authorShreyas Kalyan <shreyas.kalyan@10gen.com>2020-02-04 17:47:00 -0500
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-02-13 22:40:49 +0000
commit9f8ee9c62357b872788884a417dbed2812235325 (patch)
tree6661c3f75aab8b4c4b89d8015223ecdbe4b53214 /jstests/ocsp
parentea7294598dc4621245739da201c0aeaf11aaf957 (diff)
SERVER-42938 Implement Infrastructure for Provisioning and Refreshing OCSP Responses in the Server
create mode 100644 jstests/ocsp/ocsp_server_refresh.js
Diffstat (limited to 'jstests/ocsp')
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js8
-rw-r--r--jstests/ocsp/lib/ocsp_mock.py6
-rw-r--r--jstests/ocsp/ocsp_basic.js7
-rw-r--r--jstests/ocsp/ocsp_server_refresh.js64
-rw-r--r--jstests/ocsp/ocsp_stapling.js7
5 files changed, 81 insertions, 11 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 00de55e3c86..40845ed2615 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -16,8 +16,9 @@ class MockOCSPServer {
* Create a new OCSP Server.
*
* @param {string} fault_type
+ * @param {number} next_update_secs
*/
- constructor(fault_type) {
+ constructor(fault_type, next_update_secs) {
this.python = "python3";
this.fault_type = fault_type;
@@ -32,6 +33,7 @@ class MockOCSPServer {
// The port must be hard coded to match the port of the
// responder in the certificates.
this.port = 8100;
+ this.next_update_secs = next_update_secs;
}
start() {
@@ -50,6 +52,10 @@ class MockOCSPServer {
args.push("--fault=" + this.fault_type);
}
+ if (this.next_update_secs) {
+ args.push("--next_update_seconds=" + this.next_update_secs);
+ }
+
this.pid = _startMongoProgram({args: args});
assert(checkProgram(this.pid).alive);
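Review bot: The new guard `if (this.next_update_secs)` is a truthiness test, so a caller passing `0` is silently treated as "not set" and the responder falls back to its own default instead of the value the test asked for. Only an omitted value should be skipped: `if (this.next_update_secs != null) {`. Since the value is interpolated straight into a command-line argument, a non-integer would only surface as the mock process failing to start, which the existing `assert(checkProgram(this.pid).alive)` catches but with no hint as to why; an `assert(Number.isInteger(this.next_update_secs), ...)` before the push would name the cause. `start()` begins outside the hunk.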
diff --git a/jstests/ocsp/lib/ocsp_mock.py b/jstests/ocsp/lib/ocsp_mock.py
index 3ad31193890..a1bc9af104c 100644
--- a/jstests/ocsp/lib/ocsp_mock.py
+++ b/jstests/ocsp/lib/ocsp_mock.py
@@ -26,14 +26,16 @@ def main():
parser.add_argument('--ocsp_responder_key', type=str, required=True, help="OCSP Responder Keyfile")
- parser.add_argument('--fault', choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN], type=str, help="Specify a specific fault to test")
+ parser.add_argument('--fault', choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN, None], default=None, type=str, help="Specify a specific fault to test")
+
+ parser.add_argument('--next_update_seconds', type=int, default=32400, help="Specify how long the OCSP response should be valid for")
args = parser.parse_args()
if args.verbose:
logging.basicConfig(level=logging.DEBUG)
print('Initializing OCSP Responder')
- app = mock_ocsp_responder.OCSPResponder(args.ca_file, args.ocsp_responder_cert, args.ocsp_responder_key, args.fault)
+ app = mock_ocsp_responder.OCSPResponder(issuer_cert=args.ca_file, responder_cert=args.ocsp_responder_cert, responder_key=args.ocsp_responder_key, fault=args.fault, next_update_seconds=args.next_update_seconds)
if args.verbose:
app.serve(args.port, debug=True)
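Review bot: Adding `None` to the `choices` list on the changed `--fault` `add_argument` line has no effect: with `type=str` every value given on the command line is a string and can never compare equal to `None`, and argparse does not check the `default` against `choices`, so `default=None` alone already yields the intended "no fault" behaviour; the only visible consequence is `None` appearing in the help text's choice list. Drop it: `parser.add_argument('--fault', choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN], default=None, type=str, help="Specify a specific fault to test")`. `--next_update_seconds` also accepts zero and negative values; if an already-expired response is not a case this mock is meant to serve, a validating `type=` callable would reject it at parse time rather than producing a response whose nextUpdate precedes thisUpdate. `main()` starts outside the hunk.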
diff --git a/jstests/ocsp/ocsp_basic.js b/jstests/ocsp/ocsp_basic.js
index f3b946e235b..ab9439fcc67 100644
--- a/jstests/ocsp/ocsp_basic.js
+++ b/jstests/ocsp/ocsp_basic.js
@@ -41,10 +41,9 @@ assert.throws(() => {
MongoRunner.stopMongod(conn);
-// The mongoRunner spawns a shell to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms.
-// We need this sleep to make sure that the threads don't interfere with
-// each other.
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
sleep(1000);
mock_ocsp.stop();
}()); \ No newline at end of file
diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js
new file mode 100644
index 00000000000..61884fb5f2b
--- /dev/null
+++ b/jstests/ocsp/ocsp_server_refresh.js
@@ -0,0 +1,64 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() != "openssl") {
+ return;
+}
+
+if (!supportsStapling()) {
+ return;
+}
+
+let mock_ocsp = new MockOCSPServer("", 20);
+mock_ocsp.start();
+
+const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_CERT,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "ocspEnabled": "true",
+ },
+};
+
+let conn = null;
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+
+mock_ocsp.stop();
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000);
+mock_ocsp.start();
+
+// We're sleeping here to give the server enough time to fetch a new OCSP response
+// saying that it's revoked.
+sleep(15000);
+
+assert.throws(() => {
+ new Mongo(conn.host);
+});
+
+mock_ocsp.stop();
+mock_ocsp = new MockOCSPServer("", 1000);
+mock_ocsp.start();
+
+// This ensures that the client was viewing a stapled response.
+assert.throws(() => {
+ new Mongo(conn.host);
+});
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}()); \ No newline at end of file
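Review bot: Both `assert.throws(() => { new Mongo(conn.host); })` calls accept any exception, so the test also passes if mongod has exited or stopped accepting connections during the 15-second sleep rather than because the stapled response now says revoked, which is the property the file is meant to check. The shell's `assert.throws` returns the caught error, so capture it and pin the cause: `const err = assert.throws(() => new Mongo(conn.host));` followed by an assertion on `err.message` (the exact revocation wording has to come from the server's error text, which this hunk does not show). The fixed `sleep(15000)` encodes an unstated assumption about when the server refreshes relative to the 20-second `next_update_secs` given to the first mock; either state that relationship in the comment above it or replace the sleep with an `assert.soon` that polls until `new Mongo(conn.host)` fails, which tolerates slow hosts. Minor: `determineSSLProvider() != "openssl"` should use `!==`.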
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 207c873d11a..b1162b5bff2 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -72,10 +72,9 @@ assert.throws(() => {
MongoRunner.stopMongod(conn);
-// The mongoRunner spawns a shell to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms.
-// We need this sleep to make sure that the threads don't interfere with
-// each other.
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
sleep(1000);
mock_ocsp.stop();
}()); \ No newline at end of file