CDRIVER-4222 add _mongoc_ssl_opts_from_bson (#886)

kevinAlbs · web-flow · commit a6184236b208 · 2021-11-08T16:16:28.000-05:00
diff --git a/src/libmongoc/CMakeLists.txt b/src/libmongoc/CMakeLists.txt
@@ -993,6 +993,7 @@ set (test-libmongoc-sources
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-shared.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-socket.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-speculative-auth.c
+   ${PROJECT_SOURCE_DIR}/tests/test-mongoc-ssl.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-stream.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-streamable-hello.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-thread.c
diff --git a/src/libmongoc/src/mongoc/mongoc-ssl-private.h b/src/libmongoc/src/mongoc/mongoc-ssl-private.h
@@ -52,6 +52,17 @@ _mongoc_ssl_opts_disable_ocsp_endpoint_check (const mongoc_ssl_opt_t *ssl_opt);
 void
 _mongoc_ssl_opts_cleanup (mongoc_ssl_opt_t *opt, bool free_internal);
 
+/* _mongoc_ssl_opts_from_bson is an internal helper for constructing an ssl_opt
+ * from a BSON document. It is used to parse TLS options for the KMIP KMS
+ * provider in CSFLE.
+ * - ssl_opt must be a zero'd out ssl_opt struct.
+ * - errmsg must be an initialized bson_string_t.
+ * - Returns false on error and appends to errmsg. */
+bool
+_mongoc_ssl_opts_from_bson (mongoc_ssl_opt_t *ssl_opt,
+                            const bson_t *bson,
+                            bson_string_t *errmsg);
+
 BSON_END_DECLS
 
 
diff --git a/src/libmongoc/src/mongoc/mongoc-ssl.c b/src/libmongoc/src/mongoc/mongoc-ssl.c
@@ -23,6 +23,7 @@
 #include "mongoc-ssl-private.h"
 #include "mongoc-log.h"
 #include "mongoc-uri.h"
+#include "mongoc-util-private.h"
 
 #if defined(MONGOC_ENABLE_SSL_OPENSSL)
 #include "mongoc-openssl-private.h"
@@ -178,5 +179,89 @@ _mongoc_ssl_opts_disable_ocsp_endpoint_check (const mongoc_ssl_opt_t *ssl_opt)
       ->tls_disable_ocsp_endpoint_check;
 }
 
+bool
+_mongoc_ssl_opts_from_bson (mongoc_ssl_opt_t *ssl_opt,
+                            const bson_t *bson,
+                            bson_string_t *errmsg)
+{
+   bson_iter_t iter;
+
+   if (ssl_opt->internal) {
+      bson_string_append (errmsg,
+                          "SSL options must not have internal state set");
+      return false;
+   }
+
+   ssl_opt->internal = bson_malloc0 (sizeof (_mongoc_internal_tls_opts_t));
+
+   if (!bson_iter_init (&iter, bson)) {
+      bson_string_append (errmsg,
+                          "error initializing iterator to BSON SSL options");
+      return false;
+   }
+
+   while (bson_iter_next (&iter)) {
+      const char *key = bson_iter_key (&iter);
+
+      if (BSON_ITER_HOLDS_UTF8 (&iter)) {
+         if (0 == bson_strcasecmp (key, MONGOC_URI_TLSCERTIFICATEKEYFILE)) {
+            ssl_opt->pem_file = bson_strdup (bson_iter_utf8 (&iter, NULL));
+            continue;
+         } else if (0 == bson_strcasecmp (
+                            key, MONGOC_URI_TLSCERTIFICATEKEYFILEPASSWORD)) {
+            ssl_opt->pem_pwd = bson_strdup (bson_iter_utf8 (&iter, NULL));
+            continue;
+         } else if (0 == bson_strcasecmp (key, MONGOC_URI_TLSCAFILE)) {
+            ssl_opt->ca_file = bson_strdup (bson_iter_utf8 (&iter, NULL));
+            continue;
+         }         
+      }
+      
+      if (BSON_ITER_HOLDS_BOOL (&iter)) {
+         if (0 ==
+             bson_strcasecmp (key, MONGOC_URI_TLSALLOWINVALIDCERTIFICATES)) {
+            /* If MONGOC_URI_TLSINSECURE was parsed, weak_cert_validation must
+             * remain true. */
+            ssl_opt->weak_cert_validation =
+               ssl_opt->weak_cert_validation || bson_iter_bool (&iter);
+            continue;
+         } else if (0 == bson_strcasecmp (
+                            key, MONGOC_URI_TLSALLOWINVALIDHOSTNAMES)) {
+            /* If MONGOC_URI_TLSINSECURE was parsed, allow_invalid_hostname must
+             * remain true. */
+            ssl_opt->allow_invalid_hostname =
+               ssl_opt->allow_invalid_hostname || bson_iter_bool (&iter);
+            continue;
+         } else if (0 == bson_strcasecmp (key, MONGOC_URI_TLSINSECURE)) {
+            if (bson_iter_bool (&iter)) {
+               ssl_opt->weak_cert_validation = true;
+               ssl_opt->allow_invalid_hostname = true;
+            }
+            continue;
+         } else if (0 ==
+                    bson_strcasecmp (
+                       key, MONGOC_URI_TLSDISABLECERTIFICATEREVOCATIONCHECK)) {
+            ((_mongoc_internal_tls_opts_t *) ssl_opt->internal)
+               ->tls_disable_certificate_revocation_check =
+               bson_iter_bool (&iter);
+            continue;
+         } else if (0 == bson_strcasecmp (
+                            key, MONGOC_URI_TLSDISABLEOCSPENDPOINTCHECK)) {
+            ((_mongoc_internal_tls_opts_t *) ssl_opt->internal)
+               ->tls_disable_ocsp_endpoint_check = bson_iter_bool (&iter);
+            continue;
+         }
+      }
+      
+      bson_string_append_printf (
+         errmsg,
+         "unexpected %s option: %s",
+         _mongoc_bson_type_to_str (bson_iter_type (&iter)),
+         key);
+      return false;
+   }
+
+   return true;
+}
 
