From 02e951695f22629acb1d9658e6068776c5697108 Mon Sep 17 00:00:00 2001 From: Jamis Buck Date: Wed, 13 Sep 2023 14:32:47 -0600 Subject: [PATCH 1/3] RUBY-3267 ignore SDAM unified specs when X.509 auth is enabled This is because the SDAM unified specs set a failpoint for an authentication conversation that is never used with X.509 authentication, and so can not pass with that active. --- spec/spec_tests/sdam_unified_spec.rb | 2 ++ spec/support/constraints.rb | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/spec/spec_tests/sdam_unified_spec.rb b/spec/spec_tests/sdam_unified_spec.rb index 8454edc004..21d6e1cbb3 100644 --- a/spec/spec_tests/sdam_unified_spec.rb +++ b/spec/spec_tests/sdam_unified_spec.rb @@ -9,5 +9,7 @@ SDAM_UNIFIED_TESTS = Dir.glob("#{base}/**/*.yml").sort describe 'SDAM unified spec tests' do + forbid_x509_auth + define_unified_spec_tests(base, SDAM_UNIFIED_TESTS) end diff --git a/spec/support/constraints.rb b/spec/support/constraints.rb index 47057743fb..6d92409937 100644 --- a/spec/support/constraints.rb +++ b/spec/support/constraints.rb @@ -17,6 +17,12 @@ def require_local_tls end end + def forbid_x509_auth + before(:all) do + skip 'X.509 auth not allowed' if SpecConfig.instance.x509_auth? + end + end + def max_bson_version(version) required_version = version.split('.').map(&:to_i) actual_version = bson_version(required_version.length) From a515a34c97bde93e5f7da7aed9f297794e6a987d Mon Sep 17 00:00:00 2001 From: Jamis Buck Date: Wed, 13 Sep 2023 15:12:39 -0600 Subject: [PATCH 2/3] re-enable the x.509 specs --- .evergreen/config.yml | 33 ++++++++++++++---------------- .evergreen/config/standard.yml.erb | 33 ++++++++++++++---------------- 2 files changed, 30 insertions(+), 36 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index e43a13b7b3..77166fb62e 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
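Review bot: `forbid_x509_auth` is declared at the top of the `describe 'SDAM unified spec tests'` block, so every file in `SDAM_UNIFIED_TESTS` is skipped when X.509 is enabled, and the reason is recorded only in the commit message. If only some of the YAML specs set the authentication failpoint (the hunk does not show which), this drops more SDAM coverage from the X.509 variant than necessary. At minimum the call should carry the reason in the file, e.g. `# The SDAM unified specs set a failpoint for an authentication conversation that X.509 never uses (RUBY-3267).`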
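Review bot: The skip reason in `forbid_x509_auth`, 'X.509 auth not allowed', does not tell someone reading the X.509 CI output why an authentication-related group was skipped, and the helper has no comment saying when to use it. A more specific message such as `skip 'Not applicable when X.509 auth is enabled'` would make skipped auth coverage easier to audit. A comment above the `def` would help too, e.g. `# Skips the enclosing example group when the suite is configured for X.509 authentication.` The enclosing module starts and ends outside the hunk.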
@@ -1300,24 +1300,21 @@ buildvariants: tasks: - name: "test-mlaunch" - # The X.509 tests are failing with exceptions being expected, but never - # raised. (RUBY-3267) - # - # - matrix_name: "x509-tests" - # matrix_spec: - # auth-and-ssl: "x509" - # ruby: "ruby-3.2" - # # needs the latest_5x_mdb because run-tests.sh uses `mongo` to configure - # # the server for certain auth mechanisms. Once run-tests.sh is made smart - # # enough to install mongosh, and then use either mongo or mongosh - # # (depending on server version and what's available), we can bump this to - # # the latest stable db version. - # mongodb-version: "5.3" - # topology: standalone - # os: rhel8 - # display_name: "${mongodb-version} ${topology} ${auth-and-ssl} ${ruby}" - # tasks: - # - name: "test-mlaunch" + - matrix_name: "x509-tests" + matrix_spec: + auth-and-ssl: "x509" + ruby: "ruby-3.2" + # needs the latest_5x_mdb because run-tests.sh uses `mongo` to configure + # the server for certain auth mechanisms. Once run-tests.sh is made smart + # enough to install mongosh, and then use either mongo or mongosh + # (depending on server version and what's available), we can bump this to + # the latest stable db version. + mongodb-version: "5.3" + topology: standalone + os: rhel8 + display_name: "${mongodb-version} ${topology} ${auth-and-ssl} ${ruby}" + tasks: + - name: "test-mlaunch" - matrix_name: "jruby-auth" matrix_spec: diff --git a/.evergreen/config/standard.yml.erb b/.evergreen/config/standard.yml.erb index 3bcd1b9acb..89cbc81ef1 100644 --- a/.evergreen/config/standard.yml.erb +++ b/.evergreen/config/standard.yml.erb 
@@ -232,24 +232,21 @@ buildvariants: tasks: - name: "test-mlaunch" - # The X.509 tests are failing with exceptions being expected, but never - # raised. (RUBY-3267) - # - # - matrix_name: "x509-tests" - # matrix_spec: - # auth-and-ssl: "x509" - # ruby: <%= latest_ruby %> - # # needs the latest_5x_mdb because run-tests.sh uses `mongo` to configure - # # the server for certain auth mechanisms. Once run-tests.sh is made smart - # # enough to install mongosh, and then use either mongo or mongosh - # # (depending on server version and what's available), we can bump this to - # # the latest stable db version. - # mongodb-version: <%= latest_5x_mdb %> - # topology: standalone - # os: rhel8 - # display_name: "${mongodb-version} ${topology} ${auth-and-ssl} ${ruby}" - # tasks: - # - name: "test-mlaunch" + - matrix_name: "x509-tests" + matrix_spec: + auth-and-ssl: "x509" + ruby: <%= latest_ruby %> + # needs the latest_5x_mdb because run-tests.sh uses `mongo` to configure + # the server for certain auth mechanisms. Once run-tests.sh is made smart + # enough to install mongosh, and then use either mongo or mongosh + # (depending on server version and what's available), we can bump this to + # the latest stable db version. + mongodb-version: <%= latest_5x_mdb %> + topology: standalone + os: rhel8 + display_name: "${mongodb-version} ${topology} ${auth-and-ssl} ${ruby}" + tasks: + - name: "test-mlaunch" - matrix_name: "jruby-auth" matrix_spec: From bbbfbdca371405ddb09ff5d9a2858f10b2f870c5 Mon Sep 17 00:00:00 2001 From: Jamis Buck Date: Wed, 13 Sep 2023 16:05:15 -0600 Subject: [PATCH 3/3] auth flow here assumes SASL; X.509 mechanism is incompatible --- spec/mongo/server/connection_spec.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/spec/mongo/server/connection_spec.rb b/spec/mongo/server/connection_spec.rb index f1e0dabc56..a1acf2f69c 100644 --- a/spec/mongo/server/connection_spec.rb +++ b/spec/mongo/server/connection_spec.rb 
@@ -265,6 +265,10 @@ class ConnectionSpecTestException < Exception; end context 'when #authenticate! raises an exception' do require_auth + # because the mock/stub flow here doesn't cover the flow used by + # the X.509 authentication mechanism... + forbid_x509_auth + let(:server_options) do Mongo::Client.canonicalize_ruby_options( SpecConfig.instance.all_test_options,
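Review bot: With `forbid_x509_auth` added to the 'when #authenticate! raises an exception' context, the X.509 variant no longer exercises what the connection does when authentication fails. The added comment says the stubs do not cover the X.509 flow, but nothing records that this path is now untested for that mechanism. I would note the gap where the skip is declared, e.g. `# TODO: add an X.509-specific variant so auth-failure handling is covered for that mechanism too.`, and rewrite the existing comment as a full sentence. The context body continues past the end of the hunk, so the stubs themselves are not visible here.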