author | clang-format-7.0.1 <adam.martin@10gen.com> | 2019-07-26 18:20:35 -0400 |
---|---|---|
committer | ADAM David Alan Martin <adam.martin@10gen.com> | 2019-07-27 11:02:23 -0400 |
commit | 134a4083953270e8a11430395357fb70a29047ad (patch) | |
tree | dd428e1230e31d92b20b393dfdc17ffe7fa79cb6 /jstests/sslSpecial | |
parent | 1e46b5049003f427047e723ea5fab15b5a9253ca (diff) | |
SERVER-41772 Apply clang-format 7.0.1 to the codebase
Diffstat (limited to 'jstests/sslSpecial')
-rw-r--r-- | jstests/sslSpecial/SERVER-26369.js | 32 | ||||
-rw-r--r-- | jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js | 22 | ||||
-rw-r--r-- | jstests/sslSpecial/tls1_0.js | 179 | ||||
-rw-r--r-- | jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js | 40 | ||||
-rw-r--r-- | jstests/sslSpecial/x509_cluster_auth_rollover.js | 175 |
5 files changed, 224 insertions, 224 deletions
diff --git a/jstests/sslSpecial/SERVER-26369.js b/jstests/sslSpecial/SERVER-26369.js index 737159a9183..6118bacd1db 100644 --- a/jstests/sslSpecial/SERVER-26369.js +++ b/jstests/sslSpecial/SERVER-26369.js @@ -3,23 +3,23 @@ TestData.skipCheckingUUIDsConsistentAcrossCluster = true; (function() { - 'use strict'; +'use strict'; - load("jstests/ssl/libs/ssl_helpers.js"); +load("jstests/ssl/libs/ssl_helpers.js"); - const st = new ShardingTest({shards: {rs0: {nodes: 1}}}); - let opts = { - sslMode: "allowSSL", - sslPEMKeyFile: "jstests/libs/client.pem", - sslCAFile: "jstests/libs/ca.pem", - shardsvr: '' - }; - requireSSLProvider('openssl', function() { - // Only the OpenSSL provider supports encrypted PKCS#8 - opts.sslPEMKeyFile = "jstests/libs/password_protected.pem"; - opts.sslPEMKeyPassword = "qwerty"; - }); +const st = new ShardingTest({shards: {rs0: {nodes: 1}}}); +let opts = { + sslMode: "allowSSL", + sslPEMKeyFile: "jstests/libs/client.pem", + sslCAFile: "jstests/libs/ca.pem", + shardsvr: '' +}; +requireSSLProvider('openssl', function() { + // Only the OpenSSL provider supports encrypted PKCS#8 + opts.sslPEMKeyFile = "jstests/libs/password_protected.pem"; + opts.sslPEMKeyPassword = "qwerty"; +}); - st.rs0.restart(0, opts); - st.stop(); +st.rs0.restart(0, opts); +st.stop(); })(); diff --git a/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js b/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js index 85f775c3b6b..dde05b3a891 100644 --- a/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js +++ b/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js 
@@ -9,18 +9,18 @@ load('jstests/ssl/libs/ssl_helpers.js'); (function() { - 'use strict'; +'use strict'; - // Disable auth explicitly - var noAuthOptions = {noauth: ''}; - var transitionToX509AllowSSL = - Object.merge(allowSSL, {transitionToAuth: '', clusterAuthMode: 'x509'}); - var x509RequireSSL = Object.merge(requireSSL, {clusterAuthMode: 'x509'}); +// Disable auth explicitly +var noAuthOptions = {noauth: ''}; +var transitionToX509AllowSSL = + Object.merge(allowSSL, {transitionToAuth: '', clusterAuthMode: 'x509'}); +var x509RequireSSL = Object.merge(requireSSL, {clusterAuthMode: 'x509'}); - print('=== Testing no-auth/transitionToAuth cluster ==='); - mixedShardTest(noAuthOptions, transitionToX509AllowSSL, true); - mixedShardTest(transitionToX509AllowSSL, noAuthOptions, true); +print('=== Testing no-auth/transitionToAuth cluster ==='); +mixedShardTest(noAuthOptions, transitionToX509AllowSSL, true); +mixedShardTest(transitionToX509AllowSSL, noAuthOptions, true); - print('=== Testing transitionToAuth/transitionToAuth cluster ==='); - mixedShardTest(transitionToX509AllowSSL, transitionToX509AllowSSL, true); +print('=== Testing transitionToAuth/transitionToAuth cluster ==='); +mixedShardTest(transitionToX509AllowSSL, transitionToX509AllowSSL, true); }()); diff --git a/jstests/sslSpecial/tls1_0.js b/jstests/sslSpecial/tls1_0.js index 4947f64e941..699b977725d 100644 --- a/jstests/sslSpecial/tls1_0.js +++ b/jstests/sslSpecial/tls1_0.js 