 #endif
diff --git a/src/libmongoc/tests/test-libmongoc.c b/src/libmongoc/tests/test-libmongoc.c
@@ -282,6 +282,8 @@ extern void
 test_generation_map_install (TestSuite *suite);
 extern void
 test_shared_install (TestSuite *suite);
+extern void
+test_ssl_install (TestSuite *suite);
 
 typedef struct {
    mongoc_log_level_t level;
@@ -2960,6 +2962,7 @@ main (int argc, char *argv[])
    test_server_stream_install (&suite);
    test_generation_map_install (&suite);
    test_shared_install (&suite);
+   test_ssl_install (&suite);
 
    if (test_framework_is_loadbalanced ()) {
       mongoc_global_mock_service_id = true;
diff --git a/src/libmongoc/tests/test-mongoc-ssl.c b/src/libmongoc/tests/test-mongoc-ssl.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright 2021-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "TestSuite.h"
+#include "mongoc-config.h"
+#include "test-conveniences.h"
+
+#ifdef MONGOC_ENABLE_SSL
+#include "mongoc-ssl-private.h"
+
+typedef struct {
+   const char *description;
+   const char *bson;
+   const char *expect_error;
+   const char *expect_pem_file;
+   const char *expect_pem_pwd;
+   const char *expect_ca_file;
+   bool expect_weak_cert_validation;
+   bool expect_allow_invalid_hostname;
+   bool expect_disable_ocsp_endpoint_check;
+   bool expect_disable_certificate_revocation_check;
+} testcase_t;
+
+/*
+The following are the only valid options for _mongoc_ssl_opts_from_bson:
+
+MONGOC_URI_TLSCERTIFICATEKEYFILE "tlscertificatekeyfile"
+MONGOC_URI_TLSCERTIFICATEKEYFILEPASSWORD "tlscertificatekeyfilepassword"
+MONGOC_URI_TLSCAFILE "tlscafile"
+MONGOC_URI_TLSALLOWINVALIDCERTIFICATES "tlsallowinvalidcertificates"
+MONGOC_URI_TLSALLOWINVALIDHOSTNAMES "tlsallowinvalidhostnames"
+MONGOC_URI_TLSINSECURE "tlsinsecure"
+MONGOC_URI_TLSDISABLECERTIFICATEREVOCATIONCHECK
+"tlsdisablecertificaterevocationcheck"
+MONGOC_URI_TLSDISABLEOCSPENDPOINTCHECK "tlsdisableocspendpointcheck"
+*/
+
+static void
+test_mongoc_ssl_opts_from_bson (void)
+{
+   testcase_t tests[] = {
+      {
+         "test all options set",
+         "{'tlsCertificateKeyFile': 'test_pem_file', "
+         "'tlsCertificateKeyFilePassword': 'test_pem_pwd', 'tlsCAFile': "
+         "'test_ca_file', 'tlsAllowInvalidCertificates': true, "
+         "'tlsAllowInvalidHostnames': true, 'tlsInsecure': true, "
+         "'tlsDisableCertificateRevocationCheck': true, "
+         "'tlsDisableOCSPEndpointCheck': true }",
+         NULL /* expect_error */,
+         "test_pem_file" /* pem_file */,
+         "test_pem_pwd" /* pem_pwd */,
+         "test_ca_file" /* ca_file */,
+         true /* weak_cert_validation */,
+         true /* allow_invalid_hostname */,
+         true /* disable_ocsp_endpoint_check */,
+         true /* disable_certificate_revocation_check */
+      },
+      {
+         "test options are case insentive",
+         "{'tlscertificatekeyfile': 'test_pem_file', "
+         "'tlscertificatekeyfilepassword': 'test_pem_pwd', 'tlscafile': "
+         "'test_ca_file', 'tlsallowinvalidcertificates': true, "
+         "'tlsallowinvalidhostnames': true, 'tlsinsecure': true, "
+         "'tlsdisablecertificaterevocationcheck': true, "
+         "'tlsdisableocspendpointcheck': true }",
+         NULL /* expect_error */,
+         "test_pem_file" /* pem_file */,
+         "test_pem_pwd" /* pem_pwd */,
+         "test_ca_file" /* ca_file */,
+         true /* weak_cert_validation */,
+         true /* allow_invalid_hostname */,
+         true /* disable_ocsp_endpoint_check */,
+         true /* disable_certificate_revocation_check */
+      },
+      {
+         "test no options set",
+         "{}",
+         NULL /* expect_error */,
+         NULL /* pem_file */,
+         NULL /* pem_pwd */,
+         NULL /* ca_file */,
+         false /* weak_cert_validation */,
