diff options
23 files changed, 40 insertions, 483 deletions
diff --git a/jstests/ssl/cluster_member.js b/jstests/ssl/cluster_member.js deleted file mode 100644 index 670bbedd97c..00000000000 --- a/jstests/ssl/cluster_member.js +++ /dev/null @@ -1,116 +0,0 @@ -// Test configuration parameter tlsClusterAuthX509ExtensionValue -// aka: net.tls.clusterAuthX509.extensionValue -// @tags: [ featureFlagConfigurableX509ClusterAuthn ] - -(function() { -'use strict'; - -load('jstests/ssl/libs/ssl_helpers.js'); -if (determineSSLProvider() !== "openssl") { - jsTest.log('Test requires openssl based TLS support'); - return; -} - -// Fails when used without clusterAuthMode == 'X509' -{ - const opts = {auth: '', tlsClusterAuthX509ExtensionValue: 'foo'}; - const errmsg = - 'net.tls.clusterAuthX509.extensionValue requires a clusterAuthMode which allows for usage of X509'; - - jsTest.log('No clusterAuthMode set'); - clearRawMongoProgramOutput(); - assert.throws(() => MongoRunner.runMongod(opts)); - assert(rawMongoProgramOutput().includes(errmsg)); - - jsTest.log('clusterAuthMode == keyFile'); - clearRawMongoProgramOutput(); - opts.clusterAuthMode = 'keyFile'; - assert.throws(() => MongoRunner.runMongod(opts)); - assert(rawMongoProgramOutput().includes(errmsg)); -} - -function authAndDo(port, cert, cmd = ';') { - jsTest.log('Connecting to localhost using cert: ' + cert); - function x509auth(db) { - const ext = db.getSiblingDB('$external'); - assert.commandWorked(ext.runCommand({authenticate: 1, mechanism: 'MONGODB-X509'})); - return ext.adminCommand({connectionStatus: 1}); - } - clearRawMongoProgramOutput(); - const shell = runMongoProgram('mongo', - '--host', - 'localhost', - '--port', - port, - '--tls', - '--tlsCAFile', - 'jstests/libs/ca.pem', - '--tlsCertificateKeyFile', - cert, - '--eval', - x509auth + ' x509auth(db); ' + cmd); - assert.eq(shell, 0); -} - -function runTest(conn) { - const SERVER_RDN = 'CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US'; - const SERVER = 'jstests/libs/server.pem'; - const FOO_MEMBER = 'jstests/ssl/libs/cluster-member-foo.pem'; - const BAR_MEMBER = 'jstests/ssl/libs/cluster-member-bar.pem'; - const FOO_MEMBER_ALT = 'jstests/ssl/libs/cluster-member-foo-alt-rdn.pem'; - const FOO_MEMBER_ALT_RDN = 'CN=Doer,OU=Business,O=Company,L=Fakesville,ST=Example,C=ZZ'; - - const admin = conn.getDB('admin'); - const ext = conn.getDB('$external'); - - // Ensure no localhost auth bypass available. - assert.commandWorked(admin.runCommand({createUser: 'admin', pwd: 'admin', roles: ['root']})); - assert(admin.auth('admin', 'admin')); - - // Connect using server.pem which has the same RDN, but no custom extension. - // This will result in an unknown user condition because we are - // not recognized as a cluster member. - assert.throws(() => authAndDo(conn.port, SERVER)); - - const insertCmd = 'assert.writeOK(db.getSiblingDB("test").mycoll.insert({x:1}));'; - // Connect using same RDN WITH custom extension. - authAndDo(conn.port, FOO_MEMBER, insertCmd); - - // Connect using cert with membership extension, but wrong value. - assert.throws(() => authAndDo(conn.port, BAR_MEMBER)); - - // Connect using cert with right membership, but different RDN (allowed). - authAndDo(conn.port, FOO_MEMBER_ALT, insertCmd); - - // Create a user who would have been a cluster member under name based rules. - // We should have basic privs, testing with read but not write. - const readCmd = 'db.getSiblingDB("test").mycoll.find({});'; - const readRoles = [{db: 'admin', role: 'readAnyDatabase'}]; - assert.commandWorked(ext.runCommand({createUser: SERVER_RDN, roles: readRoles})); - authAndDo(conn.port, SERVER, readCmd); - assert.throws(() => authAndDo(conn.port, SERVER, insertCmd)); - - // Create a user with FOO_MEMBER_ALT's RDN to validate enforceUserClusterSeparation. - authAndDo(conn.port, FOO_MEMBER_ALT); - assert.commandWorked(ext.runCommand({createUser: FOO_MEMBER_ALT_RDN, roles: readRoles})); - assert.throws(() => authAndDo(conn.port, FOO_MEMBER_ALT)); -} - -{ - const opts = { - auth: '', - tlsMode: 'requireTLS', - tlsCertificateKeyFile: 'jstests/ssl/libs/cluster-member-foo.pem', - tlsCAFile: 'jstests/libs/ca.pem', - clusterAuthMode: 'x509', - tlsClusterAuthX509ExtensionValue: 'foo', - setParameter: { - enforceUserClusterSeparation: 'true', - }, - }; - - const mongod = MongoRunner.runMongod(opts); - runTest(mongod); - MongoRunner.stopMongod(mongod); -} -})(); diff --git a/jstests/ssl/libs/cluster-member-bar.pem b/jstests/ssl/libs/cluster-member-bar.pem