0
0
mirror of https://github.com/mongodb/mongo.git synced 2024-12-01 01:21:03 +01:00
mongodb/jstests/auth/user_defined_roles.js
2019-07-27 11:02:23 -04:00

153 lines
6.5 KiB
JavaScript

/**
* This tests that user defined roles actually grant users the ability to perform the actions they
* should, and that changing the privileges assigned to roles changes the access granted to the user
* @tags: [requires_sharding]
*/
function runTest(conn) {
var authzErrorCode = 13;
var hasAuthzError = function(result) {
assert(result instanceof WriteCommandError);
assert.eq(authzErrorCode, result.code);
};
conn.getDB('admin').createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
conn.getDB('admin').auth('admin', 'pwd');
conn.getDB('admin').createUser(
{user: 'userAdmin', pwd: 'pwd', roles: ['userAdminAnyDatabase']});
conn.getDB('admin').logout();
var userAdminConn = new Mongo(conn.host);
var adminUserAdmin = userAdminConn.getDB('admin');
adminUserAdmin.auth('userAdmin', 'pwd');
adminUserAdmin.createRole({role: 'adminRole', privileges: [], roles: []});
var testUserAdmin = userAdminConn.getDB('test');
testUserAdmin.createRole({role: 'testRole1', privileges: [], roles: []});
testUserAdmin.createRole({role: 'testRole2', privileges: [], roles: ['testRole1']});
testUserAdmin.createUser(
{user: 'testUser', pwd: 'pwd', roles: ['testRole2', {role: 'adminRole', db: 'admin'}]});
var testDB = conn.getDB('test');
assert(testDB.auth('testUser', 'pwd'));
// At this point there are 3 db handles in use. testUserAdmin and adminUserAdmin are handles to
// the "test" and "admin" dbs respectively. Both testUserAdmin and adminUserAdmin are on the
// same connection (userAdminConn) which has been auth'd as a user with the
// 'userAdminAnyDatabase' role. Those will be used for manipulating the user defined roles
// used in the test. "testDB" is a handle to the test database on a connection that has been
// auth'd as 'testUser@test' - this is the connection that will be used to test how privilege
// enforcement works.
// test CRUD
hasAuthzError(testDB.foo.insert({a: 1}));
assert.throws(function() {
testDB.foo.findOne();
});
testUserAdmin.grantPrivilegesToRole(
'testRole1', [{resource: {db: 'test', collection: ''}, actions: ['find']}]);
hasAuthzError(testDB.foo.insert({a: 1}));
assert.doesNotThrow(function() {
testDB.foo.findOne();
});
assert.eq(0, testDB.foo.count());
assert.eq(0, testDB.foo.find().itcount());
testUserAdmin.grantPrivilegesToRole(
'testRole1', [{resource: {db: 'test', collection: 'foo'}, actions: ['insert']}]);
assert.writeOK(testDB.foo.insert({a: 1}));
assert.eq(1, testDB.foo.findOne().a);
assert.eq(1, testDB.foo.count());
assert.eq(1, testDB.foo.find().itcount());
hasAuthzError(testDB.foo.update({a: 1}, {$inc: {a: 1}}));
assert.eq(1, testDB.foo.findOne().a);
hasAuthzError(testDB.bar.insert({a: 1}));
assert.eq(0, testDB.bar.count());
adminUserAdmin.grantPrivilegesToRole(
'adminRole', [{resource: {db: '', collection: 'foo'}, actions: ['update']}]);
assert.writeOK(testDB.foo.update({a: 1}, {$inc: {a: 1}}));
assert.eq(2, testDB.foo.findOne().a);
assert.writeOK(testDB.foo.update({b: 1}, {$inc: {b: 1}}, true)); // upsert
assert.eq(2, testDB.foo.count());
assert.eq(2, testDB.foo.findOne({b: {$exists: true}}).b);
hasAuthzError(testDB.foo.remove({b: 2}));
assert.eq(2, testDB.foo.count());
adminUserAdmin.grantPrivilegesToRole(
'adminRole', [{resource: {db: '', collection: ''}, actions: ['remove']}]);
assert.writeOK(testDB.foo.remove({b: 2}));
assert.eq(1, testDB.foo.count());
// Test revoking privileges
testUserAdmin.revokePrivilegesFromRole(
'testRole1', [{resource: {db: 'test', collection: 'foo'}, actions: ['insert']}]);
hasAuthzError(testDB.foo.insert({a: 1}));
assert.eq(1, testDB.foo.count());
assert.writeOK(testDB.foo.update({a: 2}, {$inc: {a: 1}}));
assert.eq(3, testDB.foo.findOne({a: {$exists: true}}).a);
hasAuthzError(testDB.foo.update({c: 1}, {$inc: {c: 1}}, true)); // upsert should fail
assert.eq(1, testDB.foo.count());
// Test changeOwnPassword/changeOwnCustomData
assert.throws(function() {
testDB.changeUserPassword('testUser', 'password');
});
assert.throws(function() {
testDB.updateUser('testUser', {customData: {zipCode: 10036}});
});
assert.eq(null, testDB.getUser('testUser').customData);
testUserAdmin.grantPrivilegesToRole('testRole1', [{
resource: {db: 'test', collection: ''},
actions: ['changeOwnPassword', 'changeOwnCustomData']
}]);
testDB.changeUserPassword('testUser', 'password');
assert(!testDB.auth('testUser', 'pwd'));
assert(testDB.auth('testUser', 'password'));
testDB.updateUser('testUser', {customData: {zipCode: 10036}});
assert.eq(10036, testDB.getUser('testUser').customData.zipCode);
testUserAdmin.revokeRolesFromRole('testRole2', ['testRole1']);
assert.throws(function() {
testDB.changeUserPassword('testUser', 'pwd');
});
assert.throws(function() {
testDB.foo.findOne();
});
assert.throws(function() {
testDB.updateUser('testUser', {customData: {zipCode: 10028}});
});
assert.eq(10036, testDB.getUser('testUser').customData.zipCode);
// Test changeAnyPassword/changeAnyCustomData
testUserAdmin.grantPrivilegesToRole('testRole2', [
{resource: {db: 'test', collection: ''}, actions: ['changePassword', 'changeCustomData']}
]);
testDB.changeUserPassword('testUser', 'pwd');
assert(!testDB.auth('testUser', 'password'));
assert(testDB.auth('testUser', 'pwd'));
testDB.updateUser('testUser', {customData: {zipCode: 10028}});
assert.eq(10028, testDB.getUser('testUser').customData.zipCode);
// Test privileges on the cluster resource
assert.commandFailed(testDB.runCommand({serverStatus: 1}));
adminUserAdmin.grantPrivilegesToRole('adminRole',
[{resource: {cluster: true}, actions: ['serverStatus']}]);
assert.commandWorked(testDB.serverStatus());
}
jsTest.log('Test standalone');
var conn = MongoRunner.runMongod({auth: ''});
runTest(conn);
MongoRunner.stopMongod(conn);
jsTest.log('Test sharding');
// TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed.
var st = new ShardingTest(
{shards: 2, config: 3, keyFile: 'jstests/libs/key1', other: {shardAsReplicaSet: false}});
runTest(st.s);
st.stop();