mongodb/jstests/ssl/tlsCATrusts.js

// Test restricting role authorization via X509 extensions.
import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";

requireSSLProvider('openssl', function() {
    const SERVER_CERT = 'jstests/libs/server.pem';
    const COMBINED_CA_CERT = 'jstests/ssl/x509/root-and-trusted-ca.pem';
    const CA_HASH = cat('jstests/libs/ca.pem.digest.sha256');
    const TRUSTED_CA_HASH = cat('jstests/libs/trusted-ca.pem.digest.sha256');

    // Common suffix, keep the lines short.
    const RDN_SUFFIX = ',O=MongoDB,L=New York City,ST=New York,C=US';
    const USERS = [];

    const CLIENT = {
        cert: 'jstests/libs/client.pem',
        roles: [],
    };
    USERS.push('CN=client,OU=KernelUser');

    const CLIENT_ROLES = {
        cert: 'jstests/libs/client_roles.pem',
        roles: [{role: 'backup', db: 'admin'}, {role: 'readAnyDatabase', db: 'admin'}],
    };
    USERS.push('CN=Kernel Client Peer Role,OU=Kernel Users');

    const TRUSTED_CLIENT_TESTDB_ROLES = {
        cert: 'jstests/ssl/x509/trusted-client-testdb-roles.pem',
        roles: [{role: 'role1', db: 'testDB'}, {role: 'role2', db: 'testDB'}],
    };
    USERS.push('CN=Trusted Kernel Test Client With Roles,OU=Kernel Users');

    function test(tlsCATrusts, success, failure) {
        const options = {
            auth: '',
            tlsMode: 'requireTLS',
            tlsCertificateKeyFile: SERVER_CERT,
            tlsCAFile: COMBINED_CA_CERT,
        };

        if (tlsCATrusts !== null) {
            options.setParameter = {
                tlsCATrusts: tojson(tlsCATrusts),
            };
        }

        const mongod = MongoRunner.runMongod(options);

        const admin = mongod.getDB('admin');
        admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
        admin.auth({user: 'admin', pwd: 'pwd'});

        const external = mongod.getDB('$external');
        USERS.forEach((u) => external.createUser({user: u + RDN_SUFFIX, roles: []}));

        const testDB = mongod.getDB('test');
        testDB.createRole({role: 'role1', privileges: [], roles: []});
        testDB.createRole({role: 'role2', privileges: [], roles: []});

        // Sorting JS arrays of objects with arbitrary order is... complex.
        const serverTrusts =
            assert.commandWorked(admin.runCommand({getParameter: 1, tlsCATrusts: 1})).tlsCATrusts;
        function sortAndNormalizeRoles(roles) {
            return roles.map((r) => r.role + '.' + r.db).sort().join('/');
        }
        function sortAndNormalizeTrusts(trusts) {
            if (trusts === null) {
                return "(unconfigured)";
            }
            return trusts.map((t) => t.sha256 + '/' + sortAndNormalizeRoles(t.roles)).sort();
        }
        assert.eq(sortAndNormalizeTrusts(tlsCATrusts), sortAndNormalizeTrusts(serverTrusts));

        function impl(user, expect) {
            const snRoles = tojson(sortAndNormalizeRoles(user.roles));
            const uri = 'mongodb://localhost:' + mongod.port + '/admin';
            const script = tojson(sortAndNormalizeRoles) +
                'assert(db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509"}));' +
                'const status = assert.commandWorked(db.runCommand({connectionStatus: 1}));' +
                'const roles = status.authInfo.authenticatedUserRoles;' +
                'assert.eq(' + snRoles + ', sortAndNormalizeRoles(roles));';
            const mongo = runMongoProgram('mongo',
                                          '--tls',
                                          '--tlsCertificateKeyFile',
                                          user.cert,
                                          '--tlsCAFile',
                                          COMBINED_CA_CERT,
                                          uri,
                                          '--eval',
                                          script);
            expect(mongo, 0);
        }

        success.forEach((u) => impl(u, assert.eq));
        failure.forEach((u) => impl(u, assert.neq));