deleted file mode 100644 index 27b9f533afd..00000000000 --- a/jstests/ssl/libs/cluster-member-bar.pem +++ /dev/null @@ -1,58 +0,0 @@ -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml cluster-member-bar.pem -# -# A server certificate with the mongoClusterMembership extension with a value of bar ------BEGIN CERTIFICATE----- -MIIEejCCA2KgAwIBAgIEWTZe1DANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV -UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO -BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs -IFRlc3QgQ0EwHhcNMjMwMzE1MTU0MTU2WhcNMjUwNjE2MTU0MTU2WjBsMQswCQYD -VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp -dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG -c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu9lxe3kPI/Hk -ZTloS7DbcXxJOfvz6+SXkEmsQeWh8asKYl1vMj9trkwZonpUvdGy3u32aQ2OttBw -ajE6TWpNxBpLPlksrpYcvOZBHROvVek5jkQIjCFY2a/xoD6bNSUKfjXiBVl3ahDy -b7cg6oGC6X3xe+Sa9Zj7HhiOY0LaoRZr0PSuIkxBxboMpghEv/Mq0YFoxhyuS/XI -9HGcIiipp9sVZNhiP4yZPfqruSB4ACYNVjDJTbNAgYhlCT8W1lHnO2pc2BRTbIj5 -NTbjcGeIjLzRf5ARzPF1XCknnECmszJFLHCONRG/k8Z8i87vIBqf83jo0y5W0GK7 -t5hTfDci3wIDAQABo4IBGjCCARYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYD -VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQKCntdQt8iZZ8C -mEjgcbjEJZhO/DCBiwYDVR0jBIGDMIGAoXikdjB0MQswCQYDVQQGEwJVUzERMA8G -A1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoM -B01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVsIFRlc3Qg -Q0GCBHvUrJMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMBQGCysGAQQBgo4p -AgECBAUMA2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjY+PUCpyNisWgM82A+eN+ipq -xGUJE97j7ikoGTzFYeGJ4ANYXxL9MlDakZjv+fNXy+ngSDqBGvZzN/mIIa72Phkz -Q/L+jLSH2HUZL8/ptTnf6M2mdYwuABSBE7+KG6emb1ywUudHFztzxZZDlSE+JVCO -F39amF2TMnzNqb1hBOz07RdZKBqEpo3PrL8MFlZxuN9i6YHp5b5Og+Li/ktWMaBv -6kZ+drMK3E+ku5QRPTARXuGXf7vFT+eC5Rk/jTi3prwveg7n4WKmecS6BuzVlLjt -kUIe0RqTS3HqkFqtb/mb4Dc1Bbi5MD86CZ1JNkWT1m8LozsAnKhfnrHbUViPdg== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC72XF7eQ8j8eRl -OWhLsNtxfEk5+/Pr5JeQSaxB5aHxqwpiXW8yP22uTBmielS90bLe7fZpDY620HBq -MTpNak3EGks+WSyulhy85kEdE69V6TmORAiMIVjZr/GgPps1JQp+NeIFWXdqEPJv -tyDqgYLpffF75Jr1mPseGI5jQtqhFmvQ9K4iTEHFugymCES/8yrRgWjGHK5L9cj0 -cZwiKKmn2xVk2GI/jJk9+qu5IHgAJg1WMMlNs0CBiGUJPxbWUec7alzYFFNsiPk1 -NuNwZ4iMvNF/kBHM8XVcKSecQKazMkUscI41Eb+TxnyLzu8gGp/zeOjTLlbQYru3 -mFN8NyLfAgMBAAECggEAJDf8pW3l+Ww+OTYkYdOru+nWxJNLqIPepTdPOzVnUA1G -Z0jUk7+fCigqGSW1CRRRhKIlDIRMq/rscc0kDKEedV0MfOz8rHzM9a7/hvewqsPZ -EREVBM+5Ld+6msb3bfvCVitVdOqXF6BE3j1U32IxN4vM77JYHlpssJTTf1f4h25S -qgZb+b8D+J54nuxiB6Q54WYSnzCMMCGmtIVceS/Itc6CVxLUl86WJUpoZwiQTUxX -sXJoYDOahJLPnuwOT+tNzlXHiFLQ4kB1M7mYFjNhurj9X9YSOR4fxWLqy4IJGQTH -oehCLuGBPVI578gPXim1QrAf3hG8to8ViFVgeNWygQKBgQDVCljM8t9dVZEm+F1r -e4lDb6rauycK9zAwQLKzgRAAxAT7OMs0WyuCMWHD3ZZDjtpSmb5m1kP22OXy0BRB -G08xFUtNAzsQkH5RBQHScec8RJ6bFgLQ99hd++Gc7jgp0XxuxoEvMKm1bEtbfoUu -6AoCuRf/kTqL3PY1HP5Yt7L9UQKBgQDhuqzwLNpCXnGk+0gf7qEkIMPqZqFzqrdb -eWWVmC1JO4kc5TNGJnEtVlS32ow+iN1qjZBptQY0/Ykohj3F2PZHF93zQ2sbDFAy -7BQWbYjO9DAzemtBqMNVtFe+5oABzbyhqzmZtNVG4C2XKkJkw0RUCtyvmE5/0obH -xT/t//RRLwKBgBO8JKO/r+9eeNbKVSUayYlks8gVZDWA1obxx1wXjZr0jZ2UEkbk -VzB1UKArS7swZYsXUOsH2D3qs8p9ehLZ68kZNuOIdBVBvWHV++g5wvjzRloJfPNM -sk9qgOjfrHY7QLKmUttDP8VdpdFw8/d3aU39RXrYQjsomeorqGghhEQxAoGAfqIZ -LswazazqGGIX/kIDCJ+RCUj2PkuBfcHG6XtrvG+35gv3Dd23FHYgJNxoXRSvEn3E -jGjPyJ6Leb6FnR6wWwXasAQcbBomS8sBIevlGiUHfXmp/jXND6GSsDfjjB99OT0z -nTVDiPVu3iUJBjo9dOB7Gc9aCn9yuVPBH6W9zGUCgYB6ew5VTrbwWO0KKYpiM6aN -ZXiYTMMcaJOjlmyBYtWYNdRusshh4i+ICF/eV9CXtW1cQcXGCM5gB0Py3r9ugSWk -xQDVotkSUP3GswftggX17jEyjTQKMVtDDATyIxU3XohAWeNQYuRV98+A41lFqE0v -GXbb4Dhv87TuIEAIsHCV5Q== ------END PRIVATE KEY----- diff --git a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha1 b/jstests/ssl/libs/cluster-member-bar.pem.digest.sha1 deleted file mode 100644 index 53b59e4aa35..00000000000 --- a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha1 +++ /dev/null @@ -1 +0,0 @@ -D498E0A2F8CF71D5349BB91E11E6D05350C88A3C
\ No newline at end of file diff --git a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha256 b/jstests/ssl/libs/cluster-member-bar.pem.digest.sha256 deleted file mode 100644 index a0ce1bd86a8..00000000000 --- a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha256 +++ /dev/null @@ -1 +0,0 @@ -F957FEBEEC5C9C08C2500C17432B47635C12101E4DD42183FD333542ACD0AE5D
