SERVER-9515 Add shell helpers for role management commands

stbrody · stbrody · commit 1da10e829ebc · 2013-10-09T15:01:04.000-04:00
diff --git a/jstests/role_management_helpers.js b/jstests/role_management_helpers.js
@@ -0,0 +1,110 @@
+// This test is a basic sanity check of the shell helpers for manipulating role objects
+// It is not a comprehensive test of the functionality of the role manipulation commands
+
+function assertHasRole(rolesArray, roleName, roleDB) {
+    for (i in rolesArray) {
+        var curRole = rolesArray[i];
+        if (curRole.name == roleName && curRole.db == roleDB) {
+            return;
+        }
+    }
+    assert(false, "role " + roleName + "@" + roleDB + " not found in array: " + tojson(rolesArray));
+}
+
+function assertHasPrivilege(privilegeArray, privilege) {
+    for (i in privilegeArray) {
+        var curPriv = privilegeArray[i];
+        if (curPriv.resource.cluster == privilege.resource.cluster &&
+            curPriv.resource.anyResource == privilege.resource.anyResource &&
+            curPriv.resource.db == privilege.resource.db &&
+            curPriv.resource.collection == privilege.resource.collection) {
+            // Same resource
+            assert.eq(curPriv.actions.length, privilege.actions.length);
+            for (k in curPriv.actions) {
+                assert.eq(curPriv.actions[k], privilege.actions[k]);
+            }
+            return;
+        }
+    }
+    assert(false, "Privilege " + tojson(privilege) + " not found in privilege array: " +
+                   tojson(privilegeArray));
+}
+
+(function(db) {
+     var db = db.getSiblingDB("role_management_helpers");
+     db.dropDatabase();
+     db.dropAllRoles();
+
+     db.addRole({name:'roleA', roles: [], privileges: [{resource: {db:db.getName(), collection: ""},
+                                                        actions: ['find']}]});
+     db.addRole({name:'roleB', privileges: [], roles: ["roleA"]});
+     db.addRole({name:'roleC', privileges: [], roles: []});
+
+     // Test getRole
+     var roleObj = db.getRole("roleA");
+     assert.eq(0, roleObj.roles.length);
+     assert.eq(1, roleObj.privileges.length);
+     assertHasPrivilege(roleObj.privileges,
+                        {resource: {db:db.getName(), collection:""}, actions:['find']});
+     roleObj = db.getRole("roleB");
+     assert.eq(1, roleObj.privileges.length); // inherited from roleA
+     assertHasPrivilege(roleObj.privileges,
+                        {resource: {db:db.getName(), collection:""}, actions:['find']});
+     assert.eq(1, roleObj.roles.length);
+     assertHasRole(roleObj.roles, "roleA", db.getName());
+
+     // Granting roles to nonexistent role fails
+     assert.throws(function() { db.grantRolesToRole("fakeRole", ['dbAdmin']); });
+     // Granting roles to built-in role fails
+     assert.throws(function() { db.grantRolesToRole("readWrite", ['dbAdmin']); });
+     // Granting non-existant role fails
+     assert.throws(function() { db.grantRolesToRole("roleB", ['dbAdmin', 'fakeRole']); });
+
+     roleObj = db.getRole("roleB");
+     assert.eq(1, roleObj.privileges.length);
+     assert.eq(1, roleObj.roles.length);
+     assertHasRole(roleObj.roles, "roleA", db.getName());
+
+     // Granting a role you already have is no problem
+     db.grantRolesToRole("roleB", ['readWrite', 'roleC']);
+     roleObj = db.getRole("roleB");
+     assert.gt(roleObj.privileges.length, 1); // Got privileges from readWrite role
+     assert.eq(3, roleObj.roles.length);
+     assertHasRole(roleObj.roles, "readWrite", db.getName());
+     assertHasRole(roleObj.roles, "roleA", db.getName());
+     assertHasRole(roleObj.roles, "roleC", db.getName());
+
+     // Revoking roles the role doesn't have is fine
+     db.revokeRolesFromRole("roleB", ['roleA', 'readWrite', 'dbAdmin']);
+     roleObj = db.getRole("roleB");
+     assert.eq(0, roleObj.privileges.length);
+     assert.eq(1, roleObj.roles.length);
+     assertHasRole(roleObj.roles, "roleC", db.getName());
+
+     // Privileges on the same resource get collapsed
+     db.grantPrivilegesToRole("roleA",
+                              [{resource: {cluster:true}, actions:['listDatabases']},
+                               {resource: {db:db.getName(), collection:""}, actions:['insert']}]);
+     roleObj = db.getRole("roleA");
+     assert.eq(0, roleObj.roles.length);
+     assert.eq(2, roleObj.privileges.length);
+     assertHasPrivilege(roleObj.privileges,
+                        {resource: {db:db.getName(), collection:""}, actions:['find', 'insert']});
+     assertHasPrivilege(roleObj.privileges,
+                        {resource: {cluster:true}, actions:['listDatabases']});
+
+
+     // Test dropRole
+     db.dropRole('roleC');
+     assert.throws(function() {db.getRole('roleC')});
+     roleObj = db.getRole("roleB");
+     assert.eq(0, roleObj.privileges.length);
+     assert.eq(0, roleObj.roles.length);
+
+     // Test dropAllRoles
+     db.dropAllRoles();
+     assert.throws(function() {db.getRole('roleA')});
+     assert.throws(function() {db.getRole('roleB')});
+     assert.throws(function() {db.getRole('roleC')});
+
+}(db));
diff --git a/jstests/user_management_helpers.js b/jstests/user_management_helpers.js
@@ -1,3 +1,5 @@
+// This test is a basic sanity check of the shell helpers for manipulating user objects
+// It is not a comprehensive test of the functionality of the user manipulation commands
 function assertHasRole(rolesArray, roleName, roleDB, hasRole, canDelegate) {
     for (i in rolesArray) {
         var curRole = rolesArray[i];
@@ -7,7 +9,7 @@ function assertHasRole(rolesArray, roleName, roleDB, hasRole, canDelegate) {
             return;
         }
     }
-    assert(false, "role " + roleName + "@" + roleDB + " not found in array: " + rolesArray);
+    assert(false, "role " + roleName + "@" + roleDB + " not found in array: " + tojson(rolesArray));
 }
 
