Merge pull request #622 from estolfo/RUBY-886-ssl-verify

RUBY-886 verify server certificates by default when ssl is true

Author: estolfo

lib/mongo/socket/ssl.rb

@@ -100,22 +100,34 @@ def readbyte
 
       def create_context(options)
         context = OpenSSL::SSL::SSLContext.new
-        if options[:ssl_cert]
-          context.cert = OpenSSL::X509::Certificate.new(File.open(options[:ssl_cert]))
-        end
-        if options[:ssl_key]
-          if options[:ssl_key_pass_phrase]
-            context.key = OpenSSL::PKey::RSA.new(File.open(options[:ssl_key]),
-                                                           options[:ssl_key_pass_phrase])
-          else
-            context.key = OpenSSL::PKey::RSA.new(File.open(options[:ssl_key]))
-          end
+        set_cert(context, options) if options[:ssl_cert]
+        set_key(context, options) if options[:ssl_key]
+        set_cert_verification(context, options) unless options[:ssl_verify] == false
+        context
+      end
+
+      def set_cert(context, options)
+        context.cert = OpenSSL::X509::Certificate.new(File.open(options[:ssl_cert]))
+      end
+
+      def set_key(context, options)
+        if options[:ssl_key_pass_phrase]
+          context.key = OpenSSL::PKey::RSA.new(File.open(options[:ssl_key]),
+                                               options[:ssl_key_pass_phrase])
+        else
+          context.key = OpenSSL::PKey::RSA.new(File.open(options[:ssl_key]))
         end
-        if options[:ssl_verify] || options[:ssl_ca_cert]
-          context.ca_file = options[:ssl_ca_cert]
-          context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
+
+      def set_cert_verification(context, options)
+        context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        cert_store = OpenSSL::X509::Store.new
+        if options[:ssl_ca_cert]
+          cert_store.add_file(options[:ssl_ca_cert])
+        else
+          cert_store.set_default_paths
         end
-        context
+        context.cert_store = cert_store
       end
 
       def verify_certificate!(socket)

spec/mongo/server/connection_pool_spec.rb

@@ -2,6 +2,10 @@
 
 describe Mongo::Server::ConnectionPool do
 
+  let(:options) do
+    TEST_OPTIONS.merge(max_pool_size: 2)
+  end
+
   let(:address) do
     Mongo::Address.new('127.0.0.1:27017')
   end
@@ -17,7 +21,7 @@
   describe '#checkin' do
 
     let(:server) do
-      Mongo::Server.new(address, double('cluster'), monitoring, listeners, ssl: SSL)
+      Mongo::Server.new(address, double('cluster'), monitoring, listeners, options)
     end
 
     let!(:pool) do
@@ -47,7 +51,7 @@
   describe '#checkout' do
 
     let(:server) do
-      Mongo::Server.new(address, double('cluster'), monitoring, listeners, ssl: SSL)
+      Mongo::Server.new(address, double('cluster'), monitoring, listeners, options)
     end
 
     let!(:pool) do
@@ -95,7 +99,7 @@
   describe '.get' do
 
     let(:server) do
-      Mongo::Server.new(address, double('cluster'), monitoring, listeners, ssl: SSL)
+      Mongo::Server.new(address, double('cluster'), monitoring, listeners, options)
     end
 
     let!(:pool) do
@@ -110,7 +114,7 @@
   describe '#inspect' do
 
     let(:server) do
-      Mongo::Server.new(address, double('cluster'), monitoring, listeners, ssl: SSL)
+      Mongo::Server.new(address, double('cluster'), monitoring, listeners, options)
     end
 
     let!(:pool) do
@@ -129,7 +133,7 @@
   describe '#with_connection' do
 
     let(:server) do
-      Mongo::Server.new(address, double('cluster'), monitoring, listeners, ssl: SSL)
+      Mongo::Server.new(address, double('cluster'), monitoring, listeners, options)
     end
 