\ No newline at end of file diff --git a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem b/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem deleted file mode 100644 index 9b4a86dfd17..00000000000 --- a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem +++ /dev/null @@ -1,58 +0,0 @@ -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml cluster-member-foo-alt-rdn.pem -# -# A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN ------BEGIN CERTIFICATE----- -MIIEdjCCA16gAwIBAgIEGs/cgTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV -UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO -BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs -IFRlc3QgQ0EwHhcNMjMwMzE1MTU0MjEwWhcNMjUwNjE2MTU0MjEwWjBoMQswCQYD -VQQGEwJaWjEQMA4GA1UECAwHRXhhbXBsZTETMBEGA1UEBwwKRmFrZXN2aWxsZTEQ -MA4GA1UECgwHQ29tcGFueTERMA8GA1UECwwIQnVzaW5lc3MxDTALBgNVBAMMBERv -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKB1iyc78amtXCaOfh -3wZ7jidmiLI0IMGk1KuGnUzyoRlX6PlFKm+I5/rbyVgVK0MEKIJU1rxrxBwwJyW/ -/D1NOH1FTcKk+FnkBs7T1iwct+2OocMArQVcavFayqcqubxvWFztjBNxCoh578OH -u7BBqG3iXu8HvWivm+FAkqYWNk8M0us5Ui/yQShRXcPRTYqAFyTatlcesijGMKEA -J1AE4xgVNmJI88qoUmS7ftbFW0B53ru7aJKtQ9xGcu1EtDEUSXpJAVmmSDmuAF0L -ZaGYUd/zerCweOgkmy0rEoFQPKKb9Ib9PJ4vo4VN6RKYt3DzDxpqu58pZMVJxxn+ -UjmnAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDAdBgNVHSUE -FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOHQkRJH13hAyapsryfr -spM9JebhMIGLBgNVHSMEgYMwgYCheKR2MHQxCzAJBgNVBAYTAlVTMREwDwYDVQQI -DAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9u -Z29EQjEPMA0GA1UECwwGS2VybmVsMRcwFQYDVQQDDA5LZXJuZWwgVGVzdCBDQYIE -e9SskzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwFAYLKwYBBAGCjikCAQIE -BQwDZm9vMA0GCSqGSIb3DQEBCwUAA4IBAQBYpHCMUlGWm803moqfVGTkU/xGlPQd -hpMtmcf8GsSlDKmGXW335+95f5emZV7WmfKqaolAI0rjA7/sI98QuiqcloCEhSE9 -eS3jEuEEeDvySwnqKgz45eTXyjqjpH746uIXju427xQtr4z6gYYQZBls1ozEFrYp -MfQXZJqVm6Kodg72LNrjToWeuNGkeGtGikyqXAlCM3/s7FsapuN89KjNsQv1p8e0 -LTXnJAm/5yxcuQyxWq87pta11IS89RylDDwmMMBIJWwAE07O+zH/1OC6yevapKn7 -rZw/gYz4uhbmlzsQVJrHdsaZ8Dr6+Enpz5X9CmNRqijk5dbzaSS9wvbu ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCKB1iyc78amtXC -aOfh3wZ7jidmiLI0IMGk1KuGnUzyoRlX6PlFKm+I5/rbyVgVK0MEKIJU1rxrxBww -JyW//D1NOH1FTcKk+FnkBs7T1iwct+2OocMArQVcavFayqcqubxvWFztjBNxCoh5 -78OHu7BBqG3iXu8HvWivm+FAkqYWNk8M0us5Ui/yQShRXcPRTYqAFyTatlcesijG -MKEAJ1AE4xgVNmJI88qoUmS7ftbFW0B53ru7aJKtQ9xGcu1EtDEUSXpJAVmmSDmu -AF0LZaGYUd/zerCweOgkmy0rEoFQPKKb9Ib9PJ4vo4VN6RKYt3DzDxpqu58pZMVJ -xxn+UjmnAgMBAAECggEAKHROwr653ApVbE1i6Qh81emsEpkt4alYF/9c5m9kBhjB -XMqjhGoTloSnOZOhhVLQqX9V85ecUdmAiXxvy/0Z2nAcBxvrWH6RmguEwwGanDAs -KAmxJZmQYK3XX0zWAee+GsRDODw91nvH1DU5kaao2hWLXzWDyTjyXcXKFyrkEs4Z -1sQiJHCFQW1l5j6x7kAXrbOHUCziCww+vvCUCW7ujut/Nl1MLzPrsIvtghQKwvhe -uJVB7uZxtBHjQEfycZOLWCNUEE6WOJ/muUeCtHbmVbr50omOlRSJHP/MqUQaxnpM -KS38BoUbJpbaVOKvgokjLHXF8KojNQ+Embx1Ql0AgQKBgQC/6lS/3eQKAr1FmjlN -PicKDb6t08aE7THupy/sDL9jqEIYGfJPCbu8Guyd7nCwBCdJ8KcHQehukcZ8i1O4 -2Z/gMtuurHvD2S4+6sYjHZ9SyRiTkW8XY/jmwCYqAraS9fNNWj+maifyTcAreO+f -KVI5/2QCNPMqjqzFGaS2w5XueQKBgQC4HpMpbikIzUEK3QnpcpqIyufpYiZGhOb8 -qgwTZCw3Bqn7KKB7kfTYpghLdzQmqUch6yaBWN5+YgabFzNtOkXvstpH4m5BJ1Q0 -N1zTTiPHOxup0TUPWQo2Qa+h52p8BOvKSBNGcgNFDJ3tdDOAX5tNeywunx/w1HjA -aUUNoKLhHwKBgB+xjDNvaoR4tVc0Q/hMplfTs0Szr5ouLcvS0mgyJr1HgTrHtit1 -WQqUi7T9NqDq3q4oTv001jTEYDobLEVfszZsT7lGBN5wFGIRlY0hDDm4uhVMtELx -oJ5C50qSziHw+jAxEkfiShyK2IyVWUU4prqrQZHXuryxeTjHplsEa9NJAoGAURLV -hjbFxuRqsZfnV25pcba3K+NWK1M2SyetrZQ8i/ZZPwkCsabxg7yIhoJ06lk7w0nC -aM5zGn+bnQs4T+6LASNmTqT8G6BvyZZfP4R26LG0WrCOhrWUc5O0/Lvj/bxE/4uB -QVHO8sa9e+PhEbQHtLR6HgVfkTJeAYvZJkkHr80CgYBAo06hacP0ATWy9GetJztU -9OZfhobBuk3kBdU3tNFNe8UFRLg0MnUwv3FdXM6XsVhH/r18ApACityAzA+cMw5o -9nPyi+C8GqWum1eg3XaSPpKxNCVsAQuTJpSjL3JqeZSo07XUOAS2om5AQBLsbGHB -2hpwDA/Ccom2Sc8E/VysmQ== ------END PRIVATE KEY----- diff --git a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1 b/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1 deleted file mode 100644 index 773e4493989..00000000000 --- a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1 +++ /dev/null @@ -1 +0,0 @@ -94F9962116E92EBDB4FC7007304957CCE1A41F26
\ No newline at end of file diff --git a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256 b/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256 deleted file mode 100644 index 02ea263cddb..00000000000 --- a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256 +++ /dev/null @@ -1 +0,0 @@ -215C9A1DB0D815E937668EBE8230496B9FDB3DBE2F9700820B9F631B87C28CB5
