RUBY-565 adding support for ssl cert validation

* Added new SSL options to MongoClient, MongoReplicaSetClient and MongoShardedClient.
* Added SSL certificate check to SSLSocket.
* Updated pool tests to support these changes.

The MongoDB auth spec explicity does not include any of these new SSL values (mostly because they're file paths) so there were no changes required the URI parser. SSL cert validation options must be set directly on the client.

Author: Brandon Black

lib/mongo/mongo_client.rb

@@ -30,8 +30,9 @@ class MongoClient
     DEFAULT_HOST         = 'localhost'
     DEFAULT_PORT         = 27017
     DEFAULT_DB_NAME      = 'test'
-    GENERIC_OPTS         = [:ssl, :auths, :logger, :connect]
+    GENERIC_OPTS         = [:auths, :logger, :connect]
     TIMEOUT_OPTS         = [:timeout, :op_timeout, :connect_timeout]
+    SSL_OPTS             = [:ssl, :ssl_key, :ssl_cert, :ssl_verify, :ssl_ca_cert]
     POOL_OPTS            = [:pool_size, :pool_timeout]
     READ_PREFERENCE_OPTS = [:read, :tag_sets, :secondary_acceptable_latency_ms]
     WRITE_CONCERN_OPTS   = [:w, :j, :fsync, :wtimeout]
@@ -50,6 +51,7 @@ class MongoClient
                 :pool_timeout,
                 :primary_pool,
                 :socket_class,
+                :socket_opts,
                 :op_timeout,
                 :tag_sets,
                 :acceptable_latency,
@@ -69,33 +71,43 @@ class MongoClient
     # MongoClient#arbiters. This is useful if your application needs to connect manually to nodes other
     # than the primary.
     #
-    # @param [String] host
-    # @param [Integer] port specify a port number here if only one host is being specified.
-    #
-    # @option opts [String, Integer, Symbol] :w (1) Set default number of nodes to which a write
-    #   should be acknowledged
-    # @option opts [Boolean] :j (false) Set journal acknowledgement
-    # @option opts [Integer] :wtimeout (nil) Set replica set acknowledgement timeout
-    # @option opts [Boolean] :fsync (false) Set fsync acknowledgement.
-    #
-    #     Notes about write concern options:
-    #       Write concern options are propagated to objects instantiated from this MongoClient.
-    #       These defaults can be overridden upon instantiation of any object by explicitly setting an options hash
-    #       on initialization.
-    # @option opts [Boolean] :slave_ok (false) Must be set to +true+ when connecting
-    #   to a single, slave node.
-    # @option opts [Logger, #debug] :logger (nil) A Logger instance for debugging driver ops. Note that
-    #   logging negatively impacts performance; therefore, it should not be used for high-performance apps.
-    # @option opts [Integer] :pool_size (1) The maximum number of socket self.connections allowed per
-    #   connection pool. Note: this setting is relevant only for multi-threaded applications.
-    # @option opts [Float] :timeout (5.0) When all of the self.connections a pool are checked out,
-    #   this is the number of seconds to wait for a new connection to be released before throwing an exception.
-    #   Note: this setting is relevant only for multi-threaded applications (which in Ruby are rare).
-    # @option opts [Float] :op_timeout (nil) The number of seconds to wait for a read operation to time out.
-    #   Disabled by default.
-    # @option opts [Float] :connect_timeout (nil) The number of seconds to wait before timing out a
-    #   connection attempt.
-    # @option opts [Boolean] :ssl (false) If true, create the connection to the server using SSL.
+    # @overload initialize(host, port, opts={})
+    #  @param [String] host hostname for the target MongoDB server.
+    #  @param [Integer] port specify a port number here if only one host is being specified.
+    #  @param [Hash] opts hash of optional settings and configuration values.
+    #
+    #  @option opts [String, Integer, Symbol] :w (1) Set default number of nodes to which a write
+    #    should be acknowledged
+    #  @option opts [Boolean] :j (false) Set journal acknowledgement
+    #  @option opts [Integer] :wtimeout (nil) Set replica set acknowledgement timeout
+    #  @option opts [Boolean] :fsync (false) Set fsync acknowledgement.
+    #
+    #  Notes about Write-Concern Options:
+    #   Write concern options are propagated to objects instantiated from this MongoClient.
+    #   These defaults can be overridden upon instantiation of any object by explicitly setting an options hash
+    #   on initialization.
+    #
+    #  @option opts [Boolean] :ssl (false) If true, create the connection to the server using SSL.
+    #  @option opts [String] :ssl_cert (nil) The certificate file used to identify the local connection against MongoDB.
+    #  @option opts [String] :ssl_key (nil) The private keyfile used to identify the local connection against MongoDB.
+    #    If included with the :ssl_cert then only :ssl_cert is needed.
+    #  @option opts [Boolean] :ssl_verify (nil) Specifies whether or not peer certification validation should occur.
+    #  @option opts [String] :ssl_ca_cert (nil) The ca_certs file contains a set of concatenated "certification authority"
+    #    certificates, which are used to validate certificates passed from the other end of the connection.
+    #    Required for :ssl_verify.
+    #  @option opts [Boolean] :slave_ok (false) Must be set to +true+ when connecting
+    #    to a single, slave node.
+    #  @option opts [Logger, #debug] :logger (nil) A Logger instance for debugging driver ops. Note that
+    #    logging negatively impacts performance; therefore, it should not be used for high-performance apps.
+    #  @option opts [Integer] :pool_size (1) The maximum number of socket self.connections allowed per
+    #    connection pool. Note: this setting is relevant only for multi-threaded applications.
+    #  @option opts [Float] :timeout (5.0) When all of the self.connections a pool are checked out,
+    #    this is the number of seconds to wait for a new connection to be released before throwing an exception.
+    #    Note: this setting is relevant only for multi-threaded applications.
+    #  @option opts [Float] :op_timeout (nil) The number of seconds to wait for a read operation to time out.
+    #    Disabled by default.
+    #  @option opts [Float] :connect_timeout (nil) The number of seconds to wait before timing out a
+    #    connection attempt.
     #
     # @example localhost, 27017 (or <code>ENV["MONGODB_URI"]</code> if available)
     #   MongoClient.new
@@ -459,9 +471,7 @@ def mongos?
     # @raise [ConnectionFailure] if unable to connect to any host or port.
     def connect
       close
-
       config = check_is_master(host_port)
-
       if config
         if config['ismaster'] == 1 || config['ismaster'] == true
           @read_primary = true
@@ -481,6 +491,7 @@ def connect
       if !connected?
         raise ConnectionFailure, "Failed to connect to a master node at #{host_port.join(":")}"
       end
+      true
     end
     alias :reconnect :connect
 
