0
0
mirror of https://github.com/mongodb/mongo.git synced 2024-11-28 07:59:02 +01:00
mongodb/jstests/ssl_linear/repl_ssl_noca.js
Matt Broadstone 771dabd098 SERVER-81339 Convert ReplSetTest and ShardingTest to modules (#26332)
GitOrigin-RevId: 744aa110a53786b23c62ff53f87a1418b5991e8d
2024-08-20 22:00:49 +00:00

91 lines
3.7 KiB
JavaScript

// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
// for details.
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
import {getPython3Binary} from "jstests/libs/python.js";
import {ReplSetTest} from "jstests/libs/replsettest.js";
const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
jsTest.log("HOST_TYPE = " + HOST_TYPE);
if (HOST_TYPE == "macOS") {
// Ensure trusted-ca.pem is properly installed on MacOS hosts.
// (MacOS is the only OS where it is installed outside of this test)
let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem");
assert.eq(0, exitCode, 'Check for proper installation of Trusted CA on MacOS host');
}
if (HOST_TYPE == "windows") {
assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
// OpenSSL backed imports Root CA and intermediate CA
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
// Current User.
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
}
try {
var replTest = new ReplSetTest({
name: "TLSTest",
nodes: 1,
nodeOptions: {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
setParameter: {tlsUseSystemCA: true},
},
host: "localhost",
useHostName: false,
});
replTest.startSet({
env: {
SSL_CERT_FILE: 'jstests/libs/trusted-ca.pem',
},
});
replTest.initiate();
var nodeList = replTest.nodeList().join();
var checkShell = function(url) {
// Should not be able to authenticate with x509.
// Authenticate call will return 1 on success, 0 on error.
var argv = ['mongo', url, '--eval', ('db.runCommand({replSetGetStatus: 1})')];
if (url.endsWith('&ssl=true')) {
argv.push('--tls', '--tlsCertificateKeyFile', 'jstests/libs/trusted-client.pem');
}
if (!_isWindows()) {
// On Linux we override the default path to the system CA store to point to our
// system CA. On Windows, this CA will have been added to the user's trusted CA list
argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
}
var ret = runMongoProgram(...argv);
return ret;
};
jsTest.log("Testing with no ssl specification...");
var noMentionSSLURL = `mongodb://${nodeList}/admin?replicaSet=${replTest.name}`;
assert.neq(checkShell(noMentionSSLURL), 0, "shell correctly failed to connect without SSL");
jsTest.log("Testing with ssl specified false...");
var disableSSLURL = `mongodb://${nodeList}/admin?replicaSet=${replTest.name}&ssl=false`;
assert.neq(checkShell(disableSSLURL), 0, "shell correctly failed to connect without SSL");
jsTest.log("Testing with ssl specified true...");
var useSSLURL = `mongodb://${nodeList}/admin?replicaSet=${replTest.name}&ssl=true`;
assert.eq(checkShell(useSSLURL), 0, "successfully connected with SSL");
replTest.stopSet();
} finally {
if (_isWindows()) {
const ca_thumbprint = cat('jstests/libs/trusted-ca.pem.digest.sha1');
runProgram("certutil.exe", "-delstore", "-f", "Root", ca_thumbprint);
runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", ca_thumbprint);
}
}