mongo 2.9.0.rc0 → 2.9.0.rc1

data/spec/mongo/collection/view/map_reduce_spec.rb

@@ -646,6 +646,14 @@ describe Mongo::Collection::View::MapReduce do
       end
 
       context 'when the server is a valid for writing' do
+        before do
+          # We are inspecting server state - kill monitor threads so that
+          # server state is not changed in background due to intermittent
+          # connectivity issues in Evergreen
+          authorized_collection.client.cluster.servers_list.map do |server|
+            server.monitor.stop!
+          end
+        end
 
         it 'does not reroute the operation to a primary' do
           expect(Mongo::Logger.logger).not_to receive(:warn?)

data/spec/mongo/server_spec.rb

@@ -364,7 +364,8 @@ describe Mongo::Server do
 
     context 'server is unknown' do
       let(:server) do
-        described_class.new(address, cluster, monitoring, listeners, SpecConfig.instance.test_options)
+        described_class.new(address, cluster, monitoring, listeners,
+          SpecConfig.instance.test_options.merge(monitoring_io: false))
       end
 
       before do

data/spec/mongo/socket/ssl_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Mongo::Socket::SSL do
-  require_ssl
+  require_tls
 
   let(:address) do
     default_address.tap do
@@ -26,19 +26,19 @@ describe Mongo::Socket::SSL do
   end
 
   let (:key_string) do
-    File.read(SpecConfig.instance.client_key_pem)
+    File.read(SpecConfig.instance.local_client_key_path)
   end
 
   let (:cert_string) do
-    File.read(SpecConfig.instance.client_cert_pem)
+    File.read(SpecConfig.instance.local_client_cert_path)
   end
 
   let (:ca_cert_string) do
-    File.read(CA_PEM)
+    File.read(SpecConfig.instance.local_ca_cert_path)
   end
 
   let(:key_encrypted_string) do
-    File.read(CLIENT_KEY_ENCRYPTED_PEM)
+    File.read(SpecConfig.instance.client_encrypted_key_path)
   end
 
   let(:cert_object) do
@@ -102,7 +102,7 @@ describe Mongo::Socket::SSL do
           :ssl => true,
           :ssl_cert_string => cert_string,
           :ssl_key_string => key_encrypted_string,
-          :ssl_key_pass_phrase => CLIENT_KEY_PASSPHRASE,
+          :ssl_key_pass_phrase => SpecConfig.instance.client_encrypted_key_passphrase,
           :ssl_verify => false
         }
       end
@@ -163,7 +163,7 @@ describe Mongo::Socket::SSL do
           :ssl => true,
           :ssl_cert_string => cert_string,
           :ssl_cert_object => 'This is a string, not a Certificate',
-          :ssl_key => CLIENT_KEY_PEM,
+          :ssl_key => SpecConfig.instance.client_key_path,
           :ssl_verify => false
         }
       end
@@ -207,7 +207,7 @@ describe Mongo::Socket::SSL do
       let(:options) do
         {
           :ssl => true,
-          :ssl_cert => CLIENT_CERT_PEM,
+          :ssl_cert => SpecConfig.instance.client_cert_path,
           :ssl_key_string => key_string,
           :ssl_key_object => 'This is a string, not a PKey',
           :ssl_verify => false
@@ -227,7 +227,7 @@ describe Mongo::Socket::SSL do
         {
           :ssl => true,
           :ssl_cert_object => cert,
-          :ssl_key => CLIENT_KEY_PEM,
+          :ssl_key => SpecConfig.instance.local_client_key_path,
           :ssl_verify => false
         }
       end
@@ -254,7 +254,7 @@ describe Mongo::Socket::SSL do
               host_name,
               30,
               ::Socket::PF_INET,
-              options.merge(ssl_verify_hostname: true)
+              options.merge(ssl_verify: false, ssl_verify_hostname: true)
             )
           rescue => e
             error = e
@@ -274,7 +274,7 @@ describe Mongo::Socket::SSL do
               host_name,
               30,
               ::Socket::PF_INET,
-              options.merge(ssl_verify_hostname: false)
+              options.merge(ssl_verify: false, ssl_verify_hostname: false)
             )
           }.not_to raise_error
         end
@@ -291,7 +291,7 @@ describe Mongo::Socket::SSL do
           {
               :ssl => true,
               :ssl_key_object => key,
-              :ssl_cert => CLIENT_CERT_PEM,
+              :ssl_cert => SpecConfig.instance.client_cert_path,
               :ssl_verify => false
           }
         end
@@ -318,7 +318,7 @@ describe Mongo::Socket::SSL do
           {
               :ssl => true,
               :ssl_key_object => key,
-              :ssl_cert => CLIENT_CERT_PEM,
+              :ssl_cert => SpecConfig.instance.client_cert_path,
               :ssl_verify => false
           }
         end
@@ -384,7 +384,7 @@ describe Mongo::Socket::SSL do
 
