mirror of https://github.com/mongodb/mongo.git synced 2024-11-28 07:59:02 +01:00

SERVER-17450 Cleanup SSL test infrastructure

Spencer T Brody 2015-03-22 12:08:42 -04:00
parent ec174997f6
commit 43e53251a3
29 changed files with 107 additions and 233 deletions


@ -252,14 +252,11 @@ class mongod(NullMongod):
self.auth = True
if self.kwargs.get('keyFile'):
argv += ['--keyFile', self.kwargs.get('keyFile')]
if self.kwargs.get('use_ssl') or self.kwargs.get('use_x509'):
if self.kwargs.get('use_ssl'):
argv += ['--sslMode', "requireSSL",
'--sslPEMKeyFile', 'jstests/libs/server.pem',
'--sslCAFile', 'jstests/libs/ca.pem',
'--sslWeakCertificateValidation']
if self.kwargs.get('use_x509'):
argv += ['--clusterAuthMode','x509'];
self.auth = True
'--sslAllowConnectionsWithoutCertificates']
print "running " + " ".join(argv)
self.proc = self._start(buildlogger(argv, is_global=True))
@ -456,7 +453,7 @@ def skipTest(path):
if basename in ["fastsync.js", "index_retry.js", "ttl_repl_maintenance.js",
"unix_socket1.js"]:
return True;
if auth or keyFile or use_x509: # For tests running with auth
if auth or keyFile: # For tests running with auth
# Skip any tests that run with auth explicitly
if parentDir.lower() == "auth" or "auth" in basename.lower():
return True
@ -588,9 +585,7 @@ def runTest(test, result):
'TestData.keyFile = ' + ternary( keyFile , '"' + str(keyFile) + '"' , 'null' ) + ";" + \
'TestData.keyFileData = ' + ternary( keyFile , '"' + str(keyFileData) + '"' , 'null' ) + ";" + \
'TestData.authMechanism = ' + ternary( authMechanism,
'"' + str(authMechanism) + '"', 'null') + ";" + \
'TestData.useSSL = ' + ternary( use_ssl ) + ";" + \
'TestData.useX509 = ' + ternary( use_x509 ) + ";"
'"' + str(authMechanism) + '"', 'null') + ";"
# this updates the default data directory for mongod processes started through shell (src/mongo/shell/servers.js)
evalString += 'MongoRunner.dataDir = "' + os.path.abspath(smoke_db_prefix + '/data/db') + '";'
evalString += 'MongoRunner.dataPath = MongoRunner.dataDir + "/";'
@ -702,8 +697,7 @@ def run_tests(tests):
auth=auth,
authMechanism=authMechanism,
keyFile=keyFile,
use_ssl=use_ssl,
use_x509=use_x509)
use_ssl=use_ssl)
master.start()
if small_oplog:
@ -730,8 +724,7 @@ def run_tests(tests):
auth=auth,
authMechanism=authMechanism,
keyFile=keyFile,
use_ssl=use_ssl,
use_x509=use_x509)
use_ssl=use_ssl)
slave.start()
primary = Connection(port=master.port, slave_okay=True);
@ -812,8 +805,7 @@ def run_tests(tests):
auth=auth,
authMechanism=authMechanism,
keyFile=keyFile,
use_ssl=use_ssl,
use_x509=use_x509)
use_ssl=use_ssl)
master.start()
except TestFailure, f:
@ -1095,7 +1087,7 @@ def set_globals(options, tests):
global small_oplog, small_oplog_rs
global no_journal, set_parameters, set_parameters_mongos, no_preallocj, storage_engine, wiredtiger_engine_config_string, wiredtiger_collection_config_string, wiredtiger_index_config_string
global auth, authMechanism, keyFile, keyFileData, smoke_db_prefix, test_path, start_mongod
global use_ssl, use_x509
global use_ssl
global file_of_commands_mode
global report_file, shell_write_mode, use_write_commands
global temp_path
@ -1105,9 +1097,6 @@ def set_globals(options, tests):
start_mongod = options.start_mongod
if hasattr(options, 'use_ssl'):
use_ssl = options.use_ssl
if hasattr(options, 'use_x509'):
use_x509 = options.use_x509
use_ssl = use_ssl or use_x509
#Careful, this can be called multiple times
test_path = options.test_path
@ -1298,9 +1287,6 @@ def main():
parser.add_option('--auth', dest='auth', default=False,
action="store_true",
help='Run standalone mongods in tests with authentication enabled')
parser.add_option('--use-x509', dest='use_x509', default=False,
action="store_true",
help='Use x509 auth for internal cluster authentication')
parser.add_option('--authMechanism', dest='authMechanism', default='SCRAM-SHA-1',
help='Use the given authentication mechanism, when --auth is used.')
parser.add_option('--keyFile', dest='keyFile', default=None,
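Review bot: In the first hunk the `use_ssl` branch now always passes `--sslAllowConnectionsWithoutCertificates`, so every mongod this script starts accepts TLS clients that present no certificate, and nothing on the new side records why. A one-line comment above the `argv +=` would do, for example `# test-only: shells started by the suites do not present a client certificate`; that reason is inferred and should be confirmed. Separately, with `--use-x509` dropped from `main()`, any job that still passes the flag would presumably be rejected by the option parser, which is worth stating in the commit description. The `start` and `main` bodies continue outside the hunks.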


@ -47,7 +47,7 @@ reconnect = function(a) {
db = a;
}
db.bar.stats();
if (jsTest.options().keyFile || jsTest.options().useX509) { // SERVER-4241: Shell connections don't re-authenticate on reconnect
if (jsTest.options().keyFile) { // SERVER-4241: Shell connections don't re-authenticate on reconnect
return jsTest.authenticate(db.getMongo());
}
return true;


@ -1,9 +1,12 @@
// Test enabling and disabling the MONGODB-X509 auth mech
TestData.useX509 = false;
var CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US"
var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" });
var conn = MongoRunner.runMongod({smallfiles: "",
auth: "",
sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem"});
// Find out if this build supports the authenticationMechanisms startup parameter.
// If it does, restart with and without the MONGODB-X509 mechanisms enabled.
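Review bot: The certificate paths added to the `MongoRunner.runMongod` call are repeated as string literals here and in most of the other test sections this commit rewrites (the CRL, FIPS, weak-validation and invalid-server-cert tests), while other tests on this page already name them `SERVER_CERT` and `CA_CERT`. Declaring `var SERVER_CERT = "jstests/libs/server.pem";` and `var CA_CERT = "jstests/libs/ca.pem";` at the top of each test, or loading them from a shared helper, would keep a fixture rename to one place. Now that the runner no longer injects these options, each test's TLS configuration is only as visible as its own option object, so naming the fixtures also makes it easier to see which certificate a test is really exercising.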


@ -1,6 +1,10 @@
// Basic tests for cluster authentication using x509.
var common_options = {keyFile : "jstests/libs/key1"};
var common_options = {keyFile : "jstests/libs/key1",
sslMode : "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslAllowInvalidHostnames: ""};
function runInitialSyncTest() {
load("jstests/replsets/rslib.js");
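Review bot: `sslAllowInvalidHostnames: ""` in `common_options` turns off hostname checking for every node in this x509 cluster-auth test without saying why, and the same option is added to `x509_options` in the sharding section further down. The runner defaults this commit removes carried a comment naming the test that needed the relaxation; that context is lost now that each test opts in on its own. A comment such as `// server.pem is not issued for the hostnames the members use to reach each other` would mark the relaxation as deliberate and tied to the test certificates; the reason given is presumed and should be checked against the fixture.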


@ -1,9 +1,6 @@
// This test is related to mixed_mode_repl_nossl.js in
// the sslSpecial test set. This test must be run with --use-ssl
// If we are running in use-x509 passthrough mode, turn it off
// since it is not necessary for this test.
TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js")
// Verify that requireSSL allows ssl connections


@ -2,10 +2,6 @@
* This test checks if different mixtures of ssl modes
* in a sharded cluster can or cannot function
*/
// If we are running in use-x509 passthrough mode, turn it off
// since it is not necessary for this test.
TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js");
print("=== Testing requireSSL/requireSSL cluster ===");


@ -1,6 +1,5 @@
// Test changing the --sslMode and --clusterAuthMode
// parameters using setParameter
TestData.useX509 = false;
var SERVER_CERT = "jstests/libs/server.pem"
var CA_CERT = "jstests/libs/ca.pem"
@ -19,7 +18,7 @@ function testSSLTransition(oldMode, newMode, shouldSucceed) {
"sslMode" : newMode });
assert(res["ok"] == shouldSucceed, tojson(res));
stopMongod(port);
MongoRunner.stopMongod(port);
}
function testAuthModeTransition(oldMode, newMode, sslMode, shouldSucceed) {
@ -36,7 +35,7 @@ function testAuthModeTransition(oldMode, newMode, sslMode, shouldSucceed) {
"clusterAuthMode" : newMode });
assert(res["ok"] == shouldSucceed, tojson(res));
stopMongod(port);
MongoRunner.stopMongod(port);
}
testSSLTransition("allowSSL", "invalid", false);


@ -5,6 +5,7 @@ var x509_options = {sslMode : "requireSSL",
sslPEMKeyFile : "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslClusterFile: "jstests/libs/cluster_cert.pem",
sslAllowInvalidHostnames: "",
clusterAuthMode: "x509"};
// Start ShardingTest with enableBalancer because ShardingTest attempts to turn


@ -10,13 +10,13 @@ resetDbpath(dbpath);
mkdir(external_scratch_dir);
// Password is correct
md = startMongod("--nopreallocj",
"--port", port,
"--dbpath", dbpath,
"--sslMode","requireSSL",
"--sslPEMKeyFile", "jstests/libs/password_protected.pem",
"--sslPEMKeyPassword", "qwerty");
// startMongod connects a Mongo shell, so if we get here, the test is successful.
var md = MongoRunner.runMongod({nopreallocj: "",
port: port,
dbpath: dbpath,
sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/password_protected.pem",
sslPEMKeyPassword: "qwerty"});
// MongoRunner.runMongod connects a Mongo shell, so if we get here, the test is successful.
// Password incorrect; error logged is:
@ -134,6 +134,6 @@ assert.eq(md5, md5_stored, "hash of stored file does not match the expected valu
if (!_isWindows()) {
// Stop the server
var exitCode = stopMongod(port, 15);
var exitCode = MongoRunner.stopMongod(port, 15);
assert(exitCode == 0);
}
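Review bot: The rewritten comment in the first hunk says that reaching this point proves success, but nothing checks what `MongoRunner.runMongod` returned. The invalid-server-cert test in this same commit asserts `assert.eq(null, md, ...)`, which implies a failed start yields null rather than an exception. Adding `assert.neq(null, md, "mongod did not start with the correct PEM key password");` right after the call would make the correct-password case fail loudly instead of passing by default. The second hunk only renames the stop call and is not affected.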


@ -5,36 +5,28 @@
// crl.pem is a CRL with no revoked certificates.
// This test should allow the user to connect with client.pem certificate.
ports = allocatePorts(2);
port1 = ports[0];
var baseName = "jstests_ssl_ssl_crl";
var md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslCRLFile: "jstests/libs/crl.pem"});
var md = startMongod("--port", port1, "--dbpath",
MongoRunner.dataPath + baseName + "1",
"--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/server.pem",
"--sslCAFile", "jstests/libs/ca.pem",
"--sslCRLFile", "jstests/libs/crl.pem");
var mongo = runMongoProgram("mongo", "--port", port1, "--ssl", "--sslAllowInvalidCertificates",
var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--eval", ";");
// 0 is the exit code for success
assert(mongo==0);
port2 = ports[1];
// This test ensures clients cannot connect if the CRL is expired.
md = startMongod("--port", port2, "--dbpath", MongoRunner.dataPath + baseName + "2",
"--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/server.pem",
"--sslCAFile", "jstests/libs/ca.pem",
"--sslCRLFile", "jstests/libs/crl_expired.pem");
md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslCRLFile: "jstests/libs/crl_expired.pem"});
mongo = runMongoProgram("mongo", "--port", port2, "--ssl", "--sslAllowInvalidCertificates",
mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--eval", ";");
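Review bot: `md.port` is read immediately after each `MongoRunner.runMongod` call with no check that a server actually started. If a failed start returns null, as the `assert.eq(null, md, ...)` in the invalid-server-cert test suggests, the test stops on a TypeError instead of a message naming the CRL case. An `assert.neq(null, md, "mongod failed to start with crl.pem");` before the first `runMongoProgram`, and the equivalent before the expired-CRL client, would keep the failure attributable. The revoked-CRL, FIPS and weak-validation sections use the same pattern; in the FIPS test the `if (mongo != 0)` branch looks meant to tolerate a server that cannot run in FIPS mode (inferred, its body is outside the hunk) and would not be reached.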


@ -2,18 +2,12 @@
// Note: crl_client_revoked.pem is a CRL with the client.pem certificate listed as revoked.
// This test should test that the user cannot connect with client.pem certificate.
port = allocatePorts( 1 )[ 0 ];
var baseName = "jstests_ssl_ssl_crl_revoked";
var md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslCRLFile: "jstests/libs/crl_client_revoked.pem"});
var md = startMongod( "--port", port, "--dbpath", MongoRunner.dataPath + baseName,
"--sslMode","requireSSL",
"--sslPEMKeyFile", "jstests/libs/server.pem",
"--sslCAFile", "jstests/libs/ca.pem",
"--sslCRLFile", "jstests/libs/crl_client_revoked.pem");
var mongo = runMongoProgram("mongo", "--port", port, "--ssl", "--sslAllowInvalidCertificates",
var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client_revoked.pem",
"--eval", ";");


@ -1,15 +1,14 @@
// Test mongod start with FIPS mode enabled
ports = allocatePorts(1);
port1 = ports[0];
var baseName = "jstests_ssl_ssl_fips";
var md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslFIPSMode: ""});
var md = startMongod("--port", port1, "--dbpath",
MongoRunner.dataPath + baseName, "--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/server.pem",
"--sslFIPSMode");
var mongo = runMongoProgram("mongo", "--port", port1, "--ssl", "--sslAllowInvalidCertificates",
var mongo = runMongoProgram("mongo",
"--port", md.port,
"--ssl",
"--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--sslFIPSMode",
"--eval", ";");
@ -22,5 +21,5 @@ if (mongo != 0) {
}
else {
// kill mongod
stopMongod(port1);
MongoRunner.stopMongod(md);
}


@ -7,12 +7,6 @@ var SAN_CERT = "jstests/libs/localhostnameSAN.pem";
var CLIENT_CERT = "jstests/libs/client.pem"
var BAD_SAN_CERT = "jstests/libs/badSAN.pem";
// We want to be able to control all SSL parameters
// but still need an SSL shell hence the test is placed
// in the /ssl directory
TestData.useX509 = false;
TestData.useSSL = false;
port = allocatePorts(1)[0];
function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSucceed) {
@ -52,7 +46,7 @@ function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSuc
assert.eq(1, mongo, "Connection attempt succeeded when it should fail certPath: " +
certPath);
}
stopMongod(port);
MongoRunner.stopMongod(port);
}
// 1. Test client connections with different server certificates


@ -1,23 +1,18 @@
// Test SSL Certificate Expiration Monitoring
// This tests that a mongod with --sslMode requireSSL will not start with an
// X.509 certificate that is not yet valid or has expired.
ports = allocatePorts(1);
port = ports[0];
var baseName = "jstests_ssl_ssl_invalid_server_cert";
// This test ensures that a mongod will not start with a certificate that is
// not yet valid. Tested certificate will become valid 06-17-2020.
var md = startMongod("--port", port, "--dbpath", MongoRunner.dataPath + baseName,
"--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/not_yet_valid.pem",
"--sslCAFile", "jstests/libs/ca.pem");
var md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/not_yet_valid.pem",
sslCAFile: "jstests/libs/ca.pem"});
assert.eq(null, md, "Possible to start mongod with not yet valid certificate.");
// This test ensures that a mongod with SSL will not start with an expired certificate.
md = startMongod("--port", port, "--dbpath", MongoRunner.dataPath + baseName,
"--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/expired.pem",
"--sslCAFile", "jstests/libs/ca.pem");
md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/expired.pem",
sslCAFile: "jstests/libs/ca.pem"});
assert.eq(null, md, "Possible to start mongod with expired certificate");


@ -5,7 +5,8 @@ jsTest.log("Testing censorship of ssl options");
var mongodConfig = { sslPEMKeyFile : "jstests/libs/password_protected.pem",
sslMode : "requireSSL",
sslPEMKeyPassword : "qwerty",
sslClusterPassword : "qwerty" };
sslClusterPassword : "qwerty",
sslCAFile: "jstests/libs/ca.pem"};
var mongodSource = MongoRunner.runMongod(mongodConfig);
var getCmdLineOptsResult = mongodSource.adminCommand("getCmdLineOpts");


@ -1,27 +1,22 @@
// Test forcing certificate validation
// This tests that forcing certification validation will prohibit clients without certificates
// from connecting.
ports = allocatePorts( 2 );
var baseName = "jstests_ssl_ssl_weak";
// Test that connecting with no client certificate and --sslAllowConnectionsWithoutCertificates
// (an alias for sslWeakCertificateValidation) connects successfully.
var md = startMongod( "--port", ports[0], "--dbpath", MongoRunner.dataPath + baseName + "1",
"--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/server.pem",
"--sslCAFile", "jstests/libs/ca.pem",
"--sslAllowConnectionsWithoutCertificates");
var md = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslAllowConnectionsWithoutCertificates: ""});
var mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalidCertificates",
var mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--eval", ";");
// 0 is the exit code for success
assert(mongo==0);
// Test that connecting with a valid client certificate connects successfully.
mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalidCertificates",
mongo = runMongoProgram("mongo", "--port", md.port, "--ssl", "--sslAllowInvalidCertificates",
"--sslPEMKeyFile", "jstests/libs/client.pem",
"--eval", ";");
@ -29,14 +24,13 @@ mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalid
assert(mongo==0);
// Test that connecting with no client certificate and no --sslWeakCertificateValidation fails to
// connect.
var md2 = startMongod( "--port", ports[1], "--dbpath", MongoRunner.dataPath + baseName + "2",
"--sslMode", "requireSSL",
"--sslPEMKeyFile", "jstests/libs/server.pem",
"--sslCAFile", "jstests/libs/ca.pem");
// Test that connecting with no client certificate and no --sslAllowConnectionsWithoutCertificates
// fails to connect.
var md2 = MongoRunner.runMongod({sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem"});
mongo = runMongoProgram("mongo", "--port", ports[1], "--ssl", "--sslAllowInvalidCertificates",
mongo = runMongoProgram("mongo", "--port", md2.port, "--ssl", "--sslAllowInvalidCertificates",
"--eval", ";");
// 1 is the exit code for failure


@ -1,7 +1,3 @@
// Must turn these off so we don't have CA file supplied automatically.
TestData.usex509 = false;
TestData.useSSL = false;
var SERVER_CERT = "jstests/libs/server.pem";
var CLIENT_CERT = "jstests/libs/client.pem";
var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client";

View File

@ -7,13 +7,14 @@
* and therefore cannot test modes that do not allow ssl.
*/
// If we are running in use-x509 passthrough mode, turn it off
// since it is not necessary for this test.
TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js");
// "sslAllowInvalidCertificates" is enabled to avoid hostname conflicts with our testing certs
opts = {sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: ""};
var opts = {sslMode:"allowSSL",
sslPEMKeyFile: SERVER_CERT,
sslAllowInvalidCertificates: "",
sslAllowConnectionsWithoutCertificates: "",
sslCAFile: "jstests/libs/ca.pem"};
var rst = new ReplSetTest({ name: 'sslSet', nodes: 3, nodeOptions : opts });
rst.startSet();
rst.initiate();
@ -23,7 +24,8 @@ rstConn1.getDB("test").a.insert({a:1, str:"TESTTESTTEST"});
assert.eq(1, rstConn1.getDB("test").a.count(), "Error interacting with replSet");
print("===== UPGRADE allowSSL -> preferSSL =====");
rst.upgradeSet({sslMode:"preferSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: ""});
opts.sslMode = "preferSSL";
rst.upgradeSet(opts);
var rstConn2 = rst.getMaster();
rstConn2.getDB("test").a.insert({a:2, str:"CHECKCHECK"});
assert.eq(2, rstConn2.getDB("test").a.count(), "Error interacting with replSet");
@ -33,7 +35,8 @@ var canConnectNoSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--eval",
assert.eq(0, canConnectNoSSL, "non-SSL Connection attempt failed when it should succeed");
print("===== UPGRADE preferSSL -> requireSSL =====");
rst.upgradeSet({sslMode:"requireSSL", sslPEMKeyFile: SERVER_CERT, sslAllowInvalidCertificates: ""});
opts.sslMode = "requireSSL";
rst.upgradeSet(opts);
var rstConn3 = rst.getMaster();
rstConn3.getDB("test").a.insert({a:3, str:"GREENEGGSANDHAM"});
assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
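Review bot: `opts` is handed to `ReplSetTest` as `nodeOptions` and then mutated in place (`opts.sslMode = "preferSSL";`, later `"requireSSL"`) before each `rst.upgradeSet(opts)`. If the ReplSetTest keeps a reference to that object, its stored node options change underneath it. Passing a copy, `rst.upgradeSet(Object.merge(opts, {sslMode: "preferSSL"}));`, avoids the aliasing, and `Object.merge` is already used that way elsewhere in this commit. The comment above `opts` explains only `sslAllowInvalidCertificates`; the newly added `sslAllowConnectionsWithoutCertificates` needs its own line, presumably `// shell connections in this test present no client certificate`, so it is clear that both validation relaxations are intentional here.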


@ -14,9 +14,6 @@ function authAllNodes() {
}
};
// If we are running in use-x509 passthrough mode, turn it off
// since it is not necessary for this test.
TestData.useX509 = false;
load("jstests/ssl/libs/ssl_helpers.js");
opts = {sslMode:"allowSSL", sslPEMKeyFile: SERVER_CERT,


@ -1,10 +1,9 @@
// If we are running in use-x509 passthrough mode, turn it off or else the auth
// part of this test will not work correctly
TestData.useX509 = false;
// Check if this build supports the authenticationMechanisms startup parameter.
var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" });
var conn = MongoRunner.runMongod({smallfiles: "",
auth: "",
sslMode: "requireSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem"});
conn.getDB('admin').createUser({user: "root", pwd: "pass", roles: ["root"]});
conn.getDB('admin').auth("root", "pass");
var cmdOut = conn.getDB('admin').runCommand({getParameter: 1, authenticationMechanisms: 1})
@ -50,26 +49,24 @@ function authAndTest(mongo) {
}
print("1. Testing x.509 auth to mongod");
var mongo = MongoRunner.runMongod({port : port,
sslMode : "requireSSL",
sslPEMKeyFile : SERVER_CERT,
sslCAFile : CA_CERT,
auth:""});
authAndTest(mongo);
stopMongod(port);
print("2. Testing x.509 auth to mongos");
var x509_options = {sslMode : "requireSSL",
sslPEMKeyFile : SERVER_CERT,
sslCAFile : CA_CERT};
var mongo = MongoRunner.runMongod(Object.merge(x509_options, {port: port, auth: ""}));
authAndTest(mongo);
MongoRunner.stopMongod(port);
print("2. Testing x.509 auth to mongos");
var st = new ShardingTest({ shards : 1,
mongos : 1,
other: {
extraOptions : {"keyFile" : "jstests/libs/key1"},
configOptions : x509_options,
mongosOptions : x509_options,
shardOptions : x509_options,
}});
authAndTest(new Mongo("localhost:" + st.s0.port))


@ -17,7 +17,7 @@ function testTransition(newSSLMode, newClusterAuthMode) {
var res = adminDB.runCommand({ "setParameter" : 1,
"clusterAuthMode" : newClusterAuthMode });
assert(!res["ok"]);
stopMongod(port);
MongoRunner.stopMongod(port);
}
testTransition("allowSSL", "sendKeyFile");


@ -44,7 +44,7 @@ function testCombination(sslMode, sslShell, shouldSucceed) {
assert.eq(1, mongo, "Connection attempt succeeded when it should fail sslMode:" +
sslMode + " SSL-shell:" + sslShell);
}
stopMongod(port);
MongoRunner.stopMongod(port);
}
testCombination("disabled", false, true);


@ -34,7 +34,7 @@ Mongo.prototype.getSlaveOk = function() {
}
Mongo.prototype.getDB = function( name ){
if ((jsTest.options().keyFile || jsTest.options().useX509) &&
if ((jsTest.options().keyFile) &&
((typeof this.authenticated == 'undefined') || !this.authenticated)) {
jsTest.authenticate(this)
}


@ -34,17 +34,6 @@ startMongodTest = function (port, dirname, restart, extraOptions) {
options["auth"] = "";
if(jsTestOptions().keyFile && (!extraOptions || !extraOptions['keyFile']))
options['keyFile'] = jsTestOptions().keyFile
if(jsTestOptions().useSSL) {
if (!options["sslMode"])
options["sslMode"] = "requireSSL";
if (!options["sslPEMKeyFile"])
options["sslPEMKeyFile"] = "jstests/libs/server.pem";
if (!options["sslCAFile"])
options["sslCAFile"] = "jstests/libs/ca.pem";
options["sslWeakCertificateValidation"] = "";
}
if (jsTestOptions().useX509 && !options["clusterAuthMode"])
options["clusterAuthMode"] = "x509";
if (extraOptions)
Object.extend(options , extraOptions);


@ -460,8 +460,7 @@ ReplSetTest.prototype.initiate = function( cfg , initCmd , timeout ) {
this.awaitSecondaryNodes(timeout);
// Setup authentication if running test with authentication
if ((jsTestOptions().keyFile || jsTestOptions().useX509) &&
cmdKey == 'replSetInitiate') {
if ((jsTestOptions().keyFile) && cmdKey == 'replSetInitiate') {
master = this.getMaster();
jsTest.authenticateNodes(this.nodes);
}
@ -731,7 +730,7 @@ ReplSetTest.prototype.restart = function( n , options, signal, wait ){
this.stop(n, signal, options);
started = this.start( n , options , true, wait );
if (jsTestOptions().keyFile || jsTestOptions().useX509) {
if (jsTestOptions().keyFile) {
if (started.length) {
// if n was an array of conns, start will return an array of connections
for (var i = 0; i < started.length; i++) {


@ -423,23 +423,7 @@ MongoRunner.mongoOptions = function( opts ){
// Default for waitForConnect is true
opts.waitForConnect = (waitForConnect == undefined || waitForConnect == null) ?
true : waitForConnect;
if( jsTestOptions().useSSL ) {
if (!opts.sslMode) opts.sslMode = "requireSSL";
if (!opts.sslPEMKeyFile) opts.sslPEMKeyFile = "jstests/libs/server.pem";
if (!opts.sslCAFile) opts.sslCAFile = "jstests/libs/ca.pem";
// Needed for jstest/ssl/upgrade_to_ssl.js
opts.sslWeakCertificateValidation = "";
// Needed for jstest/ssl/ssl_hostname_validation.js
opts.sslAllowInvalidHostnames = "";
}
if ( jsTestOptions().useX509 && !opts.clusterAuthMode ) {
opts.clusterAuthMode = "x509";
}
opts.port = opts.port || MongoRunner.nextOpenPort()
MongoRunner.usedPortMap[ "" + parseInt( opts.port ) ] = true
@ -493,22 +477,6 @@ MongoRunner.mongodOptions = function( opts ){
opts.keyFile = jsTestOptions().keyFile
}
if( jsTestOptions().useSSL ) {
if (!opts.sslMode) opts.sslMode = "requireSSL";
if (!opts.sslPEMKeyFile) opts.sslPEMKeyFile = "jstests/libs/server.pem";
if (!opts.sslCAFile) opts.sslCAFile = "jstests/libs/ca.pem";
// Needed for jstest/ssl/upgrade_to_ssl.js
opts.sslWeakCertificateValidation = "";
// Needed for jstest/ssl/ssl_hostname_validation.js
opts.sslAllowInvalidHostnames = "";
}
if ( jsTestOptions().useX509 && !opts.clusterAuthMode ) {
opts.clusterAuthMode = "x509";
}
if( opts.noReplSet ) opts.replSet = null
if( opts.arbiter ) opts.oplogSize = 1


@ -163,26 +163,6 @@ ReplTest.prototype.getOptions = function( master , extra , putBinaryFirst, norep
a.push( jsTestOptions().keyFile )
}
if( jsTestOptions().useSSL ) {
if (!a.contains("--sslMode")) {
a.push( "--sslMode" )
a.push( "requireSSL" )
}
if (!a.contains("--sslPEMKeyFile")) {
a.push( "--sslPEMKeyFile" )
a.push( "jstests/libs/server.pem" )
}
if (!a.contains("--sslCAFile")) {
a.push( "--sslCAFile" )
a.push( "jstests/libs/ca.pem" )
}
a.push( "--sslWeakCertificateValidation" )
}
if( jsTestOptions().useX509 && !a.contains("--clusterAuthMode")) {
a.push( "--clusterAuthMode" )
a.push( "x509" )
}
if ( !norepl ) {
if ( master ){
a.push( "--master" );
@ -218,7 +198,7 @@ ReplTest.prototype.start = function( master , options , restart, norepl ){
return conn;
} else {
var conn = startMongod.apply(null, o);
if (jsTestOptions().keyFile || jsTestOptions().auth || jsTestOptions().useX509) {
if (jsTestOptions().keyFile || jsTestOptions().auth) {
jsTest.authenticate(conn);
}
if (!master) {
@ -331,14 +311,6 @@ function startParallelShell( jsCode, port, noConnect ){
args.push("--port", port);
}
if( jsTestOptions().useSSL ) {
args.push( "--ssl" )
args.push( "--sslPEMKeyFile" )
args.push( "jstests/libs/client.pem" )
args.push( "--sslCAFile" )
args.push( "jstests/libs/ca.pem" )
}
x = startMongoProgramNoConnect.apply(null, args);
return function(){
return waitProgram( x );
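Review bot: With the `useSSL` block gone from `startParallelShell` in the last hunk, parallel shells are launched without `--ssl`, `--sslPEMKeyFile` or `--sslCAFile`, and nothing visible in this section replaces them. A test that starts a parallel shell against a `requireSSL` server would presumably fail to connect unless the arguments reach the shell some other way, so it is worth confirming that no remaining SSL test depends on this helper. A comment at the top of the function would record the new contract, for example `// TLS arguments are no longer added here; tests that need an SSL parallel shell must supply them explicitly`. The function body starts outside the hunk.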


@ -424,7 +424,7 @@ ShardingTest = function( testName , numShards , verboseLevel , numMongos , other
);
}
if (jsTestOptions().keyFile || jsTestOptions().useX509) {
if (jsTestOptions().keyFile) {
jsTest.authenticate( this._configConnection );
jsTest.authenticateNodes( this._configServers );
jsTest.authenticateNodes( this._mongos );


@ -157,9 +157,7 @@ jsTestOptions = function(){
authPassword : TestData.keyFileData,
authMechanism : TestData.authMechanism,
adminUser : TestData.adminUser || "admin",
adminPassword : TestData.adminPassword || "password",
useSSL : TestData.useSSL,
useX509 : TestData.useX509});
adminPassword : TestData.adminPassword || "password"});
}
return _jsTestOptions;
}
@ -195,7 +193,7 @@ jsTest.randomize = function( seed ) {
}
jsTest.authenticate = function(conn) {
if (!jsTest.options().auth && !jsTest.options().keyFile && !jsTest.options().useX509) {
if (!jsTest.options().auth && !jsTest.options().keyFile) {
conn.authenticated = true;
return true;
}