author | Kyle Erf <erf@mongodb.com> | 2013-12-12 15:16:14 -0500 |
---|---|---|
committer | Matt Kangas <matt.kangas@mongodb.com> | 2013-12-13 15:42:28 -0500 |
commit | 2c54682ce88e2c4e7fe8c99baeadfece0831dbd2 (patch) | |
tree | 9523bca472d92773cb6ef84593e3f62aa0649285 /jstests/sslSpecial | |
parent | 779be6eeb263c9dab4072650602366e46d331b1b (diff) | |
download | mongo-2c54682ce88e2c4e7fe8c99baeadfece0831dbd2.tar.gz |
SERVER-11554: Added new tests for mixed mode ssl
Also added ssl testing library functions
Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
Diffstat (limited to 'jstests/sslSpecial')
-rw-r--r-- | jstests/sslSpecial/mixed_mode_repl_nossl.js | 22 | ||||
-rw-r--r-- | jstests/sslSpecial/mixed_mode_sharded_nossl.js | 20 | ||||
-rw-r--r-- | jstests/sslSpecial/ssl_mixedmode.js | 2 | ||||
-rw-r--r-- | jstests/sslSpecial/ssl_mixedmode2.js | 8 | ||||
-rw-r--r-- | jstests/sslSpecial/upgrade_to_ssl_nossl.js | 33 | ||||
-rw-r--r-- | jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js | 62 |
6 files changed, 139 insertions, 8 deletions
diff --git a/jstests/sslSpecial/mixed_mode_repl_nossl.js b/jstests/sslSpecial/mixed_mode_repl_nossl.js
new file mode 100644
index 00000000000..5eadb6516d7
--- /dev/null
+++ b/jstests/sslSpecial/mixed_mode_repl_nossl.js
@@ -0,0 +1,22 @@
+/**
+ * This test verifies that replica sets of different
+ * mixed modes can still function
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js")
+
+// Verify that disabled allows non-ssl connections
+print("=== Testing disabled cluster ===");
+replShouldSucceed(disabled, disabled);
+
+// Test mixed sslMode allowSSL/preferSSL with non-ssl client
+print("=== Testing allowSSL/preferSSL cluster ===");
+replShouldSucceed(allowSSL, preferSSL);
+
+// Test mixed sslMode allowSSL/disabled with non-ssl client
+print("=== Testing allowSSL/disabled cluster ===");
+replShouldSucceed(allowSSL, disabled);
+
+// Test mixed sslMode disables/preferSSL - should fail with non-ssl client
+print("=== Testing disabled/preferSSL cluster - SHOULD FAIL ===");
+replShouldFail(disabled, preferSSL);
diff --git a/jstests/sslSpecial/mixed_mode_sharded_nossl.js b/jstests/sslSpecial/mixed_mode_sharded_nossl.js
new file mode 100644
index 00000000000..bbe002a2a04
--- /dev/null
+++ b/jstests/sslSpecial/mixed_mode_sharded_nossl.js
@@ -0,0 +1,20 @@
+/**
+ * This test checks if different mixtures of ssl modes
+ * in a sharded clutster can or cannot function
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js");
+
+print("=== Testing disabled cluster ===");
+mixedShardTest(disabled, disabled, true);
+
+print("=== Testing disabled/preferSSL cluster - SHOULD FAIL ===");
+mixedShardTest(disabled, preferSSL, false);
+
+print("=== Testing allowSSL/disabled cluster ===");
+mixedShardTest(disabled, allowSSL, true);
+mixedShardTest(allowSSL, disabled, true);
+
+print("=== Testing allowSSL/preferSSL cluster ===");
+mixedShardTest(preferSSL, allowSSL, true);
+mixedShardTest(allowSSL, preferSSL, true);
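Review bot: The last case in mixed_mode_repl_nossl.js expects failure, but nothing in the file says why that pairing cannot work. A why-comment above `replShouldFail(disabled, preferSSL);` would make the expectation reviewable, for example `// a disabled member cannot take part in the SSL connections a preferSSL member uses, so the set must not form` (inferred from the mode names; confirm against ssl_helpers.js, which is not visible here). The comment on that case also reads "disables/preferSSL" where "disabled/preferSSL" is meant, and the `load(...)` line lacks the trailing semicolon that mixed_mode_sharded_nossl.js uses.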
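Review bot: In mixed_mode_sharded_nossl.js the expected-failure pairing is exercised in one argument order only: `mixedShardTest(disabled, preferSSL, false);` has no mirrored `mixedShardTest(preferSSL, disabled, false);`, while both succeeding pairings are run in both orders. If the argument order maps to different cluster roles in ssl_helpers.js (not visible here), the reverse arrangement is left untested, and a regression that lets a plaintext-only component join an SSL-preferring cluster in that arrangement would go unnoticed. The header comment also has the typo "clutster".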
diff --git a/jstests/sslSpecial/ssl_mixedmode.js b/jstests/sslSpecial/ssl_mixedmode.js index 11217716183..a86185d406c 100644 --- a/jstests/sslSpecial/ssl_mixedmode.js +++ b/jstests/sslSpecial/ssl_mixedmode.js @@ -2,6 +2,7 @@ // This tests runs through the 8 possible combinations of sslMode values // and SSL-enabled and disabled shell respectively. For each combination // expected behavior is verified. + var SERVER_CERT = "jstests/libs/server.pem" var CA_CERT = "jstests/libs/ca.pem" var CLIENT_CERT = "jstests/libs/client.pem" @@ -16,6 +17,7 @@ function testCombination(sslMode, sslShell, shouldSucceed) { else { MongoRunner.runMongod({port: port, sslMode: sslMode, + sslAllowInvalidCertificates: "", sslPEMKeyFile: SERVER_CERT, sslCAFile: CA_CERT}); } diff --git a/jstests/sslSpecial/ssl_mixedmode2.js b/jstests/sslSpecial/ssl_mixedmode2.js deleted file mode 100644 index 6c506df2f9e..00000000000 --- a/jstests/sslSpecial/ssl_mixedmode2.js +++ /dev/null @@ -1,8 +0,0 @@ -// Test mixed sslMode disabled/allowSSL, this test cannot be run -// from the /ssl directory since the --use-ssl passthrough -// will make it impossible for the shell to connect to the replicas -ssl_options1 = {sslMode : "disabled"}; -ssl_options2 = {sslMode : "allowSSL", - sslPEMKeyFile : "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem"}; -load("jstests/replsets/replset1.js"); diff --git a/jstests/sslSpecial/upgrade_to_ssl_nossl.js b/jstests/sslSpecial/upgrade_to_ssl_nossl.js new file mode 100644 index 00000000000..439e23e1859 --- /dev/null +++ b/jstests/sslSpecial/upgrade_to_ssl_nossl.js 
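Review bot: `sslAllowInvalidCertificates: "",` in the second hunk of ssl_mixedmode.js is added to the mongod under test without any comment, and it relaxes rejection of invalid peer certificates even though `sslCAFile: CA_CERT` is still passed. As written, the matrix checks only whether a connection is accepted for each sslMode, not whether certificates are validated. A why-comment on the line would keep this from being copied into non-test configurations, for example `// test-only: lets the shell connect without presenting a valid client certificate`, if that is the intent. The same option is passed unexplained in every `upgradeSet` call in upgrade_to_ssl_nossl.js and upgrade_to_x509_ssl_nossl.js; testCombination's body starts and ends outside the hunk.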
@@ -0,0 +1,33 @@
+/**
+ * This test checks the upgrade path for mixed mode ssl
+ * from disabled up to preferSSL
+ *
+ * NOTE: This test is similar to upgrade_to_ssl.js in the
+ * ssl test suite. This test cannot use ssl communication
+ * and therefore cannot test modes that only allow ssl.
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js");
+
+var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : {sslMode:"disabled"} });
+rst.startSet();
+rst.initiate();
+
+var rstConn1 = rst.getMaster();
+rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"});
+assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE disabled -> allowSSL =====");
+rst.upgradeSet({sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates:""});
+var rstConn2 = rst.getMaster();
+rstConn2.getDB("test").a.insert({a:2, str:"TESTTESTTEST"});
+assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE allowSSL -> preferSSL =====");
+rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates:""});
+var rstConn3 = rst.getMaster();
+rstConn3.getDB("test").a.insert({a:3, str:"TESTTESTTEST"});
+assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
+
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--eval", ";");
+assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
diff --git a/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
new file mode 100644
index 00000000000..481532c22de
--- /dev/null
+++ b/jstests/sslSpecial/upgrade_to_x509_ssl_nossl.js
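Review bot: The SSL connectivity check in upgrade_to_ssl_nossl.js runs only once, after the final preferSSL upgrade; the allowSSL stage is verified with a plaintext insert alone, so a set that stayed plaintext-only after the first `upgradeSet` would still pass that stage. Repeating `assert.eq(0, runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--eval", ";"), ...)` right after the allowSSL step would cover it. The check also shows only that a handshake completes: the shell is given no `--sslCAFile` and the members no `sslCAFile`, so a one-line comment saying certificate verification is out of scope here would prevent the test from being over-read.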
@@ -0,0 +1,62 @@
+/**
+ * This test checks the upgrade path for mixed mode ssl + x509 auth
+ * from disabled/keyfiles up to preferSSL/x509
+ *
+ * NOTE: This test is similar to upgrade_to_x509_ssl.js in the
+ * ssl test suite. This test cannot use ssl communication
+ * and therefore cannot test modes that only allow ssl.
+ */
+
+load("jstests/ssl/libs/ssl_helpers.js");
+
+opts = {sslMode:"disabled", clusterAuthMode:"keyFile", keyFile: KEYFILE}
+var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : opts });
+rst.startSet();
+rst.initiate();
+
+// Connect to master and do some basic operations
+var rstConn1 = rst.getMaster();
+rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"});
+assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE disabled,keyFile -> allowSSL,sendKeyfile =====");
+rst.upgradeSet({sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates:"",
+ clusterAuthMode:"sendKeyFile", keyFile: KEYFILE,
+ sslCAFile: CA_CERT});
+rst.awaitReplication();
+
+var rstConn2 = rst.getMaster();
+rstConn2.getDB("test").a.insert({a:2, str:"CHECKCHECKCHECK"});
+assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet");
+
+print("===== UPGRADE allowSSL,sendKeyfile -> preferSSL,sendX509 =====");
+rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates:"",
+ clusterAuthMode:"sendX509", keyFile: KEYFILE,
+ sslCAFile: CA_CERT});
+rst.awaitReplication();
+var rstConn3 = rst.getMaster();
+rstConn3.getDB("test").a.insert({a:3, str:"PEASandCARROTS"});
+assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
+
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl",
+ "--sslPEMKeyFile", CLIENT_CERT, "--eval", ";");
+assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
+
+print("===== UPGRADE preferSSL,sendX509 -> preferSSL,x509 =====");
+//we cannot upgrade past preferSSL here because it will break the test client
+rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT,
+ sslAllowInvalidCertificates:"",
+ clusterAuthMode:"x509", keyFile: KEYFILE,
+ sslCAFile: CA_CERT});
+rst.awaitReplication();
+var rstConn4 = rst.getMaster();
+rstConn4.getDB("test").a.insert({a:4, str:"BEEP BOOP"});
+rst.awaitReplication();
+assert.eq(4, rstConn4.getDB("test").a.count(), "Error interacting with replSet");
+
+// Test that an ssl connection can still be made
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl",
+ "--sslPEMKeyFile", CLIENT_CERT, "--eval", ";");
+assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed"); |
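Review bot: `opts = {sslMode:"disabled", clusterAuthMode:"keyFile", keyFile: KEYFILE}` near the top of upgrade_to_x509_ssl_nossl.js is assigned without `var` and without a terminating semicolon, so it becomes an implicit global in the shell scope; `var opts = {sslMode:"disabled", clusterAuthMode:"keyFile", keyFile: KEYFILE};` matches the rest of the file. `var canConnectSSL` is also declared twice, and the second occurrence should be a plain assignment. On the security side, both connectivity checks have the shell present `CLIENT_CERT` with `--eval ";"` and nothing else, so they show that the x509 stages still accept an SSL connection, not that x509 cluster membership is enforced. A one-line comment stating that limit above the final check would keep the test from being read as coverage of x509 enforcement.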