\ No newline at end of file diff --git a/jstests/ssl/libs/cluster-member-foo.pem b/jstests/ssl/libs/cluster-member-foo.pem deleted file mode 100644 index a80d90767d7..00000000000 --- a/jstests/ssl/libs/cluster-member-foo.pem +++ /dev/null @@ -1,58 +0,0 @@ -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml cluster-member-foo.pem -# -# A server certificate with the mongoClusterMembership extension with a value of foo ------BEGIN CERTIFICATE----- -MIIEejCCA2KgAwIBAgIEU7DfoTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV -UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO -BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs -IFRlc3QgQ0EwHhcNMjMwMzE1MTU0MTUzWhcNMjUwNjE2MTU0MTUzWjBsMQswCQYD -VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp -dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG -c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoj7sGnUpd3gu -MWBZD3gwilIw5IoVySUak0g9F7VESbU0nvCS6Df594TnE7v+pYUczq6U2o8fgAUi -8J1iH6Zj/osIbeQuoDbFpWyVmYGNFwDsvWcxXQEuWpdn0Fk2U6Ropaxbbp9Md9je -Xp/1kfpV2Fmg0IKvC+l3hkoalnBBJseftbVV5qs0Gw1yftyL0t8Fu4JVl/mQQKYD -19pyPxuDapgMRhGCmcjhjuNeFY0w6T17TBT/tQ9B8wM5hNlXElvWQqKnQybXF1S7 -ZRfXOHRFgBxUxJaEREPHHjt9QozFY6NS/BN9oBQyihj1PFqB54yFNoNRx/eQAM2C -LUXk+wyfZwIDAQABo4IBGjCCARYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYD -VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRS6fOGvmeuH1/U -CQikWX+BkLLLgzCBiwYDVR0jBIGDMIGAoXikdjB0MQswCQYDVQQGEwJVUzERMA8G -A1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoM -B01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVsIFRlc3Qg -Q0GCBHvUrJMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMBQGCysGAQQBgo4p -AgECBAUMA2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAPNCV4cJ+4rirKCT5Rw3p0ZUW -OBmb4ZRKVJn0VuLTBth8516ftP3N1IXtuSy7UjpqW3wSrqN3YNI9tibNlrs5CGkA -9EZiX1y0sxxUTM73EqzV9kx6dJ2g0BDolgc68sYdofIdIDNMzvfqg4cyIsH94KxJ -h4FXD8bE3fnrusaZoD0TDUwJ7/YX6Jv191R06vZHR5YXnnPzZD+Kig+tKLh5ePCN -KcgoPPMf3TPPbvpZVcyQHeceBSZ4+1lN/s4EUhSvit7TMO0TlfleLv2gC48MQt3R -YKu70fqITRKchyXu2kAgIjAhUWjtllmYrIiWjiWwCaPJYcYIxXXIn3f9itzjjA== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCiPuwadSl3eC4x -YFkPeDCKUjDkihXJJRqTSD0XtURJtTSe8JLoN/n3hOcTu/6lhRzOrpTajx+ABSLw -nWIfpmP+iwht5C6gNsWlbJWZgY0XAOy9ZzFdAS5al2fQWTZTpGilrFtun0x32N5e -n/WR+lXYWaDQgq8L6XeGShqWcEEmx5+1tVXmqzQbDXJ+3IvS3wW7glWX+ZBApgPX -2nI/G4NqmAxGEYKZyOGO414VjTDpPXtMFP+1D0HzAzmE2VcSW9ZCoqdDJtcXVLtl -F9c4dEWAHFTEloREQ8ceO31CjMVjo1L8E32gFDKKGPU8WoHnjIU2g1HH95AAzYIt -ReT7DJ9nAgMBAAECggEAD9NUY1ZHR6x00QMlXMFr9qoCs+AWNOsGFxSmROA8+3WN -3uz3X2hKXQ7dHUsqkQmVYEGeKl1ohKu7lz26uvyXZ1Y3acSmmaEOEU8wnmsJEJPa -A7WDlp9NXq/DBAsXpfv06ygPORCXvF7ufctbgDQrWHGRopUErwREUNh8lGz5pecO -FawUQoIrWfOx8bq/PFXAFiaJHfk1SaadZdHS1TX4ZUm07iYuYUTqxarffmyub8ZN -lO7G/3fdivgfuBnMETUDFOu7xSphk56AFlxLBuEVk+u8/I5XHWiRcVKTA4vtbyUX -xjM/sxO7qCZ6cY1Z/xaHOJUj0FoT5wqjjn4UltWerQKBgQDOPdiL6TLlQkF6rr6t -Jo2anm/Xs+dr70NIwsfYxNNLGoLCENxAwYIjKjD93UuS/eTEkKga141bS/05pEiM -rjv+jBxJd3El3RavBjYV+npjRiC7qlVg/hPhx6ZXCEOg2gx/6zIj9fzGmf8JEeLh -VvIDqXw2b7mJUSv80AfWb+SHLQKBgQDJY8CZRP8hsGhV3b64PquME38CGwCSIdqW -3MxAQHE0KFo98HFoElUecUklZh+AoHL9hpGuDRvSJ7AC3ynNnV5IxKYYjwM2pNL+ -nr3RNsNhrPcEMj/elW7BZoVG+zGyLjiTx7GO6e3S0rivUDhAQSEhp3G8ZM0kxsvi -/RqxLXVdYwKBgCp+RaK2Hp1r5E/htzm3ys9Du6mG0LTFbGiOcVyxWRONV8miba8N -78FNDSEROmQD2eHCKFC3ftGDu53nwmbx8zyEI8PjTzXM8sKHFhe7LwJLTa088DB2 -ySPo3dXqxvxaUN7+V6tfIIDO8+QrgkKJhn3IquYQaPro9ZY2SpcdIMnVAoGAFF08 -5YK/lcWD12Lz3SehKynxhuH6HczEkMrE8J5TlCWccnT00sQ/zTNBZUG9X8FZv18z -LflvXcHbn363eG44UX1pGkSj24uxNkQRB63U9fSKiecW5EgSCgZ25aWS8eSQngjs -YHoxLUdXm4quFXlAg2muK5G52MUtaseTQmVJX+cCgYBRFJ1zUDYHpniXEsGUx/OV -FBEZg359fRTKZUnXAtOW4gbaWMmLZ8N47pRvJakbkvqrMWUFagZKWDbA7+BxopVB -prIvNrSaIM3Q9o+H7gsA85O1qPkQQV+1Ue6OCPlxLz8AVnWb5zu1eFUNkrLeKwz0 -WREDb3ONFYMUxgzcvCDXgQ== ------END PRIVATE KEY----- diff --git a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha1 b/jstests/ssl/libs/cluster-member-foo.pem.digest.sha1 deleted file mode 100644 index 21209a1dc30..00000000000 --- a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha1 +++ /dev/null @@ -1 +0,0 @@ -5A081EAA0D42DED66771504EC405C5F9AE4885EA
\ No newline at end of file diff --git a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha256 b/jstests/ssl/libs/cluster-member-foo.pem.digest.sha256 deleted file mode 100644 index 4ef362e70f5..00000000000 --- a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha256 +++ /dev/null @@ -1 +0,0 @@ -D0298CCEA9CEEBF3E739E331AD7A4C5A485DCB8FC66AD236F281BB5040136076
