authorKyle Erf <erf@mongodb.com>2013-12-12 15:16:14 -0500
committerMatt Kangas <matt.kangas@mongodb.com>2013-12-13 15:42:28 -0500
commit2c54682ce88e2c4e7fe8c99baeadfece0831dbd2 (patch)
tree9523bca472d92773cb6ef84593e3f62aa0649285 /jstests/sslSpecial
parent779be6eeb263c9dab4072650602366e46d331b1b (diff)
SERVER-11554: Added new tests for mixed mode ssl
Also added ssl testing library functions Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
Diffstat (limited to 'jstests/sslSpecial')
-rw-r--r--jstests/sslSpecial/mixed_mode_repl_nossl.js22
-rw-r--r--jstests/sslSpecial/mixed_mode_sharded_nossl.js20
-rw-r--r--jstests/sslSpecial/ssl_mixedmode.js2
-rw-r--r--jstests/sslSpecial/ssl_mixedmode2.js8
-rw-r--r--jstests/sslSpecial/upgrade_to_ssl_nossl.js33
-rw-r--r--jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js62
6 files changed, 139 insertions, 8 deletions
diff --git a/jstests/sslSpecial/mixed_mode_repl_nossl.js b/jstests/sslSpecial/mixed_mode_repl_nossl.js
new file mode 100644
index 00000000000..5eadb6516d7
--- /dev/null
+++ b/jstests/sslSpecial/mixed_mode_repl_nossl.js
@@ -0,0 +1,22 @@
+/**
+ * This test verifies that replica sets of different
+ * mixed modes can still function
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js")
+
+// Verify that disabled allows non-ssl connections
+print("=== Testing disabled cluster ===");
+replShouldSucceed(disabled, disabled);
+
+// Test mixed sslMode allowSSL/preferSSL with non-ssl client
+print("=== Testing allowSSL/preferSSL cluster ===");
+replShouldSucceed(allowSSL, preferSSL);
+
+// Test mixed sslMode allowSSL/disabled with non-ssl client
+print("=== Testing allowSSL/disabled cluster ===");
+replShouldSucceed(allowSSL, disabled);
+
+// Test mixed sslMode disables/preferSSL - should fail with non-ssl client
+print("=== Testing disabled/preferSSL cluster - SHOULD FAIL ===");
+replShouldFail(disabled, preferSSL);
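Review bot: The comment on the last case, `// Test mixed sslMode disables/preferSSL - should fail with non-ssl client`, attributes the expected failure to the client, but every case in this file runs with a non-SSL client, so the failing condition is presumably the disabled/preferSSL pairing between members. I would reword it to something like `// disabled/preferSSL: members cannot agree on a transport, so the set should not form` after confirming what `replShouldFail` actually asserts in ssl_helpers.js, which is outside this diff; that also fixes the "disables" typo. The `SHOULD FAIL` case in mixed_mode_sharded_nossl.js has the same missing rationale. The `load(...)` line here also lacks the terminating semicolon that the other new files use.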
diff --git a/jstests/sslSpecial/mixed_mode_sharded_nossl.js b/jstests/sslSpecial/mixed_mode_sharded_nossl.js
new file mode 100644
index 00000000000..bbe002a2a04
--- /dev/null
+++ b/jstests/sslSpecial/mixed_mode_sharded_nossl.js
@@ -0,0 +1,20 @@
+/**
+ * This test checks if different mixtures of ssl modes
+ * in a sharded clutster can or cannot function
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js");
+
+print("=== Testing disabled cluster ===");
+mixedShardTest(disabled, disabled, true);
+
+print("=== Testing disabled/preferSSL cluster - SHOULD FAIL ===");
+mixedShardTest(disabled, preferSSL, false);
+
+print("=== Testing allowSSL/disabled cluster ===");
+mixedShardTest(disabled, allowSSL, true);
+mixedShardTest(allowSSL, disabled, true);
+
+print("=== Testing allowSSL/preferSSL cluster ===");
+mixedShardTest(preferSSL, allowSSL, true);
+mixedShardTest(allowSSL, preferSSL, true);
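Review bot: The third argument to `mixedShardTest` is a bare boolean, so `mixedShardTest(disabled, preferSSL, false)` reads as a negative test only because of the print line above it. A one-line comment such as `// third argument: whether the mixed cluster is expected to work` would make the expectation explicit; the helper is defined in ssl_helpers.js, outside this diff, so confirm the meaning there. The passing pairs are exercised in both orders but the rejected pair in one order only; if the rejection is meant to be symmetric, `mixedShardTest(preferSSL, disabled, false);` would pin that. The header comment has a typo, "clutster".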
diff --git a/jstests/sslSpecial/ssl_mixedmode.js b/jstests/sslSpecial/ssl_mixedmode.js
index 11217716183..a86185d406c 100644
--- a/jstests/sslSpecial/ssl_mixedmode.js
+++ b/jstests/sslSpecial/ssl_mixedmode.js
@@ -2,6 +2,7 @@
// This tests runs through the 8 possible combinations of sslMode values
// and SSL-enabled and disabled shell respectively. For each combination
// expected behavior is verified.
+
var SERVER_CERT = "jstests/libs/server.pem"
var CA_CERT = "jstests/libs/ca.pem"
var CLIENT_CERT = "jstests/libs/client.pem"
@@ -16,6 +17,7 @@ function testCombination(sslMode, sslShell, shouldSucceed) {
else {
MongoRunner.runMongod({port: port,
sslMode: sslMode,
+ sslAllowInvalidCertificates: "",
sslPEMKeyFile: SERVER_CERT,
sslCAFile: CA_CERT});
}
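Review bot: The added `sslAllowInvalidCertificates: ""` relaxes certificate validation on the mongod for every sslMode combination this function runs, and nothing in the hunk says why the test needs it. With the flag set, a pass of this matrix says nothing about certificate checking, only about which transports each mode accepts. I would add a comment above the option such as `// validation relaxed on purpose: this test covers sslMode negotiation only, not certificate checks`, or drop the flag if the fixtures validate against CA_CERT. testCombination starts and ends outside this hunk, so the client side of the connection is not visible here.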
diff --git a/jstests/sslSpecial/ssl_mixedmode2.js b/jstests/sslSpecial/ssl_mixedmode2.js
deleted file mode 100644
index 6c506df2f9e..00000000000
--- a/jstests/sslSpecial/ssl_mixedmode2.js
+++ /dev/null
@@ -1,8 +0,0 @@
-// Test mixed sslMode disabled/allowSSL, this test cannot be run
-// from the /ssl directory since the --use-ssl passthrough
-// will make it impossible for the shell to connect to the replicas
-ssl_options1 = {sslMode : "disabled"};
-ssl_options2 = {sslMode : "allowSSL",
- sslPEMKeyFile : "jstests/libs/server.pem",
- sslCAFile: "jstests/libs/ca.pem"};
-load("jstests/replsets/replset1.js");
diff --git a/jstests/sslSpecial/upgrade_to_ssl_nossl.js b/jstests/sslSpecial/upgrade_to_ssl_nossl.js
new file mode 100644
index 00000000000..439e23e1859
--- /dev/null
+++ b/jstests/sslSpecial/upgrade_to_ssl_nossl.js
@@ -0,0 +1,33 @@
+/**
+ * This test checks the upgrade path for mixed mode ssl
+ * from disabled up to preferSSL
+ *
+ * NOTE: This test is similar to upgrade_to_ssl.js in the
+ * ssl test suite. This test cannot use ssl communication
+ * and therefore cannot test modes that only allow ssl.
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js");
+
+var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : {sslMode:"disabled"} });
+rst.startSet();
+rst.initiate();
+
+var rstConn1 = rst.getMaster();
+rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"});
+assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE disabled -> allowSSL =====");
+rst.upgradeSet({sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates:""});
+var rstConn2 = rst.getMaster();
+rstConn2.getDB("test").a.insert({a:2, str:"TESTTESTTEST"});
+assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE allowSSL -> preferSSL =====");
+rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates:""});
+var rstConn3 = rst.getMaster();
+rstConn3.getDB("test").a.insert({a:3, str:"TESTTESTTEST"});
+assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
+
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--eval", ";");
+assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
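Review bot: The SSL connection check runs only once, after the final upgrade to preferSSL, so the intermediate allowSSL step is verified for plaintext traffic alone. Repeating the two lines `var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--eval", ";");` and the following `assert.eq(0, ...)` after the first `upgradeSet` would show that SSL is already accepted at that stage of the upgrade path. Unlike upgrade_to_x509_ssl_nossl.js in this commit, this file never calls `rst.awaitReplication()` after `upgradeSet`, which may make the count assertions timing-sensitive. Each `upgradeSet` also passes `sslAllowInvalidCertificates:""` without a comment, so it is worth stating in the header that certificate validation is out of scope for this test.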
diff --git a/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
new file mode 100644
index 00000000000..481532c22de
--- /dev/null
+++ b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
@@ -0,0 +1,62 @@
+/**
+ * This test checks the upgrade path for mixed mode ssl + x509 auth
+ * from disabled/keyfiles up to preferSSL/x509
+ *
+ * NOTE: This test is similar to upgrade_to_x509_ssl.js in the
+ * ssl test suite. This test cannot use ssl communication
+ * and therefore cannot test modes that only allow ssl.
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js");
+
+opts = {sslMode:"disabled", clusterAuthMode:"keyFile", keyFile: KEYFILE}
+var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : opts });
+rst.startSet();
+rst.initiate();
+
+// Connect to master and do some basic operations
+var rstConn1 = rst.getMaster();
+rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"});
+assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE disabled,keyFile -> allowSSL,sendKeyfile =====");
+rst.upgradeSet({sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates:"",
+ clusterAuthMode:"sendKeyFile", keyFile: KEYFILE,
+ sslCAFile: CA_CERT});
+rst.awaitReplication();
+
+var rstConn2 = rst.getMaster();
+rstConn2.getDB("test").a.insert({a:2, str:"CHECKCHECKCHECK"});
+assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE allowSSL,sendKeyfile -> preferSSL,sendX509 =====");
+rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates:"",
+ clusterAuthMode:"sendX509", keyFile: KEYFILE,
+ sslCAFile: CA_CERT});
+rst.awaitReplication();
+var rstConn3 = rst.getMaster();
+rstConn3.getDB("test").a.insert({a:3, str:"PEASandCARROTS"});
+assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
+
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl",
+ "--sslPEMKeyFile", CLIENT_CERT, "--eval", ";");
+assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
+
+print("===== UPGRADE preferSSL,sendX509 -> preferSSL,x509 =====");
+//we cannot upgrade past preferSSL here because it will break the test client
+rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates:"",
+ clusterAuthMode:"x509", keyFile: KEYFILE,
+ sslCAFile: CA_CERT});
+rst.awaitReplication();
+var rstConn4 = rst.getMaster();
+rstConn4.getDB("test").a.insert({a:4, str:"BEEP BOOP"});
+rst.awaitReplication();
+assert.eq(4, rstConn4.getDB("test").a.count(), "Error interacting with replSet");
+
+// Test that an ssl connection can still be made
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl",
+ "--sslPEMKeyFile", CLIENT_CERT, "--eval", ";");
+assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
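Review bot: Every upgrade step, including the final `clusterAuthMode:"x509"` one, passes `sslAllowInvalidCertificates:""`, so a pass here does not show that x509 membership depends on a certificate that validates against `CA_CERT`. If the fixture certificates do chain to that CA, I would drop the flag from the last `upgradeSet`. Otherwise add a comment such as `// certificate validation relaxed for the test fixtures; x509 chain checking is not covered here`. Separately, `opts = {...}` is assigned without `var` and without a trailing semicolon, which creates an implicit global in the shell, and `var canConnectSSL` is declared twice. `var opts = {sslMode:"disabled", clusterAuthMode:"keyFile", keyFile: KEYFILE};` and a plain reassignment for the second check would fix both.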