authorErwin Pe <erwin.pe@mongodb.com>2021-08-17 01:07:55 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-08-17 01:37:24 +0000
commitfef0c3a59f8f84b143dd31e48fbd70890998cf89 (patch)
tree4ffe0a02131d26a0034e2d5ce5e7864c7e325836 /jstests/ocsp
parent0028db3e9c096e2196e66b1181f5e3c33cc435a3 (diff)
downloadmongo-fef0c3a59f8f84b143dd31e48fbd70890998cf89.tar.gz
SERVER-47804 On Windows, warn user about slow OCSP responses
Diffstat (limited to 'jstests/ocsp')
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js12
-rw-r--r--jstests/ocsp/lib/ocsp_mock.py4
-rw-r--r--jstests/ocsp/ocsp_slow_responder.js47
3 files changed, 60 insertions, 3 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 1896b2943c0..9d8d166cb9f 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -40,7 +40,10 @@ class MockOCSPServer {
* @param {number} next_update_secs
* @param {object} responder_certificate_set
*/
- constructor(fault_type, next_update_secs, responder_certificate_set = OCSP_DELEGATE_RESPONDER) {
+ constructor(fault_type,
+ next_update_secs,
+ responder_certificate_set = OCSP_DELEGATE_RESPONDER,
+ response_delay_secs = 0) {
this.python = "python3";
this.fault_type = fault_type;
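Review bot: The JSDoc block above the constructor still lists only the earlier parameters, so the new `response_delay_secs` argument is undocumented. Add `* @param {number} response_delay_secs - seconds the mock responder waits before answering; 0 (the default) adds no delay` after the `responder_certificate_set` line. The JSDoc block starts and the constructor body continues outside this hunk.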
@@ -57,6 +60,7 @@ class MockOCSPServer {
// responder in the certificates.
this.port = 8100;
this.next_update_secs = next_update_secs;
+ this.response_delay_secs = response_delay_secs;
}
start() {
@@ -68,7 +72,7 @@ class MockOCSPServer {
"-p=" + this.port,
"--ca_file=" + this.ca_file,
"--ocsp_responder_cert=" + this.ocsp_cert_file,
- "--ocsp_responder_key=" + this.ocsp_cert_key
+ "--ocsp_responder_key=" + this.ocsp_cert_key,
];
if (this.fault_type) {
@@ -79,6 +83,10 @@ class MockOCSPServer {
args.push("--next_update_seconds=" + this.next_update_secs);
}
+ if (this.response_delay_secs) {
+ args.push("--response_delay_seconds=" + this.response_delay_secs);
+ }
+
clearRawMongoProgramOutput();
this.pid = _startMongoProgram({args: args});
diff --git a/jstests/ocsp/lib/ocsp_mock.py b/jstests/ocsp/lib/ocsp_mock.py
index 78a5313efe1..afc0ab4d074 100644
--- a/jstests/ocsp/lib/ocsp_mock.py
+++ b/jstests/ocsp/lib/ocsp_mock.py
@@ -32,12 +32,14 @@ def main():
parser.add_argument('--next_update_seconds', type=int, default=32400, help="Specify how long the OCSP response should be valid for")
+ parser.add_argument('--response_delay_seconds', type=int, default=0, help="Delays the response by this number of seconds")
+
args = parser.parse_args()
if args.verbose:
logging.basicConfig(level=logging.DEBUG)
print('Initializing OCSP Responder')
- mock_ocsp_responder.init_responder(issuer_cert=args.ca_file, responder_cert=args.ocsp_responder_cert, responder_key=args.ocsp_responder_key, fault=args.fault, next_update_seconds=args.next_update_seconds)
+ mock_ocsp_responder.init_responder(issuer_cert=args.ca_file, responder_cert=args.ocsp_responder_cert, responder_key=args.ocsp_responder_key, fault=args.fault, next_update_seconds=args.next_update_seconds, response_delay_seconds=args.response_delay_seconds)
mock_ocsp_responder.init(port=args.port, debug=args.verbose, host=args.bind_ip)
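Review bot: `--response_delay_seconds` is parsed with `type=int` and passed straight to `init_responder`, so a negative value is accepted on the command line; how the responder treats it is not visible in this diff. Rejecting it right after `parse_args()` would surface the mistake at startup rather than on the first OCSP request: `if args.response_delay_seconds < 0: parser.error('--response_delay_seconds must be >= 0')`. main() starts outside this hunk.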
diff --git a/jstests/ocsp/ocsp_slow_responder.js b/jstests/ocsp/ocsp_slow_responder.js
new file mode 100644
index 00000000000..6bc1ccce826
--- /dev/null
+++ b/jstests/ocsp/ocsp_slow_responder.js
@@ -0,0 +1,47 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() !== "windows") {
+ return;
+}
+
+var ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+ "ocspEnabled": "true",
+ "tlsOCSPSlowResponderWarningSecs": 3,
+ "tlsOCSPVerifyTimeoutSecs": 10,
+ },
+};
+
+let mock_ocsp = new MockOCSPServer("", 1, undefined, 3);
+mock_ocsp.start();
+
+var conn = null;
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+
+const WARN_ID = 4780400;
+assert.eq(true,
+ checkLog.checkContainsOnceJson(conn, WARN_ID, {}),
+ 'Expected log ID ' + WARN_ID + ' was not found');
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}());
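Review bot: The responder delay in `new MockOCSPServer("", 1, undefined, 3)` equals `tlsOCSPSlowResponderWarningSecs: 3`, so the test passes only if the server's comparison is inclusive or request overhead pushes the elapsed time past the threshold; that comparison is not visible in this diff. A delay clearly above the threshold and below `tlsOCSPVerifyTimeoutSecs`, for example `new MockOCSPServer("", 1, undefined, 5)`, would remove that dependence. The header comment `// Check that OCSP verification works` does not describe this test; `// Check that a slow OCSP responder triggers the slow-response warning (log ID 4780400) on Windows` would. If the `checkLog` assertion throws, neither `MongoRunner.stopMongod(conn)` nor `mock_ocsp.stop()` runs, which may leave the responder holding its fixed port unless the harness cleans up; putting the teardown in a `finally` block avoids relying on that.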