Diffstat (limited to 'src')
-rw-r--r--src/mongo/util/net/SConscript2
-rw-r--r--src/mongo/util/net/ssl_options_client.cpp129
-rw-r--r--src/mongo/util/net/ssl_options_client.idl126
-rw-r--r--src/mongo/util/net/ssl_options_server.cpp222
-rw-r--r--src/mongo/util/net/ssl_options_server.idl187
-rw-r--r--src/mongo/util/net/ssl_options_test.cpp130
6 files changed, 402 insertions, 394 deletions
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index 9141e6eea81..69052eaad03 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -46,6 +46,7 @@ env.Library(
target='ssl_options_client',
source=[
'ssl_options_client.cpp',
+ env.Idlc('ssl_options_client.idl')[0],
],
LIBDEPS=[
'$BUILD_DIR/mongo/base',
@@ -60,6 +61,7 @@ env.Library(
target='ssl_options_server',
source=[
'ssl_options_server.cpp',
+ env.Idlc('ssl_options_server.idl')[0],
],
LIBDEPS=[
'$BUILD_DIR/mongo/base',
diff --git a/src/mongo/util/net/ssl_options_client.cpp b/src/mongo/util/net/ssl_options_client.cpp
index 36a34325cb1..58be48b7ba3 100644
--- a/src/mongo/util/net/ssl_options_client.cpp
+++ b/src/mongo/util/net/ssl_options_client.cpp
@@ -30,12 +30,9 @@
#include "mongo/platform/basic.h"
-#include "mongo/util/net/ssl_options.h"
-
-#include <boost/filesystem/operations.hpp>
-
#include "mongo/base/status.h"
#include "mongo/config.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/options_parser/startup_option_init.h"
#include "mongo/util/options_parser/startup_options.h"
@@ -44,138 +41,16 @@
#endif
using namespace mongo;
-namespace moe = mongo::optionenvironment;
-using std::string;
namespace {
-MONGO_GENERAL_STARTUP_OPTIONS_REGISTER(SSLClientOptions)(InitializerContext*) {
- auto& options = moe::startupOptions;
-
- options.addOptionChaining(
- "tls", "tls", moe::Switch, "use TLS for all connections", {"ssl"}, {"ssl"});
-
- options
- .addOptionChaining("tls.CAFile",
- "tlsCAFile",
- moe::String,
- "Certificate Authority file for TLS",
- {"ssl.CAFile"},
- {"sslCAFile"})
- .requires("tls");
-
- options
- .addOptionChaining("tls.PEMKeyFile",
- "tlsPEMKeyFile",
- moe::String,
- "PEM certificate/key file for TLS",
- {"ssl.PEMKeyFile"},
- {"sslPEMKeyFile"})
- .requires("tls");
-
- options
- .addOptionChaining("tls.PEMKeyPassword",
- "tlsPEMKeyPassword",
- moe::String,
- "Password for key in PEM file for TLS",
- {"ssl.PEMKeyPassword"},
- {"sslPEMKeyPassword"})
- .requires("tls");
-
- options
- .addOptionChaining("tls.CRLFile",
- "tlsCRLFile",
- moe::String,
- "Certificate Revocation List file for TLS",
- {"ssl.CRLFile"},
- {"sslCRLFile"})
- .requires("tls")
- .requires("tls.CAFile");
-
- options
- .addOptionChaining("net.tls.allowInvalidHostnames",
- "tlsAllowInvalidHostnames",
- moe::Switch,
- "Allow connections to servers with non-matching hostnames",
- {"net.ssl.allowInvalidHostnames"},
- {"sslAllowInvalidHostnames"})
- .requires("tls");
-
- options
- .addOptionChaining("tls.allowInvalidCertificates",
- "tlsAllowInvalidCertificates",
- moe::Switch,
- "Allow connections to servers with invalid certificates",
- {"ssl.allowInvalidCertificates"},
- {"sslAllowInvalidCertificates"})
- .requires("tls");
-
- options.addOptionChaining("tls.FIPSMode",
- "tlsFIPSMode",
- moe::Switch,
- "Activate FIPS 140-2 mode at startup",
- {"ssl.FIPSMode"},
- {"sslFIPSMode"});
-
-#ifdef MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS
- options
- .addOptionChaining("tls.certificateSelector",
- "tlsCertificateSelector",
- moe::String,
- "TLS Certificate in system store",
- {"ssl.certificateSelector"},
- {"sslCertificateSelector"})
- .incompatibleWith("tls.PEMKeyFile")
- .incompatibleWith("tls.PEMKeyPassword");
-#endif
-
- options.addOptionChaining(
- "tls.disabledProtocols",
- "tlsDisabledProtocols",
- moe::String,
- "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]",
- {"ssl.disabledProtocols"},
- {"sslDisabledProtocols"});
-
- return Status::OK();
-}
MONGO_STARTUP_OPTIONS_STORE(SSLClientOptions)(InitializerContext*) {
- const auto& params = moe::startupOptionsParsed;
+ const auto& params = mongo::optionenvironment::startupOptionsParsed;
if (params.count("tls") && params["tls"].as<bool>() == true) {
sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
}
- if (params.count("tls.PEMKeyFile")) {
- sslGlobalParams.sslPEMKeyFile = params["tls.PEMKeyFile"].as<std::string>();
- }
-
- if (params.count("tls.PEMKeyPassword")) {
- sslGlobalParams.sslPEMKeyPassword = params["tls.PEMKeyPassword"].as<std::string>();
- }
-
- if (params.count("tls.CAFile")) {
- sslGlobalParams.sslCAFile = params["tls.CAFile"].as<std::string>();
- }
-
- if (params.count("tls.CRLFile")) {
- sslGlobalParams.sslCRLFile = params["tls.CRLFile"].as<std::string>();
- }
-
-
- if (params.count("net.tls.allowInvalidHostnames")) {
- sslGlobalParams.sslAllowInvalidHostnames =
- params["net.tls.allowInvalidHostnames"].as<bool>();
- }
-
- if (params.count("tls.allowInvalidCertificates")) {
- sslGlobalParams.sslAllowInvalidCertificates = true;
- }
-
- if (params.count("tls.FIPSMode")) {
- sslGlobalParams.sslFIPSMode = true;
- }
-
if (params.count("tls.disabledProtocols")) {
const auto status =
storeSSLDisabledProtocols(params["tls.disabledProtocols"].as<std::string>());
diff --git a/src/mongo/util/net/ssl_options_client.idl b/src/mongo/util/net/ssl_options_client.idl
new file mode 100644
index 00000000000..a3652b73baf
--- /dev/null
+++ b/src/mongo/util/net/ssl_options_client.idl
@@ -0,0 +1,126 @@
+# Copyright (C) 2018-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/config.h"
+ - "mongo/util/net/ssl_options.h"
+ configs:
+ section: "TLS Options"
+ source: [ yaml, cli, ini ]
+
+imports:
+ - "mongo/idl/basic_types.idl"
+
+configs:
+ tls:
+ description: "use TLS for all connections"
+ short_name: tls
+ deprecated_name: ssl
+ deprecated_short_name: ssl
+ arg_vartype: Switch
+
+ "tls.PEMKeyFile":
+ description: "PEM certificate/key file for TLS"
+ short_name: tlsPEMKeyFile
+ deprecated_name: "ssl.PEMKeyFile"
+ deprecated_short_name: "sslPEMKeyFile"
+ arg_vartype: String
+ cpp_varname: "sslGlobalParams.sslPEMKeyFile"
+ requires: tls
+ "tls.PEMKeyPassword":
+ description: "Password for key in PEM file for TLS"
+ short_name: tlsPEMKeyPassword
+ deprecated_name: "ssl.PEMKeyPassword"
+ deprecated_short_name: sslPEMKeyPassword
+ arg_vartype: String
+ cpp_varname: "sslGlobalParams.sslPEMKeyPassword"
+ requires: tls
+
+ "tls.CAFile":
+ description: "Certificate Authority file for TLS"
+ short_name: tlsCAFile
+ deprecated_name: "ssl.CAFile"
+ deprecated_short_name: sslCAFile
+ arg_vartype: String
+ cpp_varname: "sslGlobalParams.sslCAFile"
+ requires: tls
+ "tls.CRLFile":
+ description: "Certificate Revocation List file for TLS"
+ short_name: tlsCRLFile
+ deprecated_name: "ssl.CRLFile"
+ deprecated_short_name: sslCRLFile
+ arg_vartype: String
+ cpp_varname: "sslGlobalParams.sslCRLFile"
+ requires: [ tls, "tls.CAFile" ]
+
+ "tls.allowInvalidHostnames":
+ description: "Allow connections to servers with non-matching hostnames"
+ short_name: tlsAllowInvalidHostnames
+ deprecated_name: "ssl.allowInvalidHostnames"
+ deprecated_short_name: sslAllowInvalidHostnames
+ arg_vartype: Switch
+ cpp_varname: "sslGlobalParams.sslAllowInvalidHostnames"
+ requires: tls
+ "tls.allowInvalidCertificates":
+ description: "Allow connections to servers with invalid certificates"
+ short_name: tlsAllowInvalidCertificates
+ deprecated_name: sslAllowInvalidCertificates
+ deprecated_short_name: sslAllowInvalidCertificates
+ arg_vartype: Switch
+ cpp_varname: "sslGlobalParams.sslAllowInvalidCertificates"
+ requires: tls
+
+ "tls.FIPSMode":
+ description: "Activate FIPS 140-2 mode at startup"
+ short_name: tlsFIPSMode
+ deprecated_name: "ssl.FIPSMode"
+ deprecated_short_name: sslFIPSMode
+ arg_vartype: Switch
+ cpp_varname: "sslGlobalParams.sslFIPSMode"
+ requires: tls
+
+ "tls.certificateSelector":
+ description: "TLS Certificate in system store"
+ short_name: tlsCertificateSelector
+ deprecated_name: "ssl.certificateSelector"
+ deprecated_short_name: sslCertificateSelector
+ arg_vartype: String
+ requires: tls
+ condition:
+ preprocessor: "defined(MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS)"
+
+ "tls.disabledProtocols":
+ description: "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]"
+ short_name: tlsDisabledProtocols
+ deprecated_name: "ssl.disabledProtocols"
+ deprecated_short_name: sslDisabledProtocols
+ arg_vartype: String
+ requires: tls
+
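Review bot: The `deprecated_name` for `tls.allowInvalidCertificates` is given as `sslAllowInvalidCertificates`, but the registration this file replaces accepted the dotted long name `ssl.allowInvalidCertificates` (the camel-case form is the short name, already listed one line below); it should read `deprecated_name: "ssl.allowInvalidCertificates"`, otherwise the legacy dotted key is no longer recognised. `tls.certificateSelector` has also lost the mutual-exclusion with `tls.PEMKeyFile` and `tls.PEMKeyPassword` that the removed C++ code enforced and that the server IDL in this same commit keeps; add `conflicts: [ "tls.PEMKeyFile", "tls.PEMKeyPassword" ]` under it so a file key and a store selector cannot be configured together. Finally, `tls.FIPSMode` and `tls.disabledProtocols` now carry `requires: tls`, which the old registration did not, so `--tlsFIPSMode` or `--tlsDisabledProtocols` without `--tls` will now be rejected; if that is intended it deserves a comment, if not the two `requires` lines should be dropped.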
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index bcca608e8bf..24d5c2a10da 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -54,170 +54,6 @@ using std::string;
// Export these to the process space for the sake of ssl_options_test.cpp
// but don't provide a header because we don't want to encourage use from elsewhere.
namespace mongo {
-Status addSSLServerOptions(moe::OptionSection* options) {
- options
- ->addOptionChaining("net.tls.tlsOnNormalPorts",
- "tlsOnNormalPorts",
- moe::Switch,
- "Use TLS on configured ports",
- {"net.ssl.sslOnNormalPorts"},
- {"sslOnNormalPorts"})
- .setSources(moe::SourceAllLegacy)
- .incompatibleWith("net.tls.mode")
- .incompatibleWith("net.ssl.mode");
-
- options
- ->addOptionChaining("net.tls.mode",
- "tlsMode",
- moe::String,
- "Set the TLS operation mode (disabled|allowTLS|preferTLS|requireTLS)")
- .incompatibleWith("net.ssl.mode");
- options
- ->addOptionChaining("net.ssl.mode",
- "sslMode",
- moe::String,
- "Set the TLS operation mode (disabled|allowSSL|preferSSL|requireSSL)")
- .incompatibleWith("net.tls.mode")
- .hidden();
-
- options->addOptionChaining("net.tls.PEMKeyFile",
- "tlsPEMKeyFile",
- moe::String,
- "PEM file for TLS",
- {"net.ssl.PEMKeyFile"},
- {"sslPEMKeyFile"});
-
- options
- ->addOptionChaining("net.tls.PEMKeyPassword",
- "tlsPEMKeyPassword",
- moe::String,
- "PEM file password",
- {"net.ssl.PEMKeyPassword"},
- {"sslPEMKeyPassword"})
- .setImplicit(moe::Value(std::string("")));
-
- options->addOptionChaining("net.tls.clusterFile",
- "tlsClusterFile",
- moe::String,
- "Key file for internal TLS authentication",
- {"net.ssl.clusterFile"},
- {"sslClusterFile"});
-
- options
- ->addOptionChaining("net.tls.clusterPassword",
- "tlsClusterPassword",
- moe::String,
- "Internal authentication key file password",
- {"net.ssl.clusterPassword"},
- {"sslClusterPassword"})
- .setImplicit(moe::Value(std::string("")));
-
- options->addOptionChaining("net.tls.CAFile",
- "tlsCAFile",
- moe::String,
- "Certificate Authority file for TLS",
- {"net.ssl.CAFile"},
- {"sslCAFile"});
-
- options->addOptionChaining("net.tls.clusterCAFile",
- "tlsClusterCAFile",
- moe::String,
- "CA used for verifying remotes during inbound connections",
- {"net.ssl.clusterCAFile"},
- {"sslClusterCAFile"});
-
- options->addOptionChaining("net.tls.CRLFile",
- "tlsCRLFile",
- moe::String,
- "Certificate Revocation List file for TLS",
- {"net.ssl.CRLFile"},
- {"sslCRLFile"});
-
- options
- ->addOptionChaining("net.tls.tlsCipherConfig",
- "tlsCipherConfig",
- moe::String,
- "OpenSSL cipher configuration string",
- {"net.ssl.sslCipherConfig"},
- {"sslCipherConfig"})
- .hidden();
-
- options->addOptionChaining(
- "net.tls.disabledProtocols",
- "tlsDisabledProtocols",
- moe::String,
- "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]",
- {"net.ssl.disabledProtocols"},
- {"sslDisabledProtocols"});
-
-
- options->addOptionChaining(
- "net.tls.logVersions",
- "tlsLogVersions",
- moe::String,
- "Comma separated list of TLS protocols to log on connect [TLS1_0,TLS1_1,TLS1_2]");
-
- options->addOptionChaining("net.tls.weakCertificateValidation",
- "tlsWeakCertificateValidation",
- moe::Switch,
- "Allow client to connect without presenting a certificate",
- {"net.ssl.weakCertificateValidation"},
- {"sslWeakCertificateValidation"});
-
- // Alias for --tlsWeakCertificateValidation.
- options->addOptionChaining("net.tls.allowConnectionsWithoutCertificates",
- "tlsAllowConnectionsWithoutCertificates",
- moe::Switch,
- "Allow client to connect without presenting a certificate",
- {"net.ssl.allowConnectionsWithoutCertificates"},
- {"sslAllowConnectionsWithoutCertificates"});
-
- options->addOptionChaining("net.tls.allowInvalidHostnames",
- "tlsAllowInvalidHostnames",
- moe::Switch,
- "Allow server certificates to provide non-matching hostnames",
- {"net.ssl.allowInvalidHostnames"},
- {"sslAllowInvalidHostnames"});
-
- options->addOptionChaining("net.tls.allowInvalidCertificates",
- "tlsAllowInvalidCertificates",
- moe::Switch,
- "Allow connections to servers with invalid certificates",
- {"net.ssl.allowInvalidCertificates"},
- {"sslAllowInvalidCertificates"});
-
- options->addOptionChaining("net.tls.FIPSMode",
- "tlsFIPSMode",
- moe::Switch,
- "Activate FIPS 140-2 mode at startup",
- {"net.ssl.FIPSMode"},
- {"sslFIPSMode"});
-
-#ifdef MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS
- options
- ->addOptionChaining("net.tls.certificateSelector",
- "tlsCertificateSelector",
- moe::String,
- "TLS Certificate in system store",
- {"net.ssl.certificateSelector"},
- {"sslCertificateSelector"})
- .incompatibleWith("net.tls.PEMKeyFile")
- .incompatibleWith("net.tls.PEMKeyPassword");
-
- options
- ->addOptionChaining("net.tls.clusterCertificateSelector",
- "tlsClusterCertificateSelector",
- moe::String,
- "SSL/TLS Certificate in system store for internal TLS authentication",
- {"net.ssl.clusterCertificateSelector"},
- {"sslClusterCertificateSelector"})
- .incompatibleWith("net.tls.clusterFile")
- .incompatibleWith("net.tls.clusterFilePassword");
-#endif
-
- return Status::OK();
-}
-
Status storeTLSLogVersion(const std::string& loggedProtocols) {
// The tlsLogVersion field is composed of a comma separated list of protocols to
// log. First, tokenize the field.
@@ -245,7 +81,13 @@ Status storeTLSLogVersion(const std::string& loggedProtocols) {
return Status::OK();
}
-Status storeSSLServerOptions(const moe::Environment& params) {
+namespace {
+
+// storeSSLServerOptions depends on serverGlobalParams.clusterAuthMode
+// and IDL based storage actions, and therefore must run later.
+MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
+ auto& params = moe::startupOptionsParsed;
+
if (params.count("net.tls.mode")) {
std::string sslModeParam = params["net.tls.mode"].as<string>();
auto swMode = SSLParams::tlsModeParse(sslModeParam);
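Review bot: `auto& params = moe::startupOptionsParsed;` binds a mutable reference where the function it replaces took `const moe::Environment&`, and the visible lines only read from `params`; `const auto& params = moe::startupOptionsParsed;` keeps the old read-only contract and matches the client-side store in this same commit. The body of this initializer continues past the hunk, so I cannot confirm no later line relies on mutability, but nothing in the old signature allowed it.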
@@ -269,20 +111,12 @@ Status storeSSLServerOptions(const moe::Environment& params) {
boost::filesystem::absolute(params["net.tls.PEMKeyFile"].as<string>()).generic_string();
}
- if (params.count("net.tls.PEMKeyPassword")) {
- sslGlobalParams.sslPEMKeyPassword = params["net.tls.PEMKeyPassword"].as<string>();
- }
-
if (params.count("net.tls.clusterFile")) {
sslGlobalParams.sslClusterFile =
boost::filesystem::absolute(params["net.tls.clusterFile"].as<string>())
.generic_string();
}
- if (params.count("net.tls.clusterPassword")) {
- sslGlobalParams.sslClusterPassword = params["net.tls.clusterPassword"].as<string>();
- }
-
if (params.count("net.tls.CAFile")) {
sslGlobalParams.sslCAFile =
boost::filesystem::absolute(params["net.tls.CAFile"].as<std::string>())
@@ -340,28 +174,6 @@ Status storeSSLServerOptions(const moe::Environment& params) {
}
}
- if (params.count("net.tls.weakCertificateValidation")) {
- sslGlobalParams.sslWeakCertificateValidation =
- params["net.tls.weakCertificateValidation"].as<bool>();
- } else if (params.count("net.tls.allowConnectionsWithoutCertificates")) {
- sslGlobalParams.sslWeakCertificateValidation =
- params["net.tls.allowConnectionsWithoutCertificates"].as<bool>();
- }
-
- if (params.count("net.tls.allowInvalidHostnames")) {
- sslGlobalParams.sslAllowInvalidHostnames =
- params["net.tls.allowInvalidHostnames"].as<bool>();
- }
-
- if (params.count("net.tls.allowInvalidCertificates")) {
- sslGlobalParams.sslAllowInvalidCertificates =
- params["net.tls.allowInvalidCertificates"].as<bool>();
- }
-
- if (params.count("net.tls.FIPSMode")) {
- sslGlobalParams.sslFIPSMode = params["net.tls.FIPSMode"].as<bool>();
- }
-
#ifdef MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS
if (params.count("net.tls.certificateSelector")) {
const auto status =
@@ -441,20 +253,6 @@ Status storeSSLServerOptions(const moe::Environment& params) {
return Status::OK();
}
-namespace {
-
-// Use module API to force this section to appear after core server options.
-MONGO_MODULE_STARTUP_OPTIONS_REGISTER(SSLServerOptions)(InitializerContext*) {
- moe::OptionSection options("SSL options");
-
- auto status = addSSLServerOptions(&options);
- if (!status.isOK()) {
- return status;
- }
-
- return moe::startupOptions.addSection(options);
-}
-
// Alias --tlsOnNormalPorts as --tlsMode=requireTLS
Status canonicalizeSSLServerOptions(moe::Environment* params) {
if (params->count("net.tls.tlsOnNormalPorts") &&
@@ -514,11 +312,5 @@ MONGO_STARTUP_OPTIONS_VALIDATE(SSLServerOptions)(InitializerContext*) {
return Status::OK();
}
-// storeSSLServerOptions depends on serverGlobalParams.clusterAuthMode
-// and therefore must run later.
-MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
- return storeSSLServerOptions(moe::startupOptionsParsed);
-}
-
} // namespace
} // namespace mongo
diff --git a/src/mongo/util/net/ssl_options_server.idl b/src/mongo/util/net/ssl_options_server.idl
new file mode 100644
index 00000000000..6d27931fad2
--- /dev/null
+++ b/src/mongo/util/net/ssl_options_server.idl
@@ -0,0 +1,187 @@
+# Copyright (C) 2018-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/config.h"
+ - "mongo/util/net/ssl_options.h"
+ configs:
+ section: "TLS Options"
+ source: [ yaml, cli, ini ]
+ # Name these initializers so they can be invoked from ssl_options_test.cpp
+ initializer_name: SSLServerOptionsIDL
+
+imports:
+ - "mongo/idl/basic_types.idl"
+
+configs:
+ "net.tls.tlsOnNormalPorts":
+ description: "Use TLS on configured ports"
+ short_name: tlsOnNormalPorts
+ deprecated_name: "net.ssl.sslOnNormalPorts"
+ deprecated_short_name: sslOnNormalPorts
+ arg_vartype: Switch
+ source: [ cli, ini ]
+ conflicts: [ "net.tls.mode", "net.ssl.mode" ]
+
+ "net.tls.mode":
+ description: "Set the TLS operation mode (disabled|allowTLS|preferTLS|requireTLS)"
+ short_name: tlsMode
+ arg_vartype: String
+ conflicts: "net.ssl.mode"
+ "net.ssl.mode":
+ description: "Set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL)"
+ short_name: sslMode
+ arg_vartype: String
+ conflicts: "net.tls.mode"
+ hidden: true
+
+ "net.tls.PEMKeyFile":
+ description: "PEM file for TLS"
+ short_name: tlsPEMKeyFile
+ deprecated_name: "net.ssl.PEMKeyFile"
+ deprecated_short_name: sslPEMKeyFile
+ arg_vartype: String
+ "net.tls.PEMKeyPassword":
+ description: "PEM file password"
+ short_name: tlsPEMKeyPassword
+ deprecated_name: "net.ssl.PEMKeyPassword"
+ deprecated_short_name: sslPEMKeyPassword
+ arg_vartype: String
+ cpp_varname: sslGlobalParams.sslPEMKeyPassword
+ implicit: ''
+
+ "net.tls.clusterFile":
+ description: "Key file for internal TLS authentication"
+ short_name: tlsClusterFile
+ deprecated_name: "net.ssl.clusterFile"
+ deprecated_short_name: sslClusterFile
+ arg_vartype: String
+ "net.tls.clusterPassword":
+ description: "Internal authentication key file password"
+ short_name: tlsClusterPassword
+ deprecated_name: "net.ssl.clusterPassword"
+ deprecated_short_name: sslClusterPassword
+ arg_vartype: String
+ cpp_varname: sslGlobalParams.sslClusterPassword
+ implicit: ''
+
+ "net.tls.CAFile":
+ description: "Certificate Authority file for TLS"
+ short_name: tlsCAFile
+ deprecated_name: "net.ssl.CAFile"
+ deprecated_short_name: sslCAFile
+ arg_vartype: String
+ "net.tls.clusterCAFile":
+ description: "CA used for verifying remotes during inbound connections"
+ short_name: tlsClusterCAFile
+ deprecated_name: "net.ssl.clusterCAFile"
+ deprecated_short_name: sslClusterCAFile
+ arg_vartype: String
+ "net.tls.CRLFile":
+ description: "Certificate Revocation List file for TLS"
+ short_name: tlsCRLFile
+ deprecated_name: "net.ssl.CRLFile"
+ deprecated_short_name: sslCRLFile
+ arg_vartype: String
+
+ "net.tls.tlsCipherConfig":
+ description: "OpenSSL cipher configuration string"
+ short_name: tlsCipherConfig
+ deprecated_name: "net.ssl.sslCipherConfig"
+ deprecated_short_name: sslCipherConfig
+ arg_vartype: String
+ hidden: true
+ "net.tls.disabledProtocols":
+ description: "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]"
+ short_name: tlsDisabledProtocols
+ deprecated_name: "net.ssl.disabledProtocols"
+ deprecated_short_name: sslDisabledProtocols
+ arg_vartype: String
+ "net.tls.allowConnectionsWithoutCertificates":
+ # Alias for --tlsWeakCertificateValidation.
+ description: "Allow client to connect without presenting a certificate"
+ short_name: tlsAllowConnectionsWithoutCertificates
+ deprecated_name:
+ - "net.tls.weakCertificateValidation"
+ - "net.ssl.weakCertificateValidation"
+ - "net.ssl.allowConnectionsWithoutCertificates"
+ deprecated_short_name:
+ - tlsWeakCertificateValidation
+ - sslWeakCertificateValidation
+ - sslAllowConnectionsWithoutCertificates
+ arg_vartype: Switch
+ cpp_varname: sslGlobalParams.sslWeakCertificateValidation
+ "net.tls.allowInvalidHostnames":
+ description: "Allow server certificates to provide non-matching hostnames"
+ short_name: tlsAllowInvalidHostnames
+ deprecated_name: "net.ssl.allowInvalidHostnames"
+ deprecated_short_name: sslAllowInvalidHostnames
+ arg_vartype: Switch
+ cpp_varname: sslGlobalParams.sslAllowInvalidHostnames
+ "net.tls.allowInvalidCertificates":
+ description: "Allow connections to servers with invalid certificates"
+ short_name: tlsAllowInvalidCertificates
+ deprecated_name: "net.ssl.allowInvalidCertificates"
+ deprecated_short_name: sslAllowInvalidCertificates
+ arg_vartype: Switch
+ cpp_varname: sslGlobalParams.sslAllowInvalidCertificates
+ "net.tls.FIPSMode":
+ description: "Activate FIPS 140-2 mode at startup"
+ short_name: tlsFIPSMode
+ deprecated_name: "net.ssl.FIPSMode"
+ deprecated_short_name: sslFIPSMode
+ arg_vartype: Switch
+ cpp_varname: sslGlobalParams.sslFIPSMode
+
+ # Certificate Selectors are only available on OSX/Windows with --ssl-provider=native (or auto)
+ "net.tls.certificateSelector":
+ description: "TLS Certificate in system store"
+ short_name: tlsCertificateSelector
+ deprecated_name: "net.ssl.certificateSelector"
+ deprecated_short_name: sslCertificateSelector
+ arg_vartype: String
+ conflicts: [ "net.tls.PEMKeyFile", "net.tls.PEMKeyPassword" ]
+ condition:
+ preprocessor: "defined(MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS)"
+ "net.tls.clusterCertificateSelector":
+ description: "SSL/TLS Certificate in system store for internal TLS authentication"
+ short_name: tlsClusterCertificateSelector
+ deprecated_name: "tls.ssl.clusterCertificateSelector"
+ deprecated_short_name: sslClusterCertificateSelector
+ arg_vartype: String
+ conflicts: [ "net.tls.clusterFile", "net.tls.clusterFilePassword" ]
+ condition:
+ preprocessor: "defined(MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS)"
+
+ "net.tls.logVersions":
+ description: "Comma separated list of TLS protocols to log on connect [TLS1_0,TLS1_1,TLS1_2]"
+ short_name: tlsLogVersions
+ arg_vartype: String
+
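Review bot: The `deprecated_name` for `net.tls.clusterCertificateSelector` is `tls.ssl.clusterCertificateSelector`, which looks like a typo for `net.ssl.clusterCertificateSelector`, the key the removed C++ registration accepted; as written, existing config files that use the `net.ssl` key will stop mapping to this option. The `conflicts` list on the same option names `net.tls.clusterFilePassword`, which is not defined anywhere in this file (the password option is `net.tls.clusterPassword`), so the store-selector/password exclusion never fires; this was already wrong in the old code, but the move is the right moment to change it to `conflicts: [ "net.tls.clusterFile", "net.tls.clusterPassword" ]`. Note also that `net.tls.weakCertificateValidation`, previously an option in its own right, is now only a deprecated alias of `net.tls.allowConnectionsWithoutCertificates`; if that demotion is intended, a comment saying so would help, since it changes what users of the `tls` spelling are told.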
diff --git a/src/mongo/util/net/ssl_options_test.cpp b/src/mongo/util/net/ssl_options_test.cpp
index e2658e3a58d..c352f5d39c1 100644
--- a/src/mongo/util/net/ssl_options_test.cpp
+++ b/src/mongo/util/net/ssl_options_test.cpp
@@ -36,21 +36,53 @@
#include <ostream>
+#include "mongo/base/global_initializer.h"
+#include "mongo/base/initializer.h"
#include "mongo/db/server_options_server_helpers.h"
#include "mongo/unittest/unittest.h"
#include "mongo/util/net/ssl_options.h"
#include "mongo/util/options_parser/environment.h"
#include "mongo/util/options_parser/option_section.h"
#include "mongo/util/options_parser/options_parser.h"
+#include "mongo/util/options_parser/startup_options.h"
namespace moe = mongo::optionenvironment;
namespace mongo {
-Status addSSLServerOptions(moe::OptionSection* options);
-Status storeSSLServerOptions(const moe::Environment& params);
-
namespace {
+Status executeInitializer(const std::string& name) try {
+ const auto* node =
+ getGlobalInitializer().getInitializerDependencyGraph().getInitializerNode(name);
+ if (!node) {
+ return {ErrorCodes::BadValue, str::stream() << "Unknown initializer: '" << name << "'"};
+ }
+
+ const auto& fn = node->getInitializerFunction();
+ if (!fn) {
+ return {ErrorCodes::InternalError,
+ str::stream() << "Initializer node '" << name << "' has no associated function."};
+ }
+
+ // The initializers we call don't actually need a context currently.
+ return fn(nullptr);
+} catch (const DBException& ex) {
+ return ex.toStatus();
+}
+
+Status addSSLServerOptions() {
+ return executeInitializer("SSLServerOptionsIDL_Register");
+}
+
+Status storeSSLServerOptions() {
+ auto status = executeInitializer("SSLServerOptionsIDL_Store");
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return executeInitializer("SSLServerOptions_Store");
+}
+
namespace test {
struct Vector : public std::vector<uint8_t> {
Vector(std::vector<uint8_t> v) : std::vector<uint8_t>(std::move(v)) {}
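Review bot: `storeSSLServerOptions` looks up an initializer named `SSLServerOptions_Store`, but ssl_options_server.cpp in this commit registers the server storage with `MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)`; unless that macro happens to register under a `_Store` suffix (not visible here), `executeInitializer` will return BadValue "Unknown initializer" and every SetupOptions test fails at `ASSERT_OK(storeSSLServerOptions())`. If the POST macro uses a `_Post` suffix, the last line should be `return executeInitializer("SSLServerOptions_Post");`. Separately, `fn(nullptr)` relies on none of the invoked initializers dereferencing their `InitializerContext*`; the existing comment notes this, but it should say explicitly that an IDL-generated initializer which starts reading the context will crash here rather than fail with a Status, so the next person knows why a test segfaults.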
@@ -118,11 +150,11 @@ private:
};
TEST(SetupOptions, tlsModeDisabled) {
- OptionsParserTester parser;
- moe::Environment environment;
- moe::OptionSection options;
+ moe::startupOptions = moe::OptionSection();
+ moe::startupOptionsParsed = moe::Environment();
- ASSERT_OK(::mongo::addGeneralServerOptions(&options));
+ ASSERT_OK(::mongo::addGeneralServerOptions(&moe::startupOptions));
+ ASSERT_OK(addSSLServerOptions());
std::vector<std::string> argv;
argv.push_back("binaryname");
@@ -130,19 +162,18 @@ TEST(SetupOptions, tlsModeDisabled) {
argv.push_back("disabled");
std::map<std::string, std::string> env_map;
- ASSERT_OK(::mongo::addSSLServerOptions(&options));
-
- ASSERT_OK(parser.run(options, argv, env_map, &environment));
- ASSERT_OK(::mongo::storeSSLServerOptions(environment));
+ OptionsParserTester parser;
+ ASSERT_OK(parser.run(moe::startupOptions, argv, env_map, &moe::startupOptionsParsed));
+ ASSERT_OK(storeSSLServerOptions());
ASSERT_EQ(::mongo::sslGlobalParams.sslMode.load(), ::mongo::sslGlobalParams.SSLMode_disabled);
}
TEST(SetupOptions, sslModeDisabled) {
- OptionsParserTester parser;
- moe::Environment environment;
- moe::OptionSection options;
+ moe::startupOptions = moe::OptionSection();
+ moe::startupOptionsParsed = moe::Environment();
- ASSERT_OK(::mongo::addGeneralServerOptions(&options));
+ ASSERT_OK(::mongo::addGeneralServerOptions(&moe::startupOptions));
+ ASSERT_OK(addSSLServerOptions());
std::vector<std::string> argv;
argv.push_back("binaryname");
@@ -150,19 +181,18 @@ TEST(SetupOptions, sslModeDisabled) {
argv.push_back("disabled");
std::map<std::string, std::string> env_map;
- ASSERT_OK(::mongo::addSSLServerOptions(&options));
-
- ASSERT_OK(parser.run(options, argv, env_map, &environment));
- ASSERT_OK(::mongo::storeSSLServerOptions(environment));
+ OptionsParserTester parser;
+ ASSERT_OK(parser.run(moe::startupOptions, argv, env_map, &moe::startupOptionsParsed));
+ ASSERT_OK(storeSSLServerOptions());
ASSERT_EQ(::mongo::sslGlobalParams.sslMode.load(), ::mongo::sslGlobalParams.SSLMode_disabled);
}
TEST(SetupOptions, tlsModeRequired) {
- OptionsParserTester parser;
- moe::Environment environment;
- moe::OptionSection options;
+ moe::startupOptions = moe::OptionSection();
+ moe::startupOptionsParsed = moe::Environment();
- ASSERT_OK(::mongo::addGeneralServerOptions(&options));
+ ASSERT_OK(::mongo::addGeneralServerOptions(&moe::startupOptions));
+ ASSERT_OK(addSSLServerOptions());
std::string sslPEMKeyFile = "jstests/libs/server.pem";
std::string sslCAFFile = "jstests/libs/ca.pem";
@@ -195,10 +225,9 @@ TEST(SetupOptions, tlsModeRequired) {
argv.push_back("TLS1_2");
std::map<std::string, std::string> env_map;
- ASSERT_OK(mongo::addSSLServerOptions(&options));
-
- ASSERT_OK(parser.run(options, argv, env_map, &environment));
- ASSERT_OK(mongo::storeSSLServerOptions(environment));
+ OptionsParserTester parser;
+ ASSERT_OK(parser.run(moe::startupOptions, argv, env_map, &moe::startupOptionsParsed));
+ ASSERT_OK(storeSSLServerOptions());
ASSERT_EQ(::mongo::sslGlobalParams.sslMode.load(), ::mongo::sslGlobalParams.SSLMode_requireSSL);
ASSERT_EQ(::mongo::sslGlobalParams.sslPEMKeyFile.substr(
@@ -226,11 +255,11 @@ TEST(SetupOptions, tlsModeRequired) {
}
TEST(SetupOptions, sslModeRequired) {
- OptionsParserTester parser;
- moe::Environment environment;
- moe::OptionSection options;
+ moe::startupOptions = moe::OptionSection();
+ moe::startupOptionsParsed = moe::Environment();
- ASSERT_OK(::mongo::addGeneralServerOptions(&options));
+ ASSERT_OK(::mongo::addGeneralServerOptions(&moe::startupOptions));
+ ASSERT_OK(addSSLServerOptions());
std::string sslPEMKeyFile = "jstests/libs/server.pem";
std::string sslCAFFile = "jstests/libs/ca.pem";
@@ -263,10 +292,9 @@ TEST(SetupOptions, sslModeRequired) {
argv.push_back("TLS1_0");
std::map<std::string, std::string> env_map;
- ASSERT_OK(mongo::addSSLServerOptions(&options));
-
- ASSERT_OK(parser.run(options, argv, env_map, &environment));
- ASSERT_OK(mongo::storeSSLServerOptions(environment));
+ OptionsParserTester parser;
+ ASSERT_OK(parser.run(moe::startupOptions, argv, env_map, &moe::startupOptionsParsed));
+ ASSERT_OK(storeSSLServerOptions());
ASSERT_EQ(::mongo::sslGlobalParams.sslMode.load(), ::mongo::sslGlobalParams.SSLMode_requireSSL);
ASSERT_EQ(::mongo::sslGlobalParams.sslPEMKeyFile.substr(
@@ -295,11 +323,11 @@ TEST(SetupOptions, sslModeRequired) {
#ifdef MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS
TEST(SetupOptions, tlsModeRequiredCertificateSelector) {
- OptionsParserTester parser;
- moe::Environment environment;
- moe::OptionSection options;
+ moe::startupOptions = moe::OptionSection();
+ moe::startupOptionsParsed = moe::Environment();
- ASSERT_OK(::mongo::addGeneralServerOptions(&options));
+ ASSERT_OK(::mongo::addGeneralServerOptions(&moe::startupOptions));
+ ASSERT_OK(addSSLServerOptions());
std::vector<std::string> argv;
argv.push_back("binaryname");
@@ -311,10 +339,9 @@ TEST(SetupOptions, tlsModeRequiredCertificateSelector) {
argv.push_back("subject=Subject 2");
std::map<std::string, std::string> env_map;
- ASSERT_OK(mongo::addSSLServerOptions(&options));
-
- ASSERT_OK(parser.run(options, argv, env_map, &environment));
- ASSERT_OK(mongo::storeSSLServerOptions(environment));
+ OptionsParserTester parser;
+ ASSERT_OK(parser.run(moe::startupOptions, argv, env_map, &moe::startupOptionsParsed));
+ ASSERT_OK(storeSSLServerOptions());
ASSERT_EQ(::mongo::sslGlobalParams.sslMode.load(), ::mongo::sslGlobalParams.SSLMode_requireSSL);
ASSERT_EQ(::mongo::sslGlobalParams.sslCertificateSelector.subject, "Subject 1");
@@ -322,11 +349,11 @@ TEST(SetupOptions, tlsModeRequiredCertificateSelector) {
}
TEST(SetupOptions, sslModeRequiredCertificateSelector) {
- OptionsParserTester parser;
- moe::Environment environment;
- moe::OptionSection options;
+ moe::startupOptions = moe::OptionSection();
+ moe::startupOptionsParsed = moe::Environment();
- ASSERT_OK(::mongo::addGeneralServerOptions(&options));
+ ASSERT_OK(::mongo::addGeneralServerOptions(&moe::startupOptions));
+ ASSERT_OK(addSSLServerOptions());
std::vector<std::string> argv;
argv.push_back("binaryname");
@@ -338,10 +365,9 @@ TEST(SetupOptions, sslModeRequiredCertificateSelector) {
argv.push_back("subject=Subject 2");
std::map<std::string, std::string> env_map;
- ASSERT_OK(mongo::addSSLServerOptions(&options));
-
- ASSERT_OK(parser.run(options, argv, env_map, &environment));
- ASSERT_OK(mongo::storeSSLServerOptions(environment));
+ OptionsParserTester parser;
+ ASSERT_OK(parser.run(moe::startupOptions, argv, env_map, &moe::startupOptionsParsed));
+ ASSERT_OK(storeSSLServerOptions());
ASSERT_EQ(::mongo::sslGlobalParams.sslMode.load(), ::mongo::sslGlobalParams.SSLMode_requireSSL);
ASSERT_EQ(::mongo::sslGlobalParams.sslCertificateSelector.subject, "Subject 1");
@@ -363,7 +389,7 @@ TEST(SetupOptions, disableNonSSLConnectionLoggingFalse) {
std::map<std::string, std::string> env_map;
ASSERT_OK(parser.run(options, argv, env_map, &environment));
- Status storeRet = mongo::storeServerOptions(environment);
+ ASSERT_OK(mongo::storeServerOptions(environment));
ASSERT_EQ(::mongo::sslGlobalParams.disableNonSSLConnectionLogging, false);
}