1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
var SERVER_CERT = "jstests/libs/server.pem";
var CLIENT_CERT = "jstests/libs/client.pem";
var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client";
jsTest.log("Assert x509 auth is not allowed when a standalone mongod is run without a CA file.");
// allowSSL instead of requireSSL so that the non-SSL connection succeeds.
var conn = MongoRunner.runMongod({sslMode: 'allowSSL', sslPEMKeyFile: SERVER_CERT, auth: ''});
var external = conn.getDB('$external');
external.createUser({
user: CLIENT_USER,
roles: [
{'role': 'userAdminAnyDatabase', 'db': 'admin'},
{'role': 'readWriteAnyDatabase', 'db': 'admin'}
]
});
// Should not be able to authenticate with x509.
// Authenticate call will return 1 on success, 0 on error.
var exitStatus = runMongoProgram('mongo',
'--ssl',
'--sslAllowInvalidCertificates',
'--sslPEMKeyFile',
CLIENT_CERT,
'--port',
conn.port,
'--eval',
('quit(db.getSiblingDB("$external").auth({' +
'user: "' + CLIENT_USER + '" ,' +
'mechanism: "MONGODB-X509"}));'));
assert.eq(exitStatus, 0, "authentication via MONGODB-X509 without CA succeeded");
MongoRunner.stopMongod(conn);
jsTest.log("Assert mongod doesn\'t start with CA file missing and clusterAuthMode=x509.");
var sslParams = {clusterAuthMode: 'x509', sslMode: 'requireSSL', sslPEMKeyFile: SERVER_CERT};
assert.throws(() => MongoRunner.runMongod(sslParams),
[],
"server started with x509 clusterAuthMode but no CA file");
jsTest.log("Assert mongos doesn\'t start with CA file missing and clusterAuthMode=x509.");
var rstOptions = {
waitForKeys: false,
isConfigServer: true,
hostname: getHostName(),
useHostName: true,
nodes: 1
};
var startOptions = {
// Ensure that journaling is always enabled for config servers.
configsvr: "",
storageEngine: "wiredTiger",
sslMode: 'allowSSL',
sslPEMKeyFile: 'jstests/libs/trusted-server.pem'
};
var configRS = new ReplSetTest(rstOptions);
configRS.startSet(startOptions);
// Make sure the mongoS failed to start up for the proper reason.
assert.throws(() => MongoRunner.runMongos({
clusterAuthMode: 'x509',
sslMode: 'requireSSL',
sslPEMKeyFile: SERVER_CERT,
configdb: configRS.getURL()
}),
[],
"mongos started with x509 clusterAuthMode but no CA file");
assert.neq(-1, rawMongoProgramOutput().search("No TLS certificate validation can be performed"));
configRS.stopSet();
|