mirror of
https://github.com/mongodb/mongo.git
synced 2024-11-24 16:46:00 +01:00
109 lines
3.7 KiB
JavaScript
109 lines
3.7 KiB
JavaScript
// Verify that speculative auth works with mongos.
|
|
// @tags: [requires_sharding]
|
|
|
|
import {ShardingTest} from "jstests/libs/shardingtest.js";
|
|
|
|
const CLIENT_NAME = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';
|
|
const CLIENT_CERT = 'jstests/libs/client.pem';
|
|
const SERVER_CERT = 'jstests/libs/server.pem';
|
|
const CLUSTER_CERT = 'jstests/libs/cluster_cert.pem';
|
|
const CA_CERT = 'jstests/libs/ca.pem';
|
|
|
|
const options = {
|
|
tlsMode: 'requireTLS',
|
|
tlsCertificateKeyFile: SERVER_CERT,
|
|
tlsCAFile: CA_CERT,
|
|
tlsClusterFile: CLUSTER_CERT,
|
|
tlsAllowInvalidHostnames: '',
|
|
clusterAuthMode: 'x509',
|
|
};
|
|
|
|
const st = new ShardingTest({
|
|
shards: 1,
|
|
other: {
|
|
enableBalancer: true,
|
|
configOptions: options,
|
|
mongosOptions: options,
|
|
rsOptions: options,
|
|
}
|
|
});
|
|
|
|
const admin = st.s.getDB('admin');
|
|
admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
|
|
assert(admin.auth('admin', 'pwd'));
|
|
|
|
const external = st.s.getDB('$external');
|
|
external.createUser({user: CLIENT_NAME, roles: [{role: '__system', db: 'admin'}]});
|
|
|
|
const initialStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
|
|
.security.authentication.mechanisms['MONGODB-X509'];
|
|
jsTest.log('Initial stats: ' + tojson(initialStats));
|
|
|
|
const uri = 'mongodb://' + st.s.host + '/admin?authMechanism=MONGODB-X509';
|
|
jsTest.log('Connecting to: ' + uri);
|
|
assert.eq(runMongoProgram('mongo',
|
|
uri,
|
|
'--tls',
|
|
'--tlsCertificateKeyFile',
|
|
CLIENT_CERT,
|
|
'--tlsCAFile',
|
|
CA_CERT,
|
|
'--tlsAllowInvalidHostnames',
|
|
'--eval',
|
|
';'),
|
|
0);
|
|
assert.eq(runMongoProgram('mongo',
|
|
uri,
|
|
'--tls',
|
|
'--tlsCertificateKeyFile',
|
|
SERVER_CERT,
|
|
'--tlsCAFile',
|
|
CA_CERT,
|
|
'--tlsAllowInvalidHostnames',
|
|
'--eval',
|
|
';'),
|
|
0);
|
|
|
|
const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1}))
|
|
.security.authentication.mechanisms['MONGODB-X509'];
|
|
jsTest.log('Authenticated stats: ' + tojson(authStats));
|
|
|
|
// Got and succeeded an additional speculation.
|
|
const initSpec = initialStats.speculativeAuthenticate;
|
|
const authSpec = authStats.speculativeAuthenticate;
|
|
assert.eq(authSpec.received, initSpec.received + 2);
|
|
assert.eq(authSpec.successful, initSpec.successful + 2);
|
|
|
|
// Got and succeeded an additional auth.
|
|
const initAuth = initialStats.authenticate;
|
|
const authAuth = authStats.authenticate;
|
|
assert.eq(authAuth.received, initAuth.received + 2);
|
|
assert.eq(authAuth.successful, initAuth.successful + 2);
|
|
|
|
// Got and succeeded intra-cluster auth.
|
|
const initCluster = initialStats.clusterAuthenticate;
|
|
const authCluster = authStats.clusterAuthenticate;
|
|
assert.eq(authCluster.received, initCluster.received + 1);
|
|
assert.eq(authCluster.successful, initCluster.successful + 1);
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
jsTest.log('Shutting down');
|
|
|
|
// Authenticate csrs so ReplSetTest.stopSet() can do db hash check.
|
|
// It's possible the admin account hasn't replicated yet, so give it time.
|
|
if (st.configRS) {
|
|
const nodes = st.configRS.nodes.map((x) => x);
|
|
let node = nodes.pop();
|
|
assert.soon(function() {
|
|
if (node === undefined) {
|
|
return true;
|
|
}
|
|
if (node.getDB('admin').auth('admin', 'pwd')) {
|
|
node = nodes.pop();
|
|
}
|
|
return false;
|
|
});
|
|
}
|
|
|
|
st.stop(); |