mongo 2.9.0.rc0 → 2.9.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bdc48b8fb67060880d69ada836cc9c468abe7fd2b2e959cffaeee5edb410f68a
-  data.tar.gz: c8a365dac958eea89f939f78a668474f9f2e5d1ddb94e8cf772d8eeccb52d6a2
+  metadata.gz: f7be78062f748710dc54cb80b22913e719ffdd5c066f09390ae701cbc4d5b817
+  data.tar.gz: 64fd81ea9461edf3d4211ea32ad2958cd64a2584d84e9a8d3492e22c4332109e
 SHA512:
-  metadata.gz: 6984456cca54c0a352903f1336a6a5c3674eacdd6abf7f9558900cc11d33806d9c32aa7700bcc950a0a8ca973ea5c7f5ad223dbd49c267c04e68703cfb98eda3
-  data.tar.gz: 1ea50f9927a8bb622bf0188c1b158d00f80d35fe0fae72e81c6bac9a94775a3be3f7404b6674962db97833d3449f3bed448fff177527c853fd2e8610c78c783a
+  metadata.gz: 8b2e95fc24ce7bea503e60e3c94066010945df1ba3822395fd34a2c8daa27df75cfbae4b4808133dd59663d65bbecdcb68511a46316aa3b3b840efdc3f34519c
+  data.tar.gz: ce9ebadaeabfb7bd01f662fae6b4a06bb9d35d19cc866af4dab0549a5011120df08a5353b3ca56fa8b3f4408a3b6e06736f0662ca65e2c55a552dea636db93c1

data/README.md

@@ -1,4 +1,4 @@
-MongoDB Ruby Driver [![Build Status][travis-img]][travis-url] [![Code Climate][codeclimate-img]][codeclimate-url] [![Gem Version][rubygems-img]][rubygems-url]
+MongoDB Ruby Driver [![Code Climate][codeclimate-img]][codeclimate-url] [![Gem Version][rubygems-img]][rubygems-url]
 -----
 The officially supported Ruby driver for [MongoDB](http://www.mongodb.org).
 
@@ -107,7 +107,5 @@ License
 
 [rubygems-img]: https://badge.fury.io/rb/mongo.svg
 [rubygems-url]: http://badge.fury.io/rb/mongo
-[travis-img]: https://secure.travis-ci.org/mongodb/mongo-ruby-driver.svg?branch=master
-[travis-url]: http://travis-ci.org/mongodb/mongo-ruby-driver?branch=master
 [codeclimate-img]: https://codeclimate.com/github/mongodb/mongo-ruby-driver.svg?branch=master
 [codeclimate-url]: https://codeclimate.com/github/mongodb/mongo-ruby-driver?branch=master

