author | Henrik Edin <henrik.edin@mongodb.com> | 2020-02-14 16:52:00 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-02-18 16:53:37 +0000 |
commit | 19f7a856c0b1c80c378191d5ae3451cdd09e5c61 (patch) | |
tree | 4dfdc1862d69b72168fcb4e3e1d363e1ac9bc944 | |
parent | 14240d538a74be094badf4936a56cb3232d89f1d (diff) | |
SERVER-46026 Fix ssl suite when using JSON logs
-rw-r--r-- | jstests/ssl/ssl_count_protocols.js | 48 | ||||
-rw-r--r-- | jstests/ssl/x509_client.js | 25 | ||||
-rw-r--r-- | jstests/ssl/x509_expiring.js | 21 | ||||
-rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 14 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 16 |
5 files changed, 90 insertions, 34 deletions
diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js
index 8bc1031ceeb..0b550275ca0 100644
--- a/jstests/ssl/ssl_count_protocols.js
+++ b/jstests/ssl/ssl_count_protocols.js
@@ -3,6 +3,7 @@
 'use strict';
 load("jstests/ssl/libs/ssl_helpers.js");
+load("jstests/libs/logv2_helpers.js");
 var SERVER_CERT = "jstests/libs/server.pem";
 var CLIENT_CERT = "jstests/libs/client.pem";
@@ -73,22 +74,41 @@ function runTestWithoutSubset(client) {
 print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
 const log = cat(conn.fullOptions.logFile);
- // Find the last line in the log file and verify it has the right version
- let re = /Accepted connection with TLS Version (1\.\d) from connection 127.0.0.1:\d+/g;
- let result = re.exec(log);
- let lastResult = null;
- while (result !== null) {
- lastResult = result;
- result = re.exec(log);
- }
+ if (isJsonLogNoConn()) {
+ const lines = log.split('\n');
+ let found = false;
+ for (let logMsg of lines) {
+ const logJson = JSON.parse(logMsg);
+ if (logJson.id === 23218 && /1\.\d/.test(logJson.attr.version) &&
+ /127.0.0.1:\d+/.test(logJson.attr.connection)) {
+ found = true;
+ break;
+ }
+ }
+ assert(found,
+ "'Accepted connection with TLS Version' log line missing in log file!\n" +
+ "Log file contents: " + conn.fullOptions.logFile +
+ "\n************************************************************\n" + log +
+ "\n************************************************************");
+
+ } else {
+ // Find the last line in the log file and verify it has the right version
+ let re = /Accepted connection with TLS Version (1\.\d) from connection 127.0.0.1:\d+/g;
+ let result = re.exec(log);
+ let lastResult = null;
+ while (result !== null) {
+ lastResult = result;
+ result = re.exec(log);
+ }
- assert(lastResult !== null,
- "'Accepted connection with TLS Version' log line missing in log file!\n" +
- "Log file contents: " + conn.fullOptions.logFile +
- "\n************************************************************\n" + log +
- "\n************************************************************");
+ assert(lastResult !== null,
+ "'Accepted connection with TLS Version' log line missing in log file!\n" +
+ "Log file contents: " + conn.fullOptions.logFile +
+ "\n************************************************************\n" + log +
+ "\n************************************************************");
- assert.eq(lastResult['1'], version_number);
+ assert.eq(lastResult['1'], version_number);
+ }
 MongoRunner.stopMongod(conn);
 }
diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js
index 595b063b1a8..568b85d9b33 100644
--- a/jstests/ssl/x509_client.js
+++ b/jstests/ssl/x509_client.js
@@ -1,4 +1,5 @@
 // Check if this build supports the authenticationMechanisms startup parameter.
+load("jstests/libs/logv2_helpers.js");
 var conn = MongoRunner.runMongod({
 auth: "",
 sslMode: "requireSSL",
@@ -74,10 +75,28 @@ function authAndTest(mongo) {
 // Check that there's a "Successfully authenticated" message that includes the client IP
 const log = assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
- const successRegex = new RegExp(`Successfully authenticated as principal ${CLIENT_USER} on ` +
- `\\$external from client (?:\\d{1,3}\\.){3}\\d{1,3}:\\d+`);
- assert(log.some((line) => successRegex.test(line)));
+ if (isJsonLog(mongo)) {
+ function checkAuthSuccess(element, index, array) {
+ // TODO SERVER-46018: Parse can show because RamLog may return a truncated log
+ try {
+ const logJson = JSON.parse(element);
+
+ return logJson.id === 20429 && logJson.attr.principalName === CLIENT_USER &&
+ logJson.attr.DB === "$external" &&
+ /(?:\d{1,3}\.){3}\d{1,3}:\d+/.test(logJson.attr.client);
+ } catch (exception) {
+ return false;
+ }
+ }
+ assert(log.some(checkAuthSuccess));
+ } else {
+ const successRegex =
+ new RegExp(`Successfully authenticated as principal ${CLIENT_USER} on ` +
+ `\\$external from client (?:\\d{1,3}\\.){3}\\d{1,3}:\\d+`);
+
+ assert(log.some((line) => successRegex.test(line)));
+ }
 // Check that we can add a user and read data
 test.createUser(
diff --git a/jstests/ssl/x509_expiring.js b/jstests/ssl/x509_expiring.js
index fd05ba2a6cb..1c2ef47e838 100644
--- a/jstests/ssl/x509_expiring.js
+++ b/jstests/ssl/x509_expiring.js
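Review bot: The JSON branch of runTestWithoutSubset drops a check the text branch still performs: it only tests `logJson.attr.version` against `/1\.\d/` and never compares it with `version_number`, so a server that negotiated an unexpected TLS version would pass under JSON logging while `assert.eq(lastResult['1'], version_number)` in the else branch would catch it. It also calls `JSON.parse` unguarded on every element of `log.split('\n')`, including the empty string after the file's final newline, so when no matching line exists the test dies with a SyntaxError instead of the descriptive assert message; the sibling hunks in x509_client.js and x509_expiring.js already guard the parse. I would track the last matching line, as the regex branch does, and assert its version, as below. runTestWithoutSubset begins before this hunk.
```javascript
    if (isJsonLogNoConn()) {
        let lastVersion = null;
        for (const logMsg of log.split('\n')) {
            if (logMsg.length === 0) {
                continue;
            }
            let logJson;
            try {
                logJson = JSON.parse(logMsg);
            } catch (exception) {
                // a truncated or non-JSON trailing line is not a failure by itself
                continue;
            }
            if (logJson.id === 23218 && /127.0.0.1:\d+/.test(logJson.attr.connection)) {
                lastVersion = logJson.attr.version;
            }
        }
        assert(lastVersion !== null,
               "'Accepted connection with TLS Version' log line missing in log file!\n" +
                   "Log file contents: " + conn.fullOptions.logFile +
                   "\n************************************************************\n" + log +
                   "\n************************************************************");
        assert.eq(lastVersion, version_number);
    } else {
        // … unchanged: regex scan of the text log …
```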
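Review bot: `checkAuthSuccess` in authAndTest is a function declaration placed inside an `if` block and declares `index, array` it never reads; x509_client.js shows no `'use strict'` in this hunk, and in sloppy mode a block-level function declaration is hoisted to the enclosing function with legacy semantics, so `const checkAuthSuccess = (element) => {` is the safer and clearer form. The same applies to `checkPeerCertificateExpires` in the x509_expiring.js section. The TODO comment also has a typo that obscures why the catch is there; I would write it as `// TODO SERVER-46018: JSON.parse can throw because RamLog may return a truncated log`, which also makes clear that the catch is meant for parse failures only.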
@@ -3,6 +3,8 @@
 (function() {
 'use strict';
+load("jstests/libs/logv2_helpers.js");
+
 const SERVER_CERT = "jstests/libs/server.pem";
 const CA_CERT = "jstests/libs/ca.pem";
 const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
@@ -33,9 +35,24 @@ function test(expiration, expect) {
 // Check that there's a "Successfully authenticated" message that includes the client IP
 const log = assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
- const warning = `Peer certificate '${CLIENT_USER}' expires`;
- assert.eq(log.some(line => line.includes(warning)), expect);
+ if (isJsonLog(mongo)) {
+ function checkPeerCertificateExpires(element, index, array) {
+ // TODO SERVER-46018: Parse can show because RamLog may return a truncated log
+ try {
+ const logJson = JSON.parse(element);
+
+ return (logJson.id === 23221 || logJson.id === 23222) &&
+ logJson.attr.peerSubjectName === CLIENT_USER;
+ } catch (exception) {
+ return false;
+ }
+ }
+ assert.eq(log.some(checkPeerCertificateExpires), expect);
+ } else {
+ const warning = `Peer certificate '${CLIENT_USER}' expires`;
+ assert.eq(log.some(line => line.includes(warning)), expect);
+ }
 MongoRunner.stopMongod(mongo);
 }
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 9ce82d61531..3891bc6e330 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -291,10 +291,10 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
 if (!serverGlobalParams.quiet.load()) {
 auto const client = opCtx->getClient();
 LOGV2(20428,
- "Failed to authenticate {user} from client {client_getRemote} with mechanism "
+ "Failed to authenticate {user} from client {client} with mechanism "
 "{mechanism}: {status}",
 "user"_attr = user,
- "client_getRemote"_attr = client->getRemote(),
+ "client"_attr = client->getRemote(),
 "mechanism"_attr = mechanism,
 "status"_attr = status);
 }
@@ -311,11 +311,11 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
 if (!serverGlobalParams.quiet.load()) {
 LOGV2(20429,
- "Successfully authenticated as principal {user_getUser} on {user_getDB} from client "
- "{opCtx_getClient_session_remote}",
- "user_getUser"_attr = user.getUser(),
- "user_getDB"_attr = user.getDB(),
- "opCtx_getClient_session_remote"_attr = opCtx->getClient()->session()->remote());
+ "Successfully authenticated as principal {principalName} on {DB} from client "
+ "{client}",
+ "principalName"_attr = user.getUser(),
+ "DB"_attr = user.getDB(),
+ "client"_attr = opCtx->getClient()->session()->remote());
 }
 result.append("dbname", user.getDB());
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 1fcc08f0205..fd888831e5c 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -1128,11 +1128,10 @@ void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging) {
 }
 if (!versionString.empty()) {
- LOGV2(
- 23218,
- "Accepted connection with TLS Version {versionString} from connection {hostForLogging}",
- "versionString"_attr = versionString,
- "hostForLogging"_attr = hostForLogging);
+ LOGV2(23218,
+ "Accepted connection with TLS Version {version} from connection {connection}",
+ "version"_attr = versionString,
+ "connection"_attr = hostForLogging);
 }
 }
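Review bot: The renamed attr keys in LOGV2 20428 and 20429 (`client`, `principalName`, `DB`) are now an external contract rather than an internal naming choice: jstests/ssl/x509_client.js in this same commit keys on `id === 20429` together with `attr.principalName`, `attr.DB` and `attr.client`, and nothing at the call site says so. I would add, above `LOGV2(20429,`, the comment `// id and attr names are matched by jstests/ssl/x509_client.js; change them together.` so a later tidy-up does not silently break the test. The same applies to 23218 in ssl_manager.cpp (matched by ssl_count_protocols.js on `attr.version`/`attr.connection`) and to 23221/23222 (matched by x509_expiring.js on `attr.peerSubjectName`). Both hunks sit inside CmdAuthenticate::run, which begins before this hunk; since 20428 is the failed-authentication event that log consumers are likely to alert on, the `client_getRemote` → `client` key change is presumably worth a line in the commit message as well.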
@@ -1160,13 +1159,14 @@ bool hostNameMatchForX509Certificates(std::string nameToMatch, std::string certH
 }
 void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer) {
- LOGV2_WARNING(23221, "Peer certificate '{peer}' expires soon", "peer"_attr = peer);
+ LOGV2_WARNING(
+ 23221, "Peer certificate '{peerSubjectName}' expires soon", "peerSubjectName"_attr = peer);
 }
 void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer, Days days) {
 LOGV2_WARNING(23222,
- "Peer certificate '{peer}' expires in {days}",
- "peer"_attr = peer,
+ "Peer certificate '{peerSubjectName}' expires in {days}",
+ "peerSubjectName"_attr = peer,
 "days"_attr = days);
 }
|