authorHenrik Edin <henrik.edin@mongodb.com>2020-02-14 16:52:00 -0500
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-02-18 16:53:37 +0000
commit19f7a856c0b1c80c378191d5ae3451cdd09e5c61 (patch)
tree4dfdc1862d69b72168fcb4e3e1d363e1ac9bc944
parent14240d538a74be094badf4936a56cb3232d89f1d (diff)
downloadmongo-19f7a856c0b1c80c378191d5ae3451cdd09e5c61.tar.gz
SERVER-46026 Fix ssl suite when using JSON logs
-rw-r--r--jstests/ssl/ssl_count_protocols.js48
-rw-r--r--jstests/ssl/x509_client.js25
-rw-r--r--jstests/ssl/x509_expiring.js21
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp14
-rw-r--r--src/mongo/util/net/ssl_manager.cpp16
5 files changed, 90 insertions, 34 deletions
diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js
index 8bc1031ceeb..0b550275ca0 100644
--- a/jstests/ssl/ssl_count_protocols.js
+++ b/jstests/ssl/ssl_count_protocols.js
@@ -3,6 +3,7 @@
'use strict';
load("jstests/ssl/libs/ssl_helpers.js");
+load("jstests/libs/logv2_helpers.js");
var SERVER_CERT = "jstests/libs/server.pem";
var CLIENT_CERT = "jstests/libs/client.pem";
@@ -73,22 +74,41 @@ function runTestWithoutSubset(client) {
print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
const log = cat(conn.fullOptions.logFile);
- // Find the last line in the log file and verify it has the right version
- let re = /Accepted connection with TLS Version (1\.\d) from connection 127.0.0.1:\d+/g;
- let result = re.exec(log);
- let lastResult = null;
- while (result !== null) {
- lastResult = result;
- result = re.exec(log);
- }
+ if (isJsonLogNoConn()) {
+ const lines = log.split('\n');
+ let found = false;
+ for (let logMsg of lines) {
+ const logJson = JSON.parse(logMsg);
+ if (logJson.id === 23218 && /1\.\d/.test(logJson.attr.version) &&
+ /127.0.0.1:\d+/.test(logJson.attr.connection)) {
+ found = true;
+ break;
+ }
+ }
+ assert(found,
+ "'Accepted connection with TLS Version' log line missing in log file!\n" +
+ "Log file contents: " + conn.fullOptions.logFile +
+ "\n************************************************************\n" + log +
+ "\n************************************************************");
+
+ } else {
+ // Find the last line in the log file and verify it has the right version
+ let re = /Accepted connection with TLS Version (1\.\d) from connection 127.0.0.1:\d+/g;
+ let result = re.exec(log);
+ let lastResult = null;
+ while (result !== null) {
+ lastResult = result;
+ result = re.exec(log);
+ }
- assert(lastResult !== null,
- "'Accepted connection with TLS Version' log line missing in log file!\n" +
- "Log file contents: " + conn.fullOptions.logFile +
- "\n************************************************************\n" + log +
- "\n************************************************************");
+ assert(lastResult !== null,
+ "'Accepted connection with TLS Version' log line missing in log file!\n" +
+ "Log file contents: " + conn.fullOptions.logFile +
+ "\n************************************************************\n" + log +
+ "\n************************************************************");
- assert.eq(lastResult['1'], version_number);
+ assert.eq(lastResult['1'], version_number);
+ }
MongoRunner.stopMongod(conn);
}
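Review bot: The JSON branch loses the version check the text branch keeps: it only tests that `logJson.attr.version` matches `/1\.\d/`, whereas the text branch still ends with `assert.eq(lastResult['1'], version_number)`, so under JSON logging a server that negotiated the wrong TLS version now passes. Replace the regex test with `logJson.attr.version === version_number` (assuming the attribute carries the same `1.x` string the text format captured; worth confirming against ssl_manager.cpp's `versionString`). `JSON.parse(logMsg)` is also applied to every element of `log.split('\n')`, including the empty string left after a trailing newline, which throws a SyntaxError before the assertion's diagnostic output is ever reached; add `if (logMsg === '') continue;` before the parse, or wrap it in try/catch as the other two test files in this commit do. runTestWithoutSubset begins outside the hunk.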
diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js
index 595b063b1a8..568b85d9b33 100644
--- a/jstests/ssl/x509_client.js
+++ b/jstests/ssl/x509_client.js
@@ -1,4 +1,5 @@
// Check if this build supports the authenticationMechanisms startup parameter.
+load("jstests/libs/logv2_helpers.js");
var conn = MongoRunner.runMongod({
auth: "",
sslMode: "requireSSL",
@@ -74,10 +75,28 @@ function authAndTest(mongo) {
// Check that there's a "Successfully authenticated" message that includes the client IP
const log =
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
- const successRegex = new RegExp(`Successfully authenticated as principal ${CLIENT_USER} on ` +
- `\\$external from client (?:\\d{1,3}\\.){3}\\d{1,3}:\\d+`);
- assert(log.some((line) => successRegex.test(line)));
+ if (isJsonLog(mongo)) {
+ function checkAuthSuccess(element, index, array) {
+ // TODO SERVER-46018: Parse can show because RamLog may return a truncated log
+ try {
+ const logJson = JSON.parse(element);
+
+ return logJson.id === 20429 && logJson.attr.principalName === CLIENT_USER &&
+ logJson.attr.DB === "$external" &&
+ /(?:\d{1,3}\.){3}\d{1,3}:\d+/.test(logJson.attr.client);
+ } catch (exception) {
+ return false;
+ }
+ }
+ assert(log.some(checkAuthSuccess));
+ } else {
+ const successRegex =
+ new RegExp(`Successfully authenticated as principal ${CLIENT_USER} on ` +
+ `\\$external from client (?:\\d{1,3}\\.){3}\\d{1,3}:\\d+`);
+
+ assert(log.some((line) => successRegex.test(line)));
+ }
// Check that we can add a user and read data
test.createUser(
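Review bot: `checkAuthSuccess` is a function declaration nested inside the `if` block, and the first hunk of this file shows a comment then `load(...)` as lines 1–2 with no `'use strict'` directive, so this relies on legacy block-level function semantics; prefer a const arrow that takes only the argument it uses, `const checkAuthSuccess = (line) => { ... };`, dropping the unused `index, array` parameters. The same shape appears in the x509_expiring.js hunk (`checkPeerCertificateExpires`), where the file is strict so it is purely a style point. The TODO comment in both places reads "Parse can show", which presumably means "can throw". authAndTest starts and ends outside this hunk.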
diff --git a/jstests/ssl/x509_expiring.js b/jstests/ssl/x509_expiring.js
index fd05ba2a6cb..1c2ef47e838 100644
--- a/jstests/ssl/x509_expiring.js
+++ b/jstests/ssl/x509_expiring.js
@@ -3,6 +3,8 @@
(function() {
'use strict';
+load("jstests/libs/logv2_helpers.js");
+
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
@@ -33,9 +35,24 @@ function test(expiration, expect) {
// Check that there's a "Successfully authenticated" message that includes the client IP
const log =
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
- const warning = `Peer certificate '${CLIENT_USER}' expires`;
- assert.eq(log.some(line => line.includes(warning)), expect);
+ if (isJsonLog(mongo)) {
+ function checkPeerCertificateExpires(element, index, array) {
+ // TODO SERVER-46018: Parse can show because RamLog may return a truncated log
+ try {
+ const logJson = JSON.parse(element);
+
+ return (logJson.id === 23221 || logJson.id === 23222) &&
+ logJson.attr.peerSubjectName === CLIENT_USER;
+ } catch (exception) {
+ return false;
+ }
+ }
+ assert.eq(log.some(checkPeerCertificateExpires), expect);
+ } else {
+ const warning = `Peer certificate '${CLIENT_USER}' expires`;
+ assert.eq(log.some(line => line.includes(warning)), expect);
+ }
MongoRunner.stopMongod(mongo);
}
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 9ce82d61531..3891bc6e330 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -291,10 +291,10 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
if (!serverGlobalParams.quiet.load()) {
auto const client = opCtx->getClient();
LOGV2(20428,
- "Failed to authenticate {user} from client {client_getRemote} with mechanism "
+ "Failed to authenticate {user} from client {client} with mechanism "
"{mechanism}: {status}",
"user"_attr = user,
- "client_getRemote"_attr = client->getRemote(),
+ "client"_attr = client->getRemote(),
"mechanism"_attr = mechanism,
"status"_attr = status);
}
@@ -311,11 +311,11 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
if (!serverGlobalParams.quiet.load()) {
LOGV2(20429,
- "Successfully authenticated as principal {user_getUser} on {user_getDB} from client "
- "{opCtx_getClient_session_remote}",
- "user_getUser"_attr = user.getUser(),
- "user_getDB"_attr = user.getDB(),
- "opCtx_getClient_session_remote"_attr = opCtx->getClient()->session()->remote());
+ "Successfully authenticated as principal {principalName} on {DB} from client "
+ "{client}",
+ "principalName"_attr = user.getUser(),
+ "DB"_attr = user.getDB(),
+ "client"_attr = opCtx->getClient()->session()->remote());
}
result.append("dbname", user.getDB());
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 1fcc08f0205..fd888831e5c 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -1128,11 +1128,10 @@ void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging) {
}
if (!versionString.empty()) {
- LOGV2(
- 23218,
- "Accepted connection with TLS Version {versionString} from connection {hostForLogging}",
- "versionString"_attr = versionString,
- "hostForLogging"_attr = hostForLogging);
+ LOGV2(23218,
+ "Accepted connection with TLS Version {version} from connection {connection}",
+ "version"_attr = versionString,
+ "connection"_attr = hostForLogging);
}
}
@@ -1160,13 +1159,14 @@ bool hostNameMatchForX509Certificates(std::string nameToMatch, std::string certH
}
void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer) {
- LOGV2_WARNING(23221, "Peer certificate '{peer}' expires soon", "peer"_attr = peer);
+ LOGV2_WARNING(
+ 23221, "Peer certificate '{peerSubjectName}' expires soon", "peerSubjectName"_attr = peer);
}
void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer, Days days) {
LOGV2_WARNING(23222,
- "Peer certificate '{peer}' expires in {days}",
- "peer"_attr = peer,
+ "Peer certificate '{peerSubjectName}' expires in {days}",
+ "peerSubjectName"_attr = peer,
"days"_attr = days);
}