diff options
author | Shreyas Kalyan <shreyas.kalyan@mongodb.com> | 2019-09-26 01:02:56 +0000 |
---|---|---|
committer | evergreen <evergreen@mongodb.com> | 2019-09-26 01:02:56 +0000 |
commit | 002fe351d66d5bfccea1e5a9659fbe8ec1c120dc (patch) | |
tree | 1d757e99e2aba7ae9215fd5fa8ec06b06d6a2017 /jstests/ocsp | |
parent | 7a9cefdabf985360ada4ac7569b0682320075edf (diff) | |
download | mongo-002fe351d66d5bfccea1e5a9659fbe8ec1c120dc.tar.gz |
SERVER-42933 Implement a Mock OCSP responder for testing
Diffstat (limited to 'jstests/ocsp')
-rw-r--r-- | jstests/ocsp/lib/mock_ocsp.js | 78 | ||||
-rw-r--r-- | jstests/ocsp/lib/ocsp_mock.py | 70 |
2 files changed, 148 insertions, 0 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js new file mode 100644 index 00000000000..3795cf2fee2 --- /dev/null +++ b/jstests/ocsp/lib/mock_ocsp.js @@ -0,0 +1,78 @@ +/** + * Starts a mock OCSP Server to test + * OCSP certificate revocation. + */ + +// These are a list of faults to match the list of faults +// in ocsp_mock.py. +const FAULT_REVOKED = "revoked"; +const FAULT_UNKNOWN = "unknown"; + +const OCSP_PROGRAM = "jstests/ocsp/lib/ocsp_mock.py"; + +class MockOCSPServer { + /** + * Create a new OCSP Server. + * + * @param {string} fault_type + */ + constructor(fault_type) { + this.python = "python3"; + this.fault_type = fault_type; + + if (_isWindows()) { + this.python = "python.exe"; + } + + print("Using python interpreter: " + this.python); + this.ca_file = "jstests/libs/ocsp/ca.crt"; + this.ocsp_cert_file = "jstests/libs/ocsp/ocsp_cert.crt"; + this.ocsp_cert_key = "jstests/libs/ocsp/ocsp_cert.key"; + // The port must be hard coded to match the port of the + // responder in the certificates. + this.port = 8100; + } + + start() { + print("Mock OCSP Server will listen on port: " + this.port); + let args = [ + this.python, + "-u", + OCSP_PROGRAM, + "-p=" + this.port, + "--ca_file=" + this.ca_file, + "--ocsp_responder_cert=" + this.ocsp_cert_file, + "--ocsp_responder_key=" + this.ocsp_cert_key + ]; + + this.pid = _startMongoProgram({args: args}); + assert(checkProgram(this.pid).alive); + + if (this.fault_type) { + args.push("--fault=" + this.fault_type); + } + + assert.soon(function() { + return rawMongoProgramOutput().search("Mock OCSP Responder is running") !== -1; + }); + + sleep(1000); + print("Mock OCSP Server successfully started"); + } + + /** + * Get the URL. + * + * @return {string} url of http server + */ + getURL() { + return "http://localhost:" + this.port; + } + + /** + * Stop the web server + */ + stop() { + stopMongoProgramByPid(this.pid); + } +}
\ No newline at end of file diff --git a/jstests/ocsp/lib/ocsp_mock.py b/jstests/ocsp/lib/ocsp_mock.py new file mode 100644 index 00000000000..eeba8bf184d --- /dev/null +++ b/jstests/ocsp/lib/ocsp_mock.py @@ -0,0 +1,70 @@ +#! /usr/bin/env python3 +""" +Python script to interface as a mock OCSP responder. +""" + +import argparse +import logging +from datetime import datetime +from ocspresponder import OCSPResponder, CertificateStatus + +FAULT_REVOKED = "revoked" +FAULT_UNKNOWN = "unknown" + +fault = None + +def validate(serial: int): + if fault == FAULT_REVOKED: + return (CertificateStatus.revoked, datetime.today()) + elif fault == FAULT_UNKNOWN: + return (CertificateStatus.unknown, None) + return (CertificateStatus.good, None) + +def get_cert(serial: int): + """ + Assume the certificates are stored in the ``certs`` directory with the + serial as base filename. + """ + with open('jstests/libs/ocsp/serial/server-%s.pem' % serial, 'r') as f: + return f.read().strip() + +def main(): + """Main entry point""" + parser = argparse.ArgumentParser(description="MongoDB Mock OCSP Responder.") + + parser.add_argument('-p', '--port', type=int, default=8080, help="Port to listen on") + + parser.add_argument('--ca_file', type=str, required=True, help="CA file for OCSP responder") + + parser.add_argument('-v', '--verbose', action='count', help="Enable verbose tracing") + + parser.add_argument('--ocsp_responder_cert', type=str, required=True, help="OCSP Responder Certificate") + + parser.add_argument('--ocsp_responder_key', type=str, required=True, help="OCSP Responder Keyfile") + + parser.add_argument('--fault', choices=[FAULT_REVOKED, FAULT_UNKNOWN], type=str, help="Specify a specific fault to test") + + args = parser.parse_args() + if args.verbose: + logging.basicConfig(level=logging.DEBUG) + + global fault + if args.fault: + fault = args.fault + + print('Initializing OCSP Responder') + app = OCSPResponder( + args.ca_file, args.ocsp_responder_cert, args.ocsp_responder_key, + validate_func=validate, + cert_retrieve_func=get_cert, + ) + + if args.verbose: + app.serve(args.port, debug=True) + else: + app.serve(args.port) + + print('Mock OCSP Responder is running on port %s' % (str(args.port))) + +if __name__ == '__main__': + main() |