@@ -574,7 +585,7 @@ def check_is_master(node)
       begin
         host, port = *node
         config = nil
-        socket = @socket_class.new(host, port, @op_timeout, @connect_timeout)
+        socket = @socket_class.new(host, port, @op_timeout, @connect_timeout, @socket_opts)
         if @connect_timeout
           Timeout::timeout(@connect_timeout, OperationTimeout) do
             config = self['admin'].command({:ismaster => 1}, :socket => socket)
@@ -598,7 +609,8 @@ def valid_opts
       POOL_OPTS +
       READ_PREFERENCE_OPTS +
       WRITE_CONCERN_OPTS +
-      TIMEOUT_OPTS
+      TIMEOUT_OPTS +
+      SSL_OPTS
     end
 
     def check_opts(opts)
@@ -612,11 +624,32 @@ def check_opts(opts)
     # Parse option hash
     def setup(opts)
       @slave_ok = opts.delete(:slave_ok)
+      @ssl      = opts.delete(:ssl)
+      @unix     = @host ? @host.end_with?('.sock') : false
+
+      # if ssl options are present, but ssl is nil/false raise for misconfig
+      ssl_opts = opts.keys.select { |k| k.to_s.start_with?('ssl') }
+      if ssl_opts.size > 0 && !@ssl
+        raise MongoArgumentError, "SSL has not been enabled (:ssl=false) " +
+          "but the following  SSL related options were " +
+          "specified: #{ssl_opts.join(', ')}"
+      end
 
