mongo 2.13.3 → 2.14.0.rc1

data/spec/integration/client_authentication_options_spec.rb

@@ -131,7 +131,7 @@ describe 'Client authentication options' do
     end
   end
 
-  shared_examples_for 'an auth mechanism that doesn\'t support auth_mech_properties' do
+  shared_examples_for 'an auth mechanism that does not support auth_mech_properties' do
     context 'with URI options' do
       let(:credentials) { "#{user}:#{pwd}@" }
       let(:options) { "?authMechanism=#{auth_mech_string}&authMechanismProperties=CANONICALIZE_HOST_NAME:true" }
@@ -163,7 +163,7 @@ describe 'Client authentication options' do
     end
   end
 
-  shared_examples_for 'an auth mechanism that doesn\'t support invalid auth sources' do
+  shared_examples_for 'an auth mechanism that does not support invalid auth sources' do
     context 'with URI options' do
       let(:credentials) { "#{user}:#{pwd}@" }
       let(:options) { "?authMechanism=#{auth_mech_string}&authSource=foo" }
@@ -199,7 +199,7 @@ describe 'Client authentication options' do
 
     it_behaves_like 'a supported auth mechanism'
     it_behaves_like 'auth mechanism that uses database or default auth source', 'admin'
-    it_behaves_like 'an auth mechanism that doesn\'t support auth_mech_properties'
+    it_behaves_like 'an auth mechanism that does not support auth_mech_properties'
   end
 
   context 'with SCRAM-SHA-1 auth mechanism' do
@@ -208,7 +208,7 @@ describe 'Client authentication options' do
 
     it_behaves_like 'a supported auth mechanism'
     it_behaves_like 'auth mechanism that uses database or default auth source', 'admin'
-    it_behaves_like 'an auth mechanism that doesn\'t support auth_mech_properties'
+    it_behaves_like 'an auth mechanism that does not support auth_mech_properties'
   end
 
   context 'with SCRAM-SHA-256 auth mechanism' do
@@ -217,7 +217,7 @@ describe 'Client authentication options' do
 
     it_behaves_like 'a supported auth mechanism'
     it_behaves_like 'auth mechanism that uses database or default auth source', 'admin'
-    it_behaves_like 'an auth mechanism that doesn\'t support auth_mech_properties'
+    it_behaves_like 'an auth mechanism that does not support auth_mech_properties'
   end
 
   context 'with GSSAPI auth mechanism' do
@@ -227,7 +227,7 @@ describe 'Client authentication options' do
     let(:auth_mech_sym) { :gssapi }
 
     it_behaves_like 'a supported auth mechanism'
-    it_behaves_like 'an auth mechanism that doesn\'t support invalid auth sources'
+    it_behaves_like 'an auth mechanism that does not support invalid auth sources'
 
     let(:auth_mech_properties) { { canonicalize_host_name: true, service_name: 'other'} }
 
@@ -302,7 +302,7 @@ describe 'Client authentication options' do
     it_behaves_like 'a supported auth mechanism'
     it_behaves_like 'auth mechanism that uses database or default auth source', '$external'
     it_behaves_like 'an auth mechanism with ssl'
-    it_behaves_like 'an auth mechanism that doesn\'t support auth_mech_properties'
+    it_behaves_like 'an auth mechanism that does not support auth_mech_properties'
   end
 
   context 'with MONGODB-X509 auth mechanism' do
@@ -313,8 +313,8 @@ describe 'Client authentication options' do
 
     it_behaves_like 'a supported auth mechanism'
     it_behaves_like 'an auth mechanism with ssl'
-    it_behaves_like 'an auth mechanism that doesn\'t support auth_mech_properties'
-    it_behaves_like 'an auth mechanism that doesn\'t support invalid auth sources'
+    it_behaves_like 'an auth mechanism that does not support auth_mech_properties'
+    it_behaves_like 'an auth mechanism that does not support invalid auth sources'
 
     context 'with URI options' do
       let(:credentials) { "#{user}@" }
@@ -439,35 +439,62 @@ describe 'Client authentication options' do
       {
         service_name: service_name,
         canonicalize_host_name: canonicalize_host_name,
-        service_realm: service_realm
-      }
+        service_realm: service_realm,
+      }.freeze
     end
 
