authorShaun Verch <shaun.verch@10gen.com>2013-09-10 16:23:15 -0400
committerShaun Verch <shaun.verch@10gen.com>2013-10-04 16:58:54 -0400
commitd61cdb37d5fcc83f649c912df2c590649935eac1 (patch)
tree2bc0bd95df4e95de1fa205a71ebc21935e76b636 /src
parent05dd65e6a7718ce80e3f452d88fe5105a10e9247 (diff)
downloadmongo-d61cdb37d5fcc83f649c912df2c590649935eac1.tar.gz
SERVER-8510 Factored out ssl option registration and storage
Diffstat (limited to 'src')
-rw-r--r--src/mongo/SConscript5
-rw-r--r--src/mongo/client/dbclient.cpp8
-rw-r--r--src/mongo/client/dbclient.h1
-rw-r--r--src/mongo/client/examples/httpClientTest.cpp2
-rw-r--r--src/mongo/db/cmdline.cpp76
-rw-r--r--src/mongo/db/cmdline.h15
-rw-r--r--src/mongo/db/cmdline_test.cpp7
-rw-r--r--src/mongo/db/mongod_options.cpp1
-rw-r--r--src/mongo/db/server_options.cpp50
-rw-r--r--src/mongo/s/mongos_options.cpp1
-rw-r--r--src/mongo/shell/dbshell.cpp48
-rw-r--r--src/mongo/tools/tool.cpp3
-rw-r--r--src/mongo/util/net/ssl_manager.cpp23
-rw-r--r--src/mongo/util/net/ssl_options.cpp217
-rw-r--r--src/mongo/util/net/ssl_options.h56
15 files changed, 314 insertions, 199 deletions
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index dc2beab8a8a..679a0a091ba 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -221,6 +221,7 @@ commonFiles = [ "pch.cpp",
"util/stack_introspect.cpp",
"util/net/sock.cpp",
"util/net/ssl_manager.cpp",
+ "util/net/ssl_options.cpp",
"util/net/httpclient.cpp",
"util/net/message.cpp",
"util/net/message_port.cpp",
@@ -299,7 +300,9 @@ env.StaticLibrary('mongocommon', commonFiles,
'util/concurrency/thread_name',
'$BUILD_DIR/third_party/shim_pcrecpp',
'$BUILD_DIR/third_party/murmurhash3/murmurhash3',
- '$BUILD_DIR/third_party/shim_boost'] +
+ '$BUILD_DIR/third_party/shim_boost',
+ '$BUILD_DIR/mongo/util/options_parser/options_parser',
+ ] +
extraCommonLibdeps)
env.StaticLibrary("coredb", [
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp
index 4b1b23ffabd..18f1916bbed 100644
--- a/src/mongo/client/dbclient.cpp
+++ b/src/mongo/client/dbclient.cpp
@@ -32,11 +32,7 @@
#include "mongo/util/assert_util.h"
#include "mongo/util/md5.hpp"
#include "mongo/util/net/ssl_manager.h"
-
-#ifdef MONGO_SSL
-// TODO: Remove references to cmdline from the client.
-#include "mongo/db/cmdline.h"
-#endif // defined MONGO_SSL
+#include "mongo/util/net/ssl_options.h"
namespace mongo {
@@ -896,7 +892,7 @@ namespace mongo {
}
#ifdef MONGO_SSL
- if ( cmdLine.sslOnNormalPorts ) {
+ if (sslGlobalParams.sslOnNormalPorts) {
return p->secure( sslManager() );
}
#endif
diff --git a/src/mongo/client/dbclient.h b/src/mongo/client/dbclient.h
index b2f4e1382fc..317ae7d1be0 100644
--- a/src/mongo/client/dbclient.h
+++ b/src/mongo/client/dbclient.h
@@ -36,5 +36,6 @@
#include "mongo/client/gridfs.h"
#include "mongo/client/sasl_client_authenticate.h"
#include "mongo/client/syncclusterconnection.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/client/undef_macros.h"
diff --git a/src/mongo/client/examples/httpClientTest.cpp b/src/mongo/client/examples/httpClientTest.cpp
index b789f62ab36..554f84d7a20 100644
--- a/src/mongo/client/examples/httpClientTest.cpp
+++ b/src/mongo/client/examples/httpClientTest.cpp
@@ -47,7 +47,7 @@ void play( string url ) {
int main( int argc, const char **argv, char **envp) {
#ifdef MONGO_SSL
- cmdLine.sslOnNormalPorts = true;
+ sslGlobalParams.sslOnNormalPorts = true;
runGlobalInitializersOrDie(argc, argv, envp);
#endif
diff --git a/src/mongo/db/cmdline.cpp b/src/mongo/db/cmdline.cpp
index e94a09b318b..66e2212cdf5 100644
--- a/src/mongo/db/cmdline.cpp
+++ b/src/mongo/db/cmdline.cpp
@@ -42,6 +42,7 @@
#include "mongo/util/map_util.h"
#include "mongo/util/mongoutils/str.h"
#include "mongo/util/net/listen.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/options_parser/environment.h"
#include "mongo/util/options_parser/option_section.h"
#include "mongo/util/options_parser/options_parser.h"
@@ -464,78 +465,9 @@ namespace {
}
#ifdef MONGO_SSL
-
- if (params.count("ssl.PEMKeyFile")) {
- cmdLine.sslPEMKeyFile = boost::filesystem::absolute(
- params["ssl.PEMKeyFile"].as<string>()).generic_string();
- }
-
- if (params.count("ssl.PEMKeyPassword")) {
- cmdLine.sslPEMKeyPassword = params["ssl.PEMKeyPassword"].as<string>();
- }
-
- if (params.count("ssl.clusterFile")) {
- cmdLine.sslClusterFile = boost::filesystem::absolute(
- params["ssl.clusterFile"].as<string>()).generic_string();
- }
-
- if (params.count("ssl.clusterPassword")) {
- cmdLine.sslClusterPassword = params["ssl.clusterPassword"].as<string>();
- }
-
- if (params.count("ssl.CAFile")) {
- cmdLine.sslCAFile = boost::filesystem::absolute(
- params["ssl.CAFile"].as<std::string>()).generic_string();
- }
-
- if (params.count("ssl.CRLFile")) {
- cmdLine.sslCRLFile = boost::filesystem::absolute(
- params["ssl.CRLFile"].as<std::string>()).generic_string();
- }
-
- if (params.count("ssl.weakCertificateValidation")) {
- cmdLine.sslWeakCertificateValidation = true;
- }
- if (params.count("ssl.sslOnNormalPorts")) {
- cmdLine.sslOnNormalPorts = true;
- if ( cmdLine.sslPEMKeyFile.size() == 0 ) {
- return Status(ErrorCodes::BadValue,
- "need sslPEMKeyFile with sslOnNormalPorts");
- }
- if (cmdLine.sslWeakCertificateValidation &&
- cmdLine.sslCAFile.empty()) {
- return Status(ErrorCodes::BadValue,
- "need sslCAFile with sslWeakCertificateValidation");
- }
- if (!cmdLine.sslCRLFile.empty() &&
- cmdLine.sslCAFile.empty()) {
- return Status(ErrorCodes::BadValue, "need sslCAFile with sslCRLFile");
- }
- if (params.count("ssl.FIPSMode")) {
- cmdLine.sslFIPSMode = true;
- }
- }
- else if (cmdLine.sslPEMKeyFile.size() ||
- cmdLine.sslPEMKeyPassword.size() ||
- cmdLine.sslClusterFile.size() ||
- cmdLine.sslClusterPassword.size() ||
- cmdLine.sslCAFile.size() ||
- cmdLine.sslCRLFile.size() ||
- cmdLine.sslWeakCertificateValidation ||
- cmdLine.sslFIPSMode) {
- return Status(ErrorCodes::BadValue, "need to enable sslOnNormalPorts");
- }
- if (cmdLine.clusterAuthMode == "sendKeyfile" ||
- cmdLine.clusterAuthMode == "sendX509" ||
- cmdLine.clusterAuthMode == "x509") {
- if (!cmdLine.sslOnNormalPorts){
- return Status(ErrorCodes::BadValue, "need to enable sslOnNormalPorts");
- }
- }
- else if (params.count("clusterAuthMode") && cmdLine.clusterAuthMode != "keyfile") {
- StringBuilder sb;
- sb << "unsupported value for clusterAuthMode " << cmdLine.clusterAuthMode;
- return Status(ErrorCodes::BadValue, sb.str());
+ ret = storeSSLServerOptions(params);
+ if (!ret.isOK()) {
+ return ret;
}
#else // ifdef MONGO_SSL
// Keyfile is currently the only supported value if not using SSL
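Review bot: `ret = storeSSLServerOptions(params);` reuses a `ret` declared earlier in the function, outside this hunk; the enclosing function starts and ends outside the hunk. After this change the clusterAuthMode rule is split in two: its SSL half now lives in storeSSLServerOptions (ssl_options.cpp) while the non-SSL half stays in the `#else` branch directly below, so a reader of this file no longer sees the whole rule. A one-line comment at the call, `// SSL-side clusterAuthMode consistency checks live in storeSSLServerOptions()`, would keep the two halves discoverable.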
diff --git a/src/mongo/db/cmdline.h b/src/mongo/db/cmdline.h
index 83b4c0fc238..e6a2d1f78ba 100644
--- a/src/mongo/db/cmdline.h
+++ b/src/mongo/db/cmdline.h
@@ -144,17 +144,6 @@ namespace mongo {
ProcessId parentProc; // --fork pid of initial process
ProcessId leaderProc; // --fork pid of leader process
#endif
-#ifdef MONGO_SSL
- bool sslOnNormalPorts; // --sslOnNormalPorts
- std::string sslPEMKeyFile; // --sslPEMKeyFile
- std::string sslPEMKeyPassword; // --sslPEMKeyPassword
- std::string sslClusterFile; // --sslInternalKeyFile
- std::string sslClusterPassword; // --sslInternalKeyPassword
- std::string sslCAFile; // --sslCAFile
- std::string sslCRLFile; // --sslCRLFile
- bool sslWeakCertificateValidation; // --sslWeakCertificateValidation
- bool sslFIPSMode; // --sslFIPSMode
-#endif
/**
* Switches to enable experimental (unsupported) features.
@@ -216,10 +205,6 @@ namespace mongo {
#if defined(_DURABLEDEFAULTOFF)
dur = false;
#endif
-
-#ifdef MONGO_SSL
- sslOnNormalPorts = false;
-#endif
}
extern CmdLine cmdLine;
diff --git a/src/mongo/db/cmdline_test.cpp b/src/mongo/db/cmdline_test.cpp
index fba25377126..9fe03f309c9 100644
--- a/src/mongo/db/cmdline_test.cpp
+++ b/src/mongo/db/cmdline_test.cpp
@@ -39,6 +39,13 @@ namespace mongo {
CmdLine cmdLine;
+#ifdef MONGO_SSL
+ Status storeSSLServerOptions(const optionenvironment::Environment& params) {
+ return Status(ErrorCodes::InternalError,
+ "This is a storeSSLServerOptions stub and should not be called");
+ }
+#endif // ifdef MONGO_SSL
+
namespace {
namespace moe = mongo::optionenvironment;
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index 8024d15c2ef..7456a033c08 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -35,6 +35,7 @@
#include "mongo/bson/util/builder.h"
#include "mongo/db/module.h"
#include "mongo/db/server_options.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/options_parser/option_description.h"
#include "mongo/util/options_parser/option_section.h"
diff --git a/src/mongo/db/server_options.cpp b/src/mongo/db/server_options.cpp
index c3d2ecb0f9c..bbc4957ee66 100644
--- a/src/mongo/db/server_options.cpp
+++ b/src/mongo/db/server_options.cpp
@@ -252,54 +252,4 @@ namespace mongo {
return Status::OK();
}
- Status addSSLServerOptions(moe::OptionSection* options) {
- Status ret = options->addOption(OD("ssl.sslOnNormalPorts", "sslOnNormalPorts", moe::Switch,
- "use ssl on configured ports", true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
- "PEM file for ssl" , true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String,
- "PEM file password" , true, moe::Value(), moe::Value(std::string(""))));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.clusterFile", "sslClusterFile", moe::String,
- "Key file for internal SSL authentication" , true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.clusterPassword", "sslClusterPassword", moe::String,
- "Internal authentication key file password" , true, moe::Value(), moe::Value(std::string(""))));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.CAFile", "sslCAFile", moe::String,
- "Certificate Authority file for SSL", true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.CRLFile", "sslCRLFile", moe::String,
- "Certificate Revocation List file for SSL", true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.weakCertificateValidation", "sslWeakCertificateValidation",
- moe::Switch, "allow client to connect without presenting a certificate", true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.FIPSMode", "sslFIPSMode", moe::Switch,
- "activate FIPS 140-2 mode at startup", true));
- if (!ret.isOK()) {
- return ret;
- }
-
- return Status::OK();
- }
-
} // namespace mongo
diff --git a/src/mongo/s/mongos_options.cpp b/src/mongo/s/mongos_options.cpp
index e3f3a699712..b73e5898e15 100644
--- a/src/mongo/s/mongos_options.cpp
+++ b/src/mongo/s/mongos_options.cpp
@@ -22,6 +22,7 @@
#include "mongo/base/status.h"
#include "mongo/bson/util/builder.h"
#include "mongo/db/server_options.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/options_parser/option_description.h"
#include "mongo/util/options_parser/option_section.h"
diff --git a/src/mongo/shell/dbshell.cpp b/src/mongo/shell/dbshell.cpp
index f5f1e2112a0..df530dfac35 100644
--- a/src/mongo/shell/dbshell.cpp
+++ b/src/mongo/shell/dbshell.cpp
@@ -37,6 +37,7 @@
#include "mongo/shell/shell_utils.h"
#include "mongo/shell/shell_utils_launcher.h"
#include "mongo/util/file.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/options_parser/environment.h"
#include "mongo/util/options_parser/option_section.h"
#include "mongo/util/options_parser/options_parser.h"
@@ -751,32 +752,7 @@ Status addMongoShellOptions(moe::OptionSection* options) {
return ret;
}
#ifdef MONGO_SSL
- ret = options->addOption(OD("ssl", "ssl", moe::Switch, "use SSL for all connections", true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.CAFile", "sslCAFile", moe::String,
- "Certificate Authority for SSL" , true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
- "PEM certificate/key file for SSL" , true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String,
- "password for key in PEM file for SSL" , true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.CRLFile", "sslCRLFile", moe::String,
- "Certificate Revocation List file for SSL", true));
- if (!ret.isOK()) {
- return ret;
- }
- ret = options->addOption(OD("ssl.FIPSMode", "sslFIPSMode", moe::Switch,
- "activate FIPS 140-2 mode at startup", true));
+ ret = addSSLClientOptions(options);
if (!ret.isOK()) {
return ret;
}
@@ -818,23 +794,9 @@ Status storeMongoShellOptions() {
mongo::cmdLine.quiet = true;
}
#ifdef MONGO_SSL
- if ( params.count( "ssl" ) ) {
- mongo::cmdLine.sslOnNormalPorts = true;
- }
- if (params.count("ssl.PEMKeyFile")) {
- mongo::cmdLine.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>();
- }
- if (params.count("ssl.PEMKeyPassword")) {
- mongo::cmdLine.sslPEMKeyPassword = params["ssl.PEMKeyPassword"].as<std::string>();
- }
- if (params.count("ssl.CAFile")) {
- mongo::cmdLine.sslCAFile = params["ssl.CAFile"].as<std::string>();
- }
- if (params.count("ssl.CRLFile")) {
- mongo::cmdLine.sslCRLFile = params["ssl.CRLFile"].as<std::string>();
- }
- if (params.count( "ssl.FIPSMode")) {
- mongo::cmdLine.sslFIPSMode = true;
+ Status ret = storeSSLClientOptions(params);
+ if (!ret.isOK()) {
+ return ret;
}
#endif
if ( params.count( "ipv6" ) ) {
diff --git a/src/mongo/tools/tool.cpp b/src/mongo/tools/tool.cpp
index dca18af4f7b..cd7b1117700 100644
--- a/src/mongo/tools/tool.cpp
+++ b/src/mongo/tools/tool.cpp
@@ -36,6 +36,7 @@
#include "mongo/util/file_allocator.h"
#include "mongo/util/options_parser/option_section.h"
#include "mongo/util/password.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/text.h"
#include "mongo/util/version.h"
@@ -126,7 +127,7 @@ namespace mongo {
#ifdef MONGO_SSL
if (_params.count("ssl")) {
- mongo::cmdLine.sslOnNormalPorts = true;
+ sslGlobalParams.sslOnNormalPorts = true;
}
#endif
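Review bot: tool.cpp still writes `sslGlobalParams.sslOnNormalPorts` by hand from `_params.count("ssl")` rather than calling the new `storeSSLClientOptions(_params)`, so the tools keep a third, separately maintained copy of client SSL option storage alongside the shell and the new helper. If the tools register the remaining client options (sslPEMKeyFile, sslCAFile, ...) somewhere outside this hunk, routing both registration and storage through `addSSLClientOptions`/`storeSSLClientOptions` would keep them in step with dbshell.cpp. The enclosing function starts and ends outside the hunk.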
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index f0b8b401aa7..0fb645e988c 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -24,10 +24,10 @@
#include "mongo/base/init.h"
#include "mongo/bson/util/atomic_int.h"
-#include "mongo/db/cmdline.h"
#include "mongo/util/concurrency/mutex.h"
#include "mongo/util/mongoutils/str.h"
#include "mongo/util/net/sock.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/scopeguard.h"
#ifdef MONGO_SSL
@@ -35,6 +35,9 @@
#endif
namespace mongo {
+
+ SSLGlobalParams sslGlobalParams;
+
#ifndef MONGO_SSL
const std::string getSSLVersion(const std::string &prefix, const std::string &suffix) {
return "";
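Review bot: The definition `SSLGlobalParams sslGlobalParams;` is placed in ssl_manager.cpp, while its declaration and the functions that populate it all live in the new ssl_options.h/.cpp pair; defining it in ssl_options.cpp next to storeSSLServerOptions/storeSSLClientOptions would keep the option storage self-contained and avoid a link-time surprise for anyone who later builds ssl_options.cpp without ssl_manager.cpp. A short comment at the definition, `// Global SSL option storage; filled in by storeSSL{Server,Client}Options()`, would also help.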
@@ -271,16 +274,16 @@ namespace mongo {
MONGO_INITIALIZER(SSLManager)(InitializerContext* context) {
SimpleMutex::scoped_lock lck(sslManagerMtx);
- if (cmdLine.sslOnNormalPorts) {
+ if (sslGlobalParams.sslOnNormalPorts) {
const Params params(
- cmdLine.sslPEMKeyFile,
- cmdLine.sslPEMKeyPassword,
- cmdLine.sslClusterFile,
- cmdLine.sslClusterPassword,
- cmdLine.sslCAFile,
- cmdLine.sslCRLFile,
- cmdLine.sslWeakCertificateValidation,
- cmdLine.sslFIPSMode);
+ sslGlobalParams.sslPEMKeyFile,
+ sslGlobalParams.sslPEMKeyPassword,
+ sslGlobalParams.sslClusterFile,
+ sslGlobalParams.sslClusterPassword,
+ sslGlobalParams.sslCAFile,
+ sslGlobalParams.sslCRLFile,
+ sslGlobalParams.sslWeakCertificateValidation,
+ sslGlobalParams.sslFIPSMode);
theSSLManager = new SSLManager(params, isSSLServer);
}
return Status::OK();
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
new file mode 100644
index 00000000000..ee1900dbb75
--- /dev/null
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -0,0 +1,217 @@
+/* Copyright 2013 10gen Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mongo/util/net/ssl_options.h"
+
+#include <boost/filesystem/operations.hpp>
+
+#include "mongo/base/status.h"
+#include "mongo/db/cmdline.h"
+#include "mongo/util/options_parser/environment.h"
+#include "mongo/util/options_parser/option_description.h"
+#include "mongo/util/options_parser/option_section.h"
+
+namespace mongo {
+
+ typedef moe::OptionDescription OD;
+ typedef moe::PositionalOptionDescription POD;
+
+ Status addSSLServerOptions(moe::OptionSection* options) {
+ Status ret = options->addOption(OD("ssl.sslOnNormalPorts", "sslOnNormalPorts", moe::Switch,
+ "use ssl on configured ports", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
+ "PEM file for ssl", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String,
+ "PEM file password", true, moe::Value(), moe::Value(std::string(""))));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.clusterFile", "sslClusterFile", moe::String,
+ "Key file for internal SSL authentication", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.clusterPassword", "sslClusterPassword", moe::String,
+ "Internal authentication key file password", true, moe::Value(),
+ moe::Value(std::string(""))));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.CAFile", "sslCAFile", moe::String,
+ "Certificate Authority file for SSL", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.CRLFile", "sslCRLFile", moe::String,
+ "Certificate Revocation List file for SSL", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.weakCertificateValidation", "sslWeakCertificateValidation",
+ moe::Switch, "allow client to connect without presenting a certificate", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.FIPSMode", "sslFIPSMode", moe::Switch,
+ "activate FIPS 140-2 mode at startup", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+
+ return Status::OK();
+ }
+
+ Status addSSLClientOptions(moe::OptionSection* options) {
+ Status ret = options->addOption(OD("ssl", "ssl", moe::Switch, "use SSL for all connections",
+ true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.CAFile", "sslCAFile", moe::String,
+ "Certificate Authority file for SSL", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
+ "PEM certificate/key file for SSL", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String,
+ "password for key in PEM file for SSL", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.CRLFile", "sslCRLFile", moe::String,
+ "Certificate Revocation List file for SSL", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+ ret = options->addOption(OD("ssl.FIPSMode", "sslFIPSMode", moe::Switch,
+ "activate FIPS 140-2 mode at startup", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
+
+ return Status::OK();
+ }
+
+ Status storeSSLServerOptions(const moe::Environment& params) {
+
+ if (params.count("ssl.PEMKeyFile")) {
+ sslGlobalParams.sslPEMKeyFile = boost::filesystem::absolute(
+ params["ssl.PEMKeyFile"].as<string>()).generic_string();
+ }
+
+ if (params.count("ssl.PEMKeyPassword")) {
+ sslGlobalParams.sslPEMKeyPassword = params["ssl.PEMKeyPassword"].as<string>();
+ }
+
+ if (params.count("ssl.clusterFile")) {
+ sslGlobalParams.sslClusterFile = boost::filesystem::absolute(
+ params["ssl.clusterFile"].as<string>()).generic_string();
+ }
+
+ if (params.count("ssl.clusterPassword")) {
+ sslGlobalParams.sslClusterPassword = params["ssl.clusterPassword"].as<string>();
+ }
+
+ if (params.count("ssl.CAFile")) {
+ sslGlobalParams.sslCAFile = boost::filesystem::absolute(
+ params["ssl.CAFile"].as<std::string>()).generic_string();
+ }
+
+ if (params.count("ssl.CRLFile")) {
+ sslGlobalParams.sslCRLFile = boost::filesystem::absolute(
+ params["ssl.CRLFile"].as<std::string>()).generic_string();
+ }
+
+ if (params.count("ssl.weakCertificateValidation")) {
+ sslGlobalParams.sslWeakCertificateValidation = true;
+ }
+ if (params.count("ssl.sslOnNormalPorts")) {
+ sslGlobalParams.sslOnNormalPorts = true;
+ if (sslGlobalParams.sslPEMKeyFile.size() == 0) {
+ return Status(ErrorCodes::BadValue,
+ "need sslPEMKeyFile with sslOnNormalPorts");
+ }
+ if (sslGlobalParams.sslWeakCertificateValidation &&
+ sslGlobalParams.sslCAFile.empty()) {
+ return Status(ErrorCodes::BadValue,
+ "need sslCAFile with sslWeakCertificateValidation");
+ }
+ if (!sslGlobalParams.sslCRLFile.empty() &&
+ sslGlobalParams.sslCAFile.empty()) {
+ return Status(ErrorCodes::BadValue, "need sslCAFile with sslCRLFile");
+ }
+ if (params.count("ssl.FIPSMode")) {
+ sslGlobalParams.sslFIPSMode = true;
+ }
+ }
+ else if (sslGlobalParams.sslPEMKeyFile.size() ||
+ sslGlobalParams.sslPEMKeyPassword.size() ||
+ sslGlobalParams.sslClusterFile.size() ||
+ sslGlobalParams.sslClusterPassword.size() ||
+ sslGlobalParams.sslCAFile.size() ||
+ sslGlobalParams.sslCRLFile.size() ||
+ sslGlobalParams.sslWeakCertificateValidation ||
+ sslGlobalParams.sslFIPSMode) {
+ return Status(ErrorCodes::BadValue, "need to enable sslOnNormalPorts");
+ }
+ if (cmdLine.clusterAuthMode == "sendKeyfile" ||
+ cmdLine.clusterAuthMode == "sendX509" ||
+ cmdLine.clusterAuthMode == "x509") {
+ if (!sslGlobalParams.sslOnNormalPorts){
+ return Status(ErrorCodes::BadValue, "need to enable sslOnNormalPorts");
+ }
+ }
+ else if (params.count("clusterAuthMode") && cmdLine.clusterAuthMode != "keyfile") {
+ StringBuilder sb;
+ sb << "unsupported value for clusterAuthMode " << cmdLine.clusterAuthMode;
+ return Status(ErrorCodes::BadValue, sb.str());
+ }
+
+ return Status::OK();
+ }
+
+ Status storeSSLClientOptions(const moe::Environment& params) {
+ if (params.count("ssl")) {
+ sslGlobalParams.sslOnNormalPorts = true;
+ }
+ if (params.count("ssl.PEMKeyFile")) {
+ sslGlobalParams.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>();
+ }
+ if (params.count("ssl.PEMKeyPassword")) {
+ sslGlobalParams.sslPEMKeyPassword = params["ssl.PEMKeyPassword"].as<std::string>();
+ }
+ if (params.count("ssl.CAFile")) {
+ sslGlobalParams.sslCAFile = params["ssl.CAFile"].as<std::string>();
+ }
+ if (params.count("ssl.CRLFile")) {
+ sslGlobalParams.sslCRLFile = params["ssl.CRLFile"].as<std::string>();
+ }
+ if (params.count("ssl.FIPSMode")) {
+ sslGlobalParams.sslFIPSMode = true;
+ }
+ return Status::OK();
+ }
+
+} // namespace mongo
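Review bot: `storeSSLServerOptions` still validates `cmdLine.clusterAuthMode` (the `== "sendKeyfile"` / `"sendX509"` / `"x509"` block), which is why this file includes `mongo/db/cmdline.h`; since the SConscript hunk adds ssl_options.cpp to `mongocommon`, every client now links against cmdline again, which is exactly the dependency the TODO removed from dbclient.cpp was trying to drop. Moving the clusterAuthMode checks back beside their non-SSL counterpart in cmdline.cpp, and keeping this file to the `ssl.*` fields, would resolve that. Separately, the same function mixes unqualified `string` (`params["ssl.PEMKeyFile"].as<string>()`) with `std::string`; the unqualified form only compiles through a using-directive inherited from some include, so spell it `std::string` throughout. The `POD` typedef is unused in this file.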
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
new file mode 100644
index 00000000000..c21e166db81
--- /dev/null
+++ b/src/mongo/util/net/ssl_options.h
@@ -0,0 +1,56 @@
+/* Copyright 2013 10gen Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include "mongo/base/status.h"
+
+namespace mongo {
+
+ namespace optionenvironment {
+ class OptionSection;
+ class Environment;
+ } // namespace optionenvironment
+
+ namespace moe = mongo::optionenvironment;
+
+ extern moe::Environment sslParsedOptions;
+
+ struct SSLGlobalParams {
+ bool sslOnNormalPorts; // --sslOnNormalPorts
+ std::string sslPEMKeyFile; // --sslPEMKeyFile
+ std::string sslPEMKeyPassword; // --sslPEMKeyPassword
+ std::string sslClusterFile; // --sslInternalKeyFile
+ std::string sslClusterPassword; // --sslInternalKeyPassword
+ std::string sslCAFile; // --sslCAFile
+ std::string sslCRLFile; // --sslCRLFile
+ bool sslWeakCertificateValidation; // --sslWeakCertificateValidation
+ bool sslFIPSMode; // --sslFIPSMode
+
+ SSLGlobalParams() {
+ sslOnNormalPorts = false;
+ }
+ };
+
+ extern SSLGlobalParams sslGlobalParams;
+
+ Status addSSLServerOptions(moe::OptionSection* options);
+
+ Status addSSLClientOptions(moe::OptionSection* options);
+
+ Status storeSSLServerOptions(const moe::Environment& params);
+
+ Status storeSSLClientOptions(const moe::Environment& params);
+}
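Review bot: The `SSLGlobalParams` constructor initialises only `sslOnNormalPorts`, leaving `sslWeakCertificateValidation` and `sslFIPSMode` indeterminate; zero-initialisation of static storage hides this for the global defined in ssl_manager.cpp, but any automatic or heap instance (a test fixture, say) would feed garbage into the `sslWeakCertificateValidation` checks in storeSSLServerOptions and into the `Params` built in the SSLManager initializer. Initialise all three, `SSLGlobalParams() : sslOnNormalPorts(false), sslWeakCertificateValidation(false), sslFIPSMode(false) {}`. The header uses `std::string` but includes only `mongo/base/status.h`, so it needs its own `#include <string>`. `extern moe::Environment sslParsedOptions;` has no definition anywhere in this commit and nothing here reads it, so it looks like a leftover that should be dropped unless a later change needs it.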