data/lib/mongo/client.rb

@@ -177,7 +177,9 @@ module Mongo
     #
     # @param [ Array<String> | String ] addresses_or_uri The array of server addresses in the
     #   form of host:port or a MongoDB URI connection string.
-    # @param [ Hash ] options The options to be used by the client.
+    # @param [ Hash ] options The options to be used by the client. If a MongoDB URI
+    #   connection string is also provided, these options take precedence over any
+    #   analogous options present in the URI string.
     #
     #
     # @option options [ String, Symbol ] :app_name Application name that is
@@ -274,24 +276,39 @@ module Mongo
     # @option options [ true, false ] :ssl Whether to use SSL.
     # @option options [ String ] :ssl_ca_cert The file containing concatenated
     #   certificate authority certificates used to validate certs passed from the
-    #   other end of the connection. One of :ssl_ca_cert, :ssl_ca_cert_string or
-    #   :ssl_ca_cert_object (in order of priority) is required for :ssl_verify.
-    # @option options [ Array<OpenSSL::X509::Certificate> ] :ssl_ca_cert_object An array of
-    #   OpenSSL::X509::Certificate representing the certificate authority certificates used
-    #   to validate certs passed from the other end of the connection. One of :ssl_ca_cert,
-    #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority) is required for :ssl_verify.
-    # @option options [ String ] :ssl_ca_cert_string A string containing concatenated
-    #   certificate authority certificates used to validate certs passed from the
-    #   other end of the connection. One of :ssl_ca_cert, :ssl_ca_cert_string or
-    #   :ssl_ca_cert_object (in order of priority) is required for :ssl_verify.
+    #   other end of the connection. Intermediate certificates should NOT be
+    #   specified in files referenced by this option. One of :ssl_ca_cert,
+    #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority) is
+    #   required when using :ssl_verify.
+    # @option options [ Array<OpenSSL::X509::Certificate> ] :ssl_ca_cert_object
+    #   An array of OpenSSL::X509::Certificate objects representing the
+    #   certificate authority certificates used to validate certs passed from
+    #   the other end of the connection. Intermediate certificates should NOT
+    #   be specified in files referenced by this option. One of :ssl_ca_cert,
+    #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority)
+    #   is required when using :ssl_verify.
+    # @option options [ String ] :ssl_ca_cert_string A string containing
+    #   certificate authority certificate used to validate certs passed from the
+    #   other end of the connection. This option allows passing only one CA
+    #   certificate to the driver. Intermediate certificates should NOT
+    #   be specified in files referenced by this option. One of :ssl_ca_cert,
+    #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority) is
+    #   required when using :ssl_verify.
     # @option options [ String ] :ssl_cert The certificate file used to identify
-    #   the connection against MongoDB. This option, if present, takes precedence
-    #   over the values of :ssl_cert_string and :ssl_cert_object
+    #   the connection against MongoDB. A certificate chain may be passed by
+    #   specifying the client certificate first followed by any intermediate
+    #   certificates up to the CA certificate. The file may also contain the
+    #   certificate's private key, which will be ignored. This option, if present,
+    #   takes precedence over the values of :ssl_cert_string and :ssl_cert_object
     # @option options [ OpenSSL::X509::Certificate ] :ssl_cert_object The OpenSSL::X509::Certificate
-    #   used to identify the connection against MongoDB
+    #   used to identify the connection against MongoDB. Only one certificate
+    #   may be passed through this option.
     # @option options [ String ] :ssl_cert_string A string containing the PEM-encoded
-    #   certificate used to identify the connection against MongoDB. This option, if present,
-    #   takes precedence over the value of :ssl_cert_object
+    #   certificate used to identify the connection against MongoDB. A certificate
+    #   chain may be passed by specifying the client certificate first followed
+    #   by any intermediate certificates up to the CA certificate. The string
+    #   may also contain the certificate's private key, which will be ignored,
+    #   This option, if present, takes precedence over the value of :ssl_cert_object
     # @option options [ String ] :ssl_key The private keyfile used to identify the
     #   connection against MongoDB. Note that even if the key is stored in the same
     #   file as the certificate, both need to be explicitly specified. This option,

data/lib/mongo/collection/view/aggregation.rb

@@ -42,6 +42,7 @@ module Mongo
         # The reroute message.
         #
         # @since 2.1.0
+        # @deprecated
         REROUTE = 'Rerouting the Aggregation operation to the primary server.'.freeze
 
         # Set to true if disk usage is allowed during the aggregation.
@@ -120,8 +121,8 @@ module Mongo
 
         def send_initial_query(server, session)
           unless valid_server?(server)
-            log_warn(REROUTE)
-            server = cluster.next_primary(false)
+            log_warn("Rerouting the Aggregation operation to the primary server - #{server.summary} is not suitable")
+            server = cluster.next_primary
           end
           validate_collation!(server)
           initial_query_op(session).execute(server)

data/lib/mongo/collection/view/map_reduce.rb

@@ -35,6 +35,7 @@ module Mongo
         # Reroute message.
         #
         # @since 2.1.0
+        # @deprecated
         REROUTE = 'Rerouting the MapReduce operation to the primary server.'.freeze
 
