Add X509 authentication tests. (#1771)

JAVA-5866

Author: vbabanin

.evergreen/.evg.yml

@@ -232,6 +232,17 @@ functions:
           cd $DRIVERS_TOOLS/.evergreen/auth_aws
           ./setup_secrets.sh drivers/aws_auth
 
+  "add-atlas-connect-variables-to-file":
+    - command: shell.exec
+      type: "test"
+      params:
+        include_expansions_in_env: [ "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN" ]
+        shell: "bash"
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          ${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect
+
   "start-csfle-servers":
     - command: ec2.assume_role
       params:
@@ -512,6 +523,16 @@ functions:
           # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
           JAVA_VERSION="8" MONGODB_URI="${plain_auth_mongodb_uri}" .evergreen/run-plain-auth-test.sh
 
+  "run-x509-auth-test":
+    - command: shell.exec
+      type: "test"
+      params:
+        silent: true
+        working_dir: "src"
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          JAVA_VERSION="8" .evergreen/run-x509-auth-tests.sh
+
   "run-aws-auth-test-with-regular-aws-credentials":
     - command: shell.exec
       type: "test"
@@ -978,6 +999,13 @@ tasks:
     commands:
       - func: "run-plain-auth-test"
 
+    # Test that x509 auth using server with OpenSSL 3 succeeds.
+  - name: "atlas-x509-auth-test-task"
+    commands:
+      - func: "assume-aws-test-secrets-role"
+      - func: "add-atlas-connect-variables-to-file"
+      - func: "run-x509-auth-test"
+
   - name: "aws-auth-test-with-regular-aws-credentials-task"
     commands:
       - func: "start-mongo-orchestration"
@@ -2254,6 +2282,7 @@ buildvariants:
       - name: "atlas-deployed-task-group"
       - name: "atlas-search-task"
       - name: "atlas-connectivity-task"
+      - name:  "atlas-x509-auth-test-task"
 
   - name: "atlas-data-lake-test"
     display_name: "Atlas Data Lake test"

.evergreen/run-x509-auth-tests.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Exit the script with error if any of the commands fail
+set -o errexit
+
+# Supported/used environment variables:
+#   JDK                                  Set the version of java to be used.  Java versions can be set from the java toolchain /opt/java
+#   ATLAS_X509_DEV                       Set the connection string for the Atlas X509 development cluster.
+#   ATLAS_X509_DEV_CERT_BASE64           Set the base64 encoded contents of a PEM file containing the client certificate (signed by the mongodb dev CA) and client private key for the X509 authentication on development cluster.
+#   ATLAS_X509_DEV_CERT_NOUSER_BASE64    Set the base64 encoded contents of a PEM file containing the client certificate (signed by the mongodb dev CA) and client private key for the X509 authentication on development cluster with the subject name that does not exist on the server/cluster.
+
+RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE:-$0}")"
+. "${RELATIVE_DIR_PATH}/setup-env.bash"
+
+MONGODB_URI=${ATLAS_X509_DEV:-}
+echo "$MONGODB_URI"
+ATLAS_X509_DEV_CERT_BASE64=${ATLAS_X509_DEV_CERT_BASE64:-}
+ATLAS_X509_DEV_CERT_NOUSER_BASE64=${ATLAS_X509_DEV_CERT_NOUSER_BASE64:-}
+
+############################################
+#            Functions                     #
+############################################
+
+provision_keystores () {
+  # Base64 decode contents of a PEM holder for client certificate (signed by the mongodb dev CA) and private key
+  echo "${ATLAS_X509_DEV_CERT_BASE64}" | base64 --decode > ca_and_pk.pem
+  echo "${ATLAS_X509_DEV_CERT_NOUSER_BASE64}" | base64 --decode > ca_and_pk_no_user.pem
+
+  # Build the pkcs12 (keystore). We include the leaf-only certificate (with public key) and private key in the keystore,
+  # assuming the signed certificate is already trusted by the Atlas as issuer is MongoDB dev CA.
+  echo "Creating PKCS12 keystore from ca_and_pk.pem"
+  openssl pkcs12 -export \
+    -in ca_and_pk.pem \
+    -out existing_user.p12 \
+    -password pass:test
+
+  echo "Creating PKCS12 keystore from ca_and_pk_no_user.pem"
+  openssl pkcs12 -export \
+    -in ca_and_pk_no_user.pem \
+    -out non_existing_user.p12 \
+    -password pass:test
+}
+
+############################################
+#            Main Program                  #
+############################################
+echo "Running X509 Authentication tests with Java ${JAVA_VERSION}"
+
+# Set up keystores for x509 authentication.
+provision_keystores
+
+./gradlew -PjavaVersion=${JAVA_VERSION} -Dorg.mongodb.test.uri=${MONGODB_URI} --info --continue \
+ -Dorg.mongodb.test.x509.auth.enabled=true \
+ -Dorg.mongodb.test.x509.auth.keystore.location="$(pwd)" \
+ driver-sync:test --tests X509AuthenticationTest \
+ driver-reactive-streams:test --tests X509AuthenticationTest

