...
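# Unified test format file. Each test sends one security-sensitive command
# through runCommand and asserts that the command monitoring events published
# for it expose none of the command (or reply) fields.
description: "redacted-commands"

schemaVersion: "1.5"

# File-level gate: applies to every test below.
# NOTE(review): why auth: false is required is not stated in this file.
runOnRequirements:
- minServerVersion: "5.0"
  auth: false

createEntities:
- client:
    id: &client client
    # Only started and succeeded events are captured. commandFailedEvent is
    # not listed, so for the operations below that expect an error this file
    # does not check what a failure event would contain.
    observeEvents:
    - commandStartedEvent
    - commandSucceededEvent
    # Keeps events for sensitive commands available to the assertions below.
    # NOTE(review): presumably the runner drops them when this is unset;
    # confirm against the test format in use.
    observeSensitiveCommands: true
- database:
    id: &database database
    client: *client
    databaseName: &databaseName command-monitoring-tests

tests: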
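# Sends a hand-built X.509 "authenticate" command and checks that the started
# event exposes none of the fields that were sent.
- description: "authenticate"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: authenticate
      command:
        authenticate: 1
        mechanism: "MONGODB-X509"
        user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
        db: "$external"
    # An authentication error is expected, but we want to check that the
    # CommandStartedEvent is redacted
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: authenticate
        # We cannot simply assert that command is an empty document
        # because it's at root-level, so we make a best effort to make
        # sure sensitive fields are redacted.
        # Only the four fields sent above are named here, so a field that
        # was not part of the request would not be caught by this check.
        command:
          authenticate: { $$exists: false }
          mechanism: { $$exists: false }
          user: { $$exists: false }
          db: { $$exists: false }
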
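# Sends saslStart with a placeholder payload; the command is expected to fail,
# and the started event must not carry the payload or any other sent field.
- description: "saslStart"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: saslStart
      command:
        saslStart: 1
        # Placeholder value, not a real SASL message.
        payload: "definitely-invalid-payload"
        db: "admin"
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: saslStart
        # Field-by-field absence check: covers exactly the three fields sent.
        command:
          saslStart: { $$exists: false }
          payload: { $$exists: false }
          db: { $$exists: false }
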
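# Sends saslContinue with a placeholder payload; the command is expected to
# fail, and the started event must not carry the conversation id or payload.
- description: "saslContinue"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: saslContinue
      command:
        saslContinue: 1
        conversationId: 0
        # Placeholder value, not a real SASL message.
        payload: "definitely-invalid-payload"
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: saslContinue
        # Field-by-field absence check: covers exactly the three fields sent.
        command:
          saslContinue: { $$exists: false }
          conversationId: { $$exists: false }
          payload: { $$exists: false }
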
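# getnonce has no expectError, so both the started event and the succeeded
# event are asserted: the command field and the reply's ok and nonce fields
# must all be absent.
- description: "getnonce"
  runOnRequirements:
  - maxServerVersion: "6.1.99"  # getnonce removed as of 6.2 via SERVER-71007
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: getnonce
      command:
        getnonce: 1
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: getnonce
        command: { getnonce: { $$exists: false } }
    - commandSucceededEvent:
        commandName: getnonce
        # Reply redaction: neither the status field nor the nonce may appear.
        reply:
          ok: { $$exists: false }
          nonce: { $$exists: false }
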
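# Sends createUser with a deliberately invalid pwd so the server rejects it,
# then checks that the started event exposes none of the sent fields.
- description: "createUser"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: createUser
      command:
        createUser: "private"
        # Passing an object is prohibited and we want to trigger a command
        # failure
        pwd: {}
        roles: []
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: createUser
        # The user name and roles are checked along with pwd, not only the
        # password field.
        command:
          createUser: { $$exists: false }
          pwd: { $$exists: false }
          roles: { $$exists: false }
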
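# Sends updateUser with an object as pwd (the same invalid shape the
# createUser test uses to force a failure) and checks that the started event
# exposes none of the sent fields.
- description: "updateUser"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: updateUser
      command:
        updateUser: "private"
        pwd: {}
        roles: []
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: updateUser
        # The user name and roles are checked along with pwd, not only the
        # password field.
        command:
          updateUser: { $$exists: false }
          pwd: { $$exists: false }
          roles: { $$exists: false }
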
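# Checks that the started event for copydbgetnonce exposes no command field.
# NOTE(review): the file-level runOnRequirements asks for server 5.0 or newer,
# while this test caps the server at 3.6.99. If a runner applies both gates,
# this test is always skipped and copydbgetnonce redaction is not exercised
# by this file; confirm.
- description: "copydbgetnonce"
  runOnRequirements:
  - maxServerVersion: "3.6.99"  # copydbgetnonce was removed as of 4.0 via SERVER-32276
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: copydbgetnonce
      command:
        copydbgetnonce: "private"
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: copydbgetnonce
        command: { copydbgetnonce: { $$exists: false } }
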
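# Checks that the started event for copydbsaslstart exposes no command field.
# NOTE(review): the file-level runOnRequirements asks for server 5.0 or newer,
# while this test caps the server at 4.0.99. If a runner applies both gates,
# this test is always skipped and copydbsaslstart redaction is not exercised
# by this file; confirm.
- description: "copydbsaslstart"
  runOnRequirements:
  - maxServerVersion: "4.0.99"  # copydbsaslstart was removed as of 4.2 via SERVER-36211
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: copydbsaslstart
      command:
        copydbsaslstart: "private"
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: copydbsaslstart
        command: { copydbsaslstart: { $$exists: false } }
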
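# Checks that the started event for copydb exposes no command field.
# NOTE(review): the file-level runOnRequirements asks for server 5.0 or newer,
# while this test caps the server at 4.0.99. If a runner applies both gates,
# this test is always skipped and copydb redaction is not exercised by this
# file; confirm.
- description: "copydb"
  runOnRequirements:
  - maxServerVersion: "4.0.99"  # copydb was removed as of 4.2 via SERVER-36257
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: copydb
      command:
        copydb: "private"
    expectError:
      isError: true
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: copydb
        command: { copydb: { $$exists: false } }
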
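# hello becomes a sensitive command once it carries speculativeAuthenticate:
# both the started event and the succeeded event must then be redacted.
- description: "hello with speculative authenticate"
  # The file-level gate already requires 5.0, so this lower bound adds nothing
  # beyond documenting where hello became available.
  runOnRequirements:
  - minServerVersion: "4.9"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: hello
      command:
        hello: 1
        # Stub sub-document: carries no mechanism, payload or credentials.
        speculativeAuthenticate:
          saslStart: 1
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: hello
        command:
          hello: { $$exists: false }
          speculativeAuthenticate: { $$exists: false }
    - commandSucceededEvent:
        commandName: hello
        reply:
          # Even though authentication above fails and the reply does not
          # contain sensitive information, we're expecting the reply to be
          # redacted as well.
          isWritablePrimary: { $$exists: false }
          # This assertion will currently always hold true since we're
          # not expecting successful authentication, in which case this
          # field is missing anyways.
          speculativeAuthenticate: { $$exists: false }
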
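# Same check as the hello test, for the legacy command under both spellings
# (ismaster and isMaster). Each spelling is sent once, and each must produce
# a redacted started event and a redacted succeeded event.
- description: "legacy hello with speculative authenticate"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: ismaster
      command:
        ismaster: 1
        # Stub sub-document: carries no mechanism, payload or credentials.
        speculativeAuthenticate:
          saslStart: 1
  - name: runCommand
    object: *database
    arguments:
      commandName: isMaster
      command:
        isMaster: 1
        speculativeAuthenticate:
          saslStart: 1
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: ismaster
        command:
          ismaster: { $$exists: false }
          speculativeAuthenticate: { $$exists: false }
    - commandSucceededEvent:
        commandName: ismaster
        reply:
          ismaster: { $$exists: false }
          speculativeAuthenticate: { $$exists: false }
    - commandStartedEvent:
        commandName: isMaster
        command:
          isMaster: { $$exists: false }
          speculativeAuthenticate: { $$exists: false }
    - commandSucceededEvent:
        commandName: isMaster
        # The reply field asserted here is the lower-case ismaster, for both
        # spellings of the command name.
        reply:
          ismaster: { $$exists: false }
          speculativeAuthenticate: { $$exists: false }
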
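# Negative control: a plain hello (no speculativeAuthenticate) must be
# published unredacted. This guards against a driver that blanks every hello
# event regardless of content.
- description: "hello without speculative authenticate is not redacted"
  # The file-level gate already requires 5.0, so this lower bound adds nothing
  # beyond documenting where hello became available.
  runOnRequirements:
  - minServerVersion: "4.9"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: hello
      command:
        hello: 1
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: hello
        # The command body is expected to be visible as sent.
        command:
          hello: 1
    - commandSucceededEvent:
        commandName: hello
        # Presence of a normal reply field shows the reply was not emptied.
        reply:
          isWritablePrimary: { $$exists: true }
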
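# Negative control for the legacy command under both spellings: without
# speculativeAuthenticate, the started events show the command as sent and the
# replies still contain ismaster.
- description: "legacy hello without speculative authenticate is not redacted"
  operations:
  - name: runCommand
    object: *database
    arguments:
      commandName: ismaster
      command:
        ismaster: 1
  - name: runCommand
    object: *database
    arguments:
      commandName: isMaster
      command:
        isMaster: 1
  expectEvents:
  - client: *client
    events:
    - commandStartedEvent:
        commandName: ismaster
        command:
          ismaster: 1
    - commandSucceededEvent:
        commandName: ismaster
        reply:
          ismaster: { $$exists: true }
    - commandStartedEvent:
        commandName: isMaster
        command:
          isMaster: 1
    - commandSucceededEvent:
        commandName: isMaster
        # The reply field asserted here is the lower-case ismaster, for both
        # spellings of the command name.
        reply:
          ismaster: { $$exists: true }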