mirror
/
mongo
mirror of https://github.com/mongodb/mongo
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mongo/jstests/ssl/x509_expiring.js

61 lines
2.1 KiB
JavaScript
Raw Permalink Blame History

// Verify a warning is emitted when a certificate is about to expire.
(function() {
'use strict';
load("jstests/libs/logv2_helpers.js");
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
function test(expiration, expect) {
const options = {
auth: '',
tlsMode: "requireTLS",
tlsCertificateKeyFile: SERVER_CERT,
tlsCAFile: CA_CERT,
setParameter: 'tlsX509ExpirationWarningThresholdDays=' + expiration,
};
const mongo = MongoRunner.runMongod(options);
const external = mongo.getDB("$external");
external.createUser({
user: CLIENT_USER,
roles: [
{'role': 'userAdminAnyDatabase', 'db': 'admin'},
{'role': 'readWriteAnyDatabase', 'db': 'admin'},
{'role': 'clusterMonitor', 'db': 'admin'},
]
});
assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}),
"authentication with valid user failed");
// Check that there's a "Successfully authenticated" message that includes the client IP
const log =
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
if (isJsonLog(mongo)) {
function checkPeerCertificateExpires(element, index, array) {
const logJson = JSON.parse(element);
return (logJson.id === 23221 || logJson.id === 23222) &&
logJson.attr.peerSubjectName === CLIENT_USER;
}
assert.eq(log.some(checkPeerCertificateExpires), expect);
} else {
const warning = `Peer certificate '${CLIENT_USER}' expires`;
assert.eq(log.some(line => line.includes(warning)), expect);
}
MongoRunner.stopMongod(mongo);
}
assert.doesNotThrow(
() => test(100, false),
[],
"If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.");
test(7300, true); // Work so long as certs expire no more than 20 years from now
})();
Reference in New Issue View Git Blame Copy Permalink