driver-reactive-streams/src/test/functional/com/mongodb/reactivestreams/client/X509AuthenticationTest.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.reactivestreams.client;
+
+import com.mongodb.MongoClientSettings;
+import com.mongodb.client.auth.AbstractX509AuthenticationTest;
+import com.mongodb.reactivestreams.client.syncadapter.SyncMongoClient;
+
+public class X509AuthenticationTest extends AbstractX509AuthenticationTest {
+    @Override
+    protected com.mongodb.client.MongoClient createMongoClient(final MongoClientSettings mongoClientSettings) {
+        return new SyncMongoClient(MongoClients.create(mongoClientSettings));
+    }
+}

driver-sync/src/test/functional/com/mongodb/client/auth/AbstractX509AuthenticationTest.java

@@ -0,0 +1,182 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.client.auth;
+
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoCommandException;
+import com.mongodb.MongoSecurityException;
+import com.mongodb.client.Fixture;
+import com.mongodb.client.MongoClient;
+import com.mongodb.connection.NettyTransportSettings;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import org.junit.jupiter.api.extension.ConditionEvaluationResult;
+import org.junit.jupiter.api.extension.ExecutionCondition;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.extension.ExtensionContext;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.stream.Stream;
+
+import static com.mongodb.AuthenticationMechanism.MONGODB_X509;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+@ExtendWith(AbstractX509AuthenticationTest.X509AuthenticationPropertyCondition.class)
+public abstract class AbstractX509AuthenticationTest {
+
+    private static final String KEYSTORE_PASSWORD = "test";
+    protected abstract MongoClient createMongoClient(MongoClientSettings mongoClientSettings);
+
+    private static Stream<Arguments> shouldAuthenticateWithClientCertificate() throws Exception {
+        String keystoreFileName = "existing_user.p12";
+        return getArgumentForKeystore(keystoreFileName);
+    }
+
+    @ParameterizedTest(name = "should authenticate with client certificate. MongoClientSettings: {0}")
+    @MethodSource
+    public void shouldAuthenticateWithClientCertificate(final MongoClientSettings mongoClientSettings) {
+        //given
+        try (MongoClient client = createMongoClient(mongoClientSettings)) {
+
+            //when & then command completes successfully with x509 authentication
+            client.getDatabase("test").getCollection("test").estimatedDocumentCount();
+        }
+    }
+
+    private static Stream<Arguments> shouldPassMutualTLSWithClientCertificateAndFailAuthenticateWithAbsentUser() throws Exception {
+        String keystoreFileName = "non_existing_user.p12";
+        return getArgumentForKeystore(keystoreFileName);
+    }
+
+    @ParameterizedTest(name = "should pass mutual TLS with client certificate and fail authenticate with absent user. "
+            + "MongoClientSettings: {0}")
+    @MethodSource
+    public void shouldPassMutualTLSWithClientCertificateAndFailAuthenticateWithAbsentUser(final MongoClientSettings mongoClientSettings) {
+        // given
+        try (MongoClient client = createMongoClient(mongoClientSettings)) {
+
+            // when & then
+            MongoSecurityException mongoSecurityException = assertThrows(MongoSecurityException.class,
+                    () -> client.getDatabase("test").getCollection("test").estimatedDocumentCount());
+
+            assertTrue(mongoSecurityException.getMessage().contains("Exception authenticating"));
+            MongoCommandException mongoCommandException = (MongoCommandException) mongoSecurityException.getCause();
+
+            assertTrue(mongoCommandException.getMessage().contains("Could not find user"));
+            assertEquals(11, mongoCommandException.getCode());
+        }
+    }
+
+    private static Stream<Arguments> getArgumentForKeystore(final String keystoreFileName) throws Exception {
+        SSLContext context = buildSslContextFromKeyStore(keystoreFileName);
+        MongoClientSettings.Builder mongoClientSettingsBuilder = Fixture.getMongoClientSettingsBuilder();
+        verifyX509AuthenticationIsRequired(mongoClientSettingsBuilder);
+
+        return Stream.of(
+                Arguments.of(mongoClientSettingsBuilder
+                        .applyToSslSettings(builder -> builder.context(context))