\ No newline at end of file diff --git a/jstests/ssl/x509/README b/jstests/ssl/x509/README index e85e25ecb4f..346e06f750d 100644 --- a/jstests/ssl/x509/README +++ b/jstests/ssl/x509/README @@ -64,4 +64,3 @@ certs: - mongoRoles: - {role: readWrite, db: test1} - {role: read, db: test2} - - mongoClusterMembership: clusterName diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml index ebedbaba66d..b2f50d283ba 100644 --- a/jstests/ssl/x509/certs.yml +++ b/jstests/ssl/x509/certs.yml @@ -284,7 +284,7 @@ certs: - name: 'server.pem' description: General purpose server certificate file. Subject: {CN: 'server'} - extensions: &server_pem_extensions + extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] @@ -342,36 +342,6 @@ certs: extensions: extendedKeyUsage: [serverAuth] -- name: 'cluster-member-foo.pem' - output_path: 'jstests/ssl/libs/' - description: A server certificate with the mongoClusterMembership extension with a value of foo - Subject: {CN: 'server'} - extensions: - <<: *server_pem_extensions - mongoClusterMembership: foo - -- name: 'cluster-member-bar.pem' - output_path: 'jstests/ssl/libs/' - description: A server certificate with the mongoClusterMembership extension with a value of bar - Subject: {CN: 'server'} - extensions: - <<: *server_pem_extensions - mongoClusterMembership: bar - -- name: 'cluster-member-foo-alt-rdn.pem' - output_path: 'jstests/ssl/libs/' - description: A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN - Subject: - C: 'ZZ' - ST: 'Example' - L: 'Fakesville' - O: 'Company' - OU: 'Business' - CN: 'Doer' - extensions: - <<: *server_pem_extensions - mongoClusterMembership: foo - # For tenant migration testing. - name: 'rs0.pem' description: General purpose server certificate file. diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py index 58848ceaaa6..45ac802e51c 100755 --- a/jstests/ssl/x509/mkcert.py +++ b/jstests/ssl/x509/mkcert.py @@ -20,17 +20,10 @@ import shutil import mkdigest # pylint: disable=protected-access -try: - # Newer versions of PyOpenSSL hide OBJ_create, but also seem okay without it. - OBJ_create = OpenSSL._util.lib.OBJ_create - OBJ_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45') - OBJ_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56') - OBJ_create(b'1.3.6.1.4.1.34601.2.1.1', b'mongoRoles', - b'Sequence of MongoDB Database Roles') - OBJ_create(b'1.3.6.1.4.1.34601.2.1.2', b'mongoClusterMembership', - b'Name of MongoDB cluster this cert is a member of') -except: - pass +OpenSSL._util.lib.OBJ_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45') +OpenSSL._util.lib.OBJ_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56') +OpenSSL._util.lib.OBJ_create(b'1.3.6.1.4.1.34601.2.1.1', b'mongoRoles', + b'Sequence of MongoDB Database Roles') # pylint: enable=protected-access CONFIGFILE = 'jstests/ssl/x509/certs.yml' @@ -326,15 +319,6 @@ def set_mongo_roles_extension(exts, cert): exts.append(OpenSSL.crypto.X509Extension(b'1.3.6.1.4.1.34601.2.1.1', False, value)) -def set_mongo_cluster_membership_extension(exts, cert): - """Encode a symbolic name to a mongodbClusterMembership extension.""" - name = cert.get('extensions', {}).get('mongoClusterMembership') - if not name: - return - - value = b'DER:' + binascii.hexlify(to_der_utf8_string(name)) - exts.append(OpenSSL.crypto.X509Extension(b'1.3.6.1.4.1.34601.2.1.2', False, value)) - def set_crl_distribution_point_extension(exts, cert): """Specify URI(s) for CRL distribution point(s).""" uris = cert.get('extensions', {}).get('crlDistributionPoints') @@ -361,7 +345,6 @@ def set_extensions(x509, cert): set_crl_distribution_point_extension(exts, cert) set_san_extension(x509, exts, cert) set_mongo_roles_extension(exts, cert) - set_mongo_cluster_membership_extension(exts, cert) ns_comment = cert.get('extensions', {}).get('nsComment') if ns_comment: diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp index 8f1dd94b2f5..c8fdf9e9be7 100644 --- a/src/mongo/db/commands/authentication_commands.cpp +++ b/src/mongo/db/commands/authentication_commands.cpp @@ -229,15 +229,7 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session) uassertStatusOK(authorizationSession->addAndAuthorizeUser(opCtx, request, boost::none)); }; - const bool isClusterMember = ([&] { - const auto& requiredValue = sslGlobalParams.clusterAuthX509ExtensionValue; - if (requiredValue.empty()) { - return sslConfiguration.isClusterMember(clientName); - } - return sslPeerInfo.getClusterMembership() == requiredValue; - })(); - - if (isClusterMember) { + if (sslConfiguration.isClusterMember(clientName)) { // Handle internal cluster member auth, only applies to server-server connections if (!clusterAuthMode.allowsX509()) { uassert(ErrorCodes::AuthenticationFailed, @@ -255,18 +247,6 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session) "with cluster membership"); } - if (gEnforceUserClusterSeparation) { - auto* am = AuthorizationManager::get(opCtx->getServiceContext()); - BSONObj ignored; - const bool userExists = - am->getUserDescription(opCtx, request.name, &ignored).isOK(); - uassert(ErrorCodes::AuthenticationFailed, - "The provided certificate represents both a cluster member and an " - "explicit user which exists in the authzn database. " - "Prohibiting authentication due to enforceUserClusterSeparation setting.", - !userExists); - } - session->setAsClusterMember(); authorizationSession->grantInternalAuthorization(client); } diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp index 82ace1c063c..4384a88ebbf 100644 --- a/src/mongo/db/commands/user_management_commands.cpp +++ b/src/mongo/db/commands/user_management_commands.cpp @@ -1030,7 +1030,7 @@ void CmdUMCTyped<CreateUserCommand>::Invocation::typedRun(OperationContext* opCt #ifdef MONGO_CONFIG_SSL auto& sslManager = opCtx->getClient()->session()->getSSLManager(); - if (isExternal && sslManager && sslGlobalParams.clusterAuthX509ExtensionValue.empty() && + if (isExternal && sslManager && sslManager->getSSLConfiguration().isClusterMember(userName.getUser())) { if (gEnforceUserClusterSeparation) { uasserted(ErrorCodes::BadValue, diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript index 09b609aadb3..35dc7afe72d 100644 --- a/src/mongo/util/net/SConscript +++ b/src/mongo/util/net/SConscript @@ -64,7 +64,6 @@ env.Library( '$BUILD_DIR/mongo/db/auth/auth_options', '$BUILD_DIR/mongo/db/auth/cluster_auth_mode', '$BUILD_DIR/mongo/db/server_base', - '$BUILD_DIR/mongo/db/server_feature_flags', '$BUILD_DIR/mongo/util/options_parser/options_parser', ], ) diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 74c2f2c8748..98c7a7a447a 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -1071,11 +1071,6 @@ StatusWith<DERToken> DERToken::parse(ConstDataRange cdr, size_t* outLength) { } } // namespace -StatusWith<std::string> parseDERString(ConstDataRange cdrExtension) { - ConstDataRangeCursor cdcExtension(cdrExtension); - return readDERString(cdcExtension); -} - StatusWith<stdx::unordered_set<RoleName>> parsePeerRoles(ConstDataRange cdrExtension) { stdx::unordered_set<RoleName> roles; diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h index 28b218530d5..ae2682ba8a8 100644 --- a/src/mongo/util/net/ssl_manager.h +++ b/src/mongo/util/net/ssl_manager.h @@ -152,11 +152,6 @@ const ASN1OID mongodbRolesOID("1.3.6.1.4.1.34601.2.1.1", "MongoRoles", "Sequence of MongoDB Database Roles"); -const ASN1OID mongodbClusterMembershipOID( - "1.3.6.1.4.1.34601.2.1.2", - "MongoDBClusterMembership", - "String name identifying the cluster this certificate is a member of"); - /** * Counts of negogtiated version used by TLS connections. */ @@ -416,11 +411,6 @@ extern bool isSSLServer; bool hostNameMatchForX509Certificates(std::string nameToMatch, std::string certHostName); /** - * Parse a UTF8 string from a DER encoded ASN.1 DisplayString. - */ -StatusWith<std::string> parseDERString(ConstDataRange cdr); - -/** * Parse a binary blob of DER encoded ASN.1 into a set of RoleNames. */ StatusWith<stdx::unordered_set<RoleName>> parsePeerRoles(ConstDataRange cdrExtension); diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index de847d52da0..361b8a78c89 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp @@ -109,11 +109,6 @@ using transport::SSLConnectionContext; namespace { -// NIDs mapping to OIDs in the MongoDBInc namespace. -// Allocated during MONGO_INITIALIZER(SSLManager), valid for process lifetime. -static int sMongoDbRolesNID; -static int sMongoDbClusterMembershipNID; - MONGO_FAIL_POINT_DEFINE(disableStapling); using UniqueX509StoreCtx = @@ -1520,21 +1515,11 @@ private: */ void _getCRLInfo(StringData crlFile, CRLInformationToLog* info) const; - struct ParsedPeerExtensions { - stdx::unordered_set<RoleName> roles; - boost::optional<std::string> clusterMembership; - }; - StatusWith<ParsedPeerExtensions> _parsePeerExtensions(X509* peerCert) const; - - // Fetches NID for mongodbRolesOID constant. - static int _getMongoDbRolesNID() { - return sMongoDbRolesNID; - } + StatusWith<stdx::unordered_set<RoleName>> _parsePeerRoles(X509* peerCert) const; - // Fetches NID for mongodbClusterMembershipOID constant. - static int _getMongoDbClusterMembershipNID() { - return sMongoDbClusterMembershipNID; - } + // Fetches NID for mongodbRolesOID