author | Sara Golemon <sara.golemon@mongodb.com> | 2018-03-17 14:40:13 -0400 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2018-04-02 19:58:23 -0400 |
commit | c872bdd8d24a7beb9df42cbe227e99d6738ba71e (patch) | |
tree | 62ca0a42ae0ff5e20e13184c72ff2605c9b9feb8 /jstests | |
parent | 069b34c332ea7e8330759037df7bc4bc7d207f2f (diff) | |
download | mongo-c872bdd8d24a7beb9df42cbe227e99d6738ba71e.tar.gz |
SERVER-34139 Add certificate selector for Apple for SecureTransport
Diffstat (limited to 'jstests')
-rw-r--r-- | jstests/libs/trusted-server.pfx | bin | 0 -> 2533 bytes | |||
-rw-r--r-- | jstests/ssl/ssl_cert_selector_apple.js | 63 | ||||
-rw-r--r-- | jstests/ssl/ssl_with_system_ca.js | 55 |
3 files changed, 91 insertions, 27 deletions
diff --git a/jstests/libs/trusted-server.pfx b/jstests/libs/trusted-server.pfx
Binary files differ
new file mode 100644
index 00000000000..f68d75f88b9
--- /dev/null
+++ b/jstests/libs/trusted-server.pfx
diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js
new file mode 100644
index 00000000000..ae65612a98d
--- /dev/null
+++ b/jstests/ssl/ssl_cert_selector_apple.js
@@ -0,0 +1,63 @@
+/**
+ * Validate that the server can load certificates from the
+ * Secure Transport certificate store.
+ *
+ * Don't actually try to connect via SSL, because without interactivity,
+ * we won't be able to click on the "Allow" button that Apple insists on presenting.
+ *
+ * Just verify that we can startup when we select a valid cert,
+ * and fail when we do not.
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+requireSSLProvider('apple', function() {
+ 'use strict';
+
+ const CLIENT =
+ 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Client';
+ const SERVER =
+ 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Server';
+ const INVALID = null;
+
+ const testCases = [
+ {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A8', name: SERVER},
+ {selector: 'subject=Trusted Kernel Test Server', name: SERVER},
+ {selector: 'thumbprint=9CA511552F14D3FC2009D425873599BF77832238', name: CLIENT},
+ {selector: 'subject=Trusted Kernel Test Client', name: CLIENT},
+ {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A9', name: INVALID},
+ {selector: 'subject=Unknown Test Client', name: INVALID}
+ ];
+
+ function test(cert, cluster) {
+ const opts = {
+ sslMode: 'requireSSL',
+ sslCertificateSelector: cert.selector,
+ sslClusterCertificateSelector: cluster.selector,
+ waitForConnect: false
+ };
+ clearRawMongoProgramOutput();
+ const mongod = MongoRunner.runMongod(opts);
+
+ assert.soon(function() {
+ const log = rawMongoProgramOutput();
+ if ((cert.name === null) || (cluster.name === null)) {
+ // Invalid search criteria should fail.
+ return log.search('Certificate selector returned no results') >= 0;
+ }
+ // Valid search criteria should show our Subject Names.
+ const certOK = log.search('Server Certificate Name: ' + cert.name) >= 0;
+ const clusOK = log.search('Client Certificate Name: ' + cluster.name) >= 0;
+ return certOK && clusOK;
+ }, "Starting Mongod with " + tojson(opts), 10000);
+
+ const killOpts = {allowedExitCode: MongoRunner.EXIT_SIGKILL};
+ MongoRunner.stopMongod(mongod, undefined, killOpts);
+ }
+
+ testCases.forEach(cert => {
+ testCases.forEach(cluster => {
+ test(cert, cluster);
+ });
+ });
+});
diff --git a/jstests/ssl/ssl_with_system_ca.js b/jstests/ssl/ssl_with_system_ca.js
index 812ebef43c6..570f55c1424 100644
--- a/jstests/ssl/ssl_with_system_ca.js
+++ b/jstests/ssl/ssl_with_system_ca.js
@@ -2,14 +2,12 @@ // certificate to the login keychain of the evergreen user. See, // https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961 // for details. -((function() { +// To install trusted-ca.pem for local testing on OSX, invoke the following at a console: +// security add-trusted-cert -d jstests/libs/trusted-ca.pem +(function() { 'use strict'; - // Do not fail if this test leaves unterminated processes because testWithCerts - // is expected to throw before it calls stopMongod. - TestData.failIfUnterminatedProcesses = false; const HOST_TYPE = getBuildInfo().buildEnvironment.target_os; - if (HOST_TYPE == "windows") { // OpenSSL backed imports Root CA and intermediate CA runProgram( 
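Review bot: In the invalid-selector branch of `test()` the only evidence of failure is `log.search('Certificate selector returned no results') >= 0`, after which the process is unconditionally SIGKILLed; the test never confirms that mongod actually refused to start, so a build that logged that line and then came up anyway with some other certificate would still pass. Consider stopping it with an `allowedExitCode` matching the startup-failure exit instead of `MongoRunner.EXIT_SIGKILL`, or at least asserting that the listener never accepted connections. A smaller point: `String.prototype.search` compiles its string argument into a RegExp, so `log.includes('Server Certificate Name: ' + cert.name)` is the intended operation; it happens to be harmless with these subject names but would misfire on any subject containing regex metacharacters. The two thumbprints also deserve a one-line comment saying which certificate files they fingerprint (presumably the server and client certs this commit ships as trusted-server.pfx), since whoever rotates those certs must update both hex strings.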
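Review bot: The new header comment instructs `security add-trusted-cert -d jstests/libs/trusted-ca.pem`, which with `-d` installs the test CA into the admin (system-wide) trust domain and needs root, and nothing tells the reader how to back it out; a developer who follows it is left with a CA whose private key is presumably checked in alongside it (as with the other test certificates) trusted by every TLS client on the machine. Suggest extending the comment with the scope and the cleanup step, e.g. `// Note: -d trusts the CA system-wide (requires sudo); remove it again with:` and `// security remove-trusted-cert -d jstests/libs/trusted-ca.pem`. The enclosing IIFE continues past the end of this hunk.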
@@ -20,34 +18,37 @@ runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem"); } - var testWithCerts = function(serverPem) { + function testWithCerts(prefix) { jsTest.log(`Testing with SSL certs $ { - serverPem + clientPem connecting to serverPem }`); - // allowSSL instead of requireSSL so that the non-SSL connection succeeds. - var conn = MongoRunner.runMongod( - {sslMode: 'requireSSL', sslPEMKeyFile: "jstests/libs/" + serverPem}); - - // Should not be able to authenticate with x509. - // Authenticate call will return 1 on success, 0 on error. - var argv = - ['./mongo', '--ssl', '--port', conn.port, '--eval', ('db.runCommand({buildInfo: 1})')]; + + // allowSSL to get a non-SSL control connection. + const conn = MongoRunner.runMongod( + {sslMode: 'allowSSL', sslPEMKeyFile: 'jstests/libs/' + prefix + 'server.pem'}); + + let argv = [ + './mongo', + '--ssl', + '--port', + conn.port, + '--sslPEMKeyFile', + 'jstests/libs/' + prefix + 'client.pem', + '--eval', + ';' + ]; + if (HOST_TYPE == "linux") { // On Linux we override the default path to the system CA store to point to our // "trusted" CA. On Windows, this CA will have been added to the user's trusted CA list argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem"); } - var exitStatus = runMongoProgram.apply(null, argv); - assert.eq(exitStatus, 0, "successfully connected with SSL"); + const exitCode = runMongoProgram.apply(null, argv); MongoRunner.stopMongod(conn); - }; - - assert.throws(function() { - // Note: this leaves a running mongod process. - testWithCerts("server.pem", "client.pem"); - }); - assert.doesNotThrow(function() { - testWithCerts("trusted-server.pem", "trusted-client.pem"); - }); -})()); + return exitCode; + } + + assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA'); + assert.eq(0, testWithCerts('trusted-'), 'Certs signed with trusted CA'); +})(); |
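Review bot: `assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA')` accepts any nonzero exit from the mongo shell as proof that the untrusted CA was rejected, so the negative case passes for unrelated reasons (bad argument, missing client.pem, shell crash) and would also pass if the shell failed before any TLS handshake took place. As the new ssl_cert_selector_apple.js does, call `clearRawMongoProgramOutput()` before `runMongoProgram.apply(null, argv)` and have `testWithCerts` also return or assert on the certificate-verification failure in `rawMongoProgramOutput()`, so the test fails only for the reason it is meant to. Minor: `let argv` is never reassigned (`unshift` mutates in place), so `const argv` matches the `const` style the rest of the new code adopts. `testWithCerts` begins and ends inside this hunk; the surrounding IIFE opens before it.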