mirror of https://github.com/mongodb/mongo
88 lines
3.0 KiB
JavaScript
88 lines
3.0 KiB
JavaScript
// Test invalid SSL keyfile settings.
|
|
|
|
import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
|
|
|
|
function runTest(name, config, expect) {
|
|
jsTest.log('Running test: ' + name);
|
|
clearRawMongoProgramOutput();
|
|
|
|
let mongod = null;
|
|
try {
|
|
mongod = MongoRunner.runMongod(config);
|
|
} catch (e) {
|
|
//
|
|
}
|
|
assert.eq(null, mongod, 'Mongod started unexpectedly');
|
|
|
|
const output = rawMongoProgramOutput();
|
|
assert.eq(
|
|
true, output.includes(expect), "Server failure message did not include '" + expect + "'");
|
|
}
|
|
|
|
const validityMessage = 'The provided SSL certificate is expired or not yet valid';
|
|
|
|
// Test that startup fails with certificate that has yet to become valid.
|
|
const notYetValid = {
|
|
tlsMode: 'requireTLS',
|
|
tlsCertificateKeyFile: 'jstests/libs/not_yet_valid.pem',
|
|
tlsCAFile: 'jstests/libs/ca.pem',
|
|
};
|
|
runTest('not-yet-valid', notYetValid, validityMessage);
|
|
|
|
// Test that startup fails with expired certificate.
|
|
const expired = {
|
|
tlsMode: 'requireTLS',
|
|
tlsCertificateKeyFile: 'jstests/libs/expired.pem',
|
|
tlsCAFile: 'jstests/libs/ca.pem',
|
|
};
|
|
runTest('expired', expired, validityMessage);
|
|
|
|
// Test that startup fails with no certificate at all.
|
|
const needKeyFile = 'need tlsCertificateKeyFile or certificateSelector when TLS is enabled';
|
|
runTest('no-key-file', {tlsMode: 'requireTLS', tlsCAFile: 'jstests/libs/ca.pem'}, needKeyFile);
|
|
|
|
// Test that startup also fails if only tlsClusterFile is provided
|
|
runTest('cluster-file-only',
|
|
{
|
|
tlsMode: 'requireTLS',
|
|
tlsCAFile: 'jstests/libs/ca.pem',
|
|
tlsClusterFile: 'jstests/libs/client.pem'
|
|
},
|
|
needKeyFile);
|
|
|
|
requireSSLProvider(['windows', 'apple'], function() {
|
|
const selector = "subject=Trusted Kernel Test Server";
|
|
|
|
// Test that startup also fails if only tlsClusterSelector is provided
|
|
runTest('cluster-selector-only',
|
|
{
|
|
tlsMode: 'requireTLS',
|
|
tlsCAFile: 'jstests/libs/ca.pem',
|
|
tlsClusterCertificateSelector: selector,
|
|
},
|
|
needKeyFile);
|
|
|
|
// Test that startup fails if both key file and cert selector are provided
|
|
const keyFileAndSelector = {
|
|
tlsMode: 'requireTLS',
|
|
tlsCAFile: 'jstests/libs/ca.pem',
|
|
tlsCertificateKeyFile: 'jstests/libs/client.pem',
|
|
tlsCertificateSelector: selector,
|
|
};
|
|
runTest(
|
|
'keyfile-and-selector',
|
|
keyFileAndSelector,
|
|
"net.tls.certificateKeyFile is not allowed when net.tls.certificateSelector is specified");
|
|
|
|
// Test that startup fails if both cluster file and cluster cert selector are provided
|
|
const clusterFileAndSelector = {
|
|
tlsMode: 'requireTLS',
|
|
tlsCAFile: 'jstests/libs/ca.pem',
|
|
tlsClusterFile: 'jstests/libs/client.pem',
|
|
tlsClusterCertificateSelector: selector,
|
|
};
|
|
runTest(
|
|
'cluster-keyfile-and-selector',
|
|
clusterFileAndSelector,
|
|
"net.tls.clusterFile is not allowed when net.tls.clusterCertificateSelector is specified");
|
|
}); |