diff options
Diffstat (limited to 'jstests/sslSpecial/ssl_ecdsa_cert.js')
-rw-r--r-- | jstests/sslSpecial/ssl_ecdsa_cert.js | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/jstests/sslSpecial/ssl_ecdsa_cert.js b/jstests/sslSpecial/ssl_ecdsa_cert.js new file mode 100644 index 00000000000..000b042b319 --- /dev/null +++ b/jstests/sslSpecial/ssl_ecdsa_cert.js @@ -0,0 +1,73 @@ +load('jstests/ssl/libs/ssl_helpers.js'); + +const test = () => { + "use strict"; + + const ECDSA_CA_CERT = 'jstests/libs/ecdsa-ca.pem'; + const ECDSA_CLIENT_CERT = 'jstests/libs/ecdsa-client.pem'; + const ECDSA_SERVER_CERT = 'jstests/libs/ecdsa-server.pem'; + + const CLIENT_USER = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US'; + + print('Testing if platform supports usage of ECDSA certificates'); + const tlsOptions = { + tlsMode: 'preferTLS', + tlsPEMKeyFile: ECDSA_SERVER_CERT, + tlsCAFile: ECDSA_CA_CERT, + ipv6: '', + bind_ip_all: '', + waitForConnect: true, + tlsAllowConnectionsWithoutCertificates: "", + }; + + let mongod = MongoRunner.runMongod(tlsOptions); + + // Verify we can connect + assert.eq(0, + runMongoProgram('mongo', + '--tls', + '--tlsCAFile', + ECDSA_CA_CERT, + '--port', + mongod.port, + '--eval', + 'db.isMaster()'), + "mongo did not initialize properly"); + + // Add an X509 user + const addUserCmd = {createUser: CLIENT_USER, roles: [{role: 'root', db: 'admin'}]}; + assert.commandWorked(mongod.getDB('$external').runCommand(addUserCmd), + 'Failed to create X509 user using ECDSA certificates'); + + const command = function() { + assert(db.getSiblingDB('$external').auth({mechanism: 'MONGODB-X509', user: "CLIENT_USER"})); + + const connStatus = db.getSiblingDB('admin').runCommand({connectionStatus: 1}); + assert(connStatus.authInfo.authenticatedUsers[0].user === "CLIENT_USER"); + }; + + // Verify we can authenticate via X509 + assert.eq( + 0, + runMongoProgram('mongo', + '--tls', + '--tlsPEMKeyFile', + ECDSA_CLIENT_CERT, + '--tlsCAFile', + ECDSA_CA_CERT, + '--port', + mongod.port, + '--eval', + '(' + command.toString().replace(/CLIENT_USER/g, CLIENT_USER) + ')();'), + "ECDSA X509 authentication failed"); + MongoRunner.stopMongod(mongod); +}; + +const EXCLUDED_BUILDS = ['amazon', 'amzn64']; +if (EXCLUDED_BUILDS.includes(buildInfo().buildEnvironment.distmod)) { + print("*****************************************************"); + print("Skipping test because Amazon Linux does not support ECDSA certificates"); + print("*****************************************************"); +} else { + requireSSLProvider('openssl', test); +} |