author | Sara Golemon <sara.golemon@mongodb.com> | 2019-08-29 00:50:54 +0000 |
---|---|---|
committer | evergreen <evergreen@mongodb.com> | 2019-08-29 00:50:54 +0000 |
commit | f299e8b9f2f1f39cf58f959579837e0d4b7a396d (patch) | |
tree | 7bc140f2405fb6b24f2e7f5b26882cb482835cc2 /jstests/ssl/x509_expiring.js | |
parent | 6729eaa16ca2794425fd90f034506e8d30a0cb5f (diff) | |
download | mongo-f299e8b9f2f1f39cf58f959579837e0d4b7a396d.tar.gz |
SERVER-41121 Warn when a peer certificate is about to expire
Diffstat (limited to 'jstests/ssl/x509_expiring.js')
-rw-r--r-- | jstests/ssl/x509_expiring.js | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/jstests/ssl/x509_expiring.js b/jstests/ssl/x509_expiring.js
new file mode 100644
index 00000000000..fd05ba2a6cb
--- /dev/null
+++ b/jstests/ssl/x509_expiring.js
@@ -0,0 +1,45 @@
+// Verify a warning is emitted when a certificate is about to expire.
+
+(function() {
+'use strict';
+
+const SERVER_CERT = "jstests/libs/server.pem";
+const CA_CERT = "jstests/libs/ca.pem";
+const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
+
+function test(expiration, expect) {
+ const options = {
+ auth: '',
+ tlsMode: "requireTLS",
+ tlsCertificateKeyFile: SERVER_CERT,
+ tlsCAFile: CA_CERT,
+ setParameter: 'tlsX509ExpirationWarningThresholdDays=' + expiration,
+ };
+ const mongo = MongoRunner.runMongod(options);
+ const external = mongo.getDB("$external");
+
+ external.createUser({
+ user: CLIENT_USER,
+ roles: [
+ {'role': 'userAdminAnyDatabase', 'db': 'admin'},
+ {'role': 'readWriteAnyDatabase', 'db': 'admin'},
+ {'role': 'clusterMonitor', 'db': 'admin'},
+ ]
+ });
+
+ assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}),
+ "authentication with valid user failed");
+
+ // Check that there's a "Successfully authenticated" message that includes the client IP
+ const log =
+ assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
+ const warning = `Peer certificate '${CLIENT_USER}' expires`;
+
+ assert.eq(log.some(line => line.includes(warning)), expect);
+
+ MongoRunner.stopMongod(mongo);
+}
+
+test(30, false);
+test(7300, true); // Work so long as certs expire no more than 20 years from now
+})(); |
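Review bot: The comment above the `getLog` call in `test()` describes a different check (a "Successfully authenticated" message with the client IP), while the code searches for the `Peer certificate '...' expires` warning; it should read something like `// Check whether the server logged an expiration warning for the client's peer certificate`. Both calls at the bottom also depend on the real validity window of the fixture certificate the shell presents, which this file does not name: `test(30, false)` will start failing once that certificate is within 30 days of expiry, and `test(7300, true)` stops passing if the fixture is ever reissued with more than 20 years of validity. Passing a message as the third argument, e.g. `assert.eq(log.some(line => line.includes(warning)), expect, "unexpected expiry-warning state at threshold " + expiration + " days; check fixture certificate validity");`, would make that failure self-explanatory.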