     let!(:pool) do

spec/mongo/server/connection_spec.rb

@@ -15,7 +15,7 @@
   end
 
   let(:server) do
-    Mongo::Server.new(address, double('cluster'), monitoring, listeners, ssl: SSL)
+    Mongo::Server.new(address, double('cluster'), monitoring, listeners, TEST_OPTIONS)
   end
 
   describe '#connect!' do

spec/mongo/socket/ssl_spec.rb

@@ -12,9 +12,10 @@
 
       let(:options) do
         {
-          :ssl => true,
-          :ssl_cert => CLIENT_PEM,
-          :ssl_key => CLIENT_PEM
+            :ssl => true,
+            :ssl_cert => CLIENT_PEM,
+            :ssl_key => CLIENT_PEM,
+            :ssl_verify => false
         }
       end
 
@@ -31,9 +32,10 @@
 
       let(:options) do
         {
-          :ssl => true,
-          :ssl_cert => CLIENT_PEM,
-          :ssl_key => CRL_PEM
+            :ssl => true,
+            :ssl_cert => CLIENT_PEM,
+            :ssl_key => CRL_PEM,
+            :ssl_verify => false
         }
       end
 
@@ -51,7 +53,8 @@
             :ssl => true,
             :ssl_cert => CLIENT_PEM,
             :ssl_key => CLIENT_PEM,
-            :ssl_ca_cert => CA_PEM
+            :ssl_ca_cert => CA_PEM,
+            :ssl_verify => true
         }
       end
 
@@ -63,5 +66,88 @@
         expect(socket).to be_alive
       end
     end
+
+    context 'when a CA certificate is not provided', if: running_ssl? && testing_locally? do
+
+      let(:options) do
+        {
+            :ssl => true,
+            :ssl_cert => CLIENT_PEM,
+            :ssl_key => CLIENT_PEM,
+            :ssl_verify => true
+        }
+      end
+
+      before do
+        ENV['SSL_CERT_FILE']= CA_PEM
+        socket.connect!
+      end
+
+      it 'uses the default cert store' do
+        expect(socket).to be_alive
+      end
+    end
+
+    context 'when ssl_verify is not specified' do
+
+      let(:options) do
+        {
+            :ssl => true,
+            :ssl_cert => CLIENT_PEM,
+            :ssl_key => CLIENT_PEM,
+            :ssl_ca_cert => CA_PEM
+        }
+      end
+
+      before do
+        socket.connect!
+      end
+
+      it 'verifies the server certificate' do
+        expect(socket).to be_alive
+      end
+    end
+
+    context 'when ssl_verify is true' do
+
+      let(:options) do
+        {
+            :ssl => true,
+            :ssl_cert => CLIENT_PEM,
+            :ssl_key => CLIENT_PEM,
+            :ssl_ca_cert => CA_PEM,
+            :ssl_verify => true
+        }
+      end
+
+      before do
+        socket.connect!
+      end
+
+      it 'verifies the server certificate' do
+        expect(socket).to be_alive
+      end
+    end
+
+    context 'when ssl_verify is false' do
+
+      let(:options) do
+        {
+            :ssl => true,
+            :ssl_cert => CLIENT_PEM,
+            :ssl_key => CLIENT_PEM,
+            :ssl_ca_cert => 'invalid',
+            :ssl_verify => false
+        }
+      end
+
+      before do
+        socket.connect!
+      end
+
+      it 'does not verify the server certificate' do
+        expect(socket).to be_alive
+      end
+    end
   end
 end

spec/spec_helper.rb

@@ -17,6 +17,20 @@
   end
 end
 
+TEST_SET = 'ruby-driver-rs'
+COVERAGE_MIN = 90
+CURRENT_PATH = File.expand_path(File.dirname(__FILE__))
+SERVER_DISCOVERY_TESTS = Dir.glob("#{CURRENT_PATH}/support/sdam/**/*.yml")
+SERVER_SELECTION_RTT_TESTS = Dir.glob("#{CURRENT_PATH}/support/server_selection/rtt/*.yml")
+SERVER_SELECTION_TESTS = Dir.glob("#{CURRENT_PATH}/support/server_selection/selection/**/*.yml")
+CRUD_TESTS = Dir.glob("#{CURRENT_PATH}/support/crud_tests/**/*.yml")
+
+SSL_CERTS_DIR = "#{CURRENT_PATH}/support/certificates"
+CLIENT_PEM = "#{SSL_CERTS_DIR}/client.pem"
+CLIENT_PASSWORD_PEM = "#{SSL_CERTS_DIR}/password_protected.pem"
+CA_PEM = "#{SSL_CERTS_DIR}/ca.pem"
+CRL_PEM = "#{SSL_CERTS_DIR}/crl.pem"
+
 require 'mongo'
 
