authorJonathan Reams <jbreams@mongodb.com>2018-12-19 13:41:40 -0500
committerJonathan Reams <jbreams@mongodb.com>2019-01-03 17:18:52 -0500
commitb7c5662bbb9c1e0c562b0dcf700547f387911661 (patch)
tree30f6382d1e103830067cab8b54306759f7d85214 /jstests/sslSpecial
parent310b84d607506406c78925693b4bf71dd95e35e5 (diff)
downloadmongo-b7c5662bbb9c1e0c562b0dcf700547f387911661.tar.gz
SERVER-37835 Support rolling over X509 cluster auth certificates
Diffstat (limited to 'jstests/sslSpecial')
-rw-r--r--jstests/sslSpecial/x509_cluster_auth_rollover.js111
1 files changed, 111 insertions, 0 deletions
diff --git a/jstests/sslSpecial/x509_cluster_auth_rollover.js b/jstests/sslSpecial/x509_cluster_auth_rollover.js
new file mode 100644
index 00000000000..6337b4d2a4a
--- /dev/null
+++ b/jstests/sslSpecial/x509_cluster_auth_rollover.js
@@ -0,0 +1,111 @@
+/**
+ * This test does a full rollover of the X509 auth for cluster membership. After the rollover,
+ * the cluster will have a new CA and the dn components used to determine cluster membership
+ * will have changed;
+ *
+ * @tags: [requires_persistence, requires_replication]
+ */
+
+(function() {
+ 'use strict';
+
+ const rst = new ReplSetTest({
+ nodes: 3,
+ waitForKeys: false,
+ nodeOptions: {
+ sslMode: "preferSSL",
+ clusterAuthMode: "x509",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslAllowInvalidHostnames: ""
+ }
+ });
+ rst.startSet();
+
+ rst.initiateWithAnyNodeAsPrimary(
+ Object.extend(rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: true}));
+
+ // Create a user to login as when auth is enabled later
+ rst.getPrimary().getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']});
+ rst.nodes.forEach((node) => {
+ assert(node.getDB("admin").auth("root", "root"));
+ });
+
+ // All the certificates' DNs share this base
+ const dnBase = "C=US, ST=New York, L=New York,";
+ // This is the DN of the rollover certificate.
+ const rolloverDN = dnBase + " O=MongoDB\\, Inc. (Rollover), OU=Kernel (Rollover), CN=server";
+ // This is the DN of the original certificate
+ const originalDN = dnBase + " O=MongoDB, OU=Kernel, CN=server";
+
+ // This will rollover the cluster to a new config in a rolling fashion. It will return when
+ // there is a primary and we are able to write to it.
+ const rolloverConfig = function(newConfig) {
+ const restart = function(node) {
+ const nodeId = rst.getNodeId(node);
+ rst.stop(nodeId);
+ const configId = "n" + nodeId;
+ rst.nodeOptions[configId] = Object.merge(rst.nodeOptions[configId], newConfig, true);
+ const newNode = rst.start(nodeId, {}, true, true);
+ assert(newNode.getDB("admin").auth("root", "root"));
+ };
+
+ rst.getSecondaries().forEach(function(secondary) {
+ restart(secondary);
+ });
+
+ restart(rst.getPrimary());
+
+ assert.soon(() => {
+ let primary = rst.getPrimary();
+ assert.commandWorked(primary.getDB("admin").runCommand({isMaster: 1}));
+ assert.writeOK(primary.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'}));
+
+ // Start a shell that connects to the server with the current CA/cert configuration
+ // and ensure that it's able to connect and authenticate with x509.
+ const shellArgs = [
+ 'mongo',
+ primary.name,
+ '--eval',
+ ';',
+ '--ssl',
+ '--sslAllowInvalidHostnames',
+ '--sslCAFile',
+ newConfig['sslCAFile'],
+ '--sslPEMKeyFile',
+ newConfig['sslPEMKeyFile'],
+ '--authenticationDatabase=$external',
+ '--authenticationMechanism=MONGODB-X509'
+ ];
+ assert.eq(_runMongoProgram.apply(null, shellArgs), 0);
+
+ return true;
+ });
+ };
+
+ jsTestLog("Rolling over CA certificate to combined old and new CA's");
+ rolloverConfig({
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/rollover_ca_merged.pem",
+ setParameter: {
+ tlsX509ClusterAuthDNOverride: rolloverDN,
+ }
+ });
+
+ jsTestLog("Rolling over to new certificate with new cluster DN and new CA");
+ rolloverConfig({
+ sslPEMKeyFile: "jstests/libs/rollover_server.pem",
+ sslCAFile: "jstests/libs/rollover_ca_merged.pem",
+ setParameter: {
+ tlsX509ClusterAuthDNOverride: originalDN,
+ }
+ });
+
+ jsTestLog("Rolling over to new CA only");
+ rolloverConfig({
+ sslPEMKeyFile: "jstests/libs/rollover_server.pem",
+ sslCAFile: "jstests/libs/rollover_ca.pem",
+ });
+
+ rst.stopSet();
+})();