mongo 1.10.0.rc0 → 1.10.0.rc1

data/test/shared/authentication/bulk_api_auth_shared.rb

@@ -0,0 +1,259 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0x
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module BulkAPIAuthTests
+
+  include Mongo
+
+  def init_auth_bulk
+    # enable authentication
+    @admin = @client["admin"]
+    @admin.add_user('admin', 'password', nil, :roles => ['readWriteAnyDatabase',
+                                                         'userAdminAnyDatabase',
+                                                         'dbAdminAnyDatabase'])
+    @admin.authenticate('admin', 'password')
+
+    # Set up the test db
+    @collection = @db["bulk-api-auth-tests"]
+
+    # db user can insert but not remove
+    res = BSON::OrderedHash.new
+    res[:db] = TEST_DB
+    res[:collection] = ""
+
+    cmd = BSON::OrderedHash.new
+    cmd[:createRole] = "insertOnly"
+    cmd[:privileges] = [{:resource => res, :actions => [ "insert", "find" ]}]
+    cmd[:roles] = []
+    @db.command(cmd)
+    @db.add_user('insertOnly', 'password', nil, :roles => ['insertOnly'])
+
+    # db user can insert and remove
+    cmd = BSON::OrderedHash.new
+    cmd[:createRole] = "insertAndRemove"
+    cmd[:privileges] = [{:resource => res, :actions => [ "insert", "remove", "find" ]}]
+    cmd[:roles] = []
+    @db.command(cmd)
+    @db.add_user('insertAndRemove', 'password', nil, :roles => ['insertAndRemove'])
+
+    # for 2.4 cleanup etc.
+    @db.add_user('admin', 'password', nil, :roles => ['readWrite',
+                                                      'userAdmin',
+                                                      'dbAdmin'])
+    @admin.logout
+  end
+
+  def teardown_bulk
+    remove_all_users_and_roles(@db, 'admin', 'password')
+    remove_all_users_and_roles(@admin, 'admin', 'password')
+  end
+
+  def clear_collection(collection)
+    @admin.authenticate('admin', 'password')
+    collection.remove
+    @admin.logout
+  end
+
+  def remove_all_users_and_roles(database, username, password)
+    @admin.authenticate('admin', 'password')
+    if @version < '2.5.3'
+      database['system.users'].remove
+    else
+      database.command({:dropAllRolesFromDatabase => 1})
+      database.command({:dropAllUsersFromDatabase => 1})
+    end
+    @admin.logout
+  end
+
+  def test_auth_no_error
+    return unless @version >= '2.5.3'
+    init_auth_bulk
+    with_write_commands_and_operations(@db.connection) do |wire_version|
+      clear_collection(@collection)
+      @db.authenticate('insertAndRemove', 'password')
+      bulk = @collection.initialize_ordered_bulk_op
+      bulk.insert({:a => 1})
+      bulk.find({:a => 1}).remove_one
+
+      result = bulk.execute
+      assert_match_document(
+          {
+              "ok" => 1,
+              "nInserted" => 1,
+              "nRemoved" => 1
+          }, result, "wire_version:#{wire_version}")
+      assert_equal 0, @collection.count
+      @db.logout
+    end
+    teardown_bulk
+  end
+
+  def test_auth_error
+    return unless @version >= '2.5.3'
+    init_auth_bulk
+    with_write_commands_and_operations(@db.connection) do |wire_version|
+      clear_collection(@collection)
+      @db.authenticate('insertOnly', 'password')
+      bulk = @collection.initialize_ordered_bulk_op
+      bulk.insert({:a => 1})
+      bulk.find({:a => 1}).remove
+      bulk.insert({:a => 2})
+
+      ex = assert_raise Mongo::BulkWriteError do
+        bulk.execute
+      end
+      result = ex.result
+      assert_match_document(
+          {
+              "ok" => 1,
+              "n" => 1,
+              "writeErrors" =>
+                  [{
+                       "index" => 1,
+                       "code" => 13,
+                       "errmsg" => /not authorized/
+                  }],
+              "code" => 65,
+              "errmsg" => "batch item errors occurred",
+              "nInserted" => 1
+           }, result, "wire_version:#{wire_version}")
+      assert_equal 1, @collection.count
+      @db.logout
