diff options
Diffstat (limited to 'jstests/ssl')
| -rw-r--r-- | jstests/ssl/disable_x509.js | 42 | ||||
| -rw-r--r-- | jstests/ssl/initial_sync1_x509.js | 49 | ||||
| -rw-r--r-- | jstests/ssl/libs/ssl_helpers.js | 61 | ||||
| -rw-r--r-- | jstests/ssl/mixed_mode_sharded.js | 2 | ||||
| -rw-r--r-- | jstests/ssl/set_parameter_ssl.js | 15 | ||||
| -rw-r--r-- | jstests/ssl/sharding_with_x509.js | 66 | ||||
| -rw-r--r-- | jstests/ssl/ssl_cert_password.js | 137 | ||||
| -rw-r--r-- | jstests/ssl/ssl_crl.js | 12 | ||||
| -rw-r--r-- | jstests/ssl/ssl_crl_revoked.js | 25 | ||||
| -rw-r--r-- | jstests/ssl/ssl_fips.js | 26 | ||||
| -rw-r--r-- | jstests/ssl/ssl_hostname_validation.js | 105 | ||||
| -rw-r--r-- | jstests/ssl/ssl_invalid_server_cert.js | 16 | ||||
| -rw-r--r-- | jstests/ssl/ssl_options.js | 21 | ||||
| -rw-r--r-- | jstests/ssl/ssl_weak.js | 45 | ||||
| -rw-r--r-- | jstests/ssl/ssl_without_ca.js | 49 | ||||
| -rw-r--r-- | jstests/ssl/upgrade_to_ssl.js | 24 | ||||
| -rw-r--r-- | jstests/ssl/upgrade_to_x509_ssl.js | 54 | ||||
| -rw-r--r-- | jstests/ssl/x509_client.js | 94 |
18 files changed, 490 insertions, 353 deletions
diff --git a/jstests/ssl/disable_x509.js b/jstests/ssl/disable_x509.js index 7aaf6ff1317..5663f6a6196 100644 --- a/jstests/ssl/disable_x509.js +++ b/jstests/ssl/disable_x509.js @@ -2,37 +2,45 @@ var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client"; -var conn = MongoRunner.runMongod({smallfiles: "", - auth: "", - sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem"}); +var conn = MongoRunner.runMongod({ + smallfiles: "", + auth: "", + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem" +}); // Find out if this build supports the authenticationMechanisms startup parameter. // If it does, restart with and without the MONGODB-X509 mechanisms enabled. var cmdOut = conn.getDB('admin').runCommand({getParameter: 1, authenticationMechanisms: 1}); if (cmdOut.ok) { MongoRunner.stopMongod(conn); - conn = MongoRunner.runMongod({ restart: conn, - setParameter: "authenticationMechanisms=MONGODB-X509" }); + conn = MongoRunner.runMongod( + {restart: conn, setParameter: "authenticationMechanisms=MONGODB-X509"}); external = conn.getDB("$external"); // Add user using localhost exception - external.createUser({user: CLIENT_USER, roles:[ - {'role':'userAdminAnyDatabase', 'db':'admin'}, - {'role':'readWriteAnyDatabase', 'db':'admin'}]}); + external.createUser({ + user: CLIENT_USER, + roles: [ + {'role': 'userAdminAnyDatabase', 'db': 'admin'}, + {'role': 'readWriteAnyDatabase', 'db': 'admin'} + ] + }); // Localhost exception should not be in place anymore - assert.throws( function() { test.foo.findOne();}, {}, "read without login" ); + assert.throws(function() { + test.foo.findOne(); + }, {}, "read without login"); - assert( external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}), - "authentication with valid user failed" ); + assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}), + "authentication with valid user failed"); MongoRunner.stopMongod(conn); - conn = MongoRunner.runMongod({ restart: conn, - setParameter: "authenticationMechanisms=SCRAM-SHA-1" }); + conn = MongoRunner.runMongod( + {restart: conn, setParameter: "authenticationMechanisms=SCRAM-SHA-1"}); external = conn.getDB("$external"); - assert( !external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}), - "authentication with disabled auth mechanism succeeded" ); + assert(!external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}), + "authentication with disabled auth mechanism succeeded"); } diff --git a/jstests/ssl/initial_sync1_x509.js b/jstests/ssl/initial_sync1_x509.js index 84f59d29556..85198604b57 100644 --- a/jstests/ssl/initial_sync1_x509.js +++ b/jstests/ssl/initial_sync1_x509.js @@ -1,17 +1,19 @@ // Basic tests for cluster authentication using x509. -var common_options = {keyFile : "jstests/libs/key1", - sslMode : "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", - sslAllowInvalidHostnames: ""}; +var common_options = { + keyFile: "jstests/libs/key1", + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem", + sslAllowInvalidHostnames: "" +}; function runInitialSyncTest() { load("jstests/replsets/rslib.js"); print("1. Bring up set"); - var replTest = new ReplSetTest({name: "jstests_initsync1_x509", - nodes : {node0 : x509_options1, node1 : x509_options2}}); + var replTest = new ReplSetTest( + {name: "jstests_initsync1_x509", nodes: {node0: x509_options1, node1: x509_options2}}); var conns = replTest.startSet(); replTest.initiate(); @@ -24,17 +26,17 @@ function runInitialSyncTest() { var admin_s1 = slave1.getDB("admin"); print("2. Create a root user."); - admin.createUser({ user: "root", pwd: "pass", roles: ["root"]}); + admin.createUser({user: "root", pwd: "pass", roles: ["root"]}); admin.auth("root", "pass"); admin_s1.auth("root", "pass"); print("3. Insert some data"); var bulk = foo.bar.initializeUnorderedBulkOp(); for (var i = 0; i < 100; i++) { - bulk.insert({ date: new Date(), x: i, str: "all the talk on the market" }); + bulk.insert({date: new Date(), x: i, str: "all the talk on the market"}); } assert.writeOK(bulk.execute()); - print("total in foo: "+foo.bar.count()); + print("total in foo: " + foo.bar.count()); print("4. Make sure synced"); replTest.awaitReplication(); @@ -43,7 +45,7 @@ function runInitialSyncTest() { master = replTest.getPrimary(); bulk = foo.bar.initializeUnorderedBulkOp(); for (var i = 0; i < 100; i++) { - bulk.insert({ date: new Date(), x: i, str: "all the talk on the market" }); + bulk.insert({date: new Date(), x: i, str: "all the talk on the market"}); } assert.writeOK(bulk.execute()); @@ -54,21 +56,19 @@ function runInitialSyncTest() { } // Standard case, clusterAuthMode: x509 -var x509_options1 = Object.merge(common_options, - {sslClusterFile: "jstests/libs/cluster_cert.pem", - clusterAuthMode: "x509"}); +var x509_options1 = Object.merge( + common_options, {sslClusterFile: "jstests/libs/cluster_cert.pem", clusterAuthMode: "x509"}); var x509_options2 = x509_options1; runInitialSyncTest(); -// Mixed clusterAuthMode: sendX509 and sendKeyFile and try adding --auth -x509_options1 = Object.merge(common_options, - {sslClusterFile: "jstests/libs/cluster_cert.pem", - clusterAuthMode: "sendX509", - auth: ""}); +// Mixed clusterAuthMode: sendX509 and sendKeyFile and try adding --auth +x509_options1 = Object.merge( + common_options, + {sslClusterFile: "jstests/libs/cluster_cert.pem", clusterAuthMode: "sendX509", auth: ""}); x509_options2 = Object.merge(common_options, {clusterAuthMode: "sendKeyFile"}); runInitialSyncTest(); -// Mixed clusterAuthMode: x509 and sendX509, use the PEMKeyFile for outgoing connections +// Mixed clusterAuthMode: x509 and sendX509, use the PEMKeyFile for outgoing connections x509_options1 = Object.merge(common_options, {clusterAuthMode: "x509"}); x509_options2 = Object.merge(common_options, {clusterAuthMode: "sendX509"}); runInitialSyncTest(); @@ -76,8 +76,9 @@ runInitialSyncTest(); // verify that replset initiate fails if using a self-signed cert x509_options1 = Object.merge(common_options, {clusterAuthMode: "x509"}); x509_options2 = Object.merge(common_options, - {sslClusterFile: "jstests/libs/smoke.pem", - clusterAuthMode: "x509"}); -var replTest = new ReplSetTest({nodes : {node0 : x509_options1, node1 : x509_options2}}); + {sslClusterFile: "jstests/libs/smoke.pem", clusterAuthMode: "x509"}); +var replTest = new ReplSetTest({nodes: {node0: x509_options1, node1: x509_options2}}); var conns = replTest.startSet(); -assert.throws( function() { replTest.initiate(); } ); +assert.throws(function() { + replTest.initiate(); +}); diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js index 2b7d7afc5b6..5fab2f1f030 100644 --- a/jstests/ssl/libs/ssl_helpers.js +++ b/jstests/ssl/libs/ssl_helpers.js @@ -9,19 +9,27 @@ var CLIENT_CERT = "jstests/libs/client.pem"; // Note: "sslAllowInvalidCertificates" is enabled to avoid // hostname conflicts with our testing certificates -var disabled = {sslMode: "disabled"}; -var allowSSL = {sslMode : "allowSSL", +var disabled = { + sslMode: "disabled" +}; +var allowSSL = { + sslMode: "allowSSL", sslAllowInvalidCertificates: "", - sslPEMKeyFile : SERVER_CERT, - sslCAFile: CA_CERT}; -var preferSSL = {sslMode : "preferSSL", + sslPEMKeyFile: SERVER_CERT, + sslCAFile: CA_CERT +}; +var preferSSL = { + sslMode: "preferSSL", sslAllowInvalidCertificates: "", - sslPEMKeyFile : SERVER_CERT, - sslCAFile: CA_CERT}; -var requireSSL = {sslMode : "requireSSL", + sslPEMKeyFile: SERVER_CERT, + sslCAFile: CA_CERT +}; +var requireSSL = { + sslMode: "requireSSL", sslAllowInvalidCertificates: "", - sslPEMKeyFile : SERVER_CERT, - sslCAFile: CA_CERT}; + sslPEMKeyFile: SERVER_CERT, + sslCAFile: CA_CERT +}; // Test if ssl replset configs work @@ -41,8 +49,7 @@ var replShouldFail = function(name, opt1, opt2) { ssl_options2 = opt2; ssl_name = name; replTest = null; - assert.throws(load,[replSetTestFile], - "This setup should have failed"); + assert.throws(load, [replSetTestFile], "This setup should have failed"); // clean up to continue running... if (replTest) { replTest.stopSet(15); @@ -55,11 +62,8 @@ var replShouldFail = function(name, opt1, opt2) { */ function mixedShardTest(options1, options2, shouldSucceed) { try { - var st = new ShardingTest({ - mongos : [options1], - config : [options1], - shards : [options1, options2] - }); + var st = new ShardingTest( + {mongos: [options1], config: [options1], shards: [options1, options2]}); st.stopBalancer(); // Test mongos talking to config servers @@ -67,39 +71,38 @@ function mixedShardTest(options1, options2, shouldSucceed) { assert.eq(r, true, "error enabling sharding for this configuration"); st.ensurePrimaryShard("test", "shard0000"); - r = st.adminCommand({ movePrimary: 'test', to: 'shard0001' }); + r = st.adminCommand({movePrimary: 'test', to: 'shard0001'}); var db1 = st.getDB("test"); - r = st.adminCommand({ shardCollection : "test.col" , key : { _id : 1 } }); + r = st.adminCommand({shardCollection: "test.col", key: {_id: 1}}); assert.eq(r, true, "error sharding collection for this configuration"); // Test mongos talking to shards - var bigstr = Array(1024*1024).join("#"); + var bigstr = Array(1024 * 1024).join("#"); var bulk = db1.col.initializeUnorderedBulkOp(); - for(var i = 0; i < 128; i++){ - bulk.insert({ _id: i, string: bigstr }); + for (var i = 0; i < 128; i++) { + bulk.insert({_id: i, string: bigstr}); } assert.writeOK(bulk.execute()); assert.eq(128, db1.col.count(), "error retrieving documents from cluster"); // Test shards talking to each other - r = st.getDB('test').adminCommand({ moveChunk: 'test.col', - find: { _id: 0 }, to: 'shard0000' }); + r = st.getDB('test').adminCommand({moveChunk: 'test.col', find: {_id: 0}, to: 'shard0000'}); assert(r.ok, "error moving chunks: " + tojson(r)); db1.col.remove({}); - } catch(e) { - if (shouldSucceed) throw e; - //silence error if we should fail... + } catch (e) { + if (shouldSucceed) + throw e; + // silence error if we should fail... print("IMPORTANT! => Test failed when it should have failed...continuing..."); } finally { // This has to be done in order for failure // to not prevent future tests from running... - if(st) { + if (st) { st.stop(); } } } - diff --git a/jstests/ssl/mixed_mode_sharded.js b/jstests/ssl/mixed_mode_sharded.js index 8abaf77dabf..cdebc285a9a 100644 --- a/jstests/ssl/mixed_mode_sharded.js +++ b/jstests/ssl/mixed_mode_sharded.js @@ -16,4 +16,4 @@ mixedShardTest(preferSSL, allowSSL, true); mixedShardTest(allowSSL, preferSSL, true); print("=== Testing allowSSL/requireSSL cluster - SHOULD FAIL ==="); -mixedShardTest(requireSSL, allowSSL, false); +mixedShardTest(requireSSL, allowSSL, false); diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js index 92486f663d9..407ed8b0834 100644 --- a/jstests/ssl/set_parameter_ssl.js +++ b/jstests/ssl/set_parameter_ssl.js @@ -1,20 +1,16 @@ // Test changing the --sslMode and --clusterAuthMode parameters using setParameter var SERVER_CERT = "jstests/libs/server.pem"; -var CA_CERT = "jstests/libs/ca.pem"; +var CA_CERT = "jstests/libs/ca.pem"; function testSSLTransition(oldMode, newMode, shouldSucceed) { - var conn = MongoRunner.runMongod({ - sslMode: oldMode, - sslPEMKeyFile: SERVER_CERT, - sslCAFile: CA_CERT - }); + var conn = + MongoRunner.runMongod({sslMode: oldMode, sslPEMKeyFile: SERVER_CERT, sslCAFile: CA_CERT}); var adminDB = conn.getDB("admin"); adminDB.createUser({user: "root", pwd: "pwd", roles: ['root']}); adminDB.auth("root", "pwd"); - var res = adminDB.runCommand({ "setParameter" : 1, - "sslMode" : newMode }); + var res = adminDB.runCommand({"setParameter": 1, "sslMode": newMode}); assert(res["ok"] == shouldSucceed, tojson(res)); MongoRunner.stopMongod(conn.port); @@ -31,8 +27,7 @@ function testAuthModeTransition(oldMode, newMode, sslMode, shouldSucceed) { var adminDB = conn.getDB("admin"); adminDB.createUser({user: "root", pwd: "pwd", roles: ['root']}); adminDB.auth("root", "pwd"); - var res = adminDB.runCommand({ "setParameter" : 1, - "clusterAuthMode" : newMode }); + var res = adminDB.runCommand({"setParameter": 1, "clusterAuthMode": newMode}); assert(res["ok"] == shouldSucceed, tojson(res)); MongoRunner.stopMongod(conn.port); diff --git a/jstests/ssl/sharding_with_x509.js b/jstests/ssl/sharding_with_x509.js index 8a7e747c6ad..6e497ab290e 100644 --- a/jstests/ssl/sharding_with_x509.js +++ b/jstests/ssl/sharding_with_x509.js @@ -1,69 +1,73 @@ -// Tests basic sharding with x509 cluster auth +// Tests basic sharding with x509 cluster auth // The purpose is to verify the connectivity between mongos and the shards -var x509_options = {sslMode : "requireSSL", - sslPEMKeyFile : "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", - sslClusterFile: "jstests/libs/cluster_cert.pem", - sslAllowInvalidHostnames: "", - clusterAuthMode: "x509"}; +var x509_options = { + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem", + sslClusterFile: "jstests/libs/cluster_cert.pem", + sslAllowInvalidHostnames: "", + clusterAuthMode: "x509" +}; // Start ShardingTest with enableBalancer because ShardingTest attempts to turn // off the balancer otherwise, which it will not be authorized to do. Once SERVER-14017 // is fixed the "enableBalancer" line could be removed. -var st = new ShardingTest({ name : "sharding_with_x509" , - shards : 2, - mongos : 1, - other: { - enableBalancer: true, - configOptions : x509_options, - mongosOptions : x509_options, - rsOptions : x509_options, - shardOptions : x509_options - }}); +var st = new ShardingTest({ + name: "sharding_with_x509", + shards: 2, + mongos: 1, + other: { + enableBalancer: true, + configOptions: x509_options, + mongosOptions: x509_options, + rsOptions: x509_options, + shardOptions: x509_options + } +}); st.s.getDB('admin').createUser({user: 'admin', pwd: 'pwd', roles: ['root']}); st.s.getDB('admin').auth('admin', 'pwd'); -var coll = st.s.getCollection( "test.foo" ); +var coll = st.s.getCollection("test.foo"); -st.shardColl( coll, { _id : 1 }, false ); +st.shardColl(coll, {_id: 1}, false); // Create an index so we can find by num later -coll.ensureIndex({ insert : 1 }); +coll.ensureIndex({insert: 1}); -print( "starting insertion phase" ); +print("starting insertion phase"); // Insert a bunch of data var toInsert = 2000; var bulk = coll.initializeUnorderedBulkOp(); -for( var i = 0; i < toInsert; i++ ){ - bulk.insert({ my: "test", data: "to", insert: i }); +for (var i = 0; i < toInsert; i++) { + bulk.insert({my: "test", data: "to", insert: i}); } assert.writeOK(bulk.execute()); -print( "starting updating phase" ); +print("starting updating phase"); // Update a bunch of data var toUpdate = toInsert; bulk = coll.initializeUnorderedBulkOp(); -for( var i = 0; i < toUpdate; i++ ){ - var id = coll.findOne({ insert : i })._id; - bulk.find({ insert : i, _id : id }).update({ $inc : { counter : 1 } }); +for (var i = 0; i < toUpdate; i++) { + var id = coll.findOne({insert: i})._id; + bulk.find({insert: i, _id: id}).update({$inc: {counter: 1}}); } assert.writeOK(bulk.execute()); -print( "starting deletion" ); +print("starting deletion"); // Remove a bunch of data var toDelete = toInsert / 2; bulk = coll.initializeUnorderedBulkOp(); -for( var i = 0; i < toDelete; i++ ){ - bulk.find({ insert : i }).remove(); +for (var i = 0; i < toDelete; i++) { + bulk.find({insert: i}).remove(); } assert.writeOK(bulk.execute()); // Make sure the right amount of data is there -assert.eq( coll.find().count(), toInsert / 2 ); +assert.eq(coll.find().count(), toInsert / 2); // Finish st.stop(); diff --git a/jstests/ssl/ssl_cert_password.js b/jstests/ssl/ssl_cert_password.js index b50fec9101c..772038f9970 100644 --- a/jstests/ssl/ssl_cert_password.js +++ b/jstests/ssl/ssl_cert_password.js @@ -11,20 +11,26 @@ resetDbpath(dbpath); mkdir(external_scratch_dir); // Password is correct -var md = MongoRunner.runMongod({nopreallocj: "", - dbpath: dbpath, - sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/password_protected.pem", - sslPEMKeyPassword: "qwerty"}); +var md = MongoRunner.runMongod({ + nopreallocj: "", + dbpath: dbpath, + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/password_protected.pem", + sslPEMKeyPassword: "qwerty" +}); // MongoRunner.runMongod connects a Mongo shell, so if we get here, the test is successful. - // Password incorrect; error logged is: // error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt -var exit_code = runMongoProgram("mongo", "--port", md.port, - "--ssl", "--sslAllowInvalidCertificates", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "barf"); +var exit_code = runMongoProgram("mongo", + "--port", + md.port, + "--ssl", + "--sslAllowInvalidCertificates", + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "barf"); // 1 is the exit code for failure assert(exit_code == 1); @@ -32,69 +38,95 @@ assert(exit_code == 1); // Test that mongodump and mongorestore support ssl c = md.getDB("dumprestore_ssl").getCollection("foo"); assert.eq(0, c.count(), "dumprestore_ssl.foo collection is not initially empty"); -c.save({ a : 22 }); +c.save({a: 22}); assert.eq(1, c.count(), "failed to insert document into dumprestore_ssl.foo collection"); -exit_code = runMongoProgram("mongodump", "--out", external_scratch_dir, - "--port", md.port, +exit_code = runMongoProgram("mongodump", + "--out", + external_scratch_dir, + "--port", + md.port, "--ssl", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "qwerty"); + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "qwerty"); assert.eq(exit_code, 0, "Failed to start mongodump with ssl"); c.drop(); assert.eq(0, c.count(), "dumprestore_ssl.foo collection is not empty after drop"); -exit_code = runMongoProgram("mongorestore", "--dir", external_scratch_dir, - "--port", md.port, +exit_code = runMongoProgram("mongorestore", + "--dir", + external_scratch_dir, + "--port", + md.port, "--ssl", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "qwerty"); + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "qwerty"); assert.eq(exit_code, 0, "Failed to start mongorestore with ssl"); assert.soon("c.findOne()", "no data after sleep. Expected a document after calling mongorestore"); -assert.eq(1, c.count(), +assert.eq(1, + c.count(), "did not find expected document in dumprestore_ssl.foo collection after mongorestore"); -assert.eq(22, c.findOne().a, - "did not find correct value in document after mongorestore"); +assert.eq(22, c.findOne().a, "did not find correct value in document after mongorestore"); // Test that mongoimport and mongoexport support ssl var exportimport_ssl_dbname = "exportimport_ssl"; c = md.getDB(exportimport_ssl_dbname).getCollection("foo"); assert.eq(0, c.count(), "exportimport_ssl.foo collection is not initially empty"); -c.save({ a : 22 }); +c.save({a: 22}); assert.eq(1, c.count(), "failed to insert document into exportimport_ssl.foo collection"); var exportimport_file = "data.json"; -exit_code = runMongoProgram("mongoexport", "--out", external_scratch_dir + exportimport_file, - "-d", exportimport_ssl_dbname, "-c", "foo", - "--port", md.port, +exit_code = runMongoProgram("mongoexport", + "--out", + external_scratch_dir + exportimport_file, + "-d", + exportimport_ssl_dbname, + "-c", + "foo", + "--port", + md.port, "--ssl", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "qwerty"); + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "qwerty"); assert.eq(exit_code, 0, "Failed to start mongoexport with ssl"); c.drop(); assert.eq(0, c.count(), "afterdrop", "-d", exportimport_ssl_dbname, "-c", "foo"); -exit_code = runMongoProgram("mongoimport", "--file", external_scratch_dir + exportimport_file, - "-d", exportimport_ssl_dbname, "-c", "foo", - "--port", md.port, +exit_code = runMongoProgram("mongoimport", + "--file", + external_scratch_dir + exportimport_file, + "-d", + exportimport_ssl_dbname, + "-c", + "foo", + "--port", + md.port, "--ssl", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "qwerty"); + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "qwerty"); assert.eq(exit_code, 0, "Failed to start mongoimport with ssl"); assert.soon("c.findOne()", "no data after sleep. Expected a document after calling mongoimport"); -assert.eq(1, c.count(), +assert.eq(1, + c.count(), "did not find expected document in dumprestore_ssl.foo collection after mongoimport"); -assert.eq(22, c.findOne().a, - "did not find correct value in document after mongoimport"); +assert.eq(22, c.findOne().a, "did not find correct value in document after mongoimport"); // Test that mongofiles supports ssl var mongofiles_ssl_dbname = "mongofiles_ssl"; @@ -103,11 +135,18 @@ mongofiles_db = md.getDB(mongofiles_ssl_dbname); source_filename = 'jstests/ssl/ssl_cert_password.js'; filename = 'ssl_cert_password.js'; -exit_code = runMongoProgram("mongofiles", "-d", mongofiles_ssl_dbname, "put", source_filename, - "--port", md.port, +exit_code = runMongoProgram("mongofiles", + "-d", + mongofiles_ssl_dbname, + "put", + source_filename, + "--port", + md.port, "--ssl", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "qwerty"); + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "qwerty"); assert.eq(exit_code, 0, "Failed to start mongofiles with ssl"); @@ -120,12 +159,20 @@ md5_computed = mongofiles_db.runCommand({filemd5: file_obj._id}).md5; assert.eq(md5, md5_stored, "md5 incorrect for file"); assert.eq(md5, md5_computed, "md5 computed incorrectly by server"); -exit_code = runMongoProgram("mongofiles", "-d", mongofiles_ssl_dbname, "get", source_filename, - "-l", external_scratch_dir + filename, - "--port", md.port, +exit_code = runMongoProgram("mongofiles", + "-d", + mongofiles_ssl_dbname, + "get", + source_filename, + "-l", + external_scratch_dir + filename, + "--port", + md.port, "--ssl", - "--sslPEMKeyFile", "jstests/libs/password_protected.pem", - "--sslPEMKeyPassword", "qwerty"); + "--sslPEMKeyFile", + "jstests/libs/password_protected.pem", + "--sslPEMKeyPassword", + "qwerty"); assert.eq(exit_code, 0, "Failed to start mongofiles with ssl"); diff --git a/jstests/ssl/ssl_crl.js b/jstests/ssl/ssl_crl.js index 96c12b91bb9..9f70ba91b2b 100644 --- a/jstests/ssl/ssl_crl.js +++ b/jstests/ssl/ssl_crl.js @@ -8,20 +8,12 @@ load("jstests/libs/ssl_test.js"); var testUnrevoked = new SSLTest( // Server option overrides - { - sslMode: "requireSSL", - sslCRLFile: "jstests/libs/crl.pem" - } -); + {sslMode: "requireSSL", sslCRLFile: "jstests/libs/crl.pem"}); assert(testUnrevoked.connectWorked()); var testRevoked = new SSLTest( // Server option overrides - { - sslMode: "requireSSL", - sslCRLFile: "jstests/libs/crl_expired.pem" - } -); + {sslMode: "requireSSL", sslCRLFile: "jstests/libs/crl_expired.pem"}); assert(!testRevoked.connectWorked()); diff --git a/jstests/ssl/ssl_crl_revoked.js b/jstests/ssl/ssl_crl_revoked.js index 97ab29bf46e..cfe5d03d285 100644 --- a/jstests/ssl/ssl_crl_revoked.js +++ b/jstests/ssl/ssl_crl_revoked.js @@ -2,16 +2,23 @@ // Note: crl_client_revoked.pem is a CRL with the client.pem certificate listed as revoked. // This test should test that the user cannot connect with client.pem certificate. -var md = MongoRunner.runMongod({sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", - sslCRLFile: "jstests/libs/crl_client_revoked.pem"}); +var md = MongoRunner.runMongod({ + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem", + sslCRLFile: "jstests/libs/crl_client_revoked.pem" +}); -var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates", - "--sslPEMKeyFile", "jstests/libs/client_revoked.pem", - "--eval", ";"); +var mongo = runMongoProgram("mongo", + "--port", + md.port, + "--ssl", + "--sslAllowInvalidCertificates", + "--sslPEMKeyFile", + "jstests/libs/client_revoked.pem", + "--eval", + ";"); // 1 is the exit code for the shell failing to connect, which is what we want // for a successful test. -assert(mongo==1); - +assert(mongo == 1); diff --git a/jstests/ssl/ssl_fips.js b/jstests/ssl/ssl_fips.js index 2630377fe36..9b3e4b94c96 100644 --- a/jstests/ssl/ssl_fips.js +++ b/jstests/ssl/ssl_fips.js @@ -1,27 +1,31 @@ // Test mongod start with FIPS mode enabled var port = allocatePort(); -var md = MongoRunner.runMongod({port: port, - sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", - sslFIPSMode: ""}); +var md = MongoRunner.runMongod({ + port: port, + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem", + sslFIPSMode: "" +}); var mongo = runMongoProgram("mongo", - "--port", port, + "--port", + port, "--ssl", "--sslAllowInvalidCertificates", - "--sslPEMKeyFile", "jstests/libs/client.pem", + "--sslPEMKeyFile", + "jstests/libs/client.pem", "--sslFIPSMode", - "--eval", ";"); + "--eval", + ";"); // if mongo shell didn't start/connect properly if (mongo != 0) { print("mongod failed to start, checking for FIPS support"); mongoOutput = rawMongoProgramOutput(); assert(mongoOutput.match(/this version of mongodb was not compiled with FIPS support/) || - mongoOutput.match(/FIPS_mode_set:fips mode not supported/)); -} -else { + mongoOutput.match(/FIPS_mode_set:fips mode not supported/)); +} else { // verify that auth works, SERVER-18051 md.getDB("admin").createUser({user: "root", pwd: "root", roles: ["root"]}); assert(md.getDB("admin").auth("root", "root"), "auth failed"); diff --git a/jstests/ssl/ssl_hostname_validation.js b/jstests/ssl/ssl_hostname_validation.js index 7c60226f0ec..ab727320744 100644 --- a/jstests/ssl/ssl_hostname_validation.js +++ b/jstests/ssl/ssl_hostname_validation.js @@ -1,53 +1,62 @@ // Test SSL server certificate hostname validation -// for client-server and server-server connections -var CA_CERT = "jstests/libs/ca.pem"; +// for client-server and server-server connections +var CA_CERT = "jstests/libs/ca.pem"; var SERVER_CERT = "jstests/libs/server.pem"; -var CN_CERT = "jstests/libs/localhostnameCN.pem"; -var SAN_CERT = "jstests/libs/localhostnameSAN.pem"; +var CN_CERT = "jstests/libs/localhostnameCN.pem"; +var SAN_CERT = "jstests/libs/localhostnameSAN.pem"; var CLIENT_CERT = "jstests/libs/client.pem"; var BAD_SAN_CERT = "jstests/libs/badSAN.pem"; function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSucceed) { - var mongod = MongoRunner.runMongod({sslMode: "requireSSL", - sslPEMKeyFile: certPath, - sslCAFile: CA_CERT}); + var mongod = MongoRunner.runMongod( + {sslMode: "requireSSL", sslPEMKeyFile: certPath, sslCAFile: CA_CERT}); var mongo; if (allowInvalidCert) { mongo = runMongoProgram("mongo", - "--port", mongod.port, + "--port", + mongod.port, "--ssl", - "--sslCAFile", CA_CERT, - "--sslPEMKeyFile", CLIENT_CERT, + "--sslCAFile", + CA_CERT, + "--sslPEMKeyFile", + CLIENT_CERT, "--sslAllowInvalidCertificates", - "--eval", ";"); - } - else if (allowInvalidHost) { + "--eval", + ";"); + } else if (allowInvalidHost) { mongo = runMongoProgram("mongo", - "--port", mongod.port, + "--port", + mongod.port, "--ssl", - "--sslCAFile", CA_CERT, - "--sslPEMKeyFile", CLIENT_CERT, + "--sslCAFile", + CA_CERT, + "--sslPEMKeyFile", + CLIENT_CERT, "--sslAllowInvalidHostnames", - "--eval", ";"); + "--eval", + ";"); } else { mongo = runMongoProgram("mongo", - "--port", mongod.port, + "--port", + mongod.port, "--ssl", - "--sslCAFile", CA_CERT, - "--sslPEMKeyFile", CLIENT_CERT, - "--eval", ";"); + "--sslCAFile", + CA_CERT, + "--sslPEMKeyFile", + CLIENT_CERT, + "--eval", + ";"); } if (shouldSucceed) { // runMongoProgram returns 0 on success - assert.eq(0, mongo, "Connection attempt failed when it should succeed certPath: " + - certPath); - } - else { + assert.eq( + 0, mongo, "Connection attempt failed when it should succeed certPath: " + certPath); + } else { // runMongoProgram returns 1 on failure - assert.eq(1, mongo, "Connection attempt succeeded when it should fail certPath: " + - certPath); + assert.eq( + 1, mongo, "Connection attempt succeeded when it should fail certPath: " + certPath); } MongoRunner.stopMongod(mongod.port); } @@ -67,35 +76,43 @@ testCombination(SERVER_CERT, true, true, true); testCombination(BAD_SAN_CERT, false, false, false); // 2. Initiate ReplSetTest with invalid certs -ssl_options = {sslMode : "requireSSL", - // SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS - sslPEMKeyFile : CLIENT_CERT, - sslCAFile: CA_CERT}; +ssl_options = { + sslMode: "requireSSL", + // SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS + sslPEMKeyFile: CLIENT_CERT, + sslCAFile: CA_CERT +}; -replTest = new ReplSetTest({nodes : {node0 : ssl_options, node1 : ssl_options}}); +replTest = new ReplSetTest({nodes: {node0: ssl_options, node1: ssl_options}}); replTest.startSet(); -assert.throws( function() { replTest.initiate(); } ); +assert.throws(function() { + replTest.initiate(); +}); replTest.stopSet(); // 3. Initiate ReplSetTest with invalid certs but set allowInvalidHostnames -ssl_options = {sslMode : "requireSSL", - sslPEMKeyFile : SERVER_CERT, - sslCAFile: CA_CERT, - sslAllowInvalidHostnames: ""}; +ssl_options = { + sslMode: "requireSSL", + sslPEMKeyFile: SERVER_CERT, + sslCAFile: CA_CERT, + sslAllowInvalidHostnames: "" +}; -var replTest = new ReplSetTest({nodes : {node0 : ssl_options, node1 : ssl_options}}); +var replTest = new ReplSetTest({nodes: {node0: ssl_options, node1: ssl_options}}); replTest.startSet(); replTest.initiate(); replTest.stopSet(); // 4. Initiate ReplSetTest with invalid certs but set allowInvalidCertificates -ssl_options = {sslMode : "requireSSL", - // SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS - sslPEMKeyFile : SERVER_CERT, - sslCAFile: CA_CERT, - sslAllowInvalidCertificates: ""}; +ssl_options = { + sslMode: "requireSSL", + // SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS + sslPEMKeyFile: SERVER_CERT, + sslCAFile: CA_CERT, + sslAllowInvalidCertificates: "" +}; -var replTest = new ReplSetTest({nodes : {node0 : ssl_options, node1 : ssl_options}}); +var replTest = new ReplSetTest({nodes: {node0: ssl_options, node1: ssl_options}}); replTest.startSet(); replTest.initiate(); replTest.stopSet(); diff --git a/jstests/ssl/ssl_invalid_server_cert.js b/jstests/ssl/ssl_invalid_server_cert.js index 6487d0f99b2..c6b9642ea54 100644 --- a/jstests/ssl/ssl_invalid_server_cert.js +++ b/jstests/ssl/ssl_invalid_server_cert.js @@ -4,15 +4,19 @@ // This test ensures that a mongod will not start with a certificate that is // not yet valid. Tested certificate will become valid 06-17-2020. -var md = MongoRunner.runMongod({sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/not_yet_valid.pem", - sslCAFile: "jstests/libs/ca.pem"}); +var md = MongoRunner.runMongod({ + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/not_yet_valid.pem", + sslCAFile: "jstests/libs/ca.pem" +}); assert.eq(null, md, "Possible to start mongod with not yet valid certificate."); // This test ensures that a mongod with SSL will not start with an expired certificate. -md = MongoRunner.runMongod({sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/expired.pem", - sslCAFile: "jstests/libs/ca.pem"}); +md = MongoRunner.runMongod({ + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/expired.pem", + sslCAFile: "jstests/libs/ca.pem" +}); assert.eq(null, md, "Possible to start mongod with expired certificate"); diff --git a/jstests/ssl/ssl_options.js b/jstests/ssl/ssl_options.js index 1881114b482..571f854851b 100644 --- a/jstests/ssl/ssl_options.js +++ b/jstests/ssl/ssl_options.js @@ -2,11 +2,13 @@ var baseName = "jstests_ssl_ssl_options"; jsTest.log("Testing censorship of ssl options"); -var mongodConfig = { sslPEMKeyFile : "jstests/libs/password_protected.pem", - sslMode : "requireSSL", - sslPEMKeyPassword : "qwerty", - sslClusterPassword : "qwerty", - sslCAFile: "jstests/libs/ca.pem"}; +var mongodConfig = { + sslPEMKeyFile: "jstests/libs/password_protected.pem", + sslMode: "requireSSL", + sslPEMKeyPassword: "qwerty", + sslClusterPassword: "qwerty", + sslCAFile: "jstests/libs/ca.pem" +}; var mongodSource = MongoRunner.runMongod(mongodConfig); var getCmdLineOptsResult = mongodSource.adminCommand("getCmdLineOpts"); @@ -15,7 +17,8 @@ var i; var isPassword = false; for (i = 0; i < getCmdLineOptsResult.argv.length; i++) { if (isPassword) { - assert.eq(getCmdLineOptsResult.argv[i], "<password>", + assert.eq(getCmdLineOptsResult.argv[i], + "<password>", "Password not properly censored: " + tojson(getCmdLineOptsResult)); isPassword = false; continue; @@ -26,9 +29,11 @@ for (i = 0; i < getCmdLineOptsResult.argv.length; i++) { isPassword = true; } } -assert.eq(getCmdLineOptsResult.parsed.net.ssl.PEMKeyPassword, "<password>", +assert.eq(getCmdLineOptsResult.parsed.net.ssl.PEMKeyPassword, + "<password>", "Password not properly censored: " + tojson(getCmdLineOptsResult)); -assert.eq(getCmdLineOptsResult.parsed.net.ssl.clusterPassword, "<password>", +assert.eq(getCmdLineOptsResult.parsed.net.ssl.clusterPassword, + "<password>", "Password not properly censored: " + tojson(getCmdLineOptsResult)); MongoRunner.stopMongod(mongodSource.port); diff --git a/jstests/ssl/ssl_weak.js b/jstests/ssl/ssl_weak.js index 5a239a6d13c..c5ea8a27a6e 100644 --- a/jstests/ssl/ssl_weak.js +++ b/jstests/ssl/ssl_weak.js @@ -4,34 +4,43 @@ // Test that connecting with no client certificate and --sslAllowConnectionsWithoutCertificates // (an alias for sslWeakCertificateValidation) connects successfully. -var md = MongoRunner.runMongod({sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", - sslAllowConnectionsWithoutCertificates: ""}); +var md = MongoRunner.runMongod({ + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem", + sslAllowConnectionsWithoutCertificates: "" +}); -var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates", - "--eval", ";"); +var mongo = runMongoProgram( + "mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates", "--eval", ";"); // 0 is the exit code for success -assert(mongo==0); +assert(mongo == 0); // Test that connecting with a valid client certificate connects successfully. -mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates", - "--sslPEMKeyFile", "jstests/libs/client.pem", - "--eval", ";"); +mongo = runMongoProgram("mongo", + "--port", + md.port, + "--ssl", + "--sslAllowInvalidCertificates", + "--sslPEMKeyFile", + "jstests/libs/client.pem", + "--eval", + ";"); // 0 is the exit code for success -assert(mongo==0); - +assert(mongo == 0); // Test that connecting with no client certificate and no --sslAllowConnectionsWithoutCertificates // fails to connect. -var md2 = MongoRunner.runMongod({sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem"}); +var md2 = MongoRunner.runMongod({ + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem" +}); -mongo = runMongoProgram("mongo", "--port", md2.port, "--ssl", "--sslAllowInvalidCertificates", - "--eval", ";"); +mongo = runMongoProgram( + "mongo", "--port", md2.port, "--ssl", "--sslAllowInvalidCertificates", "--eval", ";"); // 1 is the exit code for failure -assert(mongo==1); +assert(mongo == 1); diff --git a/jstests/ssl/ssl_without_ca.js b/jstests/ssl/ssl_without_ca.js index 87e69eed7e4..0e865cc5fee 100644 --- a/jstests/ssl/ssl_without_ca.js +++ b/jstests/ssl/ssl_without_ca.js @@ -5,27 +5,30 @@ var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=c jsTest.log("Assert x509 auth is not allowed when a standalone mongod is run without a CA file."); // allowSSL instead of requireSSL so that the non-SSL connection succeeds. -var conn = MongoRunner.runMongod({sslMode: 'allowSSL', - sslPEMKeyFile: SERVER_CERT, - auth: ''}); +var conn = MongoRunner.runMongod({sslMode: 'allowSSL', sslPEMKeyFile: SERVER_CERT, auth: ''}); var external = conn.getDB('$external'); external.createUser({ user: CLIENT_USER, roles: [ - {'role':'userAdminAnyDatabase', 'db':'admin'}, - {'role':'readWriteAnyDatabase', 'db':'admin'} - ]}); + {'role': 'userAdminAnyDatabase', 'db': 'admin'}, + {'role': 'readWriteAnyDatabase', 'db': 'admin'} + ] +}); // Should not be able to authenticate with x509. // Authenticate