author | Jonathan Reams <jbreams@mongodb.com> | 2018-12-19 13:41:40 -0500 |
committer | Jonathan Reams <jbreams@mongodb.com> | 2019-01-03 17:18:52 -0500 |
commit | b7c5662bbb9c1e0c562b0dcf700547f387911661 (patch) | |
tree | 30f6382d1e103830067cab8b54306759f7d85214 /jstests/sslSpecial | |
parent | 310b84d607506406c78925693b4bf71dd95e35e5 (diff) | |
SERVER-37835 Support rolling over X509 cluster auth certificates
Diffstat (limited to 'jstests/sslSpecial')
-rw-r--r-- | jstests/sslSpecial/x509_cluster_auth_rollover.js | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/jstests/sslSpecial/x509_cluster_auth_rollover.js b/jstests/sslSpecial/x509_cluster_auth_rollover.js
new file mode 100644
index 00000000000..6337b4d2a4a
--- /dev/null
+++ b/jstests/sslSpecial/x509_cluster_auth_rollover.js
@@ -0,0 +1,111 @@
+/**
+ * This test does a full rollover of the X509 auth for cluster membership. After the rollover,
+ * the cluster will have a new CA and the dn components used to determine cluster membership
+ * will have changed;
+ *
+ * @tags: [requires_persistence, requires_replication]
+ */
+
+ (function() {
+ 'use strict';
+
+ const rst = new ReplSetTest({
+ nodes: 3,
+ waitForKeys: false,
+ nodeOptions: {
+ sslMode: "preferSSL",
+ clusterAuthMode: "x509",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslAllowInvalidHostnames: ""
+ }
+ });
+ rst.startSet();
+
+ rst.initiateWithAnyNodeAsPrimary(
+ Object.extend(rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: true}));
+
+ // Create a user to login as when auth is enabled later
+ rst.getPrimary().getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']});
+ rst.nodes.forEach((node) => {
+ assert(node.getDB("admin").auth("root", "root"));
+ });
+
+ // All the certificates' DNs share this base
+ const dnBase = "C=US, ST=New York, L=New York,";
+ // This is the DN of the rollover certificate.
+ const rolloverDN = dnBase + " O=MongoDB\\, Inc. (Rollover), OU=Kernel (Rollover), CN=server";
+ // This is the DN of the original certificate
+ const originalDN = dnBase + " O=MongoDB, OU=Kernel, CN=server";
+
+ // This will rollover the cluster to a new config in a rolling fashion. It will return when
+ // there is a primary and we are able to write to it.
+ const rolloverConfig = function(newConfig) {
+ const restart = function(node) {
+ const nodeId = rst.getNodeId(node);
+ rst.stop(nodeId);
+ const configId = "n" + nodeId;
+ rst.nodeOptions[configId] = Object.merge(rst.nodeOptions[configId], newConfig, true);
+ const newNode = rst.start(nodeId, {}, true, true);
+ assert(newNode.getDB("admin").auth("root", "root"));
+ };
+
+ rst.getSecondaries().forEach(function(secondary) {
+ restart(secondary);
+ });
+
+ restart(rst.getPrimary());
+
+ assert.soon(() => {
+ let primary = rst.getPrimary();
+ assert.commandWorked(primary.getDB("admin").runCommand({isMaster: 1}));
+ assert.writeOK(primary.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'}));
+
+ // Start a shell that connects to the server with the current CA/cert configuration
+ // and ensure that it's able to connect and authenticate with x509.
+ const shellArgs = [
+ 'mongo',
+ primary.name,
+ '--eval',
+ ';',
+ '--ssl',
+ '--sslAllowInvalidHostnames',
+ '--sslCAFile',
+ newConfig['sslCAFile'],
+ '--sslPEMKeyFile',
+ newConfig['sslPEMKeyFile'],
+ '--authenticationDatabase=$external',
+ '--authenticationMechanism=MONGODB-X509'
+ ];
+ assert.eq(_runMongoProgram.apply(null, shellArgs), 0);
+
+ return true;
+ });
+ };
+
+ jsTestLog("Rolling over CA certificate to combined old and new CA's");
+ rolloverConfig({
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/rollover_ca_merged.pem",
+ setParameter: {
+ tlsX509ClusterAuthDNOverride: rolloverDN,
+ }
+ });
+
+ jsTestLog("Rolling over to new certificate with new cluster DN and new CA");
+ rolloverConfig({
+ sslPEMKeyFile: "jstests/libs/rollover_server.pem",
+ sslCAFile: "jstests/libs/rollover_ca_merged.pem",
+ setParameter: {
+ tlsX509ClusterAuthDNOverride: originalDN,
+ }
+ });
+
+ jsTestLog("Rolling over to new CA only");
+ rolloverConfig({
+ sslPEMKeyFile: "jstests/libs/rollover_server.pem",
+ sslCAFile: "jstests/libs/rollover_ca.pem",
+ });
+
+ rst.stopSet();
+})();
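Review bot: The test only exercises the positive path — inside `assert.soon` each step checks that a shell using the new `sslCAFile`/`sslPEMKeyFile` can connect and authenticate — but after the final rollover to `rollover_ca.pem` it never asserts that the original `jstests/libs/ca.pem` / `jstests/libs/server.pem` pair is rejected, so a rollover that silently kept trusting the old CA would still pass. Related, the third `rolloverConfig` call passes no `setParameter`, and since `Object.merge(..., true)` appears to merge deeply into `rst.nodeOptions`, the `tlsX509ClusterAuthDNOverride: originalDN` from the second step presumably stays in effect on every node; if the override is meant to be gone once the rollover completes, that should be stated (or cleared explicitly) rather than left implicit. A negative check before `rst.stopSet()` would close the gap; a sketch follows. Minor wording: the second `jsTestLog` says "new CA" while its `sslCAFile` is still the merged bundle, so `jsTestLog("Rolling over to new certificate with new cluster DN, still trusting the merged CA bundle");` describes the step more accurately.
```javascript
    // … unchanged: rolloverConfig and the three rolloverConfig steps …

    // After the last step the original CA/certificate must no longer be accepted;
    // without this the test cannot tell a completed rollover from one that still
    // trusts the old CA. The exact failure (client-side trust or server-side
    // client-cert rejection) does not matter, only that the shell exits non-zero.
    const oldShellArgs = [
        'mongo',
        rst.getPrimary().name,
        '--eval',
        ';',
        '--ssl',
        '--sslAllowInvalidHostnames',
        '--sslCAFile',
        'jstests/libs/ca.pem',
        '--sslPEMKeyFile',
        'jstests/libs/server.pem',
        '--authenticationDatabase=$external',
        '--authenticationMechanism=MONGODB-X509'
    ];
    assert.neq(_runMongoProgram.apply(null, oldShellArgs), 0);

    rst.stopSet();
```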