constant. Initializes once, safe to invoke + // multiple times. + static int _getMongoDbRolesOID(); StatusWith<boost::optional<std::vector<DERInteger>>> _parseTLSFeature(X509* peerCert) const; @@ -1633,19 +1618,17 @@ bool isSSLServer = false; extern SSLManagerCoordinator* theSSLManagerCoordinator; +static int sMongoDbRolesOID; + MONGO_INITIALIZER_WITH_PREREQUISITES(SSLManager, ("SetupOpenSSL", "EndStartupOptionHandling")) (InitializerContext*) { if (!isSSLServer || (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled)) { theSSLManagerCoordinator = new SSLManagerCoordinator(); } - sMongoDbRolesNID = OBJ_create(mongodbRolesOID.identifier.c_str(), + sMongoDbRolesOID = OBJ_create(mongodbRolesOID.identifier.c_str(), mongodbRolesOID.shortDescription.c_str(), mongodbRolesOID.longDescription.c_str()); - - sMongoDbClusterMembershipNID = OBJ_create(mongodbClusterMembershipOID.identifier.c_str(), - mongodbClusterMembershipOID.shortDescription.c_str(), - mongodbClusterMembershipOID.longDescription.c_str()); } std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create( @@ -3336,13 +3319,13 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate( "cipher"_attr = SSL_CIPHER_get_name(cipher)); } - auto swParsedPeerExtensions = _parsePeerExtensions(peerCert.get()); - if (!swParsedPeerExtensions.isOK()) { - return Future<SSLPeerInfo>::makeReady(swParsedPeerExtensions.getStatus()); + StatusWith<stdx::unordered_set<RoleName>> swPeerCertificateRoles = + _parsePeerRoles(peerCert.get()); + if (!swPeerCertificateRoles.isOK()) { + return Future<SSLPeerInfo>::makeReady(swPeerCertificateRoles.getStatus()); } - auto parsedPeerExtensions = std::move(swParsedPeerExtensions.getValue()); - if (auto status = _validatePeerRoles(parsedPeerExtensions.roles, conn); !status.isOK()) { + if (auto status = _validatePeerRoles(swPeerCertificateRoles.getValue(), conn); !status.isOK()) { return status; } @@ -3372,11 +3355,8 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate( return std::move(ocspFuture) .then([peerSubject, sni, - roles = std::move(parsedPeerExtensions.roles), - clusterMembership = std::move(parsedPeerExtensions.clusterMembership)] { - SSLPeerInfo info(peerSubject, sni, roles); - info.setClusterMembership(clusterMembership); - return info; + peerCertificateRoles = std::move(swPeerCertificateRoles.getValue())] { + return SSLPeerInfo(peerSubject, sni, peerCertificateRoles); }); } @@ -3512,8 +3492,7 @@ SSLPeerInfo SSLManagerOpenSSL::parseAndValidatePeerCertificateDeprecated( return swPeerSubjectName.getValue(); } -StatusWith<SSLManagerOpenSSL::ParsedPeerExtensions> SSLManagerOpenSSL::_parsePeerExtensions( - X509* peerCert) const { +StatusWith<stdx::unordered_set<RoleName>> SSLManagerOpenSSL::_parsePeerRoles(X509* peerCert) const { // exts is owned by the peerCert const STACK_OF(X509_EXTENSION)* exts = X509_get0_extensions(peerCert); @@ -3522,37 +3501,29 @@ StatusWith<SSLManagerOpenSSL::ParsedPeerExtensions> SSLManagerOpenSSL::_parsePee extCount = sk_X509_EXTENSION_num(exts); } - ASN1_OBJECT* rolesObj = OBJ_nid2obj(_getMongoDbRolesNID()); - ASN1_OBJECT* clusterMembershipObj = OBJ_nid2obj(_getMongoDbClusterMembershipNID()); + ASN1_OBJECT* rolesObj = OBJ_nid2obj(_getMongoDbRolesOID()); // Search all certificate extensions for our own - ParsedPeerExtensions parsed; + stdx::unordered_set<RoleName> roles; for (int i = 0; i < extCount; i++) { X509_EXTENSION* ex = sk_X509_EXTENSION_value(exts, i); ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex); if (!OBJ_cmp(obj, rolesObj)) { - // mongodbRoles extension. + // We've found an extension which has our roles OID ASN1_OCTET_STRING* data = X509_EXTENSION_get_data(ex); - auto ptr = reinterpret_cast<char*>(data->data); - auto swRoles = parsePeerRoles(ConstDataRange(ptr, ptr + data->length)); - if (!swRoles.isOK()) { - return std::move(swRoles.getStatus()); - } - parsed.roles = std::move(swRoles.getValue()); - } else if (!OBJ_cmp(obj, clusterMembershipObj)) { - // mongodbClusterMembership extension. - ASN1_OCTET_STRING* data = X509_EXTENSION_get_data(ex); - auto ptr = reinterpret_cast<char*>(data->data); - auto swMembership = parseDERString(ConstDataRange(ptr, ptr + data->length)); - if (!swMembership.isOK()) { - return std::move(swMembership.getStatus()); - } - parsed.clusterMembership = std::move(swMembership.getValue()); + + return parsePeerRoles( + ConstDataRange(reinterpret_cast<char*>(data->data), + reinterpret_cast<char*>(data->data) + data->length)); } } - return parsed; + return