Added external_auth unit tests and setup scripts.

Author: David Bennett <david.bennett@percona.com> (cherry picked from commit f8c12ee) (cherry picked from commit b6cf082)
percona · May 16, 2016 · 2618824 · 2618824
1 parent 5a550e9
commit 2618824
Show file tree

Hide file tree

Showing 35 changed files with 1,571 additions and 0 deletions.
diff --git a/jstests/external_auth/README.md b/jstests/external_auth/README.md
@@ -0,0 +1,18 @@
+# Percona Server for MongoDB LDAP test suite
+
+This script assumes you have deployed the LDAP and SASL packages from the
+/setup directory.
+
+In order to run this tests, you must first build the Percona Server for
+MongoDB with SASL authentication support and install.
+
+Set the MONGODB_HOME shell variable to the directory you install into 
+and execute the ./run.sh
+
+example:
+
+        cd support-files/ldap-sasl
+        ./deploy_ldap_and_sasl.sh
+        cd ../jstests/external_auth
+        export MONGODB_HOME=/opt/percona-server-for-mongodb-3.x
+        ./run.sh
diff --git a/jstests/external_auth/_functions.js b/jstests/external_auth/_functions.js
@@ -0,0 +1,210 @@
+// functions used by the external authentication tests
+
+// random word
+
+// from linuxask.com
+
+function randomString(len) { 
+  var chars = "abcdefghiklmnopqrstuvwxyz"; 
+  var randomstring = ''; 
+  var string_length = len;
+  for (var i=0; i<string_length; i++) { 
+    var rnum = Math.floor(Math.random() * chars.length); 
+    randomstring += chars.substring(rnum,rnum+1); 
+  } 
+  return randomstring; 
+} 
+
+var toType = function(obj) {
+  return ({}).toString.call(obj).match(/\s([a-zA-Z]+)/)[1].toLowerCase()
+}
+
+// this should be run against db to which the user has read (only) access
+
+function authuser_assertro(d) {
+
+  print( "\tDatabase: " + d.getName() )
+
+  // test query
+
+  print( "\tTesting query in read privilege" )
+
+  var q = d.query1;
+
+  assert( q.count() == 1 )  
+
+  // test insert
+
+  print( "\tTesting insert for read privilege" )
+
+  var insVal = Random.randInt( 16536 )
+
+  c = d.collection1;
+
+  c.insert( { a : insVal } );
+
+  assert ( c.count( { a : insVal } ) == 0 )
+
+  // test update
+
+  print( "\tTesting update for read privilege" )
+
+  c.update( { a : insVal }, { $inc: { a: +1} } )
+
+  assert ( c.count( { a : insVal } ) == 0 )
+
+  assert ( c.count( { a : insVal+1 } ) == 0 )
+
+  // test remove 
+
+  print( "\tTesting remove for read privilege" )
+
+  c.remove( { a : insVal+1 } );
+
+  assert ( c.count( { a : insVal+1 } ) == 0 )
+}
+
+// this should be run against db to which the user has readWrite access
+
+function authuser_assertrw(d) {
+
+  db = d
+
+  print( "\tDatabase: " + d.getName() )
+
+  // test query
+
+  print( "\tTesting query for readWrite privilege" )
+
+  var q = d.query1;
+
+  assert( q.count() == 1 )  
+
+  // test insert
+
+  print( "\tTesting insert for readWrite privilege" )
+
+  var insVal = Random.randInt( 16536 )
+
+  c = d.collection1;
+
+  c.insert( { a : insVal } );
+
+  assert ( c.count( { a : insVal } ) == 1 )
+
+  // test update
+
+  print( "\tTesting update for readWrite privilege" )
+
+  c.update( { a : insVal }, { $inc: { a: +1} } )
+
+  assert ( c.count( { a : insVal } ) == 0 )
+
+  assert ( c.count( { a : insVal+1 } ) == 1 )
+
+  // test remove 
+
+  print( "\tTesting remove for readWrite privilege" )
+
+  c.remove( { a : insVal+1 } );
+
+  assert ( c.count( { a : insVal+1 } ) == 0 )
+
+}
+
+
+// this should be run against db to which the user has no access
+
+function authuser_assertnone(d) {
+
+  db = d
+
+  print( "\tDatabase: " + d.getName() )
+
+  try {
+
+    // test query
+
+    print( "\tTesting query for no privileges" )
+
+    var q = d.query1;
+
+    assert( q.count() == 0 )  
+
+  } catch (e) {
+
+    if (e.message.match(/not authorized/)) {
+      print( "\tnot authorized exception thrown (expected)" )
+    }
+
+    assert ( e.message.match(/not authorized/) )
+
+  }
+
+  try {
+
+    // test insert
+
+    print( "\tTesting insert for no privileges" )
