authorAndrew Shuvalov <andrew.shuvalov@mongodb.com>2020-11-19 21:11:30 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-11-20 14:58:12 +0000
commitd3faf32669a87871992a8534cffab58d83377d79 (patch)
tree0e3302ac5eeffb47c237f609ad2328af91b4d2e9 /src/mongo/util/net
parent1cabc1efdd46b045bd85189e142fd9b3fa65dc1a (diff)
downloadmongo-d3faf32669a87871992a8534cffab58d83377d79.tar.gz
SERVER-52710: wire up transient SSL parameters up to the NetworkInterface
Diffstat (limited to 'src/mongo/util/net')
-rw-r--r--src/mongo/util/net/SConscript21
-rw-r--r--src/mongo/util/net/network_interface_ssl_test.cpp75
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp12
-rw-r--r--src/mongo/util/net/ssl_manager_test.cpp38
4 files changed, 139 insertions, 7 deletions
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index adf8b0ec033..71c46e22df6 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -230,6 +230,7 @@ if get_option('ssl') == 'on':
'sock_test.cpp',
],
LIBDEPS=[
+ '$BUILD_DIR/mongo/client/connection_string',
'$BUILD_DIR/mongo/db/server_options_servers',
'$BUILD_DIR/mongo/transport/transport_layer',
'$BUILD_DIR/mongo/util/cmdline_utils/cmdline_utils',
@@ -239,3 +240,23 @@ if get_option('ssl') == 'on':
'ssl_options_server',
],
)
+
+if get_option('ssl') == 'on':
+ env.CppIntegrationTest(
+ target='network_interface_ssl_test',
+ source=[
+ 'network_interface_ssl_test.cpp',
+ ],
+ LIBDEPS=[
+ '$BUILD_DIR/mongo/client/connection_string',
+ '$BUILD_DIR/mongo/executor/network_interface',
+ '$BUILD_DIR/mongo/executor/network_interface_factory',
+ '$BUILD_DIR/mongo/executor/network_interface_fixture',
+ '$BUILD_DIR/mongo/executor/network_interface_thread_pool',
+ '$BUILD_DIR/mongo/executor/thread_pool_task_executor',
+ '$BUILD_DIR/mongo/transport/transport_layer_egress_init',
+ '$BUILD_DIR/mongo/util/concurrency/thread_pool',
+ '$BUILD_DIR/mongo/util/version_impl',
+ ],
+)
+
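Review bot: The new `if get_option('ssl') == 'on':` block repeats the condition that already guards the preceding target (visible in the hunk header of this file's first hunk), so the `env.CppIntegrationTest(...)` call could be appended inside that existing block instead of opening a second one. That keeps all SSL-only test targets under a single guard and avoids the two conditions drifting apart if the option check is ever changed. The surrounding `if` block starts outside the hunk.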
diff --git a/src/mongo/util/net/network_interface_ssl_test.cpp b/src/mongo/util/net/network_interface_ssl_test.cpp
new file mode 100644
index 00000000000..8e3b446bdfe
--- /dev/null
+++ b/src/mongo/util/net/network_interface_ssl_test.cpp
@@ -0,0 +1,75 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kTest
+
+#include <fstream>
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/executor/network_interface_integration_fixture.h"
+#include "mongo/logv2/log.h"
+#include "mongo/unittest/integration_test.h"
+#include "mongo/unittest/unittest.h"
+#include "mongo/util/assert_util.h"
+
+namespace mongo {
+namespace executor {
+namespace {
+
+std::string LoadFile(const std::string& name) {
+ std::ifstream input(name);
+ std::string str((std::istreambuf_iterator<char>(input)), std::istreambuf_iterator<char>());
+ return str;
+}
+
+class NetworkInterfaceSSLFixture : public NetworkInterfaceIntegrationFixture {
+public:
+ void setUp() final {
+ ConnectionPool::Options options;
+ options.transientSSLParams.emplace([] {
+ TransientSSLParams params;
+ params.sslClusterPEMPayload = LoadFile("jstests/libs/client.pem");
+ params.targetedClusterConnectionString = ConnectionString::forLocal();
+ return params;
+ }());
+ LOGV2(5181101, "Initializing the test connection with transient SSL params");
+ createNet(nullptr, std::move(options));
+ net().startup();
+ }
+};
+
+TEST_F(NetworkInterfaceSSLFixture, Ping) {
+ assertCommandOK("admin", BSON("ping" << 1));
+}
+
+
+} // namespace
+} // namespace executor
+} // namespace mongo
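Review bot: `LoadFile` opens the stream and reads it without checking that the open succeeded, so a missing or unreadable "jstests/libs/client.pem" silently produces an empty `sslClusterPEMPayload` in `setUp`, and the test then fails later with an unrelated-looking TLS or connection error instead of at the point of the real problem. Check the stream right after opening, e.g. `invariant(input.is_open(), "Failed to open " + name);` (`assert_util.h` is already included), and consider adding `#include <string>` and `#include <iterator>` since `std::string` and `std::istreambuf_iterator` are currently reached only transitively. The header also places `#include <fstream>` before `"mongo/platform/basic.h"`, whereas the rest of the codebase keeps `basic.h` as the first include. ssl_manager_test.cpp in this same commit also calls a `LoadFile` helper; if it is the same function, a shared test utility would avoid the duplication. The copyright line reads 2018-present on a file added in 2020, which looks copied from another file.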
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index d42474657a3..cbd75b964f2 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1331,7 +1331,7 @@ private:
StatusWith<boost::optional<std::vector<DERInteger>>> _parseTLSFeature(X509* peerCert) const;
/** @return true if was successful, otherwise false */
- bool _setupPEM(SSL_CTX* context, const std::string& keyFile, PasswordFetcher* password);
+ bool _setupPEM(SSL_CTX* context, const std::string& keyFile, PasswordFetcher* password) const;
/**
* @param payload in-memory payload of a PEM file
@@ -1340,7 +1340,7 @@ private:
bool _setupPEMFromMemoryPayload(SSL_CTX* context,
const std::string& payload,
PasswordFetcher* password,
- StringData targetClusterURI);
+ StringData targetClusterURI) const;
/**
* Setup PEM from BIO, which could be file or memory input abstraction.
@@ -1356,7 +1356,7 @@ private:
UniqueBIO inBio,
PasswordFetcher* password,
std::optional<StringData> keyFile,
- std::optional<StringData> targetClusterURI);
+ std::optional<StringData> targetClusterURI) const;
/**
* Loads a certificate chain from memory into context.
@@ -2437,7 +2437,7 @@ bool SSLManagerOpenSSL::_readCertificateChainFromMemory(
bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
const std::string& keyFile,
- PasswordFetcher* password) {
+ PasswordFetcher* password) const {
logv2::DynamicAttributes errorAttrs;
errorAttrs.add("keyFile", keyFile);
@@ -2466,7 +2466,7 @@ bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
bool SSLManagerOpenSSL::_setupPEMFromMemoryPayload(SSL_CTX* context,
const std::string& payload,
PasswordFetcher* password,
- StringData targetClusterURI) {
+ StringData targetClusterURI) const {
logv2::DynamicAttributes errorAttrs;
errorAttrs.add("targetClusterURI", targetClusterURI);
@@ -2492,7 +2492,7 @@ bool SSLManagerOpenSSL::_setupPEMFromBIO(SSL_CTX* context,
UniqueBIO inBio,
PasswordFetcher* password,
std::optional<StringData> keyFile,
- std::optional<StringData> targetClusterURI) {
+ std::optional<StringData> targetClusterURI) const {
logv2::DynamicAttributes errorAttrs;
if (keyFile) {
errorAttrs.add("keyFile", *keyFile);
diff --git a/src/mongo/util/net/ssl_manager_test.cpp b/src/mongo/util/net/ssl_manager_test.cpp
index af325854a87..1fbd42bde40 100644
--- a/src/mongo/util/net/ssl_manager_test.cpp
+++ b/src/mongo/util/net/ssl_manager_test.cpp
@@ -36,6 +36,7 @@
#include "mongo/transport/service_entry_point.h"
#include "mongo/transport/transport_layer_asio.h"
+#include "mongo/transport/transport_layer_manager.h"
#include "mongo/util/net/ssl/context_base.hpp"
#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/net/ssl_options.h"
@@ -52,7 +53,6 @@
namespace mongo {
namespace {
-
// Test implementation needed by ASIO transport.
class ServiceEntryPointUtil : public ServiceEntryPoint {
public:
@@ -602,6 +602,42 @@ TEST(SSLManager, InitServerSideContextFromMemory) {
SSLManagerInterface::ConnectionDirection::kOutgoing));
}
+TEST(SSLManager, TransientSSLParams) {
+ SSLParams params;
+ params.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
+ params.sslCAFile = "jstests/libs/ca.pem";
+ params.sslClusterFile = "jstests/libs/client.pem";
+
+ std::shared_ptr<SSLManagerInterface> manager =
+ SSLManagerInterface::create(params, false /* isSSLServer */);
+
+ ServiceEntryPointUtil sepu;
+
+ auto options = [] {
+ ServerGlobalParams params;
+ params.noUnixSocket = true;
+ transport::TransportLayerASIO::Options opts(&params);
+ return opts;
+ }();
+ transport::TransportLayerASIO tla(options, &sepu);
+
+ TransientSSLParams transientSSLParams;
+ transientSSLParams.sslClusterPEMPayload = LoadFile("jstests/libs/client.pem");
+ transientSSLParams.targetedClusterConnectionString = ConnectionString::forLocal();
+
+ auto result = tla.createTransientSSLContext(transientSSLParams, manager.get());
+
+ // This will fail because we need to rotate certificates first to
+ // initialize the default SSL context inside TransportLayerASIO.
+ ASSERT_NOT_OK(result.getStatus());
+
+ // Init the transport properly.
+ uassertStatusOK(tla.rotateCertificates(manager, false /* asyncOCSPStaple */));
+
+ result = tla.createTransientSSLContext(transientSSLParams, manager.get());
+ uassertStatusOK(result.getStatus());
+}
+
#endif
} // namespace