@@ -1,107 +1,108 @@ // Make sure MongoD starts with TLS 1.0 disabled (except w/ old OpenSSL). (function() { - 'use strict'; +'use strict'; - load("jstests/ssl/libs/ssl_helpers.js"); +load("jstests/ssl/libs/ssl_helpers.js"); - // There will be cases where a connect is impossible, - // let the test runner clean those up. - TestData.failIfUnterminatedProcesses = false; +// There will be cases where a connect is impossible, +// let the test runner clean those up. +TestData.failIfUnterminatedProcesses = false; - const supportsTLS1_1 = (function() { - const openssl = getBuildInfo().openssl || {}; - if (openssl.compiled === undefined) { - // Native TLS build. - return true; - } - // OpenSSL 0.x.x => TLS 1.0 only. - if (/OpenSSL 0\./.test(openssl.compiled)) { - return false; - } - // OpenSSL 1.0.0-1.0.0k => TLS 1.0 only. - if (/OpenSSL 1\.0\.0[ a-k]/.test(openssl.compiled)) { - return false; - } - - // OpenSSL 1.0.0l and later include TLS 1.1 and 1.2 +const supportsTLS1_1 = (function() { + const openssl = getBuildInfo().openssl || {}; + if (openssl.compiled === undefined) { + // Native TLS build. return true; - })(); + } + // OpenSSL 0.x.x => TLS 1.0 only. + if (/OpenSSL 0\./.test(openssl.compiled)) { + return false; + } + // OpenSSL 1.0.0-1.0.0k => TLS 1.0 only. + if (/OpenSSL 1\.0\.0[ a-k]/.test(openssl.compiled)) { + return false; + } - const defaultEnableTLS1_0 = (function() { - // If the build doesn't support TLS 1.1, then TLS 1.0 is left enabled. - return !supportsTLS1_1; - })(); + // OpenSSL 1.0.0l and later include TLS 1.1 and 1.2 + return true; +})(); - const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2"; +const defaultEnableTLS1_0 = (function() { + // If the build doesn't support TLS 1.1, then TLS 1.0 is left enabled. 
+ return !supportsTLS1_1; +})(); - function test(serverDP, clientDP, shouldSucceed) { - const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null); - let serverOpts = { - sslMode: 'allowSSL', - sslPEMKeyFile: 'jstests/libs/server.pem', - sslCAFile: 'jstests/libs/ca.pem', - waitForConnect: true - }; - if (serverDP !== null) { - serverOpts.sslDisabledProtocols = serverDP; - } - clearRawMongoProgramOutput(); - const mongod = MongoRunner.runMongod(serverOpts); - if (!mongod) { - assert(!shouldSucceed); - return; - } +const supportsTLS1_3 = detectDefaultTLSProtocol() !== "TLS1_2"; - let clientOpts = []; - if (clientDP !== null) { - clientOpts = ['--sslDisabledProtocols', clientDP]; - } - const didSucceed = (0 == runMongoProgram('mongo', - '--ssl', - '--port', - mongod.port, - '--sslPEMKeyFile', - 'jstests/libs/client.pem', - '--sslCAFile', - 'jstests/libs/ca.pem', - ...clientOpts, - '--eval', - ';')); +function test(serverDP, clientDP, shouldSucceed) { + const expectLogMessage = !defaultEnableTLS1_0 && (serverDP === null); + let serverOpts = { + sslMode: 'allowSSL', + sslPEMKeyFile: 'jstests/libs/server.pem', + sslCAFile: 'jstests/libs/ca.pem', + waitForConnect: true + }; + if (serverDP !== null) { + serverOpts.sslDisabledProtocols = serverDP; + } + clearRawMongoProgramOutput(); + const mongod = MongoRunner.runMongod(serverOpts); + if (!mongod) { + assert(!shouldSucceed); + return; + } - MongoRunner.stopMongod(mongod); + let clientOpts = []; + if (clientDP !== null) { + clientOpts = ['--sslDisabledProtocols', clientDP]; + } + const didSucceed = (0 == + runMongoProgram('mongo', + '--ssl', + '--port', + mongod.port, + '--sslPEMKeyFile', + 'jstests/libs/client.pem', + '--sslCAFile', + 'jstests/libs/ca.pem', + ...clientOpts, + '--eval', + ';')); - // Exit code based success/failure. 
