mongo 1.10.0.rc0 → 1.10.0.rc1
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/VERSION +1 -1
- data/lib/mongo/bulk_write_collection_view.rb +31 -3
- data/lib/mongo/collection.rb +69 -25
- data/lib/mongo/collection_writer.rb +3 -2
- data/lib/mongo/connection/node.rb +5 -0
- data/lib/mongo/cursor.rb +4 -1
- data/lib/mongo/db.rb +23 -41
- data/lib/mongo/functional.rb +2 -0
- data/lib/mongo/functional/authentication.rb +18 -3
- data/lib/mongo/functional/sasl_java.rb +48 -0
- data/lib/mongo/functional/uri_parser.rb +62 -50
- data/lib/mongo/mongo_client.rb +24 -9
- data/lib/mongo/mongo_replica_set_client.rb +16 -5
- data/lib/mongo/networking.rb +3 -3
- data/lib/mongo/utils/conversions.rb +2 -1
- data/test/functional/authentication_test.rb +6 -1
- data/test/functional/bulk_api_stress_test.rb +133 -0
- data/test/functional/bulk_write_collection_view_test.rb +573 -226
- data/test/functional/client_test.rb +3 -1
- data/test/functional/collection_test.rb +336 -17
- data/test/functional/conversions_test.rb +32 -0
- data/test/functional/cursor_test.rb +3 -3
- data/test/functional/db_api_test.rb +2 -2
- data/test/functional/db_test.rb +24 -0
- data/test/functional/uri_test.rb +49 -32
- data/test/helpers/test_unit.rb +8 -0
- data/test/replica_set/authentication_test.rb +5 -1
- data/test/replica_set/client_test.rb +5 -4
- data/test/replica_set/max_values_test.rb +6 -0
- data/test/shared/authentication/basic_auth_shared.rb +101 -30
- data/test/shared/authentication/bulk_api_auth_shared.rb +259 -0
- data/test/shared/authentication/gssapi_shared.rb +164 -0
- data/test/shared/ssl_shared.rb +49 -27
- data/test/unit/client_test.rb +4 -2
- data/test/unit/connection_test.rb +4 -2
- data/test/unit/cursor_test.rb +12 -0
- data/test/unit/db_test.rb +6 -0
- metadata +27 -20
- metadata.gz.sig +0 -0
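--- a/data/test/shared/authentication/bulk_api_auth_shared.rb
+++ b/data/test/shared/authentication/bulk_api_auth_shared.rb
@@ -0,0 +1,259 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0x
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module BulkAPIAuthTests
+
+include Mongo
+
+def init_auth_bulk
+# enable authentication
+@admin = @client["admin"]
+@admin.add_user('admin', 'password', nil, :roles => ['readWriteAnyDatabase',
+'userAdminAnyDatabase',
+'dbAdminAnyDatabase'])
+@admin.authenticate('admin', 'password')
+
+# Set up the test db
+@collection = @db["bulk-api-auth-tests"]
+
+# db user can insert but not remove
+res = BSON::OrderedHash.new
+res[:db] = TEST_DB
+res[:collection] = ""
+
+cmd = BSON::OrderedHash.new
+cmd[:createRole] = "insertOnly"
+cmd[:privileges] = [{:resource => res, :actions => [ "insert", "find" ]}]
+cmd[:roles] = []
+@db.command(cmd)
+@db.add_user('insertOnly', 'password', nil, :roles => ['insertOnly'])
+
+# db user can insert and remove
+cmd = BSON::OrderedHash.new
+cmd[:createRole] = "insertAndRemove"
+cmd[:privileges] = [{:resource => res, :actions => [ "insert", "remove", "find" ]}]
+cmd[:roles] = []
+@db.command(cmd)
+@db.add_user('insertAndRemove', 'password', nil, :roles => ['insertAndRemove'])
+
+# for 2.4 cleanup etc.
+@db.add_user('admin', 'password', nil, :roles => ['readWrite',
+'userAdmin',
+'dbAdmin'])
+@admin.logout
+end
+
+def teardown_bulk
+remove_all_users_and_roles(@db, 'admin', 'password')
+remove_all_users_and_roles(@admin, 'admin', 'password')
+end
+
+def clear_collection(collection)
+@admin.authenticate('admin', 'password')
+collection.remove
+@admin.logout
+end
+
+def remove_all_users_and_roles(database, username, password)
+@admin.authenticate('admin', 'password')
+if @version < '2.5.3'
+database['system.users'].remove
+else
+database.command({:dropAllRolesFromDatabase => 1})
+database.command({:dropAllUsersFromDatabase => 1})
+end
+@admin.logout
+end
+
+def test_auth_no_error
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertAndRemove', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:a => 1})
+bulk.find({:a => 1}).remove_one
+
+result = bulk.execute
+assert_match_document(
+{
+"ok" => 1,
+"nInserted" => 1,
+"nRemoved" => 1
+}, result, "wire_version:#{wire_version}")
+assert_equal 0, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_auth_error
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:a => 1})
+bulk.find({:a => 1}).remove
+bulk.insert({:a => 2})
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_match_document(
+{
+"ok" => 1,
+"n" => 1,
+"writeErrors" =>
+[{
+"index" => 1,
+"code" => 13,
+"errmsg" => /not authorized/
+}],
+"code" => 65,
+"errmsg" => "batch item errors occurred",
+"nInserted" => 1
+}, result, "wire_version:#{wire_version}")
+assert_equal 1, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_auth_error_unordered
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_unordered_bulk_op
+bulk.insert({:a => 1})
+bulk.find({:a => 1}).remove_one
+bulk.insert({:a => 2})
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_equal 1, result["writeErrors"].length
+assert_equal 2, result["n"]
+assert_equal 2, result["nInserted"]
+assert_equal 2, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_duplicate_key_with_auth_error
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:_id => 1, :a => 1})
+bulk.insert({:_id => 1, :a => 2})
+bulk.find({:a => 1}).remove_one
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_match_document(
+{
+"ok" => 1,
+"n" => 1,
+"writeErrors" =>
+[{
+"index" => 1,
+"code" => 11000,
+"errmsg" => /duplicate key error/
+}],
+"code" => 65,
+"errmsg" => "batch item errors occurred",
+"nInserted" => 1
+}, result, "wire_version:#{wire_version}")
+assert_equal 1, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_duplicate_key_with_auth_error_unordered
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_unordered_bulk_op
+bulk.insert({:_id => 1, :a => 1})
+bulk.insert({:_id => 1, :a => 1})
+bulk.find({:a => 1}).remove_one
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_equal 2, result["writeErrors"].length
+assert_equal 1, result["n"]
+assert_equal 1, result["nInserted"]
+assert_equal 1, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_write_concern_error_with_auth_error
+with_no_replication(@db.connection) do
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:_id => 1, :a => 1})
+bulk.insert({:_id => 2, :a => 1})
+bulk.find({:a => 1}).remove_one
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute({:w => 2})
+end
+result = ex.result
+
+assert_match_document(
+{
+"ok" => 0,
+"n" => 0,
+"nInserted" => 0,
+"writeErrors" =>
+[{
+"index" => 0,
+"code" => 2,
+"errmsg" => /'w' > 1/
+}],
+"code" => 65,
+"errmsg" => "batch item errors occurred"
+}, result, "wire_version#{wire_version}")
+# Re-visit this when RUBY-731 is resolved:
+assert (@collection.count == batch_commands?(wire_version) ? 0 : 1)
+@db.logout
+end
+teardown_bulk
+end
+end
+
+end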
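Review bot: The last count check in `test_write_concern_error_with_auth_error` (new line 252) can never fail, because `assert (@collection.count == batch_commands?(wire_version) ? 0 : 1)` parses as `(count == batch_commands?(...)) ? 0 : 1` and both 0 and 1 are truthy in Ruby. Compute the expectation first and compare against it, for example `assert_equal((batch_commands?(wire_version) ? 0 : 1), @collection.count)`. Separately, every test calls `teardown_bulk` as its final statement rather than from an `ensure`, so a failed assertion leaves the `admin`, `insertOnly` and `insertAndRemove` users and roles (all created with the password `password`) on the test server for whatever runs next. `remove_all_users_and_roles` also accepts `username` and `password` but authenticates with the hard-coded `'admin', 'password'`; either use the parameters or drop them.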
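--- a/data/test/shared/authentication/gssapi_shared.rb
+++ b/data/test/shared/authentication/gssapi_shared.rb
@@ -0,0 +1,164 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GSSAPITests
+
+# Tests for the GSSAPI Authentication Mechanism.
+#
+# Note: These tests will be skipped automatically unless the test environment
+# has been configured.
+#
+# In order to run these tests, you must be using JRuby and must set the following
+# environment variables. The realm and KDC are required so that the corresponding
+# system properties can be set:
+#
+# export MONGODB_GSSAPI_HOST='server.domain.com'
+# export MONGODB_GSSAPI_USER='applicationuser@example.com'
+# export MONGODB_GSSAPI_REALM='applicationuser@example.com'
+# export MONGODB_GSSAPI_KDC='SERVER.DOMAIN.COM'
+#
+# You must either use kinit or provide a config file that references a keytab file:
+#
+# export JAAS_LOGIN_CONFIG_FILE='file:///path/to/config/file'
+#
+MONGODB_GSSAPI_HOST = ENV['MONGODB_GSSAPI_HOST']
+MONGODB_GSSAPI_USER = ENV['MONGODB_GSSAPI_USER']
+MONGODB_GSSAPI_REALM = ENV['MONGODB_GSSAPI_REALM']
+MONGODB_GSSAPI_KDC = ENV['MONGODB_GSSAPI_KDC']
+MONGODB_GSSAPI_PORT = ENV['MONGODB_GSSAPI_PORT'] || '27017'
+JAAS_LOGIN_CONFIG_FILE = ENV['JAAS_LOGIN_CONFIG_FILE']
+
+if ENV.key?('MONGODB_GSSAPI_HOST') && ENV.key?('MONGODB_GSSAPI_USER') &&
+ENV.key?('MONGODB_GSSAPI_REALM') && ENV.key?('MONGODB_GSSAPI_KDC') && RUBY_PLATFORM =~ /java/
+def test_gssapi_authenticate
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+if client['admin'].command(:isMaster => 1)['setName']
+client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+end
+
+set_system_properties
+db = client['kerberos']
+db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI')
+assert db.command(:dbstats => 1)
+
+threads = []
+4.times do
+threads << Thread.new do
+assert db.command(:dbstats => 1)
+end
+end
+threads.each(&:join)
+end
+
+def test_gssapi_authenticate_uri
+require 'cgi'
+set_system_properties
+username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+"authMechanism=GSSAPI"
+client = @client.class.from_uri(uri)
+assert client['kerberos'].command(:dbstats => 1)
+end
+
+def test_wrong_service_name_fails
+extra_opts = { :gssapi_service_name => 'example' }
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+if client['admin'].command(:isMaster => 1)['setName']
+client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+end
+
+set_system_properties
+assert_raise_error Java::OrgMongodbSasl::MongoSecurityException do
+client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+end
+end
+
+def test_wrong_service_name_fails_uri
+set_system_properties
+
+require 'cgi'
+username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+"authMechanism=GSSAPI&gssapiServiceName=example"
+client = @client.class.from_uri(uri)
+assert_raise_error Java::OrgMongodbSasl::MongoSecurityException do
+client['kerberos'].command(:dbstats => 1)
+end
+end
+
+def test_extra_opts
+extra_opts = { :gssapi_service_name => 'example', :canonicalize_host_name => true }
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+set_system_properties
+
+Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]
+opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]
+end.returns('ok' => true )
+client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+end
+
+def test_extra_opts_uri
+extra_opts = { :gssapi_service_name => 'example', :canonicalize_host_name => true }
+set_system_properties
+
+Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]
+opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]
+end.returns('ok' => true)
+
+require 'cgi'
+username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+"authMechanism=GSSAPI&gssapiServiceName=example&canonicalizeHostName=true"
+client = @client.class.from_uri(uri)
+client.expects(:receive_message).returns([[{ 'ok' => 1 }], 1, 1])
+client['kerberos'].command(:dbstats => 1)
+end
+
+# In order to run this test, you must set the following environment variable:
+#
+# export MONGODB_GSSAPI_HOST_IP='---.---.---.---'
+#
+if ENV.key?('MONGODB_GSSAPI_HOST_IP')
+def test_canonicalize_host_name
+extra_opts = { :canonicalize_host_name => true }
+set_system_properties
+client = Mongo::MongoClient.new(ENV['MONGODB_GSSAPI_HOST_IP'], MONGODB_GSSAPI_PORT)
+
+db = client['kerberos']
+db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+assert db.command(:dbstats => 1)
+end
+end
+
+def test_invalid_extra_options
+extra_opts = { :invalid => true, :option => true }
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST)
+
+assert_raise Mongo::MongoArgumentError do
+client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+end
+end
+
+private
+def set_system_properties
+java.lang.System.set_property 'javax.security.auth.useSubjectCredsOnly', 'false'
+java.lang.System.set_property "java.security.krb5.realm", MONGODB_GSSAPI_REALM
+java.lang.System.set_property "java.security.krb5.kdc", MONGODB_GSSAPI_KDC
+java.lang.System.set_property "java.security.auth.login.config", JAAS_LOGIN_CONFIG_FILE if JAAS_LOGIN_CONFIG_FILE
+end
+end
+
+end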
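Review bot: In `test_extra_opts` and `test_extra_opts_uri` the block passed to `.with` holds two comparisons on separate lines (new lines 106-107 and 117-118), so only the `canonicalize_host_name` comparison is the block's value and the `gssapi_service_name` one is discarded; a wrong service name would still satisfy the expectation. Join them with `&&`: `opts[:gssapi_service_name] == extra_opts[:gssapi_service_name] && opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]`. The three URI tests also interpolate `ENV['MONGODB_GSSAPI_PORT']` rather than the `MONGODB_GSSAPI_PORT` constant, so the `'27017'` default is lost and the URI gets an empty port when the variable is unset. In the header comment the `MONGODB_GSSAPI_REALM` example repeats the user principal and the `MONGODB_GSSAPI_KDC` example is an upper-case domain, which looks like the two sample values were mixed up; worth confirming before someone copies them.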
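--- a/data/test/shared/ssl_shared.rb
+++ b/data/test/shared/ssl_shared.rb
@@ -15,9 +15,10 @@
 module SSLTests
 include Mongo
 
-
-
-
+MONGODB_X509_USERNAME = 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+CERT_PATH = "#{Dir.pwd}/test/fixtures/certificates/"
+CLIENT_CERT = "#{CERT_PATH}client.pem"
+CA_CERT = "#{CERT_PATH}ca.pem"
 
 def create_client(*args)
 if @client_class == MongoClient
@@ -27,6 +28,14 @@ module SSLTests
 end
 end
 
+# Requires MongoDB not built with SSL
+#
+def test_ssl_not_configured
+assert_raise Mongo::ConnectionTimeoutError do
+create_client(['localhost', 27017], :connect_timeout => 2, :ssl => true)
+end
+end
+
 # This test doesn't connect, no server config required
 def test_ssl_configuration
 # raises when ssl=false and ssl opts specified
@@ -134,40 +143,53 @@ module SSLTests
 # --sslCAFile /path/to/ca.pem \
 # --sslCRLFile /path/to/crl.pem
 #
-
+# Note that the cert requires username:
+# 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+#
+def test_x509_authentication
+mechanism = 'MONGODB-X509'
 
-
-
-
-:ssl_cert => CLIENT_CERT)
+client = create_client(@connect_info, :ssl => true,
+:ssl_cert => CLIENT_CERT,
+:ssl_key => CLIENT_CERT)
 
-
+return unless client.server_version > '2.5.2'
 
-
-db = client.db('$external')
+db = client.db('$external')
 
-
-
-
-
+# add user for test (enable auth)
+roles = [{:role => 'readWriteAnyDatabase', :db => 'admin'},
+{:role => 'userAdminAnyDatabase', :db => 'admin'}]
+db.add_user(MONGODB_X509_USERNAME, nil, false, :roles => roles)
 
-
-
+assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+assert db.collection_names
 
-
-
-
-
+assert db.logout
+assert_raise Mongo::OperationFailure do
+db.collection_names
+end
 
-
-
-
+# username and valid certificate don't match
+assert_raise Mongo::AuthenticationError do
+db.authenticate('test', nil, nil, nil, mechanism)
+end
 
-
-
-db.
+# username required
+assert_raise Mongo::AuthenticationError do
+db.authenticate(nil, nil, nil, nil, mechanism)
 end
 
+assert MongoClient.from_uri(
+"mongodb://#{MONGODB_X509_USERNAME}@#{@uri_info}/?ssl=true;authMechanism=#{mechanism}",
+:ssl_cert => CLIENT_CERT,
+:ssl_key => CLIENT_CERT)
+assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+assert db.collection_names
+
+# clean up and remove all users
+db.command(:dropAllUsersFromDatabase => 1)
+db.logout
 end
 
 end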
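Review bot: The client returned by `MongoClient.from_uri(...)` near the end of `test_x509_authentication` (new lines 183-186) is only checked for truthiness and then dropped; the `db.authenticate` and `db.collection_names` calls after it still go through `db` from the first client, so the URI form of `MONGODB-X509` is not actually exercised. Keep the result and query through it, e.g. `uri_client = MongoClient.from_uri(...)` followed by `assert uri_client.db('$external').collection_names`. The subject DN is also interpolated into the URI unescaped although it contains spaces, commas and `=`; the GSSAPI tests added in this release pass the username through `CGI::escape`, and the same is probably needed here. `CA_CERT` is defined in the first hunk, but the clients visible in this section pass only `:ssl_cert` and `:ssl_key`, so it is worth a comment stating whether the server certificate is verified in this test. The `dropAllUsersFromDatabase` cleanup runs only when every assertion passes; moving it into an `ensure` would stop a failed run from leaving the `userAdminAnyDatabase` user in `$external`.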