         let(:options) do
           super().merge(
-            :ssl_ca_cert => CA_PEM,
+            :ssl_ca_cert => SpecConfig.instance.local_ca_cert_path,
             :ssl_verify => true
           )
         end
@@ -426,7 +426,7 @@ describe Mongo::Socket::SSL do
 
         let(:options) do
           super().merge(
-            :ssl_ca_cert => CA_PEM,
+            :ssl_ca_cert => SpecConfig.instance.local_ca_cert_path,
             :ssl_ca_cert_string => 'This is a string, not a certificate',
             :ssl_verify => true
           )
@@ -442,7 +442,7 @@ describe Mongo::Socket::SSL do
 
         let(:options) do
           super().merge(
-            :ssl_ca_cert => CA_PEM,
+            :ssl_ca_cert => SpecConfig.instance.local_ca_cert_path,
             :ssl_ca_cert_object => 'This is a string, not an array of certificates',
             :ssl_verify => true
           )
@@ -456,7 +456,7 @@ describe Mongo::Socket::SSL do
       context 'both as a PEM-encoded string and as object parameter' do
 
         let(:options) do
-          cert = File.read(CA_PEM)
+          cert = File.read(SpecConfig.instance.local_ca_cert_path)
           super().merge(
             :ssl_ca_cert_string => cert,
             :ssl_ca_cert_object => 'This is a string, not an array of certificates',
@@ -470,6 +470,68 @@ describe Mongo::Socket::SSL do
       end
     end
 
+    context 'when CA certificate file is not what server cert is signed with' do
+      require_local_tls
+
+      let(:server) do
+        ClientRegistry.instance.global_client('authorized').cluster.next_primary
+      end
+
+      let(:connection) do
+        Mongo::Server::Connection.new(server, options)
+      end
+
+      context 'as a file' do
+        let(:options) do
+          SpecConfig.instance.test_options.merge(
+            ssl: true,
+            ssl_cert: SpecConfig.instance.client_cert_path,
+            ssl_key: SpecConfig.instance.client_key_path,
+            ssl_ca_cert: SpecConfig.instance.ssl_certs_dir.join('python-ca.crt').to_s,
+            ssl_verify: true,
+          )
+        end
+
+        it 'fails' do
+          connection
+          expect do
+            connection.connect!
+          end.to raise_error(Mongo::Error::SocketError, /SSLError/)
+        end
+      end
+    end
+
+    context 'when CA certificate file contains multiple certificates' do
+      require_local_tls
+
+      let(:server) do
+        ClientRegistry.instance.global_client('authorized').cluster.next_primary
+      end
+
+      let(:connection) do
+        Mongo::Server::Connection.new(server, options)
+      end
+
+      context 'as a file' do
+        let(:options) do
+          SpecConfig.instance.test_options.merge(
+            ssl: true,
+            ssl_cert: SpecConfig.instance.client_cert_path,
+            ssl_key: SpecConfig.instance.client_key_path,
+            ssl_ca_cert: SpecConfig.instance.multi_ca_path,
+            ssl_verify: true,
+          )
+        end
+
+        it 'succeeds' do
+          connection
+          expect do
+            connection.connect!
+          end.not_to raise_error
+        end
+      end
+    end
+
     context 'when a CA certificate is not provided' do
       require_local_tls
 
