author | Erwin Pe <erwin.pe@mongodb.com> | 2022-02-15 16:05:58 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2022-02-15 16:37:58 +0000 |
commit | d1842162c8e3e55d2ca25133d85be68550a0b659 (patch) | |
tree | f90beeea53684e1ff7837eeceeb95e1a6e80be9b | |
parent | 6cb3a52ab53f9f63cf2bf8333463e531a3e3a29d (diff) | |
SERVER-59220 Connectivity probes in ocsp_server_refresh.js should use fresh shells
(cherry picked from commit 9957c797a0db77012cd2dd58d3535e9d435cd431)
-rw-r--r-- | jstests/ocsp/lib/ocsp_helpers.js | 34 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_ignore_irrelevant.js | 32 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_server_refresh.js | 20 |
3 files changed, 43 insertions, 43 deletions
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index dfe52376e1f..90ec04d35ba 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -61,6 +61,40 @@ var waitForServer = function(conn) {
 }
 };
+var clientConnect = function(conn) {
+ const exitCode = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ conn.port,
+ "--tls",
+ "--tlsCAFile",
+ OCSP_CA_PEM,
+ "--tlsCertificateKeyFile",
+ OCSP_CLIENT_CERT,
+ "--tlsAllowInvalidHostnames",
+ "--verbose",
+ 1,
+ "--eval",
+ ";");
+ return exitCode;
+};
+
+const OCSP_REVOKED = "OCSPCertificateStatusRevoked";
+
+var assertClientConnectFails = function(conn, reason) {
+ clearRawMongoProgramOutput();
+ assert.neq(clientConnect(conn), 0);
+ const errmsg = rawMongoProgramOutput();
+ if (typeof reason === 'string' || reason instanceof RegExp) {
+ assert.neq(errmsg.search(reason), -1);
+ }
+};
+
+var assertClientConnectSucceeds = function(conn) {
+ assert.eq(clientConnect(conn), 0);
+};
+
 var supportsStapling = function() {
 if (determineSSLProvider() !== "openssl") {
 return false;
diff --git a/jstests/ocsp/ocsp_ignore_irrelevant.js b/jstests/ocsp/ocsp_ignore_irrelevant.js
index d2a9c4c4e26..f0070db115e 100644
--- a/jstests/ocsp/ocsp_ignore_irrelevant.js
+++ b/jstests/ocsp/ocsp_ignore_irrelevant.js
@@ -12,25 +12,6 @@ if (determineSSLProvider() === "apple") {
 const INCLUDE_EXTRA_STATUS = true;
-function clientConnect(mongod, cafile) {
- const exitCode = runMongoProgram("mongo",
- "--host",
- "localhost",
- "--port",
- mongod.port,
- "--tls",
- "--tlsCAFile",
- OCSP_CA_PEM,
- "--tlsCertificateKeyFile",
- OCSP_CLIENT_CERT,
- "--tlsAllowInvalidHostnames",
- "--verbose",
- 1,
- "--eval",
- ";");
- return exitCode;
-}
-
 /**
 * Tests OCSP status verification in the client-side ignores the statuses
 * of irrelevant certificates. No stapling is performed server-side.
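Review bot: `assertClientConnectFails` reads `rawMongoProgramOutput()` once, right after the shell exits, whereas the `assert.soon` loop this commit removes from `testStapling` in ocsp_ignore_irrelevant.js polled for the same string; if captured output can lag behind process exit (the removed polling suggests it can), the reason check may fail spuriously. Keeping the retry inside the helper would preserve the old behaviour: `assert.soon(() => rawMongoProgramOutput().search(reason) !== -1);`. `String.prototype.search` also converts a string `reason` into a regular expression, so a one-line comment that string reasons are treated as patterns would help callers. A short JSDoc on `clientConnect` stating that it spawns a separate shell process and passes `--tlsAllowInvalidHostnames` (acceptable only for the test certificates) would record that the probe deliberately runs out of process. The trailing `supportsStapling` context continues outside the hunk.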
@@ -62,7 +43,7 @@ function testClient(serverCert, caCert, responderCertPair, issuerDigest) {
 "Testing client can connect if OCSP response has extraneous statuses and the matching CertID is Good");
 mock_ocsp.start();
- assert.eq(clientConnect(conn), 0);
+ assertClientConnectSucceeds(conn);
 mock_ocsp.stop();
@@ -72,7 +53,7 @@ function testClient(serverCert, caCert, responderCertPair, issuerDigest) {
 new MockOCSPServer(FAULT_REVOKED, 1, responderCertPair, INCLUDE_EXTRA_STATUS, issuerDigest);
 mock_ocsp.start();
- assert.neq(clientConnect(conn), 0);
+ assertClientConnectFails(conn);
 MongoRunner.stopMongod(conn);
@@ -117,7 +98,7 @@ function testStapling(serverCert, caCert, responderCertPair, issuerDigest) {
 conn = MongoRunner.runMongod(ocsp_options);
 waitForServer(conn);
- assert.eq(clientConnect(conn), 0);
+ assertClientConnectSucceeds(conn);
 MongoRunner.stopMongod(conn);
 sleep(1000);
@@ -133,12 +114,7 @@ function testStapling(serverCert, caCert, responderCertPair, issuerDigest) {
 conn = MongoRunner.runMongod(ocsp_options);
 waitForServer(conn);
- clearRawMongoProgramOutput();
- assert.neq(clientConnect(conn), 0);
-
- assert.soon(function() {
- return rawMongoProgramOutput().search("OCSPCertificateStatusRevoked") !== -1;
- });
+ assertClientConnectFails(conn, OCSP_REVOKED);
 MongoRunner.stopMongod(conn);
diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js
index 8b87089e2bf..409924f6e5e 100644
--- a/jstests/ocsp/ocsp_server_refresh.js
+++ b/jstests/ocsp/ocsp_server_refresh.js
@@ -37,18 +37,14 @@ mock_ocsp.start();
 // saying that it's revoked.
 sleep(15000);
-assert.throws(() => {
- new Mongo(conn.host);
-});
+assertClientConnectFails(conn, OCSP_REVOKED);
 mock_ocsp.stop();
 mock_ocsp = new MockOCSPServer("", 1000);
 mock_ocsp.start();
 // This ensures that the client was viewing a stapled response.
-assert.throws(() => {
- new Mongo(conn.host);
-});
+assertClientConnectFails(conn, OCSP_REVOKED);
 MongoRunner.stopMongod(conn);
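Review bot: In the `@@ -72,7 +53,7 @@` hunk of ocsp_ignore_irrelevant.js, `assertClientConnectFails(conn)` is called without a reason, so the revoked-certificate case in `testClient` passes on any non-zero shell exit, including an unreachable mongod or a wrong certificate path. The `testStapling` hunk further down already pins the cause; doing the same here, `assertClientConnectFails(conn, OCSP_REVOKED);`, would make the test show that the connection was refused because of the revocation status, assuming the client-side check reports that string on every TLS provider this test runs on. `testClient` starts and ends outside the hunk.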
@@ -66,9 +62,7 @@ mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 10);
 mock_ocsp.start();
 sleep(30000);
 // the client should be trying to connect after its certificate has been revoked.
-assert.throws(() => {
- new Mongo(conn.host);
-});
+assertClientConnectFails(conn, OCSP_REVOKED);
 MongoRunner.stopMongod(conn);
 // The mongoRunner spawns a new Mongo Object to validate the collections which races
@@ -93,9 +87,7 @@ mock_ocsp.stop();
 // If the server stapled an expired response, then the client would refuse to connect.
 // We now check that the server has not stapled a response.
 sleep(NEXT_UPDATE * 1000);
-assert.doesNotThrow(() => {
- new Mongo(conn.host);
-});
+assertClientConnectSucceeds(conn);
 MongoRunner.stopMongod(conn);
@@ -130,9 +122,7 @@ sleep(20000);
 // By asserting here that a new connection cannot be established to the
 // mongod, we prove that the server has refreshed its stapled response sooner
 // than the refresh period indicated.
-assert.throws(() => {
- new Mongo(conn.host);
-});
+assertClientConnectFails(conn, OCSP_REVOKED);
 MongoRunner.stopMongod(conn); |