mongo 1.3.0 → 1.12.5

data/test/shared/authentication/gssapi_shared.rb

@@ -0,0 +1,176 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GSSAPITests
+
+  # Tests for the GSSAPI Authentication Mechanism.
+  #
+  # Note: These tests will be skipped automatically unless the test environment
+  # has been configured.  
+  #
+  # In order to run these tests, you must be using JRuby and must set the following
+  #   environment variables. The realm and KDC are required so that the corresponding
+  #   system properties can be set:
+  #
+  #   export MONGODB_GSSAPI_HOST='server.domain.com'
+  #   export MONGODB_GSSAPI_USER='applicationuser@example.com'
+  #   export MONGODB_GSSAPI_REALM='applicationuser@example.com'
+  #   export MONGODB_GSSAPI_KDC='SERVER.DOMAIN.COM'
+  #
+  # You must use kinit when on MRI.
+  # You have the option of providing a config file that references a keytab file on JRuby:
+  #
+  #   export JAAS_LOGIN_CONFIG_FILE='file:///path/to/config/file'
+  #
+  MONGODB_GSSAPI_HOST    = ENV['MONGODB_GSSAPI_HOST']
+  MONGODB_GSSAPI_USER    = ENV['MONGODB_GSSAPI_USER']
+  MONGODB_GSSAPI_REALM   = ENV['MONGODB_GSSAPI_REALM']
+  MONGODB_GSSAPI_KDC     = ENV['MONGODB_GSSAPI_KDC']
+  MONGODB_GSSAPI_PORT    = ENV['MONGODB_GSSAPI_PORT'] || '27017'
+  MONGODB_GSSAPI_DB      = ENV['MONGODB_GSSAPI_DB']
+  JAAS_LOGIN_CONFIG_FILE = ENV['JAAS_LOGIN_CONFIG_FILE'] # only JRuby
+
+  if ENV.key?('MONGODB_GSSAPI_HOST') && ENV.key?('MONGODB_GSSAPI_USER') &&
+     ENV.key?('MONGODB_GSSAPI_REALM') && ENV.key?('MONGODB_GSSAPI_KDC') &&
+     ENV.key?('MONGODB_GSSAPI_DB')
+    def test_gssapi_authenticate
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+      if client['admin'].command(:isMaster => 1)['setName']
+        client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+      end
+
+      set_system_properties
+      db = client[MONGODB_GSSAPI_DB]
+      db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI')
+      assert db.command(:dbstats => 1)
+
+      threads = []
+      4.times do
+        threads << Thread.new do
+          assert db.command(:dbstats => 1)
+        end
+      end
+      threads.each(&:join)
+    end
+
+    def test_gssapi_authenticate_uri
+      require 'cgi'
+      set_system_properties
+      username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+      uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+         "authMechanism=GSSAPI"
+      client = @client.class.from_uri(uri)
+      assert client[MONGODB_GSSAPI_DB].command(:dbstats => 1)
+    end
+
+    def test_wrong_service_name_fails
+      extra_opts = { :service_name => 'example' }
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST, MONGODB_GSSAPI_PORT)
+      if client['admin'].command(:isMaster => 1)['setName']
+        client = Mongo::MongoReplicaSetClient.new(["#{MONGODB_GSSAPI_HOST}:#{MONGODB_GSSAPI_PORT}"])
+      end
+
+      set_system_properties
+      assert_raise_error Mongo::AuthenticationError do
+        client[MONGODB_GSSAPI_DB].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+      end
+    end
+
+    def test_wrong_service_name_fails_uri
+      set_system_properties
+
+      require 'cgi'
+      username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+      uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+         "authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:example"
+      client = @client.class.from_uri(uri)
+      assert_raise_error Mongo::AuthenticationError do
+        client[MONGODB_GSSAPI_DB].command(:dbstats => 1)
+      end
+    end
+
