Merged
401 changes: 401 additions & 0 deletions .evergreen.yml

7 changes: 5 additions & 2 deletions .evergreen/evergreen.yml.in
Expand Up @@ -798,8 +798,9 @@ tasks:
###
<% for (const { executableOsId, compileBuildVariant } of EXECUTABLE_PKG_INFO) {
for (const mVersion of ['stable', 'unstable']) {
for (const fipsVariant of ['fips', 'nofips']) {
%>
- name: e2e_tests_<% out(executableOsId.replace(/-/g, '_')) %><% out(mVersion === 'stable' ? '' : '_unstable') %>
- name: e2e_tests_<% out(executableOsId.replace(/-/g, '_')) %><% out(mVersion === 'stable' ? '' : '_unstable') %><% out(fipsVariant === 'fips' ? '_fips' : '') %>
tags: ["e2e-test"]
depends_on:
- name: compile_artifact
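Review bot: the new `fipsVariant` loop (the `for (const fipsVariant of ['fips', 'nofips'])` line) emits an `e2e_tests_*_fips` task for every `EXECUTABLE_PKG_INFO` entry and both `mVersion` values, while the buildvariants change in this same file only references `e2e_tests_linux_x64_openssl11_fips`, so the remaining generated `_fips` tasks are defined but never scheduled. Either gate the loop on the OS actually supporting FIPS (a flag on the `EXECUTABLE_PKG_INFO` entry) or add a comment that unreferenced `_fips` tasks are intentional, so nobody later assumes they run.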
Expand All @@ -817,7 +818,8 @@ tasks:
vars:
node_js_version: "<% out(NODE_JS_VERSION_16) %>"
mongosh_server_test_version: "<% out(mVersion) %>"
<% } } %>
mongosh_test_e2e_force_fips: "<% out(fipsVariant === 'fips' ? '1' : '') %>"
<% } } } %>

###
# PACKAGING
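Review bot: `mongosh_test_e2e_force_fips` is rendered as `""` for the `nofips` variant, so the variable is always present and only `"1"` enables FIPS; the spec files check it with `if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS)`, which treats the empty string as false, but a future `!== undefined` or shell `${VAR+set}` check would behave differently. A one-line comment next to this `vars:` entry stating that the value is either `"1"` or empty would prevent that regression.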
Expand Down Expand Up @@ -1084,6 +1086,7 @@ buildvariants:
tasks:
- name: e2e_tests_linux_x64
- name: e2e_tests_linux_x64_openssl11
- name: e2e_tests_linux_x64_openssl11_fips
Collaborator Author

This is the only variant where FIPS support worked out of the box. For other OSes, I guess the docker tests have to be enough (although I was pleasantly surprised to see that FIPS support works even for their docker images).

- name: e2e_ubuntu1804_x64
display_name: "Ubuntu 18.04 x64 (E2E Tests)"
run_on: ubuntu1804-small
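Review bot: only the `linux_x64_openssl11` buildvariant picks up the `_fips` task (the added `- name: e2e_tests_linux_x64_openssl11_fips` line), and the rationale for that, per the inline discussion, is that FIPS only worked out of the box there and the docker smoke tests cover the other OSes. That rationale should live as a YAML comment beside this task rather than only in the PR thread, and it is worth noting explicitly that this leaves `--tlsFIPSMode` untested in e2e against an OpenSSL 3 host.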
37 changes: 27 additions & 10 deletions packages/cli-repl/src/smoke-tests.ts
@@ -1,9 +1,10 @@
/* eslint-disable no-console */
/* eslint-disable no-console, @typescript-eslint/no-non-null-assertion, chai-friendly/no-unused-expressions */
import { spawn } from 'child_process';
import assert from 'assert';
import { once } from 'events';
import { redactURICredentials } from '@mongosh/history';
import fleSmokeTestScript from './smoke-tests-fle';
import { buildInfo } from './build-info';

/**
* Run smoke tests on an executable, e.g.
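Review bot: the `/* eslint-disable ... @typescript-eslint/no-non-null-assertion ... */` directive now disables the rule for the whole file to permit the `proc.stdout!`, `proc.stderr?`, `proc.stdin!` accesses added further down; with `stdio` explicitly set to `'pipe'` those streams are non-null, so narrowing once (`const { stdout, stdin } = proc; assert(stdout && stdin);`) would keep the rule active for future code in this file. If the file-wide disable stays, scoping it with `eslint-disable-next-line` on the affected lines is the smaller change.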
Expand All @@ -20,11 +21,23 @@ export async function runSmokeTests(smokeTestServer: string | undefined, executa
assert(!!smokeTestServer, 'Make sure MONGOSH_SMOKE_TEST_SERVER is set in CI');
}

for (const { input, output, testArgs } of [{
const skipFipsWithOpenSSL3 = process.env.MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3 && buildInfo().opensslVersion.startsWith('3.');
Collaborator Author

Had to add this option since the docker images that provide an OpenSSL-3-capable OS don’t provide FIPS support in a usable way. That’s okay – we are being clear here about the fact that what we provide is shared OpenSSL support and the ability to put OpenSSL in FIPS mode. Making sure that their local OpenSSL works in FIPS mode is the user’s responsibility.

const expectFipsSupport = !!process.env.MONGOSH_SMOKE_TEST_OS_HAS_FIPS_SUPPORT && buildInfo().sharedOpenssl;
console.log('FIPS support required to pass?', { skipFipsWithOpenSSL3, expectFipsSupport });

for (const { input, output, testArgs, includeStderr } of [{
input: 'print("He" + "llo" + " Wor" + "ld!")',
output: /Hello World!/,
includeStderr: false,
testArgs: ['--nodb'],
}].concat(smokeTestServer ? [{
}].concat(skipFipsWithOpenSSL3 ? [] : [{
input: 'crypto.createHash("md5").update("hello").digest("hex")',
output: expectFipsSupport ?
/disabled for FIPS/i :
/disabled for FIPS|Could not enable FIPS mode/i,
includeStderr: true,
testArgs: ['--tlsFIPSMode', '--nodb']
}]).concat(smokeTestServer ? [{
input: `
const dbname = "testdb_simplesmoke" + new Date().getTime();
use(dbname);
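Review bot: when `expectFipsSupport` is false the pattern `/disabled for FIPS|Could not enable FIPS mode/i` lets the `--tlsFIPSMode` case pass without FIPS ever being enabled, and when `skipFipsWithOpenSSL3` is set the MD5 check is dropped entirely, so on the OpenSSL 3 images nothing verifies that `crypto.createHash("md5")` is rejected; that is acceptable per the inline comment, but the success log should record which alternative matched so a variant silently falling back to "Could not enable FIPS mode" is visible in CI output. Separately, `skipFipsWithOpenSSL3` is typed `string | boolean | undefined` while `expectFipsSupport` is coerced with `!!`; wrapping the first in `!!(...)` as well keeps the two flags consistent.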
Expand All @@ -34,13 +47,15 @@ export async function runSmokeTests(smokeTestServer: string | undefined, executa
}
db.dropDatabase();`,
output: /Test succeeded/,
includeStderr: false,
testArgs: [smokeTestServer as string]
}, {
input: fleSmokeTestScript,
output: /Test succeeded|Test skipped/,
includeStderr: false,
testArgs: [smokeTestServer as string]
}] : [])) {
await runSmokeTest(executable, [...args, ...testArgs], input, output);
await runSmokeTest(executable, [...args, ...testArgs], input, output, includeStderr);
}
console.log('all tests passed');
}
Expand All @@ -53,16 +68,18 @@ export async function runSmokeTests(smokeTestServer: string | undefined, executa
* @param input stdin contents of the executable
* @param output Expected contents of stdout
*/
async function runSmokeTest(executable: string, args: string[], input: string, output: RegExp): Promise<void> {
async function runSmokeTest(executable: string, args: string[], input: string, output: RegExp, includeStderr?: boolean): Promise<void> {
const proc = spawn(executable, [...args], {
stdio: ['pipe', 'pipe', 'inherit']
stdio: ['pipe', 'pipe', includeStderr ? 'pipe' : 'inherit']
});
let stdout = '';
proc.stdout.setEncoding('utf8').on('data', (chunk) => { stdout += chunk; });
proc.stdin.end(input);
await once(proc.stdout, 'end');
let stderr = '';
proc.stdout!.setEncoding('utf8').on('data', (chunk) => { stdout += chunk; });
proc.stderr?.setEncoding('utf8').on('data', (chunk) => { stderr += chunk; });
proc.stdin!.end(input);
await once(proc.stdout!, 'end');
try {
assert.match(stdout, output);
assert.match(includeStderr ? `${stdout}\n${stderr}` : stdout, output);
console.error({ status: 'success', input, output, stdout, executable, args: args.map(arg => redactURICredentials(arg)) });
} catch (err: any) {
console.error({ status: 'failure', input, output, stdout, executable, args: args.map(arg => redactURICredentials(arg)) });
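Review bot: `await once(proc.stdout!, 'end')` only waits for stdout, but with `includeStderr` the assertion reads `${stdout}\n${stderr}`, and stderr is a separate pipe whose last chunks (the FIPS error text this change expects to find there) may not have been delivered when stdout reports `'end'`, so the match can fail spuriously. Wait on both streams, e.g. `await Promise.all([once(proc.stdout!, 'end'), includeStderr ? once(proc.stderr!, 'end') : undefined])`, or on `once(proc, 'close')`. Two smaller points: the `status: 'failure'` log still omits `stderr`, which is the most useful diagnostic for the FIPS case, so add it to both log objects; and the JSDoc `@param output Expected contents of stdout` is now stale and needs a matching `@param includeStderr` entry.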
21 changes: 15 additions & 6 deletions packages/cli-repl/test/e2e-auth.spec.ts
Expand Up @@ -111,9 +111,6 @@ describe('Auth e2e', function() {

describe('user management', () => {
describe('createUser', () => {
afterEach(async() => {
await assertUserAuth();
});
it('all arguments', async() => {
await shell.executeLine(`use ${dbName}`);
expect(await shell.executeLine(
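Review bot: removing the `afterEach(async() => { await assertUserAuth(); })` hook and repeating the call inside each `it` is presumably needed because Mocha still runs `afterEach` for a test that calls `this.skip()`, so the FIPS-skipped `digestPassword` case would otherwise fail in the hook; a short comment at the top of this `describe` saying so would stop a later cleanup from hoisting the call back into `afterEach`.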
Expand All @@ -125,6 +122,7 @@ describe('Auth e2e', function() {
mechanisms: ['SCRAM-SHA-256']
});
shell.assertNoErrors();
await assertUserAuth();
});
it('default arguments', async() => {
await shell.executeLine(`use ${dbName}`);
Expand All @@ -136,8 +134,12 @@ describe('Auth e2e', function() {
mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']
});
shell.assertNoErrors();
await assertUserAuth();
});
it('digestPassword', async() => {
it('digestPassword', async function() {
if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
return this.skip(); // No SCRAM-SHA-1 in FIPS mode
}
await shell.executeLine(`use ${dbName}`);
expect(await shell.executeLine(
'db.createUser({ user: "anna", pwd: "pwd", roles: [], mechanisms: ["SCRAM-SHA-1"], passwordDigestor: "client"})'
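Review bot: the `if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) { return this.skip(); }` block is repeated verbatim in several tests across this file and e2e-tls.spec.ts; a helper such as `skipIfFipsForced(this)` exported from test-shell.ts, next to the code that injects `--tlsFIPSMode`, would keep the env-var semantics in one place and the skip reason consistent. Skipping also means the SCRAM-SHA-1-under-FIPS failure mode is never exercised; one test asserting that a `mechanisms: ["SCRAM-SHA-1"]` auth attempt fails with a clear error when FIPS is forced would document the expected behaviour rather than just avoiding it.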
Expand All @@ -147,6 +149,7 @@ describe('Auth e2e', function() {
mechanisms: ['SCRAM-SHA-1']
});
shell.assertNoErrors();
await assertUserAuth();
});
});
describe('updateUser', () => {
Expand Down Expand Up @@ -190,7 +193,10 @@ describe('Auth e2e', function() {
});
shell.assertNoErrors();
});
it('digestPassword', async() => {
it('digestPassword', async function() {
if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
return this.skip(); // No SCRAM-SHA-1 in FIPS mode
}
await shell.executeLine(`use ${dbName}`);
expect(await shell.executeLine(
'db.updateUser("anna", { pwd: "pwd3", passwordDigestor: "client", mechanisms: ["SCRAM-SHA-1"]})'
Expand Down Expand Up @@ -825,7 +831,10 @@ describe('Auth e2e', function() {
shell.assertNoErrors();
});
context('with specific auth mechanisms', () => {
it('can auth with SCRAM-SHA-1', async() => {
it('can auth with SCRAM-SHA-1', async function() {
if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
return this.skip(); // No SCRAM-SHA-1 in FIPS mode
}
const connectionString = await testServer.connectionString();
shell = TestShell.start({ args: [
connectionString,
5 changes: 4 additions & 1 deletion packages/cli-repl/test/e2e-tls.spec.ts
Expand Up @@ -424,7 +424,10 @@ describe('e2e TLS', () => {
shell.assertContainsOutput('MongoServerSelectionError');
});

it('works with valid cert (with tlsCertificateSelector)', async() => {
it('works with valid cert (with tlsCertificateSelector)', async function() {
if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
return this.skip(); // No tlsCertificateSelector support in FIPS mode
}
const fakeOsCaModule = path.resolve(tmpdir.path, 'fake-ca.js');
await fs.writeFile(fakeOsCaModule, `
const fs = require('fs');
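Review bot: the comment `// No tlsCertificateSelector support in FIPS mode` says what is skipped but not why, and "not supported" could mean the option is refused or that it fails somewhere inside the TLS setup; stating the cause here, and adding a counterpart test asserting that `--tlsCertificateSelector` together with `--tlsFIPSMode` fails with a clear error, would make the unsupported combination a tested behaviour instead of an untested gap.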
9 changes: 7 additions & 2 deletions packages/cli-repl/test/test-shell.ts
Expand Up @@ -35,8 +35,13 @@ export class TestShell {
env = { ...env, MONGOSH_FORCE_TERMINAL: '1' };
}

const args = [...options.args];
if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
args.push('--tlsFIPSMode');
}

if (process.env.MONGOSH_TEST_EXECUTABLE_PATH) {
shellProcess = spawn(process.env.MONGOSH_TEST_EXECUTABLE_PATH, [...options.args], {
shellProcess = spawn(process.env.MONGOSH_TEST_EXECUTABLE_PATH, args, {
stdio: [ 'pipe', 'pipe', 'pipe' ],
env: env,
cwd: options.cwd
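Review bot: `args.push('--tlsFIPSMode')` applies to every `TestShell.start` call when `MONGOSH_TEST_E2E_FORCE_FIPS` is set, including tests whose assertions are unrelated to TLS, so any spec that checks exact argument handling or error text will run with an extra flag in the FIPS variant. A comment here stating that the whole e2e suite runs under FIPS in that variant, plus an opt-out in `options` for the few tests that must start the plain shell, would make the behaviour explicit; the truthiness check on the env var should also match whatever the spec files use so an empty value is treated the same everywhere.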
Expand All @@ -52,7 +57,7 @@ export class TestShell {
env = { ...env, CLEAR_SIGINT_LISTENERS: '1' };
}

shellProcess = spawn('node', [path.resolve(__dirname, '..', 'bin', 'mongosh.js'), ...options.args], {
shellProcess = spawn('node', [path.resolve(__dirname, '..', 'bin', 'mongosh.js'), ...args], {
stdio: [ 'pipe', 'pipe', 'pipe' ],
env: env,
cwd: options.cwd
2 changes: 1 addition & 1 deletion scripts/docker/amazonlinux1-rpm.Dockerfile
Expand Up @@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN yum repolist
RUN yum install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
Collaborator Author

This is just so that we can see the openssl config values more easily for debugging

RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
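Review bot: `RUN /usr/bin/mongosh --build-info` only prints the output into the build log, so it helps a human debugging but asserts nothing; since the build info exposes `sharedOpenssl` and `opensslVersion` (the fields smoke-tests.ts reads), piping it through `grep -q`, as the next line already does for the crypt library, would turn this into a check that the package links the OpenSSL configuration expected for this image. The same applies to the identical change in the other Dockerfiles in this PR.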
2 changes: 1 addition & 1 deletion scripts/docker/amazonlinux2-rpm.Dockerfile
Expand Up @@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN yum repolist
RUN yum install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/centos7-epel-rpm.Dockerfile
Expand Up @@ -8,6 +8,6 @@ RUN yum repolist
RUN yum install -y epel-release
RUN yum repolist
RUN yum install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/centos7-rpm.Dockerfile
Expand Up @@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN yum repolist
RUN yum install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/debian10-deb.Dockerfile
Expand Up @@ -6,7 +6,7 @@ ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN apt-get update
RUN apt-get install -y man-db
RUN apt-get install -y /tmp/*mongosh*.deb
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/debian11-deb.Dockerfile
Expand Up @@ -6,7 +6,7 @@ ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN apt-get update
RUN apt-get install -y man-db
RUN apt-get install -y /tmp/*mongosh*.deb
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/debian9-deb.Dockerfile
Expand Up @@ -6,7 +6,7 @@ ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN apt-get update
RUN apt-get install -y man-db
RUN apt-get install -y /tmp/*mongosh*.deb
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/fedora34-rpm.Dockerfile
Expand Up @@ -6,6 +6,6 @@ ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN yum repolist
RUN yum install -y man
RUN yum install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
3 changes: 2 additions & 1 deletion scripts/docker/rocky8-epel-rpm.Dockerfile
Expand Up @@ -9,7 +9,8 @@ RUN dnf install -y epel-release
RUN dnf repolist
RUN dnf install -y man
RUN dnf install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENV MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3=1
ENTRYPOINT [ "mongosh" ]
3 changes: 2 additions & 1 deletion scripts/docker/rocky8-rpm.Dockerfile
Expand Up @@ -6,7 +6,8 @@ ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN dnf repolist
RUN dnf install -y man
RUN dnf install -y /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENV MONGOSH_SMOKE_TEST_OS_HAS_FIPS_SUPPORT=1
ENTRYPOINT [ "mongosh" ]
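Review bot: this image sets `MONGOSH_SMOKE_TEST_OS_HAS_FIPS_SUPPORT=1` while rocky8-epel-rpm.Dockerfile sets `MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3=1`, yet both are Rocky 8 images; a comment next to each `ENV` line explaining why the EPEL variant differs (a different OpenSSL package from EPEL, presumably) would help, and note that the skip flag only takes effect when `buildInfo().opensslVersion` starts with `3.`, so on an image whose shell still reports OpenSSL 1.1 it is a no-op and the FIPS check will run there without `HAS_FIPS_SUPPORT`, i.e. with the lenient pattern.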
2 changes: 1 addition & 1 deletion scripts/docker/suse12-rpm.Dockerfile
Expand Up @@ -6,6 +6,6 @@ ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN zypper --no-gpg-checks --non-interactive addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.1:Update/standard/openSUSE:Leap:15.1:Update.repo
RUN zypper --no-gpg-checks --non-interactive refresh
RUN zypper --no-gpg-checks --non-interactive install /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/suse15-rpm.Dockerfile
Expand Up @@ -7,7 +7,7 @@ RUN zypper --no-gpg-checks --non-interactive addrepo https://download.opensuse.o
RUN zypper --no-gpg-checks --non-interactive refresh
RUN zypper --no-gpg-checks --non-interactive install man
RUN zypper --no-gpg-checks --non-interactive install /tmp/*mongosh*.rpm
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/ubuntu18.04-deb.Dockerfile
Expand Up @@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
RUN apt-get update
RUN apt-get install -y /tmp/*mongosh*.deb
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/ubuntu20.04-deb.Dockerfile
Expand Up @@ -7,7 +7,7 @@ RUN apt-get update
RUN yes | unminimize
RUN apt-get install -y man-db
RUN apt-get install -y /tmp/*mongosh*.deb
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENTRYPOINT [ "mongosh" ]
2 changes: 1 addition & 1 deletion scripts/docker/ubuntu20.04-tgz.Dockerfile
Expand Up @@ -7,6 +7,6 @@ RUN apt-get update
RUN apt-get install -y libgssapi-krb5-2
RUN tar -C /tmp --strip-components=1 -xvzf /tmp/*mongosh*.tgz
RUN ln -s /tmp/bin/mongosh /usr/bin/mongosh
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /tmp/bin/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
ENTRYPOINT [ "mongosh" ]
3 changes: 2 additions & 1 deletion scripts/docker/ubuntu22.04-deb.Dockerfile
Expand Up @@ -7,7 +7,8 @@ RUN apt-get update
RUN yes | unminimize
RUN apt-get install -y man-db
RUN apt-get install -y /tmp/*mongosh*.deb
RUN /usr/bin/mongosh --version
RUN /usr/bin/mongosh --build-info
RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
RUN man mongosh | grep -q tlsAllowInvalidCertificates
ENV MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3=1
ENTRYPOINT [ "mongosh" ]
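Review bot: with `ENV MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3=1` here and in rocky8-epel-rpm.Dockerfile, no docker image in this PR exercises `--tlsFIPSMode` against an OpenSSL 3 build, so the FIPS provider path on the newest distributions is unverified; a tracking reference in the comment beside this `ENV` line would keep the skip from becoming permanent.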
7 changes: 6 additions & 1 deletion testing/certificates/README.md
Expand Up @@ -133,9 +133,14 @@ To recreate the certificates follow the steps outlined below.
openssl ca -create_serial -config ca.cnf -in client.csr -out client.pem -days 99999
```
This will also generate a `<FINGERPRINT>.pem` file which can be removed.
4. Create a bundle with client key and certificate to use for connecting:
4. Create an encrypted client key file from the existing unencrypted one:
```
openssl pkcs8 -topk8 -in client.key -v2 aes-256-cbc -out client.encrypted.key -passout pass:p4ssw0rd
Collaborator Author

We need to use the openssl pkcs8 command here, because it gives a different format than openssl rsa, and in particular the password derivation algorithm used by the latter isn’t FIPS-compatible (you can tell the difference by the different section names in the client.bundle.encrypted.pem file)

Collaborator

Would have never figured this one

```
5. Create bundles with client key and certificate to use for connecting:
```
cat client.pem client.key > client.bundle.pem
cat client.pem client.encrypted.key > client.bundle.encrypted.pem
```

## Create Client Certificate not from CA
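Review bot: the new step 4 (`openssl pkcs8 -topk8 -in client.key -v2 aes-256-cbc -out client.encrypted.key -passout pass:p4ssw0rd`) gives the command but not the reason it is `pkcs8` rather than `openssl rsa -aes256`, which is exactly the question the reviewer thread raised; add a sentence to the README that `pkcs8 -topk8 -v2` produces a PBES2/PBKDF2-wrapped `ENCRYPTED PRIVATE KEY`, whereas the legacy `RSA PRIVATE KEY` PEM encryption derives its key with an MD5-based scheme that a FIPS provider rejects. Pinning the PRF explicitly with `-v2prf hmacWithSHA256` would also make the result independent of the OpenSSL version's defaults when someone regenerates the fixtures.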