mirror of
https://github.com/mongodb/mongo.git
synced 2024-11-30 00:56:44 +01:00
112 lines
3.6 KiB
JavaScript
112 lines
3.6 KiB
JavaScript
/**
|
|
* This test does a full rollover of the X509 auth for cluster membership. After the rollover,
|
|
* the cluster will have a new CA and the dn components used to determine cluster membership
|
|
* will have changed;
|
|
*
|
|
* @tags: [requires_persistence, requires_replication]
|
|
*/
|
|
|
|
(function() {
|
|
'use strict';
|
|
|
|
const rst = new ReplSetTest({
|
|
nodes: 3,
|
|
waitForKeys: false,
|
|
nodeOptions: {
|
|
sslMode: "preferSSL",
|
|
clusterAuthMode: "x509",
|
|
sslPEMKeyFile: "jstests/libs/server.pem",
|
|
sslCAFile: "jstests/libs/ca.pem",
|
|
sslAllowInvalidHostnames: ""
|
|
}
|
|
});
|
|
rst.startSet();
|
|
|
|
rst.initiateWithAnyNodeAsPrimary(
|
|
Object.extend(rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: true}));
|
|
|
|
// Create a user to login as when auth is enabled later
|
|
rst.getPrimary().getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']}, {w: 3});
|
|
rst.nodes.forEach((node) => {
|
|
assert(node.getDB("admin").auth("root", "root"));
|
|
});
|
|
|
|
// All the certificates' DNs share this base
|
|
const dnBase = "C=US, ST=New York, L=New York,";
|
|
// This is the DN of the rollover certificate.
|
|
const rolloverDN = dnBase + " O=MongoDB\\, Inc. (Rollover), OU=Kernel (Rollover), CN=server";
|
|
// This is the DN of the original certificate
|
|
const originalDN = dnBase + " O=MongoDB, OU=Kernel, CN=server";
|
|
|
|
// This will rollover the cluster to a new config in a rolling fashion. It will return when
|
|
// there is a primary and we are able to write to it.
|
|
const rolloverConfig = function(newConfig) {
|
|
const restart = function(node) {
|
|
const nodeId = rst.getNodeId(node);
|
|
rst.stop(nodeId);
|
|
const configId = "n" + nodeId;
|
|
rst.nodeOptions[configId] = Object.merge(rst.nodeOptions[configId], newConfig, true);
|
|
const newNode = rst.start(nodeId, {}, true, true);
|
|
assert(newNode.getDB("admin").auth("root", "root"));
|
|
};
|
|
|
|
rst.getSecondaries().forEach(function(secondary) {
|
|
restart(secondary);
|
|
});
|
|
|
|
restart(rst.getPrimary());
|
|
|
|
assert.soon(() => {
|
|
let primary = rst.getPrimary();
|
|
assert.commandWorked(primary.getDB("admin").runCommand({isMaster: 1}));
|
|
assert.commandWorked(primary.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'}));
|
|
|
|
// Start a shell that connects to the server with the current CA/cert configuration
|
|
// and ensure that it's able to connect and authenticate with x509.
|
|
const shellArgs = [
|
|
'mongo',
|
|
primary.name,
|
|
'--eval',
|
|
';',
|
|
'--ssl',
|
|
'--sslAllowInvalidHostnames',
|
|
'--sslCAFile',
|
|
newConfig['sslCAFile'],
|
|
'--sslPEMKeyFile',
|
|
newConfig['sslPEMKeyFile'],
|
|
'--authenticationDatabase=$external',
|
|
'--authenticationMechanism=MONGODB-X509'
|
|
];
|
|
assert.eq(_runMongoProgram.apply(null, shellArgs), 0);
|
|
|
|
return true;
|
|
});
|
|
};
|
|
|
|
jsTestLog("Rolling over CA certificate to combined old and new CA's");
|
|
rolloverConfig({
|
|
sslPEMKeyFile: "jstests/libs/server.pem",
|
|
sslCAFile: "jstests/libs/rollover_ca_merged.pem",
|
|
setParameter: {
|
|
tlsX509ClusterAuthDNOverride: rolloverDN,
|
|
}
|
|
});
|
|
|
|
jsTestLog("Rolling over to new certificate with new cluster DN and new CA");
|
|
rolloverConfig({
|
|
sslPEMKeyFile: "jstests/libs/rollover_server.pem",
|
|
sslCAFile: "jstests/libs/rollover_ca_merged.pem",
|
|
setParameter: {
|
|
tlsX509ClusterAuthDNOverride: originalDN,
|
|
}
|
|
});
|
|
|
|
jsTestLog("Rolling over to new CA only");
|
|
rolloverConfig({
|
|
sslPEMKeyFile: "jstests/libs/rollover_server.pem",
|
|
sslCAFile: "jstests/libs/rollover_ca.pem",
|
|
});
|
|
|
|
rst.stopSet();
|
|
})();
|