author | Andrew Shuvalov <andrew.shuvalov@mongodb.com> | 2020-11-19 21:11:30 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-11-20 14:58:12 +0000 |
commit | d3faf32669a87871992a8534cffab58d83377d79 (patch) | |
tree | 0e3302ac5eeffb47c237f609ad2328af91b4d2e9 /src/mongo/util/net | |
parent | 1cabc1efdd46b045bd85189e142fd9b3fa65dc1a (diff) | |
download | mongo-d3faf32669a87871992a8534cffab58d83377d79.tar.gz |
SERVER-52710: wire up transient SSL parameters up to the NetworkInterface
Diffstat (limited to 'src/mongo/util/net')
-rw-r--r-- | src/mongo/util/net/SConscript | 21 | ||||
-rw-r--r-- | src/mongo/util/net/network_interface_ssl_test.cpp | 75 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 12 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_test.cpp | 38 |
4 files changed, 139 insertions, 7 deletions
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index adf8b0ec033..71c46e22df6 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -230,6 +230,7 @@ if get_option('ssl') == 'on':
 'sock_test.cpp',
 ],
 LIBDEPS=[
+ '$BUILD_DIR/mongo/client/connection_string',
 '$BUILD_DIR/mongo/db/server_options_servers',
 '$BUILD_DIR/mongo/transport/transport_layer',
 '$BUILD_DIR/mongo/util/cmdline_utils/cmdline_utils',
@@ -239,3 +240,23 @@ if get_option('ssl') == 'on':
 'ssl_options_server',
 ],
 )
+
+if get_option('ssl') == 'on':
+ env.CppIntegrationTest(
+ target='network_interface_ssl_test',
+ source=[
+ 'network_interface_ssl_test.cpp',
+ ],
+ LIBDEPS=[
+ '$BUILD_DIR/mongo/client/connection_string',
+ '$BUILD_DIR/mongo/executor/network_interface',
+ '$BUILD_DIR/mongo/executor/network_interface_factory',
+ '$BUILD_DIR/mongo/executor/network_interface_fixture',
+ '$BUILD_DIR/mongo/executor/network_interface_thread_pool',
+ '$BUILD_DIR/mongo/executor/thread_pool_task_executor',
+ '$BUILD_DIR/mongo/transport/transport_layer_egress_init',
+ '$BUILD_DIR/mongo/util/concurrency/thread_pool',
+ '$BUILD_DIR/mongo/util/version_impl',
+ ],
+)
+
diff --git a/src/mongo/util/net/network_interface_ssl_test.cpp b/src/mongo/util/net/network_interface_ssl_test.cpp
new file mode 100644
index 00000000000..8e3b446bdfe
--- /dev/null
+++ b/src/mongo/util/net/network_interface_ssl_test.cpp
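Review bot: The new `network_interface_ssl_test` target sits under a second `if get_option('ssl') == 'on':` placed directly after an identical guard, and its closing `)` appears dedented to column 0 while the `env.CppIntegrationTest(` it closes is indented one level. Fold the target into the preceding `if` block and write the closing line as `    )` so the two SSL-only test targets read as one group. The `$BUILD_DIR/mongo/client/connection_string` LIBDEP added to the earlier target matches the `ConnectionString::forLocal()` call this commit adds to ssl_manager_test.cpp.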
@@ -0,0 +1,75 @@
+/**
+ * Copyright (C) 2018-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kTest
+
+#include <fstream>
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/executor/network_interface_integration_fixture.h"
+#include "mongo/logv2/log.h"
+#include "mongo/unittest/integration_test.h"
+#include "mongo/unittest/unittest.h"
+#include "mongo/util/assert_util.h"
+
+namespace mongo {
+namespace executor {
+namespace {
+
+std::string LoadFile(const std::string& name) {
+ std::ifstream input(name);
+ std::string str((std::istreambuf_iterator<char>(input)), std::istreambuf_iterator<char>());
+ return str;
+}
+
+class NetworkInterfaceSSLFixture : public NetworkInterfaceIntegrationFixture {
+public:
+ void setUp() final {
+ ConnectionPool::Options options;
+ options.transientSSLParams.emplace([] {
+ TransientSSLParams params;
+ params.sslClusterPEMPayload = LoadFile("jstests/libs/client.pem");
+ params.targetedClusterConnectionString = ConnectionString::forLocal();
+ return params;
+ }());
+ LOGV2(5181101, "Initializing the test connection with transient SSL params");
+ createNet(nullptr, std::move(options));
+ net().startup();
+ }
+};
+
+TEST_F(NetworkInterfaceSSLFixture, Ping) {
+ assertCommandOK("admin", BSON("ping" << 1));
+}
+
+
+} // namespace
+} // namespace executor
+} // namespace mongo
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index d42474657a3..cbd75b964f2 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1331,7 +1331,7 @@ private:
 StatusWith<boost::optional<std::vector<DERInteger>>> _parseTLSFeature(X509* peerCert) const;
 /** @return true if was successful, otherwise false */
- bool _setupPEM(SSL_CTX* context, const std::string& keyFile, PasswordFetcher* password);
+ bool _setupPEM(SSL_CTX* context, const std::string& keyFile, PasswordFetcher* password) const;
 /**
 * @param payload in-memory payload of a PEM file
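Review bot: `LoadFile` never checks that `input` actually opened, so a missing or unreadable `jstests/libs/client.pem` (for example when the integration test binary is started from a directory other than the repository root) silently yields an empty `sslClusterPEMPayload`, and the failure only surfaces later as an opaque SSL-context error instead of pointing at the file. Add a check right after the stream is constructed, `invariant(input.is_open(), "failed to open " + name);`, or return a `StatusWith<std::string>` so the fixture can report the path it could not read. The same `LoadFile` name is called in ssl_manager_test.cpp by this commit; if that file carries its own copy, sharing one helper would keep the open-failure handling consistent. A one-line comment on the fixture, `// Expects the working directory to be the repository root so the jstests/libs PEM files resolve.`, would also help anyone running the binary by hand.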
@@ -1340,7 +1340,7 @@ private:
 bool _setupPEMFromMemoryPayload(SSL_CTX* context,
 const std::string& payload,
 PasswordFetcher* password,
- StringData targetClusterURI);
+ StringData targetClusterURI) const;
 /**
 * Setup PEM from BIO, which could be file or memory input abstraction.
@@ -1356,7 +1356,7 @@ private:
 UniqueBIO inBio,
 PasswordFetcher* password,
 std::optional<StringData> keyFile,
- std::optional<StringData> targetClusterURI);
+ std::optional<StringData> targetClusterURI) const;
 /**
 * Loads a certificate chain from memory into context.
@@ -2437,7 +2437,7 @@ bool SSLManagerOpenSSL::_readCertificateChainFromMemory(
 bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
 const std::string& keyFile,
- PasswordFetcher* password) {
+ PasswordFetcher* password) const {
 logv2::DynamicAttributes errorAttrs;
 errorAttrs.add("keyFile", keyFile);
@@ -2466,7 +2466,7 @@ bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
 bool SSLManagerOpenSSL::_setupPEMFromMemoryPayload(SSL_CTX* context,
 const std::string& payload,
 PasswordFetcher* password,
- StringData targetClusterURI) {
+ StringData targetClusterURI) const {
 logv2::DynamicAttributes errorAttrs;
 errorAttrs.add("targetClusterURI", targetClusterURI);
@@ -2492,7 +2492,7 @@ bool SSLManagerOpenSSL::_setupPEMFromBIO(SSL_CTX* context,
 UniqueBIO inBio,
 PasswordFetcher* password,
 std::optional<StringData> keyFile,
- std::optional<StringData> targetClusterURI) {
+ std::optional<StringData> targetClusterURI) const {
 logv2::DynamicAttributes errorAttrs;
 if (keyFile) {
 errorAttrs.add("keyFile", *keyFile);
diff --git a/src/mongo/util/net/ssl_manager_test.cpp b/src/mongo/util/net/ssl_manager_test.cpp
index af325854a87..1fbd42bde40 100644
--- a/src/mongo/util/net/ssl_manager_test.cpp
+++ b/src/mongo/util/net/ssl_manager_test.cpp
@@ -36,6 +36,7 @@
 #include "mongo/transport/service_entry_point.h"
 #include "mongo/transport/transport_layer_asio.h"
+#include "mongo/transport/transport_layer_manager.h"
 #include "mongo/util/net/ssl/context_base.hpp"
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_options.h"
@@ -52,7 +53,6 @@ namespace mongo {
 namespace {
-
 // Test implementation needed by ASIO transport.
 class ServiceEntryPointUtil : public ServiceEntryPoint {
 public:
@@ -602,6 +602,42 @@ TEST(SSLManager, InitServerSideContextFromMemory) {
 SSLManagerInterface::ConnectionDirection::kOutgoing));
 }
+TEST(SSLManager, TransientSSLParams) {
+ SSLParams params;
+ params.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
+ params.sslCAFile = "jstests/libs/ca.pem";
+ params.sslClusterFile = "jstests/libs/client.pem";
+
+ std::shared_ptr<SSLManagerInterface> manager =
+ SSLManagerInterface::create(params, false /* isSSLServer */);
+
+ ServiceEntryPointUtil sepu;
+
+ auto options = [] {
+ ServerGlobalParams params;
+ params.noUnixSocket = true;
+ transport::TransportLayerASIO::Options opts(¶ms);
+ return opts;
+ }();
+ transport::TransportLayerASIO tla(options, &sepu);
+
+ TransientSSLParams transientSSLParams;
+ transientSSLParams.sslClusterPEMPayload = LoadFile("jstests/libs/client.pem");
+ transientSSLParams.targetedClusterConnectionString = ConnectionString::forLocal();
+
+ auto result = tla.createTransientSSLContext(transientSSLParams, manager.get());
+
+ // This will fail because we need to rotate certificates first to
+ // initialize the default SSL context inside TransportLayerASIO.
+ ASSERT_NOT_OK(result.getStatus());
+
+ // Init the transport properly.
+ uassertStatusOK(tla.rotateCertificates(manager, false /* asyncOCSPStaple */));
+
+ result = tla.createTransientSSLContext(transientSSLParams, manager.get());
+ uassertStatusOK(result.getStatus());
+}
+
 #endif
 } // namespace |
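Review bot: `mongo/transport/transport_layer_manager.h` is added to the include list, but nothing in the new `TransientSSLParams` test (the only other non-whitespace change to this file in this commit) references `TransportLayerManager`; the test works through `transport::TransportLayerASIO`, whose header is already included. If no pre-existing code in the file relies on it, drop the include; if it is genuinely needed, a short trailing comment naming what it provides would keep the next include-what-you-use pass from removing it.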
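Review bot: The success path of `TransientSSLParams` uses `uassertStatusOK` for `rotateCertificates` and for the second `createTransientSSLContext`, which on failure throws a DBException that the framework reports as an uncaught exception rather than a located assertion; `ASSERT_OK(tla.rotateCertificates(manager, false /* asyncOCSPStaple */));` and `ASSERT_OK(result.getStatus());` match the `ASSERT_NOT_OK` already used a few lines above. The test also stops at `getStatus()` and never inspects the returned context; if the value is a handle, asserting it is non-null would confirm a transient context was actually built rather than just an OK status. The lambda that builds `options` declares a `ServerGlobalParams params` that shadows the outer `SSLParams params`; renaming the inner one (e.g. `serverParams`) avoids the confusion and any `-Wshadow` noise.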