author | Sara Golemon <sara.golemon@mongodb.com> | 2018-03-17 14:40:13 -0400 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2018-04-02 19:58:23 -0400 |
commit | c872bdd8d24a7beb9df42cbe227e99d6738ba71e (patch) | |
tree | 62ca0a42ae0ff5e20e13184c72ff2605c9b9feb8 /jstests/ssl/ssl_with_system_ca.js | |
parent | 069b34c332ea7e8330759037df7bc4bc7d207f2f (diff) | |
SERVER-34139 Add certificate selector for Apple for SecureTransport
Diffstat (limited to 'jstests/ssl/ssl_with_system_ca.js')
-rw-r--r-- | jstests/ssl/ssl_with_system_ca.js | 55 |
1 files changed, 28 insertions, 27 deletions
diff --git a/jstests/ssl/ssl_with_system_ca.js b/jstests/ssl/ssl_with_system_ca.js index 812ebef43c6..570f55c1424 100644 --- a/jstests/ssl/ssl_with_system_ca.js +++ b/jstests/ssl/ssl_with_system_ca.js @@ -2,14 +2,12 @@ // certificate to the login keychain of the evergreen user. See, // https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961 // for details. -((function() { +// To install trusted-ca.pem for local testing on OSX, invoke the following at a console: +// security add-trusted-cert -d jstests/libs/trusted-ca.pem +(function() { 'use strict'; - // Do not fail if this test leaves unterminated processes because testWithCerts - // is expected to throw before it calls stopMongod. - TestData.failIfUnterminatedProcesses = false; const HOST_TYPE = getBuildInfo().buildEnvironment.target_os; - if (HOST_TYPE == "windows") { // OpenSSL backed imports Root CA and intermediate CA runProgram( 
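Review bot: The added header comment tells developers to run `security add-trusted-cert -d jstests/libs/trusted-ca.pem` but gives no cleanup step, so a test CA stays trusted machine-wide after local testing. If the matching private key is also checked in under `jstests/libs` (not visible in this hunk), any certificate signed with it would be accepted by that machine, so the comment should say the trust is for the test run only and add `// Remove it afterwards: security remove-trusted-cert -d jstests/libs/trusted-ca.pem`. The same holds for the Windows `certutil.exe -addstore` import visible in the next hunk's context, which the test never reverses. The function body continues past this hunk.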
@@ -20,34 +18,37 @@ runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem"); } - var testWithCerts = function(serverPem) { + function testWithCerts(prefix) { jsTest.log(`Testing with SSL certs $ { - serverPem + clientPem connecting to serverPem }`); - // allowSSL instead of requireSSL so that the non-SSL connection succeeds. - var conn = MongoRunner.runMongod( - {sslMode: 'requireSSL', sslPEMKeyFile: "jstests/libs/" + serverPem}); - - // Should not be able to authenticate with x509. - // Authenticate call will return 1 on success, 0 on error. - var argv = - ['./mongo', '--ssl', '--port', conn.port, '--eval', ('db.runCommand({buildInfo: 1})')]; + + // allowSSL to get a non-SSL control connection. + const conn = MongoRunner.runMongod( + {sslMode: 'allowSSL', sslPEMKeyFile: 'jstests/libs/' + prefix + 'server.pem'}); + + let argv = [ + './mongo', + '--ssl', + '--port', + conn.port, + '--sslPEMKeyFile', + 'jstests/libs/' + prefix + 'client.pem', + '--eval', + ';' + ]; + if (HOST_TYPE == "linux") { // On Linux we override the default path to the system CA store to point to our // "trusted" CA. On Windows, this CA will have been added to the user's trusted CA list argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem"); } - var exitStatus = runMongoProgram.apply(null, argv); - assert.eq(exitStatus, 0, "successfully connected with SSL"); + const exitCode = runMongoProgram.apply(null, argv); MongoRunner.stopMongod(conn); - }; - - assert.throws(function() { - // Note: this leaves a running mongod process. - testWithCerts("server.pem", "client.pem"); - }); - assert.doesNotThrow(function() { - testWithCerts("trusted-server.pem", "trusted-client.pem"); - }); -})()); + return exitCode; + } + + assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA'); + assert.eq(0, testWithCerts('trusted-'), 'Certs signed with trusted CA'); +})(); |
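Review bot: The negative case `assert.neq(0, testWithCerts(''), ...)` passes on any non-zero shell exit, so a missing `client.pem`, a rejected flag or a mongod that is not serving would satisfy it just as well as a failed chain validation. The server is switched to `allowSSL` "to get a non-SSL control connection", yet nothing in the hunk asserts on `conn`; a control check before the TLS attempt, e.g. `assert.commandWorked(conn.getDB('admin').runCommand({buildInfo: 1}));` (assuming `conn` is the plain connection returned by `runMongod`), would tie a failure to certificate trust rather than setup. The `jsTest.log` template as rendered here (`$ { clientPem connecting to serverPem }`) interpolates nothing and no longer names the certificate set; `${prefix}client.pem` and `${prefix}server.pem` would make the log attributable. `MongoRunner.stopMongod(conn)` is skipped if `runMongoProgram` throws, so a `try`/`finally` around the call would keep the removed `failIfUnterminatedProcesses` override unnecessary.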