- assert.eq( - didSucceed, shouldSucceed, "Running with " + tojson(serverDP) + "/" + tojson(clientDP)); + MongoRunner.stopMongod(mongod); - assert.eq(expectLogMessage, - rawMongoProgramOutput().search('Automatically disabling TLS 1.0') >= 0, - "TLS 1.0 was/wasn't automatically disabled"); - } + // Exit code based success/failure. + assert.eq( + didSucceed, shouldSucceed, "Running with " + tojson(serverDP) + "/" + tojson(clientDP)); + + assert.eq(expectLogMessage, + rawMongoProgramOutput().search('Automatically disabling TLS 1.0') >= 0, + "TLS 1.0 was/wasn't automatically disabled"); +} - // Tests with default client behavior (TLS 1.0 disabled if 1.1 available). - test(null, null, true); - test('none', null, true); - test('TLS1_0', null, supportsTLS1_1); - test('TLS1_1,TLS1_2', null, !supportsTLS1_1 || supportsTLS1_3); - test('TLS1_1,TLS1_2,TLS1_3', null, !supportsTLS1_1); - test('TLS1_0,TLS1_1', null, supportsTLS1_1); - test('TLS1_0,TLS1_1,TLS1_2', null, supportsTLS1_3); - test('TLS1_0,TLS1_1,TLS1_2,TLS1_3', null, false); +// Tests with default client behavior (TLS 1.0 disabled if 1.1 available). +test(null, null, true); +test('none', null, true); +test('TLS1_0', null, supportsTLS1_1); +test('TLS1_1,TLS1_2', null, !supportsTLS1_1 || supportsTLS1_3); +test('TLS1_1,TLS1_2,TLS1_3', null, !supportsTLS1_1); +test('TLS1_0,TLS1_1', null, supportsTLS1_1); +test('TLS1_0,TLS1_1,TLS1_2', null, supportsTLS1_3); +test('TLS1_0,TLS1_1,TLS1_2,TLS1_3', null, false); - // Tests with TLS 1.0 always enabled on client. - test(null, 'none', true); - test('none', 'none', true); - test('TLS1_0', 'none', supportsTLS1_1); - test('TLS1_1,TLS1_2', 'none', true); - test('TLS1_0,TLS1_1', 'none', supportsTLS1_1); +// Tests with TLS 1.0 always enabled on client. +test(null, 'none', true); +test('none', 'none', true); +test('TLS1_0', 'none', supportsTLS1_1); +test('TLS1_1,TLS1_2', 'none', true); +test('TLS1_0,TLS1_1', 'none', supportsTLS1_1); - // Tests with TLS 1.0 explicitly disabled on client. 