-    context 'with URI options' do
-      let(:options) do
-        "?authMechanismProperties=SERVICE_NAME:#{service_name}," +
-          "CANONICALIZE_HOST_NAME:#{canonicalize_host_name}," +
-          "SERVICE_REALM:#{service_realm}"
-      end
-
+    shared_examples 'correctly sets auth mechanism properties on the client' do
       it 'correctly sets auth mechanism properties on the client' do
-        expect(client.options[:auth_mech_properties]).to eq({
+        expect(client.options[:auth_mech_properties]).to eq(
           'service_name' => service_name,
           'canonicalize_host_name' => canonicalize_host_name,
-          'service_realm' => service_realm
-        })
+          'service_realm' => service_realm,
+        )
+      end
+    end
+
+    context 'with URI options' do
+      let(:options) do
+        "?authMechanismProperties=SERVICE_name:#{service_name}," +
+          "CANONICALIZE_HOST_name:#{canonicalize_host_name}," +
+          "SERVICE_realm:#{service_realm}"
       end
+
+      include_examples 'correctly sets auth mechanism properties on the client'
     end
 
     context 'with client options' do
-      let(:client_opts) { { auth_mech_properties: auth_mechanism_properties } }
+      [:auth_mech_properties, 'auth_mech_properties'].each do |key|
 
-      it 'correctly sets auth mechanism properties on the client' do
-        expect(client.options[:auth_mech_properties]).to eq({
-          'service_name' => service_name,
-          'canonicalize_host_name' => canonicalize_host_name,
-          'service_realm' => service_realm
-        })
+        context "using #{key.class} keys" do
+          let(:client_opts) { { key => auth_mechanism_properties } }
+
+          include_examples 'correctly sets auth mechanism properties on the client'
+
+          context 'when options are given in mixed case' do
+            let(:auth_mechanism_properties) do
+              {
+                service_NAME: service_name,
+                canonicalize_host_NAME: canonicalize_host_name,
+                service_REALM: service_realm,
+              }.freeze
+            end
+
+            context 'using URI and options' do
+
+              let(:client) { new_local_client_nmio(uri, client_opts) }
+
+              include_examples 'correctly sets auth mechanism properties on the client'
+            end
+
+            context 'using host and options' do
+
+              let(:client) { new_local_client_nmio(['localhost'], client_opts) }
+
+              include_examples 'correctly sets auth mechanism properties on the client'
+            end
+          end
+        end
       end
     end
   end

data/spec/integration/connection_pool_populator_spec.rb

@@ -4,7 +4,9 @@ describe 'Connection pool populator integration' do
   let(:options) { {} }
 
   let(:server_options) do
-    SpecConfig.instance.test_options.merge(options).merge(SpecConfig.instance.auth_options)
+    Mongo::Utils.shallow_symbolize_keys(Mongo::Client.canonicalize_ruby_options(
+      SpecConfig.instance.all_test_options,
+    )).update(options)
   end
 
   let(:address) do

data/spec/integration/cursor_reaping_spec.rb

@@ -5,6 +5,16 @@ describe 'Cursor reaping' do
   # in MRI, I don't currently know how to force GC to run in JRuby
   only_mri
 
+  around(:all) do |example|
+    saved_level = Mongo::Logger.logger.level
+    Mongo::Logger.logger.level = Logger::DEBUG
+    begin
+      example.run
+    ensure
+      Mongo::Logger.logger.level = saved_level
+    end
+  end
+
   let(:subscriber) { EventSubscriber.new }
 
   let(:client) do
@@ -37,37 +47,63 @@ describe 'Cursor reaping' do
       expect(events).to be_empty
     end
 
+    def abandon_cursors
+      [].tap do |cursor_ids|
+        # scopes are weird, having this result in a let block
+        # makes it not garbage collected
+        10.times do
+          scope = collection.find.batch_size(2).no_cursor_timeout
+
+          # there is no API for retrieving the cursor
+          scope.each.first
+          # and keep the first cursor
+          cursor_ids << scope.instance_variable_get('@cursor').id
+        end
+      end
+    end
+
     # this let block is a kludge to avoid copy pasting all of this code
     let(:cursor_id_and_kill_event) do
       expect(Mongo::Operation::KillCursors).to receive(:new).at_least(:once).and_call_original
 
