// Verify certificate and CA handling when intra-cluster and
// client->server communication are configured with different CAs.

(function() {
    "use strict";

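    function testRS(opts, succeed) {
        // Start a two-node replica set with the given TLS options and check that
        // initiation succeeds or fails as expected.
        //
        // opts:    mongod options applied to both nodes (tlsMode, key/CA files, ...).
        // succeed: true  -> initiate() must work and the primary must answer isMaster;
        //          false -> initiate() must throw.
        //
        // Teardown (stopSet and restoring TestData.skipCheckDBHashes) runs in a
        // finally block so that a failed assertion neither leaves the set running
        // nor leaks the modified TestData flag into later tests.
        const origSkipCheck = TestData.skipCheckDBHashes;
        const rsOpts = {
            // Use localhost so that SAN matches.
            useHostName: false,
            nodes: {node0: opts, node1: opts},
        };
        const rs = new ReplSetTest(rsOpts);
        rs.startSet();
        let initiated = false;
        try {
            if (succeed) {
                rs.initiate();
                initiated = true;
                assert.commandWorked(rs.getPrimary().getDB('admin').runCommand({isMaster: 1}));
            } else {
                assert.throws(function() {
                    rs.initiate();
                });
            }
        } finally {
            if (!initiated) {
                // The set never initiated (the expected-failure case, or a success case
                // that aborted before initiate() returned). Skip the dbhash check so that
                // stopSet presumably does not raise a second error on top of the real one.
                TestData.skipCheckDBHashes = true;
            }
            rs.stopSet();
            TestData.skipCheckDBHashes = origSkipCheck;
        }
    }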

    // Despite the name, the "trusted-*" files are not more trustworthy than the
    // others; they are simply a second, independent trust chain:
    //   ca.pem          signed client.pem and server.pem
    //   trusted-ca.pem  signed trusted-client.pem and trusted-server.pem
    const valid_options = {
        tlsMode: 'requireTLS',
        // Inbound: every server presents trusted-server.pem, and whoever connects to
        // it (clients or peer nodes) verifies that certificate against trusted-ca.pem.
        tlsCertificateKeyFile: 'jstests/libs/trusted-server.pem',
        tlsCAFile: 'jstests/libs/trusted-ca.pem',
        // Outbound cluster traffic: a server connecting to a peer presents server.pem,
        // which the receiving peer verifies against ca.pem.
        tlsClusterFile: 'jstests/libs/server.pem',
        tlsClusterCAFile: 'jstests/libs/ca.pem',
        // SERVER-36895: IP based hostname validation with SubjectAlternateName
        tlsAllowInvalidHostnames: '',
    };

    // Correctly paired certificates and CAs: the set must come up.
    testRS(valid_options, true);

    // Use the inbound server certificate as the cluster certificate. It is signed by
    // trusted-ca.pem rather than ca.pem, so initiation is expected to fail.
    testRS(Object.assign({}, valid_options, {tlsClusterFile: valid_options.tlsCertificateKeyFile}),
           false);

    // The reverse mismatch: server.pem as the inbound certificate is signed by ca.pem
    // rather than trusted-ca.pem, so initiation is expected to fail here as well.
    testRS(Object.assign({}, valid_options, {tlsCertificateKeyFile: valid_options.tlsClusterFile}),
           false);

    // A standalone mongod with the same options is the target for the client-side
    // checks that follow.
    const mongod = MongoRunner.runMongod(valid_options);
    assert(mongod, "Failed starting standalone mongod with alternate CA");

    function testConnect(cert, succeed) {
        // Launch a mongo shell against the standalone mongod, presenting `cert` as
        // the client certificate and verifying the server with valid_options.tlsCAFile.
        // `succeed` states whether the connection (and the trivial --eval) is
        // expected to complete.
        const shellArgs = [
            "mongo",
            "--host",
            "localhost",
            "--port",
            mongod.port,
            "--tls",
            "--tlsCAFile",
            valid_options.tlsCAFile,
            "--tlsCertificateKeyFile",
            cert,
            "--eval",
            ";",
        ];
        // runMongoProgram returns 0 on success (presumably the shell's exit status).
        const exitCode = runMongoProgram(...shellArgs);
        const connected = exitCode === 0;
        assert.eq(connected, succeed);
    }

    // The expected outcomes show that inbound client certificates are validated
    // against tlsClusterCAFile (ca.pem), not tlsCAFile: client.pem (signed by ca.pem)
    // must be accepted, trusted-client.pem (signed by trusted-ca.pem) must be rejected.
    const clientCases = [
        ['jstests/libs/client.pem', true],
        ['jstests/libs/trusted-client.pem', false],
    ];
    for (const [cert, expectSuccess] of clientCases) {
        testConnect(cert, expectSuccess);
    }

    MongoRunner.stopMongod(mongod);
}());