authorGabriel Marks <gabriel.marks@mongodb.com>2022-04-19 15:06:25 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-04-26 19:49:27 +0000
commit08f44d0fbeb72dbb0a9af8a41e59029bd8bf6df6 (patch)
tree928e899509fc1fc999936a179868c447fefbfada
parent72560925f44955eb39f544df134d83ef271bd0f8 (diff)
SERVER-63155 Re-enable ssl_cert_selector_apple.js
-rw-r--r--buildscripts/resmokeconfig/suites/ssl.yml3
-rw-r--r--jstests/ssl/ssl_cert_selector_apple.js27
2 files changed, 19 insertions, 11 deletions
diff --git a/buildscripts/resmokeconfig/suites/ssl.yml b/buildscripts/resmokeconfig/suites/ssl.yml
index ad69669e8fc..e662c5710cd 100644
--- a/buildscripts/resmokeconfig/suites/ssl.yml
+++ b/buildscripts/resmokeconfig/suites/ssl.yml
@@ -4,9 +4,6 @@ selector:
roots:
- jstests/ssl/*.js
- src/mongo/db/modules/*/jstests/fips/*.js
- exclude_files:
- # TODO SERVER-63155 Re-enable this test.
- - jstests/ssl/ssl_cert_selector_apple.js
# ssl tests start their own mongod's.
executor:
diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js
index 7e059316095..dd3d2e5912f 100644
--- a/jstests/ssl/ssl_cert_selector_apple.js
+++ b/jstests/ssl/ssl_cert_selector_apple.js
@@ -15,9 +15,9 @@ requireSSLProvider('apple', function() {
'use strict';
const CLIENT =
- 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Client';
+ 'CN=Trusted Kernel Test Client,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US';
const SERVER =
- 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Server';
+ 'CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US';
const INVALID = null;
function getCertificateSHA1BySubject(subject) {
@@ -34,16 +34,20 @@ requireSSLProvider('apple', function() {
const searchIdx = out.indexOf(kSearchStr);
assert.neq(searchIdx, -1, "SHA-1 hash not found in command output!");
- return out.substr(searchIdx + searchStr.length, kHashHexitLen);
+ return out.substr(searchIdx + kSearchStr.length, kHashHexitLen);
}
// Using the thumbprint of the certificate stored in the keychain should always work as a
- // selector.
- const trusted_server_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Server");
- const trusted_client_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Client");
+ // selector. Uppercase everything so we don't fail on unmatching case.
+ const trusted_server_thumbprint =
+ getCertificateSHA1BySubject("Trusted Kernel Test Server").toUpperCase();
+ const trusted_client_thumbprint =
+ getCertificateSHA1BySubject("Trusted Kernel Test Client").toUpperCase();
- const expected_server_thumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1");
- const expected_client_thumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1");
+ const expected_server_thumbprint =
+ cat("jstests/libs/trusted-server.pem.digest.sha1").toUpperCase();
+ const expected_client_thumbprint =
+ cat("jstests/libs/trusted-client.pem.digest.sha1").toUpperCase();
// If we fall into this case, our trusted certificates are not installed on the machine's
// certificate keychain. This probably means that certificates have just been renewed, but have
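Review bot: The string returned by `getCertificateSHA1BySubject` is never checked to be a complete hex digest: `out.substr(searchIdx + kSearchStr.length, kHashHexitLen)` returns whatever follows the marker, and a short or non-hex value only surfaces in the later thumbprint comparison, which the trailing comment treats as "certificates are not installed". Adding `assert(/^[0-9A-Fa-f]+$/.test(hash) && hash.length === kHashHexitLen, "malformed SHA-1 in command output: " + hash);` before the return would make a parsing drift fail loudly instead of looking like a stale keychain. The `cat(...)` results are upper-cased but not trimmed, so if the digest files end in a newline the comparison would still differ; `.trim().toUpperCase()` would cover that, assuming the files hold only the digest. The function begins above this hunk and the comparison itself lies below it.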
@@ -103,8 +107,15 @@ requireSSLProvider('apple', function() {
}
}
+ // Test each possible combination of server/cluster certificate selectors. Make sure we only use
+ // the trusted-server certificate as the server certificate, and only use the trusted-client
+ // certificate as the cluster certificate.
testCases.forEach(cert => {
+ if (cert.name === CLIENT)
+ return;
testCases.forEach(cluster => {
+ if (cluster.name === SERVER)
+ return;
test(cert, cluster);
});
});
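Review bot: The two added early returns skip every pairing where the client certificate is the server certificate or the server certificate is the cluster certificate, and the new comment says that they are skipped but not why. If those pairings are expected to be rejected, keeping them as negative cases that assert the failure would retain coverage of certificate-role misuse; if they are skipped because of an environment limitation, the comment should record it, e.g. `// Skipped: <reason>; see SERVER-63155`. The `if` bodies are also written without braces; `if (cert.name === CLIENT) { return; }` is safer against later edits. `testCases` and `test` are defined outside the hunk, so whether every entry's `name` holds one of these subject strings cannot be confirmed here.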