Support MongoDB 2.4 options in add_user.

behackett · behackett · commit 6a5a8b95acaa · 2013-03-21T15:51:47.000-07:00
diff --git a/pymongo/database.py b/pymongo/database.py
@@ -606,7 +606,7 @@ def __iter__(self):
     def next(self):
         raise TypeError("'Database' object is not iterable")
 
-    def add_user(self, name, password, read_only=False):
+    def add_user(self, name, password=None, read_only=None, **kwargs):
         """Create user `name` with password `password`.
 
         Add a new user with permissions for this :class:`Database`.
@@ -615,8 +615,17 @@ def add_user(self, name, password, read_only=False):
 
         :Parameters:
           - `name`: the name of the user to create
-          - `password`: the password of the user to create
-          - `read_only` (optional): if ``True`` it will make user read only
+          - `password` (optional): the password of the user to create. Can not
+            be used with the ``userSource`` argument.
+          - `read_only` (optional): if ``True`` the user will be read only
+          - `**kwargs` (optional): optional parameters for the user document
+            (e.g. ``userSource``, ``otherDBRoles``, or ``roles``)
+
+        .. note:: The use of optional keyword arguments like ``userSource``,
+           ``otherDBRoles``, or ``roles`` requires MongoDB >= 2.4.0
+
+        .. versionchanged:: 2.5
+           Added kwargs support for optional fields introduced in MongoDB 2.4
 
         .. versionchanged:: 2.2
            Added support for read only users
@@ -625,8 +634,11 @@ def add_user(self, name, password, read_only=False):
         """
 
         user = self.system.users.find_one({"user": name}) or {"user": name}
-        user["pwd"] = auth._password_digest(name, password)
-        user["readOnly"] = common.validate_boolean('read_only', read_only)
+        if password is not None:
+            user["pwd"] = auth._password_digest(name, password)
+        if read_only is not None:
+            user["readOnly"] = common.validate_boolean('read_only', read_only)
+        user.update(kwargs)
 
         try:
             self.system.users.save(user, **self._get_wc_override())
diff --git a/test/test_auth.py b/test/test_auth.py
@@ -193,5 +193,57 @@ def test_uri_options(self):
             self.assertTrue(client.pymongo_test.command('dbstats'))
 
 
+class TestDelegatedAuth(unittest.TestCase):
+
+    def setUp(self):
+        self.client = MongoClient(host, port)
+        if not version.at_least(self.client, (2, 4, 0)):
+            raise SkipTest('Delegated authentication requires MongoDB >= 2.4.0')
+        if not server_started_with_auth(self.client):
+            raise SkipTest('Authentication is not enabled on server')
+        # Give admin all priviledges.
+        self.client.admin.add_user('admin', 'pass',
+                                   roles=['readAnyDatabase',
+                                          'readWriteAnyDatabase',
+                                          'userAdminAnyDatabase',
+                                          'dbAdminAnyDatabase',
+                                          'clusterAdmin'])
+
+    def tearDown(self):
+        self.client.admin.authenticate('admin', 'pass')
+        self.client.pymongo_test.system.users.remove()
+        self.client.pymongo_test2.system.users.remove()
+        self.client.pymongo_test2.foo.remove()
+        self.client.admin.system.users.remove()
+        self.client.admin.logout()
+
+    def test_delegated_auth(self):
+        self.client.admin.authenticate('admin', 'pass')
+        self.client.pymongo_test2.foo.remove()
+        self.client.pymongo_test2.foo.insert({})
+        # User definition with no roles in pymongo_test.
+        self.client.pymongo_test.add_user('user', 'pass', roles=[])
+        # Delegate auth to pymongo_test.
+        self.client.pymongo_test2.add_user('user',
+                                           userSource='pymongo_test',
+                                           roles=['read'])
+        self.client.admin.logout()
+        self.assertRaises(OperationFailure, self.client.pymongo_test2.foo.find_one)
+        # Auth must occur on the db where the user is defined.
+        self.assertFalse(self.client.pymongo_test2.authenticate('user', 'pass'))
+        # Auth directly
+        self.assertTrue(self.client.pymongo_test.authenticate('user', 'pass'))
+        self.assertTrue(self.client.pymongo_test2.foo.find_one())
+        self.client.pymongo_test.logout()
+        self.assertRaises(OperationFailure, self.client.pymongo_test2.foo.find_one)
+        # Auth using source
+        self.assertTrue(self.client.pymongo_test2.authenticate(
+            'user', 'pass', source='pymongo_test'))
+        self.assertTrue(self.client.pymongo_test2.foo.find_one())
+        # Must logout from the db authenticate was called on.
+        self.client.pymongo_test2.logout()
+        self.assertRaises(OperationFailure, self.client.pymongo_test2.foo.find_one)
+
+
 if __name__ == "__main__":
     unittest.main()
diff --git a/test/test_database.py b/test/test_database.py
@@ -309,9 +309,8 @@ def test_authenticate_add_remove_user(self):
         db.system.users.remove({})
         db.remove_user("mike")
 
-        self.assertRaises(TypeError, db.add_user, "user", None)
         self.assertRaises(TypeError, db.add_user, "user", '')
-        self.assertRaises(TypeError, db.add_user, "user", 'password', None)
+        self.assertRaises(TypeError, db.add_user, "user", 'password', 15)
         self.assertRaises(ConfigurationError, db.add_user,
                           "user", 'password', 'True')
 
