author | Erwin Pe <erwin.pe@mongodb.com> | 2021-08-17 01:07:55 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-08-17 01:37:24 +0000 |
commit | fef0c3a59f8f84b143dd31e48fbd70890998cf89 (patch) | |
tree | 4ffe0a02131d26a0034e2d5ce5e7864c7e325836 /jstests/ocsp | |
parent | 0028db3e9c096e2196e66b1181f5e3c33cc435a3 (diff) | |
SERVER-47804 On Windows, warn user about slow OCSP responses
Diffstat (limited to 'jstests/ocsp')
-rw-r--r-- | jstests/ocsp/lib/mock_ocsp.js | 12 | ||||
-rw-r--r-- | jstests/ocsp/lib/ocsp_mock.py | 4 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_slow_responder.js | 47 |
3 files changed, 60 insertions, 3 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js index 1896b2943c0..9d8d166cb9f 100644 --- a/jstests/ocsp/lib/mock_ocsp.js +++ b/jstests/ocsp/lib/mock_ocsp.js @@ -40,7 +40,10 @@ class MockOCSPServer { * @param {number} next_update_secs * @param {object} responder_certificate_set */ - constructor(fault_type, next_update_secs, responder_certificate_set = OCSP_DELEGATE_RESPONDER) { + constructor(fault_type, + next_update_secs, + responder_certificate_set = OCSP_DELEGATE_RESPONDER, + response_delay_secs = 0) { this.python = "python3"; this.fault_type = fault_type; @@ -57,6 +60,7 @@ class MockOCSPServer { // responder in the certificates. this.port = 8100; this.next_update_secs = next_update_secs; + this.response_delay_secs = response_delay_secs; } start() { @@ -68,7 +72,7 @@ class MockOCSPServer { "-p=" + this.port, "--ca_file=" + this.ca_file, "--ocsp_responder_cert=" + this.ocsp_cert_file, - "--ocsp_responder_key=" + this.ocsp_cert_key + "--ocsp_responder_key=" + this.ocsp_cert_key, ]; if (this.fault_type) { @@ -79,6 +83,10 @@ class MockOCSPServer { args.push("--next_update_seconds=" + this.next_update_secs); } + if (this.response_delay_secs) { + args.push("--response_delay_seconds=" + this.response_delay_secs); + } + clearRawMongoProgramOutput(); this.pid = _startMongoProgram({args: args}); diff --git a/jstests/ocsp/lib/ocsp_mock.py b/jstests/ocsp/lib/ocsp_mock.py index 78a5313efe1..afc0ab4d074 100644 --- a/jstests/ocsp/lib/ocsp_mock.py +++ b/jstests/ocsp/lib/ocsp_mock.py 
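Review bot: The JSDoc block above the constructor is not updated for the new fourth parameter; its `@param {number} next_update_secs` and `@param {object} responder_certificate_set` lines are visible as context in the first hunk. I would add ` * @param {number} response_delay_secs - whole seconds the mock responder waits before answering; 0 means no delay` so callers know the unit and the default. The doc comment starts above the hunk, so its earlier lines are not visible here.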
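Review bot: In `start()` (last hunk of this file) the new guard `if (this.response_delay_secs)` forwards any truthy value, while `ocsp_mock.py` declares `--response_delay_seconds` with `type=int`. A fractional or non-numeric delay would therefore be rejected by argparse, and the mock responder would presumably never come up, which the calling test would see only as an OCSP failure. Tightening the guard to `if (Number.isInteger(this.response_delay_secs) && this.response_delay_secs > 0)`, or asserting the same in the constructor, would surface the mistake at the call site. `start()` continues outside the hunk.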
@@ -32,12 +32,14 @@ def main(): parser.add_argument('--next_update_seconds', type=int, default=32400, help="Specify how long the OCSP response should be valid for") + parser.add_argument('--response_delay_seconds', type=int, default=0, help="Delays the response by this number of seconds") + args = parser.parse_args() if args.verbose: logging.basicConfig(level=logging.DEBUG) print('Initializing OCSP Responder') - mock_ocsp_responder.init_responder(issuer_cert=args.ca_file, responder_cert=args.ocsp_responder_cert, responder_key=args.ocsp_responder_key, fault=args.fault, next_update_seconds=args.next_update_seconds) + mock_ocsp_responder.init_responder(issuer_cert=args.ca_file, responder_cert=args.ocsp_responder_cert, responder_key=args.ocsp_responder_key, fault=args.fault, next_update_seconds=args.next_update_seconds, response_delay_seconds=args.response_delay_seconds) mock_ocsp_responder.init(port=args.port, debug=args.verbose, host=args.bind_ip) diff --git a/jstests/ocsp/ocsp_slow_responder.js b/jstests/ocsp/ocsp_slow_responder.js new file mode 100644 index 00000000000..6bc1ccce826 --- /dev/null +++ b/jstests/ocsp/ocsp_slow_responder.js 
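Review bot: `--response_delay_seconds` is parsed with `type=int` and passed straight to `init_responder` with no lower bound, so a negative value reaches the responder unchecked; how the responder treats it is not visible in this hunk. A guard right after `parse_args()`, e.g. `if args.response_delay_seconds < 0: parser.error('--response_delay_seconds must be >= 0')`, keeps a typo from turning into an obscure responder failure. `main()` begins above the hunk.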
@@ -0,0 +1,47 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() !== "windows") {
+ return;
+}
+
+var ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+ "ocspEnabled": "true",
+ "tlsOCSPSlowResponderWarningSecs": 3,
+ "tlsOCSPVerifyTimeoutSecs": 10,
+ },
+};
+
+let mock_ocsp = new MockOCSPServer("", 1, undefined, 3);
+mock_ocsp.start();
+
+var conn = null;
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+
+const WARN_ID = 4780400;
+assert.eq(true,
+ checkLog.checkContainsOnceJson(conn, WARN_ID, {}),
+ 'Expected log ID ' + WARN_ID + ' was not found');
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}()); |
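Review bot: If `assert.doesNotThrow` or the `assert.eq` on `WARN_ID` fails, neither `MongoRunner.stopMongod(conn)` nor `mock_ocsp.stop()` runs, so the mock responder stays bound to its fixed port (8100 per `mock_ocsp.js`) and can make later OCSP tests fail for an unrelated reason. Wrapping everything after `mock_ocsp.start()` in `try { … } finally { sleep(1000); mock_ocsp.stop(); }` keeps the teardown unconditional. Separately, the header comment `// Check that OCSP verification works` does not describe this test; `// Check that a slow OCSP responder triggers the warning log on Windows` would. The responder delay (3) equals `tlsOCSPSlowResponderWarningSecs` (3), so the test may depend on how the server compares elapsed time with the threshold; a delay one second above it would remove that dependence, if that matches the intent.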