-      @ssl = opts.delete(:ssl)
-      @unix = @host ? @host.end_with?('.sock') : false
-
+      @socket_opts = {}
       if @ssl
+        # construct ssl socket opts
+        @socket_opts[:key]     = opts.delete(:ssl_key)
+        @socket_opts[:cert]    = opts.delete(:ssl_cert)
+        @socket_opts[:verify]  = opts.delete(:ssl_verify)
+        @socket_opts[:ca_cert] = opts.delete(:ssl_ca_cert)
+
+        # verify peer requires ca_cert, raise if only one is present
+        if @socket_opts[:verify] && !@socket_opts[:ca_cert]
+          raise MongoArgumentError,
+            "If :ssl_verify_mode has been specified, then you must include " +
+            ":ssl_ca_cert in order to perform server validation."
+        end
+
         @socket_class = Mongo::SSLSocket
       elsif @unix
         @socket_class = Mongo::UNIXSocket
@@ -631,7 +664,8 @@ def setup(opts)
       @pool_size = opts.delete(:pool_size) || 1
       if opts[:timeout]
         warn "The :timeout option has been deprecated " +
-          "and will be removed in the 2.0 release. Use :pool_timeout instead."
+             "and will be removed in the 2.0 release. " +
+             "Use :pool_timeout instead."
       end
       @pool_timeout = opts.delete(:pool_timeout) || opts.delete(:timeout) || 5.0
 

lib/mongo/mongo_replica_set_client.rb

@@ -83,6 +83,13 @@ class MongoReplicaSetClient < MongoClient
     #   @option opts [Float] :connect_timeout (30) The number of seconds to wait before timing out a
     #     connection attempt.
     #   @option opts [Boolean] :ssl (false) If true, create the connection to the server using SSL.
+    #   @option opts [String] :ssl_cert (nil) The certificate file used to identify the local connection against MongoDB.
+    #   @option opts [String] :ssl_key (nil) The private keyfile used to identify the local connection against MongoDB.
+    #     If included with the :ssl_cert then only :ssl_cert is needed.
+    #   @option opts [Boolean] :ssl_verify (nil) Specifies whether or not peer certification validation should occur.
+    #   @option opts [String] :ssl_ca_cert (nil) The ca_certs file contains a set of concatenated "certification authority"
+    #     certificates, which are used to validate certificates passed from the other end of the connection.
+    #     Required for :ssl_verify.
     #   @option opts [Boolean] :refresh_mode (false) Set this to :sync to periodically update the
     #     state of the connection every :refresh_interval seconds. Replica set connection failures
     #     will always trigger a complete refresh. This option is useful when you want to add new nodes

lib/mongo/mongo_sharded_client.rb

@@ -66,7 +66,7 @@ def initialize(*args)
     end
 
     def valid_opts
-      GENERIC_OPTS + SHARDED_CLUSTER_OPTS + READ_PREFERENCE_OPTS + WRITE_CONCERN_OPTS
+      super + SHARDED_CLUSTER_OPTS
     end
 
     def inspect

lib/mongo/util/node.rb

@@ -62,8 +62,9 @@ def connect
       @node_mutex.synchronize do
         begin
           @socket = @client.socket_class.new(@host, @port,
-            @client.op_timeout, @client.connect_timeout
-          )
+                                             @client.op_timeout,
+                                             @client.connect_timeout,
+                                             @client.socket_opts)
         rescue OperationTimeout, ConnectionFailure, OperationFailure, SocketError, SystemCallError, IOError => ex
           @client.log(:debug, "Failed connection to #{host_string} with #{ex.class}, #{ex.message}.")
           close

lib/mongo/util/pool.rb

@@ -175,7 +175,9 @@ def checkin(socket)
     # therefore, it runs within a mutex.
     def checkout_new_socket
       begin
-        socket = @client.socket_class.new(@host, @port, @client.op_timeout, @client.connect_timeout)
+        socket = @client.socket_class.new(@host, @port, @client.op_timeout,
+                                                        @client.connect_timeout,
+                                                        @client.socket_opts)
         socket.pool = self
       rescue => ex
         socket.close if socket

lib/mongo/util/ssl_socket.rb

@@ -24,18 +24,45 @@ module Mongo
   class SSLSocket
     include SocketUtil
 
-    def initialize(host, port, op_timeout=nil, connect_timeout=nil)
-      @op_timeout = op_timeout
+    def initialize(host, port, op_timeout=nil, connect_timeout=nil, opts={})
+      @pid             = Process.pid
+      @op_timeout      = op_timeout
       @connect_timeout = connect_timeout
-      @pid = Process.pid
 