-      cursor_id = nil
-
-      # scopes are weird, having this result in a let block
-      # makes it not garbage collected
-      2.times do
-        scope = collection.find.batch_size(2).no_cursor_timeout
+      cursor_ids = abandon_cursors
 
-        # there is no API for retrieving the cursor
-        scope.each.first
-        # and keep the first cursor
-        cursor_id ||= scope.instance_variable_get('@cursor').id
+      cursor_ids.each do |cursor_id|
+        expect(cursor_id).to be_a(Integer)
+        expect(cursor_id > 0).to be true
       end
 
-      expect(cursor_id).to be_a(Integer)
-      expect(cursor_id > 0).to be true
-
       GC.start
+      sleep 1
 
       # force periodic executor to run because its frequency is not configurable
       client.cluster.instance_variable_get('@periodic_executor').execute
 
       started_event = subscriber.started_events.detect do |event|
-        event.command['killCursors'] &&
-        event.command['cursors'].map { |c| Utils.int64_value(c) }.include?(cursor_id)
+        event.command['killCursors']
+      end
+      started_event.should_not be nil
+
+      found_cursor_id = nil
+      started_event = subscriber.started_events.detect do |event|
+        found = false
+        if event.command['killCursors']
+          cursor_ids.each do |cursor_id|
+            if event.command['cursors'].map { |c| Utils.int64_value(c) }.include?(cursor_id)
+              found_cursor_id = cursor_id
+              found = true
+              break
+            end
+          end
+        end
+        found
+      end
+
+      if started_event.nil?
+        p subscriber.started_events
       end
 
-      expect(started_event).not_to be_nil
+      started_event.should_not be nil
 
       succeeded_event = subscriber.succeeded_events.detect do |event|
         event.command_name == 'killCursors' && event.request_id == started_event.request_id
@@ -77,7 +113,7 @@ describe 'Cursor reaping' do
 
       expect(succeeded_event.reply['ok']).to eq 1
 
-      [cursor_id, succeeded_event]
+      [found_cursor_id, succeeded_event]
     end
 
     it 'is reaped' do

data/spec/integration/ocsp_connectivity_spec.rb

@@ -0,0 +1,26 @@
+require 'lite_spec_helper'
+
+# These tests test the configurations described in
+# https://github.com/mongodb/specifications/blob/master/source/ocsp-support/tests/README.rst#integration-tests-permutations-to-be-tested
+describe 'OCSP connectivity' do
+  require_ocsp_connectivity
+  clear_ocsp_cache
+
+  let(:client) do
+    new_local_client(ENV.fetch('MONGODB_URI'),
+      server_selection_timeout: 5,
+    )
+  end
+
+  if ENV['OCSP_CONNECTIVITY'] == 'fail'
+    it 'fails to connect' do
+      lambda do
+        client.command(ping: 1)
+      end.should raise_error(Mongo::Error::NoServerAvailable, /UNKNOWN/)
+    end
+  else
+    it 'works' do
+      client.command(ping: 1)
+    end
+  end
+end

