mongo/jstests/auth/lib/bulk_write_base.js

// Auth test the BulkWrite command.
// These test cover privilege combination scenarios that commands_lib.js format cannot.
export function runTest(mongod) {
    const admin = mongod.getDB('admin');
    admin.createUser({user: 'admin', pwd: 'pass', roles: jsTest.adminUserRoles});
    assert(admin.auth('admin', 'pass'));

    // Establish test and test1
    mongod.getDB("test").coll.insert({x: "y"});
    mongod.getDB("test1").coll1.insert({x: "y"});

    admin.createRole({
        role: 'ns1Insert',
        privileges: [{resource: {db: "test", collection: "coll"}, actions: ['insert']}],
        roles: []
    });

    admin.createRole({
        role: 'ns2Insert',
        privileges: [{resource: {db: "test1", collection: "coll1"}, actions: ['insert']}],
        roles: []
    });

    admin.createRole({
        role: 'ns1Update',
        privileges: [{resource: {db: "test", collection: "coll"}, actions: ['update']}],
        roles: []
    });

    admin.createRole({
        role: 'ns2Update',
        privileges: [{resource: {db: "test1", collection: "coll1"}, actions: ['update']}],
        roles: []
    });

    admin.createRole({
        role: 'ns1Remove',
        privileges: [{resource: {db: "test", collection: "coll"}, actions: ['remove']}],
        roles: []
    });

    admin.createRole({
        role: 'ns2Remove',
        privileges: [{resource: {db: "test1", collection: "coll1"}, actions: ['remove']}],
        roles: []
    });

    admin.createRole({
        role: 'ns1BypassDocumentValidation',
        privileges:
            [{resource: {db: "test", collection: "coll"}, actions: ['bypassDocumentValidation']}],
        roles: []
    });

    admin.createRole({
        role: 'ns2BypassDocumentValidation',
        privileges:
            [{resource: {db: "test1", collection: "coll1"}, actions: ['bypassDocumentValidation']}],
        roles: []
    });

    // Create users to cover the scenarios where we have partial privileges on
    // byPassDocumentValidation and Insert + Update + Remove for ns1 + ns2.
    admin.createUser({
        user: 'user1',
        pwd: 'pass',
        roles: [
            'ns1Insert',
            'ns2Insert',
            'ns1Update',
            'ns2Update',
            'ns1Remove',
            'ns2Remove',
            'ns1BypassDocumentValidation'
        ]
    });
    admin.createUser({
        user: 'user2',
        pwd: 'pass',
        roles: [
            'ns1Insert',
            'ns1Update',
            'ns1Remove',
            'ns1BypassDocumentValidation',
            'ns2BypassDocumentValidation'
        ]
    });
    admin.createUser({user: 'user3', pwd: 'pass', roles: ['ns1Update']});

    admin.logout();

    // Commands to be used in testing.

    // Insert test.coll and test1.coll1 with bypassDocumentValidation.
    var cmd1 = {
        bulkWrite: 1,
        ops: [{insert: 0, document: {skey: "MongoDB"}}, {insert: 1, document: {skey: "MongoDB"}}],
        nsInfo: [{ns: "test.coll"}, {ns: "test1.coll1"}],
        bypassDocumentValidation: true,
    };

    var cmd2 = {
        bulkWrite: 1,
        ops: [
            {update: 0, filter: {skey: "MongoDB"}, updateMods: {field1: 1}},
            {update: 1, filter: {skey: "MongoDB"}, updateMods: {field1: 1}}
        ],
        nsInfo: [{ns: "test.coll"}, {ns: "test1.coll1"}],
        bypassDocumentValidation: true,
    };

    var cmd3 = {
        bulkWrite: 1,
        ops: [{delete: 0, filter: {skey: "MongoDB"}}, {delete: 1, filter: {skey: "MongoDB"}}],
        nsInfo: [{ns: "test.coll"}, {ns: "test1.coll1"}],
        bypassDocumentValidation: true,
    };

    var cmd4 = {
        bulkWrite: 1,
        ops: [{update: 0, filter: {skey: "MongoDB"}, updateMods: {field1: 1}, upsert: true}],
        nsInfo: [{ns: "test.coll"}]
    };

    const runAuthTest = function(test) {
        admin.auth(test.user, 'pass');

        if (test.expectedAuthorized) {
            assert.commandWorked(admin.runCommand(test.command));
        } else {
            assert.commandFailedWithCode(admin.runCommand(test.command), [ErrorCodes.Unauthorized]);
        }
        admin.logout();
    };

    // Tests that insert fails authorization when fully authorized on ns1 and missing
    // 'bypassDocumentValidation' on ns2
    runAuthTest({user: "user1", command: cmd1, expectedAuthorized: false});

    // Tests that insert fails authorization when fully authorized on ns1 and missing 'insert' on
    // ns2
    runAuthTest({user: "user2", command: cmd1, expectedAuthorized: false});

    // Tests that update fails authorization when fully authorized on ns1 and missing
    // 'bypassDocumentValidation' on ns2
    runAuthTest({user: "user1", command: cmd2, expectedAuthorized: false});

    // Tests that update fails authorization when fully authorized on ns1 and missing 'update' on
    // ns2
    runAuthTest({user: "user2", command: cmd2, expectedAuthorized: false});

    // Tests that delete fails authorization when fully authorized on ns1 and missing
    // 'bypassDocumentValidation' on ns2
    runAuthTest({user: "user1", command: cmd3, expectedAuthorized: false});

    // Tests that delete fails authorization when fully authorized on ns1 and missing 'delete' on
    // ns2
    runAuthTest({user: "user2", command: cmd3, expectedAuthorized: false});

    // Tests that update with 'upsert: true' fails without 'insert' on ns1.
    runAuthTest({user: "user3", command: cmd4, expectedAuthorized: false});
}