@@ -481,7 +543,7 @@ describe Mongo::Socket::SSL do
 
       around do |example|
         saved = ENV['SSL_CERT_FILE']
-        ENV['SSL_CERT_FILE'] = CA_PEM
+        ENV['SSL_CERT_FILE'] = SpecConfig.instance.local_ca_cert_path
         begin
           example.run
         ensure
@@ -494,12 +556,143 @@ describe Mongo::Socket::SSL do
       end
     end
 
+    context 'when the client certificate uses an intermediate certificate' do
+      require_local_tls
+
+      let(:server) do
+        ClientRegistry.instance.global_client('authorized').cluster.next_primary
+      end
+
+      let(:connection) do
+        Mongo::Server::Connection.new(server, options)
+      end
+
+      context 'as a path to a file' do
+        context 'standalone' do
+          let(:options) do
+            SpecConfig.instance.test_options.merge(
+              ssl_cert: SpecConfig.instance.second_level_cert_path,
+              ssl_key: SpecConfig.instance.second_level_key_path,
+              ssl_ca_cert: SpecConfig.instance.local_ca_cert_path,
+              ssl_verify: true,
+            )
+          end
+
+          it 'fails' do
+            connection
+            expect do
+              connection.connect!
+            end.to raise_error(Mongo::Error::SocketError)
+          end
+        end
+
+        context 'bundled with intermediate cert' do
+
+          # https://github.com/jruby/jruby-openssl/issues/181
+          fails_on_jruby
+
+          let(:options) do
+            SpecConfig.instance.test_options.merge(
+              ssl: true,
+              ssl_cert: SpecConfig.instance.second_level_cert_bundle_path,
+              ssl_key: SpecConfig.instance.second_level_key_path,
+              ssl_ca_cert: SpecConfig.instance.local_ca_cert_path,
+              ssl_verify: true,
+            )
+          end
+
+          it 'succeeds' do
+            connection
+            expect do
+              connection.connect!
+            end.not_to raise_error
+          end
+        end
+      end
+
+      context 'as a string' do
+        context 'standalone' do
+          let(:options) do
+            SpecConfig.instance.test_options.merge(
+              ssl_cert: nil,
+              ssl_cert_string: File.read(SpecConfig.instance.second_level_cert_path),
+              ssl_key: nil,
+              ssl_key_string: File.read(SpecConfig.instance.second_level_key_path),
+              ssl_ca_cert: SpecConfig.instance.local_ca_cert_path,
+              ssl_verify: true,
+            )
+          end
+
+          it 'fails' do
+            connection
+            expect do
+              connection.connect!
+            end.to raise_error(Mongo::Error::SocketError)
+          end
+        end
+
+        context 'bundled with intermediate cert' do
+
+          # https://github.com/jruby/jruby-openssl/issues/181
+          fails_on_jruby
+
+          let(:options) do
+            SpecConfig.instance.test_options.merge(
+              ssl: true,
+              ssl_cert: nil,
+              ssl_cert_string: File.read(SpecConfig.instance.second_level_cert_bundle_path),
+              ssl_key: nil,
+              ssl_key_string: File.read(SpecConfig.instance.second_level_key_path),
+              ssl_ca_cert: SpecConfig.instance.local_ca_cert_path,
+              ssl_verify: true,
+            )
+          end
+
+          it 'succeeds' do
+            connection
+            expect do
+              connection.connect!
+            end.not_to raise_error
+          end
+        end
+      end
+    end
+
+    context 'when client certificate and private key are bunded in a pem file' do
+      require_local_tls
+
+      let(:server) do
+        ClientRegistry.instance.global_client('authorized').cluster.next_primary
+      end
+
+      let(:connection) do
+        Mongo::Server::Connection.new(server, options)
+      end
+
+      let(:options) do
+        SpecConfig.instance.test_options.merge(
+          ssl: true,
+          ssl_cert: SpecConfig.instance.client_pem_path,
+          ssl_key: SpecConfig.instance.client_pem_path,
+          ssl_ca_cert: SpecConfig.instance.local_ca_cert_path,
+          ssl_verify: true,
+        )
+      end
+
+      it 'succeeds' do
+        connection
+        expect do
+          connection.connect!
+        end.not_to raise_error
+      end
+    end
+
     context 'when ssl_verify is not specified' do
       require_local_tls
 
       let(:options) do
         super().merge(
-          :ssl_ca_cert => CA_PEM
+          :ssl_ca_cert => SpecConfig.instance.local_ca_cert_path
         ).tap { |options| options.delete(:ssl_verify) }
       end
 