+    end
+    teardown_bulk
+  end
+
+  def test_auth_error_unordered
+    return unless @version >= '2.5.3'
+    init_auth_bulk
+    with_write_commands_and_operations(@db.connection) do |wire_version|
+      clear_collection(@collection)
+      @db.authenticate('insertOnly', 'password')
+      bulk = @collection.initialize_unordered_bulk_op
+      bulk.insert({:a => 1})
+      bulk.find({:a => 1}).remove_one
+      bulk.insert({:a => 2})
+
+      ex = assert_raise Mongo::BulkWriteError do
+        bulk.execute
+      end
+      result = ex.result
+      assert_equal 1, result["writeErrors"].length
+      assert_equal 2, result["n"]
+      assert_equal 2, result["nInserted"]
+      assert_equal 2, @collection.count
+      @db.logout
+    end
+    teardown_bulk
+  end
+
+  def test_duplicate_key_with_auth_error
+    return unless @version >= '2.5.3'
+    init_auth_bulk
+    with_write_commands_and_operations(@db.connection) do |wire_version|
+      clear_collection(@collection)
+      @db.authenticate('insertOnly', 'password')
+      bulk = @collection.initialize_ordered_bulk_op
+      bulk.insert({:_id => 1, :a => 1})
+      bulk.insert({:_id => 1, :a => 2})
+      bulk.find({:a => 1}).remove_one
+
+      ex = assert_raise Mongo::BulkWriteError do
+        bulk.execute
+      end
+      result = ex.result
+      assert_match_document(
+          {
+              "ok" => 1,
+              "n" => 1,
+              "writeErrors" =>
+                  [{
+                       "index" => 1,
+                       "code" => 11000,
+                       "errmsg" => /duplicate key error/
+                  }],
+              "code" => 65,
+              "errmsg" => "batch item errors occurred",
+              "nInserted" => 1
+           }, result, "wire_version:#{wire_version}")
+      assert_equal 1, @collection.count
+      @db.logout
+    end
+    teardown_bulk
+  end
+
+  def test_duplicate_key_with_auth_error_unordered
+    return unless @version >= '2.5.3'
+    init_auth_bulk
+    with_write_commands_and_operations(@db.connection) do |wire_version|
+      clear_collection(@collection)
+      @db.authenticate('insertOnly', 'password')
+      bulk = @collection.initialize_unordered_bulk_op
+      bulk.insert({:_id => 1, :a => 1})
+      bulk.insert({:_id => 1, :a => 1})
+      bulk.find({:a => 1}).remove_one
+
+      ex = assert_raise Mongo::BulkWriteError do
+        bulk.execute
+      end
+      result = ex.result
+      assert_equal 2, result["writeErrors"].length
+      assert_equal 1, result["n"]
+      assert_equal 1, result["nInserted"]
+      assert_equal 1, @collection.count
+      @db.logout
+    end
+    teardown_bulk
+  end
+
+  def test_write_concern_error_with_auth_error
+    with_no_replication(@db.connection) do
+      return unless @version >= '2.5.3'
+      init_auth_bulk
+      with_write_commands_and_operations(@db.connection) do |wire_version|
+        clear_collection(@collection)
+        @db.authenticate('insertOnly', 'password')
+        bulk = @collection.initialize_ordered_bulk_op
+        bulk.insert({:_id => 1, :a => 1})
+        bulk.insert({:_id => 2, :a => 1})
+        bulk.find({:a => 1}).remove_one
+        
+        ex = assert_raise Mongo::BulkWriteError do
+          bulk.execute({:w => 2})
+        end
+        result = ex.result
+        
+        assert_match_document(
+            {
+                "ok" => 0,
+                "n" => 0,
+                "nInserted" => 0,
+                "writeErrors" =>
+                    [{
+                         "index" => 0,
+                         "code" => 2,
+                         "errmsg" => /'w' > 1/
+                    }],
+                "code" => 65,
+                "errmsg" => "batch item errors occurred"
+             }, result, "wire_version#{wire_version}")
+# Re-visit this when RUBY-731 is resolved:
+        assert (@collection.count == batch_commands?(wire_version) ? 0 : 1)
+        @db.logout
+      end
+      teardown_bulk
+    end
+  end
+
+end