         # @return [ View ] view The collection view.
@@ -232,8 +233,8 @@ module Mongo
 
         def send_initial_query(server, session)
           unless valid_server?(server)
-            log_warn(REROUTE)
-            server = cluster.next_primary(false)
+            log_warn("Rerouting the MapReduce operation to the primary server - #{server.summary} is not suitable")
+            server = cluster.next_primary
           end
           validate_collation!(server)
           initial_query_op(session).execute(server)

data/lib/mongo/server/connectable.rb

@@ -23,15 +23,15 @@ module Mongo
       # The ssl option prefix.
       #
       # @since 2.1.0
+      # @deprecated
       SSL = 'ssl'.freeze
 
       # The default time in seconds to timeout an operation executed on a socket.
       #
       # @since 2.0.0
       #
-      # @deprecated Timeouts on Ruby sockets aren't effective so this default option is
-      #   no longer used.
-      #   Will be removed in driver version 3.0.
+      # @deprecated Timeouts on Ruby sockets aren't effective so this default
+      #   option is no longer used. Will be removed in driver version 3.0.
       TIMEOUT = 5.freeze
 
       # @return [ Integer ] pid The process id when the connection was created.
@@ -69,7 +69,11 @@ module Mongo
       private
 
       def ssl_options
-        @ssl_options[:ssl] == true ? @ssl_options : {}
+        @ssl_options ||= if options[:ssl]
+          options.select { |k, v| k.to_s.start_with?('ssl') }
+        else
+          {}
+        end.freeze
       end
 
       def ensure_connected

data/lib/mongo/server/connection.rb

@@ -93,7 +93,6 @@ module Mongo
         @monitoring = server.monitoring
         @options = options.freeze
         @server = server
-        @ssl_options = options.select { |k, v| k.to_s.start_with?(SSL) }.freeze
         @socket = nil
         @last_checkin = nil
         @auth_mechanism = nil

data/lib/mongo/server/monitor/connection.rb

@@ -114,7 +114,6 @@ module Mongo
           @address = address
           @options = options.freeze
           @app_metadata = options[:app_metadata]
-          @ssl_options = options.reject { |k, v| !k.to_s.start_with?(SSL) }
           @socket = nil
           @pid = Process.pid
           @compressor = nil

data/lib/mongo/socket/ssl.rb

@@ -149,33 +149,90 @@ module Mongo
       end
 
       def set_cert(context, options)
+        # Since we clear cert_text during processing, we need to examine
+        # ssl_cert_object here to avoid considering it if we have also
+        # processed the text.
         if options[:ssl_cert]
-          context.cert = OpenSSL::X509::Certificate.new(File.open(options[:ssl_cert]))
-        elsif options[:ssl_cert_string]
-          context.cert = OpenSSL::X509::Certificate.new(options[:ssl_cert_string])
-        elsif options[:ssl_cert_object]
-          context.cert = options[:ssl_cert_object]
+          cert_text = File.read(options[:ssl_cert])
+          cert_object = nil
+        elsif cert_text = options[:ssl_cert_string]
+          cert_object = nil
+        else
+          cert_object = options[:ssl_cert_object]
+        end
+
+        # The client certificate may be a single certificate or a bundle
+        # (client certificate followed by intermediate certificates).
+        # The text may also include private keys for the certificates.
+        # OpenSSL supports passing the entire bundle as a certificate chain
+        # to the context via SSL_CTX_use_certificate_chain_file, but the
+        # Ruby openssl extension does not currently expose this functionality
+        # per https://github.com/ruby/openssl/issues/254.
+        # Therefore, extract the individual certificates from the certificate
+        # text, and if there is more than one certificate provided, use
+        # extra_chain_cert option to add the intermediate ones. This
+        # implementation is modeled after
+        # https://github.com/venuenext/ruby-kafka/commit/9495f5daf254b43bc88062acad9359c5f32cb8b5.
+        # Note that the parsing here is not identical to what OpenSSL employs -
+        # for instance, if there is no newline between two certificates
+        # this code will extract them both but OpenSSL fails in this situation.
+        if cert_text
+          certs = cert_text.scan(/-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/)
+          if certs.length > 1
+            context.cert = OpenSSL::X509::Certificate.new(certs.shift)
+            context.extra_chain_cert = certs.map do |cert|
+              OpenSSL::X509::Certificate.new(cert)
+            end
+            # All certificates are already added to the context, skip adding
+            # them again below.
+            cert_text = nil
+          end
+        end
+
+        if cert_text
+          context.cert = OpenSSL::X509::Certificate.new(cert_text)
+        elsif cert_object
+          context.cert = cert_object
         end
       end
 