call will return 1 on success, 0 on error. -var exitStatus = runMongoProgram('mongo', '--ssl', '--sslAllowInvalidCertificates', - '--sslPEMKeyFile', CLIENT_CERT, - '--port', conn.port, - '--eval', ('quit(db.getSisterDB("$external").auth({' + - 'user: "' + CLIENT_USER + '" ,' + - 'mechanism: "MONGODB-X509"}));' - )); +var exitStatus = runMongoProgram('mongo', + '--ssl', + '--sslAllowInvalidCertificates', + '--sslPEMKeyFile', + CLIENT_CERT, + '--port', + conn.port, + '--eval', + ('quit(db.getSisterDB("$external").auth({' + + 'user: "' + CLIENT_USER + '" ,' + + 'mechanism: "MONGODB-X509"}));')); assert.eq(exitStatus, 0, "authentication via MONGODB-X509 without CA succeeded"); @@ -33,17 +36,21 @@ MongoRunner.stopMongod(conn.port); jsTest.log("Assert mongod doesn\'t start with CA file missing and clusterAuthMode=x509."); -var sslParams = {clusterAuthMode: 'x509', sslMode: 'requireSSL', sslPEMKeyFile: SERVER_CERT}; +var sslParams = { + clusterAuthMode: 'x509', + sslMode: 'requireSSL', + sslPEMKeyFile: SERVER_CERT +}; var conn = MongoRunner.runMongod(sslParams); assert.isnull(conn, "server started with x509 clusterAuthMode but no CA file"); jsTest.log("Assert mongos doesn\'t start with CA file missing and clusterAuthMode=x509."); assert.throws(function() { - new ShardingTest({shards: 1, mongos: 1, verbose: 2, - other: {configOptions: sslParams, - mongosOptions: sslParams, - shardOptions: sslParams}}); - }, - null, - "mongos started with x509 clusterAuthMode but no CA file"); + new ShardingTest({ + shards: 1, + mongos: 1, + verbose: 2, + other: {configOptions: sslParams, mongosOptions: sslParams, shardOptions: sslParams} + }); +}, null, "mongos started with x509 clusterAuthMode but no CA file"); diff --git a/jstests/ssl/upgrade_to_ssl.js b/jstests/ssl/upgrade_to_ssl.js index 0c4a2caf222..f1f8409b2a5 100644 --- a/jstests/ssl/upgrade_to_ssl.js +++ b/jstests/ssl/upgrade_to_ssl.js @@ -10,24 +10,26 @@ load("jstests/ssl/libs/ssl_helpers.js"); // "sslAllowInvalidCertificates" is enabled to avoid hostname conflicts with our testing certs -var opts = {sslMode:"allowSSL", - sslPEMKeyFile: SERVER_CERT, - sslAllowInvalidCertificates: "", - sslAllowConnectionsWithoutCertificates: "", - sslCAFile: "jstests/libs/ca.pem"}; -var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : opts }); +var opts = { + sslMode: "allowSSL", + sslPEMKeyFile: SERVER_CERT, + sslAllowInvalidCertificates: "", + sslAllowConnectionsWithoutCertificates: "", + sslCAFile: "jstests/libs/ca.pem" +}; +var rst = new ReplSetTest({name: 'sslSet', nodes: 3, nodeOptions: opts}); rst.startSet(); rst.initiate(); var rstConn1 = rst.getPrimary(); -rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"}); +rstConn1.getDB("test").a.insert({a: 1, str: "TESTTESTTEST"}); assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet"); print("===== UPGRADE allowSSL -> preferSSL ====="); opts.sslMode = "preferSSL"; rst.upgradeSet(opts); var rstConn2 = rst.getPrimary(); -rstConn2.getDB("test").a.insert({a:2, str:"CHECKCHECK"}); +rstConn2.getDB("test").a.insert({a: 2, str: "CHECKCHECK"}); assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet"); // Check that non-ssl connections can still be made @@ -38,10 +40,10 @@ print("===== UPGRADE preferSSL -> requireSSL ====="); opts.sslMode = "requireSSL"; rst.upgradeSet(opts); var rstConn3 = rst.getPrimary(); -rstConn3.getDB("test").a.insert({a:3, str:"GREENEGGSANDHAM"}); +rstConn3.getDB("test").a.insert({a: 3, str: "GREENEGGSANDHAM"}); assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet"); // Check that ssl connections can be made -var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], - "--ssl", "--sslAllowInvalidCertificates", "--eval", ";"); +var canConnectSSL = runMongoProgram( + "mongo", "--port", rst.ports[0], "--ssl", "--sslAllowInvalidCertificates", "--eval", ";"); assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed"); diff --git a/jstests/ssl/upgrade_to_x509_ssl.js b/jstests/ssl/upgrade_to_x509_ssl.js index 2ff79bcd7bf..e9d79859077 100644 --- a/jstests/ssl/upgrade_to_x509_ssl.js +++ b/jstests/ssl/upgrade_to_x509_ssl.js @@ -19,35 +19,46 @@ function authAllNodes() { load("jstests/ssl/libs/ssl_helpers.js"); -opts = {sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT, - sslAllowInvalidCertificates: "", - clusterAuthMode:"sendKeyFile", keyFile: KEYFILE, - sslCAFile: CA_CERT}; +opts = { + sslMode: "allowSSL", + sslPEMKeyFile: SERVER_CERT, + sslAllowInvalidCertificates: "", + clusterAuthMode: "sendKeyFile", + keyFile: KEYFILE, + sslCAFile: CA_CERT +}; var NUM_NODES = 3; -var rst = new ReplSetTest({ name: 'sslSet', nodes: NUM_NODES, nodeOptions : opts }); +var rst = new ReplSetTest({name: 'sslSet', nodes: NUM_NODES, nodeOptions: opts}); rst.startSet(); rst.initiate(); // Connect to master and do some basic operations var rstConn1 = rst.getPrimary(); print("Performing basic operations on master."); -rstConn1.getDB("admin").createUser({user:"root", pwd:"pwd", roles:["root"]}, {w: NUM_NODES}); +rstConn1.getDB("admin").createUser({user: "root", pwd: "pwd", roles: ["root"]}, {w: NUM_NODES}); rstConn1.getDB("admin").auth("root", "pwd"); -rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"}); -rstConn1.getDB("test").a.insert({a:1, str:"WOOPWOOPWOOPWOOPWOOP"}); +rstConn1.getDB("test").a.insert({a: 1, str: "TESTTESTTEST"}); +rstConn1.getDB("test").a.insert({a: 1, str: "WOOPWOOPWOOPWOOPWOOP"}); assert.eq(2, rstConn1.getDB("test").a.count(), "Error interacting with replSet"); print("===== UPGRADE allowSSL,sendKeyfile -> preferSSL,sendX509 ====="); authAllNodes(); rst.awaitReplication(); -rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT, - sslAllowInvalidCertificates: "", - clusterAuthMode:"sendX509", keyFile: KEYFILE, - sslCAFile: CA_CERT}, "root", "pwd"); +rst.upgradeSet( + { + sslMode: "preferSSL", + sslPEMKeyFile: SERVER_CERT, + sslAllowInvalidCertificates: "", + clusterAuthMode: "sendX509", + keyFile: KEYFILE, + sslCAFile: CA_CERT + }, + "root", + "pwd"); // The upgradeSet call restarts the nodes so we need to reauthenticate. authAllNodes(); var rstConn3 = rst.getPrimary(); -rstConn3.getDB("test").a.insert({a:3, str:"TESTTESTTEST"}); +rstConn3.getDB("test").a.insert({a: 3, str: "TESTTESTTEST"}); assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet"); rst.awaitReplication(); // Test that a non-ssl connection can still be made @@ -55,11 +66,18 @@ var canConnectNoSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--eval", assert.eq(0, canConnectNoSSL, "SSL Connection attempt failed when it should succeed"); print("===== UPGRADE preferSSL,sendX509 -> requireSSL,x509 ====="); -rst.upgradeSet({sslMode:"requireSSL", sslPEMKeyFile: SERVER_CERT, - sslAllowInvalidCertificates: "", - clusterAuthMode:"x509", keyFile: KEYFILE, - sslCAFile: CA_CERT}, "root", "pwd"); +rst.upgradeSet( + { + sslMode: "requireSSL", + sslPEMKeyFile: SERVER_CERT, + sslAllowInvalidCertificates: "", + clusterAuthMode: "x509", + keyFile: KEYFILE, + sslCAFile: CA_CERT + }, + "root", + "pwd"); authAllNodes(); var rstConn4 = rst.getPrimary(); -rstConn4.getDB("test").a.insert({a:4, str:"TESTTESTTEST"}); +rstConn4.getDB("test").a.insert({a: 4, str: "TESTTESTTEST"}); assert.eq(4, rstConn4.getDB("test").a.count(), "Error interacting with replSet"); diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js index 769909f14b4..82c726fc0fd 100644 --- a/jstests/ssl/x509_client.js +++ b/jstests/ssl/x509_client.js @@ -1,21 +1,23 @@ // Check if this build supports the authenticationMechanisms startup parameter. -var conn = MongoRunner.runMongod({smallfiles: "", - auth: "", - sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem"}); +var conn = MongoRunner.runMongod({ + smallfiles: "", + auth: "", + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: "jstests/libs/ca.pem" +}); conn.getDB('admin').createUser({user: "root", pwd: "pass", roles: ["root"]}); conn.getDB('admin').auth("root", "pass"); var cmdOut = conn.getDB('admin').runCommand({getParameter: 1, authenticationMechanisms: 1}); if (cmdOut.ok) { - TestData.authMechanism = "MONGODB-X509"; // SERVER-10353 + TestData.authMechanism = "MONGODB-X509"; // SERVER-10353 } conn.getDB('admin').dropAllUsers(); conn.getDB('admin').logout(); MongoRunner.stopMongod(conn); var SERVER_CERT = "jstests/libs/server.pem"; -var CA_CERT = "jstests/libs/ca.pem"; +var CA_CERT = "jstests/libs/ca.pem"; var SERVER_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=server"; var INTERNAL_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=internal"; @@ -27,49 +29,59 @@ function authAndTest(mongo) { test = mongo.getDB("test"); // It should be impossible to create users with the same name as the server's subject - assert.throws( function() { - external.createUser({user: SERVER_USER, - roles: [{'role':'userAdminAnyDatabase', 'db':'admin'}] - }); + assert.throws(function() { + external.createUser( + {user: SERVER_USER, roles: [{'role': 'userAdminAnyDatabase', 'db': 'admin'}]}); }, {}, "Created user with same name as the server's x.509 subject"); // It should be impossible to create users with names recognized as cluster members - assert.throws( function() { - external.createUser({user: INTERNAL_USER, - roles: [{'role':'userAdminAnyDatabase', 'db':'admin'}] - }); + assert.throws(function() { + external.createUser( + {user: INTERNAL_USER, roles: [{'role': 'userAdminAnyDatabase', 'db': 'admin'}]}); }, {}, "Created user which would be recognized as a cluster member"); // Add user using localhost exception - external.createUser({user: CLIENT_USER, roles:[ - {'role':'userAdminAnyDatabase', 'db':'admin'}, - {'role':'readWriteAnyDatabase', 'db':'admin'}]}); + external.createUser({ + user: CLIENT_USER, + roles: [ + {'role': 'userAdminAnyDatabase', 'db': 'admin'}, + {'role': 'readWriteAnyDatabase', 'db': 'admin'} + ] + }); // It should be impossible to create users with an internal name - assert.throws( function() {external.createUser({user: SERVER_USER, roles: [ - {'role':'userAdminAnyDatabase', 'db':'admin'}]});}); + assert.throws(function() { + external.createUser( + {user: SERVER_USER, roles: [{'role': 'userAdminAnyDatabase', 'db': 'admin'}]}); + }); // Localhost exception should not be in place anymore - assert.throws( function() { test.foo.findOne();}, {}, "read without login" ); + assert.throws(function() { + test.foo.findOne(); + }, {}, "read without login"); - assert( !external.auth({user: INVALID_CLIENT_USER, mechanism: 'MONGODB-X509'}), - "authentication with invalid user failed" ); - assert( external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}), - "authentication with valid user failed" ); + assert(!external.auth({user: INVALID_CLIENT_USER, mechanism: 'MONGODB-X509'}), + "authentication with invalid user failed"); + assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}), + "authentication with valid user failed"); // Check that we can add a user and read data - test.createUser({user: "test", pwd: "test", roles:[ - {'role': 'readWriteAnyDatabase', 'db': 'admin'}]}); + test.createUser( + {user: "test", pwd: "test", roles: [{'role': 'readWriteAnyDatabase', 'db': 'admin'}]}); test.foo.findOne(); external.logout(); - assert.throws( function() { test.foo.findOne();}, {}, "read after logout" ); + assert.throws(function() { + test.foo.findOne(); + }, {}, "read after logout"); } print("1. Testing x.509 auth to mongod"); -var x509_options = {sslMode : "requireSSL", - sslPEMKeyFile : SERVER_CERT, - sslCAFile : CA_CERT}; +var x509_options = { + sslMode: "requireSSL", + sslPEMKeyFile: SERVER_CERT, + sslCAFile: CA_CERT +}; var mongo = MongoRunner.runMongod(Object.merge(x509_options, {auth: ""})); @@ -78,14 +90,16 @@ MongoRunner.stopMongod(mongo.port); print("2. Testing x.509 auth to mongos"); -var st = new ShardingTest({ shards : 1, - mongos : 1, - other: { - extraOptions : {"keyFile" : "jstests/libs/key1"}, - configOptions : x509_options, - mongosOptions : x509_options, - shardOptions : x509_options, - useHostname: false, - }}); +var st = new ShardingTest({ + shards: 1, + mongos: 1, + other: { + extraOptions: {"keyFile": "jstests/libs/key1"}, + configOptions: x509_options, + mongosOptions: x509_options, + shardOptions: x509_options, + useHostname: false, + } +}); authAndTest(new Mongo("localhost:" + st.s0.port)); |