data/test/shared/authentication/gssapi_shared.rb

@@ -0,0 +1,164 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GSSAPITests
+
+  # Tests for the GSSAPI Authentication Mechanism.
+  #
+  # Note: These tests will be skipped automatically unless the test environment
+  # has been configured.  
+  #
+  # In order to run these tests, you must be using JRuby and must set the following
+  #   environment variables. The realm and KDC are required so that the corresponding
+  #   system properties can be set:
+  #
+  #   export MONGODB_GSSAPI_HOST='server.domain.com'
+  #   export MONGODB_GSSAPI_USER='applicationuser@example.com'
+  #   export MONGODB_GSSAPI_REALM='applicationuser@example.com'
+  #   export MONGODB_GSSAPI_KDC='SERVER.DOMAIN.COM'
+  #
+  # You must either use kinit or provide a config file that references a keytab file:
+  #
+  #   export JAAS_LOGIN_CONFIG_FILE='file:///path/to/config/file'
+  #
+  MONGODB_GSSAPI_HOST    = ENV['MONGODB_GSSAPI_HOST']
+  MONGODB_GSSAPI_USER    = ENV['MONGODB_GSSAPI_USER']
+  MONGODB_GSSAPI_REALM   = ENV['MONGODB_GSSAPI_REALM']
+  MONGODB_GSSAPI_KDC     = ENV['MONGODB_GSSAPI_KDC']
+  MONGODB_GSSAPI_PORT    = ENV['MONGODB_GSSAPI_PORT'] || '27017'
+  JAAS_LOGIN_CONFIG_FILE = ENV['JAAS_LOGIN_CONFIG_FILE']
+
+  if ENV.key?('MONGODB_GSSAPI_HOST') && ENV.key?('MONGODB_GSSAPI_USER') &&
+     ENV.key?('MONGODB_GSSAPI_REALM') && ENV.key?('MONGODB_GSSAPI_KDC') && RUBY_PLATFORM =~ /java/
+    def test_gssapi_authenticate
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+      if client['admin'].command(:isMaster => 1)['setName']
+        client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+      end
+
+      set_system_properties
+      db = client['kerberos']
+      db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI')
+      assert db.command(:dbstats => 1)
+
+      threads = []
+      4.times do
+        threads << Thread.new do
+          assert db.command(:dbstats => 1)
+        end
+      end
+      threads.each(&:join)
+    end
+
+    def test_gssapi_authenticate_uri
+      require 'cgi'
+      set_system_properties
+      username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+      uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+         "authMechanism=GSSAPI"
+      client = @client.class.from_uri(uri)
+      assert client['kerberos'].command(:dbstats => 1)
+    end
+
+    def test_wrong_service_name_fails
+      extra_opts = { :gssapi_service_name => 'example' }
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+      if client['admin'].command(:isMaster => 1)['setName']
+        client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+      end
+
+      set_system_properties
+      assert_raise_error Java::OrgMongodbSasl::MongoSecurityException do
+        client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+      end
+    end
+
+    def test_wrong_service_name_fails_uri
+      set_system_properties
+
+      require 'cgi'
+      username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+      uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+         "authMechanism=GSSAPI&gssapiServiceName=example"
+      client = @client.class.from_uri(uri)
+      assert_raise_error Java::OrgMongodbSasl::MongoSecurityException do
+        client['kerberos'].command(:dbstats => 1)
+      end
+    end
+
+    def test_extra_opts
+      extra_opts = { :gssapi_service_name => 'example', :canonicalize_host_name => true }
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+      set_system_properties
+
+      Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+        opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]
+        opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]
+      end.returns('ok' => true )
+      client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+    end
+
+    def test_extra_opts_uri
+      extra_opts = { :gssapi_service_name => 'example', :canonicalize_host_name => true }
+      set_system_properties
+
+      Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+        opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]
+        opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]
+      end.returns('ok' => true)
+
+      require 'cgi'
+      username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+      uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+         "authMechanism=GSSAPI&gssapiServiceName=example&canonicalizeHostName=true"
+      client = @client.class.from_uri(uri)
+      client.expects(:receive_message).returns([[{ 'ok' => 1 }], 1, 1])
+      client['kerberos'].command(:dbstats => 1)
+    end
+
+    # In order to run this test, you must set the following environment variable:
+    #
+    #   export MONGODB_GSSAPI_HOST_IP='---.---.---.---'
+    #
+    if ENV.key?('MONGODB_GSSAPI_HOST_IP')
+      def test_canonicalize_host_name
+        extra_opts = { :canonicalize_host_name => true }
+        set_system_properties
+        client = Mongo::MongoClient.new(ENV['MONGODB_GSSAPI_HOST_IP'], MONGODB_GSSAPI_PORT)
+
+        db = client['kerberos']
+        db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+        assert db.command(:dbstats => 1)
+      end
+    end
+
+    def test_invalid_extra_options
+      extra_opts = { :invalid => true, :option => true }
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST)
+
+      assert_raise Mongo::MongoArgumentError do
+        client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+      end
+    end
+
+    private
+    def set_system_properties
+      java.lang.System.set_property 'javax.security.auth.useSubjectCredsOnly', 'false'
+      java.lang.System.set_property "java.security.krb5.realm", MONGODB_GSSAPI_REALM
+      java.lang.System.set_property "java.security.krb5.kdc", MONGODB_GSSAPI_KDC
+      java.lang.System.set_property "java.security.auth.login.config", JAAS_LOGIN_CONFIG_FILE if JAAS_LOGIN_CONFIG_FILE
+    end
+  end
+
+end

