Skip to content

Commit

Permalink
SERVER-30113: Add auth restriction unittests to AuthorizationSession
Browse files Browse the repository at this point in the history
  • Loading branch information
@spencerjackson
spencerjackson committed Jul 14, 2017
1 parent ebd0ca5 commit 9b63b78
Showing 1 changed file with 85 additions and 0 deletions.
85 changes: 85 additions & 0 deletions src/mongo/db/auth/authorization_session_test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -569,6 +569,91 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) {
authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::insert));
}

TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRestrictions) {
ASSERT_OK(managerState->insertPrivilegeDocument(
_opCtx.get(),
BSON("user"
<< "spencer"
<< "db"
<< "test"
<< "credentials"
<< BSON("MONGODB-CR"
<< "a")
<< "roles"
<< BSON_ARRAY(BSON("role"
<< "readWrite"
<< "db"
<< "test"))
<< "authenticationRestrictions"
<< BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("192.168.0.0/24"
<< "192.168.2.10")
<< "serverAddress"
<< BSON_ARRAY("192.168.0.2"))
<< BSON("clientSource" << BSON_ARRAY("2001:DB8::1") << "serverAddress"
<< BSON_ARRAY("2001:DB8::2"))
<< BSON("clientSource" << BSON_ARRAY("127.0.0.1"
<< "::1")
<< "serverAddress"
<< BSON_ARRAY("127.0.0.1"
<< "::1")))),
BSONObj()));


auto assertWorks = [this](StringData clientSource, StringData serverAddress) {
RestrictionEnvironment::set(
session,
stdx::make_unique<RestrictionEnvironment>(SockAddr(clientSource, 5555, AF_UNSPEC),
SockAddr(serverAddress, 27017, AF_UNSPEC)));
ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
};

auto assertFails = [this](StringData clientSource, StringData serverAddress) {
RestrictionEnvironment::set(
session,
stdx::make_unique<RestrictionEnvironment>(SockAddr(clientSource, 5555, AF_UNSPEC),
SockAddr(serverAddress, 27017, AF_UNSPEC)));
ASSERT_NOT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));
};

// The empty RestrictionEnvironment will cause addAndAuthorizeUser to fail.
ASSERT_NOT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test")));

// A clientSource from the 192.168.0.0/24 block will succeed in connecting to a server
// listening on 192.168.0.2.
assertWorks("192.168.0.6", "192.168.0.2");
assertWorks("192.168.0.12", "192.168.0.2");

// A client connecting from the explicitly whitelisted addresses can connect to a
// server listening on 192.168.0.2
assertWorks("192.168.2.10", "192.168.0.2");

// A client from either of these sources must connect to the server via the serverAddress
// expressed in the restriction.
assertFails("192.168.0.12", "127.0.0.1");
assertFails("192.168.2.10", "127.0.0.1");
assertFails("192.168.0.12", "192.168.1.3");
assertFails("192.168.2.10", "192.168.1.3");

// A client outside of these two sources cannot connect to the server.
assertFails("192.168.1.12", "192.168.0.2");
assertFails("192.168.1.10", "192.168.0.2");


// An IPv6 client from the correct address may use the IPv6 restriction to connect to the
// server.
assertWorks("2001:DB8::1", "2001:DB8::2");
assertFails("2001:DB8::1", "2001:DB8::3");
assertFails("2001:DB8::2", "2001:DB8::1");

// A localhost client can connect to a localhost server, using the second addressRestriction
assertWorks("127.0.0.1", "127.0.0.1");
assertWorks("::1", "::1");
assertWorks("::1", "127.0.0.1"); // Silly case
assertWorks("127.0.0.1", "::1"); // Silly case
assertFails("192.168.0.6", "127.0.0.1");
assertFails("127.0.0.1", "192.168.0.2");
}

TEST_F(AuthorizationSessionTest, CheckAuthForAggregateFailsIfPipelineIsNotAnArray) {
BSONObj cmdObjIntPipeline = BSON("aggregate" << testFooNss.coll() << "pipeline" << 7);
ASSERT_EQ(ErrorCodes::TypeMismatch,
Expand Down

0 comments on commit 9b63b78

Please sign in to comment.