← Back to branch summary

~evarlast/ubuntu/utopic/mongodb/upstart-workaround-debian-bug-718702

« back to all changes in this revision

Viewing changes to jstests/auth/renameSystemCollections.js

  • Committer: Package Import Robot
  • Author(s): James Page, James Page, Robie Basak
  • Date: 2013-05-29 17:44:42 UTC
  • mfrom: (44.1.7 sid)
  • Revision ID: package-import@ubuntu.com-20130529174442-z0a4qmoww4y0t458
Tags: 1:2.4.3-1ubuntu1
[ James Page ]
* Merge from Debian unstable, remaining changes:
  - Enable SSL support:
    + d/control: Add libssl-dev to BD's.
    + d/rules: Enabled --ssl option.
    + d/mongodb.conf: Add example SSL configuration options.
  - d/mongodb-server.mongodb.upstart: Add upstart configuration.
  - d/rules: Don't strip binaries during scons build for Ubuntu.
  - d/control: Add armhf to target archs.
  - d/p/SConscript.client.patch: fixup install of client libraries.
  - d/p/0010-install-libs-to-usr-lib-not-usr-lib64-Closes-588557.patch:
    Install libraries to lib not lib64.
* Dropped changes:
  - d/p/arm-support.patch: Included in Debian.
  - d/p/double-alignment.patch: Included in Debian.
  - d/rules,control: Debian also builds with avaliable system libraries
    now.
* Fix FTBFS due to gcc and boost upgrades in saucy:
  - d/p/0008-ignore-unused-local-typedefs.patch: Add -Wno-unused-typedefs
    to unbreak building with g++-4.8.
  - d/p/0009-boost-1.53.patch: Fixup signed/unsigned casting issue.

[ Robie Basak ]
* d/p/0011-Use-a-signed-char-to-store-BSONType-enumerations.patch: Fixup
  build failure on ARM due to missing signed'ness of char cast.

Show diffs side-by-side

added added

removed removed

Lines of Context:
jstests/auth/renameSystemCollections.js
 
1
// SERVER-8623: Test that renameCollection can't be used to bypass auth checks on system namespaces
 
2
var conn = MongoRunner.runMongod({auth : ""});
 
3
 
 
4
var adminDB = conn.getDB("admin");
 
5
var testDB = conn.getDB("testdb");
 
6
var testDB2 = conn.getDB("testdb2");
 
7
 
 
8
testDB.addUser({user:'spencer',
 
9
                pwd:'password',
 
10
                roles:['readWrite']});
 
11
 
 
12
adminDB.addUser({user:'userAdmin',
 
13
                 pwd:'password',
 
14
                 roles:['userAdminAnyDatabase']});
 
15
 
 
16
var userAdminConn = new Mongo(conn.host);
 
17
userAdminConn.getDB('admin').auth('userAdmin', 'password');
 
18
userAdminConn.getDB('admin').addUser({user:'readWriteAdmin',
 
19
                                      pwd:'password',
 
20
                                      roles:['readWriteAnyDatabase']});
 
21
 
 
22
 
 
23
// Test that a readWrite user can't rename system.profile to something they can read.
 
24
testDB.auth('spencer', 'password');
 
25
res = testDB.system.profile.renameCollection("profile");
 
26
assert.eq(0, res.ok);
 
27
assert.eq("unauthorized", res.errmsg);
 
28
 
 
29
 
 
30
// Test that a readWrite user can't rename system.users to something they can read.
 
31
var res = testDB.system.users.renameCollection("users");
 
32
assert.eq(0, res.ok);
 
33
assert.eq("unauthorized", res.errmsg);
 
34
assert.eq(0, testDB.users.count());
 
35
 
 
36
 
 
37
// Test that a readWrite user can't use renameCollection to override system.users
 
38
testDB.users.insert({user:'backdoor',
 
39
                     pwd:'hashedpassword',
 
40
                     roles:'userAdmin'});
 
41
res = testDB.users.renameCollection("system.users", true);
 
42
assert.eq(0, res.ok);
 
43
assert.eq("unauthorized", res.errmsg);
 
44
assert.eq(null, userAdminConn.getDB('testdb').system.users.findOne({user:'backdoor'}));
 
45
 
 
46
 
 
47
// Test that a readWrite user can't create system.users using renameCollection
 
48
adminDB.auth('readWriteAdmin', 'password');
 
49
testDB2.users.insert({user:'backdoor',
 
50
                      pwd:'hashedpassword',
 
51
                      roles:'userAdmin'});
 
52
res = testDB2.users.renameCollection("system.users");
 
53
assert.eq(0, res.ok);
 
54
assert.eq("unauthorized", res.errmsg);
 
55
assert.eq(0, userAdminConn.getDB('testdb2').system.users.count());
 
56
 
 
57
 
 
58
// Test that you can't rename system.users across databases
 
59
testDB2.users.drop();
 
60
var res = adminDB.runCommand({renameCollection:'testdb.system.users', to:'testdb2.users'});
 
61
assert.eq(0, res.ok);
 
62
assert.eq("unauthorized", res.errmsg);
 
63
assert.eq(0, testDB2.users.count());
 
64
 
 
65
 
 
66
// Test that a userAdmin can't rename system.users without readWrite
 
67
testDB.users.drop();
 
68
var res = userAdminConn.getDB('testdb').system.users.renameCollection("users");
 
69
assert.eq(0, res.ok);
 
70
assert.eq("unauthorized", res.errmsg);
 
71
assert.eq(0, testDB.users.count());
 
72
 
 
73
 
 
74
// Test that with userAdmin AND dbAdmin you CAN rename to/from system.users
 
75
adminDB.auth('userAdmin', 'password');
 
76
var res = testDB.system.users.renameCollection("users");
 
77
assert.eq(1, res.ok);
 
78
assert.eq(1, testDB.users.count());
 
79
 
 
80
testDB.users.drop();
 
81
testDB.users.insert({user:'newUser',
 
82
                     pwd:'hashedPassword',
 
83
                     roles:['readWrite']});
 
84
var res = testDB.users.renameCollection("system.users");
 
85
assert.eq(1, res.ok);
 
86
assert.neq(null, testDB.system.users.findOne({user:'newUser'}));
 
87
assert.eq(null, testDB.system.users.findOne({user:'spencer'}));