def test_cert_ssl(self):
    """Connect over SSL presenting a client certificate, standalone and RS.

    Preconditions (the test is skipped otherwise):

    * mongod runs with the server.pem, ca.pem and crl.pem shipped in the
      mongodb server tests, e.g.
      ``--sslPEMKeyFile=jstests/libs/server.pem``
      ``--sslCAFile=jstests/libs/ca.pem``
      ``--sslCRLFile=jstests/libs/crl.pem``
    * "server" is resolvable (an /etc/hosts entry).
    * the environment is not running with auth.

    Only ``ssl_certfile`` is passed here: this exercises the client
    certificate path and leaves server-certificate checking to the
    driver's default policy (no ``ssl_cert_reqs``/``ssl_ca_certs``).
    Verification of the server certificate is covered by the
    ``*_validation`` tests.
    """
    cfg = test.env
    if not cfg.mongod_validates_client_cert:
        raise SkipTest("No mongod available over SSL with certs")
    if not cfg.server_is_resolvable:
        raise SkipTest("No hosts entry for 'server'. Cannot validate "
                       "hostname in the certificate")
    if cfg.auth:
        raise SkipTest("Can't test with auth")

    # Shared by the standalone and replica-set clients below.
    client_cert_kwargs = dict(ssl_certfile=CLIENT_PEM, io_loop=self.loop)

    standalone = AsyncIOMotorClient(cfg.uri, **client_cert_kwargs)
    yield from standalone.db.collection.find_one()
    ismaster = yield from standalone.admin.command('ismaster')

    # 'setName' in the ismaster reply means the deployment is a replica
    # set; repeat the round trip through the replica-set client.
    if 'setName' in ismaster:
        rs_client = AsyncIOMotorReplicaSetClient(
            cfg.rs_uri, ssl=True, **client_cert_kwargs)
        yield from rs_client.db.collection.find_one()
def test_cert_ssl_validation_hostname_fail(self):
    """Hostname verification must fail when the URI host is not in the cert.

    NOTE(review): a second method with this exact name appears later in
    this listing. If both are defined in the same class, the later
    definition replaces this one and this body never runs -- confirm
    which version is intended.

    A first client (client certificate only, no server verification
    requested) is used purely to learn whether the deployment is a
    replica set. The clients under test request ``ssl.CERT_REQUIRED``
    against ``CA_PEM`` and connect via ``fake_hostname_uri``; the
    original comment notes that this uses hostname 'server' rather than
    'localhost', and the expected outcome is ``ssl.CertificateError``
    from the hostname check, for both the standalone and the
    replica-set client.
    """
    cfg = test.env
    if not cfg.mongod_validates_client_cert:
        raise SkipTest("No mongod available over SSL with certs")
    if cfg.auth:
        raise SkipTest("Can't test with auth")

    # Discovery connection: not verified, only used to read 'setName'.
    probe = AsyncIOMotorClient(env.host, env.port, ssl=True,
                               ssl_certfile=CLIENT_PEM,
                               io_loop=self.loop)
    ismaster = yield from probe.admin.command('ismaster')

    # Full verification: CA pinned to CA_PEM, hostname must match.
    strict_kwargs = dict(ssl_certfile=CLIENT_PEM,
                         ssl_cert_reqs=ssl.CERT_REQUIRED,
                         ssl_ca_certs=CA_PEM,
                         io_loop=self.loop)

    with self.assertRaises(ssl.CertificateError):
        mismatched = AsyncIOMotorClient(cfg.fake_hostname_uri,
                                        **strict_kwargs)
        yield from mismatched.db.collection.find_one()

    if 'setName' in ismaster:
        with self.assertRaises(ssl.CertificateError):
            mismatched_rs = AsyncIOMotorReplicaSetClient(
                cfg.fake_hostname_uri,
                replicaSet=ismaster['setName'],
                **strict_kwargs)
            yield from mismatched_rs.db.collection.find_one()
def test_cert_ssl_validation(self):
    """Connect with full server-certificate verification and succeed.

    Every client here passes ``ssl_cert_reqs=ssl.CERT_REQUIRED`` and
    ``ssl_ca_certs=CA_PEM``, so the server certificate must chain to
    CA_PEM and the host (``env.host``) must match it; a client
    certificate is presented via ``CLIENT_PEM``. The round trip is
    repeated through the replica-set client when the ismaster reply
    carries a 'setName'.

    Skipped when no cert-validating mongod is available or when the
    environment runs with auth.
    """
    cfg = test.env
    if not cfg.mongod_validates_client_cert:
        raise SkipTest("No mongod available over SSL with certs")
    if cfg.auth:
        raise SkipTest("Can't test with auth")

    verified_kwargs = dict(ssl_certfile=CLIENT_PEM,
                           ssl_cert_reqs=ssl.CERT_REQUIRED,
                           ssl_ca_certs=CA_PEM,
                           io_loop=self.loop)

    standalone = AsyncIOMotorClient(env.host, env.port, **verified_kwargs)
    yield from standalone.db.collection.find_one()
    ismaster = yield from standalone.admin.command('ismaster')

    if 'setName' in ismaster:
        rs_client = AsyncIOMotorReplicaSetClient(
            env.host, env.port,
            replicaSet=ismaster['setName'],
            **verified_kwargs)
        yield from rs_client.db.collection.find_one()
def test_cert_ssl_validation_hostname_fail(self):
    """Hostname verification must reject a server cert issued to 'server'.

    Assumes mongod runs with the server.pem, ca.pem and crl.pem shipped
    in the mongodb server tests, e.g.
    ``--sslPEMKeyFile=jstests/libs/server.pem``
    ``--sslCAFile=jstests/libs/ca.pem``
    ``--sslCRLFile=jstests/libs/crl.pem``

    A discovery client (client certificate only, no ``ssl_cert_reqs``)
    reads the ismaster reply. The clients under test then request
    ``ssl.CERT_REQUIRED`` against ``CA_PEM`` on ``test.env.uri``; since
    the certificate is named 'server', not localhost, the connection is
    expected to fail with ``ConnectionFailure``. For the standalone
    client the exact message is asserted, which ties this test to the
    driver's wording; the replica-set branch only requires the
    exception type.
    """
    cfg = test.env
    if not cfg.mongod_validates_client_cert:
        raise SkipTest("No mongod available over SSL with certs")
    if cfg.auth:
        raise SkipTest("Can't test with auth")

    # Unverified discovery connection, used only to read 'setName'.
    probe = AsyncIOMotorClient(cfg.uri, ssl=True,
                               ssl_certfile=CLIENT_PEM,
                               io_loop=self.loop)
    ismaster = yield from probe.admin.command('ismaster')

    strict_kwargs = dict(ssl_certfile=CLIENT_PEM,
                         ssl_cert_reqs=ssl.CERT_REQUIRED,
                         ssl_ca_certs=CA_PEM,
                         io_loop=self.loop)

    try:
        # The server presents a certificate named 'server', not localhost.
        strict_client = AsyncIOMotorClient(cfg.uri, **strict_kwargs)
        yield from strict_client.db.collection.find_one()
    except ConnectionFailure as exc:
        self.assertEqual("hostname 'localhost' doesn't match 'server'",
                         str(exc))
    else:
        self.fail("Invalid hostname should have failed")

    if 'setName' in ismaster:
        try:
            strict_rs = AsyncIOMotorReplicaSetClient(
                cfg.rs_uri, **strict_kwargs)
            yield from strict_rs.db.collection.find_one()
        except ConnectionFailure:
            pass  # the expected outcome; message not checked here
        else:
            self.fail("Invalid hostname should have failed")
def test_simple_ssl(self):
    """Plain ``ssl=True`` round trip with no certificates on either side.

    Expects mongod to run with ssl and either no ``--sslPEMKeyFile`` or
    ``--sslWeakCertificateValidation``. No ``ssl_cert_reqs`` or
    ``ssl_ca_certs`` is passed, so this only checks that an encrypted
    connection can be established; it does not verify the server's
    identity. Skipped when mongod is not started with SSL, when it
    validates client certificates, or when auth is on.
    """
    cfg = test.env
    if not cfg.mongod_started_with_ssl:
        raise SkipTest("No mongod available over SSL")
    if cfg.mongod_validates_client_cert:
        raise SkipTest("mongod validates SSL certs")
    if cfg.auth:
        raise SkipTest("Can't test with auth")

    standalone = AsyncIOMotorClient(cfg.uri, ssl=True, io_loop=self.loop)
    yield from standalone.db.collection.find_one()
    ismaster = yield from standalone.admin.command('ismaster')

    if 'setName' in ismaster:
        rs_client = AsyncIOMotorReplicaSetClient(
            cfg.rs_uri, ssl=True, io_loop=self.loop)
        yield from rs_client.db.collection.find_one()
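def test_cert_ssl_validation_optional(self):
    """Connect with ``ssl.CERT_OPTIONAL`` via the 'server' hostname.

    Expects mongod to run with the server.pem, ca.pem and crl.pem shipped
    in the mongodb server tests, e.g.
    ``--sslPEMKeyFile=jstests/libs/server.pem``
    ``--sslCAFile=jstests/libs/ca.pem``
    ``--sslCRLFile=jstests/libs/crl.pem``
    and requires an /etc/hosts entry so that "server" resolves.

    The clients pass ``ssl_cert_reqs=ssl.CERT_OPTIONAL`` with
    ``ssl_ca_certs=CA_PEM`` and connect through ``fake_hostname_uri``.
    NOTE(review): how much of the server certificate the driver checks
    under CERT_OPTIONAL (chain only, or chain plus hostname) is not
    visible here -- confirm against the driver version in use before
    relying on this test as evidence of hostname verification.

    For a replica set the test is skipped unless the reported primary's
    host is 'server', because only that name can match the certificate.
    Fix: the ismaster reply may carry 'setName' without 'primary' (no
    primary currently known), which previously raised KeyError; that
    case now skips like any other non-'server' primary.
    """
    cfg = test.env
    if not cfg.mongod_validates_client_cert:
        raise SkipTest("No mongod available over SSL with certs")
    if not cfg.server_is_resolvable:
        raise SkipTest("No hosts entry for 'server'. Cannot validate "
                       "hostname in the certificate")
    if cfg.auth:
        raise SkipTest("Can't test with auth")

    optional_kwargs = dict(ssl_certfile=CLIENT_PEM,
                           ssl_cert_reqs=ssl.CERT_OPTIONAL,
                           ssl_ca_certs=CA_PEM,
                           io_loop=self.loop)

    client = AsyncIOMotorClient(cfg.fake_hostname_uri, **optional_kwargs)
    ismaster = yield from client.admin.command('ismaster')

    if 'setName' in ismaster:
        # 'primary' is absent when no primary is known; treat that like a
        # primary that is not 'server' and skip rather than error out.
        primary_host = ismaster.get('primary', '').split(":")[0]
        if primary_host != 'server':
            raise SkipTest("No hosts in the replicaset for 'server'. "
                           "Cannot validate hostname in the certificate")
        rs_client = AsyncIOMotorReplicaSetClient(
            cfg.fake_hostname_uri,
            replicaSet=ismaster['setName'],
            **optional_kwargs)
        yield from rs_client.db.collection.find_one()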