@@ -513,7 +706,7 @@ describe Mongo::Socket::SSL do
 
       let(:options) do
         super().merge(
-          :ssl_ca_cert => CA_PEM,
+          :ssl_ca_cert => SpecConfig.instance.local_ca_cert_path,
           :ssl_verify => true
         )
       end

data/spec/mongo/socket/tcp_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Mongo::Socket::TCP do
-  require_no_ssl
+  require_no_tls
 
   let(:address) { default_address }
 

data/spec/support/certificates/README.md

@@ -0,0 +1,101 @@
+# Ruby Driver Test TLS Certificates
+
+## File Types
+
+All files in this directory are in the PEM format. They are generated by
+the x509gen MongoDB tool.
+
+The file extensions map to content as follows:
+
+- `.key` - private key
+- `.crt` - certificate
+- `.pem` - certificate and private key combined in the same file
+
+The file name fragments have the following meaning:
+
+- `second-level` - these certificates are signed by the intermediate
+certificates (`client-int.crt` & `server-int.crt`) rather than directly
+by the CA certificates.
+- `int` - these are intermediate certificates used for testing certificate
+chains. The server and the client sides have their own intermediate certificates.
+- `bundle` - these files contain the leaf certificates followed by intermediate
+certificates up to the CA certificates, but do not include the CA certificates.
+
+Keep in mind the following important notes:
+
+- In multi-ca.crt, the Ruby driver CA certificate must be last (the first
+certificate must be an unrelated certificate).
+
+## Tools
+
+To inspect a certificate:
+
+    openssl x509 -text -in path.pem
+
+## Manual Testing - openssl
+
+Start a test server using the simple certificate:
+
+    openssl s_server -port 29999 -CAfile ca.crt -cert server.pem -verify 1
+
+Use OpenSSL's test client to test certificate verification using the
+simple certificate:
+
+    openssl s_client -connect :29999 -CAfile ca.crt -cert client.pem \
+        -verify 1 -verify_return_error
+
+Same thing but using the second level certificate with the intermediate
+certificate (server follows chain up to the CA):
+
+    openssl s_client -connect :29999 -CAfile ca.crt \
+        -cert client-second-level-bundle.pem \
+        -verify 1 -verify_return_error
+
+Note however, that even though a client to server connection succeeds using
+the second level client bundle, openssl appears to be incapable to simply
+verify the same certificate chain using the verify command:
+
+    # This fails
+    openssl verify -verbose -CAfile ca.crt -untrusted client-int.crt \
+        client-second-level.pem 
+
+    # Also fails
+    openssl verify -trusted client-int.crt client-second-level.crt
+
+And when the server's certificate uses an intermediate certificate, the
+client seems to be unable to verify it also:
+
+    openssl s_server -port 29999  -CAfile ca.crt -verify 1 \
+        -cert server-second-level-bundle.pem
+
+    # This fails
+    openssl s_client -connect :29999 -CAfile ca.crt -cert client.pem \
+        -verify 1 -verify_return_error
+
+To sum up, openssl's command line tools appear to only handle certificate
+chains provided by the client when the server is verifying them, not the
+other way around and not when trying to standalone verify the chain.
+
+## Manual Testing - mongo
+
+When it comes to `mongod` and `mongo`, certificate chains are supported in
+both directions:
+
+    mongod --sslMode requireSSL \
+        --sslCAFile ca.crt \
+        --sslPEMKeyFile server-second-level-bundle.pem \
+        --sslClientCertificate client.pem
+
+    mongo --host localhost --ssl \
+        --sslCAFile ca.crt \
+        --sslPEMKeyFile client-second-level-bundle.pem
+
+The `--host` option needs to be given to `mongo` because the certificates here
+do not include 127.0.0.1 in subject alternate name.
+
+If the intermediate certificate is not provided, the connection should fail.
+
+    # Expected to fail
+    mongo --host localhost --ssl \
+        --sslCAFile ca.crt \
+        --sslPEMKeyFile client-second-level.pem