+    def test_extra_opts
+      extra_opts = { :service_name => 'example', :canonicalize_host_name => true, 
+                     :service_realm => 'dumdum' }
+      client = Mongo::MongoClient.new(TEST_HOST, MONGODB_GSSAPI_PORT)
+      set_system_properties
+
+      Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+        assert_equal opts[:service_name], extra_opts[:service_name]
+        assert_equal opts[:canonicalize_host_name], extra_opts[:canonicalize_host_name]
+        assert_equal opts[:service_realm], extra_opts[:service_realm]
+        [ username, client, socket, opts ]
+      end.returns('ok' => true )
+      client[MONGODB_GSSAPI_DB].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+    end
+
+    def test_extra_opts_uri
+      extra_opts = { :service_name => 'example', :canonicalize_host_name => true,
+                     :service_realm => 'dumdum' }
+      set_system_properties
+
+      Mongo::Sasl::GSSAPI.expects(:authenticate).with do |username, client, socket, opts|
+        assert_equal opts[:service_name], extra_opts[:service_name]
+        assert_equal opts[:canonicalize_host_name], extra_opts[:canonicalize_host_name]
+        assert_equal opts[:service_realm], extra_opts[:service_realm]
+        [ username, client, socket, opts ]
+      end.returns('ok' => true)
+
+      require 'cgi'
+      username = CGI::escape(ENV['MONGODB_GSSAPI_USER'])
+      uri = "mongodb://#{username}@#{ENV['MONGODB_GSSAPI_HOST']}:#{ENV['MONGODB_GSSAPI_PORT']}/?" +
+         "authMechanism=GSSAPI&authmechanismproperties=SERVICE_NAME:example," +
+         "CANONICALIZE_HOST_NAME:true,SERVICE_REALM:dumdum"
+      client = @client.class.from_uri(uri)
+      client.expects(:receive_message).returns([[{ 'ok' => 1 }], 1, 1])
+      client[MONGODB_GSSAPI_DB].command(:dbstats => 1)
+    end
+
+    # In order to run this test, you must set the following environment variable:
+    #
+    #   export MONGODB_GSSAPI_HOST_IP='---.---.---.---'
+    #
+    if ENV.key?('MONGODB_GSSAPI_HOST_IP')
+      def test_canonicalize_host_name
+        extra_opts = { :canonicalize_host_name => true }
+        set_system_properties
+        client = Mongo::MongoClient.new(ENV['MONGODB_GSSAPI_HOST_IP'], MONGODB_GSSAPI_PORT)
+
+        db = client[MONGODB_GSSAPI_DB]
+        db.authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+        assert db.command(:dbstats => 1)
+      end
+    end
+
+    def test_invalid_extra_options
+      extra_opts = { :invalid => true, :option => true }
+      client = Mongo::MongoClient.new(MONGODB_GSSAPI_HOST)
+
+      assert_raise Mongo::MongoArgumentError do
+        client[MONGODB_GSSAPI_DB].authenticate(MONGODB_GSSAPI_USER, nil, nil, nil, 'GSSAPI', extra_opts)
+      end
+    end
+
+    private
+    def set_system_properties
+      if RUBY_PLATFORM =~ /java/
+        java.lang.System.set_property 'javax.security.auth.useSubjectCredsOnly', 'false'
+        java.lang.System.set_property "java.security.krb5.realm", MONGODB_GSSAPI_REALM
+        java.lang.System.set_property "java.security.krb5.kdc", MONGODB_GSSAPI_KDC
+        java.lang.System.set_property "java.security.auth.login.config", JAAS_LOGIN_CONFIG_FILE if JAAS_LOGIN_CONFIG_FILE
+      end
+    end
+  end
+
+end

data/test/shared/authentication/sasl_plain_shared.rb

@@ -0,0 +1,96 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module SASLPlainTests
+
+  # Tests for the PLAIN (LDAP) Authentication Mechanism.
+  #
+  # Note: These tests will be skipped automatically unless the test environment
+  # has been configured.
