2019-12-04 18:12:10 +01:00
|
|
|
// Verify that replica sets can speculatively authenticate
|
|
|
|
|
// to each other during intra-cluster communication.
|
|
|
|
|
// @tags: [requires_replication]
|
|
|
|
|
|
|
|
|
|
(function() {
|
|
|
|
|
'use strict';
|
|
|
|
|
|
2021-04-02 21:12:12 +02:00
|
|
|
const kAuthenticationSuccessfulLogId = 5286306;
|
|
|
|
|
const kAuthenticationFailedLogId = 5286307;
|
|
|
|
|
|
|
|
|
|
function countAuthInLog(conn) {
|
|
|
|
|
let logCounts = {speculative: 0, cluster: 0, speculativeCluster: 0};
|
|
|
|
|
|
|
|
|
|
checkLog.getGlobalLog(conn).forEach((line) => {
|
|
|
|
|
// Iterate through the log and verify our auth.
|
|
|
|
|
const entry = JSON.parse(line);
|
|
|
|
|
if (entry.id === kAuthenticationSuccessfulLogId) {
|
|
|
|
|
// Successful auth.
|
|
|
|
|
if (entry.attr.isSpeculative) {
|
|
|
|
|
logCounts.speculative += 1;
|
|
|
|
|
}
|
|
|
|
|
if (entry.attr.isClusterMember) {
|
|
|
|
|
logCounts.cluster += 1;
|
|
|
|
|
}
|
|
|
|
|
if (entry.attr.isSpeculative && entry.attr.isClusterMember) {
|
|
|
|
|
logCounts.speculativeCluster += 1;
|
|
|
|
|
}
|
|
|
|
|
} else if (entry.id === kAuthenticationFailedLogId) {
|
|
|
|
|
// Authentication can fail legitimately because the secondary abandons the connection
|
|
|
|
|
// during shutdown.
|
|
|
|
|
assert.eq(entry.attr.error.code, ErrorCodes.AuthenticationAbandoned);
|
|
|
|
|
} else {
|
|
|
|
|
// Irrelevant.
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
print(`Found log entries for authentication in the following amounts: ${tojson(logCounts)}`);
|
|
|
|
|
return logCounts;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-20 17:13:41 +01:00
|
|
|
const rst = new ReplSetTest({nodes: 1, keyFile: 'jstests/libs/key1'});
|
2019-12-04 18:12:10 +01:00
|
|
|
rst.startSet();
|
|
|
|
|
rst.initiate();
|
2021-03-22 17:43:47 +01:00
|
|
|
rst.awaitReplication();
|
2019-12-04 18:12:10 +01:00
|
|
|
|
|
|
|
|
const admin = rst.getPrimary().getDB('admin');
|
|
|
|
|
admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
|
|
|
|
|
admin.auth('admin', 'pwd');
|
2021-03-22 17:43:47 +01:00
|
|
|
assert.commandWorked(admin.setLogLevel(3, 'accessControl'));
|
2019-12-04 18:12:10 +01:00
|
|
|
|
2021-01-20 17:13:41 +01:00
|
|
|
function getMechStats(db) {
|
|
|
|
|
return assert.commandWorked(db.runCommand({serverStatus: 1}))
|
|
|
|
|
.security.authentication.mechanisms;
|
2019-12-04 18:12:10 +01:00
|
|
|
}
|
|
|
|
|
|
2021-01-20 17:13:41 +01:00
|
|
|
// Capture statistics after a fresh instantiation of a 1-node replica set.
|
|
|
|
|
const initialMechStats = getMechStats(admin);
|
|
|
|
|
printjson(initialMechStats);
|
|
|
|
|
assert(initialMechStats['SCRAM-SHA-256'] !== undefined);
|
|
|
|
|
|
2019-12-04 18:12:10 +01:00
|
|
|
// We've made no client connections for which speculation was possible,
|
2021-01-20 17:13:41 +01:00
|
|
|
// because we authenticated as `admin` using the shell helpers.
|
|
|
|
|
// Because of the simple cluster topology, we should have no intracluster authentication attempts.
