author | Sara Golemon <sara.golemon@mongodb.com> | 2018-07-26 16:15:41 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2018-08-29 14:50:33 +0000 |
commit | 17ccef2b9f0c71b60d31b84b8824215ff87f03aa (patch) | |
tree | 8cc015711f93715bf1373703f3d2017f1d9d3678 /jstests/ssl | |
parent | d92fe6cd9242a22e8ae56f48e64a20770d9e8291 (diff) | |
SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately
Diffstat (limited to 'jstests/ssl')
-rw-r--r-- | jstests/ssl/ssl_cluster_ca.js | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/jstests/ssl/ssl_cluster_ca.js b/jstests/ssl/ssl_cluster_ca.js
new file mode 100644
index 00000000000..38b9026455d
--- /dev/null
+++ b/jstests/ssl/ssl_cluster_ca.js
@@ -0,0 +1,82 @@
+// Verify certificates and CAs between intra-cluster
+// and client->server communication using different CAs.
+
+(function() {
+ "use strict";
+
+ function testRS(opts, succeed) {
+ const origSkipCheck = TestData.skipCheckDBHashes;
+ const rsOpts = {
+ // Use localhost so that SAN matches.
+ useHostName: false,
+ nodes: {node0: opts, node1: opts},
+ };
+ const rs = new ReplSetTest(rsOpts);
+ rs.startSet();
+ if (succeed) {
+ rs.initiate();
+ assert.commandWorked(rs.getPrimary().getDB('admin').runCommand({isMaster: 1}));
+ } else {
+ assert.throws(function() {
+ rs.initiate();
+ });
+ TestData.skipCheckDBHashes = true;
+ }
+ rs.stopSet();
+ TestData.skipCheckDBHashes = origSkipCheck;
+ }
+
+ // The name "trusted" in these certificates is misleading.
+ // They're just a separate trust chain from the ones without the name.
+ // ca.pem signed client.pem and server.pem
+ // trusted-ca.pem signed trusted-client.pem and trusted-server.pem
+ const valid_options = {
+ tlsMode: 'requireTLS',
+ // Servers present trusted-server.pem to clients and each other for inbound connections.
+ // Peers validate trusted-server.pem using trusted-ca.pem when making those connections.
+ tlsPEMKeyFile: 'jstests/libs/trusted-server.pem',
+ tlsCAFile: 'jstests/libs/trusted-ca.pem',
+ // Servers making outbound connections to other servers present server.pem to their peers
+ // which their peers validate using ca.pem.
+ tlsClusterFile: 'jstests/libs/server.pem',
+ tlsClusterCAFile: 'jstests/libs/ca.pem',
+ // SERVER-36895: IP based hostname validation with SubjectAlternateName
+ tlsAllowInvalidHostnames: '',
+ };
+
+ testRS(valid_options, true);
+
+ const wrong_cluster_file =
+ Object.assign({}, valid_options, {tlsClusterFile: valid_options.tlsPEMKeyFile});
+ testRS(wrong_cluster_file, false);
+
+ const wrong_key_file =
+ Object.assign({}, valid_options, {tlsPEMKeyFile: valid_options.tlsClusterFile});
+ testRS(wrong_key_file, false);
+
+ const mongod = MongoRunner.runMongod(valid_options);
+ assert(mongod, "Failed starting standalone mongod with alternate CA");
+
+ function testConnect(cert, succeed) {
+ const mongo = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ mongod.port,
+ "--tls",
+ "--tlsCAFile",
+ valid_options.tlsCAFile,
+ "--tlsPEMKeyFile",
+ cert,
+ "--eval",
+ ";");
+
+ // runMongoProgram returns 0 on success
+ assert.eq(mongo === 0, succeed);
+ }
+
+ testConnect('jstests/libs/client.pem', true);
+ testConnect('jstests/libs/trusted-client.pem', false);
+
+ MongoRunner.stopMongod(mongod);
+}());
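Review bot: In testRS the teardown is not guarded: if a misconfigured replica set unexpectedly initiates (the exact regression this test exists to catch), `assert.throws` aborts the function before `rs.stopSet()` and the `TestData.skipCheckDBHashes` restore run, and the same happens in the success branch if `assert.commandWorked` fails, so the nodes are left running for later tests. Moving the branch logic into a try/finally makes the teardown unconditional; the same applies to the standalone, where a failing `assert.eq` in testConnect skips `MongoRunner.stopMongod(mongod)`. Separately, `assert.eq(mongo === 0, succeed)` in the negative case accepts any non-zero exit, so a shell that fails for an unrelated reason (e.g. an unreadable PEM path) would still pass; this is hedged, since runMongoProgram's return contract is not visible in this hunk.
```javascript
function testRS(opts, succeed) {
    const origSkipCheck = TestData.skipCheckDBHashes;
    // … unchanged: rsOpts / ReplSetTest construction …
    rs.startSet();
    try {
        if (succeed) {
            rs.initiate();
            assert.commandWorked(rs.getPrimary().getDB('admin').runCommand({isMaster: 1}));
        } else {
            assert.throws(function() {
                rs.initiate();
            });
            TestData.skipCheckDBHashes = true;
        }
    } finally {
        // Always tear down so a failed assertion does not leak the nodes into later tests.
        rs.stopSet();
        TestData.skipCheckDBHashes = origSkipCheck;
    }
}
```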