Skip to content

Add X509 authentication tests. #1771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions .evergreen/.evg.yml
Original file line number Diff line number Diff line change
Expand Up @@ -232,6 +232,17 @@ functions:
cd $DRIVERS_TOOLS/.evergreen/auth_aws
./setup_secrets.sh drivers/aws_auth

"add-atlas-connect-variables-to-file":
- command: shell.exec
type: "test"
params:
include_expansions_in_env: [ "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN" ]
shell: "bash"
working_dir: "src"
script: |
${PREPARE_SHELL}
${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect

"start-csfle-servers":
- command: ec2.assume_role
params:
Expand Down Expand Up @@ -512,6 +523,16 @@ functions:
# DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
JAVA_VERSION="8" MONGODB_URI="${plain_auth_mongodb_uri}" .evergreen/run-plain-auth-test.sh

"run-x509-auth-test":
- command: shell.exec
type: "test"
params:
silent: true
working_dir: "src"
script: |
# DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
JAVA_VERSION="8" .evergreen/run-x509-auth-tests.sh

"run-aws-auth-test-with-regular-aws-credentials":
- command: shell.exec
type: "test"
Expand Down Expand Up @@ -978,6 +999,13 @@ tasks:
commands:
- func: "run-plain-auth-test"

# Test that x509 auth using server with OpenSSL 3 succeeds.
- name: "atlas-x509-auth-test-task"
commands:
- func: "assume-aws-test-secrets-role"
- func: "add-atlas-connect-variables-to-file"
- func: "run-x509-auth-test"

- name: "aws-auth-test-with-regular-aws-credentials-task"
commands:
- func: "start-mongo-orchestration"
Expand Down Expand Up @@ -2254,6 +2282,7 @@ buildvariants:
- name: "atlas-deployed-task-group"
- name: "atlas-search-task"
- name: "atlas-connectivity-task"
- name: "atlas-x509-auth-test-task"

- name: "atlas-data-lake-test"
display_name: "Atlas Data Lake test"
Expand Down
56 changes: 56 additions & 0 deletions .evergreen/run-x509-auth-tests.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
#!/bin/bash

# Exit the script with error if any of the commands fail
set -o errexit

# Supported/used environment variables:
# JDK Set the version of java to be used. Java versions can be set from the java toolchain /opt/java
# ATLAS_X509_DEV Set the connection string for the Atlas X509 development cluster.
# ATLAS_X509_DEV_CERT_BASE64 Set the base64 encoded contents of a PEM file containing the client certificate (signed by the mongodb dev CA) and client private key for the X509 authentication on development cluster.
# ATLAS_X509_DEV_CERT_NOUSER_BASE64 Set the base64 encoded contents of a PEM file containing the client certificate (signed by the mongodb dev CA) and client private key for the X509 authentication on development cluster with the subject name that does not exist on the server/cluster.

RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE:-$0}")"
. "${RELATIVE_DIR_PATH}/setup-env.bash"

MONGODB_URI=${ATLAS_X509_DEV:-}
echo "$MONGODB_URI"
ATLAS_X509_DEV_CERT_BASE64=${ATLAS_X509_DEV_CERT_BASE64:-}
ATLAS_X509_DEV_CERT_NOUSER_BASE64=${ATLAS_X509_DEV_CERT_NOUSER_BASE64:-}

############################################
# Functions #
############################################

provision_keystores () {
# Base64 decode contents of a PEM holder for client certificate (signed by the mongodb dev CA) and private key
echo "${ATLAS_X509_DEV_CERT_BASE64}" | base64 --decode > ca_and_pk.pem
echo "${ATLAS_X509_DEV_CERT_NOUSER_BASE64}" | base64 --decode > ca_and_pk_no_user.pem

