diff options
-rw-r--r-- | jstests/ssl/mixed_mode_sharded_transition.js | 33 | ||||
-rw-r--r-- | jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js | 48 | ||||
-rw-r--r-- | jstests/ssl/upgrade_noauth_to_x509_ssl.js | 58 | ||||
-rw-r--r-- | jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js | 28 | ||||
-rw-r--r-- | jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js | 44 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 4 |
6 files changed, 166 insertions, 49 deletions
diff --git a/jstests/ssl/mixed_mode_sharded_transition.js b/jstests/ssl/mixed_mode_sharded_transition.js new file mode 100644 index 00000000000..0955f0ef7dd --- /dev/null +++ b/jstests/ssl/mixed_mode_sharded_transition.js @@ -0,0 +1,33 @@ +/* + * Tests simultaneous upgrade from noauth/no-ssl to x509/requireSSL on a sharded cluster. + * The purpose is to verify the connectivity between mongos, config server, and the shards + * + * NOTE: This test is similar to the mixed_mode_sharded_transition.js in the sslSpecial + * test suite. This suite must use ssl so it cannot test modes without ssl. + */ + +load('jstests/ssl/libs/ssl_helpers.js'); + +(function() { + 'use strict'; + + var transitionToX509AllowSSL = + Object.merge(allowSSL, {transitionToAuth: '', clusterAuthMode: 'x509'}); + var transitionToX509PreferSSL = + Object.merge(preferSSL, {transitionToAuth: '', clusterAuthMode: 'x509'}); + var x509RequireSSL = Object.merge(requireSSL, {clusterAuthMode: 'x509'}); + + function testCombos(opt1, opt2, shouldSucceed) { + mixedShardTest(opt1, opt2, shouldSucceed); + mixedShardTest(opt2, opt1, shouldSucceed); + } + + print('=== Testing transitionToAuth/allowSSL - transitionToAuth/preferSSL cluster ==='); + testCombos(transitionToX509AllowSSL, transitionToX509PreferSSL, true); + + print('=== Testing transitionToAuth/preferSSL - transitionToAuth/preferSSL cluster ==='); + mixedShardTest(transitionToX509PreferSSL, transitionToX509PreferSSL, true); + + print('=== Testing transitionToAuth/preferSSL - x509/requireSSL cluster ==='); + testCombos(transitionToX509PreferSSL, x509RequireSSL, true); +}()); diff --git a/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js b/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js deleted file mode 100644 index e7ca25b7304..00000000000 --- a/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js +++ /dev/null @@ -1,48 +0,0 @@ -/** - * This test checks the upgrade path from noauth/allowSSL to x509/requireSSL - * - * This test requires users to persist across a restart. - * @tags: [requires_persistence] - */ - -load('jstests/ssl/libs/ssl_helpers.js'); - -(function() { - 'use strict'; - - // Disable auth explicitly - var noAuthAllowSSL = Object.merge(allowSSL, {noauth: ''}); - - // Undefine the flags we're replacing, otherwise upgradeSet will keep old values. - var tryX509preferSSL = Object.merge( - preferSSL, {noauth: undefined, transitionToAuth: '', clusterAuthMode: 'x509'}); - var x509RequireSSL = - Object.merge(requireSSL, {transitionToAuth: undefined, clusterAuthMode: 'x509'}); - - var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuthAllowSSL}); - rst.startSet(); - rst.initiate(); - - var rstConn1 = rst.getPrimary(); - // Create a user to login when auth is enabled later - rstConn1.getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']}); - - rstConn1.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'}); - assert.eq(1, rstConn1.getDB('test').a.count(), 'Error interacting with replSet'); - - print('=== UPGRADE no-auth/allowSSL -> try X509/preferSSL ==='); - rst.upgradeSet(tryX509preferSSL); - var rstConn2 = rst.getPrimary(); - rstConn2.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'}); - assert.eq(2, rstConn2.getDB('test').a.count(), 'Error interacting with replSet'); - - print('=== UPGRADE try X509/preferSSL -> X509/requireSSL ==='); - rst.upgradeSet(x509RequireSSL, 'root', 'root'); - - // upgradeSet leaves its connections logged in as root - var rstConn3 = rst.getPrimary(); - rstConn3.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'}); - assert.eq(3, rstConn3.getDB('test').a.count(), 'Error interacting with replSet'); - - rst.stopSet(); -}()); diff --git a/jstests/ssl/upgrade_noauth_to_x509_ssl.js b/jstests/ssl/upgrade_noauth_to_x509_ssl.js new file mode 100644 index 00000000000..ba1f53bdb8e --- /dev/null +++ b/jstests/ssl/upgrade_noauth_to_x509_ssl.js @@ -0,0 +1,58 @@ +/** + * This test checks the upgrade path from noauth/nossl to x509/requireSSL. + * + * NOTE: This test uses ssl communication and therefore cannot test modes that + * do not allow ssl. The first step in the full upgrade process is to restart + * the each node into the "transitionToX509AllowSSL" state and is tested in + * the sslSpecial directory. + * + * This test requires users and data to persist across a restart. + * @tags: [requires_persistence] + */ + +load('jstests/ssl/libs/ssl_helpers.js'); + +(function() { + 'use strict'; + var dbName = 'upgradeToX509'; + + var transitionToX509AllowSSL = + Object.merge(allowSSL, {transitionToAuth: '', clusterAuthMode: 'x509'}); + + // Undefine the flags we're replacing, otherwise upgradeSet will