// Verify a warning is emitted when a certificate is about to expire.
// Certificate/key file the test server presents (passed as tlsCertificateKeyFile).
const SERVER_CERT = "jstests/libs/server.pem";

// CA bundle the test server uses to validate peer certificates (passed as tlsCAFile).
const CA_CERT = "jstests/libs/ca.pem";

// Subject DN of the X.509 client. It is used both as the $external user name and as the
// value the server is expected to log as peerSubjectName.
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
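/**
 * Starts a TLS-only mongod with the given certificate-expiration warning threshold,
 * authenticates as CLIENT_USER via MONGODB-X509, and asserts whether the server logged a
 * peer-certificate expiration message for that client.
 *
 * @param {number} expiration - Value for the tlsX509ExpirationWarningThresholdDays server
 *     parameter.
 * @param {boolean} expect - Whether a log entry with id 23221 or 23222 naming CLIENT_USER
 *     as peerSubjectName must be present after authentication.
 */
function test(expiration, expect) {
    const options = {
        auth: "",
        tlsMode: "requireTLS",
        tlsCertificateKeyFile: SERVER_CERT,
        tlsCAFile: CA_CERT,
        setParameter: `tlsX509ExpirationWarningThresholdDays=${expiration}`,
    };
    const mongo = MongoRunner.runMongod(options);
    // Fail with a clear message instead of a TypeError on mongo.getDB() below; runMongod
    // may hand back null rather than throw when startup fails.
    assert.neq(null, mongo, "mongod failed to start with TLS enabled");

    // Always stop the server, including when an assertion below fails, so a failing run
    // does not leave a mongod behind.
    try {
        const external = mongo.getDB("$external");

        // X.509 users live in $external and are named by the certificate subject DN.
        external.createUser({
            user: CLIENT_USER,
            roles: [
                {"role": "userAdminAnyDatabase", "db": "admin"},
                {"role": "readWriteAnyDatabase", "db": "admin"},
                {"role": "clusterMonitor", "db": "admin"},
            ],
        });

        assert(external.auth({user: CLIENT_USER, mechanism: "MONGODB-X509"}),
               "authentication with valid user failed");

        // The expiration warning is only observable through the server log, so fetch the
        // global log and look for a peer-certificate expiration entry for this client.
        const log =
            assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;

        // Each log line is a JSON document. attr is read only once the id has matched one
        // of the two ids this test looks for, which short-circuits for unrelated entries.
        const checkPeerCertificateExpires = (element) => {
            const logJson = JSON.parse(element);
            const isExpirationEntry = logJson.id === 23221 || logJson.id === 23222;
            return isExpirationEntry && logJson.attr.peerSubjectName === CLIENT_USER;
        };

        assert.eq(log.some(checkPeerCertificateExpires),
                  expect,
                  "unexpected peer certificate expiration log state for threshold of " +
                      expiration + " days");
    } finally {
        MongoRunner.stopMongod(mongo);
    }
}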
// With a 100-day threshold no expiration warning is expected. A failure here is wrapped so
// that the error explains the certificates need renewing.
// NOTE(review): the log check in test() matches the client's subject name, while the message
// below names server.pem -- presumably the testing certificates are renewed together; confirm.
assert.doesNotThrow(
    () => {
        test(100, false);
    },
    [],
    "If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.",
);

// With a 7300-day threshold the warning must be logged.
// Work so long as certs expire no more than 20 years from now
test(7300, true);