authorSara Golemon <sara.golemon@mongodb.com>2018-03-17 14:40:13 -0400
committerSara Golemon <sara.golemon@mongodb.com>2018-04-02 19:58:23 -0400
commitc872bdd8d24a7beb9df42cbe227e99d6738ba71e (patch)
tree62ca0a42ae0ff5e20e13184c72ff2605c9b9feb8 /jstests/ssl/ssl_cert_selector_apple.js
parent069b34c332ea7e8330759037df7bc4bc7d207f2f (diff)
downloadmongo-c872bdd8d24a7beb9df42cbe227e99d6738ba71e.tar.gz
SERVER-34139 Add certificate selector for Apple for SecureTransport
Diffstat (limited to 'jstests/ssl/ssl_cert_selector_apple.js')
-rw-r--r--jstests/ssl/ssl_cert_selector_apple.js63
1 files changed, 63 insertions, 0 deletions
diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js
new file mode 100644
index 00000000000..ae65612a98d
--- /dev/null
+++ b/jstests/ssl/ssl_cert_selector_apple.js
@@ -0,0 +1,63 @@
+/**
+ * Validate that the server can load certificates from the
+ * Secure Transport certificate store.
+ *
+ * Don't actually try to connect via SSL, because without interactivity,
+ * we won't be able to click on the "Allow" button that Apple insists on presenting.
+ *
+ * Just verify that we can startup when we select a valid cert,
+ * and fail when we do not.
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+requireSSLProvider('apple', function() {
+ 'use strict';
+
+ const CLIENT =
+ 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Client';
+ const SERVER =
+ 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Server';
+ const INVALID = null;
+
+ const testCases = [
+ {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A8', name: SERVER},
+ {selector: 'subject=Trusted Kernel Test Server', name: SERVER},
+ {selector: 'thumbprint=9CA511552F14D3FC2009D425873599BF77832238', name: CLIENT},
+ {selector: 'subject=Trusted Kernel Test Client', name: CLIENT},
+ {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A9', name: INVALID},
+ {selector: 'subject=Unknown Test Client', name: INVALID}
+ ];
+
+ function test(cert, cluster) {
+ const opts = {
+ sslMode: 'requireSSL',
+ sslCertificateSelector: cert.selector,
+ sslClusterCertificateSelector: cluster.selector,
+ waitForConnect: false
+ };
+ clearRawMongoProgramOutput();
+ const mongod = MongoRunner.runMongod(opts);
+
+ assert.soon(function() {
+ const log = rawMongoProgramOutput();
+ if ((cert.name === null) || (cluster.name === null)) {
+ // Invalid search criteria should fail.
+ return log.search('Certificate selector returned no results') >= 0;
+ }
+ // Valid search criteria should show our Subject Names.
+ const certOK = log.search('Server Certificate Name: ' + cert.name) >= 0;
+ const clusOK = log.search('Client Certificate Name: ' + cluster.name) >= 0;
+ return certOK && clusOK;
+ }, "Starting Mongod with " + tojson(opts), 10000);
+
+ const killOpts = {allowedExitCode: MongoRunner.EXIT_SIGKILL};
+ MongoRunner.stopMongod(mongod, undefined, killOpts);
+ }
+
+ testCases.forEach(cert => {
+ testCases.forEach(cluster => {
+ test(cert, cluster);
+ });
+ });
+});
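Review bot: The failure branch inside `assert.soon` in `test()` is satisfied as soon as the log contains 'Certificate selector returned no results', so the test never confirms that mongod actually refused to start. A build that logged the message but kept running with some other certificate would still pass, which is the fail-open case this test should catch. For the invalid cases, also assert that the process has exited with a non-clean status before `MongoRunner.stopMongod` is called. The mixed pairs (one valid and one invalid selector) would be stronger if they checked which selector was rejected. Separately, `log.search(...)` interprets its argument as a regular expression; the current names contain no metacharacters, but `log.indexOf('Server Certificate Name: ' + cert.name) >= 0` matches literally and stays correct if a subject name ever contains `.`, `+` or `(`.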