From a03273a49638734768c4d1dd2ce26e741f2549ad Mon Sep 17 00:00:00 2001
From: Sara Golemon
Date: Tue, 8 May 2018 12:58:01 -0400
Subject: SERVER-34888 Do not store subject name without validation

(cherry picked from commit 500e0e69ed7799f5a147c786e6622486920cd68c)
---
 jstests/ssl/x509_invalid.js | 61 +++++++++++++++++++++++++++++++++++++
 jstests/ssl/x509_startup_warning.js | 33 ++++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 jstests/ssl/x509_invalid.js
 create mode 100644 jstests/ssl/x509_startup_warning.js
(limited to 'jstests/ssl')

diff --git a/jstests/ssl/x509_invalid.js b/jstests/ssl/x509_invalid.js
new file mode 100644
index 00000000000..39605fa307c
--- /dev/null
+++ b/jstests/ssl/x509_invalid.js
@@ -0,0 +1,61 @@
+// Test X509 auth when --sslAllowInvalidCertificates is enabled
+
+(function() {
+ 'use strict';
+
+ const CLIENT_NAME = 'C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client';
+ const CLIENT_CERT = 'jstests/libs/client.pem';
+ const SERVER_CERT = 'jstests/libs/server.pem';
+ const CA_CERT = 'jstests/libs/ca.pem';
+ const SELF_SIGNED_CERT = 'jstests/libs/client-self-signed.pem';
+
+ function testClient(conn, cert, name, shouldSucceed) {
+ let auth = {mechanism: 'MONGODB-X509'};
+ if (name !== null) {
+ auth.name = name;
+ }
+ const script = 'assert(db.getSiblingDB(\'$external\').auth(' + tojson(auth) + '));';
+ clearRawMongoProgramOutput();
+ const exitCode = runMongoProgram('mongo',
+ '--ssl',
+ '--sslAllowInvalidHostnames',
+ '--sslPEMKeyFile',
+ cert,
+ '--sslCAFile',
+ CA_CERT,
+ '--port',
+ conn.port,
+ '--eval',
+ script);
+
+ assert.eq(shouldSucceed, exitCode === 0, "exitCode = " + tojson(exitCode));
+ assert.eq(
+ !shouldSucceed,
+ rawMongoProgramOutput().includes('No verified subject name available from client'));
+ }
+
+ function runTest(conn) {
+ const admin = conn.getDB('admin');
+ admin.createUser({user: "admin", pwd: "admin", roles: ["root"]});
+ admin.auth('admin', 'admin');
+
+ const external = conn.getDB('$external');
+ external.createUser({user: CLIENT_NAME, roles: [{'role': 'readWrite', 'db': 'test'}]});
+
+ testClient(conn, CLIENT_CERT, CLIENT_NAME, true);
+ testClient(conn, SELF_SIGNED_CERT, CLIENT_NAME, false);
+ testClient(conn, CLIENT_CERT, null, true);
+ testClient(conn, SELF_SIGNED_CERT, null, false);
+ }
+
+ // Standalone.
+ const mongod = MongoRunner.runMongod({
+ auth: '',
+ sslMode: 'requireSSL',
+ sslPEMKeyFile: SERVER_CERT,
+ sslCAFile: CA_CERT,
+ sslAllowInvalidCertificates: '',
+ });
+ runTest(mongod);
+ MongoRunner.stopMongod(mongod);
+})();
diff --git a/jstests/ssl/x509_startup_warning.js b/jstests/ssl/x509_startup_warning.js
new file mode 100644
index 00000000000..888e29255e3
--- /dev/null
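Review bot: `admin.auth('admin', 'admin');` in runTest discards its return value, so a failed login is only reported later as an unauthorized error from `external.createUser` rather than at the point it happens; the usual jstest form is `assert(admin.auth('admin', 'admin'));`. In testClient, `let auth = {mechanism: 'MONGODB-X509'};` is never reassigned (only its `name` property is set), so `const auth = {mechanism: 'MONGODB-X509'};` fits the file's otherwise all-`const` style. Both negative cases are pinned to the literal server message `'No verified subject name available from client'`, which is fine for a log-based check but deserves a one-line comment saying the string must be kept in sync with the server. The `// Standalone.` comment hints that replica-set or sharded variants were considered; if they are wanted, a `// TODO(owner): ...` naming them would keep that gap visible.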
+++ b/jstests/ssl/x509_startup_warning.js
@@ -0,0 +1,33 @@
+// Test for startuo warning when X509 auth and sslAllowInvalidCertificates are enabled
+
+(function() {
+ 'use strict';
+
+ function runTest(opts, expectWarning) {
+ clearRawMongoProgramOutput();
+ const mongod = MongoRunner.runMongod(Object.assign({
+ auth: '',
+ sslMode: 'requireSSL',
+ sslPEMKeyFile: 'jstests/libs/server.pem',
+ sslCAFile: 'jstests/libs/ca.pem',
+ },
+ opts));
+ assert.eq(expectWarning,
+ rawMongoProgramOutput().includes(
+ 'WARNING: While invalid X509 certificates may be used'));
+ MongoRunner.stopMongod(mongod);
+ }
+
+ // Don't expect a warning when we're not using both options together.
+ runTest({}, false);
+ runTest({sslAllowInvalidCertificates: '', setParameter: 'authenticationMechanisms=SCRAM-SHA-1'},
+ false);
+ runTest({setParameter: 'authenticationMechanisms=MONGODB-X509'}, false);
+ runTest({clusterAuthMode: 'x509'}, false);
+
+ // Do expect a warning when we're combining options.
+ runTest(
+ {sslAllowInvalidCertificates: '', setParameter: 'authenticationMechanisms=MONGODB-X509'},
+ true);
+ runTest({sslAllowInvalidCertificates: '', clusterAuthMode: 'x509'}, true);
+})();
-- cgit v1.2.1
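Review bot: The header comment has a typo, `// Test for startuo warning ...`; it should read `// Test for startup warning when X509 auth and sslAllowInvalidCertificates are enabled`. The option matrix never runs `sslAllowInvalidCertificates` on its own with the default authenticationMechanisms list; whether that configuration should warn depends on whether MONGODB-X509 is enabled by default, which this hunk does not show, so a `runTest({sslAllowInvalidCertificates: ''}, <expected>)` case pinning the intended answer would close that gap. The check also keys on the literal prefix `'WARNING: While invalid X509 certificates may be used'`, so any rewording of the server message turns every `expectWarning` case into a failure; a short comment noting that coupling next to the `assert.eq` would save the next maintainer some confusion.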