mirrors/mongodb
mirrors/mongodb
0
0
Fork 0
mirror of https://github.com/mongodb/mongo.git synced 2024-11-25 09:19:32 +01:00
Code Issues Releases Activity
9f736f576d
mongodb/jstests/ssl/ssl_count_protocols.js
W. Brad Moore 3cbd53553c SERVER-84397: Use proper SSL options in tests 
GitOrigin-RevId: 2ceb3b5faa6e0038e0f6d2f4326241b735b83535
2024-02-01 15:32:18 +00:00

103 lines
4.3 KiB
JavaScript
Raw Blame History

// Ensure the server counts the server TLS versions used
import {
detectDefaultTLSProtocol,
sslProviderSupportsTLS1_0,
sslProviderSupportsTLS1_1,
} from "jstests/ssl/libs/ssl_helpers.js";
var SERVER_CERT = "jstests/libs/server.pem";
var CLIENT_CERT = "jstests/libs/client.pem";
var CA_CERT = "jstests/libs/ca.pem";
const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];
// First, figure out what protocol our local TLS stack wants to speak.
// We're going to observe a connection of this type from the testrunner.
const expectedDefaultProtocol = detectDefaultTLSProtocol();
print("Expected default protocol: " + expectedDefaultProtocol);
function runTestWithoutSubset(client) {
print("Running test: " + client);
let disabledProtocols = protocols.slice();
let expectedCounts = [0, 0, 0, 0, 0];
expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;
var index = disabledProtocols.indexOf(client);
disabledProtocols.splice(index, 1);
expectedCounts[index] += 1;
print(tojson(expectedCounts));
const conn = MongoRunner.runMongod({
tlsMode: 'allowTLS',
tlsCertificateKeyFile: SERVER_CERT,
tlsDisabledProtocols: 'none',
useLogFiles: true,
tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
tlsCAFile: CA_CERT
});
const exitStatus = runMongoProgram('mongo',
'--tls',
'--tlsAllowInvalidHostnames',
'--tlsCertificateKeyFile',
CLIENT_CERT,
'--tlsCAFile',
CA_CERT,
'--port',
conn.port,
'--tlsDisabledProtocols',
disabledProtocols.join(","),
'--eval',
// The Javascript string "1.0" is implicitly converted to the
// Number(1) Workaround this with parseFloat
'one = Number.parseFloat(1).toPrecision(2); a = {};' +
'a[one] = NumberLong(' + expectedCounts[0] + ');' +
'a["1.1"] = NumberLong(' + expectedCounts[1] + ');' +
'a["1.2"] = NumberLong(' + expectedCounts[2] + ');' +
'a["1.3"] = NumberLong(' + expectedCounts[3] + ');' +
'a["unknown"] = NumberLong(' + expectedCounts[4] + ');' +
'assert.eq(db.serverStatus().transportSecurity, a);');
if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") {
// If the runtime environment does not support TLS 1.3, a client cannot connect to a
// server if TLS 1.3 is its only usable protocol version.
assert.neq(0,
exitStatus,
"A client which does not support TLS 1.3 should not be able to connect with it");
MongoRunner.stopMongod(conn);
return;
}
assert.eq(0, exitStatus, "");
print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
const log = cat(conn.fullOptions.logFile);
const lines = log.split('\n');
let found = false;
for (let logMsg of lines) {
if (!logMsg) {
continue;
}
const logJson = JSON.parse(logMsg);
if (logJson.id === 23218 && /1\.\d/.test(logJson.attr.tlsVersion) &&
/127.0.0.1:\d+/.test(logJson.attr.remoteHost)) {
found = true;
break;
}
}
assert(found,
"'Accepted connection with TLS Version' log line missing in log file!\n" +
"Log file contents: " + conn.fullOptions.logFile +
"\n************************************************************\n" + log +
"\n************************************************************");
MongoRunner.stopMongod(conn);
}
if (sslProviderSupportsTLS1_0()) {
runTestWithoutSubset("TLS1_0");
}
if (sslProviderSupportsTLS1_1()) {
runTestWithoutSubset("TLS1_1");
}
runTestWithoutSubset("TLS1_2");
runTestWithoutSubset("TLS1_3");
View Git Blame Copy Permalink