+
+    var insVal = Random.randInt( 16536 )
+
+    c = d.collection1;
+
+    c.insert( { a : insVal } );
+
+    assert ( c.count( { a : insVal } ) == 0 )
+
+  } catch (e) {
+
+    if (e.message.match(/not authorized/)) {
+      print( "\tnot authorized exception thrown (expected)" )
+    }
+
+    assert ( e.message.match(/not authorized/) )
+
+  }
+
+  try {
+
+    // test update
+
+    print( "\tTesting update for no privileges" )
+
+    c.update( { a : insVal }, { $inc: { a: +1} } )
+
+    assert ( c.count( { a : insVal } ) == 0 )
+
+    assert ( c.count( { a : insVal+1 } ) == 0 )
+
+  } catch (e) {
+
+    if (e.message.match(/not authorized/)) {
+      print( "\tnot authorized exception thrown (expected)" )
+    }
+
+    assert ( e.message.match(/not authorized/) )
+
+  }
+
+  try {
+
+    // test remove 
+
+    print( "\tTesting remove for no privileges" )
+
+    c.remove( { a : insVal+1 } );
+
+    assert ( c.count( { a : insVal+1 } ) == 0 )
+
+  } catch (e) {
+
+    if (e.message.match(/not authorized/)) {
+      print( "\tnot authorized exception thrown (expected)" )
+    }
+
+    assert ( e.message.match(/not authorized/) )
+
+  }
+
+}
diff --git a/jstests/external_auth/addExtUsers.js b/jstests/external_auth/addExtUsers.js
@@ -0,0 +1,129 @@
+// name: Add External Users
+// mode: auth
+// sequence: 20
+
+db = db.getSiblingDB( 'admin' )
+
+assert( db.auth( 'localadmin' , 'localadmin9a5S' ) )
+
+// user counters
+var exttest=0
+var extother=0
+
+// exttestro has only read on test database
+db.getSiblingDB( '$external' ).createUser({
+  user: 'exttestro',
+  roles: [
+    { role: 'read',  db: 'test' }
+  ]
+})
+exttest++;
+
+// exttestrw has create and write on test database
+db.getSiblingDB( '$external' ).createUser({
+  user: 'exttestrw',
+  roles: [
+    { role: 'readWrite', db: 'test' }
+  ]
+})
+exttest++;
+
+// extotherro has read on other database
+db.getSiblingDB( '$external' ).createUser({
+  user: 'extotherro',
+  roles: [
+    { role: 'read', db: 'other' }
+  ]
+})
+extother++;
+
+// extotherrw has 
+db.getSiblingDB( '$external' ).createUser({
+  user: 'extotherrw',
+  roles: [
+    { role: 'readWrite', db: 'other' }
+  ]
+})
+extother++
+
+// extbothro has read on test and other database
+db.getSiblingDB( '$external' ).createUser({
+  user: 'extbothro',
+  roles: [
+    { role: 'read', db: 'test' },
+    { role: 'read', db: 'other' }
+  ]
+})
+exttest++
+extother++
+
+// extotherrw has readWrite on test and other database 
+db.getSiblingDB( '$external' ).createUser({
+  user: 'extbothrw',
+  roles: [
+    { role: 'readWrite', db: 'test' },
+    { role: 'readWrite', db: 'other' }
+  ]
+})
+exttest++
+extother++
+
+// exttestrwotherro has readWrite on test and read on other database
+db.getSiblingDB( '$external' ).createUser({
+  user: 'exttestrwotherro',
+  roles: [
+    { role: 'readWrite', db: 'test' },
+    { role: 'read', db: 'other' }
+  ]
+})
+exttest++
+extother++
+
+// exttestrootherrw and read on test and readWrite on other 
+db.getSiblingDB( '$external' ).createUser({
+  user: 'exttestrootherrw',
+  roles: [
+    { role: 'read', db: 'test' },
+    { role: 'readWrite', db: 'other' }
+  ]
+})
+exttest++
+extother++
+
+// display users from test database
+
+print( 'test database:' )
+print( '--------------' )
+
+var findtest=0
+db.getSiblingDB( 'admin' ).system.users.find(
+  { '$and': [
+    { user: /ext.*/ },
+    { roles: { '$elemMatch': {db: 'test'} } } ]
+  }).forEach(
+    function(u) {
+      print( "user: " + u.user );
+      findtest++;
+    }
+)
+assert ( exttest == findtest )
+
+
+// display users from other database
+
+print( '' )
+print( 'other database:' )
+print( '--------------' )
+
+var findother=0
+db.getSiblingDB( 'admin' ).system.users.find(
+  { '$and': [
+    { user: /ext.*/ },
+    { roles: { '$elemMatch': {db: 'other'} } } ]
+  }).forEach(
+    function(u) {
+      print( "user: " + u.user );
+      findother++;
+    }
+)
+assert ( extother == findother )