Loading...

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.2.0-rc5
Affects Version/s: 3.2.0-rc3
Component/s: Security
Labels:
None

Backwards Compatibility:
Minor Change
Operating System:
ALL
Steps To Reproduce:
Hide

On solaris-spawn evergreen spawnhost:

export LC_ALL=C mkdir -p /data/mci/mongo-c-driver cd /data/mci/mongo-c-driver curl http://s3.amazonaws.com/mciuploads/mongo-c-driver/solaris-32-bit/8404048cf751df1c01e8f64867ebd4d86064f3e6/artifacts/mongo-mongo_c_driver_solaris_32_bit_8404048cf751df1c01e8f64867ebd4d86064f3e6_15_11_24_14_35_54.tar.gz -o mongo_c_driver_solaris_32_bit_8404048cf751df1c01e8f64867ebd4d86064f3e6_15_11_24_14_35_54.tar.gz --silent tar -xzf mongo_c_driver_solaris_32_bit_8404048cf751df1c01e8f64867ebd4d86064f3e6_15_11_24_14_35_54.tar.gz curl -s http://downloads.mongodb.org/sunos5/mongodb-sunos5-x86_64-latest.tgz --output mongo-archive.tgz tar zxvf mongo-archive.tgz mv mongodb* mongodb export PATH=/data/mci/mongo-c-driver/mongodb/bin:$PATH:/opt/mongodbtoolchain/bin:

mkdir /data/db mongod -vvvv --smallfiles --logpath=/data/db/mongod.log --auth --dbpath=/data/db --fork mongo

> use admin switched to db admin > db.runCommand({createUser: "example", "pwd": "password", roles: [ ... {'role': 'userAdminAnyDatabase', 'db': 'admin'}, ... {'role': 'clusterAdmin', 'db': 'admin'}, ... {'role': 'dbAdminAnyDatabase', 'db': 'admin'}, ... {'role': 'readWriteAnyDatabase', 'db': 'admin'} ... ]}) { "ok" : 1 } > bye

mongoc_run () { filename=$1 executable=`basename $filename .c` gcc -o $executable $filename -Isrc/libbson/src/bson -Isrc/mongoc/ -L./.libs -lmongoc-1.0 -L./src/libbson/.libs -lbson-1.0 LD_LIBRARY_PATH=.libs/:src/libbson/.libs ./$executable }

mongoc_run bypass.c
Show
On solaris-spawn evergreen spawnhost: export LC_ALL=C mkdir -p /data/mci/mongo-c-driver cd /data/mci/mongo-c-driver curl http://s3.amazonaws.com/mciuploads/mongo-c-driver/solaris-32-bit/8404048cf751df1c01e8f64867ebd4d86064f3e6/artifacts/mongo-mongo_c_driver_solaris_32_bit_8404048cf751df1c01e8f64867ebd4d86064f3e6_15_11_24_14_35_54.tar.gz -o mongo_c_driver_solaris_32_bit_8404048cf751df1c01e8f64867ebd4d86064f3e6_15_11_24_14_35_54.tar.gz --silent tar -xzf mongo_c_driver_solaris_32_bit_8404048cf751df1c01e8f64867ebd4d86064f3e6_15_11_24_14_35_54.tar.gz curl -s http://downloads.mongodb.org/sunos5/mongodb-sunos5-x86_64-latest.tgz --output mongo-archive.tgz tar zxvf mongo-archive.tgz mv mongodb* mongodb export PATH=/data/mci/mongo-c-driver/mongodb/bin:$PATH:/opt/mongodbtoolchain/bin: mkdir /data/db mongod -vvvv --smallfiles --logpath=/data/db/mongod.log --auth --dbpath=/data/db --fork mongo > use admin switched to db admin > db.runCommand({createUser: "example", "pwd": "password", roles: [ ... {'role': 'userAdminAnyDatabase', 'db': 'admin'}, ... {'role': 'clusterAdmin', 'db': 'admin'}, ... {'role': 'dbAdminAnyDatabase', 'db': 'admin'}, ... {'role': 'readWriteAnyDatabase', 'db': 'admin'} ... ]}) { "ok" : 1 } > bye mongoc_run () { filename=$1 executable=`basename $filename .c` gcc -o $executable $filename -Isrc/libbson/src/bson -Isrc/mongoc/ -L./.libs -lmongoc-1.0 -L./src/libbson/.libs -lbson-1.0 LD_LIBRARY_PATH=.libs/:src/libbson/.libs ./$executable } mongoc_run bypass.c
Sprint:
Sharding D (12/11/15)

I can consistently reproduce the following:

$ mongod --version
db version v3.2.0-rc3-89-g3a8aab6
git version: 3a8aab65a494f6e5b31ea0358a517b103e1cbcb6

