1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
// Verify a warning is emitted when a certificate is about to expire.
(function() {
'use strict';
load("jstests/libs/logv2_helpers.js");
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
function test(expiration, expect) {
const options = {
auth: '',
tlsMode: "requireTLS",
tlsCertificateKeyFile: SERVER_CERT,
tlsCAFile: CA_CERT,
setParameter: 'tlsX509ExpirationWarningThresholdDays=' + expiration,
};
const mongo = MongoRunner.runMongod(options);
const external = mongo.getDB("$external");
external.createUser({
user: CLIENT_USER,
roles: [
{'role': 'userAdminAnyDatabase', 'db': 'admin'},
{'role': 'readWriteAnyDatabase', 'db': 'admin'},
{'role': 'clusterMonitor', 'db': 'admin'},
]
});
assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}),
"authentication with valid user failed");
// Check that there's a "Successfully authenticated" message that includes the client IP
const log =
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
if (isJsonLog(mongo)) {
function checkPeerCertificateExpires(element, index, array) {
const logJson = JSON.parse(element);
return (logJson.id === 23221 || logJson.id === 23222) &&
logJson.attr.peerSubjectName === CLIENT_USER;
}
assert.eq(log.some(checkPeerCertificateExpires), expect);
} else {
const warning = `Peer certificate '${CLIENT_USER}' expires`;
assert.eq(log.some(line => line.includes(warning)), expect);
}
MongoRunner.stopMongod(mongo);
}
assert.doesNotThrow(
() => test(100, false),
[],
"If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.");
test(7300, true); // Work so long as certs expire no more than 20 years from now
})();
|