author | Amalia Hawkins <amalia.hawkins@10gen.com> | 2014-04-21 18:43:25 -0400 |
---|---|---|
committer | Amalia Hawkins <amalia.hawkins@10gen.com> | 2014-05-22 20:29:39 -0400 |
commit | 1b4b52a9d413e145478a303b63ab760894938c80 (patch) | |
tree | 3286cdd06d688d4345a80215f84b4674a398b753 /jstests/ssl | |
parent | 7a85cae38fba537980d6c9fc573ef077fd2df74e (diff) | |
download | mongo-1b4b52a9d413e145478a303b63ab760894938c80.tar.gz |
SERVER-12621 narrow the localhost exception when auth is enabled
Diffstat (limited to 'jstests/ssl')
-rw-r--r-- | jstests/ssl/initial_sync1_x509.js | 64 | ||||
-rw-r--r-- | jstests/ssl/libs/ssl_helpers.js | 9 | ||||
-rw-r--r-- | jstests/ssl/set_parameter_ssl.js | 10 | ||||
-rw-r--r-- | jstests/ssl/sharding_with_x509.js | 4 | ||||
-rw-r--r-- | jstests/ssl/upgrade_to_x509_ssl.js | 17 | ||||
-rw-r--r-- | jstests/ssl/x509_client.js | 4 |
6 files changed, 93 insertions, 15 deletions
diff --git a/jstests/ssl/initial_sync1_x509.js b/jstests/ssl/initial_sync1_x509.js
index 410fc2ba827..0d70bd17cf7 100644
--- a/jstests/ssl/initial_sync1_x509.js
+++ b/jstests/ssl/initial_sync1_x509.js
@@ -1,15 +1,65 @@ -// Basic tests for cluster authentication using x509 -// This test is launching replsets/initial_sync1.js with different -// values for clusterAuthMode to emulate an upgrade process. +// Basic tests for cluster authentication using x509. var common_options = {keyFile : "jstests/libs/key1"}; +function runInitialSyncTest() { + load("jstests/replsets/rslib.js"); + + print("1. Bring up set"); + var replTest = new ReplSetTest({name: "jstests_initsync1_x509", + nodes : {node0 : x509_options1, node1 : x509_options2}}); + + var conns = replTest.startSet(); + replTest.initiate(); + + var master = replTest.getMaster(); + var foo = master.getDB("foo"); + var admin = master.getDB("admin"); + + var slave1 = replTest.liveNodes.slaves[0]; + var admin_s1 = slave1.getDB("admin"); + + print("2. Create a root user."); + admin.createUser({ user: "root", pwd: "pass", roles: ["root"]}); + admin.auth("root", "pass"); + admin_s1.auth("root", "pass"); + + print("3. Insert some data"); + var bulk = foo.bar.initializeUnorderedBulkOp(); + for (var i = 0; i < 100; i++) { + bulk.insert({ date: new Date(), x: i, str: "all the talk on the market" }); + } + assert.writeOK(bulk.execute()); + print("total in foo: "+foo.bar.count()); + + print("4. Make sure synced"); + replTest.awaitReplication(); + + print("5. Insert some stuff"); + master = replTest.getMaster(); + bulk = foo.bar.initializeUnorderedBulkOp(); + for (var i = 0; i < 100; i++) { + bulk.insert({ date: new Date(), x: i, str: "all the talk on the market" }); + } + assert.writeOK(bulk.execute()); + + print("6. Everyone happy eventually"); + replTest.awaitReplication(300000); + + print("7. 
Check hbmsg"); + master.getDB("admin").runCommand({replSetTest:1, sethbmsg:"foo bar baz"}); + var status = master.getDB("admin").runCommand({replSetGetStatus:1}); + printjson(status); + assert.eq(status.members[0].infoMessage, "foo bar baz"); + replTest.stopSet(); +} + // Standard case, clusterAuthMode: x509 -x509_options1 = Object.merge(common_options, +var x509_options1 = Object.merge(common_options, {sslClusterFile: "jstests/libs/cluster-cert.pem", clusterAuthMode: "x509"}); var x509_options2 = x509_options1; -load("jstests/replsets/initial_sync1.js"); +runInitialSyncTest(); // Mixed clusterAuthMode: sendX509 and sendKeyFile and try adding --auth x509_options1 = Object.merge(common_options, @@ -17,12 +67,12 @@ x509_options1 = Object.merge(common_options, clusterAuthMode: "sendX509", auth: ""}); x509_options2 = Object.merge(common_options, {clusterAuthMode: "sendKeyFile"}); -load("jstests/replsets/initial_sync1.js"); +runInitialSyncTest(); // Mixed clusterAuthMode: x509 and sendX509, use the PEMKeyFile for outgoing connections x509_options1 = Object.merge(common_options, {clusterAuthMode: "x509"}); x509_options2 = Object.merge(common_options, {clusterAuthMode: "sendX509"}); -load("jstests/replsets/initial_sync1.js"); +runInitialSyncTest(); // verify that replset initiate fails if using a self-signed cert x509_options1 = Object.merge(common_options, {clusterAuthMode: "x509"}); diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js index c4a0f97968e..5ff3c9f1ba9 100644 --- a/jstests/ssl/libs/ssl_helpers.js +++ b/jstests/ssl/libs/ssl_helpers.js @@ -102,7 +102,7 @@ function mixedShardTest(options1, options2, shouldSucceed) { // TODO: merge this with that file and add to utils? // -ReplSetTest.prototype.upgradeSet = function( options ){ +ReplSetTest.prototype.upgradeSet = function( options, user, pwd ){ options = options || {} var nodes = this.nodes 
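Review bot: `admin_s1.auth("root", "pass")` in `runInitialSyncTest` is issued to the secondary immediately after the root user is created on the primary, before that user document can have replicated, and neither it nor the preceding `admin.auth` checks its result. If `DB.auth` returns 0 rather than throwing on failure (as I believe this shell does), losing that race leaves the secondary connection unauthenticated and the problem only shows up later as an unauthorized error out of `awaitReplication`. Consider `assert(admin.auth("root", "pass"));` on the primary and retrying on the secondary until the user has arrived: `assert.soon(function() { return admin_s1.auth("root", "pass"); }, "root user not yet replicated to secondary");`. Minor: `conns` from `var conns = replTest.startSet();` is never used, so the call can stand alone.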
@@ -130,15 +130,18 @@ ReplSetTest.prototype.upgradeSet = function( options ){ this.nodeOptions[nodeName] = Object.merge(this.nodeOptions[nodeName], options); } printjson(this.nodeOptions); - this.upgradeNode( node, options, true ) + this.upgradeNode( node, options, true, user, pwd ) if( noDowntimePossible ) assert.eq( this.getNodeId( primary ), prevPrimaryId ) } } -ReplSetTest.prototype.upgradeNode = function( node, opts, waitForState ){ +ReplSetTest.prototype.upgradeNode = function( node, opts, waitForState, user, pwd ){ var node = this.restart( node, opts ) + if (user != undefined) { + node.getDB("admin").auth(user, pwd); + } // By default, wait for primary or secondary state if( waitForState == undefined ) waitForState = true if( waitForState == true ) waitForState = [ ReplSetTest.State.PRIMARY, diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js index 2460c8041ae..34a5c101087 100644 --- a/jstests/ssl/set_parameter_ssl.js +++ b/jstests/ssl/set_parameter_ssl.js @@ -8,11 +8,13 @@ port = allocatePorts(1)[0]; function testSSLTransition(oldMode, newMode, shouldSucceed) { var conn = MongoRunner.runMongod({port: port, - sslMode: oldMode, + sslMode: oldMode, sslPEMKeyFile: SERVER_CERT, sslCAFile: CA_CERT}); - var adminDB = conn.getDB("admin"); + var adminDB = conn.getDB("admin"); + adminDB.createUser({user: "root", pwd: "pwd", roles: ['root']}); + adminDB.auth("root", "pwd"); var res = adminDB.runCommand({ "setParameter" : 1, "sslMode" : newMode }); @@ -27,7 +29,9 @@ function testAuthModeTransition(oldMode, newMode, shouldSucceed) { sslCAFile: CA_CERT, clusterAuthMode: oldMode}); - var adminDB = conn.getDB("admin"); + var adminDB = conn.getDB("admin"); + adminDB.createUser({user: "root", pwd: "pwd", roles: ['root']}); + adminDB.auth("root", "pwd"); var res = adminDB.runCommand({ "setParameter" : 1, "clusterAuthMode" : newMode }); 
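Review bot: The `node.getDB("admin").auth(user, pwd)` added to `upgradeNode` discards the result, so a failed login after the restart (wrong credentials, or a freshly restarted secondary that does not yet hold the user) is not reported here and presumably surfaces later as an unauthorized error from the state wait that follows; that wait and the rest of `upgradeNode` are outside the hunk. Because this is a shared helper, failing fast with a clear message is worth the one line: `assert(node.getDB("admin").auth(user, pwd), "auth as " + user + " failed on " + node);`. The new parameters also deserve a line for callers, e.g. `// user/pwd: optional admin credentials; the restart drops the session, so re-authenticate before waiting on state` above the `upgradeNode` assignment.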
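Review bot: In `testSSLTransition` the new `adminDB.auth("root", "pwd")` result is unchecked, and the `setParameter` response is what the test is judged on (that assertion is outside the hunk); if authentication silently failed, the command would be rejected as unauthorized, so a `shouldSucceed` of false would pass for the wrong reason and a true case would fail with a misleading error. `assert(adminDB.auth("root", "pwd"), "auth failed");` before the `runCommand` keeps the two failure modes apart. The identical lines added to `testAuthModeTransition` in the next hunk want the same check.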
diff --git a/jstests/ssl/sharding_with_x509.js b/jstests/ssl/sharding_with_x509.js index 559fb325c7f..f27b30c7b71 100644 --- a/jstests/ssl/sharding_with_x509.js +++ b/jstests/ssl/sharding_with_x509.js @@ -7,10 +7,14 @@ var x509_options = {sslMode : "requireSSL", sslClusterFile: "jstests/libs/cluster-cert.pem", clusterAuthMode: "x509"}; +// Start ShardingTest with enableBalancer because ShardingTest attempts to turn +// off the balancer otherwise, which it will not be authorized to do. Once SERVER-14017 +// is fixed the "enableBalancer" line could be removed. var st = new ShardingTest({ name : "sharding_with_x509" , shards : 2, mongos : 1, other: { + enableBalancer: true, configOptions : x509_options, mongosOptions : x509_options, rsOptions : x509_options, diff --git a/jstests/ssl/upgrade_to_x509_ssl.js b/jstests/ssl/upgrade_to_x509_ssl.js index 89696eb864c..b89a5753535 100644 --- a/jstests/ssl/upgrade_to_x509_ssl.js +++ b/jstests/ssl/upgrade_to_x509_ssl.js 
@@ -22,15 +22,25 @@ rst.initiate(); // Connect to master and do some basic operations var rstConn1 = rst.getMaster(); +print("Performing basic operations on master."); +rstConn1.getDB("admin").createUser({user:"root", pwd:"pwd", roles:["root"]}); +rstConn1.getDB("admin").auth("root", "pwd"); rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"}); rstConn1.getDB("test").a.insert({a:1, str:"WOOPWOOPWOOPWOOPWOOP"}); assert.eq(2, rstConn1.getDB("test").a.count(), "Error interacting with replSet"); print("===== UPGRADE allowSSL,sendKeyfile -> preferSSL,sendX509 ====="); +for (var n = 0; n < rst.nodes.length; n++) { + rst.nodes[n].getDB("admin").auth("root", "pwd"); +} rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: "", clusterAuthMode:"sendX509", keyFile: KEYFILE, - sslCAFile: CA_CERT}); + sslCAFile: CA_CERT}, "root", "pwd"); +// The upgradeSet call restarts the nodes so we need to reauthenticate. +for (var n = 0; n < rst.nodes.length; n++) { + rst.nodes[n].getDB("admin").auth("root", "pwd"); +} rst.awaitReplication(); var rstConn3 = rst.getMaster(); rstConn3.getDB("test").a.insert({a:3, str:"TESTTESTTEST"}); @@ -44,7 +54,10 @@ print("===== UPGRADE preferSSL,sendX509 -> requireSSL,x509 ====="); rst.upgradeSet({sslMode:"requireSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: "", clusterAuthMode:"x509", keyFile: KEYFILE, - sslCAFile: CA_CERT}); + sslCAFile: CA_CERT}, "root", "pwd"); +for (var n = 0; n < rst.nodes.length; n++) { + rst.nodes[n].getDB("admin").auth("root", "pwd"); +} rst.awaitReplication(); var rstConn4 = rst.getMaster(); rstConn4.getDB("test").a.insert({a:4, str:"TESTTESTTEST"}); diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js index f4589e91bdd..b049d428383 100644 --- a/jstests/ssl/x509_client.js +++ b/jstests/ssl/x509_client.js 
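Review bot: The first `for` loop authenticates every entry of `rst.nodes` right after `createUser` on the primary with no wait for the user document to reach the secondaries, and none of the `auth` calls in this hunk check their return value. A secondary that has not received the user yet fails to authenticate without the test noticing, and the later `rst.awaitReplication()` then reports an unauthorized error that does not point at the cause. Asserting the result and retrying on secondaries until replication catches up makes it deterministic: `assert.soon(function() { return rst.nodes[n].getDB("admin").auth("root", "pwd"); }, "could not authenticate on node " + n);` in each loop. Since the same loop is repeated after every `upgradeSet` call, a small `authAllNodes(rst, user, pwd)` helper would also remove the duplication.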
@@ -5,10 +5,14 @@ TestData.useX509 = false; // Check if this build supports the authenticationMechanisms startup parameter. var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" }); +conn.getDB('admin').createUser({user: "root", pwd: "pass", roles: ["root"]}); +conn.getDB('admin').auth("root", "pass"); var cmdOut = conn.getDB('admin').runCommand({getParameter: 1, authenticationMechanisms: 1}) if (cmdOut.ok) { TestData.authMechanism = "MONGODB-X509"; // SERVER-10353 } +conn.getDB('admin').dropAllUsers(); +conn.getDB('admin').logout(); MongoRunner.stopMongod(conn); var SERVER_CERT = "jstests/libs/server.pem" |
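Review bot: The result of `conn.getDB('admin').auth("root", "pass")` is not checked, and the `getParameter` call that follows is the feature probe: if authentication fails, `cmdOut.ok` is false for an unauthorized reason, `TestData.authMechanism` is left unset, and the rest of the test silently runs with a different mechanism than intended instead of failing. `assert(conn.getDB('admin').auth("root", "pass"), "auth failed");` after the `createUser` line prevents that. The `dropAllUsers()` before `logout()` is the right order (the drop needs the root privilege), but the intent — presumably so that the mongod started later on the same dbpath does not inherit this bootstrap user — is worth a comment, e.g. `// Drop the bootstrap user so the later mongod in this test starts with an empty admin.system.users.`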