 require 'support/travis'
@@ -61,20 +75,6 @@
   end
 end
 
-TEST_SET = 'ruby-driver-rs'
-COVERAGE_MIN = 90
-CURRENT_PATH = File.expand_path(File.dirname(__FILE__))
-SERVER_DISCOVERY_TESTS = Dir.glob("#{CURRENT_PATH}/support/sdam/**/*.yml")
-SERVER_SELECTION_RTT_TESTS = Dir.glob("#{CURRENT_PATH}/support/server_selection/rtt/*.yml")
-SERVER_SELECTION_TESTS = Dir.glob("#{CURRENT_PATH}/support/server_selection/selection/**/*.yml")
-CRUD_TESTS = Dir.glob("#{CURRENT_PATH}/support/crud_tests/**/*.yml")
-
-SSL_CERTS_DIR = "#{CURRENT_PATH}/support/certificates"
-CLIENT_PEM = "#{SSL_CERTS_DIR}/client.pem"
-CLIENT_PASSWORD_PEM = "#{SSL_CERTS_DIR}/password_protected.pem"
-CA_PEM = "#{SSL_CERTS_DIR}/ca.pem"
-CRL_PEM = "#{SSL_CERTS_DIR}/crl.pem"
-
 # Determine whether the test clients are connecting to a standalone.
 #
 # @since 2.0.0
@@ -149,10 +149,16 @@ def list_command_enabled?
   $list_command_enabled ||= $mongo_client.cluster.servers.first.features.list_indexes_enabled?
 end
 
+# Is the test suite running locally (not on Travis or Jenkins).
+#
+# @since 2.1.0
 def testing_locally?
   !(ENV['CI'] || ENV['JENKINS_HOME'])
 end
 
+# Is the test suite running on SSL.
+#
+# @since 2.0.2
 def running_ssl?
   SSL
 end

spec/support/authorization.rb

@@ -50,12 +50,28 @@
 # @since 2.0.3
 SSL = ENV['SSL_ENABLED'] == 'true'
 
+# SSL options.
+#
+# @since 2.1.0
+SSL_OPTIONS = {
+                  ssl: SSL,
+                  ssl_verify: false,
+                  ssl_cert:  CLIENT_PEM,
+                  ssl_key:  CLIENT_PEM
+                }
+
+# Base test options.
+#
+# @since 2.1.0
+BASE_OPTIONS = {
+                  max_pool_size: 1,
+                  write: WRITE_CONCERN
+               }
+
 # Options for test suite clients.
 #
 # @since 2.0.3
-TEST_OPTIONS = CONNECT.merge(max_pool_size: 1,
-                             write: WRITE_CONCERN,
-                             ssl: SSL)
+TEST_OPTIONS = BASE_OPTIONS.merge(CONNECT).merge(SSL_OPTIONS)
 
 # The root user name.
 #

spec/support/certificates/client.pem

@@ -32,13 +32,13 @@ Certificate:
                     6e:a7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Basic Constraints: 
+            X509v3 Basic Constraints:
                 CA:FALSE
-            Netscape Comment: 
+            Netscape Comment:
                 OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 4A:8B:EE:22:42:E6:F8:62:4C:86:38:8D:C5:78:95:98:C1:10:05:7C
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 keyid:07:41:19:3A:9F:7E:C5:B7:22:4E:B7:BC:D5:DF:E4:FC:09:B8:64:16
 
     Signature Algorithm: sha1WithRSAEncryption