summaryrefslogtreecommitdiff
path: root/jstests/ocsp/ocsp_client_verification_logging.js
diff options
context:
space:
mode:
Diffstat (limited to 'jstests/ocsp/ocsp_client_verification_logging.js')
-rw-r--r--jstests/ocsp/ocsp_client_verification_logging.js92
1 files changed, 92 insertions, 0 deletions
diff --git a/jstests/ocsp/ocsp_client_verification_logging.js b/jstests/ocsp/ocsp_client_verification_logging.js
new file mode 100644
index 00000000000..500b5b0f582
--- /dev/null
+++ b/jstests/ocsp/ocsp_client_verification_logging.js
@@ -0,0 +1,92 @@
+// Tests that OCSP responder latency is logged for client-side verification.
+// @tags: [
+// requires_http_client,
+// live_record_incompatible,
+// ]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+// We only have custom logging output for openssl.
+if (determineSSLProvider() !== "openssl") {
+ return;
+}
+
+const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+ "ocspEnabled": "true",
+ },
+};
+
+let mock_ocsp = new MockOCSPServer("", 1);
+mock_ocsp.start();
+
+let conn = MongoRunner.runMongod(ocsp_options);
+
+clearRawMongoProgramOutput();
+// The desired log line will be printed by the shell. We run a parallel shell because
+// 'rawMongoProgramOutput' will only return logs for subprocesses spawned by the shell.
+const runParallelShellSuccess = startParallelShell(
+ () => {
+ jsTestLog(
+ "Established connection with server to test successful certification verification.");
+ },
+ conn.port,
+ null /*noConnect */,
+ "--tls",
+ "--tlsCAFile",
+ OCSP_CA_PEM,
+ "--tlsCertificateKeyFile",
+ OCSP_CLIENT_CERT,
+ "--tlsAllowInvalidHostnames",
+ "--verbose",
+ 1);
+
+runParallelShellSuccess();
+let output = rawMongoProgramOutput();
+assert.gte(output.search(/"id":6840101/), 0, output);
+
+mock_ocsp.stop();
+
+jsTestLog("Restarting MockOCSPServer with FAULT_REVOKED option");
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1);
+mock_ocsp.start();
+
+clearRawMongoProgramOutput();
+jsTestLog("Spawning parallel shell that should throw due to revoked OCSP certificate");
+assert.throws(startParallelShell(
+ () => {
+ jsTestLog("Something went wrong if we print this!");
+ },
+ conn.port,
+ null /*noConnect */,
+ "--tls",
+ "--tlsCAFile",
+ OCSP_CA_PEM,
+ "--tlsCertificateKeyFile",
+ OCSP_CLIENT_CERT,
+ "--tlsAllowInvalidHostnames",
+ "--verbose",
+ 1));
+
+output = rawMongoProgramOutput();
+// Assert that the shell fails due to certificate being revoked, and we still measure OCSP responder
+// latency.
+assert.gte(output.search(/OCSPCertificateStatusRevoked/), 0);
+assert.gte(output.search(/"id":6840101/), 0);
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}()); \ No newline at end of file
View Lorry Controller Status