mirror of
https://github.com/mongodb/mongo.git
synced 2024-11-28 07:59:02 +01:00
771dabd098
GitOrigin-RevId: 744aa110a53786b23c62ff53f87a1418b5991e8d
91 lines
3.7 KiB
JavaScript
91 lines
3.7 KiB
JavaScript
// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
|
|
// certificate to the login keychain of the evergreen user. See,
|
|
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
|
|
// for details.
|
|
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
|
|
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
|
|
|
|
import {getPython3Binary} from "jstests/libs/python.js";
|
|
import {ReplSetTest} from "jstests/libs/replsettest.js";
|
|
|
|
const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
|
|
jsTest.log("HOST_TYPE = " + HOST_TYPE);
|
|
|
|
if (HOST_TYPE == "macOS") {
|
|
// Ensure trusted-ca.pem is properly installed on MacOS hosts.
|
|
// (MacOS is the only OS where it is installed outside of this test)
|
|
let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem");
|
|
assert.eq(0, exitCode, 'Check for proper installation of Trusted CA on MacOS host');
|
|
}
|
|
if (HOST_TYPE == "windows") {
|
|
assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
|
|
|
|
// OpenSSL backed imports Root CA and intermediate CA
|
|
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
|
|
|
|
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
|
|
// Current User.
|
|
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
|
|
}
|
|
|
|
try {
|
|
var replTest = new ReplSetTest({
|
|
name: "TLSTest",
|
|
nodes: 1,
|
|
nodeOptions: {
|
|
tlsMode: "requireTLS",
|
|
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
|
|
setParameter: {tlsUseSystemCA: true},
|
|
},
|
|
host: "localhost",
|
|
useHostName: false,
|
|
});
|
|
|
|
replTest.startSet({
|
|
env: {
|
|
SSL_CERT_FILE: 'jstests/libs/trusted-ca.pem',
|
|
},
|
|
});
|
|
|
|
replTest.initiate();
|
|
|
|
var nodeList = replTest.nodeList().join();
|
|
|
|
var checkShell = function(url) {
|
|
// Should not be able to authenticate with x509.
|
|
// Authenticate call will return 1 on success, 0 on error.
|
|
var argv = ['mongo', url, '--eval', ('db.runCommand({replSetGetStatus: 1})')];
|
|
|
|
if (url.endsWith('&ssl=true')) {
|
|
argv.push('--tls', '--tlsCertificateKeyFile', 'jstests/libs/trusted-client.pem');
|
|
}
|
|
|
|
if (!_isWindows()) {
|
|
// On Linux we override the default path to the system CA store to point to our
|
|
// system CA. On Windows, this CA will have been added to the user's trusted CA list
|
|
argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
|
|
}
|
|
var ret = runMongoProgram(...argv);
|
|
return ret;
|
|
};
|
|
|
|
jsTest.log("Testing with no ssl specification...");
|
|
var noMentionSSLURL = `mongodb://${nodeList}/admin?replicaSet=${replTest.name}`;
|
|
assert.neq(checkShell(noMentionSSLURL), 0, "shell correctly failed to connect without SSL");
|
|
|
|
jsTest.log("Testing with ssl specified false...");
|
|
var disableSSLURL = `mongodb://${nodeList}/admin?replicaSet=${replTest.name}&ssl=false`;
|
|
assert.neq(checkShell(disableSSLURL), 0, "shell correctly failed to connect without SSL");
|
|
|
|
jsTest.log("Testing with ssl specified true...");
|
|
var useSSLURL = `mongodb://${nodeList}/admin?replicaSet=${replTest.name}&ssl=true`;
|
|
assert.eq(checkShell(useSSLURL), 0, "successfully connected with SSL");
|
|
|
|
replTest.stopSet();
|
|
} finally {
|
|
if (_isWindows()) {
|
|
const ca_thumbprint = cat('jstests/libs/trusted-ca.pem.digest.sha1');
|
|
runProgram("certutil.exe", "-delstore", "-f", "Root", ca_thumbprint);
|
|
runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", ca_thumbprint);
|
|
}
|
|
} |