authorSpencer T Brody <spencer@mongodb.com>2015-03-22 12:08:42 -0400
committerSpencer T Brody <spencer@mongodb.com>2015-04-06 18:19:21 -0400
commit7baac52f05a3e0cbdb7168e51836f507eda99dff (patch)
tree0bec9669a362aabd5d8b5cbcdcba4f9418c42509
parent9b278765717f4645f1469b389338d3ec055c3316 (diff)
downloadmongo-7baac52f05a3e0cbdb7168e51836f507eda99dff.tar.gz
SERVER-17450 Cleanup SSL test infrastructure
-rwxr-xr-xbuildscripts/smoke.py30
-rw-r--r--jstests/replsets/rslib.js2
-rw-r--r--jstests/ssl/disable_x509.js7
-rw-r--r--jstests/ssl/initial_sync1_x509.js6
-rw-r--r--jstests/ssl/mixed_mode_repl.js3
-rw-r--r--jstests/ssl/mixed_mode_sharded.js4
-rw-r--r--jstests/ssl/set_parameter_ssl.js5
-rw-r--r--jstests/ssl/sharding_with_x509.js1
-rw-r--r--jstests/ssl/ssl_cert_password.js16
-rw-r--r--jstests/ssl/ssl_crl.js30
-rw-r--r--jstests/ssl/ssl_crl_revoked.js16
-rw-r--r--jstests/ssl/ssl_fips.js19
-rw-r--r--jstests/ssl/ssl_hostname_validation.js8
-rw-r--r--jstests/ssl/ssl_invalid_server_cert.js17
-rw-r--r--jstests/ssl/ssl_options.js3
-rw-r--r--jstests/ssl/ssl_weak.js30
-rw-r--r--jstests/ssl/ssl_without_ca.js4
-rw-r--r--jstests/ssl/upgrade_to_ssl.js15
-rw-r--r--jstests/ssl/upgrade_to_x509_ssl.js3
-rw-r--r--jstests/ssl/x509_client.js27
-rw-r--r--jstests/sslSpecial/set_parameter_nossl.js2
-rw-r--r--jstests/sslSpecial/ssl_mixedmode.js2
-rw-r--r--src/mongo/shell/mongo.js2
-rw-r--r--src/mongo/shell/mongodtest.js11
-rw-r--r--src/mongo/shell/replsettest.js5
-rwxr-xr-xsrc/mongo/shell/servers.js32
-rw-r--r--src/mongo/shell/servers_misc.js30
-rw-r--r--src/mongo/shell/shardingtest.js2
-rw-r--r--src/mongo/shell/utils.js6
29 files changed, 107 insertions, 231 deletions
diff --git a/buildscripts/smoke.py b/buildscripts/smoke.py
index ab8b53e9dee..783a2234109 100755
--- a/buildscripts/smoke.py
+++ b/buildscripts/smoke.py
@@ -252,14 +252,11 @@ class mongod(NullMongod):
self.auth = True
if self.kwargs.get('keyFile'):
argv += ['--keyFile', self.kwargs.get('keyFile')]
- if self.kwargs.get('use_ssl') or self.kwargs.get('use_x509'):
+ if self.kwargs.get('use_ssl'):
argv += ['--sslMode', "requireSSL",
'--sslPEMKeyFile', 'jstests/libs/server.pem',
'--sslCAFile', 'jstests/libs/ca.pem',
- '--sslWeakCertificateValidation']
- if self.kwargs.get('use_x509'):
- argv += ['--clusterAuthMode','x509'];
- self.auth = True
+ '--sslAllowConnectionsWithoutCertificates']
print "running " + " ".join(argv)
self.proc = self._start(buildlogger(argv, is_global=True))
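Review bot: The `'--sslAllowConnectionsWithoutCertificates'` entry in the `use_ssl` branch has no comment explaining why every mongod started by smoke.py accepts clients that present no certificate. A short comment above the `argv +=` would keep the relaxed setting from being read as a recommended server configuration, for example `# Test-only: shells may connect without a client certificate; a certificate that is presented is still checked against ca.pem.` The method this branch belongs to starts before the hunk.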
@@ -456,7 +453,7 @@ def skipTest(path):
if basename in ["fastsync.js", "index_retry.js", "ttl_repl_maintenance.js",
"unix_socket1.js"]:
return True;
- if auth or keyFile or use_x509: # For tests running with auth
+ if auth or keyFile: # For tests running with auth
# Skip any tests that run with auth explicitly
if parentDir.lower() == "auth" or "auth" in basename.lower():
return True
@@ -588,9 +585,7 @@ def runTest(test, result):
'TestData.keyFile = ' + ternary( keyFile , '"' + str(keyFile) + '"' , 'null' ) + ";" + \
'TestData.keyFileData = ' + ternary( keyFile , '"' + str(keyFileData) + '"' , 'null' ) + ";" + \
'TestData.authMechanism = ' + ternary( authMechanism,
- '"' + str(authMechanism) + '"', 'null') + ";" + \
- 'TestData.useSSL = ' + ternary( use_ssl ) + ";" + \
- 'TestData.useX509 = ' + ternary( use_x509 ) + ";"
+ '"' + str(authMechanism) + '"', 'null') + ";"
# this updates the default data directory for mongod processes started through shell (src/mongo/shell/servers.js)
evalString += 'MongoRunner.dataDir = "' + os.path.abspath(smoke_db_prefix + '/data/db') + '";'
evalString += 'MongoRunner.dataPath = MongoRunner.dataDir + "/";'
@@ -702,8 +697,7 @@ def run_tests(tests):
auth=auth,
authMechanism=authMechanism,
keyFile=keyFile,
- use_ssl=use_ssl,
- use_x509=use_x509)
+ use_ssl=use_ssl)
master.start()
if small_oplog:
@@ -730,8 +724,7 @@ def run_tests(tests):
auth=auth,
authMechanism=authMechanism,
keyFile=keyFile,
- use_ssl=use_ssl,
- use_x509=use_x509)
+ use_ssl=use_ssl)
slave.start()
primary = Connection(port=master.port, slave_okay=True);
@@ -812,8 +805,7 @@ def run_tests(tests):
auth=auth,
authMechanism=authMechanism,
keyFile=keyFile,
- use_ssl=use_ssl,
- use_x509=use_x509)
+ use_ssl=use_ssl)
master.start()
except TestFailure, f:
@@ -1095,7 +1087,7 @@ def set_globals(options, tests):
global small_oplog, small_oplog_rs
global no_journal, set_parameters, set_parameters_mongos, no_preallocj, storage_engine, wiredtiger_engine_config_string, wiredtiger_collection_config_string, wiredtiger_index_config_string
global auth, authMechanism, keyFile, keyFileData, smoke_db_prefix, test_path, start_mongod
- global use_ssl, use_x509
+ global use_ssl
global file_of_commands_mode
global report_file, shell_write_mode, use_write_commands
global temp_path
@@ -1105,9 +1097,6 @@ def set_globals(options, tests):
start_mongod = options.start_mongod
if hasattr(options, 'use_ssl'):
use_ssl = options.use_ssl
- if hasattr(options, 'use_x509'):
- use_x509 = options.use_x509
- use_ssl = use_ssl or use_x509
#Careful, this can be called multiple times
test_path = options.test_path
@@ -1298,9 +1287,6 @@ def main():
parser.add_option('--auth', dest='auth', default=False,
action="store_true",
help='Run standalone mongods in tests with authentication enabled')
- parser.add_option('--use-x509', dest='use_x509', default=False,
- action="store_true",
- help='Use x509 auth for internal cluster authentication')
parser.add_option('--authMechanism', dest='authMechanism', default='SCRAM-SHA-1',
help='Use the given authentication mechanism, when --auth is used.')
parser.add_option('--keyFile', dest='keyFile', default=None,
diff --git a/jstests/replsets/rslib.js b/jstests/replsets/rslib.js
index bb3b8374738..7111063f38e 100644
--- a/jstests/replsets/rslib.js
+++ b/jstests/replsets/rslib.js
@@ -47,7 +47,7 @@ reconnect = function(a) {
db = a;
}
db.bar.stats();
- if (jsTest.options().keyFile || jsTest.options().useX509) { // SERVER-4241: Shell connections don't re-authenticate on reconnect
+ if (jsTest.options().keyFile) { // SERVER-4241: Shell connections don't re-authenticate on reconnect
return jsTest.authenticate(db.getMongo());
}
return true;
diff --git a/jstests/ssl/disable_x509.js b/jstests/ssl/disable_x509.js
index 8b3ec8957b6..57175aa0f94 100644
--- a/jstests/ssl/disable_x509.js
+++ b/jstests/ssl/disable_x509.js
@@ -1,9 +1,12 @@
// Test enabling and disabling the MONGODB-X509 auth mech
-TestData.useX509 = false;
var CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US"
-var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" });
+var conn = MongoRunner.runMongod({smallfiles: "",
+ auth: "",
+ sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem"});
// Find out if this build supports the authenticationMechanisms startup parameter.
// If it does, restart with and without the MONGODB-X509 mechanisms enabled.
diff --git a/jstests/ssl/initial_sync1_x509.js b/jstests/ssl/initial_sync1_x509.js
index 27eb67207ed..f767dba0dde 100644
--- a/jstests/ssl/initial_sync1_x509.js
+++ b/jstests/ssl/initial_sync1_x509.js
@@ -1,6 +1,10 @@
// Basic tests for cluster authentication using x509.
-var common_options = {keyFile : "jstests/libs/key1"};
+var common_options = {keyFile : "jstests/libs/key1",
+ sslMode : "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslAllowInvalidHostnames: ""};
function runInitialSyncTest() {
load("jstests/replsets/rslib.js");
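Review bot: `sslAllowInvalidHostnames: ""` is added to `common_options` without a comment, so the replica set in this test runs with hostname verification switched off and no stated reason. The servers.js block removed by this commit set the same option with only a pointer to ssl_hostname_validation.js, so that rationale does not carry over to this file. I would add a line such as `// Test certificates do not match the member host names, so hostname checks are disabled for this set only.` if that is in fact the reason. The same uncommented option is added to `x509_options` in jstests/ssl/sharding_with_x509.js.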
diff --git a/jstests/ssl/mixed_mode_repl.js b/jstests/ssl/mixed_mode_repl.js
index 80109a0581c..e5d7297c7e3 100644
--- a/jstests/ssl/mixed_mode_repl.js
+++ b/jstests/ssl/mixed_mode_repl.js
@@ -1,9 +1,6 @@
// This test is related to mixed_mode_repl_nossl.js in
// the sslSpecial test set. This test must be run with --use-ssl
-// If we are running in use-x509 passthrough mode, turn it off
-// since it is not necessary for this test.
-TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js")
// Verify that requireSSL allows ssl connections
diff --git a/jstests/ssl/mixed_mode_sharded.js b/jstests/ssl/mixed_mode_sharded.js
index 08d872939a2..efee241ff0c 100644
--- a/jstests/ssl/mixed_mode_sharded.js
+++ b/jstests/ssl/mixed_mode_sharded.js
@@ -2,10 +2,6 @@
* This test checks if different mixtures of ssl modes
* in a sharded cluster can or cannot function
*/
-
-// If we are running in use-x509 passthrough mode, turn it off
-// since it is not necessary for this test.
-TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js");
print("=== Testing requireSSL/requireSSL cluster ===");
diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js
index 19d11b9047f..801d4e15b72 100644
--- a/jstests/ssl/set_parameter_ssl.js
+++ b/jstests/ssl/set_parameter_ssl.js
@@ -1,6 +1,5 @@
// Test changing the --sslMode and --clusterAuthMode
// parameters using setParameter
-TestData.useX509 = false;
var SERVER_CERT = "jstests/libs/server.pem"
var CA_CERT = "jstests/libs/ca.pem"
@@ -19,7 +18,7 @@ function testSSLTransition(oldMode, newMode, shouldSucceed) {
"sslMode" : newMode });
assert(res["ok"] == shouldSucceed, tojson(res));
- stopMongod(port);
+ MongoRunner.stopMongod(port);
}
function testAuthModeTransition(oldMode, newMode, sslMode, shouldSucceed) {
@@ -36,7 +35,7 @@ function testAuthModeTransition(oldMode, newMode, sslMode, shouldSucceed) {
"clusterAuthMode" : newMode });
assert(res["ok"] == shouldSucceed, tojson(res));
- stopMongod(port);
+ MongoRunner.stopMongod(port);
}
testSSLTransition("allowSSL", "invalid", false);
diff --git a/jstests/ssl/sharding_with_x509.js b/jstests/ssl/sharding_with_x509.js
index 1a1e41f6cae..aee7ac0e15f 100644
--- a/jstests/ssl/sharding_with_x509.js
+++ b/jstests/ssl/sharding_with_x509.js
@@ -5,6 +5,7 @@ var x509_options = {sslMode : "requireSSL",
sslPEMKeyFile : "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslClusterFile: "jstests/libs/cluster_cert.pem",
+ sslAllowInvalidHostnames: "",
clusterAuthMode: "x509"};
// Start ShardingTest with enableBalancer because ShardingTest attempts to turn
diff --git a/jstests/ssl/ssl_cert_password.js b/jstests/ssl/ssl_cert_password.js
index 1c03f6ed7e0..1c0e271be20 100644
--- a/jstests/ssl/ssl_cert_password.js
+++ b/jstests/ssl/ssl_cert_password.js
@@ -10,13 +10,13 @@ resetDbpath(dbpath);
mkdir(external_scratch_dir);
// Password is correct
-md = startMongod("--nopreallocj",
- "--port", port,
- "--dbpath", dbpath,
- "--sslMode","requireSSL",
- "--sslPEMKeyFile", "jstests/libs/password_protected.pem",
- "--sslPEMKeyPassword", "qwerty");
-// startMongod connects a Mongo shell, so if we get here, the test is successful.
+var md = MongoRunner.runMongod({nopreallocj: "",
+ port: port,
+ dbpath: dbpath,
+ sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/password_protected.pem",
+ sslPEMKeyPassword: "qwerty"});
+// MongoRunner.runMongod connects a Mongo shell, so if we get here, the test is successful.
// Password incorrect; error logged is:
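Review bot: The result of the new `MongoRunner.runMongod` call for the correct-password case is not checked in this hunk, although the comment under it treats reaching the next line as success. Judging from jstests/ssl/ssl_invalid_server_cert.js in this same commit, `runMongod` yields null when the server does not come up, so a start-up failure here would go unnoticed until something dereferences `md`. I would add `assert.neq(null, md, "mongod did not start with the correct PEM key password");` directly after the call.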
@@ -134,6 +134,6 @@ assert.eq(md5, md5_stored, "hash of stored file does not match the expected valu
if (!_isWindows()) {
// Stop the server
- var exitCode = stopMongod(port, 15);
+ var exitCode = MongoRunner.stopMongod(port, 15);
assert(exitCode == 0);
}
diff --git a/jstests/ssl/ssl_crl.js b/jstests/ssl/ssl_crl.js
index 0d4bf0f4200..fd83c3979ef 100644
--- a/jstests/ssl/ssl_crl.js
+++ b/jstests/ssl/ssl_crl.js
@@ -5,36 +5,28 @@
// crl.pem is a CRL with no revoked certificates.
// This test should allow the user to connect with client.pem certificate.
-ports = allocatePorts(2);
-port1 = ports[0];
-var baseName = "jstests_ssl_ssl_crl";
+var md = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslCRLFile: "jstests/libs/crl.pem"});
-var md = startMongod("--port", port1, "--dbpath",
- MongoRunner.dataPath + baseName + "1",
- "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslCAFile", "jstests/libs/ca.pem",
- "--sslCRLFile", "jstests/libs/crl.pem");
-
-
-var mongo = runMongoProgram("mongo", "--port", port1, "--ssl", "--sslAllowInvalidCertificates",
+var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--eval", ";");
// 0 is the exit code for success
assert(mongo==0);
-port2 = ports[1];
+
// This test ensures clients cannot connect if the CRL is expired.
-md = startMongod("--port", port2, "--dbpath", MongoRunner.dataPath + baseName + "2",
- "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslCAFile", "jstests/libs/ca.pem",
- "--sslCRLFile", "jstests/libs/crl_expired.pem");
+md = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslCRLFile: "jstests/libs/crl_expired.pem"});
-mongo = runMongoProgram("mongo", "--port", port2, "--ssl", "--sslAllowInvalidCertificates",
+mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--eval", ";");
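Review bot: `md` is reassigned to the second server (the expired-CRL case) while the first one is still running, and nothing in this hunk stops either of them. Now that the port is picked by `MongoRunner.runMongod`, the old handle is the only reference to the first server, so I would call `MongoRunner.stopMongod(md);` before the second `runMongod`, the form ssl_fips.js uses in this commit. The file continues past the hunk, so a stop for the second server may already exist there.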
diff --git a/jstests/ssl/ssl_crl_revoked.js b/jstests/ssl/ssl_crl_revoked.js
index 53d6671f4f4..97ab29bf46e 100644
--- a/jstests/ssl/ssl_crl_revoked.js
+++ b/jstests/ssl/ssl_crl_revoked.js
@@ -2,18 +2,12 @@
// Note: crl_client_revoked.pem is a CRL with the client.pem certificate listed as revoked.
// This test should test that the user cannot connect with client.pem certificate.
-port = allocatePorts( 1 )[ 0 ];
-var baseName = "jstests_ssl_ssl_crl_revoked";
+var md = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslCRLFile: "jstests/libs/crl_client_revoked.pem"});
-
-var md = startMongod( "--port", port, "--dbpath", MongoRunner.dataPath + baseName,
- "--sslMode","requireSSL",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslCAFile", "jstests/libs/ca.pem",
- "--sslCRLFile", "jstests/libs/crl_client_revoked.pem");
-
-
-var mongo = runMongoProgram("mongo", "--port", port, "--ssl", "--sslAllowInvalidCertificates",
+var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client_revoked.pem",
"--eval", ";");
diff --git a/jstests/ssl/ssl_fips.js b/jstests/ssl/ssl_fips.js
index ebcac31e91b..bd1eb36f1cd 100644
--- a/jstests/ssl/ssl_fips.js
+++ b/jstests/ssl/ssl_fips.js
@@ -1,15 +1,16 @@
// Test mongod start with FIPS mode enabled
ports = allocatePorts(1);
port1 = ports[0];
-var baseName = "jstests_ssl_ssl_fips";
+var md = MongoRunner.runMongod({port: port1,
+ sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslFIPSMode: ""});
-
-var md = startMongod("--port", port1, "--dbpath",
- MongoRunner.dataPath + baseName, "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslFIPSMode");
-
-var mongo = runMongoProgram("mongo", "--port", port1, "--ssl", "--sslAllowInvalidCertificates",
+var mongo = runMongoProgram("mongo",
+ "--port", port1,
+ "--ssl",
+ "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--sslFIPSMode",
"--eval", ";");
@@ -22,5 +23,5 @@ if (mongo != 0) {
}
else {
// kill mongod
- stopMongod(port1);
+ MongoRunner.stopMongod(md);
}
diff --git a/jstests/ssl/ssl_hostname_validation.js b/jstests/ssl/ssl_hostname_validation.js
index f3bf97bd168..98f99b557e2 100644
--- a/jstests/ssl/ssl_hostname_validation.js
+++ b/jstests/ssl/ssl_hostname_validation.js
@@ -7,12 +7,6 @@ var SAN_CERT = "jstests/libs/localhostnameSAN.pem";
var CLIENT_CERT = "jstests/libs/client.pem"
var BAD_SAN_CERT = "jstests/libs/badSAN.pem";
-// We want to be able to control all SSL parameters
-// but still need an SSL shell hence the test is placed
-// in the /ssl directory
-TestData.useX509 = false;
-TestData.useSSL = false;
-
port = allocatePorts(1)[0];
function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSucceed) {
@@ -52,7 +46,7 @@ function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSuc
assert.eq(1, mongo, "Connection attempt succeeded when it should fail certPath: " +
certPath);
}
- stopMongod(port);
+ MongoRunner.stopMongod(port);
}
// 1. Test client connections with different server certificates
diff --git a/jstests/ssl/ssl_invalid_server_cert.js b/jstests/ssl/ssl_invalid_server_cert.js
index d179c944fae..6487d0f99b2 100644
--- a/jstests/ssl/ssl_invalid_server_cert.js
+++ b/jstests/ssl/ssl_invalid_server_cert.js
@@ -1,23 +1,18 @@
// Test SSL Certificate Expiration Monitoring
// This tests that a mongod with --sslMode requireSSL will not start with an
// X.509 certificate that is not yet valid or has expired.
-ports = allocatePorts(1);
-port = ports[0];
-var baseName = "jstests_ssl_ssl_invalid_server_cert";
// This test ensures that a mongod will not start with a certificate that is
// not yet valid. Tested certificate will become valid 06-17-2020.
-var md = startMongod("--port", port, "--dbpath", MongoRunner.dataPath + baseName,
- "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/not_yet_valid.pem",
- "--sslCAFile", "jstests/libs/ca.pem");
+var md = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/not_yet_valid.pem",
+ sslCAFile: "jstests/libs/ca.pem"});
assert.eq(null, md, "Possible to start mongod with not yet valid certificate.");
// This test ensures that a mongod with SSL will not start with an expired certificate.
-md = startMongod("--port", port, "--dbpath", MongoRunner.dataPath + baseName,
- "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/expired.pem",
- "--sslCAFile", "jstests/libs/ca.pem");
+md = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/expired.pem",
+ sslCAFile: "jstests/libs/ca.pem"});
assert.eq(null, md, "Possible to start mongod with expired certificate");
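Review bot: Both `assert.eq(null, md, ...)` checks accept any start-up failure as proof that the certificate was rejected, so an unreadable PEM file or an unrelated start-up error would make the test pass as well. It would be stronger to also assert on the start-up error the server logs for a certificate outside its validity period. Separately, the comment says not_yet_valid.pem becomes valid on 06-17-2020, which means the first assertion will start failing after that date unless the fixture is regenerated; a `// TODO: regenerate not_yet_valid.pem before 06-17-2020` next to the first call would make that visible.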
diff --git a/jstests/ssl/ssl_options.js b/jstests/ssl/ssl_options.js
index f4dcb4d4d47..1881114b482 100644
--- a/jstests/ssl/ssl_options.js
+++ b/jstests/ssl/ssl_options.js
@@ -5,7 +5,8 @@ jsTest.log("Testing censorship of ssl options");
var mongodConfig = { sslPEMKeyFile : "jstests/libs/password_protected.pem",
sslMode : "requireSSL",
sslPEMKeyPassword : "qwerty",
- sslClusterPassword : "qwerty" };
+ sslClusterPassword : "qwerty",
+ sslCAFile: "jstests/libs/ca.pem"};
var mongodSource = MongoRunner.runMongod(mongodConfig);
var getCmdLineOptsResult = mongodSource.adminCommand("getCmdLineOpts");
diff --git a/jstests/ssl/ssl_weak.js b/jstests/ssl/ssl_weak.js
index 25e2e442549..5a239a6d13c 100644
--- a/jstests/ssl/ssl_weak.js
+++ b/jstests/ssl/ssl_weak.js
@@ -1,27 +1,22 @@
// Test forcing certificate validation
// This tests that forcing certification validation will prohibit clients without certificates
// from connecting.
-ports = allocatePorts( 2 );
-
-var baseName = "jstests_ssl_ssl_weak";
-
// Test that connecting with no client certificate and --sslAllowConnectionsWithoutCertificates
// (an alias for sslWeakCertificateValidation) connects successfully.
-var md = startMongod( "--port", ports[0], "--dbpath", MongoRunner.dataPath + baseName + "1",
- "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslCAFile", "jstests/libs/ca.pem",
- "--sslAllowConnectionsWithoutCertificates");
+var md = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslAllowConnectionsWithoutCertificates: ""});
-var mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalidCertificates",
+var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--eval", ";");
// 0 is the exit code for success
assert(mongo==0);
// Test that connecting with a valid client certificate connects successfully.
-mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalidCertificates",
+mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--eval", ";");
@@ -29,14 +24,13 @@ mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalid
assert(mongo==0);
-// Test that connecting with no client certificate and no --sslWeakCertificateValidation fails to
-// connect.
-var md2 = startMongod( "--port", ports[1], "--dbpath", MongoRunner.dataPath + baseName + "2",
- "--sslMode", "requireSSL",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslCAFile", "jstests/libs/ca.pem");
+// Test that connecting with no client certificate and no --sslAllowConnectionsWithoutCertificates
+// fails to connect.
+var md2 = MongoRunner.runMongod({sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem"});
-mongo = runMongoProgram("mongo", "--port", ports[1], "--ssl", "--sslAllowInvalidCertificates",
+mongo = runMongoProgram("mongo", "--port", md2.port, "--ssl", "--sslAllowInvalidCertificates",
"--eval", ";");
// 1 is the exit code for failure
diff --git a/jstests/ssl/ssl_without_ca.js b/jstests/ssl/ssl_without_ca.js
index f70495f3961..87e69eed7e4 100644
--- a/jstests/ssl/ssl_without_ca.js
+++ b/jstests/ssl/ssl_without_ca.js
@@ -1,7 +1,3 @@
-// Must turn these off so we don't have CA file supplied automatically.
-TestData.usex509 = false;
-TestData.useSSL = false;
-
var SERVER_CERT = "jstests/libs/server.pem";
var CLIENT_CERT = "jstests/libs/client.pem";
var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client";
diff --git a/jstests/ssl/upgrade_to_ssl.js b/jstests/ssl/upgrade_to_ssl.js
index e43162246a2..802e99d9eeb 100644
--- a/jstests/ssl/upgrade_to_ssl.js
+++ b/jstests/ssl/upgrade_to_ssl.js
@@ -7,13 +7,14 @@
* and therefore cannot test modes that do not allow ssl.
*/
-// If we are running in use-x509 passthrough mode, turn it off
-// since it is not necessary for this test.
-TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js");
// "sslAllowInvalidCertificates" is enabled to avoid hostname conflicts with our testing certs
-opts = {sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: ""};
+var opts = {sslMode:"allowSSL",
+ sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates: "",
+ sslAllowConnectionsWithoutCertificates: "",
+ sslCAFile: "jstests/libs/ca.pem"};
var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : opts });
rst.startSet();
rst.initiate();
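Review bot: The comment above `opts` explains only `sslAllowInvalidCertificates`, while the newly added `sslAllowConnectionsWithoutCertificates: ""` is left unexplained. The servers.js block removed by this commit set the older alias of that option with the remark that it was needed for this test, so that remark should move here, e.g. `// "sslAllowConnectionsWithoutCertificates" used to be injected by MongoRunner for this test (SERVER-17450); it is now set explicitly`. Because the later hunks reuse `opts` for the preferSSL and requireSSL stages, both relaxations stay in force after the upgrade, which is worth stating so the options are not copied as a deployment example.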
@@ -23,7 +24,8 @@ rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"});
assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet");
print("===== UPGRADE allowSSL -> preferSSL =====");
-rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: ""});
+opts.sslMode = "preferSSL";
+rst.upgradeSet(opts);
var rstConn2 = rst.getMaster();
rstConn2.getDB("test").a.insert({a:2, str:"CHECKCHECK"});
assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet");
@@ -33,7 +35,8 @@ var canConnectNoSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--eval",
assert.eq(0, canConnectNoSSL, "non-SSL Connection attempt failed when it should succeed");
print("===== UPGRADE preferSSL -> requireSSL =====");
-rst.upgradeSet({sslMode:"requireSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: ""});
+opts.sslMode = "requireSSL";
+rst.upgradeSet(opts);
var rstConn3 = rst.getMaster();
rstConn3.getDB("test").a.insert({a:3, str:"GREENEGGSANDHAM"});
assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
diff --git a/jstests/ssl/upgrade_to_x509_ssl.js b/jstests/ssl/upgrade_to_x509_ssl.js
index c80cbf677aa..a7f8b571d29 100644
--- a/jstests/ssl/upgrade_to_x509_ssl.js
+++ b/jstests/ssl/upgrade_to_x509_ssl.js
@@ -14,9 +14,6 @@ function authAllNodes() {
}
};
-// If we are running in use-x509 passthrough mode, turn it off
-// since it is not necessary for this test.
-TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js");
opts = {sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT,
diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js
index c2329554e3f..c2c15f7b567 100644
--- a/jstests/ssl/x509_client.js
+++ b/jstests/ssl/x509_client.js
@@ -1,10 +1,9 @@
-// If we are running in use-x509 passthrough mode, turn it off or else the auth
-// part of this test will not work correctly
-
-TestData.useX509 = false;
-
// Check if this build supports the authenticationMechanisms startup parameter.
-var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" });
+var conn = MongoRunner.runMongod({smallfiles: "",
+ auth: "",
+ sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem"});
conn.getDB('admin').createUser({user: "root", pwd: "pass", roles: ["root"]});
conn.getDB('admin').auth("root", "pass");
var cmdOut = conn.getDB('admin').runCommand({getParameter: 1, authenticationMechanisms: 1})
@@ -50,19 +49,16 @@ function authAndTest(mongo) {
}
print("1. Testing x.509 auth to mongod");
-var mongo = MongoRunner.runMongod({port : port,
- sslMode : "requireSSL",
- sslPEMKeyFile : SERVER_CERT,
- sslCAFile : CA_CERT,
- auth:""});
+var x509_options = {sslMode : "requireSSL",
+ sslPEMKeyFile : SERVER_CERT,
+ sslCAFile : CA_CERT};
+
+var mongo = MongoRunner.runMongod(Object.merge(x509_options, {port: port, auth: ""}));
authAndTest(mongo);
-stopMongod(port);
+MongoRunner.stopMongod(port);
print("2. Testing x.509 auth to mongos");
-var x509_options = {sslMode : "requireSSL",
- sslPEMKeyFile : SERVER_CERT,
- sslCAFile : CA_CERT};
var st = new ShardingTest({ shards : 1,
mongos : 1,
@@ -70,6 +66,7 @@ var st = new ShardingTest({ shards : 1,
extraOptions : {"keyFile" : "jstests/libs/key1"},
configOptions : x509_options,
mongosOptions : x509_options,
+ shardOptions : x509_options,
}});
authAndTest(new Mongo("localhost:" + st.s0.port))
diff --git a/jstests/sslSpecial/set_parameter_nossl.js b/jstests/sslSpecial/set_parameter_nossl.js
index 825ce05fd8e..0b5e72dd4fb 100644
--- a/jstests/sslSpecial/set_parameter_nossl.js
+++ b/jstests/sslSpecial/set_parameter_nossl.js
@@ -17,7 +17,7 @@ function testTransition(newSSLMode, newClusterAuthMode) {
var res = adminDB.runCommand({ "setParameter" : 1,
"clusterAuthMode" : newClusterAuthMode });
assert(!res["ok"]);
- stopMongod(port);
+ MongoRunner.stopMongod(port);
}
testTransition("allowSSL", "sendKeyFile");
diff --git a/jstests/sslSpecial/ssl_mixedmode.js b/jstests/sslSpecial/ssl_mixedmode.js
index 8ed3c276b3a..701c5ea10d7 100644
--- a/jstests/sslSpecial/ssl_mixedmode.js
+++ b/jstests/sslSpecial/ssl_mixedmode.js
@@ -44,7 +44,7 @@ function testCombination(sslMode, sslShell, shouldSucceed) {
assert.eq(1, mongo, "Connection attempt succeeded when it should fail sslMode:" +
sslMode + " SSL-shell:" + sslShell);
}
- stopMongod(port);
+ MongoRunner.stopMongod(port);
}
testCombination("disabled", false, true);
diff --git a/src/mongo/shell/mongo.js b/src/mongo/shell/mongo.js
index c5384166677..043c254c29d 100644
--- a/src/mongo/shell/mongo.js
+++ b/src/mongo/shell/mongo.js
@@ -34,7 +34,7 @@ Mongo.prototype.getSlaveOk = function() {
}
Mongo.prototype.getDB = function( name ){
- if ((jsTest.options().keyFile || jsTest.options().useX509) &&
+ if ((jsTest.options().keyFile) &&
((typeof this.authenticated == 'undefined') || !this.authenticated)) {
jsTest.authenticate(this)
}
diff --git a/src/mongo/shell/mongodtest.js b/src/mongo/shell/mongodtest.js
index a8a5e04b5a2..0a05f377d9c 100644
--- a/src/mongo/shell/mongodtest.js
+++ b/src/mongo/shell/mongodtest.js
@@ -34,17 +34,6 @@ startMongodTest = function (port, dirname, restart, extraOptions) {
options["auth"] = "";
if(jsTestOptions().keyFile && (!extraOptions || !extraOptions['keyFile']))
options['keyFile'] = jsTestOptions().keyFile
- if(jsTestOptions().useSSL) {
- if (!options["sslMode"])
- options["sslMode"] = "requireSSL";
- if (!options["sslPEMKeyFile"])
- options["sslPEMKeyFile"] = "jstests/libs/server.pem";
- if (!options["sslCAFile"])
- options["sslCAFile"] = "jstests/libs/ca.pem";
- options["sslWeakCertificateValidation"] = "";
- }
- if (jsTestOptions().useX509 && !options["clusterAuthMode"])
- options["clusterAuthMode"] = "x509";
if (extraOptions)
Object.extend(options , extraOptions);
diff --git a/src/mongo/shell/replsettest.js b/src/mongo/shell/replsettest.js
index f3a923b95b0..3604f099e18 100644
--- a/src/mongo/shell/replsettest.js
+++ b/src/mongo/shell/replsettest.js
@@ -460,8 +460,7 @@ ReplSetTest.prototype.initiate = function( cfg , initCmd , timeout ) {
this.awaitSecondaryNodes(timeout);
// Setup authentication if running test with authentication
- if ((jsTestOptions().keyFile || jsTestOptions().useX509) &&
- cmdKey == 'replSetInitiate') {
+ if ((jsTestOptions().keyFile) && cmdKey == 'replSetInitiate') {
master = this.getMaster();
jsTest.authenticateNodes(this.nodes);
}
@@ -731,7 +730,7 @@ ReplSetTest.prototype.restart = function( n , options, signal, wait ){
this.stop(n, signal, options);
started = this.start( n , options , true, wait );
- if (jsTestOptions().keyFile || jsTestOptions().useX509) {
+ if (jsTestOptions().keyFile) {
if (started.length) {
// if n was an array of conns, start will return an array of connections
for (var i = 0; i < started.length; i++) {
diff --git a/src/mongo/shell/servers.js b/src/mongo/shell/servers.js
index 52defda408c..6c487edb20e 100755
--- a/src/mongo/shell/servers.js
+++ b/src/mongo/shell/servers.js
@@ -423,23 +423,7 @@ MongoRunner.mongoOptions = function( opts ){
// Default for waitForConnect is true
opts.waitForConnect = (waitForConnect == undefined || waitForConnect == null) ?
true : waitForConnect;
-
- if( jsTestOptions().useSSL ) {
- if (!opts.sslMode) opts.sslMode = "requireSSL";
- if (!opts.sslPEMKeyFile) opts.sslPEMKeyFile = "jstests/libs/server.pem";
- if (!opts.sslCAFile) opts.sslCAFile = "jstests/libs/ca.pem";
-
- // Needed for jstest/ssl/upgrade_to_ssl.js
- opts.sslWeakCertificateValidation = "";
-
- // Needed for jstest/ssl/ssl_hostname_validation.js
- opts.sslAllowInvalidHostnames = "";
- }
- if ( jsTestOptions().useX509 && !opts.clusterAuthMode ) {
- opts.clusterAuthMode = "x509";
- }
-
opts.port = opts.port || MongoRunner.nextOpenPort()
MongoRunner.usedPortMap[ "" + parseInt( opts.port ) ] = true
@@ -493,22 +477,6 @@ MongoRunner.mongodOptions = function( opts ){
opts.keyFile = jsTestOptions().keyFile
}
- if( jsTestOptions().useSSL ) {
- if (!opts.sslMode) opts.sslMode = "requireSSL";
- if (!opts.sslPEMKeyFile) opts.sslPEMKeyFile = "jstests/libs/server.pem";
- if (!opts.sslCAFile) opts.sslCAFile = "jstests/libs/ca.pem";
-
- // Needed for jstest/ssl/upgrade_to_ssl.js
- opts.sslWeakCertificateValidation = "";
-
- // Needed for jstest/ssl/ssl_hostname_validation.js
- opts.sslAllowInvalidHostnames = "";
- }
-
- if ( jsTestOptions().useX509 && !opts.clusterAuthMode ) {
- opts.clusterAuthMode = "x509";
- }
-
if( opts.noReplSet ) opts.replSet = null
if( opts.arbiter ) opts.oplogSize = 1
diff --git a/src/mongo/shell/servers_misc.js b/src/mongo/shell/servers_misc.js
index 2a652ce8662..8c338e8285b 100644
--- a/src/mongo/shell/servers_misc.js
+++ b/src/mongo/shell/servers_misc.js
@@ -163,26 +163,6 @@ ReplTest.prototype.getOptions = function( master , extra , putBinaryFirst, norep
a.push( jsTestOptions().keyFile )
}
- if( jsTestOptions().useSSL ) {
- if (!a.contains("--sslMode")) {
- a.push( "--sslMode" )
- a.push( "requireSSL" )
- }
- if (!a.contains("--sslPEMKeyFile")) {
- a.push( "--sslPEMKeyFile" )
- a.push( "jstests/libs/server.pem" )
- }
- if (!a.contains("--sslCAFile")) {
- a.push( "--sslCAFile" )
- a.push( "jstests/libs/ca.pem" )
- }
- a.push( "--sslWeakCertificateValidation" )
- }
- if( jsTestOptions().useX509 && !a.contains("--clusterAuthMode")) {
- a.push( "--clusterAuthMode" )
- a.push( "x509" )
- }
-
if ( !norepl ) {
if ( master ){
a.push( "--master" );
@@ -218,7 +198,7 @@ ReplTest.prototype.start = function( master , options , restart, norepl ){
return conn;
} else {
var conn = startMongod.apply(null, o);
- if (jsTestOptions().keyFile || jsTestOptions().auth || jsTestOptions().useX509) {
+ if (jsTestOptions().keyFile || jsTestOptions().auth) {
jsTest.authenticate(conn);
}
if (!master) {
@@ -331,14 +311,6 @@ function startParallelShell( jsCode, port, noConnect ){
args.push("--port", port);
}
- if( jsTestOptions().useSSL ) {
- args.push( "--ssl" )
- args.push( "--sslPEMKeyFile" )
- args.push( "jstests/libs/client.pem" )
- args.push( "--sslCAFile" )
- args.push( "jstests/libs/ca.pem" )
- }
-
x = startMongoProgramNoConnect.apply(null, args);
return function(){
return waitProgram( x );
diff --git a/src/mongo/shell/shardingtest.js b/src/mongo/shell/shardingtest.js
index 2396e6df790..04b1cf3096b 100644
--- a/src/mongo/shell/shardingtest.js
+++ b/src/mongo/shell/shardingtest.js
@@ -424,7 +424,7 @@ ShardingTest = function( testName , numShards , verboseLevel , numMongos , other
);
}
- if (jsTestOptions().keyFile || jsTestOptions().useX509) {
+ if (jsTestOptions().keyFile) {
jsTest.authenticate( this._configConnection );
jsTest.authenticateNodes( this._configServers );
jsTest.authenticateNodes( this._mongos );
diff --git a/src/mongo/shell/utils.js b/src/mongo/shell/utils.js
index e61e3c7f4ff..694a5a10709 100644
--- a/src/mongo/shell/utils.js
+++ b/src/mongo/shell/utils.js
@@ -157,9 +157,7 @@ jsTestOptions = function(){
authPassword : TestData.keyFileData,
authMechanism : TestData.authMechanism,
adminUser : TestData.adminUser || "admin",
- adminPassword : TestData.adminPassword || "password",
- useSSL : TestData.useSSL,
- useX509 : TestData.useX509});
+ adminPassword : TestData.adminPassword || "password"});
}
return _jsTestOptions;
}
@@ -195,7 +193,7 @@ jsTest.randomize = function( seed ) {
}
jsTest.authenticate = function(conn) {
- if (!jsTest.options().auth && !jsTest.options().keyFile && !jsTest.options().useX509) {
+ if (!jsTest.options().auth && !jsTest.options().keyFile) {
conn.authenticated = true;
return true;
}