       def set_key(context, options)
         passphrase = options[:ssl_key_pass_phrase]
         if options[:ssl_key]
-          context.key = passphrase ? OpenSSL::PKey.read(File.open(options[:ssl_key]), passphrase) :
-            OpenSSL::PKey.read(File.open(options[:ssl_key]))
+          context.key = load_private_key(File.read(options[:ssl_key]), passphrase)
         elsif options[:ssl_key_string]
-          context.key = passphrase ? OpenSSL::PKey.read(options[:ssl_key_string], passphrase) :
-            OpenSSL::PKey.read(options[:ssl_key_string])
+          context.key = load_private_key(options[:ssl_key_string], passphrase)
         elsif options[:ssl_key_object]
           context.key = options[:ssl_key_object]
         end
       end
 
+      def load_private_key(text, passphrase)
+        args = if passphrase
+          [text, passphrase]
+        else
+          [text]
+        end
+        # On JRuby, PKey.read does not grok cert+key bundles.
+        # https://github.com/jruby/jruby-openssl/issues/176
+        if BSON::Environment.jruby?
+          [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA].each do |cls|
+            begin
+              return cls.send(:new, *args)
+            rescue OpenSSL::PKey::PKeyError
+              # ignore
+            end
+          end
+          # Neither RSA nor DSA worked, fall through to trying PKey
+        end
+        OpenSSL::PKey.send(:read, *args)
+      end
+
       def set_cert_verification(context, options)
         context.verify_mode = OpenSSL::SSL::VERIFY_PEER
         cert_store = OpenSSL::X509::Store.new
         if options[:ssl_ca_cert]
-          cert_store.add_cert(OpenSSL::X509::Certificate.new(File.open(options[:ssl_ca_cert])))
+          cert_store.add_file(options[:ssl_ca_cert])
         elsif options[:ssl_ca_cert_string]
           cert_store.add_cert(OpenSSL::X509::Certificate.new(options[:ssl_ca_cert_string]))
         elsif options[:ssl_ca_cert_object]

data/lib/mongo/version.rb

@@ -17,5 +17,5 @@ module Mongo
   # The current version of the driver.
   #
   # @since 2.0.0
-  VERSION = '2.9.0.rc0'.freeze
+  VERSION = '2.9.0.rc1'.freeze
 end

data/spec/README.md

@@ -58,8 +58,11 @@ to start a replica set.
 
 First, install [mtools](https://github.com/rueckstiess/mtools):
 
-    pip install mtools --user
+    pip install 'mtools[mlaunch]' --user -U --upgrade-strategy eager
+    # On Linux:
     export PATH=~/.local/bin:$PATH
+    # On MacOS:
+    export PATH=$PATH:~/Library/Python/2.7/bin
     
 Then, launch a replica set:
 