|
|
|
|
|
Object.keys(initialMechStats).forEach(function(mech) {
|
|
|
|
|
const specStats = initialMechStats[mech].speculativeAuthenticate;
|
|
|
|
|
const clusterStats = initialMechStats[mech].clusterAuthenticate;
|
2019-12-04 18:12:10 +01:00
|
|
|
|
|
|
|
|
if (mech === 'SCRAM-SHA-256') {
|
2021-01-20 17:13:41 +01:00
|
|
|
// It appears that replication helpers use SCRAM-SHA-1, preventing SCRAM-SHA-256 cluster
|
|
|
|
|
// stats from being incremented during test setup.
|
|
|
|
|
assert.eq(clusterStats.received, 0);
|
2019-12-04 18:12:10 +01:00
|
|
|
}
|
2021-01-20 17:13:41 +01:00
|
|
|
|
|
|
|
|
// No speculation has occured
|
|
|
|
|
assert.eq(specStats.received, 0);
|
|
|
|
|
|
|
|
|
|
// Statistics should be consistent for all mechanisms
|
2020-08-17 21:37:42 +02:00
|
|
|
assert.eq(specStats.received, specStats.successful);
|
|
|
|
|
assert.eq(clusterStats.received, clusterStats.successful);
|
2019-12-04 18:12:10 +01:00
|
|
|
});
|
|
|
|
|
|
2021-01-20 17:13:41 +01:00
|
|
|
{
|
|
|
|
|
// Add and remove a node to force intra-cluster traffic, and authentication attempts.
|
|
|
|
|
// Removal will require force-reconfig because the original node will not constitute a
|
|
|
|
|
// "majority" of the resulting two node replicaset.
|
|
|
|
|
const singleNodeConfig = rst.getReplSetConfigFromNode();
|
|
|
|
|
|
|
|
|
|
const newNode = rst.add({});
|
|
|
|
|
rst.reInitiate();
|
|
|
|
|
rst.waitForState(newNode, ReplSetTest.State.SECONDARY);
|
2021-03-22 17:43:47 +01:00
|
|
|
rst.awaitReplication();
|
2021-01-20 17:13:41 +01:00
|
|
|
|
|
|
|
|
rst.stop(newNode);
|
|
|
|
|
rst.remove(newNode);
|
|
|
|
|
admin.auth('admin', 'pwd');
|
|
|
|
|
singleNodeConfig.version = rst.getReplSetConfigFromNode(0).version + 1;
|
|
|
|
|
assert.commandWorked(admin.runCommand({replSetReconfig: singleNodeConfig, force: true}));
|
2021-03-22 17:43:47 +01:00
|
|
|
rst.awaitReplication();
|
2021-01-20 17:13:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
// Capture new statistics, and assert that they're consistent.
|
|
|
|
|
const newMechStats = getMechStats(admin);
|
|
|
|
|
printjson(newMechStats);
|
|
|
|
|
|
|
|
|
|
// Speculative and cluster statistics should be incremented by intracluster auth.
|
2021-04-02 21:12:12 +02:00
|
|
|
assert.gt(newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful,
|
2021-01-20 17:13:41 +01:00
|
|
|
initialMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful);
|
2021-04-02 21:12:12 +02:00
|
|
|
assert.gt(newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful,
|
2021-01-20 17:13:41 +01:00
|
|
|
initialMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
|
2021-04-02 21:12:12 +02:00
|
|
|
|
|
|
|
|
const logCounts = countAuthInLog(admin);
|
|
|
|
|
assert.eq(logCounts.speculative,
|
|
|
|
|
newMechStats["SCRAM-SHA-256"].speculativeAuthenticate.successful);
|
|
|
|
|
assert.eq(logCounts.cluster, newMechStats["SCRAM-SHA-256"].clusterAuthenticate.successful);
|
|
|
|
|
assert.gt(logCounts.speculativeCluster,
|
|
|
|
|
0,
|
|
|
|
|
"Expected to observe at least one speculative cluster authentication attempt");
|
2021-01-20 17:13:41 +01:00
|
|
|
}
|
2019-12-04 18:12:10 +01:00
|
|
|
|
|
|
|
|
admin.logout();
|
|
|
|
|
rst.stopSet();
|
|
|
|
|
}());
|