data/spec/integration/ocsp_verifier_cache_spec.rb

@@ -0,0 +1,188 @@
+require 'lite_spec_helper'
+require 'webrick'
+
+describe Mongo::Socket::OcspVerifier do
+  require_ocsp_verifier
+
+  shared_examples 'verifies' do
+    context 'mri' do
+      fails_on_jruby
+
+      it 'verifies the first time and reads from cache the second time' do
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+          verifier.verify_with_cache.should be true
+        end
+
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).not_to receive(:do_verify)
+
+          verifier.verify_with_cache.should be true
+        end
+      end
+    end
+
+    context 'jruby' do
+      require_jruby
+
+      # JRuby does not return OCSP endpoints, therefore we never perform
+      # any validation.
+      # https://github.com/jruby/jruby-openssl/issues/210
+      it 'does not verify' do
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+          verifier.verify.should be false
+        end
+
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+          verifier.verify.should be false
+        end
+      end
+    end
+  end
+
+  shared_examples 'fails verification' do
+    context 'mri' do
+      fails_on_jruby
+
+      it 'verifies the first time, reads from cache the second time, raises an exception in both cases' do
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+          lambda do
+            verifier.verify
+          # Redirect tests receive responses from port 8101,
+          # tests without redirects receive responses from port 8100.
+          end.should raise_error(Mongo::Error::ServerCertificateRevoked, %r,TLS certificate of 'foo' has been revoked according to 'http://localhost:810[01]/status',)
+        end
+
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).not_to receive(:do_verify)
+
+          lambda do
+            verifier.verify
+          # Redirect tests receive responses from port 8101,
+          # tests without redirects receive responses from port 8100.
+          end.should raise_error(Mongo::Error::ServerCertificateRevoked, %r,TLS certificate of 'foo' has been revoked according to 'http://localhost:810[01]/status',)
+        end
+      end
+    end
+
+    context 'jruby' do
+      require_jruby
+
+      # JRuby does not return OCSP endpoints, therefore we never perform
+      # any validation.
+      # https://github.com/jruby/jruby-openssl/issues/210
+      it 'does not verify' do
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+          verifier.verify.should be false
+        end
+
+        RSpec::Mocks.with_temporary_scope do
+          expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+          verifier.verify.should be false
+        end
+      end
+    end
+  end
+
+  shared_examples 'does not verify' do
+    it 'does not verify and does not raise an exception' do
+      RSpec::Mocks.with_temporary_scope do
+        expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+        verifier.verify.should be false
+      end
+
+      RSpec::Mocks.with_temporary_scope do
+        expect_any_instance_of(Mongo::Socket::OcspVerifier).to receive(:do_verify).and_call_original
+
+        verifier.verify.should be false
+      end
+    end
+  end
+
+  shared_context 'verifier' do |opts|
+    algorithm = opts[:algorithm]
+
+    let(:cert_path) { SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/server.pem") }
+    let(:ca_cert_path) { SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/ca.pem") }
+
+    let(:cert) { OpenSSL::X509::Certificate.new(File.read(cert_path)) }
+    let(:ca_cert) { OpenSSL::X509::Certificate.new(File.read(ca_cert_path)) }
+
+    let(:cert_store) do
+      OpenSSL::X509::Store.new.tap do |store|
+        store.add_cert(ca_cert)
+      end
+    end
+
+    let(:verifier) do
+      described_class.new('foo', cert, ca_cert, cert_store, timeout: 3)
+    end
+  end
+
+  include_context 'verifier', algorithm: 'rsa'
+  algorithm = 'rsa'
+
+  %w(ca delegate).each do |responder_cert|
+    responder_cert_file_name = {
+      'ca' => 'ca',
+      'delegate' => 'ocsp-responder',
+    }.fetch(responder_cert)
+
+    context "when responder uses #{responder_cert} cert" do
+      context 'good response' do
+        with_ocsp_mock(
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/ca.pem"),
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/#{responder_cert_file_name}.crt"),
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/#{responder_cert_file_name}.key"),
+        )
+
+        include_examples 'verifies'
+
+        it 'does not wait for the timeout' do
+          lambda do
+            verifier.verify
+          end.should take_shorter_than 3
+        end
+      end
+
+      context 'revoked response' do
+        with_ocsp_mock(
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/ca.pem"),
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/#{responder_cert_file_name}.crt"),
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/#{responder_cert_file_name}.key"),
+          fault: 'revoked'
+        )
+
+        include_examples 'fails verification'
+      end
+
+      context 'unknown response' do
+        with_ocsp_mock(
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/ca.pem"),
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/#{responder_cert_file_name}.crt"),
+          SpecConfig.instance.ocsp_files_dir.join("#{algorithm}/#{responder_cert_file_name}.key"),
+          fault: 'unknown',
+        )
+
+        include_examples 'does not verify'
+
+        it 'does not wait for the timeout' do
+          lambda do
+            verifier.verify
+          end.should take_shorter_than 3
+        end
+      end
+    end
+  end
+end