- test(null, 'TLS1_0', supportsTLS1_1); - test('none', 'TLS1_0', supportsTLS1_1); - test('TLS1_0', 'TLS1_0', supportsTLS1_1); - test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3); - test('TLS1_1,TLS1_2,TLS1_3', 'TLS1_0', false); - test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1); +// Tests with TLS 1.0 explicitly disabled on client. +test(null, 'TLS1_0', supportsTLS1_1); +test('none', 'TLS1_0', supportsTLS1_1); +test('TLS1_0', 'TLS1_0', supportsTLS1_1); +test('TLS1_1,TLS1_2', 'TLS1_0', supportsTLS1_3); +test('TLS1_1,TLS1_2,TLS1_3', 'TLS1_0', false); +test('TLS1_0,TLS1_1', 'TLS1_0', supportsTLS1_1); })(); diff --git a/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js b/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js index 29c0ee0238b..79330a27c27 100644 --- a/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js +++ b/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js 
@@ -12,31 +12,31 @@ load('jstests/ssl/libs/ssl_helpers.js'); (function() { - 'use strict'; - var dbName = 'upgradeToX509'; +'use strict'; +var dbName = 'upgradeToX509'; - // Disable auth explicitly - var noAuth = {noauth: ''}; +// Disable auth explicitly +var noAuth = {noauth: ''}; - // Undefine the flags we're replacing, otherwise upgradeSet will keep old values. - var transitionToX509AllowSSL = - Object.merge(allowSSL, {noauth: undefined, transitionToAuth: '', clusterAuthMode: 'x509'}); +// Undefine the flags we're replacing, otherwise upgradeSet will keep old values. +var transitionToX509AllowSSL = + Object.merge(allowSSL, {noauth: undefined, transitionToAuth: '', clusterAuthMode: 'x509'}); - var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuth}); - rst.startSet(); - rst.initiate(); +var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuth}); +rst.startSet(); +rst.initiate(); - var testDB = rst.getPrimary().getDB(dbName); - assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); - assert.eq(1, testDB.a.find().itcount(), 'Error interacting with replSet'); +var testDB = rst.getPrimary().getDB(dbName); +assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); +assert.eq(1, testDB.a.find().itcount(), 'Error interacting with replSet'); - print('=== UPGRADE no-auth/no-ssl -> transition to X509/allowSSL ==='); - rst.upgradeSet(transitionToX509AllowSSL); +print('=== UPGRADE no-auth/no-ssl -> transition to X509/allowSSL ==='); +rst.upgradeSet(transitionToX509AllowSSL); - // Connect to the new primary - testDB = rst.getPrimary().getDB(dbName); - assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); - assert.eq(2, testDB.a.find().itcount(), 'Error interacting with replSet'); +// Connect to the new primary +testDB = rst.getPrimary().getDB(dbName); +assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); +assert.eq(2, testDB.a.find().itcount(), 'Error interacting with replSet'); - rst.stopSet(); 
+rst.stopSet(); }()); diff --git a/jstests/sslSpecial/x509_cluster_auth_rollover.js b/jstests/sslSpecial/x509_cluster_auth_rollover.js index d163274a78c..ab106be3679 100644 --- a/jstests/sslSpecial/x509_cluster_auth_rollover.js +++ b/jstests/sslSpecial/x509_cluster_auth_rollover.js 
@@ -7,106 +7,105 @@ */ (function() { - 'use strict'; +'use strict'; - const rst = new ReplSetTest({ - nodes: 3, - waitForKeys: false, - nodeOptions: { - sslMode: "preferSSL", - clusterAuthMode: "x509", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", - sslAllowInvalidHostnames: "" - } - }); - rst.startSet(); +const rst = new ReplSetTest({ + nodes: 3, + waitForKeys: false, + nodeOptions: { + sslMode: "preferSSL", + clusterAuthMode: "x509", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem", + sslAllowInvalidHostnames: "" + } +}); +rst.startSet(); - rst.initiateWithAnyNodeAsPrimary( - Object.extend(rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: true})); +rst.initiateWithAnyNodeAsPrimary( + Object.extend(rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: true})); - // Create a user to login as when auth is enabled later - rst.getPrimary().getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']}, - {w: 3}); - rst.nodes.forEach((node) => { - assert(node.getDB("admin").auth("root", "root")); - }); +// Create a user to login as when auth is enabled later +rst.getPrimary().getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']}, {w: 3}); +rst.nodes.forEach((node) => { + assert(node.getDB("admin").auth("root", "root")); +}); - // All the certificates' DNs share this base - const dnBase = "C=US, ST=New York, L=New York,"; - // This is the DN of the rollover certificate. - const rolloverDN = dnBase + " O=MongoDB\\, Inc. (Rollover), OU=Kernel (Rollover), CN=server"; - // This is the DN of the original certificate - const originalDN = dnBase + " O=MongoDB, OU=Kernel, CN=server"; +// All the certificates' DNs share this base +const dnBase = "C=US, ST=New York, L=New York,"; +// This is the DN of the rollover certificate. +const rolloverDN = dnBase + " O=MongoDB\\, Inc. 
