Added external_auth unit tests and setup scripts.
Author: David Bennett <david.bennett@percona.com> (cherry picked from commit f8c12ee) (cherry picked from commit b6cf082)
David Bennett
authored and
Denis Protyvenskyi
committed
May 16, 2016
1 parent
5a550e9
commit 2618824
Showing
35 changed files
with
1,571 additions
and
0 deletions.
@@ -0,0 +1,18 @@ | ||
# Percona Server for MongoDB LDAP test suite | ||
|
||
This script assumes you have deployed the LDAP and SASL packages from the | ||
/setup directory. | ||
|
||
In order to run this tests, you must first build the Percona Server for | ||
MongoDB with SASL authentication support and install. | ||
|
||
Set the MONGODB_HOME shell variable to the directory you install into | ||
and execute the ./run.sh | ||
|
||
example: | ||
|
||
cd support-files/ldap-sasl | ||
./deploy_ldap_and_sasl.sh | ||
cd ../jstests/external_auth | ||
export MONGODB_HOME=/opt/percona-server-for-mongodb-3.x | ||
./run.sh |
@@ -0,0 +1,210 @@ | ||
// functions used by the external authentication tests | ||
|
||
// random word | ||
|
||
// from linuxask.com | ||
|
||
function randomString(len) { | ||
var chars = "abcdefghiklmnopqrstuvwxyz"; | ||
var randomstring = ''; | ||
var string_length = len; | ||
for (var i=0; i<string_length; i++) { | ||
var rnum = Math.floor(Math.random() * chars.length); | ||
randomstring += chars.substring(rnum,rnum+1); | ||
} | ||
return randomstring; | ||
} | ||
|
||
var toType = function(obj) { | ||
return ({}).toString.call(obj).match(/\s([a-zA-Z]+)/)[1].toLowerCase() | ||
} | ||
|
||
// this should be run against db to which the user has read (only) access | ||
|
||
function authuser_assertro(d) { | ||
|
||
print( "\tDatabase: " + d.getName() ) | ||
|
||
// test query | ||
|
||
print( "\tTesting query in read privilege" ) | ||
|
||
var q = d.query1; | ||
|
||
assert( q.count() == 1 ) | ||
|
||
// test insert | ||
|
||
print( "\tTesting insert for read privilege" ) | ||
|
||
var insVal = Random.randInt( 16536 ) | ||
|
||
c = d.collection1; | ||
|
||
c.insert( { a : insVal } ); | ||
|
||
assert ( c.count( { a : insVal } ) == 0 ) | ||
|
||
// test update | ||
|
||
print( "\tTesting update for read privilege" ) | ||
|
||
c.update( { a : insVal }, { $inc: { a: +1} } ) | ||
|
||
assert ( c.count( { a : insVal } ) == 0 ) | ||
|
||
assert ( c.count( { a : insVal+1 } ) == 0 ) | ||
|
||
// test remove | ||
|
||
print( "\tTesting remove for read privilege" ) | ||
|
||
c.remove( { a : insVal+1 } ); | ||
|
||
assert ( c.count( { a : insVal+1 } ) == 0 ) | ||
} | ||
|
||
// this should be run against db to which the user has readWrite access | ||
|
||
function authuser_assertrw(d) { | ||
|
||
db = d | ||
|
||
print( "\tDatabase: " + d.getName() ) | ||
|
||
// test query | ||
|
||
print( "\tTesting query for readWrite privilege" ) | ||
|
||
var q = d.query1; | ||
|
||
assert( q.count() == 1 ) | ||
|
||
// test insert | ||
|
||
print( "\tTesting insert for readWrite privilege" ) | ||
|
||
var insVal = Random.randInt( 16536 ) | ||
|
||
c = d.collection1; | ||
|
||
c.insert( { a : insVal } ); | ||
|
||
assert ( c.count( { a : insVal } ) == 1 ) | ||
|
||
// test update | ||
|
||
print( "\tTesting update for readWrite privilege" ) | ||
|
||
c.update( { a : insVal }, { $inc: { a: +1} } ) | ||
|
||
assert ( c.count( { a : insVal } ) == 0 ) | ||
|
||
assert ( c.count( { a : insVal+1 } ) == 1 ) | ||
|
||
// test remove | ||
|
||
print( "\tTesting remove for readWrite privilege" ) | ||
|
||
c.remove( { a : insVal+1 } ); | ||
|
||
assert ( c.count( { a : insVal+1 } ) == 0 ) | ||
|
||
} | ||
|
||
|
||
// this should be run against db to which the user has no access | ||
|
||
function authuser_assertnone(d) { | ||
|
||
db = d | ||
|
||
print( "\tDatabase: " + d.getName() ) | ||
|
||
try { | ||
|
||
// test query | ||
|
||
print( "\tTesting query for no privileges" ) | ||
|
||
var q = d.query1; | ||
|
||
assert( q.count() == 0 ) | ||
|
||
} catch (e) { | ||
|
||
if (e.message.match(/not authorized/)) { | ||
print( "\tnot authorized exception thrown (expected)" ) | ||
} | ||
|
||
assert ( e.message.match(/not authorized/) ) | ||
|
||
} | ||
|
||
try { | ||
|
||
// test insert | ||
|
||
print( "\tTesting insert for no privileges" ) | ||
|
||
var insVal = Random.randInt( 16536 ) | ||
|
||
c = d.collection1; | ||
|
||
c.insert( { a : insVal } ); | ||
|
||
assert ( c.count( { a : insVal } ) == 0 ) | ||
|
||
} catch (e) { | ||
|
||
if (e.message.match(/not authorized/)) { | ||
print( "\tnot authorized exception thrown (expected)" ) | ||
} | ||
|
||
assert ( e.message.match(/not authorized/) ) | ||
|
||
} | ||
|
||
try { | ||
|
||
// test update | ||
|
||
print( "\tTesting update for no privileges" ) | ||
|
||
c.update( { a : insVal }, { $inc: { a: +1} } ) | ||
|
||
assert ( c.count( { a : insVal } ) == 0 ) | ||
|
||
assert ( c.count( { a : insVal+1 } ) == 0 ) | ||
|
||
} catch (e) { | ||
|
||
if (e.message.match(/not authorized/)) { | ||
print( "\tnot authorized exception thrown (expected)" ) | ||
} | ||
|
||
assert ( e.message.match(/not authorized/) ) | ||
|
||
} | ||
|
||
try { | ||
|
||
// test remove | ||
|
||
print( "\tTesting remove for no privileges" ) | ||
|
||
c.remove( { a : insVal+1 } ); | ||
|
||
assert ( c.count( { a : insVal+1 } ) == 0 ) | ||
|
||
} catch (e) { | ||
|
||
if (e.message.match(/not authorized/)) { | ||
print( "\tnot authorized exception thrown (expected)" ) | ||
} | ||
|
||
assert ( e.message.match(/not authorized/) ) | ||
|
||
} | ||
|
||
} |
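Review bot: The no-privilege checks in authuser_assertnone still pass when the server raises no error at all, because each try block only inspects the exception inside catch; for the query case the surviving assertion is `assert( q.count() == 0 )`, which a server that is not enforcing authorization against an empty `query1` satisfies, and the insert, update and remove blocks have the same shape. Record whether the call actually threw and assert on that, so a silently-permitted operation fails the test rather than passing it. Separately, `db = d` and `c = d.collection1` assign shell globals, and `authuser_assertro` does not reassign `db` while the other two helpers do, so the three leave the caller's `db` in different states; declaring `c` with `var` and either dropping the `db = d` lines or documenting the side effect would make them consistent.
```javascript
// query: must be rejected outright, not merely return nothing
var threw = false;
try {
    d.query1.count();
} catch (e) {
    threw = true;
    assert( e.message.match(/not authorized/) );
}
assert( threw, "query without privileges was not rejected" );
// … unchanged: same shape applied to the insert, update and remove blocks …
```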
@@ -0,0 +1,129 @@ | ||
// name: Add External Users | ||
// mode: auth | ||
// sequence: 20 | ||
|
||
db = db.getSiblingDB( 'admin' ) | ||
|
||
assert( db.auth( 'localadmin' , 'localadmin9a5S' ) ) | ||
|
||
// user counters | ||
var exttest=0 | ||
var extother=0 | ||
|
||
// exttestro has only read on test database | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'exttestro', | ||
roles: [ | ||
{ role: 'read', db: 'test' } | ||
] | ||
}) | ||
exttest++; | ||
|
||
// exttestrw has create and write on test database | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'exttestrw', | ||
roles: [ | ||
{ role: 'readWrite', db: 'test' } | ||
] | ||
}) | ||
exttest++; | ||
|
||
// extotherro has read on other database | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'extotherro', | ||
roles: [ | ||
{ role: 'read', db: 'other' } | ||
] | ||
}) | ||
extother++; | ||
|
||
// extotherrw has | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'extotherrw', | ||
roles: [ | ||
{ role: 'readWrite', db: 'other' } | ||
] | ||
}) | ||
extother++ | ||
|
||
// extbothro has read on test and other database | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'extbothro', | ||
roles: [ | ||
{ role: 'read', db: 'test' }, | ||
{ role: 'read', db: 'other' } | ||
] | ||
}) | ||
exttest++ | ||
extother++ | ||
|
||
// extotherrw has readWrite on test and other database | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'extbothrw', | ||
roles: [ | ||
{ role: 'readWrite', db: 'test' }, | ||
{ role: 'readWrite', db: 'other' } | ||
] | ||
}) | ||
exttest++ | ||
extother++ | ||
|
||
// exttestrwotherro has readWrite on test and read on other database | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'exttestrwotherro', | ||
roles: [ | ||
{ role: 'readWrite', db: 'test' }, | ||
{ role: 'read', db: 'other' } | ||
] | ||
}) | ||
exttest++ | ||
extother++ | ||
|
||
// exttestrootherrw and read on test and readWrite on other | ||
db.getSiblingDB( '$external' ).createUser({ | ||
user: 'exttestrootherrw', | ||
roles: [ | ||
{ role: 'read', db: 'test' }, | ||
{ role: 'readWrite', db: 'other' } | ||
] | ||
}) | ||
exttest++ | ||
extother++ | ||
|
||
// display users from test database | ||
|
||
print( 'test database:' ) | ||
print( '--------------' ) | ||
|
||
var findtest=0 | ||
db.getSiblingDB( 'admin' ).system.users.find( | ||
{ '$and': [ | ||
{ user: /ext.*/ }, | ||
{ roles: { '$elemMatch': {db: 'test'} } } ] | ||
}).forEach( | ||
function(u) { | ||
print( "user: " + u.user ); | ||
findtest++; | ||
} | ||
) | ||
assert ( exttest == findtest ) | ||
|
||
|
||
// display users from other database | ||
|
||
print( '' ) | ||
print( 'other database:' ) | ||
print( '--------------' ) | ||
|
||
var findother=0 | ||
db.getSiblingDB( 'admin' ).system.users.find( | ||
{ '$and': [ | ||
{ user: /ext.*/ }, | ||
{ roles: { '$elemMatch': {db: 'other'} } } ] | ||
}).forEach( | ||
function(u) { | ||
print( "user: " + u.user ); | ||
findother++; | ||
} | ||
) | ||
assert ( extother == findother ) |
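Review bot: The two verification queries over `admin.system.users` filter with the unanchored `user: /ext.*/` and no `db` constraint, so any pre-existing account whose name merely contains "ext" and that holds a role on `test` or `other` is counted too, and the `exttest == findtest` / `extother == findother` assertions no longer measure what this script created. Anchor the pattern and restrict it to the external database in both `$and` arrays: `{ user: /^ext/, db: '$external' },`. The per-user comments are also out of step with the code: `// extotherrw has` is unfinished, the block that creates `extbothrw` is labelled `extotherrw`, and `// exttestrootherrw and read on test` should read `// exttestrootherrw has read on test and readWrite on other`. The `localadmin` password on the `db.auth` line is presumably the fixture shared with the setup scripts; a one-line comment saying it must match the deploy script would save the next person a hunt when the two drift apart.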