+  #
+  # In order to run these tests, set the following environment variables:
+  #
+  #   export MONGODB_SASL_HOST='server.domain.com'
+  #   export MONGODB_SASL_USER='application%2Fuser%40example.com'
+  #   export MONGODB_SASL_PASS='password'
+  #
+  #   # optional (defaults to '$external')
+  #   export MONGODB_SASL_SOURCE='source_database'
+  #
+  if ENV.key?('MONGODB_SASL_HOST') && ENV.key?('MONGODB_SASL_USER') && ENV.key?('MONGODB_SASL_PASS')
+
+    def test_plain_authenticate
+      replica_set = @client.class.name == 'Mongo::MongoReplicaSetClient'
+
+      # TODO: Remove this once we have a replica set configured for SASL in CI
+      return if ENV.key?('CI') && replica_set
+
+      host   = replica_set ? [ENV['MONGODB_SASL_HOST']] : ENV['MONGODB_SASL_HOST']
+      client = @client.class.new(host)
+      source = ENV['MONGODB_SASL_SOURCE'] || '$external'
+      db     = client['test']
+
+      # should successfully authenticate
+      assert db.authenticate(ENV['MONGODB_SASL_USER'], ENV['MONGODB_SASL_PASS'], true, source, 'PLAIN')
+      assert client[source].logout
+
+      # should raise on missing password
+      ex = assert_raise Mongo::MongoArgumentError do
+        db.authenticate(ENV['MONGODB_SASL_USER'], nil, true, source, 'PLAIN')
+      end
+      assert_match /username and password are required/, ex.message
+
+      # should raise on invalid password
+      assert_raise Mongo::AuthenticationError do
+        db.authenticate(ENV['MONGODB_SASL_USER'], 'foo', true, source, 'PLAIN')
+      end
+    end
+
+    def test_plain_authenticate_from_uri
+      source = ENV['MONGODB_SASL_SOURCE'] || '$external'
+
+      uri    = "mongodb://#{ENV['MONGODB_SASL_USER']}:#{ENV['MONGODB_SASL_PASS']}@" +
+               "#{ENV['MONGODB_SASL_HOST']}/some_db?authSource=#{source}" +
+               "&authMechanism=PLAIN"
+
+      client = @client.class.from_uri(uri)
+      db     = client['test']
+
+      # should be able to checkout a socket (authentication gets applied)
+      assert socket = client.checkout_reader(:mode => :primary)
+      client[source].logout(:socket => socket)
+      client.checkin(socket)
+
+      uri = "mongodb://#{ENV['MONGODB_SASL_USER']}@#{ENV['MONGODB_SASL_HOST']}/" +
+            "some_db?authSource=#{source}&authMechanism=PLAIN"
+
+      # should raise for missing password
+      ex = assert_raise Mongo::MongoArgumentError do
+        client = @client.class.from_uri(uri)
+      end
+      assert_match /username and password are required/, ex.message
+
+      uri = "mongodb://#{ENV['MONGODB_SASL_USER']}:foo@#{ENV['MONGODB_SASL_HOST']}/" +
+            "some_db?authSource=#{source}&authMechanism=PLAIN"
+
+      # should raise for invalid password
+      client = @client.class.from_uri(uri)
+      assert_raise Mongo::AuthenticationError do
+        client.checkout_reader(:mode => :primary)
+      end
+    end
+
+  end
+
+end

data/test/shared/authentication/scram_shared.rb

@@ -0,0 +1,92 @@
+# Copyright (C) 2014 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module SCRAMTests
+
+  def setup_conversation
+    SecureRandom.expects(:base64).returns('NDA2NzU3MDY3MDYwMTgy')
+    @password = Digest::MD5.hexdigest("user:mongo:pencil")
+    @scram = Mongo::Authentication::SCRAM.new({ :username => 'user' }, @password)
+  end
+
+  def test_scram_authenticate
+    if @version.to_s > '2.7'
+      @client.clear_auths
+      assert @db.authenticate(TEST_USER, TEST_USER_PWD, nil, 'admin', 'SCRAM-SHA-1')
+    end
+  end
+
+  def test_scram_conversation_start
+    setup_conversation
+    command = @scram.start
+    assert_equal 1, command['saslStart']
+    assert_equal 'SCRAM-SHA-1', command['mechanism']
+    assert_equal 'n,,n=user,r=NDA2NzU3MDY3MDYwMTgy', command['payload'].to_s
+  end
+
+  def test_scram_conversation_continue
+    setup_conversation
+    payload = BSON::Binary.new(
+      'r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
+    )
+    reply = { 'conversationId' => 1, 'done' => false, 'payload' => payload, 'ok' => 1.0 }
+    command = @scram.continue(reply)
+    assert_equal 1, command['saslContinue']
+    assert_equal 1, command['conversationId']
+    assert_equal(
+      'c=biws,r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,p=qYUYNy6SQ9Jucq9rFA9nVgXQdbM=',
+      command['payload'].to_s
+    )
+  end
+
+  def test_scram_conversation_continue_with_invalid_nonce
+    setup_conversation
+    payload = BSON::Binary.new(
+      'r=NDA2NzU4MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
+    )
+    reply = { 'conversationId' => 1, 'done' => false, 'payload' => payload, 'ok' => 1.0 }
+    assert_raise_error Mongo::InvalidNonce do
+      @scram.continue(reply)
+    end
+  end
+
+  def test_scram_conversation_finalize
+    setup_conversation
+    continue_payload = BSON::Binary.new(
+      'r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
+    )
+    continue_reply = { 'conversationId' => 1, 'done' => false, 'payload' => continue_payload, 'ok' => 1.0 }
+    @scram.continue(continue_reply)
+    payload = BSON::Binary.new('v=gwo9E8+uifshm7ixj441GvIfuUY=')
