0
0
mirror of https://github.com/mongodb/mongo.git synced 2024-11-25 09:19:32 +01:00
mongodb/jstests/ssl/x509_expiring.js
2023-08-06 20:48:04 +00:00

50 lines
1.8 KiB
JavaScript

// Verify a warning is emitted when a certificate is about to expire.
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
function test(expiration, expect) {
const options = {
auth: '',
tlsMode: "requireTLS",
tlsCertificateKeyFile: SERVER_CERT,
tlsCAFile: CA_CERT,
setParameter: 'tlsX509ExpirationWarningThresholdDays=' + expiration,
};
const mongo = MongoRunner.runMongod(options);
const external = mongo.getDB("$external");
external.createUser({
user: CLIENT_USER,
roles: [
{'role': 'userAdminAnyDatabase', 'db': 'admin'},
{'role': 'readWriteAnyDatabase', 'db': 'admin'},
{'role': 'clusterMonitor', 'db': 'admin'},
]
});
assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}),
"authentication with valid user failed");
// Check that there's a "Successfully authenticated" message that includes the client IP
const log =
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
function checkPeerCertificateExpires(element /*, index, array*/) {
const logJson = JSON.parse(element);
return (logJson.id === 23221 || logJson.id === 23222) &&
logJson.attr.peerSubjectName === CLIENT_USER;
}
assert.eq(log.some(checkPeerCertificateExpires), expect);
MongoRunner.stopMongod(mongo);
}
assert.doesNotThrow(
() => test(100, false),
[],
"If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.");
test(7300, true); // Work so long as certs expire no more than 20 years from now