mongo 1.10.0.rc0 → 1.10.0.rc1
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/VERSION +1 -1
- data/lib/mongo/bulk_write_collection_view.rb +31 -3
- data/lib/mongo/collection.rb +69 -25
- data/lib/mongo/collection_writer.rb +3 -2
- data/lib/mongo/connection/node.rb +5 -0
- data/lib/mongo/cursor.rb +4 -1
- data/lib/mongo/db.rb +23 -41
- data/lib/mongo/functional.rb +2 -0
- data/lib/mongo/functional/authentication.rb +18 -3
- data/lib/mongo/functional/sasl_java.rb +48 -0
- data/lib/mongo/functional/uri_parser.rb +62 -50
- data/lib/mongo/mongo_client.rb +24 -9
- data/lib/mongo/mongo_replica_set_client.rb +16 -5
- data/lib/mongo/networking.rb +3 -3
- data/lib/mongo/utils/conversions.rb +2 -1
- data/test/functional/authentication_test.rb +6 -1
- data/test/functional/bulk_api_stress_test.rb +133 -0
- data/test/functional/bulk_write_collection_view_test.rb +573 -226
- data/test/functional/client_test.rb +3 -1
- data/test/functional/collection_test.rb +336 -17
- data/test/functional/conversions_test.rb +32 -0
- data/test/functional/cursor_test.rb +3 -3
- data/test/functional/db_api_test.rb +2 -2
- data/test/functional/db_test.rb +24 -0
- data/test/functional/uri_test.rb +49 -32
- data/test/helpers/test_unit.rb +8 -0
- data/test/replica_set/authentication_test.rb +5 -1
- data/test/replica_set/client_test.rb +5 -4
- data/test/replica_set/max_values_test.rb +6 -0
- data/test/shared/authentication/basic_auth_shared.rb +101 -30
- data/test/shared/authentication/bulk_api_auth_shared.rb +259 -0
- data/test/shared/authentication/gssapi_shared.rb +164 -0
- data/test/shared/ssl_shared.rb +49 -27
- data/test/unit/client_test.rb +4 -2
- data/test/unit/connection_test.rb +4 -2
- data/test/unit/cursor_test.rb +12 -0
- data/test/unit/db_test.rb +6 -0
- metadata +27 -20
- metadata.gz.sig +0 -0
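--- a/data/test/shared/authentication/bulk_api_auth_shared.rb
+++ b/data/test/shared/authentication/bulk_api_auth_shared.rb
@@ -0,0 +1,259 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0x
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module BulkAPIAuthTests
+
+include Mongo
+
+def init_auth_bulk
+# enable authentication
+@admin = @client["admin"]
+@admin.add_user('admin', 'password', nil, :roles => ['readWriteAnyDatabase',
+'userAdminAnyDatabase',
+'dbAdminAnyDatabase'])
+@admin.authenticate('admin', 'password')
+
+# Set up the test db
+@collection = @db["bulk-api-auth-tests"]
+
+# db user can insert but not remove
+res = BSON::OrderedHash.new
+res[:db] = TEST_DB
+res[:collection] = ""
+
+cmd = BSON::OrderedHash.new
+cmd[:createRole] = "insertOnly"
+cmd[:privileges] = [{:resource => res, :actions => [ "insert", "find" ]}]
+cmd[:roles] = []
+@db.command(cmd)
+@db.add_user('insertOnly', 'password', nil, :roles => ['insertOnly'])
+
+# db user can insert and remove
+cmd = BSON::OrderedHash.new
+cmd[:createRole] = "insertAndRemove"
+cmd[:privileges] = [{:resource => res, :actions => [ "insert", "remove", "find" ]}]
+cmd[:roles] = []
+@db.command(cmd)
+@db.add_user('insertAndRemove', 'password', nil, :roles => ['insertAndRemove'])
+
+# for 2.4 cleanup etc.
+@db.add_user('admin', 'password', nil, :roles => ['readWrite',
+'userAdmin',
+'dbAdmin'])
+@admin.logout
+end
+
+def teardown_bulk
+remove_all_users_and_roles(@db, 'admin', 'password')
+remove_all_users_and_roles(@admin, 'admin', 'password')
+end
+
+def clear_collection(collection)
+@admin.authenticate('admin', 'password')
+collection.remove
+@admin.logout
+end
+
+def remove_all_users_and_roles(database, username, password)
+@admin.authenticate('admin', 'password')
+if @version < '2.5.3'
+database['system.users'].remove
+else
+database.command({:dropAllRolesFromDatabase => 1})
+database.command({:dropAllUsersFromDatabase => 1})
+end
+@admin.logout
+end
+
+def test_auth_no_error
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertAndRemove', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:a => 1})
+bulk.find({:a => 1}).remove_one
+
+result = bulk.execute
+assert_match_document(
+{
+"ok" => 1,
+"nInserted" => 1,
+"nRemoved" => 1
+}, result, "wire_version:#{wire_version}")
+assert_equal 0, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_auth_error
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:a => 1})
+bulk.find({:a => 1}).remove
+bulk.insert({:a => 2})
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_match_document(
+{
+"ok" => 1,
+"n" => 1,
+"writeErrors" =>
+[{
+"index" => 1,
+"code" => 13,
+"errmsg" => /not authorized/
+}],
+"code" => 65,
+"errmsg" => "batch item errors occurred",
+"nInserted" => 1
+}, result, "wire_version:#{wire_version}")
+assert_equal 1, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_auth_error_unordered
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_unordered_bulk_op
+bulk.insert({:a => 1})
+bulk.find({:a => 1}).remove_one
+bulk.insert({:a => 2})
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_equal 1, result["writeErrors"].length
+assert_equal 2, result["n"]
+assert_equal 2, result["nInserted"]
+assert_equal 2, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_duplicate_key_with_auth_error
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:_id => 1, :a => 1})
+bulk.insert({:_id => 1, :a => 2})
+bulk.find({:a => 1}).remove_one
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_match_document(
+{
+"ok" => 1,
+"n" => 1,
+"writeErrors" =>
+[{
+"index" => 1,
+"code" => 11000,
+"errmsg" => /duplicate key error/
+}],
+"code" => 65,
+"errmsg" => "batch item errors occurred",
+"nInserted" => 1
+}, result, "wire_version:#{wire_version}")
+assert_equal 1, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_duplicate_key_with_auth_error_unordered
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_unordered_bulk_op
+bulk.insert({:_id => 1, :a => 1})
+bulk.insert({:_id => 1, :a => 1})
+bulk.find({:a => 1}).remove_one
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute
+end
+result = ex.result
+assert_equal 2, result["writeErrors"].length
+assert_equal 1, result["n"]
+assert_equal 1, result["nInserted"]
+assert_equal 1, @collection.count
+@db.logout
+end
+teardown_bulk
+end
+
+def test_write_concern_error_with_auth_error
+with_no_replication(@db.connection) do
+return unless @version >= '2.5.3'
+init_auth_bulk
+with_write_commands_and_operations(@db.connection) do |wire_version|
+clear_collection(@collection)
+@db.authenticate('insertOnly', 'password')
+bulk = @collection.initialize_ordered_bulk_op
+bulk.insert({:_id => 1, :a => 1})
+bulk.insert({:_id => 2, :a => 1})
+bulk.find({:a => 1}).remove_one
+
+ex = assert_raise Mongo::BulkWriteError do
+bulk.execute({:w => 2})
+end
+result = ex.result
+
+assert_match_document(
+{
+"ok" => 0,
+"n" => 0,
+"nInserted" => 0,
+"writeErrors" =>
+[{
+"index" => 0,
+"code" => 2,
+"errmsg" => /'w' > 1/
+}],
+"code" => 65,
+"errmsg" => "batch item errors occurred"
+}, result, "wire_version#{wire_version}")
+# Re-visit this when RUBY-731 is resolved:
+assert (@collection.count == batch_commands?(wire_version) ? 0 : 1)
+@db.logout
+end
+teardown_bulk
+end
+end
+
+end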
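Review bot: The last assertion in `test_write_concern_error_with_auth_error`, `assert (@collection.count == batch_commands?(wire_version) ? 0 : 1)`, can never fail: `==` binds tighter than `?:`, so the expression evaluates to `0` or `1`, and both are truthy in Ruby. Comparing the count explicitly would turn it into a real check, for example `assert_equal((batch_commands?(wire_version) ? 0 : 1), @collection.count)`. Separately, every test calls `teardown_bulk` as its last statement rather than from an `ensure`, so a failed assertion leaves the `admin`, `insertOnly` and `insertAndRemove` users (all created with the password `password`) and the custom roles on the test server. In the same test the `return unless @version >= '2.5.3'` sits inside the `with_no_replication` block, so whether that helper's own cleanup still runs depends on its implementation, which is not visible here.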
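--- a/data/test/shared/authentication/gssapi_shared.rb
+++ b/data/test/shared/authentication/gssapi_shared.rb
@@ -0,0 +1,164 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GSSAPITests
+
+# Tests for the GSSAPI Authentication Mechanism.
+#
+# Note: These tests will be skipped automatically unless the test environment
+# has been configured.
+#
+# In order to run these tests, you must be using JRuby and must set the following
+# environment variables. The realm and KDC are required so that the corresponding
+# system properties can be set:
+#
+# export MONGODB_GSSAPI_HOST='server.domain.com'
+# export MONGODB_GSSAPI_USER='applicationuser@example.com'
+# export MONGODB_GSSAPI_REALM='applicationuser@example.com'
+# export MONGODB_GSSAPI_KDC='SERVER.DOMAIN.COM'
+#
+# You must either use kinit or provide a config file that references a keytab file:
+#
+# export JAAS_LOGIN_CONFIG_FILE='file:///path/to/config/file'
+#
+MONGODB_GSSAPI_HOST = ENV['MONGODB_GSSAPI_HOST']
+MONGODB_GSSAPI_USER = ENV['MONGODB_GSSAPI_USER']
+MONGODB_GSSAPI_REALM = ENV['MONGODB_GSSAPI_REALM']
+MONGODB_GSSAPI_KDC = ENV['MONGODB_GSSAPI_KDC']
+MONGODB_GSSAPI_PORT = ENV['MONGODB_GSSAPI_PORT'] || '27017'
+JAAS_LOGIN_CONFIG_FILE = ENV['JAAS_LOGIN_CONFIG_FILE']
+
+if ENV.key?('MONGODB_GSSAPI_HOST') && ENV.key?('MONGODB_GSSAPI_USER') &&
+ENV.key?('MONGODB_GSSAPI_REALM') && ENV.key?('MONGODB_GSSAPI_KDC') && RUBY_PLATFORM =~ /java/
+def test_gssapi_authenticate
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+if client['admin'].command(:isMaster => 1)['setName']
+client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+end
+
+set_system_properties
+db = client['kerberos']
+db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI')
+assert db.command(:dbstats => 1)
+
+threads = []
+4.times do
+threads << Thread.new do
+assert db.command(:dbstats => 1)
+end
+end
+threads.each(&:join)
+end
+
+def test_gssapi_authenticate_uri
+require 'cgi'
+set_system_properties
+username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+"authMechanism=GSSAPI"
+client = @client.class.from_uri(uri)
+assert client['kerberos'].command(:dbstats => 1)
+end
+
+def test_wrong_service_name_fails
+extra_opts = { :gssapi_service_name => 'example' }
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+if client['admin'].command(:isMaster => 1)['setName']
+client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+end
+
+set_system_properties
+assert_raise_error Java::OrgMongodbSasl::MongoSecurityException do
+client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+end
+end
+
+def test_wrong_service_name_fails_uri
+set_system_properties
+
+require 'cgi'
+username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+"authMechanism=GSSAPI&gssapiServiceName=example"
+client = @client.class.from_uri(uri)
+assert_raise_error Java::OrgMongodbSasl::MongoSecurityException do
+client['kerberos'].command(:dbstats => 1)
+end
+end
+
+def test_extra_opts
+extra_opts = { :gssapi_service_name => 'example', :canonicalize_host_name => true }
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+set_system_properties
+
+Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]
+opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]
+end.returns('ok' => true )
+client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+end
+
+def test_extra_opts_uri
+extra_opts = { :gssapi_service_name => 'example', :canonicalize_host_name => true }
+set_system_properties
+
+Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]
+opts[:canonicalize_host_name] == extra_opts[:canonicalize_host_name]
+end.returns('ok' => true)
+
+require 'cgi'
+username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+"authMechanism=GSSAPI&gssapiServiceName=example&canonicalizeHostName=true"
+client = @client.class.from_uri(uri)
+client.expects(:receive_message).returns([[{ 'ok' => 1 }], 1, 1])
+client['kerberos'].command(:dbstats => 1)
+end
+
+# In order to run this test, you must set the following environment variable:
+#
+# export MONGODB_GSSAPI_HOST_IP='---.---.---.---'
+#
+if ENV.key?('MONGODB_GSSAPI_HOST_IP')
+def test_canonicalize_host_name
+extra_opts = { :canonicalize_host_name => true }
+set_system_properties
+client = Mongo::MongoClient.new(ENV['MONGODB_GSSAPI_HOST_IP'], MONGODB_GSSAPI_PORT)
+
+db = client['kerberos']
+db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+assert db.command(:dbstats => 1)
+end
+end
+
+def test_invalid_extra_options
+extra_opts = { :invalid => true, :option => true }
+client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST)
+
+assert_raise Mongo::MongoArgumentError do
+client['kerberos'].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+end
+end
+
+private
+def set_system_properties
+java.lang.System.set_property 'javax.security.auth.useSubjectCredsOnly', 'false'
+java.lang.System.set_property "java.security.krb5.realm", MONGODB_GSSAPI_REALM
+java.lang.System.set_property "java.security.krb5.kdc", MONGODB_GSSAPI_KDC
+java.lang.System.set_property "java.security.auth.login.config", JAAS_LOGIN_CONFIG_FILE if JAAS_LOGIN_CONFIG_FILE
+end
+end
+
+end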
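Review bot: In `test_extra_opts` and `test_extra_opts_uri` the block given to `.with` yields only its last expression, so the `opts[:gssapi_service_name] == extra_opts[:gssapi_service_name]` comparison on the first line is discarded and a wrong or missing service name would still satisfy the expectation. Joining the two comparisons makes both count: end the first line with `&&` so it reads `opts[:gssapi_service_name] == extra_opts[:gssapi_service_name] &&` ahead of the `canonicalize_host_name` line. The URI-based tests also interpolate `ENV['MONGODB_GSSAPI_PORT']` rather than the `MONGODB_GSSAPI_PORT` constant, so the `'27017'` default is lost and the URI ends up with an empty port when the variable is unset. The header comment's example value for `MONGODB_GSSAPI_REALM` repeats the user principal (`'applicationuser@example.com'`), which looks like a copy-paste slip and is worth correcting to a realm-style value.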
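--- a/data/test/shared/ssl_shared.rb
+++ b/data/test/shared/ssl_shared.rb
@@ -15,9 +15,10 @@
 module SSLTests
 include Mongo
 
-
-
-
+MONGODB_X509_USERNAME = 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+CERT_PATH = "#{Dir.pwd}/test/fixtures/certificates/"
+CLIENT_CERT = "#{CERT_PATH}client.pem"
+CA_CERT = "#{CERT_PATH}ca.pem"
 
 def create_client(*args)
 if @client_class == MongoClient
@@ -27,6 +28,14 @@ module SSLTests
 end
 end
 
+# Requires MongoDB not built with SSL
+#
+def test_ssl_not_configured
+assert_raise Mongo::ConnectionTimeoutError do
+create_client(['localhost', 27017], :connect_timeout => 2, :ssl => true)
+end
+end
+
 # This test doesn't connect, no server config required
 def test_ssl_configuration
 # raises when ssl=false and ssl opts specified
@@ -134,40 +143,53 @@ module SSLTests
 # --sslCAFile /path/to/ca.pem \
 # --sslCRLFile /path/to/crl.pem
 #
-
+# Note that the cert requires username:
+# 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+#
+def test_x509_authentication
+mechanism = 'MONGODB-X509'
 
-
-
-
-:ssl_cert => CLIENT_CERT)
+client = create_client(@connect_info, :ssl => true,
+:ssl_cert => CLIENT_CERT,
+:ssl_key => CLIENT_CERT)
 
-
+return unless client.server_version > '2.5.2'
 
-
-db = client.db('$external')
+db = client.db('$external')
 
-
-
-
-
+# add user for test (enable auth)
+roles = [{:role => 'readWriteAnyDatabase', :db => 'admin'},
+{:role => 'userAdminAnyDatabase', :db => 'admin'}]
+db.add_user(MONGODB_X509_USERNAME, nil, false, :roles => roles)
 
-
-
+assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+assert db.collection_names
 
-
-
-
-
+assert db.logout
+assert_raise Mongo::OperationFailure do
+db.collection_names
+end
 
-
-
-
+# username and valid certificate don't match
+assert_raise Mongo::AuthenticationError do
+db.authenticate('test', nil, nil, nil, mechanism)
+end
 
-
-
-db.
+# username required
+assert_raise Mongo::AuthenticationError do
+db.authenticate(nil, nil, nil, nil, mechanism)
 end
 
+assert MongoClient.from_uri(
+"mongodb://#{MONGODB_X509_USERNAME}@#{@uri_info}/?ssl=true;authMechanism=#{mechanism}",
+:ssl_cert => CLIENT_CERT,
+:ssl_key => CLIENT_CERT)
+assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+assert db.collection_names
+
+# clean up and remove all users
+db.command(:dropAllUsersFromDatabase => 1)
+db.logout
 end
 
 end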
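Review bot: The URI check near the end of `test_x509_authentication` only asserts that `MongoClient.from_uri(...)` returns an object; the `db.authenticate` and `db.collection_names` calls that follow still run on the `db` taken from the first client, so X.509 authentication through the URI path is never actually exercised. Keeping the result and querying through it would cover that path, e.g. `uri_client = MongoClient.from_uri(...)` followed by `assert uri_client.db('$external').collection_names`. The DN in `MONGODB_X509_USERNAME` is also interpolated into the URI unescaped although it contains `=`, `,` and spaces, whereas the GSSAPI tests in this release pass the username through `CGI::escape`; the same is probably wanted here. The `dropAllUsersFromDatabase` cleanup runs only when every assertion passes, so wrapping the body in `begin`/`ensure` would avoid leaving a user with `userAdminAnyDatabase` behind after a failure.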