(Rollover), OU=Kernel (Rollover), CN=server"; +// This is the DN of the original certificate +const originalDN = dnBase + " O=MongoDB, OU=Kernel, CN=server"; - // This will rollover the cluster to a new config in a rolling fashion. It will return when - // there is a primary and we are able to write to it. - const rolloverConfig = function(newConfig) { - const restart = function(node) { - const nodeId = rst.getNodeId(node); - rst.stop(nodeId); - const configId = "n" + nodeId; - rst.nodeOptions[configId] = Object.merge(rst.nodeOptions[configId], newConfig, true); - const newNode = rst.start(nodeId, {}, true, true); - assert(newNode.getDB("admin").auth("root", "root")); - }; +// This will rollover the cluster to a new config in a rolling fashion. It will return when +// there is a primary and we are able to write to it. +const rolloverConfig = function(newConfig) { + const restart = function(node) { + const nodeId = rst.getNodeId(node); + rst.stop(nodeId); + const configId = "n" + nodeId; + rst.nodeOptions[configId] = Object.merge(rst.nodeOptions[configId], newConfig, true); + const newNode = rst.start(nodeId, {}, true, true); + assert(newNode.getDB("admin").auth("root", "root")); + }; - rst.getSecondaries().forEach(function(secondary) { - restart(secondary); - }); + rst.getSecondaries().forEach(function(secondary) { + restart(secondary); + }); - restart(rst.getPrimary()); + restart(rst.getPrimary()); - assert.soon(() => { - let primary = rst.getPrimary(); - assert.commandWorked(primary.getDB("admin").runCommand({isMaster: 1})); - assert.writeOK(primary.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'})); + assert.soon(() => { + let primary = rst.getPrimary(); + assert.commandWorked(primary.getDB("admin").runCommand({isMaster: 1})); + assert.writeOK(primary.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'})); - // Start a shell that connects to the server with the current CA/cert configuration - // and ensure that it's able to connect and authenticate with x509. 
- const shellArgs = [ - 'mongo', - primary.name, - '--eval', - ';', - '--ssl', - '--sslAllowInvalidHostnames', - '--sslCAFile', - newConfig['sslCAFile'], - '--sslPEMKeyFile', - newConfig['sslPEMKeyFile'], - '--authenticationDatabase=$external', - '--authenticationMechanism=MONGODB-X509' - ]; - assert.eq(_runMongoProgram.apply(null, shellArgs), 0); + // Start a shell that connects to the server with the current CA/cert configuration + // and ensure that it's able to connect and authenticate with x509. + const shellArgs = [ + 'mongo', + primary.name, + '--eval', + ';', + '--ssl', + '--sslAllowInvalidHostnames', + '--sslCAFile', + newConfig['sslCAFile'], + '--sslPEMKeyFile', + newConfig['sslPEMKeyFile'], + '--authenticationDatabase=$external', + '--authenticationMechanism=MONGODB-X509' + ]; + assert.eq(_runMongoProgram.apply(null, shellArgs), 0); - return true; - }); - }; - - jsTestLog("Rolling over CA certificate to combined old and new CA's"); - rolloverConfig({ - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/rollover_ca_merged.pem", - setParameter: { - tlsX509ClusterAuthDNOverride: rolloverDN, - } + return true; }); +}; - jsTestLog("Rolling over to new certificate with new cluster DN and new CA"); - rolloverConfig({ - sslPEMKeyFile: "jstests/libs/rollover_server.pem", - sslCAFile: "jstests/libs/rollover_ca_merged.pem", - setParameter: { - tlsX509ClusterAuthDNOverride: originalDN, - } - }); +jsTestLog("Rolling over CA certificate to combined old and new CA's"); +rolloverConfig({ + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/rollover_ca_merged.pem", + setParameter: { + tlsX509ClusterAuthDNOverride: rolloverDN, + } +}); - jsTestLog("Rolling over to new CA only"); - rolloverConfig({ - sslPEMKeyFile: "jstests/libs/rollover_server.pem", - sslCAFile: "jstests/libs/rollover_ca.pem", - }); +jsTestLog("Rolling over to new certificate with new cluster DN and new CA"); +rolloverConfig({ + sslPEMKeyFile: 
"jstests/libs/rollover_server.pem", + sslCAFile: "jstests/libs/rollover_ca_merged.pem", + setParameter: { + tlsX509ClusterAuthDNOverride: originalDN, + } +}); + +jsTestLog("Rolling over to new CA only"); +rolloverConfig({ + sslPEMKeyFile: "jstests/libs/rollover_server.pem", + sslCAFile: "jstests/libs/rollover_ca.pem", +}); - rst.stopSet(); +rst.stopSet(); })(); |