jstests/ssl/ssl_cluster_ca.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

// Verify certificates and CAs between intra-cluster
// and client->server communication using different CAs.

(function() {
"use strict";

function testRS(opts, succeed) {
    const origSkipCheck = TestData.skipCheckDBHashes;
    const rsOpts = {
        // Use localhost so that SAN matches.
        useHostName: false,
        nodes: {node0: opts, node1: opts},
    };
    const rs = new ReplSetTest(rsOpts);
    rs.startSet();
    if (succeed) {
        rs.initiate();
        assert.commandWorked(rs.getPrimary().getDB('admin').runCommand({isMaster: 1}));
    } else {
        assert.throws(function() {
            rs.initiate();
        });
        TestData.skipCheckDBHashes = true;
    }
    rs.stopSet();
    TestData.skipCheckDBHashes = origSkipCheck;
}

// The name "trusted" in these certificates is misleading.
// They're just a separate trust chain from the ones without the name.
// ca.pem signed client.pem and server.pem
// trusted-ca.pem signed trusted-client.pem and trusted-server.pem
const valid_options = {
    tlsMode: 'requireTLS',
    // Servers present trusted-server.pem to clients and each other for inbound connections.
    // Peers validate trusted-server.pem using trusted-ca.pem when making those connections.
    tlsCertificateKeyFile: 'jstests/libs/trusted-server.pem',
    tlsCAFile: 'jstests/libs/trusted-ca.pem',
    // Servers making outbound connections to other servers present server.pem to their peers
    // which their peers validate using ca.pem.
    tlsClusterFile: 'jstests/libs/server.pem',
    tlsClusterCAFile: 'jstests/libs/ca.pem',
    // SERVER-36895: IP based hostname validation with SubjectAlternateName
    tlsAllowInvalidHostnames: '',
};

testRS(valid_options, true);

const wrong_cluster_file =
    Object.assign({}, valid_options, {tlsClusterFile: valid_options.tlsCertificateKeyFile});
testRS(wrong_cluster_file, false);

const wrong_key_file =
    Object.assign({}, valid_options, {tlsCertificateKeyFile: valid_options.tlsClusterFile});
testRS(wrong_key_file, false);

const mongod = MongoRunner.runMongod(valid_options);
assert(mongod, "Failed starting standalone mongod with alternate CA");

function testConnect(cert, succeed) {
    const mongo = runMongoProgram("mongo",
                                  "--host",
                                  "localhost",
                                  "--port",
                                  mongod.port,
                                  "--tls",
                                  "--tlsCAFile",
                                  valid_options.tlsCAFile,
                                  "--tlsCertificateKeyFile",
                                  cert,
                                  "--eval",
                                  ";");

    // runMongoProgram returns 0 on success
    assert.eq(mongo === 0, succeed);
}

testConnect('jstests/libs/client.pem', true);
testConnect('jstests/libs/trusted-client.pem', false);

MongoRunner.stopMongod(mongod);
}());