mirror of https://github.com/mongodb/mongo
121 lines
3.9 KiB
JavaScript
121 lines
3.9 KiB
JavaScript
// Ensure the server counts the server TLS versions used
|
|
import {
|
|
detectDefaultTLSProtocol,
|
|
sslProviderSupportsTLS1_0,
|
|
sslProviderSupportsTLS1_1,
|
|
} from "jstests/ssl/libs/ssl_helpers.js";
|
|
|
|
let SERVER_CERT = "jstests/libs/server.pem";
|
|
let CLIENT_CERT = "jstests/libs/client.pem";
|
|
let CA_CERT = "jstests/libs/ca.pem";
|
|
|
|
const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];
|
|
|
|
// First, figure out what protocol our local TLS stack wants to speak.
|
|
// We're going to observe a connection of this type from the testrunner.
|
|
const expectedDefaultProtocol = detectDefaultTLSProtocol();
|
|
print("Expected default protocol: " + expectedDefaultProtocol);
|
|
|
|
function runTestWithoutSubset(client) {
|
|
print("Running test: " + client);
|
|
let disabledProtocols = protocols.slice();
|
|
let expectedCounts = [0, 0, 0, 0, 0];
|
|
expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;
|
|
let index = disabledProtocols.indexOf(client);
|
|
disabledProtocols.splice(index, 1);
|
|
expectedCounts[index] += 1;
|
|
print(tojson(expectedCounts));
|
|
|
|
const conn = MongoRunner.runMongod({
|
|
tlsMode: "allowTLS",
|
|
tlsCertificateKeyFile: SERVER_CERT,
|
|
tlsDisabledProtocols: "none",
|
|
useLogFiles: true,
|
|
tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
|
|
tlsCAFile: CA_CERT,
|
|
});
|
|
|
|
const exitStatus = runMongoProgram(
|
|
"mongo",
|
|
"--tls",
|
|
"--tlsAllowInvalidHostnames",
|
|
"--tlsCertificateKeyFile",
|
|
CLIENT_CERT,
|
|
"--tlsCAFile",
|
|
CA_CERT,
|
|
"--port",
|
|
conn.port,
|
|
"--tlsDisabledProtocols",
|
|
disabledProtocols.join(","),
|
|
"--eval",
|
|
// The Javascript string "1.0" is implicitly converted to the
|
|
// Number(1) Workaround this with parseFloat
|
|
"one = Number.parseFloat(1).toPrecision(2); a = {};" +
|
|
"a[one] = NumberLong(" +
|
|
expectedCounts[0] +
|
|
");" +
|
|
'a["1.1"] = NumberLong(' +
|
|
expectedCounts[1] +
|
|
");" +
|
|
'a["1.2"] = NumberLong(' +
|
|
expectedCounts[2] +
|
|
");" +
|
|
'a["1.3"] = NumberLong(' +
|
|
expectedCounts[3] +
|
|
");" +
|
|
'a["unknown"] = NumberLong(' +
|
|
expectedCounts[4] +
|
|
");" +
|
|
"assert.eq(db.serverStatus().transportSecurity, a);",
|
|
);
|
|
|
|
if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") {
|
|
// If the runtime environment does not support TLS 1.3, a client cannot connect to a
|
|
// server if TLS 1.3 is its only usable protocol version.
|
|
assert.neq(0, exitStatus, "A client which does not support TLS 1.3 should not be able to connect with it");
|
|
MongoRunner.stopMongod(conn);
|
|
return;
|
|
}
|
|
|
|
assert.eq(0, exitStatus, "");
|
|
|
|
print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
|
|
const log = cat(conn.fullOptions.logFile);
|
|
|
|
const lines = log.split("\n");
|
|
let found = false;
|
|
for (let logMsg of lines) {
|
|
if (!logMsg) {
|
|
continue;
|
|
}
|
|
const logJson = JSON.parse(logMsg);
|
|
if (
|
|
logJson.id === 23218 &&
|
|
/1\.\d/.test(logJson.attr.tlsVersion) &&
|
|
/127.0.0.1:\d+/.test(logJson.attr.remoteHost)
|
|
) {
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
assert(
|
|
found,
|
|
"'Accepted connection with TLS Version' log line missing in log file!\n" +
|
|
"Log file contents: " +
|
|
conn.fullOptions.logFile +
|
|
"\n************************************************************\n" +
|
|
log +
|
|
"\n************************************************************",
|
|
);
|
|
|
|
MongoRunner.stopMongod(conn);
|
|
}
|
|
if (sslProviderSupportsTLS1_0()) {
|
|
runTestWithoutSubset("TLS1_0");
|
|
}
|
|
if (sslProviderSupportsTLS1_1()) {
|
|
runTestWithoutSubset("TLS1_1");
|
|
}
|
|
runTestWithoutSubset("TLS1_2");
|
|
runTestWithoutSubset("TLS1_3");
|