        MongoRunner.stopMongod(mongod);
    }

    // Positive tests.
    const unconfigured = null;
    test(unconfigured, [CLIENT, CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES], []);

    const allRoles = [
        {sha256: CA_HASH, roles: [{role: '', db: ''}]},
        {sha256: TRUSTED_CA_HASH, roles: [{role: '', db: ''}]}
    ];
    test(allRoles, [CLIENT, CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES], []);

    const allRolesOnAdmin = [{sha256: CA_HASH, roles: [{role: '', db: 'admin'}]}];
    test(allRolesOnAdmin, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);

    const specificRolesOnAnyDB =
        [{sha256: CA_HASH, roles: [{role: 'backup', db: ''}, {role: 'readAnyDatabase', db: ''}]}];
    test(specificRolesOnAnyDB, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);

    const exactRoles = [{
        sha256: CA_HASH,
        roles: [{role: 'backup', db: 'admin'}, {role: 'readAnyDatabase', db: 'admin'}]
    }];
    test(exactRoles, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);

    const extraRoles = [{
        sha256: CA_HASH,
        roles: [
            {role: 'backup', db: 'admin'},
            {role: 'readAnyDatabase', db: 'admin'},
            {role: 'readWrite', db: 'admin'}
        ]
    }];
    test(extraRoles, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);

    const similarRoles = [
        {
            sha256: CA_HASH,
            roles: [
                {role: 'backup', db: 'test'},
                {role: 'readAnyDatabase', db: ''},
                {role: 'backup', db: 'admin'}
            ]
        },
        {
            sha256: TRUSTED_CA_HASH,
            roles: [
                {role: 'role1', db: 'admin'},
                {role: 'role2', db: 'testDB'},
                {role: 'role1', db: 'testDB'},
            ]
        }
    ];
    test(similarRoles, [CLIENT, CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES], []);

    const withUntrusted =
        [{sha256: CA_HASH, roles: [{role: '', db: ''}]}, {sha256: TRUSTED_CA_HASH, roles: []}];
    test(withUntrusted, [CLIENT, CLIENT_ROLES], [TRUSTED_CLIENT_TESTDB_ROLES]);

    const customRoles = [{
        sha256: TRUSTED_CA_HASH,
        roles: [
            {role: 'role1', db: 'testDB'},
            {role: 'role2', db: 'testDB'},
        ]
    }];
    test(customRoles, [CLIENT, TRUSTED_CLIENT_TESTDB_ROLES], [CLIENT_ROLES]);

    // Negative tests. CLIENT_CERT is okay because it doesn't ask for roles.
    const noTrustedCAs = [];
    test(noTrustedCAs, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);

    const noRoles = [{sha256: CA_HASH, roles: []}];
    test(noRoles, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);

    const insufficientRoles1 = [
        {sha256: CA_HASH, roles: [{role: 'backup', db: ''}]},
        {sha256: TRUSTED_CA_HASH, roles: [{role: 'role1', db: 'testDB'}]}
    ];
    test(insufficientRoles1, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);

    const insufficientRoles2 = [
        {sha256: CA_HASH, roles: [{role: 'readWriteAnyDatabase', db: ''}]},
        {sha256: TRUSTED_CA_HASH, roles: [{role: 'role2', db: 'testDB'}]}
    ];
    test(insufficientRoles2, [CLIENT], [CLIENT_ROLES, TRUSTED_CLIENT_TESTDB_ROLES]);

    const withTrusted =
        [{sha256: CA_HASH, roles: []}, {sha256: TRUSTED_CA_HASH, roles: [{role: '', db: ''}]}];
    test(withTrusted, [CLIENT, TRUSTED_CLIENT_TESTDB_ROLES], [CLIENT_ROLES]);
});