authorShane Harvey <shane.harvey@mongodb.com>2016-04-18 17:17:15 -0400
committerShane Harvey <shane.harvey@mongodb.com>2016-05-19 14:59:21 -0400
commitaa9fc690ceef10bdbadb433f28fe57aded7e80ba (patch)
treec55a1789d1be89a4c0675ede8596b91837108491 /jstests/sslSpecial
parent47b0f99814f2c78edd0ae9aebf76f2c4bfddcad6 (diff)
SERVER-6823 Enable simultaneous ssl/x509 auth upgrade with only two restarts
Reduce the required number of restarts from three to two by allowing sslMode allowSSL to be used in combination with transitionToAuth and clusterAuthMode x509.
Diffstat (limited to 'jstests/sslSpecial')
-rw-r--r--jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js28
-rw-r--r--jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js44
2 files changed, 72 insertions, 0 deletions
diff --git a/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js b/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js
new file mode 100644
index 00000000000..4978b56e11f
--- /dev/null
+++ b/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js
@@ -0,0 +1,28 @@
+/*
+ * Tests simultaneous upgrade from noauth/no-ssl to x509/requireSSL on a sharded cluster.
+ * The purpose is to verify the connectivity between mongos, config server, and the shards
+ *
+ * NOTE: This test is similar to the mixed_mode_sharded_transition.js in the ssl
+ * test suite. This suite does not use ssl so it cannot test modes with ssl.
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+ 'use strict';
+
+ // Disable auth explicitly
+ var noAuthOptions = {
+ noauth: ''
+ };
+ var transitionToX509AllowSSL =
+ Object.merge(allowSSL, {transitionToAuth: '', clusterAuthMode: 'x509'});
+ var x509RequireSSL = Object.merge(requireSSL, {clusterAuthMode: 'x509'});
+
+ print('=== Testing no-auth/transitionToAuth cluster ===');
+ mixedShardTest(noAuthOptions, transitionToX509AllowSSL, true);
+ mixedShardTest(transitionToX509AllowSSL, noAuthOptions, true);
+
+ print('=== Testing transitionToAuth/transitionToAuth cluster ===');
+ mixedShardTest(transitionToX509AllowSSL, transitionToX509AllowSSL, true);
+}());
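Review bot: `x509RequireSSL` is built from `requireSSL` but never passed to `mixedShardTest`, and the header comment promises an upgrade "to x509/requireSSL" that this file never reaches. Every call pairs `noAuthOptions` with `transitionToX509AllowSSL`, so what is verified is connectivity while unauthenticated, non-TLS connections are still accepted, not the enforced end state. I would drop the unused variable and reword the header to something like `Tests the noauth -> transitionToAuth/allowSSL step of the x509 upgrade on a sharded cluster; the x509/requireSSL step cannot be exercised in this suite.` so the file is not read as coverage of the locked-down configuration.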
diff --git a/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js b/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js
new file mode 100644
index 00000000000..964397397de
--- /dev/null
+++ b/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js
@@ -0,0 +1,44 @@
+/**
+ * This test checks the upgrade path from noauth/allowSSL to x509/requireSSL
+ *
+ * NOTE: This test is similar to upgrade_noauth_to_x509_ssl.js in the ssl test
+ * suite. This test cannot use ssl communication and therefore cannot test
+ * modes that only allow ssl.
+ *
+ * This test requires data to persist across a restart.
+ * @tags: [requires_persistence]
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+ 'use strict';
+ var dbName = 'upgradeToX509';
+
+ // Disable auth explicitly
+ var noAuth = {
+ noauth: ''
+ };
+
+ // Undefine the flags we're replacing, otherwise upgradeSet will keep old values.
+ var transitionToX509AllowSSL =
+ Object.merge(allowSSL, {noauth: undefined, transitionToAuth: '', clusterAuthMode: 'x509'});
+
+ var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuth});
+ rst.startSet();
+ rst.initiate();
+
+ var testDB = rst.getPrimary().getDB(dbName);
+ assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'}));
+ assert.eq(1, testDB.a.count(), 'Error interacting with replSet');
+
+ print('=== UPGRADE no-auth/no-ssl -> transition to X509/allowSSL ===');
+ rst.upgradeSet(transitionToX509AllowSSL);
+
+ // Connect to the new primary
+ testDB = rst.getPrimary().getDB(dbName);
+ assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'}));
+ assert.eq(2, testDB.a.count(), 'Error interacting with replSet');
+
+ rst.stopSet();
+}());
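Review bot: The header says the test checks the path "from noauth/allowSSL to x509/requireSSL", but the set starts with only `noauth` and the single `upgradeSet` call stops at `transitionToAuth` with `allowSSL`, as the `print` line itself states. The asserts after the upgrade only show that an unauthenticated client can still write and that the earlier document persisted; nothing confirms the restarted nodes actually picked up `transitionToAuth` and `clusterAuthMode: 'x509'`, so the test would presumably still pass if those options were lost during the restart. Consider rewording the header to `checks the upgrade path from noauth/no-ssl to transitionToAuth/x509 with allowSSL` and asserting on each node's parsed options (for example from the `getCmdLineOpts` command) before the second insert.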