# Build the pkcs12 (keystore). We include the leaf-only certificate (with public key) and private key in the keystore,
# assuming the signed certificate is already trusted by the Atlas as issuer is MongoDB dev CA.
echo "Creating PKCS12 keystore from ca_and_pk.pem"
openssl pkcs12 -export \
-in ca_and_pk.pem \
-out existing_user.p12 \
-password pass:test

echo "Creating PKCS12 keystore from ca_and_pk_no_user.pem"
openssl pkcs12 -export \
-in ca_and_pk_no_user.pem \
-out non_existing_user.p12 \
-password pass:test
}

############################################
# Main Program #
############################################
echo "Running X509 Authentication tests with Java ${JAVA_VERSION}"

# Set up keystores for x509 authentication.
provision_keystores

./gradlew -PjavaVersion=${JAVA_VERSION} -Dorg.mongodb.test.uri=${MONGODB_URI} --info --continue \
-Dorg.mongodb.test.x509.auth.enabled=true \
-Dorg.mongodb.test.x509.auth.keystore.location="$(pwd)" \
driver-sync:test --tests X509AuthenticationTest \
driver-reactive-streams:test --tests X509AuthenticationTest
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/*
* Copyright 2008-present MongoDB, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.mongodb.reactivestreams.client;

import com.mongodb.MongoClientSettings;
import com.mongodb.client.auth.AbstractX509AuthenticationTest;
import com.mongodb.reactivestreams.client.syncadapter.SyncMongoClient;

public class X509AuthenticationTest extends AbstractX509AuthenticationTest {
@Override
protected com.mongodb.client.MongoClient createMongoClient(final MongoClientSettings mongoClientSettings) {
return new SyncMongoClient(MongoClients.create(mongoClientSettings));
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,182 @@
/*
* Copyright 2008-present MongoDB, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.mongodb.client.auth;

import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCommandException;
import com.mongodb.MongoSecurityException;
import com.mongodb.client.Fixture;
import com.mongodb.client.MongoClient;
import com.mongodb.connection.NettyTransportSettings;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import org.junit.jupiter.api.extension.ConditionEvaluationResult;
import org.junit.jupiter.api.extension.ExecutionCondition;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.api.extension.ExtensionContext;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.stream.Stream;

import static com.mongodb.AuthenticationMechanism.MONGODB_X509;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

@ExtendWith(AbstractX509AuthenticationTest.X509AuthenticationPropertyCondition.class)
public abstract class AbstractX509AuthenticationTest {

private static final String KEYSTORE_PASSWORD = "test";
protected abstract MongoClient createMongoClient(MongoClientSettings mongoClientSettings);

private static Stream<Arguments> shouldAuthenticateWithClientCertificate() throws Exception {
String keystoreFileName = "existing_user.p12";
return getArgumentForKeystore(keystoreFileName);
}

@ParameterizedTest(name = "should authenticate with client certificate. MongoClientSettings: {0}")
@MethodSource
public void shouldAuthenticateWithClientCertificate(final MongoClientSettings mongoClientSettings) {
//given
try (MongoClient client = createMongoClient(mongoClientSettings)) {

//when & then command completes successfully with x509 authentication
client.getDatabase("test").getCollection("test").estimatedDocumentCount();
}
}

private static Stream<Arguments> shouldPassMutualTLSWithClientCertificateAndFailAuthenticateWithAbsentUser() throws Exception {
String keystoreFileName = "non_existing_user.p12";
return getArgumentForKeystore(keystoreFileName);
}

@ParameterizedTest(name = "should pass mutual TLS with client certificate and fail authenticate with absent user. "
+ "MongoClientSettings: {0}")
@MethodSource
public void shouldPassMutualTLSWithClientCertificateAndFailAuthenticateWithAbsentUser(final MongoClientSettings mongoClientSettings) {
// given
try (MongoClient client = createMongoClient(mongoClientSettings)) {

