RUBY-565 testy goodness for ssl cert validation

Brandon Black · Brandon Black · commit 0443a02bace8 · 2013-06-10T14:56:22.000-07:00
Adding a few tests to cover the new SSL features. Sadly, there's too much certificate, /etc/hosts and MongoDB server mucking around for these tests to actually be run in bulk or automated in CI.

These tests must be run manually, and in some cases (spefifically for negative test cases) a single test at a time.

I've grouped the tests by their configuration and server options required to make them successful and provided notes for each test on how to set it up locall on your own machine.
diff --git a/tasks/testing.rake b/tasks/testing.rake
@@ -78,25 +78,25 @@ namespace :test do
     end
   end
 
+  Rake::TestTask.new(:functional) do |t|
+    t.test_files = FileList['test/functional/*_test.rb'] - [
+      'test/functional/grid_io_test.rb',
+      'test/functional/grid_test.rb',
+      'test/functional/ssl_test.rb'
+    ]
+    t.libs << 'test'
+  end
+
   Rake::TestTask.new(:replica_set) do |t|
     disabled = [
       'test/replica_set/complex_connect_test.rb',
       'test/replica_set/count_test.rb',
-      'test/replica_set/read_preference_test.rb'
+      'test/replica_set/read_preference_test.rb',
+      'test/replica_set/ssl_test.rb'
     ]
 
     t.test_files = FileList['test/replica_set/*_test.rb'] - disabled
     t.libs << 'test'
-    #t.verbose = true
-    #t.options = '-v'
-  end
-
-  Rake::TestTask.new(:functional) do |t|
-    t.test_files = FileList['test/functional/*_test.rb'] - [
-      "test/functional/grid_io_test.rb",
-      "test/functional/grid_test.rb"
-    ]
-    t.libs << 'test'
   end
 