       @tcp_socket = ::TCPSocket.new(host, port)
       @tcp_socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
 
-      @socket = OpenSSL::SSL::SSLSocket.new(@tcp_socket)
-      @socket.sync_close = true
+      @context = OpenSSL::SSL::SSLContext.new
 
-      connect
+      if opts[:cert]
+        @context.cert = OpenSSL::X509::Certificate.new(File.open(opts[:cert]))
+      end
+
+      if opts[:key]
+        @context.key = OpenSSL::PKey::RSA.new(File.open(opts[:key]))
+      end
+
+      if opts[:verify]
+        @context.ca_file = opts[:ca_cert]
+        @context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
+
+      begin
+        @socket = OpenSSL::SSL::SSLSocket.new(@tcp_socket, @context)
+        @socket.sync_close = true
+        connect
+      rescue SSLError
+        raise ConnectionFailure, "SSL handshake failed. MongoDB may " +
+                                 "not be configured with SSL support."
+      end
+
+      if opts[:verify]
+        unless OpenSSL::SSL.verify_certificate_identity(@socket.peer_cert, host)
+          raise ConnectionFailure, "SSL handshake failed. Hostname mismatch."
+        end
+      end
+
+      self
     end
 
     def connect

lib/mongo/util/tcp_socket.rb

@@ -24,14 +24,14 @@ module Mongo
   class TCPSocket
     include SocketUtil
 
-    def initialize(host, port, op_timeout=nil, connect_timeout=nil)
-      @op_timeout = op_timeout
+    def initialize(host, port, op_timeout=nil, connect_timeout=nil, opts={})
+      @op_timeout      = op_timeout
       @connect_timeout = connect_timeout
-      @pid = Process.pid
+      @pid             = Process.pid
 
       # TODO: Prefer ipv6 if server is ipv6 enabled
       @address = Socket.getaddrinfo(host, nil, Socket::AF_INET).first[3]
-      @port = port
+      @port    = port
 
       @socket_address = Socket.pack_sockaddr_in(@port, @address)
       @socket = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM, 0)

lib/mongo/util/unix_socket.rb

@@ -21,15 +21,15 @@ module Mongo
   # sans Timeout::timeout
   #
   class UNIXSocket < TCPSocket
-    def initialize(socket_path, port=:socket, op_timeout=nil, connect_timeout=nil)
-      @op_timeout = op_timeout
+    def initialize(socket_path, port=:socket, op_timeout=nil, connect_timeout=nil, opts={})
+      @op_timeout      = op_timeout
       @connect_timeout = connect_timeout
 
-      @address = socket_path
-      @port = :socket # purposely override input
+      @address         = socket_path
+      @port            = :socket # purposely override input
 
-      @socket_address = Socket.pack_sockaddr_un(@address)
-      @socket = Socket.new(Socket::AF_UNIX, Socket::SOCK_STREAM, 0)
+      @socket_address  = Socket.pack_sockaddr_un(@address)
+      @socket          = Socket.new(Socket::AF_UNIX, Socket::SOCK_STREAM, 0)
       connect
     end
   end

test/unit/node_test.rb

@@ -36,6 +36,7 @@ def setup
     @client.stubs(:connect_timeout).returns(nil)
     @client.expects(:log)
     @client.expects(:mongos?).returns(false)
+    @client.stubs(:socket_opts)
 
     assert node.connect
     node.config

test/unit/pool_manager_test.rb

@@ -32,6 +32,7 @@ class PoolManagerTest < Test::Unit::TestCase
       @client.stubs(:socket_class).returns(TCPSocket)
       @client.stubs(:mongos?).returns(false)
       @client.stubs(:[]).returns(@db)
+      @client.stubs(:socket_opts)
 
       @client.stubs(:replica_set_name).returns(nil)
       @client.stubs(:log)