/** * This test checks the upgrade path for mixed mode ssl + x509 auth * from disabled/keyfiles up to preferSSL/x509 * * NOTE: This test is similar to upgrade_to_x509_ssl.js in the * ssl test suite. This test cannot use ssl communication * and therefore cannot test modes that only allow ssl. * * This test requires users to persist across a restart. * @tags: [requires_persistence] */ load("jstests/ssl/libs/ssl_helpers.js"); function authAllNodes() { for (var n = 0; n < rst.nodes.length; n++) { var status = rst.nodes[n].getDB("admin").auth("root", "pwd"); assert.eq(status, 1); } } // The mongo shell cannot authenticate as the internal __system user in tests that use x509 for // cluster authentication. Choosing the default value for wcMajorityJournalDefault in // ReplSetTest cannot be done automatically without the shell performing such authentication, so // in this test we must make the choice explicitly, based on the global test options. var wcMajorityJournalDefault; if (jsTestOptions().noJournal || jsTestOptions().storageEngine == "ephemeralForTest" || jsTestOptions().storageEngine == "inMemory") { wcMajorityJournalDefault = false; } else { wcMajorityJournalDefault = true; } opts = { sslMode: "disabled", clusterAuthMode: "keyFile", }; var NUM_NODES = 3; var rst = new ReplSetTest( {name: 'sslSet', nodes: NUM_NODES, waitForKeys: false, keyFile: KEYFILE, nodeOptions: opts}); rst.startSet(); // ReplSetTest.initiate() requires all nodes to be to be authorized to run replSetGetStatus. // TODO(SERVER-14017): Remove this in favor of using initiate() everywhere. rst.initiateWithAnyNodeAsPrimary(Object.extend( rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: wcMajorityJournalDefault})); // Connect to master and do some basic operations var rstConn1 = rst.getPrimary(); rstConn1.getDB("admin").createUser({user: "root", pwd: "pwd", roles: ["root"]}, {w: NUM_NODES}); rstConn1.getDB("admin").auth("root", "pwd"); rstConn1.getDB("test").a.insert({a: 1, str: "TESTTESTTEST"}); assert.eq(1, rstConn1.getDB("test").a.find().itcount(), "Error interacting with replSet"); print("===== UPGRADE disabled,keyFile -> allowSSL,sendKeyfile ====="); authAllNodes(); rst.upgradeSet({ sslMode: "allowSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: "", clusterAuthMode: "sendKeyFile", keyFile: KEYFILE, sslCAFile: CA_CERT }, "root", "pwd"); authAllNodes(); rst.awaitReplication(); var rstConn2 = rst.getPrimary(); rstConn2.getDB("test").a.insert({a: 2, str: "CHECKCHECKCHECK"}); assert.eq(2, rstConn2.getDB("test").a.find().itcount(), "Error interacting with replSet"); print("===== UPGRADE allowSSL,sendKeyfile -> preferSSL,sendX509 ====="); rst.upgradeSet({ sslMode: "preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: "", clusterAuthMode: "sendX509", keyFile: KEYFILE, sslCAFile: CA_CERT }, "root", "pwd"); authAllNodes(); rst.awaitReplication(); var rstConn3 = rst.getPrimary(); rstConn3.getDB("test").a.insert({a: 3, str: "PEASandCARROTS"}); assert.eq(3, rstConn3.getDB("test").a.find().itcount(), "Error interacting with replSet"); var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--sslAllowInvalidCertificates", "--sslPEMKeyFile", CLIENT_CERT, "--eval", ";"); assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed"); print("===== UPGRADE preferSSL,sendX509 -> preferSSL,x509 ====="); // we cannot upgrade past preferSSL here because it will break the test client rst.upgradeSet({ sslMode: "preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: "", clusterAuthMode: "x509", keyFile: KEYFILE, sslCAFile: CA_CERT }, "root", "pwd"); authAllNodes(); rst.awaitReplication(); var rstConn4 = rst.getPrimary(); rstConn4.getDB("test").a.insert({a: 4, str: "BEEP BOOP"}); rst.awaitReplication(); assert.eq(4, rstConn4.getDB("test").a.find().itcount(), "Error interacting with replSet"); // Test that an ssl connection can still be made var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--sslAllowInvalidCertificates", "--sslPEMKeyFile", CLIENT_CERT, "--eval", ";"); assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed"); rst.stopSet();