   desc "Runs test cleanup"
diff --git a/test/fixtures/certificates/crl_expired.pem b/test/fixtures/certificates/crl_expired.pem
diff --git a/test/functional/ssl_test.rb b/test/functional/ssl_test.rb
@@ -0,0 +1,109 @@
+require 'test_helper'
+
+class SSLCertValidationTest < Test::Unit::TestCase
+  include Mongo
+
+  CERT_PATH   = "#{Dir.pwd}/test/fixtures/certificates/"
+  CLIENT_CERT = "#{CERT_PATH}client.pem"
+  CA_CERT     = "#{CERT_PATH}ca.pem"
+
+  # This test doesn't connect, no server config required
+  def test_ssl_configuration
+    # raises when ssl=false and ssl opts specified
+    assert_raise MongoArgumentError do
+      MongoClient.new('server', 27017, :connect  => false,
+                                       :ssl      => false,
+                                       :ssl_cert => CLIENT_CERT)
+    end
+
+    # raises when ssl=nil and ssl opts specified
+    assert_raise MongoArgumentError do
+      MongoClient.new('server', 27017, :connect => false,
+                                       :ssl_key => CLIENT_CERT)
+    end
+
+    # raises when verify=true and no ca_cert
+    assert_raise MongoArgumentError do
+      MongoClient.new('server', 27017, :connect    => false,
+                                       :ssl        => true,
+                                       :ssl_key    => CLIENT_CERT,
+                                       :ssl_cert   => CLIENT_CERT,
+                                       :ssl_verify => true)
+    end
+  end
+
+  # Requires MongoDB built with SSL and the follow options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem \
+  # --sslWeakCertificateValidation
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_basic
+    client = MongoClient.new('server', 27017, :connect => false,
+                                              :ssl     => true)
+    assert client.connect
+  end
+
+  # Requires MongoDB built with SSL and the follow options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_with_cert
+    client = MongoClient.new('server', 27017, :connect  => false,
+                                              :ssl      => true,
+                                              :ssl_cert => CLIENT_CERT,
+                                              :ssl_key  => CLIENT_CERT)
+    assert client.connect
+  end
+
+  def test_ssl_with_peer_cert_validation
+    client = MongoClient.new('server', 27017, :connect     => false,
+                                              :ssl         => true,
+                                              :ssl_key     => CLIENT_CERT,
+                                              :ssl_cert    => CLIENT_CERT,
+                                              :ssl_verify  => true,
+                                              :ssl_ca_cert => CA_CERT)
+    assert client.connect
+  end
+
+  def test_ssl_peer_cert_validation_hostname_fail
+    client = MongoClient.new('localhost', 27017, :connect     => false,
+                                                 :ssl         => true,
+                                                 :ssl_key     => CLIENT_CERT,
+                                                 :ssl_cert    => CLIENT_CERT,
+                                                 :ssl_verify  => true,
+                                                 :ssl_ca_cert => CA_CERT)
+    assert_raise ConnectionFailure do
+      client.connect
+    end
+  end
+
+  # Requires mongod built with SSL and the follow options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl_client_revoked.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_with_invalid_cert
+    assert_raise ConnectionFailure do
+      MongoClient.new('server', 27017, :ssl         => true,
+                                       :ssl_key     => CLIENT_CERT,
+                                       :ssl_cert    => CLIENT_CERT,
+                                       :ssl_verify  => true,
+                                       :ssl_ca_cert => CA_CERT)
+    end
+  end
+
+end
diff --git a/test/replica_set/ssl_test.rb b/test/replica_set/ssl_test.rb
@@ -0,0 +1,114 @@
+require 'test_helper'
+
+# Note: For testing with MongoReplicaSetClient you *MUST* use the
+# hostname 'server' for all members of the replica set.
+
+class ReplicaSetSSLCertValidationTest < Test::Unit::TestCase
+  include Mongo
+
+  CERT_PATH   = "#{Dir.pwd}/test/fixtures/certificates/"
+  CLIENT_CERT = "#{CERT_PATH}client.pem"
+  CA_CERT     = "#{CERT_PATH}ca.pem"
+  SEEDS       = ['server:3000','server:3001','server:3002']
+  BAD_SEEDS   = ['localhost:3000','localhost:3001','localhost:3002']
+
+  # This test doesn't connect, no server config required
+  def test_ssl_configuration
+    # raises when ssl=false and ssl opts specified
+    assert_raise MongoArgumentError do
+      MongoReplicaSetClient.new(SEEDS, :connect  => false,
+                                       :ssl      => false,
+                                       :ssl_cert => CLIENT_CERT)
+    end
+
+    # raises when ssl=nil and ssl opts specified
+    assert_raise MongoArgumentError do
+      MongoReplicaSetClient.new(SEEDS, :connect => false,
+                                       :ssl_key => CLIENT_CERT)
+    end
+
+    # raises when verify=true and no ca_cert
+    assert_raise MongoArgumentError do
+      MongoReplicaSetClient.new(SEEDS, :connect    => false,
+                                       :ssl        => true,
+                                       :ssl_key    => CLIENT_CERT,
+                                       :ssl_cert   => CLIENT_CERT,
+                                       :ssl_verify => true)
+    end
+  end
+
+  # Requires MongoDB built with SSL and the follow options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem \
+  # --sslWeakCertificateValidation
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_basic
+    client = MongoReplicaSetClient.new(SEEDS, :connect => false,
+                                              :ssl     => true)
+    assert client.connect
+  end
+
+  # Requires MongoDB built with SSL and the follow options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_with_cert
+    client = MongoReplicaSetClient.new(SEEDS, :connect  => false,
+                                              :ssl      => true,
+                                              :ssl_cert => CLIENT_CERT,
+                                              :ssl_key  => CLIENT_CERT)
+    assert client.connect
+  end
+
+  def test_ssl_with_peer_cert_validation
+    client = MongoReplicaSetClient.new(SEEDS, :connect     => false,
+                                              :ssl         => true,
+                                              :ssl_key     => CLIENT_CERT,
+                                              :ssl_cert    => CLIENT_CERT,
+                                              :ssl_verify  => true,
+                                              :ssl_ca_cert => CA_CERT)
+    assert client.connect
+  end
+
+  def test_ssl_peer_cert_validation_hostname_fail
+    client = MongoReplicaSetClient.new(BAD_SEEDS, :connect     => false,
+                                                  :ssl         => true,
+                                                  :ssl_key     => CLIENT_CERT,
+                                                  :ssl_cert    => CLIENT_CERT,
+                                                  :ssl_verify  => true,
+                                                  :ssl_ca_cert => CA_CERT)
+    assert_raise ConnectionFailure do
+      client.connect
+    end
+  end
+
+  # Requires mongod built with SSL and the follow options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl_client_revoked.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_with_invalid_cert
+    assert_raise ConnectionFailure do
+      MongoReplicaSetClient.new(SEEDS, :ssl         => true,
+                                       :ssl_key     => CLIENT_CERT,
+                                       :ssl_cert    => CLIENT_CERT,
+                                       :ssl_verify  => true,
+                                       :ssl_ca_cert => CA_CERT)
+    end
+  end
+
+end