keep old values. + var x509RequireSSL = + Object.merge(requireSSL, {transitionToAuth: undefined, clusterAuthMode: 'x509'}); + + var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: transitionToX509AllowSSL}); + rst.startSet(); + rst.initiate(); + + var rstConn1 = rst.getPrimary(); + var testDB = rstConn1.getDB(dbName); + + // Create a user to login when auth is enabled later + assert.commandWorked(rstConn1.adminCommand( + {createUser: 'root', pwd: 'root', roles: ['root'], writeConcern: {w: 3}})); + + assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); + assert.eq(1, testDB.a.count(), 'Error interacting with replSet'); + + print('=== UPGRADE transition to x509/allowSSL -> transition to x509/preferSSL ==='); + rst.nodes.forEach(function(node) { + assert.commandWorked(node.adminCommand({setParameter: 1, sslMode: "preferSSL"})); + }); + rst.awaitSecondaryNodes(); + testDB = rst.getPrimary().getDB(dbName); + assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); + assert.eq(2, testDB.a.count(), 'Error interacting with replSet'); + + print('=== UPGRADE transition to x509/preferSSL -> x509/requireSSL ==='); + rst.upgradeSet(x509RequireSSL, 'root', 'root'); + + // upgradeSet leaves its connections logged in as root + testDB = rst.getPrimary().getDB(dbName); + assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); + assert.eq(3, testDB.a.count(), 'Error interacting with replSet'); + + rst.stopSet(); +}()); diff --git a/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js b/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js new file mode 100644 index 00000000000..4978b56e11f --- /dev/null +++ b/jstests/sslSpecial/mixed_mode_sharded_transition_nossl.js @@ -0,0 +1,28 @@ +/* + * Tests simultaneous upgrade from noauth/no-ssl to x509/requireSSL on a sharded cluster. + * The purpose is to verify the connectivity between mongos, config server, and the shards + * + * NOTE: This test is similar to the mixed_mode_sharded_transition.js in the ssl + * test suite. This suite does not use ssl so it cannot test modes with ssl. + */ + +load('jstests/ssl/libs/ssl_helpers.js'); + +(function() { + 'use strict'; + + // Disable auth explicitly + var noAuthOptions = { + noauth: '' + }; + var transitionToX509AllowSSL = + Object.merge(allowSSL, {transitionToAuth: '', clusterAuthMode: 'x509'}); + var x509RequireSSL = Object.merge(requireSSL, {clusterAuthMode: 'x509'}); + + print('=== Testing no-auth/transitionToAuth cluster ==='); + mixedShardTest(noAuthOptions, transitionToX509AllowSSL, true); + mixedShardTest(transitionToX509AllowSSL, noAuthOptions, true); + + print('=== Testing transitionToAuth/transitionToAuth cluster ==='); + mixedShardTest(transitionToX509AllowSSL, transitionToX509AllowSSL, true); +}()); diff --git a/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js b/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js new file mode 100644 index 00000000000..964397397de --- /dev/null +++ b/jstests/sslSpecial/upgrade_noauth_to_x509_nossl.js @@ -0,0 +1,44 @@ +/** + * This test checks the upgrade path from noauth/allowSSL to x509/requireSSL + * + * NOTE: This test is similar to upgrade_noauth_to_x509_ssl.js in the ssl test + * suite. This test cannot use ssl communication and therefore cannot test + * modes that only allow ssl. + * + * This test requires data to persist across a restart. + * @tags: [requires_persistence] + */ + +load('jstests/ssl/libs/ssl_helpers.js'); + +(function() { + 'use strict'; + var dbName = 'upgradeToX509'; + + // Disable auth explicitly + var noAuth = { + noauth: '' + }; + + // Undefine the flags we're replacing, otherwise upgradeSet will keep old values. + var transitionToX509AllowSSL = + Object.merge(allowSSL, {noauth: undefined, transitionToAuth: '', clusterAuthMode: 'x509'}); + + var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuth}); + rst.startSet(); + rst.initiate(); + + var testDB = rst.getPrimary().getDB(dbName); + assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); + assert.eq(1, testDB.a.count(), 'Error interacting with replSet'); + + print('=== UPGRADE no-auth/no-ssl -> transition to X509/allowSSL ==='); + rst.upgradeSet(transitionToX509AllowSSL); + + // Connect to the new primary + testDB = rst.getPrimary().getDB(dbName); + assert.writeOK(testDB.a.insert({a: 1, str: 'TESTTESTTEST'})); + assert.eq(2, testDB.a.count(), 'Error interacting with replSet'); + + rst.stopSet(); +}()); diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp index 2d29e4704f2..452cf0507fb 100644 --- a/src/mongo/util/net/ssl_options.cpp +++ b/src/mongo/util/net/ssl_options.cpp @@ -344,8 +344,10 @@ Status storeSSLServerOptions(const moe::Environment& params) { } } if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) { + // allowSSL and x509 is valid only when we are transitioning to auth. if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 || - clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) { + (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509 && + !serverGlobalParams.transitionToAuth)) { return Status(ErrorCodes::BadValue, "cannot have x.509 cluster authentication in allowSSL mode"); } |