-bash-4.2$ rm -rf /data/db/*
-bash-4.2$ mongod -vvvv --smallfiles --logpath=/data/db/mongod.log --auth --dbpath=/data/db --fork
about to fork child process, waiting until server is ready for connections.
forked process: 20505
child process started successfully, parent exiting

-bash-4.2$ mongo
MongoDB shell version: 3.2.0-rc3-89-g3a8aab6
connecting to: test
> use admin
switched to db admin
> db.runCommand({createUser: "example", "pwd": "password", roles: [                    
... {'role': 'userAdminAnyDatabase', 'db': 'admin'},                                         
... {'role': 'clusterAdmin', 'db': 'admin'},                                                 
... {'role': 'dbAdminAnyDatabase', 'db': 'admin'},                                           
... {'role': 'readWriteAnyDatabase', 'db': 'admin'}                                          
... ]})
{ "ok" : 1 }
> 
bye

Then. Using the latest master of mongo-c-driver:

Create new client using "mongodb://example:password@localhost:27017/admin"
Create a schema validator: {"validator": {"number": {"$gte": 5, "validationAction": "error"}}}
Bulk insert 3 document that fail the validation, and get "Document failed validation" error back
Bulk insert 3 documents that fail the validation, passing bypassDocumentValidation: true

Now, what happens depends on the following:

If I have an active shell session logged in with the same username and password, the bypassDocumentValidation succeeds
If I have no active shell session the bypassDocumentValidation fails with authentication error.

"bypass.c"

#include <bcon.h>
#include <mongoc.h>

int main(void)
{
   mongoc_collection_t *collection;
   bson_t reply = BSON_INITIALIZER;
   mongoc_bulk_operation_t *bulk;
   mongoc_database_t *database;
   mongoc_write_concern_t *wr;
   mongoc_client_t *client;
   bson_error_t error;
   bson_t *options;
   int r;
   int i;

   client = mongoc_client_new ("mongodb://example:password@localhost:27017/admin");

   database = mongoc_client_get_database (client, "databaseName");
   collection = mongoc_database_get_collection (database, "collectionName");
   mongoc_collection_drop (collection, NULL);

   options = bson_new_from_json ("{\"validator\": {\"number\": {\"$gte\": 5}}, \"validationAction\": \"error\"}", -1, NULL);
   if (!mongoc_database_create_collection (database, "collectionName", options, &error)) {
      fprintf(stderr, "Got error %s on line %d\n", error.message, __LINE__);
      fprintf(stderr, "\nFAILED\n");
      return 1;
   }

   /* {{{ Default fails validation */
   bulk = mongoc_collection_create_bulk_operation (collection, true, NULL);
   for (i = 0; i < 3; i++) {
      bson_t *doc = bson_new_from_json ("{\"number\": 3 }", -1, NULL);
      mongoc_bulk_operation_insert (bulk, doc);
      bson_destroy (doc);
   }
   r = mongoc_bulk_operation_execute (bulk, &reply, &error);
   if (r) {
      fprintf(stderr, "Should have got error line %d\n", __LINE__);
      fprintf(stderr, "\nFAILED\n");
      return 1;
   } else {
      fprintf(stdout, "Correctly failed validation (%s) on line %d\n", error.message, __LINE__);
   }
   mongoc_bulk_operation_destroy (bulk);
   /* }}} */

   /* {{{ bypass_document_validation=true ignores validation */
   bulk = mongoc_collection_create_bulk_operation (collection, true, NULL);
   mongoc_bulk_operation_set_bypass_document_validation (bulk, true);
   for (i = 0; i < 3; i++) {
      bson_t *doc = bson_new_from_json ("{\"number\": 3 }", -1, NULL);
      mongoc_bulk_operation_insert (bulk, doc);
      bson_destroy (doc);
   }
   r = mongoc_bulk_operation_execute (bulk, &reply, &error);
   if (r) {
      fprintf(stdout, "Correctly bypassed document validation on line %d\n", __LINE__);
   } else {
      fprintf(stderr, "Got error %s on line %d\n", error.message, __LINE__);
      fprintf(stderr, "\nFAILED\n");
      return 1;
   }
   mongoc_bulk_operation_destroy (bulk);
   /* }}} */

   bson_destroy (options);
   mongoc_database_destroy (database);
   mongoc_collection_destroy (collection);
   mongoc_client_destroy (client);
}

—
EDIT: This was originally noticed on Solaris spawnhost that had nightly deployed on it. It was later confirmed on Linux too.

is documented by

DOCS-8944 bypassDocumentValidation authentication error

Closed

is related to

CDRIVER-1024 bypassDocumentValidation test fails on Solaris

Closed

SERVER-21486 successful authentication does not give full privilege with 3.0 mongos and 3.2 mongod

Closed

SERVER-21561 Remove privilege redaction added for backwards compatility

Closed

SERVER-21673 Shell ignores "opQueryOnly", "opCommandOnly" values for rpcProtocols option

Closed

Details

Description

Attachments

Issue Links

Activity

People

Dates