 
@@ -72,4 +74,11 @@ function assertHasRole(rolesArray, roleName, roleDB, hasRole, canDelegate) {
      assert.eq(1, userObj.roles.length);
      assertHasRole(userObj.roles, "readWrite", db.getName(), false, true);
 
+     // Test dropUser
+     db.dropUser('andy');
+     assert.throws(function() {printjson(db.getUser('andy'))});
+
+     // Test dropAllUsers
+     db.dropAllUsers()
+     assert.eq(0, db.getUsers().length);
 }(db));
diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js
@@ -1087,16 +1087,15 @@ DB.prototype.dropUser = function( username, writeConcern ){
         return true;
     }
 
-    var notFoundErrmsg = "User '" + username + "@" + this.getName() + "' not found";
-    if (res.errmsg == notFoundErrmsg) {
+    if (res.code == 11) { // Code 11 = UserNotFound
         return false;
     }
 
     if (res.errmsg == "no such cmd: dropUsers") {
         return this._removeUserV1(username, cmdObj['writeConcern']);
     }
 
-    throw "Couldn't drop user: " + res.errmsg;
+    throw Error(res.errmsg);
 }
 
 DB.prototype._removeUserV1 = function(username, writeConcern) {
@@ -1119,15 +1118,11 @@ DB.prototype.dropAllUsers = function(writeConcern) {
     var res = this.runCommand({dropUsersFromDatabase:1,
                                writeConcern: writeConcern ? writeConcern : _defaultWriteConcern});
 
-    if (res.n == 0) {
-        return false;
-    }
-
-    if (res.ok) {
-        return true;
+    if (!res.ok) {
+        throw Error(res.errmsg);
     }
 
