[SERVER-25825] Authz test for user-defined roles does not properly manipulate privileges Created: 26/Aug/16  Updated: 22/Nov/16  Resolved: 06/Sep/16

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 3.3.11
Fix Version/s: 3.2.12, 3.3.14

Type: Bug Priority: Major - P3
Reporter: Kyle Suarez Assignee: Kyle Suarez
Resolution: Done Votes: 0
Labels: test-only
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-19398 command_user_defined_roles.js incorre... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Participants:

Description

In jstests/auth/commands_user_defined_roles.js, the function runOneTest() tests that each test case works when either the database or collection named in each resource is the empty string. But it attempts to do this by manipulating a local copy of the privileges array, and these modifications aren't used when testProperAuthorization() is called.
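To make the failure mode concrete, here is an added toy model of the check (not code from the MongoDB test suite): a stand-in for testProperAuthorization() that applies MongoDB's resource-pattern rule (an empty db or collection means "any"), a buggy helper that blanks the collection on a deep copy of the privileges, and a fixed helper that mutates the privileges the check actually reads and restores them afterwards. The function names and the sample test case are constructed for this example.

```javascript
// Added example, not part of jstests/auth/commands_user_defined_roles.js.

// MongoDB resource patterns: an empty db or collection matches any value.
function privilegeMatches(priv, action, ns) {
    const r = priv.resource;
    const dbOk = r.db === "" || r.db === ns.db;
    const collOk = r.collection === "" || r.collection === ns.collection;
    return dbOk && collOk && priv.actions.includes(action);
}

// Stand-in for testProperAuthorization(): it reads testcase.privileges,
// so only mutations applied to that array are visible to it.
function testProperAuthorization(testcase, ns) {
    return testcase.privileges.some(p => privilegeMatches(p, testcase.action, ns));
}

function deepCopy(privs) {
    return privs.map(p => ({resource: {...p.resource}, actions: [...p.actions]}));
}

// Buggy shape (the pattern the ticket describes): the wildcard is written
// into a local copy, so the check still sees the original, exact resource.
function wildcardCollectionAuthorizedBuggy(testcase, ns) {
    const privileges = deepCopy(testcase.privileges);
    privileges.forEach(j => { if (j.resource.collection) j.resource.collection = ""; });
    return testProperAuthorization(testcase, ns);
}

// Fixed shape: mutate the privileges the check reads, then restore them so
// the following database-"" check starts from clean resources.
function wildcardCollectionAuthorized(testcase, ns) {
    const saved = deepCopy(testcase.privileges);
    testcase.privileges.forEach(j => { if (j.resource.collection) j.resource.collection = ""; });
    try {
        return testProperAuthorization(testcase, ns);
    } finally {
        testcase.privileges = saved;
    }
}

// Constructed test case: the role may "find" on test.foo only; the command
// is run against test.bar, which only the collection-"" wildcard covers.
const testcase = {
    action: "find",
    privileges: [{resource: {db: "test", collection: "foo"}, actions: ["find"]}],
};
const otherColl = {db: "test", collection: "bar"};
```

The buggy helper reports test.bar as unauthorized because the wildcard never reached testcase.privileges; the fixed helper reports it authorized and leaves the test case unchanged afterwards.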



Comments
Comment by Githook User [ 22/Nov/16 ]

Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>

Message: SERVER-25825 Make user-defined roles tests correctly manipulate privileges
Branch: v3.2
https://github.com/mongodb/mongo/commit/e730cf0430e5b9fc11c5882a782b2f26f46d3bfe

Comment by Githook User [ 06/Sep/16 ]

Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>

Message: SERVER-25526 add views authz tests to auth commands lib

Adds test infrastructure to handle special-case behavior for views when a
privilege specifies "removeWhenTestingAuthzFailure: false".

Also fixes SERVER-25825.
Branch: master
https://github.com/mongodb/mongo/commit/1f389ce467330cda1171d2a04bd0e0b2890aaf8d

Comment by Kyle Suarez [ 26/Aug/16 ]

I think a fix might be as simple as

diff --git a/jstests/auth/commands_user_defined_roles.js b/jstests/auth/commands_user_defined_roles.js
index 8dff4e0..af13904 100644
--- a/jstests/auth/commands_user_defined_roles.js
+++ b/jstests/auth/commands_user_defined_roles.js
@@ -116,7 +116,7 @@ function runOneTest(conn, t) {
             failures.push(t.testname + ": " + msg);
         }
         // test resource pattern where collection is ""
-        privileges.forEach(function(j) {
+        testcase.privileges.forEach(function(j) {
             if (j.resource.collection && !j.resource.collection.startsWith('system.')) {
                 j.resource.collection = "";
             }
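Review bot: the loop at `testcase.privileges.forEach(function(j) {` now mutates the resource objects the authorization check reads, which is the intent, but nothing in this hunk restores them, so after this block every non-system privilege in the test case carries `collection: ""`. Any later check on the same `t` (including the database-"" one) sees those blanked collections unless the caller reassigns `testcase.privileges` first; snapshotting a deep copy before the loop and restoring it after the check would keep this block self-contained.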
@@ -126,7 +126,8 @@ function runOneTest(conn, t) {
             failures.push(t.testname + ": " + msg);
         }
         // test resource pattern where database is ""
-        privileges.forEach(function(j) {
+        testcase.privileges = privileges;
+        testcase.privileges.forEach(function(j) {
             if (j.resource.db) {
                 j.resource.db = "";
             }
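Review bot: `testcase.privileges = privileges;` only resets the resources if `privileges` holds a deep copy of the original entries; if it was built with a shallow copy such as `slice()`, the same resource objects are shared and still carry `collection: ""` from the earlier loop, so this block would test both fields empty at once rather than database-"" alone. Note also that the loop then sets `j.resource.db = ""` on those same objects, so `privileges` itself is no longer pristine after this hunk; deep-copying at the point of assignment avoids both problems.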

but I'm not 100% confident with my JavaScript.