@@ -84,14 +87,40 @@ cluster topology.
 ## TLS With Verification
 
 The test suite includes a set of TLS certificates for configuring a server
-and a client to perform full TLS verification. The server can be started as
-follows, if the current directory is the top of the driver source tree:
+and a client to perform full TLS verification in the `spec/support/certificates`
+directory. The server can be started as follows, if the current directory is
+the top of the driver source tree:
 
     mlaunch init --single --dir /tmp/mdb-ssl --sslMode requireSSL \
       --sslPEMKeyFile `pwd`/spec/support/certificates/server.pem \
       --sslCAFile `pwd`/spec/support/certificates/ca.pem \
       --sslClientCertificate `pwd`/spec/support/certificates/client.pem
 
+To test that the driver works when the server's certificate is signed by an
+intermediate certificate (i.e. uses certificate chaining), use the chained
+server certificate bundle:
+
+    mlaunch init --single --dir /tmp/mdb-ssl --sslMode requireSSL \
+      --sslPEMKeyFile `pwd`/spec/support/certificates/server-second-level-bundle.pem \
+      --sslCAFile `pwd`/spec/support/certificates/ca.pem \
+      --sslClientCertificate `pwd`/spec/support/certificates/client.pem
+
+The driver's test suite is configured to verify certificates by default.
+If the server is launched with the certificates from the driver's test suite,
+the test suite can be run simply by specifying `tls=true` URI option:
+
+    MONGODB_URI='mongodb://localhost:27017/?tls=true' rake 
+
+The driver's test suite can also be executed against a server launched with
+any other certificates. In this case the certificates need to be explicitly
+specified in the URI, for example as follows:
+
+    MONGODB_URI='mongodb://localhost:27017/?tls=true&tlsCAFile=path/to/ca.crt&tlsCertificateKeyFile=path/to/client.pem' rake 
+
+Note that some tests (specifically testing TLS verification) expect the server
+to be launched using the certificates in the driver's test suite, and will
+fail when run against a server using other certificates.
+
 ## TLS Without Verification
 
 It is also possible to enable TLS but omit certificate verification. In this
@@ -108,6 +137,9 @@ verification, run:
 
     MONGODB_URI='mongodb://localhost:27017/?tls=true&tlsInsecure=true' rake 
 
+Note that there are tests in the test suite that cover TLS verification, and
+they may fail if the test suite is run in this way.
+
 ## Authentication
 
 mlaunch can configure authentication on the server:
@@ -160,6 +192,10 @@ permissions:
 
     sudo chmod 0666 /tmp/mongodb-27017.sock
 
+Alternatively, specify the following argument to `mlaunch` or `mongod`:
+
+    --filePermissions 0666
+
 ### Non-Identical Hostnames
 
 The test suite should be configured to connect to exactly the hostnames

data/spec/integration/auth_spec.rb

@@ -120,7 +120,7 @@ describe 'Auth' do
     end
 
     context 'attempting to connect to a non-tls server with tls' do
-      require_no_ssl
+      require_no_tls
 
       let(:options) { {ssl: true} }
 
@@ -138,7 +138,7 @@ describe 'Auth' do
     end
 
     context 'attempting to connect to a tls server without tls' do
-      require_ssl
+      require_tls
 
       let(:options) { {} }
 

data/spec/integration/ssl_uri_options_spec.rb

@@ -1,20 +1,21 @@
 require 'spec_helper'
 
 describe 'SSL connections with URI options' do
-  # SpecConfig currently creates clients exclusively through non-URI options. Because we don't
-  # currently have a way to create what the URI would look like for a given client, it's simpler
-  # just to test the that TLS works when configured from a URI on a standalone server without auth
-  # required, since that allows us to build the URI more easily.
+  # SpecConfig currently creates clients exclusively through non-URI options.
+  # Because we don't currently have a way to create what the URI would look
+  # like for a given client, it's simpler just to test the that TLS works when
+  # configured from a URI on a standalone server without auth required, since
+  # that allows us to build the URI more easily.
   require_no_auth
   require_topology :single
-  require_ssl
+  require_tls
 