+    reply = { 'conversationId' => 1, 'done' => false, 'payload' => payload, 'ok' => 1.0 }
+    command = @scram.finalize(reply)
+    assert_equal 1, command['saslContinue']
+    assert_equal 1, command['conversationId']
+    assert_equal '', command['payload'].to_s
+  end
+
+  def test_scram_conversation_finalize_with_invalid_server_signature
+    setup_conversation
+    continue_payload = BSON::Binary.new(
+      'r=NDA2NzU3MDY3MDYwMTgyt7/+IWaw1HaZZ5NmPJUTWapLpH2Gg+d8,s=AVvQXzAbxweH2RYDICaplw==,i=10000'
+    )
+    continue_reply = { 'conversationId' => 1, 'done' => false, 'payload' => continue_payload, 'ok' => 1.0 }
+    @scram.continue(continue_reply)
+    payload = BSON::Binary.new('v=LQ+8yhQeVL2a3Dh+TDJ7xHz4Srk=')
+    reply = { 'conversationId' => 1, 'done' => false, 'payload' => payload, 'ok' => 1.0 }
+    assert_raise_error Mongo::InvalidSignature do
+      @scram.finalize(reply)
+    end
+  end
+end

data/test/shared/ssl_shared.rb

@@ -0,0 +1,235 @@
+# Copyright (C) 2009-2013 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module SSLTests
+  include Mongo
+
+  MONGODB_X509_USERNAME = 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+  CERT_PATH             = "#{Dir.pwd}/test/fixtures/certificates/"
+  CLIENT_CERT           = "#{CERT_PATH}client.pem"
+  CLIENT_CERT_PASS      = "#{CERT_PATH}password_protected.pem"
+  CA_CERT               = "#{CERT_PATH}ca.pem"
+  PASS_PHRASE           = ENV['SSL_KEY_PASS_PHRASE']
+
+  def create_client(*args)
+    if @client_class == MongoClient
+      @client_class.new(*args[0], args[1])
+    else
+      @client_class.new(args[0], args[1])
+    end
+  end
+
+  # Requires MongoDB not built with SSL
+  #
+  def test_ssl_not_configured
+    assert_raise Mongo::ConnectionTimeoutError do
+      create_client(['localhost', 27017], :connect_timeout => 2, :ssl => true)
+    end
+  end
+
+  # This test doesn't connect, no server config required
+  def test_ssl_configuration
+    # raises when ssl=false and ssl opts specified
+    assert_raise MongoArgumentError do
+      create_client(@connect_info, :connect  => false,
+                                   :ssl      => false,
+                                   :ssl_cert => CLIENT_CERT)
+    end
+
+    # raises when ssl=nil and ssl opts specified
+    assert_raise MongoArgumentError do
+      create_client(@connect_info, :connect => false,
+                                   :ssl_key => CLIENT_CERT)
+    end
+
+    # raises when verify=true and no ca_cert
+    assert_raise MongoArgumentError do
+      create_client(@connect_info, :connect    => false,
+                                   :ssl        => true,
+                                   :ssl_key    => CLIENT_CERT,
+                                   :ssl_cert   => CLIENT_CERT,
+                                   :ssl_verify => true)
+    end
+
+    # raises when key passphrase is given without key file
+    assert_raise MongoArgumentError do
+      create_client(@connect_info, :connect             => false,
+                                   :ssl                 => true,
+                                   :ssl_key_pass_phrase => PASS_PHRASE)
+    end
+  end
+
+  # Requires MongoDB built with SSL and the following options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem \
+  # --sslWeakCertificateValidation
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_basic
+    client = create_client(@connect_info, :connect => false, :ssl => true)
+    assert client.connect
+  end
+
+  # Requires MongoDB built with SSL and the following options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_with_cert
+    client = create_client(@connect_info, :connect  => false,
+                                          :ssl      => true,
+                                          :ssl_cert => CLIENT_CERT,
+                                          :ssl_key  => CLIENT_CERT)
+    assert client.connect
+  end
+
+  def test_ssl_with_peer_cert_validation
+    client = create_client(@connect_info, :connect     => false,
+                                          :ssl         => true,
+                                          :ssl_key     => CLIENT_CERT,
+                                          :ssl_cert    => CLIENT_CERT,
+                                          :ssl_verify  => true,
+                                          :ssl_ca_cert => CA_CERT)
+    assert client.connect
+  end
+
+  def test_ssl_peer_cert_validation_hostname_fail
+    client = create_client(@bad_connect_info, :connect     => false,
+                                              :ssl         => true,
+                                              :ssl_key     => CLIENT_CERT,
+                                              :ssl_cert    => CLIENT_CERT,
+                                              :ssl_verify  => true,
+                                              :ssl_ca_cert => CA_CERT)
+    assert_raise ConnectionFailure do
+      client.connect
+    end
+  end
+
+  # Requires MongoDB built with SSL and the following options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/password_protected.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts.