+                        .build()),
+
+                Arguments.of(mongoClientSettingsBuilder
+                        .applyToSslSettings(builder -> builder.context(context))
+                        .transportSettings(NettyTransportSettings.nettyBuilder()
+                                .sslContext(SslContextBuilder.forClient()
+                                        .sslProvider(SslProvider.JDK)
+                                        .keyManager(getKeyManagerFactory(keystoreFileName))
+                                        .build())
+                                .build())
+                        .build()),
+
+                Arguments.of(mongoClientSettingsBuilder
+                        .applyToSslSettings(builder -> builder.context(context))
+                        .transportSettings(NettyTransportSettings.nettyBuilder()
+                                .sslContext(SslContextBuilder.forClient()
+                                        .sslProvider(SslProvider.OPENSSL)
+                                        .keyManager(getKeyManagerFactory(keystoreFileName))
+                                        .build())
+                                .build())
+                        .build())
+        );
+    }
+
+    private static SSLContext buildSslContextFromKeyStore(final String keystoreFileName) throws Exception {
+        KeyManagerFactory keyManagerFactory = getKeyManagerFactory(keystoreFileName);
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
+        return sslContext;
+    }
+
+    private static KeyManagerFactory getKeyManagerFactory(final String keystoreFileName)
+            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
+        KeyStore ks = KeyStore.getInstance("PKCS12");
+        try (FileInputStream fis = new FileInputStream(getKeystoreLocation() + File.separator + keystoreFileName)) {
+            ks.load(fis, KEYSTORE_PASSWORD.toCharArray());
+        }
+        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
+                KeyManagerFactory.getDefaultAlgorithm());
+        keyManagerFactory.init(ks, KEYSTORE_PASSWORD.toCharArray());
+        return keyManagerFactory;
+    }
+
+    private static String getKeystoreLocation() {
+        return System.getProperty("org.mongodb.test.x509.auth.keystore.location");
+    }
+
+    /**
+     * The connection string is sourced from an environment variable populated from Secret Storage.
+     * We verify it still requires X.509 authentication before running these tests to ensure test invariants.
+     */
+    private static void verifyX509AuthenticationIsRequired(final MongoClientSettings.Builder mongoClientSettingsBuilder) {
+        com.mongodb.assertions.Assertions.assertTrue(
+                com.mongodb.assertions.Assertions.assertNotNull(mongoClientSettingsBuilder.build().getCredential())
+                        .getAuthenticationMechanism() == MONGODB_X509);
+    }
+
+    /**
+       This condition allows to skip initialization of method sources and test execution.
+        - @EnableIf on the class, assumeTrue in the constructor - do not block method source initialization.
+        - assumeTrue in the static block - fails the test.
+     **/
+    public static class X509AuthenticationPropertyCondition implements ExecutionCondition {
+        @Override
+        public ConditionEvaluationResult evaluateExecutionCondition(final ExtensionContext context) {
+            if (isX509TestsEnabled()) {
+                return ConditionEvaluationResult.enabled("Test is enabled because x509 auth configuration exists");
+            } else {
+                return ConditionEvaluationResult.disabled("Test is disabled because x509 auth configuration is missing");
+            }
+        }
+    }
+
+    private static boolean isX509TestsEnabled() {
+        return Boolean.parseBoolean(System.getProperty("org.mongodb.test.x509.auth.enabled"));
+    }
+}

driver-sync/src/test/functional/com/mongodb/client/auth/X509AuthenticationTest.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.client.auth;
+
+import com.mongodb.MongoClientSettings;
+import com.mongodb.client.MongoClient;
+import com.mongodb.client.MongoClients;
+
+public class X509AuthenticationTest extends AbstractX509AuthenticationTest {
+    @Override
+    protected MongoClient createMongoClient(final MongoClientSettings mongoClientSettings) {
+        return MongoClients.create(mongoClientSettings);
+    }
+}