authorSara Golemon <sara.golemon@mongodb.com>2018-03-17 14:40:13 -0400
committerSara Golemon <sara.golemon@mongodb.com>2018-04-02 19:58:23 -0400
commitc872bdd8d24a7beb9df42cbe227e99d6738ba71e (patch)
tree62ca0a42ae0ff5e20e13184c72ff2605c9b9feb8 /jstests
parent069b34c332ea7e8330759037df7bc4bc7d207f2f (diff)
downloadmongo-c872bdd8d24a7beb9df42cbe227e99d6738ba71e.tar.gz
SERVER-34139 Add certificate selector for Apple for SecureTransport
Diffstat (limited to 'jstests')
-rw-r--r--jstests/libs/trusted-server.pfxbin0 -> 2533 bytes
-rw-r--r--jstests/ssl/ssl_cert_selector_apple.js63
-rw-r--r--jstests/ssl/ssl_with_system_ca.js55
3 files changed, 91 insertions, 27 deletions
diff --git a/jstests/libs/trusted-server.pfx b/jstests/libs/trusted-server.pfx
new file mode 100644
index 00000000000..f68d75f88b9
--- /dev/null
+++ b/jstests/libs/trusted-server.pfx
Binary files differ
diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js
new file mode 100644
index 00000000000..ae65612a98d
--- /dev/null
+++ b/jstests/ssl/ssl_cert_selector_apple.js
@@ -0,0 +1,63 @@
+/**
+ * Validate that the server can load certificates from the
+ * Secure Transport certificate store.
+ *
+ * Don't actually try to connect via SSL, because without interactivity,
+ * we won't be able to click on the "Allow" button that Apple insists on presenting.
+ *
+ * Just verify that we can startup when we select a valid cert,
+ * and fail when we do not.
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+requireSSLProvider('apple', function() {
+ 'use strict';
+
+ const CLIENT =
+ 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Client';
+ const SERVER =
+ 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Server';
+ const INVALID = null;
+
+ const testCases = [
+ {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A8', name: SERVER},
+ {selector: 'subject=Trusted Kernel Test Server', name: SERVER},
+ {selector: 'thumbprint=9CA511552F14D3FC2009D425873599BF77832238', name: CLIENT},
+ {selector: 'subject=Trusted Kernel Test Client', name: CLIENT},
+ {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A9', name: INVALID},
+ {selector: 'subject=Unknown Test Client', name: INVALID}
+ ];
+
+ function test(cert, cluster) {
+ const opts = {
+ sslMode: 'requireSSL',
+ sslCertificateSelector: cert.selector,
+ sslClusterCertificateSelector: cluster.selector,
+ waitForConnect: false
+ };
+ clearRawMongoProgramOutput();
+ const mongod = MongoRunner.runMongod(opts);
+
+ assert.soon(function() {
+ const log = rawMongoProgramOutput();
+ if ((cert.name === null) || (cluster.name === null)) {
+ // Invalid search criteria should fail.
+ return log.search('Certificate selector returned no results') >= 0;
+ }
+ // Valid search criteria should show our Subject Names.
+ const certOK = log.search('Server Certificate Name: ' + cert.name) >= 0;
+ const clusOK = log.search('Client Certificate Name: ' + cluster.name) >= 0;
+ return certOK && clusOK;
+ }, "Starting Mongod with " + tojson(opts), 10000);
+
+ const killOpts = {allowedExitCode: MongoRunner.EXIT_SIGKILL};
+ MongoRunner.stopMongod(mongod, undefined, killOpts);
+ }
+
+ testCases.forEach(cert => {
+ testCases.forEach(cluster => {
+ test(cert, cluster);
+ });
+ });
+});
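Review bot: The three `log.search(...)` checks use String.prototype.search, which compiles its string argument into a RegExp, so the subject strings and the "no results" message are matched as patterns rather than as literal substrings; a substring test is what is intended and it stays correct if a name ever contains a regex metacharacter. Replace them with `indexOf`, e.g. `return log.indexOf('Certificate selector returned no results') >= 0;` and `const certOK = log.indexOf('Server Certificate Name: ' + cert.name) >= 0;` (same for `clusOK`). Separately, in the invalid combinations the mongod has presumably already exited with a startup error before `MongoRunner.stopMongod(mongod, undefined, killOpts)` runs, yet `allowedExitCode` only admits SIGKILL; whether the harness tolerates an already-exited process there is not visible from this hunk and is worth confirming, since the 6x6 loop hits that path in 20 of the 36 runs.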
diff --git a/jstests/ssl/ssl_with_system_ca.js b/jstests/ssl/ssl_with_system_ca.js
index 812ebef43c6..570f55c1424 100644
--- a/jstests/ssl/ssl_with_system_ca.js
+++ b/jstests/ssl/ssl_with_system_ca.js
@@ -2,14 +2,12 @@
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
// for details.
-((function() {
+// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
+// security add-trusted-cert -d jstests/libs/trusted-ca.pem
+(function() {
'use strict';
- // Do not fail if this test leaves unterminated processes because testWithCerts
- // is expected to throw before it calls stopMongod.
- TestData.failIfUnterminatedProcesses = false;
const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
-
if (HOST_TYPE == "windows") {
// OpenSSL backed imports Root CA and intermediate CA
runProgram(
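Review bot: The new comment `security add-trusted-cert -d jstests/libs/trusted-ca.pem` installs the test CA into the admin (system) trust store for every purpose, and since the matching private key presumably lives in jstests/libs next to it, anyone with a checkout could then mint certificates that the developer's machine trusts for any host. The comment should at least say how to undo it, e.g. `// Remove it afterwards with: security remove-trusted-cert -d jstests/libs/trusted-ca.pem`, and could note that `-p ssl` limits the trust to TLS rather than also code signing and S/MIME. The enclosing IIFE continues past the end of this hunk.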
@@ -20,34 +18,37 @@
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
}
- var testWithCerts = function(serverPem) {
+ function testWithCerts(prefix) {
jsTest.log(`Testing with SSL certs $ {
- serverPem
+ clientPem connecting to serverPem
}`);
- // allowSSL instead of requireSSL so that the non-SSL connection succeeds.
- var conn = MongoRunner.runMongod(
- {sslMode: 'requireSSL', sslPEMKeyFile: "jstests/libs/" + serverPem});
-
- // Should not be able to authenticate with x509.
- // Authenticate call will return 1 on success, 0 on error.
- var argv =
- ['./mongo', '--ssl', '--port', conn.port, '--eval', ('db.runCommand({buildInfo: 1})')];
+
+ // allowSSL to get a non-SSL control connection.
+ const conn = MongoRunner.runMongod(
+ {sslMode: 'allowSSL', sslPEMKeyFile: 'jstests/libs/' + prefix + 'server.pem'});
+
+ let argv = [
+ './mongo',
+ '--ssl',
+ '--port',
+ conn.port,
+ '--sslPEMKeyFile',
+ 'jstests/libs/' + prefix + 'client.pem',
+ '--eval',
+ ';'
+ ];
+
if (HOST_TYPE == "linux") {
// On Linux we override the default path to the system CA store to point to our
// "trusted" CA. On Windows, this CA will have been added to the user's trusted CA list
argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
}
- var exitStatus = runMongoProgram.apply(null, argv);
- assert.eq(exitStatus, 0, "successfully connected with SSL");
+ const exitCode = runMongoProgram.apply(null, argv);
MongoRunner.stopMongod(conn);
- };
-
- assert.throws(function() {
- // Note: this leaves a running mongod process.
- testWithCerts("server.pem", "client.pem");
- });
- assert.doesNotThrow(function() {
- testWithCerts("trusted-server.pem", "trusted-client.pem");
- });
-})());
+ return exitCode;
+ }
+
+ assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA');
+ assert.eq(0, testWithCerts('trusted-'), 'Certs signed with trusted CA');
+})();
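Review bot: `assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA')` treats any non-zero shell exit as proof that the untrusted CA was rejected, so a wrong `--sslPEMKeyFile` path, a missing `./mongo` binary or any unrelated client startup error makes the negative case pass silently; the check should confirm the failure is a certificate verification failure, for instance by clearing and capturing rawMongoProgramOutput() around the client run and asserting the verification error text is present (the exact message depends on the TLS provider and is not visible here). Also, the `jsTest.log` template on the `$ {` lines does not interpolate anything — `clientPem` and `serverPem` are not variables in this function, which takes `prefix` — so the message logs literal text; `jsTest.log('Testing with SSL certs ' + prefix + 'client.pem connecting to ' + prefix + 'server.pem');` would report what actually ran. Finally, `MongoRunner.stopMongod(conn)` is skipped if `runMongoProgram` throws, which the removed `failIfUnterminatedProcesses` guard used to tolerate; wrapping the client invocation in try/finally keeps the mongod from leaking.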