-    throw "Couldn't drop users: " + res.errmsg;
+    return res.n;
 }
 
 DB.prototype.__pwHash = function( nonce, username, pass ) {
@@ -1230,6 +1225,9 @@ DB.prototype.getUser = function(username) {
         throw Error(res.errmsg);
     }
 
+    if (res.users.length == 0) {
+        throw Error("User " + username + "@" + db.getName() + " not found");
+    }
     return res.users[0];
 }
 
@@ -1242,4 +1240,111 @@ DB.prototype.getUsers = function() {
     return res.users;
 }
 
+DB.prototype.addRole = function(roleObj, writeConcern) {
+    var name = roleObj["name"];
+    var cmdObj = {createRole:name};
+    cmdObj = Object.extend(cmdObj, roleObj);
+    delete cmdObj["name"];
+    cmdObj["writeConcern"] = writeConcern ? writeConcern : _defaultWriteConcern;
+
+    var res = this.runCommand(cmdObj);
+
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+    printjson(roleObj);
+}
+
+DB.prototype.updateRole = function(name, updateObject, writeConcern) {
+    var cmdObj = {updateRole:name};
+    cmdObj = Object.extend(cmdObj, updateObject);
+    cmdObj['writeConcern'] =  writeConcern ? writeConcern : _defaultWriteConcern;
+    var res = this.runCommand(cmdObj);
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+};
+
+DB.prototype.dropRole = function(name, writeConcern) {
+    var cmdObj = {dropRole:name,
+                  writeConcern: writeConcern ? writeConcern : _defaultWriteConcern};
+    var res = this.runCommand(cmdObj);
+
+    if (res.ok) {
+        return true;
+    }
+
+    if (res.code == 31) { // Code 31 = RoleNotFound
+        return false;
+    }
+
+    throw Error(res.errmsg);
+};
+
+DB.prototype.dropAllRoles = function(writeConcern) {
+    var res = this.runCommand({dropRolesFromDatabase:1,
+                               writeConcern: writeConcern ? writeConcern : _defaultWriteConcern});
+
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+
+    return res.n;
+}
+
+DB.prototype.grantRolesToRole = function(rolename, roles, writeConcern) {
+    var cmdObj = {grantRolesToRole: rolename,
+                  grantedRoles: roles,
+                  writeConcern: writeConcern ? writeConcern : _defaultWriteConcern};
+    var res = this.runCommand(cmdObj);
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+}
+
+DB.prototype.revokeRolesFromRole = function(rolename, roles, writeConcern) {
+    var cmdObj = {revokeRolesFromRole: rolename,
+                  revokedRoles: roles,
+                  writeConcern: writeConcern ? writeConcern : _defaultWriteConcern};
+    var res = this.runCommand(cmdObj);
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+}
+
+DB.prototype.grantPrivilegesToRole = function(rolename, privileges, writeConcern) {
+    var cmdObj = {grantPrivilegesToRole: rolename,
+                  privileges: privileges,
+                  writeConcern: writeConcern ? writeConcern : _defaultWriteConcern};
+    var res = this.runCommand(cmdObj);
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+}
+
+DB.prototype.revokePrivilegesFromRole = function(rolename, privileges, writeConcern) {
+    var cmdObj = {revokePrivilegesFromRole: rolename,
+                  privileges: privileges,
+                  writeConcern: writeConcern ? writeConcern : _defaultWriteConcern};
+    var res = this.runCommand(cmdObj);
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+}
+
+DB.prototype.getRole = function(rolename) {
+    if (typeof rolename != "string") {
+        throw Error("Role name for getRole shell helper must be a string");
+    }
+    var res = this.runCommand({rolesInfo: rolename});
+    if (!res.ok) {
+        throw Error(res.errmsg);
+    }
+
+    if (res.roles.length == 0) {
+        throw Error("Role " + rolename + "@" + db.getName() + " not found");
+    }
+    return res.roles[0];
+}
+
 }());