+         false /* allow_invalid_hostname */,
+         false /* disable_ocsp_endpoint_check */,
+         false /* disable_certificate_revocation_check */
+      },
+      {
+         "test tlsInsecure overrides tlsAllowInvalidHostnames and "
+         "tlsAllowInvalidCertificates set",
+         "{'tlsInsecure': true, 'tlsAllowInvalidHostnames': false, "
+         "'tlsAllowInvalidCertificates': false}",
+         NULL /* expect_error */,
+         NULL /* pem_file */,
+         NULL /* pem_pwd */,
+         NULL /* ca_file */,
+         true /* weak_cert_validation */,
+         true /* allow_invalid_hostname */,
+         false /* disable_ocsp_endpoint_check */,
+         false /* disable_certificate_revocation_check */
+      },
+      {
+         "test unrecognized option",
+         "{'foo': true }",
+         "unexpected BOOL option: foo" /* expect_error */,
+         NULL /* pem_file */,
+         NULL /* pem_pwd */,
+         NULL /* ca_file */,
+         false /* weak_cert_validation */,
+         false /* allow_invalid_hostname */,
+         false /* disable_ocsp_endpoint_check */,
+         false /* disable_certificate_revocation_check */
+      },
+      {
+         "test wrong value type",
+         "{'tlsCaFile': true }",
+         "unexpected BOOL option: tlsCaFile" /* expect_error */,
+         NULL /* pem_file */,
+         NULL /* pem_pwd */,
+         NULL /* ca_file */,
+         false /* weak_cert_validation */,
+         false /* allow_invalid_hostname */,
+         false /* disable_ocsp_endpoint_check */,
+         false /* disable_certificate_revocation_check */
+      },
+      {0}};
+   testcase_t *test;
+
+   for (test = tests; test->bson != NULL; test++) {
+      mongoc_ssl_opt_t ssl_opt = {0};
+      bson_string_t *errmsg = bson_string_new (NULL);
+      bool ok =
+         _mongoc_ssl_opts_from_bson (&ssl_opt, tmp_bson (test->bson), errmsg);
+
+      MONGOC_DEBUG ("testcase: %s", test->bson);
+      if (test->expect_error) {
+         ASSERT_CONTAINS (errmsg->str, test->expect_error);
+         ASSERT (!ok);
+      } else {
+         if (!ok) {
+            test_error ("unexpected error parsing: %s", errmsg->str);
+         }
+      }
+
+      if (!test->expect_pem_file) {
+         ASSERT (!ssl_opt.pem_file);
+      } else {
+         ASSERT (ssl_opt.pem_file);
+         ASSERT_CMPSTR (test->expect_pem_file, ssl_opt.pem_file);
+      }
+
+      if (!test->expect_pem_pwd) {
+         ASSERT (!ssl_opt.pem_pwd);
+      } else {
+         ASSERT (ssl_opt.pem_pwd);
+         ASSERT_CMPSTR (test->expect_pem_pwd, ssl_opt.pem_pwd);
+      }
+
+      if (!test->expect_ca_file) {
+         ASSERT (!ssl_opt.ca_file);
+      } else {
+         ASSERT (ssl_opt.ca_file);
+         ASSERT_CMPSTR (test->expect_ca_file, ssl_opt.ca_file);
+      }
+
+      ASSERT (test->expect_weak_cert_validation ==
+              ssl_opt.weak_cert_validation);
+      ASSERT (test->expect_allow_invalid_hostname ==
+              ssl_opt.allow_invalid_hostname);
+      ASSERT (test->expect_disable_ocsp_endpoint_check ==
+              _mongoc_ssl_opts_disable_ocsp_endpoint_check (&ssl_opt));
+      ASSERT (test->expect_disable_certificate_revocation_check ==
+              _mongoc_ssl_opts_disable_certificate_revocation_check (&ssl_opt));
+
+      /* It is not possible to set ca_dir or crl_file. */
+      ASSERT (!ssl_opt.ca_dir);
+      ASSERT (!ssl_opt.crl_file);
+
+      _mongoc_ssl_opts_cleanup (&ssl_opt, true /* free_internal */);
+      bson_string_free (errmsg, true /* free_segment */);
+   }
+}
+
+#endif /* MONGOC_ENABLE_SSL */
+
+void
+test_ssl_install (TestSuite *suite)
+{
+#ifdef MONGOC_ENABLE_SSL
+   TestSuite_Add (suite, "/ssl_opt/from_bson", test_mongoc_ssl_opts_from_bson);
+#endif /* MONGOC_ENABLE_SSL */
+}