data/test/shared/ssl_shared.rb

@@ -15,9 +15,10 @@
 module SSLTests
   include Mongo
 
-  CERT_PATH   = "#{Dir.pwd}/test/fixtures/certificates/"
-  CLIENT_CERT = "#{CERT_PATH}client.pem"
-  CA_CERT     = "#{CERT_PATH}ca.pem"
+  MONGODB_X509_USERNAME = 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+  CERT_PATH             = "#{Dir.pwd}/test/fixtures/certificates/"
+  CLIENT_CERT           = "#{CERT_PATH}client.pem"
+  CA_CERT               = "#{CERT_PATH}ca.pem"
 
   def create_client(*args)
     if @client_class == MongoClient
@@ -27,6 +28,14 @@ module SSLTests
     end
   end
 
+  # Requires MongoDB not built with SSL
+  #
+  def test_ssl_not_configured
+    assert_raise Mongo::ConnectionTimeoutError do
+      create_client(['localhost', 27017], :connect_timeout => 2, :ssl => true)
+    end
+  end
+
   # This test doesn't connect, no server config required
   def test_ssl_configuration
     # raises when ssl=false and ssl opts specified
@@ -134,40 +143,53 @@ module SSLTests
   # --sslCAFile /path/to/ca.pem \
   # --sslCRLFile /path/to/crl.pem
   #
-  if ENV.key?('MONGODB_X509_USER')
+  # Note that the cert requires username:
+  #   'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+  #
+  def test_x509_authentication
+    mechanism = 'MONGODB-X509'
 
-    def test_x509_authentication
-      mechanism = 'MONGODB-X509'
-      client    = create_client(@connect_info, :ssl => true,
-                                               :ssl_cert => CLIENT_CERT)
+    client    = create_client(@connect_info, :ssl => true,
+                                             :ssl_cert => CLIENT_CERT,
+                                             :ssl_key  => CLIENT_CERT)
 
-      return unless client.server_version > '2.5.2'
+    return unless client.server_version > '2.5.2'
 
-      user     = ENV['MONGODB_X509_USER']
-      db       = client.db('$external')
+    db       = client.db('$external')
 
-      # add user for test (enable auth)
-      roles    = [{:role => 'readWriteAnyDatabase', :db => 'admin'},
-                  {:role => 'userAdminAnyDatabase', :db => 'admin'}]
-      db.add_user(user, nil, false, :roles => roles)
+    # add user for test (enable auth)
+    roles    = [{:role => 'readWriteAnyDatabase', :db => 'admin'},
+                {:role => 'userAdminAnyDatabase', :db => 'admin'}]
+    db.add_user(MONGODB_X509_USERNAME, nil, false, :roles => roles)
 
-      assert db.authenticate(user, nil, nil, nil, mechanism)
-      assert db.collection_names
+    assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+    assert db.collection_names
 
-      assert db.logout
-      assert_raise Mongo::AuthenticationError do
-        db.collection_names
-      end
+    assert db.logout
+    assert_raise Mongo::OperationFailure do
+      db.collection_names
+    end
 
-      assert MongoReplicaSetClient.from_uri(
-        "mongodb://#{user}@#{@uri_info}/admin?authMechanism=#{mechanism}")
-      assert db.collection_names
+    # username and valid certificate don't match
+    assert_raise Mongo::AuthenticationError do
+      db.authenticate('test', nil, nil, nil, mechanism)
+    end
 
-      # clean up and remove all users
-      db.command(:dropAllUsersFromDatabase => 1)
-      db.logout
+    # username required
+    assert_raise Mongo::AuthenticationError do
+      db.authenticate(nil, nil, nil, nil, mechanism)
     end
 
+    assert MongoClient.from_uri(
+      "mongodb://#{MONGODB_X509_USERNAME}@#{@uri_info}/?ssl=true;authMechanism=#{mechanism}",
+          :ssl_cert => CLIENT_CERT,
+          :ssl_key  => CLIENT_CERT)
+    assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+    assert db.collection_names
+
+    # clean up and remove all users
+    db.command(:dropAllUsersFromDatabase => 1)
+    db.logout
   end
 
 end