mirror of https://github.com/mongodb/mongo
82 lines
2.9 KiB
JavaScript
82 lines
2.9 KiB
JavaScript
// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
|
|
// certificate to the login keychain of the evergreen user. See,
|
|
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
|
|
// for details.
|
|
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
|
|
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
|
|
(function() {
|
|
'use strict';
|
|
|
|
load('jstests/libs/python.js');
|
|
|
|
const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
|
|
jsTest.log("HOST_TYPE = " + HOST_TYPE);
|
|
|
|
if (HOST_TYPE == "windows") {
|
|
assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
|
|
|
|
// OpenSSL backed imports Root CA and intermediate CA
|
|
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
|
|
|
|
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
|
|
// Current User.
|
|
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
|
|
}
|
|
function testWithCerts(prefix) {
|
|
jsTest.log("Starting mongod blindly...");
|
|
// allowTLS to get a non-TLS control connection.
|
|
var opts = {
|
|
tlsMode: 'preferTLS',
|
|
tlsCertificateKeyFile: 'jstests/libs/' + prefix + 'server.pem',
|
|
waitForConnect: false,
|
|
setParameter: {tlsUseSystemCA: true},
|
|
env: {"SSL_CERT_FILE": "jstests/libs/" + prefix + "ca.pem"},
|
|
};
|
|
const conn = MongoRunner.runMongod(opts);
|
|
|
|
jsTest.log("Waiting for mongod to be non-TLS connectable...");
|
|
let argv = ['mongo', '--port', conn.port, '--eval', ';'];
|
|
|
|
assert.soon((exitCode) => {
|
|
exitCode = runMongoProgram.apply(null, argv);
|
|
return 0 == exitCode;
|
|
});
|
|
|
|
jsTest.log("Testing connection with " + prefix + "client.pem ...");
|
|
argv = [
|
|
'mongo',
|
|
'--tls',
|
|
'--port',
|
|
conn.port,
|
|
'--tlsCertificateKeyFile',
|
|
'jstests/libs/' + prefix + 'client.pem',
|
|
'--eval',
|
|
';'
|
|
];
|
|
|
|
if (HOST_TYPE == "linux") {
|
|
// On Linux we override the default path to the system CA store to point to our
|
|
// "trusted" CA. On Windows, this CA will have been added to the user's trusted CA list
|
|
argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
|
|
}
|
|
|
|
let exitCode = runMongoProgram.apply(null, argv);
|
|
|
|
jsTest.log("Stopping mongod...");
|
|
MongoRunner.stopMongod(conn);
|
|
|
|
return exitCode;
|
|
}
|
|
|
|
try {
|
|
assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA');
|
|
assert.eq(0, testWithCerts('trusted-'), 'Certs signed with trusted CA');
|
|
} finally {
|
|
if (HOST_TYPE == "windows") {
|
|
const trusted_ca_thumbprint = cat('jstests/libs/trusted-ca.pem.digest.sha1');
|
|
runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint);
|
|
runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", trusted_ca_thumbprint);
|
|
}
|
|
}
|
|
})();
|