mirror of https://github.com/mongodb/mongo
120 lines
3.4 KiB
JavaScript
120 lines
3.4 KiB
JavaScript
// Verify that speculative auth works with mongos.
|
|
// @tags: [requires_sharding]
|
|
|
|
import {ShardingTest} from "jstests/libs/shardingtest.js";
|
|
|
|
const CLIENT_NAME = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
|
|
const CLIENT_CERT = "jstests/libs/client.pem";
|
|
const SERVER_CERT = "jstests/libs/server.pem";
|
|
const CLUSTER_CERT = "jstests/libs/cluster_cert.pem";
|
|
const CA_CERT = "jstests/libs/ca.pem";
|
|
|
|
const options = {
|
|
tlsMode: "requireTLS",
|
|
tlsCertificateKeyFile: SERVER_CERT,
|
|
tlsCAFile: CA_CERT,
|
|
tlsClusterFile: CLUSTER_CERT,
|
|
tlsAllowInvalidHostnames: "",
|
|
clusterAuthMode: "x509",
|
|
};
|
|
|
|
const st = new ShardingTest({
|
|
shards: 1,
|
|
other: {
|
|
enableBalancer: true,
|
|
configOptions: options,
|
|
mongosOptions: options,
|
|
rsOptions: options,
|
|
},
|
|
});
|
|
|
|
const admin = st.s.getDB("admin");
|
|
admin.createUser({user: "admin", pwd: "pwd", roles: ["root"]});
|
|
assert(admin.auth("admin", "pwd"));
|
|
|
|
const external = st.s.getDB("$external");
|
|
external.createUser({user: CLIENT_NAME, roles: [{role: "__system", db: "admin"}]});
|
|
|
|
const initialStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms[
|
|
"MONGODB-X509"
|
|
];
|
|
jsTest.log("Initial stats: " + tojson(initialStats));
|
|
|
|
const uri = "mongodb://" + st.s.host + "/admin?authMechanism=MONGODB-X509";
|
|
jsTest.log("Connecting to: " + uri);
|
|
assert.eq(
|
|
runMongoProgram(
|
|
"mongo",
|
|
uri,
|
|
"--tls",
|
|
"--tlsCertificateKeyFile",
|
|
CLIENT_CERT,
|
|
"--tlsCAFile",
|
|
CA_CERT,
|
|
"--tlsAllowInvalidHostnames",
|
|
"--eval",
|
|
";",
|
|
),
|
|
0,
|
|
);
|
|
assert.eq(
|
|
runMongoProgram(
|
|
"mongo",
|
|
uri,
|
|
"--tls",
|
|
"--tlsCertificateKeyFile",
|
|
SERVER_CERT,
|
|
"--tlsCAFile",
|
|
CA_CERT,
|
|
"--tlsAllowInvalidHostnames",
|
|
"--eval",
|
|
";",
|
|
),
|
|
0,
|
|
);
|
|
|
|
const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms[
|
|
"MONGODB-X509"
|
|
];
|
|
jsTest.log("Authenticated stats: " + tojson(authStats));
|
|
|
|
// Got and succeeded an additional speculation.
|
|
const initSpec = initialStats.speculativeAuthenticate;
|
|
const authSpec = authStats.speculativeAuthenticate;
|
|
assert.eq(authSpec.received, initSpec.received + 2);
|
|
assert.eq(authSpec.successful, initSpec.successful + 2);
|
|
|
|
// Got and succeeded an additional auth.
|
|
const initAuth = initialStats.authenticate;
|
|
const authAuth = authStats.authenticate;
|
|
assert.eq(authAuth.received, initAuth.received + 2);
|
|
assert.eq(authAuth.successful, initAuth.successful + 2);
|
|
|
|
// Got and succeeded intra-cluster auth.
|
|
const initCluster = initialStats.clusterAuthenticate;
|
|
const authCluster = authStats.clusterAuthenticate;
|
|
assert.eq(authCluster.received, initCluster.received + 1);
|
|
assert.eq(authCluster.successful, initCluster.successful + 1);
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
jsTest.log("Shutting down");
|
|
|
|
// Authenticate csrs so ReplSetTest.stopSet() can do db hash check.
|
|
// It's possible the admin account hasn't replicated yet, so give it time.
|
|
if (st.configRS) {
|
|
const nodes = st.configRS.nodes.map((x) => x);
|
|
let node = nodes.pop();
|
|
assert.soon(function () {
|
|
if (node === undefined) {
|
|
return true;
|
|
}
|
|
if (node.getDB("admin").auth("admin", "pwd")) {
|
|
node = nodes.pop();
|
|
}
|
|
return false;
|
|
});
|
|
}
|
|
|
|
st.stop();
|