+  # If SSL_KEY_PASS_PHRASE is not set as an environment variable,
+  # you will be prompted to enter a passphrase at runtime.
+  #
+  def test_ssl_with_key_pass_phrase
+    client = create_client(@connect_info, :connect             => false,
+                                          :ssl                 => true,
+                                          :ssl_cert            => CLIENT_CERT_PASS,
+                                          :ssl_key             => CLIENT_CERT_PASS,
+                                          :ssl_key_pass_phrase => PASS_PHRASE)
+    assert client.connect
+  end
+
+  def test_ssl_with_key_pass_phrase_fail
+    client = create_client(@connect_info, :connect             => false,
+                                          :ssl                 => true,
+                                          :ssl_cert            => CLIENT_CERT_PASS,
+                                          :ssl_key             => CLIENT_CERT_PASS,
+                                          :ssl_key_pass_phrase => "secret")
+    assert_raise OpenSSL::PKey::RSAError do
+      client.connect
+    end
+  end
+
+  # Requires mongod built with SSL and the following options:
+  #
+  # mongod --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl_client_revoked.pem
+  #
+  # Make sure you have 'server' as an alias for localhost in /etc/hosts
+  #
+  def test_ssl_with_invalid_cert
+    assert_raise ConnectionFailure do
+      create_client(@connect_info, :ssl         => true,
+                                   :ssl_key     => CLIENT_CERT,
+                                   :ssl_cert    => CLIENT_CERT,
+                                   :ssl_verify  => true,
+                                   :ssl_ca_cert => CA_CERT)
+    end
+  end
+
+  # X509 Authentication Tests
+  #
+  # Requires MongoDB built with SSL and the following options:
+  #
+  # mongod --auth --dbpath /path/to/data/directory --sslOnNormalPorts \
+  # --sslPEMKeyFile /path/to/server.pem \
+  # --sslCAFile /path/to/ca.pem \
+  # --sslCRLFile /path/to/crl.pem
+  #
+  # Note that the cert requires username:
+  #   'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US'
+  #
+  def test_x509_authentication
+    mechanism = 'MONGODB-X509'
+
+    client    = create_client(@connect_info, :ssl => true,
+                                             :ssl_cert => CLIENT_CERT,
+                                             :ssl_key  => CLIENT_CERT)
+
+    return unless client.server_version > '2.5.2'
+
+    db       = client.db('$external')
+
+    # add user for test (enable auth)
+    roles    = [{:role => 'readWriteAnyDatabase', :db => 'admin'},
+                {:role => 'userAdminAnyDatabase', :db => 'admin'}]
+    db.add_user(MONGODB_X509_USERNAME, nil, false, :roles => roles)
+
+    assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+    assert db.collection_names
+
+    assert db.logout
+    assert_raise Mongo::OperationFailure do
+      db.collection_names
+    end
+
+    # username and valid certificate don't match
+    assert_raise Mongo::AuthenticationError do
+      db.authenticate('test', nil, nil, nil, mechanism)
+    end
+
+    # username required
+    assert_raise Mongo::AuthenticationError do
+      db.authenticate(nil, nil, nil, nil, mechanism)
+    end
+
+    assert MongoClient.from_uri(
+      "mongodb://#{MONGODB_X509_USERNAME}@#{@uri_info}/?ssl=true;authMechanism=#{mechanism}",
+          :ssl_cert => CLIENT_CERT,
+          :ssl_key  => CLIENT_CERT)
+    assert db.authenticate(MONGODB_X509_USERNAME, nil, nil, nil, mechanism)
+    assert db.collection_names
+
+    # clean up and remove all users
+    db.command(:dropAllUsersFromDatabase => 1)
+    db.logout
+  end
+
+end