From f89e4c1bd59c64664e8c9aa218bcb856be325d34 Mon Sep 17 00:00:00 2001 From: Eric Adum Date: Thu, 28 Jan 2021 15:55:21 -0500 Subject: [PATCH] fix: dont parse tls/ssl file paths in uri (#2718) NODE-2977 --- .evergreen/config.yml | 154 +++++++++++++++++++------ .evergreen/config.yml.in | 2 +- .evergreen/generate_evergreen_tasks.js | 42 ++++--- .evergreen/run-tls-tests.sh | 9 +- lib/core/uri_parser.js | 9 +- test/manual/tls_support.test.js | 14 ++- 6 files changed, 177 insertions(+), 53 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 38afe9b80b..5099e90815 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -1,6 +1,6 @@ stepback: true command_type: system -exec_timeout_secs: 900 +exec_timeout_secs: 1200 timeout: - command: shell.exec params: @@ -1129,15 +1129,26 @@ tasks: commands: - func: install dependencies - func: run ldap tests - - name: test-tls-support + - name: test-tls-support-latest tags: - tls-support commands: - func: install dependencies - func: bootstrap mongo-orchestration vars: - SSL: ssl VERSION: latest + SSL: ssl + TOPOLOGY: server + - func: run tls tests + - name: test-tls-support-4.2 + tags: + - tls-support + commands: + - func: install dependencies + - func: bootstrap mongo-orchestration + vars: + VERSION: '4.2' + SSL: ssl TOPOLOGY: server - func: run tls tests - name: test-latest-ocsp-valid-cert-server-staples @@ -1437,7 +1448,8 @@ buildvariants: - test-auth-kerberos-legacy - test-auth-kerberos-unified - test-auth-ldap - - test-tls-support + - test-tls-support-latest + - test-tls-support-4.2 - test-latest-ocsp-valid-cert-server-staples - test-latest-ocsp-invalid-cert-server-staples - test-latest-ocsp-valid-cert-server-does-not-staple 
@@ -1481,37 +1493,111 @@ buildvariants: run_on: rhel70-small expansions: NODE_LTS_NAME: erbium - tasks: *ref_0 + tasks: &ref_1 + - test-latest-server + - test-latest-replica_set + - test-latest-sharded_cluster + - test-latest-server-unified + - test-latest-replica_set-unified + - test-latest-sharded_cluster-unified + - test-4.4-server + - test-4.4-replica_set + - test-4.4-sharded_cluster + - test-4.4-server-unified + - test-4.4-replica_set-unified + - test-4.4-sharded_cluster-unified + - test-4.2-server + - test-4.2-replica_set + - test-4.2-sharded_cluster + - test-4.2-server-unified + - test-4.2-replica_set-unified + - test-4.2-sharded_cluster-unified + - test-4.0-server + - test-4.0-replica_set + - test-4.0-sharded_cluster + - test-4.0-server-unified + - test-4.0-replica_set-unified + - test-4.0-sharded_cluster-unified + - test-3.6-server + - test-3.6-replica_set + - test-3.6-sharded_cluster + - test-3.6-server-unified + - test-3.6-replica_set-unified + - test-3.6-sharded_cluster-unified + - test-3.4-server + - test-3.4-replica_set + - test-3.4-sharded_cluster + - test-3.4-server-unified + - test-3.4-replica_set-unified + - test-3.4-sharded_cluster-unified + - test-3.2-server + - test-3.2-replica_set + - test-3.2-sharded_cluster + - test-3.2-server-unified + - test-3.2-replica_set-unified + - test-3.2-sharded_cluster-unified + - test-3.0-server + - test-3.0-replica_set + - test-3.0-sharded_cluster + - test-3.0-server-unified + - test-3.0-replica_set-unified + - test-3.0-sharded_cluster-unified + - test-2.6-server + - test-2.6-replica_set + - test-2.6-sharded_cluster + - test-2.6-server-unified + - test-2.6-replica_set-unified + - test-2.6-sharded_cluster-unified + - test-atlas-connectivity + - test-auth-kerberos-legacy + - test-auth-kerberos-unified + - test-auth-ldap + - test-tls-support-latest + - test-tls-support-4.2 + - test-latest-ocsp-valid-cert-server-staples + - test-latest-ocsp-invalid-cert-server-staples + - 
test-latest-ocsp-valid-cert-server-does-not-staple + - test-latest-ocsp-invalid-cert-server-does-not-staple + - test-latest-ocsp-soft-fail + - test-latest-ocsp-malicious-invalid-cert-mustStaple-server-does-not-staple + - test-latest-ocsp-malicious-no-responder-mustStaple-server-does-not-staple + - test-4.4-ocsp-valid-cert-server-staples + - test-4.4-ocsp-invalid-cert-server-staples + - test-4.4-ocsp-valid-cert-server-does-not-staple + - test-4.4-ocsp-invalid-cert-server-does-not-staple + - test-4.4-ocsp-soft-fail + - test-4.4-ocsp-malicious-invalid-cert-mustStaple-server-does-not-staple + - test-4.4-ocsp-malicious-no-responder-mustStaple-server-does-not-staple - name: rhel70-dubnium display_name: RHEL 7.0 Node Dubnium run_on: rhel70-small expansions: NODE_LTS_NAME: dubnium - tasks: *ref_0 + tasks: *ref_1 - name: rhel70-carbon display_name: RHEL 7.0 Node Carbon run_on: rhel70-small expansions: NODE_LTS_NAME: carbon - tasks: *ref_0 + tasks: *ref_1 - name: rhel70-boron display_name: RHEL 7.0 Node Boron run_on: rhel70-small expansions: NODE_LTS_NAME: boron - tasks: *ref_0 + tasks: *ref_1 - name: rhel70-argon display_name: RHEL 7.0 Node Argon run_on: rhel70-small expansions: NODE_LTS_NAME: argon - tasks: *ref_0 + tasks: *ref_1 - name: ubuntu-14.04-erbium display_name: Ubuntu 14.04 Node Erbium run_on: ubuntu1404-test expansions: NODE_LTS_NAME: erbium - tasks: &ref_1 + tasks: &ref_2 - test-4.0-server - test-4.0-replica_set - test-4.0-sharded_cluster 
@@ -1557,32 +1643,32 @@ buildvariants: run_on: ubuntu1404-test expansions: NODE_LTS_NAME: dubnium - tasks: *ref_1 + tasks: *ref_2 - name: ubuntu-14.04-carbon display_name: Ubuntu 14.04 Node Carbon run_on: ubuntu1404-test expansions: NODE_LTS_NAME: carbon - tasks: *ref_1 + tasks: *ref_2 - name: ubuntu-14.04-boron display_name: Ubuntu 14.04 Node Boron run_on: ubuntu1404-test expansions: NODE_LTS_NAME: boron - tasks: *ref_1 + tasks: *ref_2 - name: ubuntu-14.04-argon display_name: Ubuntu 14.04 Node Argon run_on: ubuntu1404-test expansions: NODE_LTS_NAME: argon - tasks: *ref_1 + tasks: *ref_2 - name: ubuntu-18.04-erbium display_name: Ubuntu 18.04 Node Erbium run_on: ubuntu1804-test expansions: NODE_LTS_NAME: erbium CLIENT_ENCRYPTION: true - tasks: &ref_2 + tasks: &ref_3 - test-latest-server - test-latest-replica_set - test-latest-sharded_cluster @@ -1629,7 +1715,8 @@ buildvariants: - test-auth-kerberos-legacy - test-auth-kerberos-unified - test-auth-ldap - - test-tls-support + - test-tls-support-latest + - test-tls-support-4.2 - test-latest-ocsp-valid-cert-server-staples - test-latest-ocsp-invalid-cert-server-staples - test-latest-ocsp-valid-cert-server-does-not-staple 
@@ -1650,35 +1737,35 @@ buildvariants: expansions: NODE_LTS_NAME: dubnium CLIENT_ENCRYPTION: true - tasks: *ref_2 + tasks: *ref_3 - name: ubuntu-18.04-carbon display_name: Ubuntu 18.04 Node Carbon run_on: ubuntu1804-test expansions: NODE_LTS_NAME: carbon CLIENT_ENCRYPTION: true - tasks: *ref_2 + tasks: *ref_3 - name: ubuntu-18.04-boron display_name: Ubuntu 18.04 Node Boron run_on: ubuntu1804-test expansions: NODE_LTS_NAME: boron CLIENT_ENCRYPTION: true - tasks: *ref_2 + tasks: *ref_3 - name: ubuntu-18.04-argon display_name: Ubuntu 18.04 Node Argon run_on: ubuntu1804-test expansions: NODE_LTS_NAME: argon CLIENT_ENCRYPTION: true - tasks: *ref_2 + tasks: *ref_3 - name: windows-64-vs2013-carbon display_name: Windows (VS2013) Node Carbon run_on: windows-64-vs2013-large expansions: NODE_LTS_NAME: carbon MSVS_VERSION: 2013 - tasks: &ref_3 + tasks: &ref_4 - test-4.2-server - test-4.2-replica_set - test-4.2-sharded_cluster 
@@ -1721,90 +1808,91 @@ buildvariants: - test-2.6-server-unified - test-2.6-replica_set-unified - test-2.6-sharded_cluster-unified + - test-tls-support-4.2 - name: windows-64-vs2013-boron display_name: Windows (VS2013) Node Boron run_on: windows-64-vs2013-large expansions: NODE_LTS_NAME: boron MSVS_VERSION: 2013 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2013-argon display_name: Windows (VS2013) Node Argon run_on: windows-64-vs2013-large expansions: NODE_LTS_NAME: argon MSVS_VERSION: 2013 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2015-erbium display_name: Windows (VS2015) Node Erbium run_on: windows-64-vs2015-large expansions: NODE_LTS_NAME: erbium MSVS_VERSION: 2015 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2015-dubnium display_name: Windows (VS2015) Node Dubnium run_on: windows-64-vs2015-large expansions: NODE_LTS_NAME: dubnium MSVS_VERSION: 2015 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2015-carbon display_name: Windows (VS2015) Node Carbon run_on: windows-64-vs2015-large expansions: NODE_LTS_NAME: carbon MSVS_VERSION: 2015 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2015-boron display_name: Windows (VS2015) Node Boron run_on: windows-64-vs2015-large expansions: NODE_LTS_NAME: boron MSVS_VERSION: 2015 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2015-argon display_name: Windows (VS2015) Node Argon run_on: windows-64-vs2015-large expansions: NODE_LTS_NAME: argon MSVS_VERSION: 2015 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2017-erbium display_name: Windows (VS2017) Node Erbium run_on: windows-64-vs2017-large expansions: NODE_LTS_NAME: erbium MSVS_VERSION: 2017 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2017-dubnium display_name: Windows (VS2017) Node Dubnium run_on: windows-64-vs2017-large expansions: NODE_LTS_NAME: dubnium MSVS_VERSION: 2017 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2017-carbon display_name: Windows (VS2017) Node Carbon run_on: windows-64-vs2017-large 
expansions: NODE_LTS_NAME: carbon MSVS_VERSION: 2017 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2017-boron display_name: Windows (VS2017) Node Boron run_on: windows-64-vs2017-large expansions: NODE_LTS_NAME: boron MSVS_VERSION: 2017 - tasks: *ref_3 + tasks: *ref_4 - name: windows-64-vs2017-argon display_name: Windows (VS2017) Node Argon run_on: windows-64-vs2017-large expansions: NODE_LTS_NAME: argon MSVS_VERSION: 2017 - tasks: *ref_3 + tasks: *ref_4 - name: lint display_name: lint run_on: rhel70 diff --git a/.evergreen/config.yml.in b/.evergreen/config.yml.in index 97685e1b6b..1c0bc712a2 100644 --- a/.evergreen/config.yml.in +++ b/.evergreen/config.yml.in @@ -11,7 +11,7 @@ command_type: system # Protect ourself against rogue test case, or curl gone wild, that runs forever # Good rule of thumb: the averageish length a task takes, times 5 # That roughly accounts for variable system performance for various buildvariants -exec_timeout_secs: 900 +exec_timeout_secs: 1200 # What to do when evergreen hits the timeout (`post:` tasks are run automatically) timeout: diff --git a/.evergreen/generate_evergreen_tasks.js b/.evergreen/generate_evergreen_tasks.js index 7f8ac42b35..1b52adcfe3 100644 --- a/.evergreen/generate_evergreen_tasks.js +++ b/.evergreen/generate_evergreen_tasks.js @@ -8,6 +8,7 @@ const LATEST_EFFECTIVE_VERSION = '5.0'; const MONGODB_VERSIONS = ['latest', '4.4', '4.2', '4.0', '3.6', '3.4', '3.2', '3.0', '2.6']; const AWS_AUTH_VERSIONS = ['latest', '4.4']; const OCSP_VERSIONS = ['latest', '4.4']; +const TLS_VERSIONS = ['latest', '4.2']; // also test on 4.2 because 4.4+ currently skipped on windows const NODE_VERSIONS = ['erbium', 'dubnium', 'carbon', 'boron', 'argon']; const TOPOLOGIES = ['server', 'replica_set', 'sharded_cluster'].concat([ 'server-unified', @@ -73,6 +74,11 @@ const OPERATING_SYSTEMS = [ ) ); +const WINDOWS_SKIP_TAGS = new Set([ + 'atlas-connect', + 'auth' +]); + const BASE_TASKS = []; const TASKS = []; const SINGLETON_TASKS = []; 
@@ -142,24 +148,27 @@ TASKS.push( name: 'test-auth-ldap', tags: ['auth', 'ldap'], commands: [{ func: 'install dependencies' }, { func: 'run ldap tests' }] - }, - { - name: 'test-tls-support', + } +); + +TLS_VERSIONS.forEach(VERSION => { + TASKS.push({ + name: `test-tls-support-${VERSION}`, tags: ['tls-support'], commands: [ { func: 'install dependencies' }, { func: 'bootstrap mongo-orchestration', vars: { + VERSION, SSL: 'ssl', - VERSION: 'latest', TOPOLOGY: 'server' } }, { func: 'run tls tests' } ] - } -); + }); +}); OCSP_VERSIONS.forEach(VERSION => { // manually added tasks @@ -282,7 +291,7 @@ OCSP_VERSIONS.forEach(VERSION => { ] } ]); -}) +}); const AWS_AUTH_TASKS = []; @@ -311,24 +320,28 @@ AWS_AUTH_VERSIONS.forEach(VERSION => { { func: 'run aws ECS auth test' } ] }); -}) - +}); const BUILD_VARIANTS = []; const getTaskList = (() => { const memo = {}; - return function(mongoVersion, onlyBaseTasks = false) { - const key = mongoVersion + (onlyBaseTasks ? 'b' : ''); + return function(mongoVersion, os) { + const key = mongoVersion + os; if (memo[key]) { return memo[key]; } - const taskList = onlyBaseTasks ? BASE_TASKS : BASE_TASKS.concat(TASKS); + const taskList = BASE_TASKS.concat(TASKS); const ret = taskList.filter(task => { - const tasksWithVars = task.commands.filter(task => !!task.vars); if (task.name.match(/^aws/)) return false; + // skip unsupported tasks on windows + if (os.match(/^windows/) && task.tags.filter(tag => WINDOWS_SKIP_TAGS.has(tag)).length) { + return false; + } + + const tasksWithVars = task.commands.filter(task => !!task.vars); if (!tasksWithVars.length) { return true; } 
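Review bot: The Windows skip check added to getTaskList calls `task.tags.filter(...)` on every entry of `BASE_TASKS.concat(TASKS)`, so a task object defined without `tags` would throw as soon as a Windows variant is generated. Whether every BASE_TASKS entry carries tags is not visible in this hunk. `some` states the intent directly and tolerates a missing list: `if (os.match(/^windows/) && (task.tags || []).some(tag => WINDOWS_SKIP_TAGS.has(tag))) {`. The memo key is now the bare concatenation `mongoVersion + os`; a separator, `const key = mongoVersion + '|' + os;`, keeps two different pairs from sharing a cache entry. getTaskList's body continues past the end of the hunk.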
@@ -362,7 +375,7 @@ OPERATING_SYSTEMS.forEach( msvsVersion }) => { const testedNodeVersions = NODE_VERSIONS.filter(version => nodeVersions.includes(version)); - const tasks = getTaskList(mongoVersion, !!msvsVersion); + const tasks = getTaskList(mongoVersion, osName.split('-')[0]); testedNodeVersions.forEach(NODE_LTS_NAME => { const nodeLtsDisplayName = `Node ${NODE_LTS_NAME[0].toUpperCase()}${NODE_LTS_NAME.substr(1)}`; @@ -405,7 +418,6 @@ BUILD_VARIANTS.push({ }); // special case for MONGODB-AWS authentication - BUILD_VARIANTS.push({ name: 'ubuntu1804-test-mongodb-aws', display_name: 'MONGODB-AWS Auth test', diff --git a/.evergreen/run-tls-tests.sh b/.evergreen/run-tls-tests.sh index c7c5ed6480..50dc666894 100644 --- a/.evergreen/run-tls-tests.sh +++ b/.evergreen/run-tls-tests.sh @@ -5,7 +5,14 @@ set -o errexit # Exit the script with error if any of the commands fail export PROJECT_DIRECTORY="$(pwd)" NODE_ARTIFACTS_PATH="${PROJECT_DIRECTORY}/node-artifacts" export NVM_DIR="${NODE_ARTIFACTS_PATH}/nvm" -[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" +if [[ "$OS" == "Windows_NT" ]]; then + export NVM_HOME=`cygpath -m -a "$NVM_DIR"` + export NVM_SYMLINK=`cygpath -m -a "$NODE_ARTIFACTS_PATH/bin"` + export NVM_ARTIFACTS_PATH=`cygpath -m -a "$NODE_ARTIFACTS_PATH/bin"` + export PATH=`cygpath $NVM_SYMLINK`:`cygpath $NVM_HOME`:$PATH +else + [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" +fi export SSL_KEY_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/client.pem" export SSL_CA_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem" diff --git a/lib/core/uri_parser.js b/lib/core/uri_parser.js index fca8032c17..6918508629 100644 --- a/lib/core/uri_parser.js +++ b/lib/core/uri_parser.js 
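Review bot: In the Windows_NT branch of run-tls-tests.sh, each `export` line that takes its value from a cygpath command substitution hides a cygpath failure, because the line's exit status is that of `export`. The `errexit` setting named in the hunk header therefore never fires, and the run continues with an empty NVM_HOME or PATH entry. Assigning first and exporting afterwards keeps the failure visible: `NVM_HOME=$(cygpath -m -a "$NVM_DIR")` followed by `export NVM_HOME`. On the PATH line the inner expansions are unquoted, which splits on spaces in the checkout path; `export PATH="$(cygpath "$NVM_SYMLINK"):$(cygpath "$NVM_HOME"):$PATH"` avoids that. NVM_SYMLINK and NVM_ARTIFACTS_PATH receive the same value, which deserves a one-line comment if intended.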
@@ -11,6 +11,11 @@ const ReadPreference = require('./topologies/read_preference');
 */
 const HOSTS_RX = /(mongodb(?:\+srv|)):\/\/(?: (?:[^:]*) (?: : ([^@]*) )? @ )?([^/?]*)(?:\/|)(.*)/;
+// Options that reference file paths should not be parsed
+const FILE_PATH_OPTIONS = new Set(
+ ['sslCA', 'sslCert', 'sslKey', 'tlsCAFile', 'tlsCertificateKeyFile'].map(key => key.toLowerCase())
+);
+
 /**
 * Determines whether a provided address matches the provided parent domain in order
 * to avoid certain attack vectors.
@@ -424,7 +429,9 @@ function parseQueryString(query, options) {
 }
 const normalizedKey = key.toLowerCase();
- const parsedValue = parseQueryStringItemValue(normalizedKey, value);
+ const parsedValue = FILE_PATH_OPTIONS.has(normalizedKey)
+ ? value
+ : parseQueryStringItemValue(normalizedKey, value);
 applyConnectionStringOption(result, normalizedKey, parsedValue, options);
 }
diff --git a/test/manual/tls_support.test.js b/test/manual/tls_support.test.js
index c8635d8a85..b492af32c7 100644
--- a/test/manual/tls_support.test.js
+++ b/test/manual/tls_support.test.js
@@ -13,10 +13,20 @@ describe('TLS Support', function() {
 const connectionString = process.env.MONGODB_URI;
 const tlsCertificateKeyFile = process.env.SSL_KEY_FILE;
 const tlsCAFile = process.env.SSL_CA_FILE;
+ const tlsSettings = { tls: true, tlsCertificateKeyFile, tlsCAFile };
 it(
- 'should connect with tls',
- makeConnectionTest(connectionString, { tls: true, tlsCertificateKeyFile, tlsCAFile })
+ 'should connect with tls via client options',
+ makeConnectionTest(connectionString, tlsSettings)
+ );
+
+ it(
+ 'should connect with tls via url options',
+ makeConnectionTest(
+ `${connectionString}?${Object.keys(tlsSettings)
+ .map(key => `${key}=${tlsSettings[key]}`)
+ .join('&')}`
+ )
 );
 });
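Review bot: The bypass in parseQueryString (`FILE_PATH_OPTIONS.has(normalizedKey) ? value : ...`) passes `value` to applyConnectionStringOption with no type check, so the file-path options now accept whatever shape the query parser produced. The code that builds `value` is outside the hunk. If a repeated key such as `tlsCAFile=a&tlsCAFile=b` can reach this point as an array, the option naming the CA or client key file would no longer be a single string, so the parse should fail for these keys when `typeof value !== 'string'`. The comment on FILE_PATH_OPTIONS in the first uri_parser.js hunk would help more if it said which characters in a path the value parser misreads, and whether opaque values such as `tlsCertificateKeyFilePassword` need the same treatment. parseQueryString starts and ends outside the hunk.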
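Review bot: The URL-options test in tls_support.test.js appends `?` and the raw option values to `connectionString`, so it builds a URI with two `?` whenever MONGODB_URI already carries a query string, and the paths from SSL_KEY_FILE and SSL_CA_FILE go in unencoded. Picking the separator from the existing string, `const sep = connectionString.indexOf('?') === -1 ? '?' : '&';`, covers the first case. Since the fix concerns how path values are parsed, a unit-level assertion that a fixed path containing `:` and `,` comes back from the parser unchanged would test it without depending on the CI environment's paths. The describe block opens above the hunk.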