mirror of
https://github.com/mongodb/mongo.git
synced 2024-11-27 23:27:11 +01:00
50 lines
1.8 KiB
JavaScript
50 lines
1.8 KiB
JavaScript
// Verify a warning is emitted when a certificate is about to expire.
|
|
|
|
const SERVER_CERT = "jstests/libs/server.pem";
|
|
const CA_CERT = "jstests/libs/ca.pem";
|
|
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
|
|
|
|
function test(expiration, expect) {
|
|
const options = {
|
|
auth: '',
|
|
tlsMode: "requireTLS",
|
|
tlsCertificateKeyFile: SERVER_CERT,
|
|
tlsCAFile: CA_CERT,
|
|
setParameter: 'tlsX509ExpirationWarningThresholdDays=' + expiration,
|
|
};
|
|
const mongo = MongoRunner.runMongod(options);
|
|
const external = mongo.getDB("$external");
|
|
|
|
external.createUser({
|
|
user: CLIENT_USER,
|
|
roles: [
|
|
{'role': 'userAdminAnyDatabase', 'db': 'admin'},
|
|
{'role': 'readWriteAnyDatabase', 'db': 'admin'},
|
|
{'role': 'clusterMonitor', 'db': 'admin'},
|
|
]
|
|
});
|
|
|
|
assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}),
|
|
"authentication with valid user failed");
|
|
|
|
// Check that there's a "Successfully authenticated" message that includes the client IP
|
|
const log =
|
|
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
|
|
|
|
function checkPeerCertificateExpires(element /*, index, array*/) {
|
|
const logJson = JSON.parse(element);
|
|
|
|
return (logJson.id === 23221 || logJson.id === 23222) &&
|
|
logJson.attr.peerSubjectName === CLIENT_USER;
|
|
}
|
|
assert.eq(log.some(checkPeerCertificateExpires), expect);
|
|
|
|
MongoRunner.stopMongod(mongo);
|
|
}
|
|
|
|
assert.doesNotThrow(
|
|
() => test(100, false),
|
|
[],
|
|
"If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.");
|
|
test(7300, true); // Work so long as certs expire no more than 20 years from now
|