   let(:hosts) do
     SpecConfig.instance.addresses.join(',')
   end
 
   let(:uri) do
-    "mongodb://#{hosts}/?tls=true&tlsInsecure=true&tlsCertificateKeyFile=#{SpecConfig.instance.client_cert_key_pem}"
+    "mongodb://#{hosts}/?tls=true&tlsInsecure=true&tlsCertificateKeyFile=#{SpecConfig.instance.client_pem_path}"
   end
 
   it 'successfully connects and runs an operation' do

data/spec/lite_spec_helper.rb

@@ -18,22 +18,6 @@ TRANSACTIONS_API_TESTS = Dir.glob("#{CURRENT_PATH}/spec_tests/data/transactions_
 CHANGE_STREAMS_TESTS = Dir.glob("#{CURRENT_PATH}/spec_tests/data/change_streams/*.yml")
 CMAP_TESTS = Dir.glob("#{CURRENT_PATH}/spec_tests/data/cmap/*.yml")
 
-if ENV['DRIVERS_TOOLS']
-  CLIENT_CERT_PEM = ENV['DRIVER_TOOLS_CLIENT_CERT_PEM']
-  CLIENT_KEY_PEM = ENV['DRIVER_TOOLS_CLIENT_KEY_PEM']
-  CA_PEM = ENV['DRIVER_TOOLS_CA_PEM']
-  CLIENT_KEY_ENCRYPTED_PEM = ENV['DRIVER_TOOLS_CLIENT_KEY_ENCRYPTED_PEM']
-else
-  SSL_CERTS_DIR = "#{CURRENT_PATH}/support/certificates"
-  CLIENT_PEM = "#{SSL_CERTS_DIR}/client.pem"
-  CA_PEM = "#{SSL_CERTS_DIR}/ca.pem"
-  CRL_PEM = "#{SSL_CERTS_DIR}/crl.pem"
-  CLIENT_KEY_PEM = "#{SSL_CERTS_DIR}/client_key.pem"
-  CLIENT_CERT_PEM = "#{SSL_CERTS_DIR}/client_cert.pem"
-  CLIENT_KEY_ENCRYPTED_PEM = "#{SSL_CERTS_DIR}/client_key_encrypted.pem"
-  CLIENT_KEY_PASSPHRASE = "passphrase"
-end
-
 require 'mongo'
 
 unless ENV['CI']

data/spec/mongo/client_construction_spec.rb

@@ -318,23 +318,23 @@ describe Mongo::Client do
 
         let(:options) do
           {
-              :ssl => true,
-              :ssl_ca_cert => CA_PEM,
-              :ssl_ca_cert_string => 'ca cert string',
-              :ssl_ca_cert_object => 'ca cert object',
-              :ssl_cert => CLIENT_CERT_PEM,
-              :ssl_cert_string => 'cert string',
-              :ssl_cert_object => 'cert object',
-              :ssl_key => CLIENT_KEY_PEM,
-              :ssl_key_string => 'key string',
-              :ssl_key_object => 'key object',
-              :ssl_key_pass_phrase => 'passphrase',
-              :ssl_verify => true
+            :ssl => true,
+            :ssl_ca_cert => SpecConfig.instance.ca_cert_path,
+            :ssl_ca_cert_string => 'ca cert string',
+            :ssl_ca_cert_object => 'ca cert object',
+            :ssl_cert => SpecConfig.instance.client_cert_path,
+            :ssl_cert_string => 'cert string',
+            :ssl_cert_object => 'cert object',
+            :ssl_key => SpecConfig.instance.client_key_path,
+            :ssl_key_string => 'key string',
+            :ssl_key_object => 'key object',
+            :ssl_key_pass_phrase => 'passphrase',
+            :ssl_verify => true
           }
         end
 
         let(:client) do
-          new_local_client_nmio(['127.0.0.1:27017'], SpecConfig.instance.test_options.merge(options))
+          new_local_client_nmio(['127.0.0.1:27017'], options)
         end
 
         it 'sets the ssl option' do