mongodb/mongo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
mongo/jstests/ssl_x509/speculative-auth-replset.js
Gabriel Marks a1486ee4a9 SERVER-121258 Fix mechanism map initialization for egress (#50311) 
GitOrigin-RevId: e64221f986747ee93b7ab2f9d3a707de5ffcd3df
2026-04-01 18:37:37 +00:00

114 lines
3.9 KiB
JavaScript
Raw Permalink Blame History

// Verify that replica sets can speculatively authenticate
// to each other during intra-cluster communication.
// @tags: [requires_replication]
import {ReplSetTest} from "jstests/libs/replsettest.js";
const x509_options = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
clusterAuthMode: "sendX509",
};
const params = {
setParameter: {
// Disable QueryAnalysisSampler to ensure no extra speculative access generated by it.
"failpoint.disableQueryAnalysisSampler": tojson({mode: "alwaysOn"}),
},
};
const rst = new ReplSetTest({
nodes: 1,
nodeOptions: Object.assign(x509_options, params),
// ReplSetTest needs a keyFile present in order to know we want intracluster auth.
keyFile: "jstests/libs/key1",
// ReplicaSet needs to use localhost so that SAN/CN values match.
useHostName: false,
});
rst.startSet();
rst.initiate();
const admin = rst.getPrimary().getDB("admin");
admin.createUser({user: "admin", pwd: "pwd", roles: ["root"]});
function getMechStats(db) {
return assert.commandWorked(db.runCommand({serverStatus: 1})).security.authentication.mechanisms;
}
authutil.assertAuthenticate(rst.getPrimary(), "$external", {
mechanism: "MONGODB-X509",
});
// Capture statistics after a fresh instantiation of a 1-node replica set.
const initialMechStats = getMechStats(admin);
printjson(initialMechStats);
assert(initialMechStats["MONGODB-X509"] !== undefined);
// We've made no client connections for which speculation was possible,
// because we authenticated as `admin` using the shell helpers with SCRAM.
// Because of the simple cluster topology, we should have no intracluster authentication attempts.
Object.keys(initialMechStats).forEach(function (mech) {
if (mech.hasOwnProperty("ingress")) {
const specStats = initialMechStats[mech].ingress.speculativeAuthenticate;
const clusterStats = initialMechStats[mech].ingress.clusterAuthenticate;
if (mech === "MONGODB-X509") {
assert.eq(clusterStats.total, 1);
}
// No speculation has occured
assert.eq(specStats.total, 0);
// Statistics should be consistent for all mechanisms
assert.eq(specStats.total, specStats.successful);
assert.eq(clusterStats.total, clusterStats.successful);
}
});
{
// Add and remove a node to force intra-cluster traffic, and authentication attempts.
// Removal will require force-reconfig because the original node will not constitute a
// "majority" of the resulting two node replicaset.
const singleNodeConfig = rst.getReplSetConfigFromNode();
const newNode = rst.add(x509_options);
rst.reInitiate();
rst.awaitSecondaryNodes(null, [newNode]);
rst.stop(newNode);
rst.remove(newNode);
singleNodeConfig.version = rst.getReplSetConfigFromNode(0).version + 1;
assert.commandWorked(admin.runCommand({replSetReconfig: singleNodeConfig, force: true}));
}
{
// Capture new statistics, and assert that they're consistent.
const newMechStats = getMechStats(admin);
printjson(newMechStats);
assert.eq(
newMechStats["MONGODB-X509"].ingress.speculativeAuthenticate.total,
newMechStats["MONGODB-X509"].ingress.speculativeAuthenticate.successful,
);
assert.eq(
newMechStats["MONGODB-X509"].ingress.clusterAuthenticate.total,
newMechStats["MONGODB-X509"].ingress.clusterAuthenticate.successful,
);
// Speculative and cluster statistics should be incremented by intracluster auth.
assert.gt(
newMechStats["MONGODB-X509"].ingress.speculativeAuthenticate.total,
initialMechStats["MONGODB-X509"].ingress.speculativeAuthenticate.successful,
);
assert.gt(
newMechStats["MONGODB-X509"].ingress.clusterAuthenticate.total,
initialMechStats["MONGODB-X509"].ingress.clusterAuthenticate.successful,
);
}
admin.logout();
rst.stopSet();
Reference in New Issue View Git Blame Copy Permalink