// Test basic db operations in multitenancy using a securityToken.
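(function() {
"use strict";

// Start a standalone with auth and multitenancy enabled so that both ways of naming a
// tenant -- a security token on the connection and an explicit '$tenant' field on the
// command -- can be exercised against the same data.
const mongod = MongoRunner.runMongod(
    {auth: '', setParameter: {multitenancySupport: true, featureFlagMongoStore: true}});
const adminDb = mongod.getDB('admin');

// Prepare a user for testing pass tenant via $tenant.
// Must be authenticated as a user with ActionType::useTenant in order to use $tenant.
assert.commandWorked(adminDb.runCommand({createUser: 'admin', pwd: 'pwd', roles: ['root']}));
assert(adminDb.auth('admin', 'pwd'));

/**
 * Creates a readWriteAnyDatabase user on '$external' that belongs to 'tenantId' and returns
 * the security token that authenticates as that user.
 *
 * The createUser request itself carries '$tenant', so it must run on the privileged 'admin'
 * session established above; the token it returns is what an ordinary tenant client would
 * present instead.
 *
 * @param {string} userName - name of the user to create.
 * @param {ObjectId} tenantId - tenant the user (and its data) belongs to.
 * @returns {string} security token for 'userName' scoped to 'tenantId'.
 */
function createTenantUser(userName, tenantId) {
    assert.commandWorked(mongod.getDB('$external').runCommand({
        createUser: userName,
        '$tenant': tenantId,
        roles: [{role: 'readWriteAnyDatabase', db: 'admin'}]
    }));
    return _createSecurityToken({user: userName, db: '$external', tenant: tenantId});
}

{
    const kTenant = ObjectId();
    const tokenConn = new Mongo(mongod.host);

    // Create a user for kTenant and then set the security token on the connection.
    tokenConn._setSecurityToken(createTenantUser("readWriteUserTenant1", kTenant));

    // Create a collection for the tenant kTenant and then insert into it.
    const tokenDB = tokenConn.getDB('test');
    assert.commandWorked(tokenDB.createCollection('myColl0'));
    assert.commandWorked(
        tokenDB.runCommand({insert: 'myColl0', documents: [{_id: 0, a: 1, b: 1}]}));

    // Find and modify the document. Without 'new: true' findAndModify returns the
    // pre-update image, so each assertion below sees the value before its own $inc.
    const fad1 = assert.commandWorked(
        tokenDB.runCommand({findAndModify: "myColl0", query: {a: 1}, update: {$inc: {a: 10}}}));
    assert.eq({_id: 0, a: 1, b: 1}, fad1.value);
    const fad2 = assert.commandWorked(
        tokenDB.runCommand({findAndModify: "myColl0", query: {a: 11}, update: {$inc: {a: 10}}}));
    assert.eq({_id: 0, a: 11, b: 1}, fad2.value);
    // The stored document is now {_id: 0, a: 21, b: 1}.

    // Create a user for a different tenant, and set the security token on the connection. Then,
    // check that this tenant cannot access the other tenant's collection. We reuse the same
    // connection, but swap the token out.
    const kOtherTenant = ObjectId();
    tokenConn._setSecurityToken(createTenantUser("readWriteUserTenant2", kOtherTenant));

    // Tenant isolation under test: the same 'test.myColl0' namespace resolved under
    // kOtherTenant must not see kTenant's document, so the update matches nothing.
    const tokenDB2 = tokenConn.getDB('test');
    const fadOtherUser = assert.commandWorked(
        tokenDB2.runCommand({findAndModify: "myColl0", query: {b: 1}, update: {$inc: {b: 10}}}));
    assert.eq(null, fadOtherUser.value);

    // Check that a privileged user with ActionType::useTenant can run findAndModify on the doc
    // when passing the correct tenant, but not when passing a different tenant.
    const privilegedConn = new Mongo(mongod.host);
    assert(privilegedConn.getDB('admin').auth('admin', 'pwd'));
    const privilegedDB = privilegedConn.getDB('test');

    // 'b' is expected to still be 1 here, which also confirms that the other tenant's
    // findAndModify above did not touch kTenant's document.
    const fadCorrectDollarTenant = assert.commandWorked(privilegedDB.runCommand(
        {findAndModify: "myColl0", query: {b: 1}, update: {$inc: {b: 10}}, '$tenant': kTenant}));
    assert.eq({_id: 0, a: 21, b: 1}, fadCorrectDollarTenant.value);

    // Naming the wrong tenant explicitly must behave like the wrong token: no match.
    const fadOtherDollarTenant = assert.commandWorked(privilegedDB.runCommand({
        findAndModify: "myColl0",
        query: {b: 1},
        update: {$inc: {b: 10}},
        '$tenant': kOtherTenant
    }));
    assert.eq(null, fadOtherDollarTenant.value);
}

MongoRunner.stopMongod(mongod);
})();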