode + ' is currently unsupported');
    }

    try {
        return action();
    } finally {
        try {
            authutil.logout(conn, authDB);
            let connArray = conn;
            if (conn.length == null)
                connArray = [conn];

            for (let i = 0; i < connArray.length; i++) {
                let connElem = connArray[i];
                connElem.resetClusterTime_forTesting();
                connElem._getDefaultSession().resetClusterTime_forTesting();
                connElem._getDefaultSession().resetOperationTime_forTesting();
                if (clusterTimes[i].connClusterTime) {
                    connElem.advanceClusterTime(clusterTimes[i].connClusterTime);
                }
                if (clusterTimes[i].sessionClusterTime) {
                    connElem._getDefaultSession().advanceClusterTime(
                        clusterTimes[i].sessionClusterTime);
                }
                if (clusterTimes[i].operationTime) {
                    connElem._getDefaultSession().advanceOperationTime(
                        clusterTimes[i].operationTime);
                }
            }
        } catch (ex) {
        }
    }
};
}());