roles; +} + +int SSLManagerOpenSSL::_getMongoDbRolesOID() { + return sMongoDbRolesOID; } StatusWith<boost::optional<std::vector<DERInteger>>> SSLManagerOpenSSL::_parseTLSFeature( diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h index 41bb82c66ea..e58bedcd076 100644 --- a/src/mongo/util/net/ssl_options.h +++ b/src/mongo/util/net/ssl_options.h @@ -66,13 +66,12 @@ struct SSLParams { std::string sslPEMKeyFile; // --tlsCertificateKeyFile std::string sslPEMKeyPassword; // --tlsCertificateKeyFilePassword std::string sslClusterFile; // --tlsInternalKeyFile - std::string sslClusterPassword; // --tlsInternalKeyPassword - std::string sslCAFile; // --tlsCAFile - std::string sslClusterCAFile; // --tlsClusterCAFile - std::string sslCRLFile; // --tlsCRLFile - std::string sslCipherConfig; // --tlsCipherConfig - std::string sslCipherSuiteConfig; // --tlsCipherSuiteConfig - std::string clusterAuthX509ExtensionValue; // --tlsClusterAuthX509ExtensionValue + std::string sslClusterPassword; // --tlsInternalKeyPassword + std::string sslCAFile; // --tlsCAFile + std::string sslClusterCAFile; // --tlsClusterCAFile + std::string sslCRLFile; // --tlsCRLFile + std::string sslCipherConfig; // --tlsCipherConfig + std::string sslCipherSuiteConfig; // --tlsCipherSuiteConfig boost::optional<TLSCATrusts> tlsCATrusts; // --setParameter tlsCATrusts diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp index 2f1e6f15179..8636ea6eadd 100644 --- a/src/mongo/util/net/ssl_options_server.cpp +++ b/src/mongo/util/net/ssl_options_server.cpp @@ -37,7 +37,6 @@ #include "mongo/base/status.h" #include "mongo/config.h" #include "mongo/db/auth/auth_options_gen.h" -#include "mongo/db/server_feature_flags_gen.h" #include "mongo/db/server_options.h" #include "mongo/logv2/log.h" #include "mongo/util/options_parser/startup_option_init.h" @@ -242,18 +241,6 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) { } } - if (params.count("net.tls.clusterAuthX509.extensionValue")) { - uassert(ErrorCodes::BadValue, - "Unknown configuration option 'net.tls.clusterAuthX509.extensionValue'", - gFeatureFlagConfigurableX509ClusterAuthn.isEnabledAndIgnoreFCV()); - uassert(ErrorCodes::BadValue, - "net.tls.clusterAuthX509.extensionValue requires " - "a clusterAuthMode which allows for usage of X509", - clusterAuthMode.allowsX509()); - sslGlobalParams.clusterAuthX509ExtensionValue = - params["net.tls.clusterAuthX509.extensionValue"].as<std::string>(); - } - if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) { // allowSSL and x509 is valid only when we are transitioning to auth. if (clusterAuthMode.sendsX509() && !serverGlobalParams.transitionToAuth) { diff --git a/src/mongo/util/net/ssl_options_server.idl b/src/mongo/util/net/ssl_options_server.idl index 0311f3e74da..cdb0a4602f0 100644 --- a/src/mongo/util/net/ssl_options_server.idl +++ b/src/mongo/util/net/ssl_options_server.idl @@ -180,12 +180,3 @@ configs: short_name: tlsLogVersions arg_vartype: String - "net.tls.clusterAuthX509.extensionValue": - description: >- - If specified, clients who expect to be regarded as cluster members - must present a valid X.509 certificate containing an X.509 extension - for OID 1.3.6.1.4.1.34601.2.1.2 which contains the specified value. - short_name: tlsClusterAuthX509ExtensionValue - arg_vartype: String - # // TODO SERVER-74989 X.509 Subject Name Matching - # conflicts: "net.tls.clusterAuthX509.attributes" diff --git a/src/mongo/util/net/ssl_peer_info.h b/src/mongo/util/net/ssl_peer_info.h index 39b1ec51779..befef936c1b 100644 --- a/src/mongo/util/net/ssl_peer_info.h +++ b/src/mongo/util/net/ssl_peer_info.h @@ -29,8 +29,6 @@ #pragma once -#include <boost/optional.hpp> - #include "mongo/transport/session.h" #include "mongo/util/net/ssl_types.h" @@ -72,14 +70,6 @@ public: static SSLPeerInfo& forSession(const std::shared_ptr<transport::Session>& session); static const SSLPeerInfo& forSession(const std::shared_ptr<const transport::Session>& session); - const boost::optional<std::string>& getClusterMembership() const { - return _clusterMembership; - } - - void setClusterMembership(boost::optional<std::string> clusterMembership) { - _clusterMembership = std::move(clusterMembership); - } - private: /** * This flag is used to indicate if the underlying socket is using TLS or not. A default @@ -90,6 +80,5 @@ private: SSLX509Name _subjectName; boost::optional<std::string> _sniName; stdx::unordered_set<RoleName> _roles; - boost::optional<std::string> _clusterMembership; }; } // namespace mongo |