author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2020-02-04 17:47:00 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-02-13 22:40:49 +0000 |
commit | 9f8ee9c62357b872788884a417dbed2812235325 (patch) | |
tree | 6661c3f75aab8b4c4b89d8015223ecdbe4b53214 /jstests/ocsp | |
parent | ea7294598dc4621245739da201c0aeaf11aaf957 (diff) | |
SERVER-42938 Implement Infrastructure for Provisioning and Refreshing OCSP Responses in the Server
create mode 100644 jstests/ocsp/ocsp_server_refresh.js
Diffstat (limited to 'jstests/ocsp')
-rw-r--r-- | jstests/ocsp/lib/mock_ocsp.js | 8 | ||||
-rw-r--r-- | jstests/ocsp/lib/ocsp_mock.py | 6 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_basic.js | 7 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_server_refresh.js | 64 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_stapling.js | 7 |
5 files changed, 81 insertions, 11 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 00de55e3c86..40845ed2615 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -16,8 +16,9 @@ class MockOCSPServer {
      * Create a new OCSP Server.
      *
      * @param {string} fault_type
+     * @param {number} next_update_secs
      */
-    constructor(fault_type) {
+    constructor(fault_type, next_update_secs) {
         this.python = "python3";
         this.fault_type = fault_type;
 
@@ -32,6 +33,7 @@ class MockOCSPServer {
         // The port must be hard coded to match the port of the
         // responder in the certificates.
         this.port = 8100;
+        this.next_update_secs = next_update_secs;
     }
 
     start() {
@@ -50,6 +52,10 @@ class MockOCSPServer {
             args.push("--fault=" + this.fault_type);
         }
 
+        if (this.next_update_secs) {
+            args.push("--next_update_seconds=" + this.next_update_secs);
+        }
+
         this.pid = _startMongoProgram({args: args});
         assert(checkProgram(this.pid).alive);
 
diff --git a/jstests/ocsp/lib/ocsp_mock.py b/jstests/ocsp/lib/ocsp_mock.py
index 3ad31193890..a1bc9af104c 100644
--- a/jstests/ocsp/lib/ocsp_mock.py
+++ b/jstests/ocsp/lib/ocsp_mock.py
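Review bot: `if (this.next_update_secs)` in the third hunk is a truthiness test, so a caller that passes 0 to get a response that is already expired (a natural input for refresh tests) is silently dropped and the Python responder falls back to its own default (32400 seconds in this commit's ocsp_mock.py). Prefer `if (this.next_update_secs != null) {` so that only an omitted argument falls through, and document that contract in the constructor JSDoc added in the first hunk: `@param {number} [next_update_secs] - lifetime of the mock responses in seconds; when omitted the responder's default applies`. Nothing in the class checks that the value is a number before it is concatenated into the argument, so a non-numeric string would reach argparse and only fail when the responder starts. start() begins and ends outside the hunk.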
@@ -26,14 +26,16 @@ def main():
     parser.add_argument('--ocsp_responder_key', type=str, required=True, help="OCSP Responder Keyfile")
 
-    parser.add_argument('--fault', choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN], type=str, help="Specify a specific fault to test")
+    parser.add_argument('--fault', choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN, None], default=None, type=str, help="Specify a specific fault to test")
+
+    parser.add_argument('--next_update_seconds', type=int, default=32400, help="Specify how long the OCSP response should be valid for")
 
     args = parser.parse_args()
 
     if args.verbose:
         logging.basicConfig(level=logging.DEBUG)
 
     print('Initializing OCSP Responder')
-    app = mock_ocsp_responder.OCSPResponder(args.ca_file, args.ocsp_responder_cert, args.ocsp_responder_key, args.fault)
+    app = mock_ocsp_responder.OCSPResponder(issuer_cert=args.ca_file, responder_cert=args.ocsp_responder_cert, responder_key=args.ocsp_responder_key, fault=args.fault, next_update_seconds=args.next_update_seconds)
 
     if args.verbose:
         app.serve(args.port, debug=True)
diff --git a/jstests/ocsp/ocsp_basic.js b/jstests/ocsp/ocsp_basic.js
index f3b946e235b..ab9439fcc67 100644
--- a/jstests/ocsp/ocsp_basic.js
+++ b/jstests/ocsp/ocsp_basic.js
@@ -41,10 +41,9 @@ assert.throws(() => {
 
 MongoRunner.stopMongod(conn);
 
-// The mongoRunner spawns a shell to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms.
-// We need this sleep to make sure that the threads don't interfere with
-// each other.
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
 sleep(1000);
 mock_ocsp.stop();
 }());
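Review bot: `None` in the new `--fault` choices list is dead: argparse validates choices only when the option is present on the command line, and a present value has been converted by `type=str`, so it can never equal `None`, while the omitted case is already handled by `default=None`. `choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN], default=None, type=str` states the intent without the misleading entry. `--next_update_seconds` accepts any int, including zero and negatives, which presumably produces a response whose validity has already ended when it is served; if that is meant to be usable from tests, say so in the help text, otherwise reject values below 1 with a small `type=` validator. main() continues outside the hunk.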
\ No newline at end of file
diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js
new file mode 100644
index 00000000000..61884fb5f2b
--- /dev/null
+++ b/jstests/ocsp/ocsp_server_refresh.js
@@ -0,0 +1,64 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() != "openssl") {
+    return;
+}
+
+if (!supportsStapling()) {
+    return;
+}
+
+let mock_ocsp = new MockOCSPServer("", 20);
+mock_ocsp.start();
+
+const ocsp_options = {
+    sslMode: "requireSSL",
+    sslPEMKeyFile: OCSP_SERVER_CERT,
+    sslCAFile: OCSP_CA_CERT,
+    sslAllowInvalidHostnames: "",
+    setParameter: {
+        "ocspEnabled": "true",
+    },
+};
+
+let conn = null;
+
+assert.doesNotThrow(() => {
+    conn = MongoRunner.runMongod(ocsp_options);
+});
+
+mock_ocsp.stop();
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000);
+mock_ocsp.start();
+
+// We're sleeping here to give the server enough time to fetch a new OCSP response
+// saying that it's revoked.
+sleep(15000);
+
+assert.throws(() => {
+    new Mongo(conn.host);
+});
+
+mock_ocsp.stop();
+mock_ocsp = new MockOCSPServer("", 1000);
+mock_ocsp.start();
+
+// This ensures that the client was viewing a stapled response.
+assert.throws(() => {
+    new Mongo(conn.host);
+});
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}());
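Review bot: Both `assert.throws(() => { new Mongo(conn.host); })` checks pass on any connection failure, so a mongod that died during the refresh, or a TLS error unrelated to OCSP, is indistinguishable from the intended "stapled response says revoked" outcome; catch the error in a try/catch and assert that its message refers to the revoked/OCSP status before the test is treated as green. The fixed `sleep(15000)` is also shorter than the 20-second lifetime given to the first responder, so whether the server has refreshed by then depends on refresh scheduling that this diff does not show; polling with `assert.soon` until the connection is rejected would make the intent explicit and the test less timing-dependent. The header comment `// Check that OCSP verification works` is shared with the other OCSP tests and could say what is specific here: `// Check that the server refreshes its stapled OCSP response and serves the new status to clients`. Minor style: `determineSSLProvider() != "openssl"` should be `!==`.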
\ No newline at end of file
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 207c873d11a..b1162b5bff2 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -72,10 +72,9 @@ assert.throws(() => {
 
 MongoRunner.stopMongod(conn);
 
-// The mongoRunner spawns a shell to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms.
-// We need this sleep to make sure that the threads don't interfere with
-// each other.
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
 sleep(1000);
 mock_ocsp.stop();
 }());
\ No newline at end of file |