-
Notifications
You must be signed in to change notification settings - Fork 5.6k
/
Copy pathssl_cert_selector.js
151 lines (134 loc) · 5.61 KB
/
ssl_cert_selector.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
/**
* Tests that the server can load its keys and certificates from the certificate store
* through a selector, and that the correct keys are used for ingress/egress connections.
*/
import {getPython3Binary} from "jstests/libs/python.js";
import {ReplSetTest} from "jstests/libs/replsettest.js";
import {
requireSSLProvider,
TRUSTED_CA_CERT,
TRUSTED_CLIENT_CERT,
TRUSTED_SERVER_CERT,
} from "jstests/ssl/libs/ssl_helpers.js";
const clientThumbprint = cat('jstests/libs/trusted-client.pem.digest.sha1');
const serverThumbprint = cat('jstests/libs/trusted-server.pem.digest.sha1');
const CLIENT = 'CN=Trusted Kernel Test Client,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US';
const SERVER = 'CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US';
const testCases = [
{
selector: `thumbprint=${serverThumbprint}`,
expectIngressKeyUsed: SERVER,
expectEgressKeyUsed: SERVER
},
{
selector: `thumbprint=${serverThumbprint}`,
clusterSelector: `thumbprint=${clientThumbprint}`,
expectIngressKeyUsed: SERVER,
expectEgressKeyUsed: CLIENT,
},
{
keyFile: TRUSTED_SERVER_CERT,
clusterSelector: `thumbprint=${clientThumbprint}`,
expectIngressKeyUsed: SERVER,
expectEgressKeyUsed: CLIENT,
},
{
selector: `thumbprint=${serverThumbprint}`,
clusterFile: TRUSTED_CLIENT_CERT,
expectIngressKeyUsed: SERVER,
expectEgressKeyUsed: CLIENT,
},
{
selector: 'subject=Trusted Kernel Test Server',
clusterSelector: 'subject=Trusted Kernel Test Client',
expectIngressKeyUsed: SERVER,
expectEgressKeyUsed: CLIENT,
},
];
function testServerSelectorKeyUsage(testCase) {
jsTestLog(`Running testServerSelectorKeyUsage with test case: ${tojson(testCase)}`);
// Start a replica set with one mongod configured with the test case key file parameters
// and a system CA store containing trusted-ca.pem.
const rst = new ReplSetTest({nodes: 1});
rst.startSet({
tlsMode: 'requireTLS',
tlsCertificateKeyFile: testCase.keyFile,
tlsCertificateSelector: testCase.selector,
tlsClusterFile: testCase.clusterFile,
tlsClusterCertificateSelector: testCase.clusterSelector,
tlsAllowInvalidHostnames: "",
tlsAllowConnectionsWithoutCertificates: "",
waitForConnect: true,
setParameter: {tlsUseSystemCA: true},
});
rst.initiate();
rst.awaitReplication();
let conn = rst.getPrimary();
jsTestLog("Testing server uses correct key on ingress");
assert.soon(function() {
return runMongoProgram('mongo',
'--tls',
'--tlsAllowInvalidHostnames',
'--tlsCAFile',
TRUSTED_CA_CERT,
'--tlsCertificateKeyFile',
TRUSTED_CLIENT_CERT,
'--port',
conn.port,
'--eval',
'quit()') === 0;
}, "mongo did not initialize properly");
assert.soon(
() => {
const log = rawMongoProgramOutput(".*");
return log.search(testCase.expectIngressKeyUsed) !== -1;
},
`logfile did not contain expected peer certificate info: ${
testCase.expectIngressKeyUsed}.\n` +
"Log File Contents\n==============================\n" + rawMongoProgramOutput(".*") +
"\n==============================\n");
jsTestLog("Testing server uses correct key on egress");
// Add new node to test the other node's egress key
let otherNode = rst.add({
tlsMode: 'requireTLS',
tlsCertificateKeyFile: TRUSTED_SERVER_CERT,
tlsCAFile: TRUSTED_CA_CERT,
tlsAllowInvalidHostnames: "",
setParameter: {tlsWithholdClientCertificate: true},
waitForConnect: true,
});
jsTestLog("Reinitiating replica set with one additional node");
rst.reInitiate();
rst.awaitSecondaryNodes();
assert.commandWorked(otherNode.adminCommand({clearLog: 'global'}));
// Verify node 1 can now connect to node 2
jsTestLog("Forcing egress connection with replSetTestEgress...");
assert.commandWorked(conn.adminCommand({replSetTestEgress: 1}));
checkLog.containsRelaxedJson(
otherNode, 6723802, {peerSubjectName: testCase.expectEgressKeyUsed});
jsTestLog("Stopping the replica set...");
rst.stopSet();
}
requireSSLProvider('windows', function() {
if (_isWindows()) {
assert.eq(0,
runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
// SChannel backed follows Windows rules and only trusts Root in LocalMachine
runProgram("certutil.exe", "-addstore", "-f", "Root", TRUSTED_CA_CERT);
// Import a pfx file since it contains both a cert and private key and is easy to import
// via command line.
const importPfx = function(pfxFile) {
return runProgram("certutil.exe", "-importpfx", "-f", "-p", "qwerty", pfxFile);
};
assert.eq(0, importPfx("jstests\\libs\\trusted-client.pfx"));
assert.eq(0, importPfx("jstests\\libs\\trusted-server.pfx"));
}
try {
testCases.forEach(test => testServerSelectorKeyUsage(test));
} finally {
if (_isWindows()) {
const trusted_ca_thumbprint = cat('jstests/libs/trusted-ca.pem.digest.sha1');
runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint);
}
}
});