// when & then
MongoSecurityException mongoSecurityException = assertThrows(MongoSecurityException.class,
() -> client.getDatabase("test").getCollection("test").estimatedDocumentCount());

assertTrue(mongoSecurityException.getMessage().contains("Exception authenticating"));
MongoCommandException mongoCommandException = (MongoCommandException) mongoSecurityException.getCause();

assertTrue(mongoCommandException.getMessage().contains("Could not find user"));
assertEquals(11, mongoCommandException.getCode());
}
}

private static Stream<Arguments> getArgumentForKeystore(final String keystoreFileName) throws Exception {
SSLContext context = buildSslContextFromKeyStore(keystoreFileName);
MongoClientSettings.Builder mongoClientSettingsBuilder = Fixture.getMongoClientSettingsBuilder();
verifyX509AuthenticationIsRequired(mongoClientSettingsBuilder);

return Stream.of(
Arguments.of(mongoClientSettingsBuilder
.applyToSslSettings(builder -> builder.context(context))
.build()),

Arguments.of(mongoClientSettingsBuilder
.applyToSslSettings(builder -> builder.context(context))
.transportSettings(NettyTransportSettings.nettyBuilder()
.sslContext(SslContextBuilder.forClient()
.sslProvider(SslProvider.JDK)
.keyManager(getKeyManagerFactory(keystoreFileName))
.build())
.build())
.build()),

Arguments.of(mongoClientSettingsBuilder
.applyToSslSettings(builder -> builder.context(context))
.transportSettings(NettyTransportSettings.nettyBuilder()
.sslContext(SslContextBuilder.forClient()
.sslProvider(SslProvider.OPENSSL)
.keyManager(getKeyManagerFactory(keystoreFileName))
.build())
.build())
.build())
);
}

private static SSLContext buildSslContextFromKeyStore(final String keystoreFileName) throws Exception {
KeyManagerFactory keyManagerFactory = getKeyManagerFactory(keystoreFileName);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
return sslContext;
}

private static KeyManagerFactory getKeyManagerFactory(final String keystoreFileName)
throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
KeyStore ks = KeyStore.getInstance("PKCS12");
try (FileInputStream fis = new FileInputStream(getKeystoreLocation() + File.separator + keystoreFileName)) {
ks.load(fis, KEYSTORE_PASSWORD.toCharArray());
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(ks, KEYSTORE_PASSWORD.toCharArray());
return keyManagerFactory;
}

private static String getKeystoreLocation() {
return System.getProperty("org.mongodb.test.x509.auth.keystore.location");
}

/**
* The connection string is sourced from an environment variable populated from Secret Storage.
* We verify it still requires X.509 authentication before running these tests to ensure test invariants.
*/
private static void verifyX509AuthenticationIsRequired(final MongoClientSettings.Builder mongoClientSettingsBuilder) {
com.mongodb.assertions.Assertions.assertTrue(
com.mongodb.assertions.Assertions.assertNotNull(mongoClientSettingsBuilder.build().getCredential())
.getAuthenticationMechanism() == MONGODB_X509);
}

/**
This condition allows to skip initialization of method sources and test execution.
- @EnableIf on the class, assumeTrue in the constructor - do not block method source initialization.
- assumeTrue in the static block - fails the test.
**/
public static class X509AuthenticationPropertyCondition implements ExecutionCondition {
@Override
public ConditionEvaluationResult evaluateExecutionCondition(final ExtensionContext context) {
if (isX509TestsEnabled()) {
return ConditionEvaluationResult.enabled("Test is enabled because x509 auth configuration exists");
} else {
return ConditionEvaluationResult.disabled("Test is disabled because x509 auth configuration is missing");
}
}
}

private static boolean isX509TestsEnabled() {
return Boolean.parseBoolean(System.getProperty("org.mongodb.test.x509.auth.enabled"));
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/*
* Copyright 2008-present MongoDB, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.mongodb.client.auth;

import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

public class X509AuthenticationTest extends AbstractX509AuthenticationTest {
@Override
protected MongoClient createMongoClient(final MongoClientSettings mongoClientSettings) {
return MongoClients.create(mongoClientSettings);
}
}