From 00528cee4912c79713c94de7d161638c7653cb2e Mon Sep 17 00:00:00 2001 From: Henrik Edin Date: Fri, 17 May 2019 15:51:49 -0400 Subject: [PATCH] SERVER-40643 SERVER-40645 Add jstests that test the split horizon feature Split horizon relies on SNI over TLS and we simulate this by using HOSTALIASES (Linux only) --- jstests/libs/splithorizon-ca.pem | 85 ++++++++++++ jstests/libs/splithorizon-server.pem | 55 ++++++++ jstests/ssl/repl_ssl_split_horizon.js | 190 ++++++++++++++++++++++++++ 3 files changed, 330 insertions(+) create mode 100644 jstests/libs/splithorizon-ca.pem create mode 100644 jstests/libs/splithorizon-server.pem create mode 100644 jstests/ssl/repl_ssl_split_horizon.js diff --git a/jstests/libs/splithorizon-ca.pem b/jstests/libs/splithorizon-ca.pem new file mode 100644 index 00000000000..69c2151d309 --- /dev/null +++ b/jstests/libs/splithorizon-ca.pem @@ -0,0 +1,85 @@ +-----BEGIN CERTIFICATE----- +MIIF3jCCA8agAwIBAgIJAPyQcqzQRuzfMA0GCSqGSIb3DQEBCwUAMIGDMSUwIwYD +VQQDDBxLZXJuZWwgU3BsaXQgSG9yaXpvbiBUZXN0IENBMQ8wDQYDVQQLDAZLZXJu +ZWwxFjAUBgNVBAoMDU1vbmdvREIsIEluYy4xETAPBgNVBAcMCE5ldyBZb3JrMREw +DwYDVQQIDAhOZXcgWW9yazELMAkGA1UEBhMCVVMwHhcNMTkwNTEwMTk1MzEzWhcN +MjkwNTA3MTk1MzEzWjCBgzElMCMGA1UEAwwcS2VybmVsIFNwbGl0IEhvcml6b24g +VGVzdCBDQTEPMA0GA1UECwwGS2VybmVsMRYwFAYDVQQKDA1Nb25nb0RCLCBJbmMu +MREwDwYDVQQHDAhOZXcgWW9yazERMA8GA1UECAwITmV3IFlvcmsxCzAJBgNVBAYT +AlVTMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw3SZ964JlbGux1MQ +5xN7U5NUM6hw5rrArA/W2CT0w9C2dTtavzb2RUvWhiR/JnAuyfpoNuvyH9XEvVXz +ffNjYkEBxPeAiSQro0MGWJzBlrVDORQ/r6k6d5aqeIPoPku3q32b2REI98iN3qSG +08WIaVhMSI02rHUnsxHBQfw6xieiLAxqoCHH7jTa8iktcxPxZ2tBVcozEbnpprLh +OnGrb1UwB/HvQmSpuSppyUVvU4fWjwuQMWBMwGm/oIR+sXhK0vN1qMTTYJhb9OrX +gH88lOqgAJYmKPSayeNeU+gHUbmleIEPsZX/DyXsklCYSAMyVqqEAmokHLjO66rl +yjq7qhGBW0HV5QyTW91Gge1WWhPD/wAnUQJeY0+bf6cAn2MQQmk1MtpOXuxqG3SC +04moMs+fwNphHkmtguwojOKKOt2QgDPgXhKSC+5adajiqT9Qyvv/fvn5PPszogah +LPPQEwjD3NlYOdu7DJqq9xM06Q3OJLBZ1XVFPZFJJ85k+VrwmhzSgple0HvT58w8 +th7F2Ajsq5n8Oy0Eqey1/WO9UmpvuzPs/0nGYvojPj9gJ3yHGaav59fpI0uuhWsZ +Pa9MIZie4ck0VjlhIyJCVugtooaXmNCIcZsGQDHH7NguMYld66U6yx2YrmtrjKv6 +XguP7FPNsoeGkXYf8ppmLmNHM3MCAwEAAaNTMFEwHQYDVR0OBBYEFEyUnNYBPgJg +SPYjJP4QYcwIi/cEMB8GA1UdIwQYMBaAFEyUnNYBPgJgSPYjJP4QYcwIi/cEMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKQY2FntJP1sY+8IICiK +uCN8ch5fGLXVOsSmr8zBa1DgFad1E6McHMluSdBdAzZ0bL3iFA9RKrJrJZ54YOTP +5/z3TJei2abr0DJFud7BEWhAPxm21kxi3dl3z8AovyYwCBByiE10lRgK1IGunwDb +Q3U5jXaPcFzuwZMBII2Y4Kvfor7LSzvkfuxj6WSKvNMlQOx6R10aP/bUF1A6v4Ug +4byPqYw+HdrRvIOhWHBtyRxOVralQ8aTNT5PLw2cyPioKilNOB0sjripeLQB/aMC +symIILuEa9FMnPkxmdEN+N5icYanCK2l6K4ApYClW/Q+1pdJCQigMc7FXXS2OOva +ydR+CPmPQpuDMgTRmeOFKUK/ZsXcsqgJo8c8ObPoIJ5jbSWNpJbAZVF9QLkhYv1a +1kP72lQDzaWgF7gpl7UnU1VYAv54oJss0v93Q+9EaUZBA7x4TXdTgbwDyBf4ZBXW +SsSBbrulpmfTF+YZ/YJh/Q2lXbx8qcC0qcxDqNNIG0uvsn2G9GZRloGl/5vV1vhM +kiRVb6y51/sf+3Lbe/zqSWKOG7aeTR+PmD6f+fAe2kQT5IlwJUeTmpFyyBSivpmZ +Xojo4B9vycdn3Ee3R8eQ63rGPQFiEREf+Nt78ENK/3jHsmLQhle5wBB581ZEL1rF +4K4tMBC3UPrkhyN1lgVewRMf +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAw3SZ964JlbGux1MQ5xN7U5NUM6hw5rrArA/W2CT0w9C2dTta +vzb2RUvWhiR/JnAuyfpoNuvyH9XEvVXzffNjYkEBxPeAiSQro0MGWJzBlrVDORQ/ +r6k6d5aqeIPoPku3q32b2REI98iN3qSG08WIaVhMSI02rHUnsxHBQfw6xieiLAxq +oCHH7jTa8iktcxPxZ2tBVcozEbnpprLhOnGrb1UwB/HvQmSpuSppyUVvU4fWjwuQ +MWBMwGm/oIR+sXhK0vN1qMTTYJhb9OrXgH88lOqgAJYmKPSayeNeU+gHUbmleIEP +sZX/DyXsklCYSAMyVqqEAmokHLjO66rlyjq7qhGBW0HV5QyTW91Gge1WWhPD/wAn +UQJeY0+bf6cAn2MQQmk1MtpOXuxqG3SC04moMs+fwNphHkmtguwojOKKOt2QgDPg +XhKSC+5adajiqT9Qyvv/fvn5PPszogahLPPQEwjD3NlYOdu7DJqq9xM06Q3OJLBZ +1XVFPZFJJ85k+VrwmhzSgple0HvT58w8th7F2Ajsq5n8Oy0Eqey1/WO9UmpvuzPs +/0nGYvojPj9gJ3yHGaav59fpI0uuhWsZPa9MIZie4ck0VjlhIyJCVugtooaXmNCI +cZsGQDHH7NguMYld66U6yx2YrmtrjKv6XguP7FPNsoeGkXYf8ppmLmNHM3MCAwEA +AQKCAgA6SAyZNEYbYu4w9W322XJOy4GyHan8wvcs11RDA1IRCa0+a8J1fhgVNbX0 +LfHULmNlSsvEhLqgD4goxPZkOi0KYUP7zamAO07f0d6UkbmQDODMpmMPKDEM89pF +MWARI1bTRhMwuMmpyR20o+6oOyCf+PpWL/V7mzuJQ+QSnvmPmMXcyJ8KvMf3Gb+n +seuhgvLa2bqTsEVmJb+sO265lKd//TDjTZsAey+4zRLaN2Ao0jqCUPpgHs0EGwRP +AvMcTDhTitEsz/QPu56/+z7jTA1ugj/PrPYYBEgbpza7Yla8YdUbh7B8TbPOeop+ +XpXp8zoRaasPZUL7ZYgd8cmvca//UmOwoL0vGQksENcakkAy9GXl4QEXyVEVC+y4 +FVrSDvTijlZJGc9v012KdWfPdYHsYDIWWAxs5mvOTDo+wqLFsxAvRM+JPtcIppsj +dLnFLib3StaRU9IQ1HIJQH16wlxSFvYdvKKS92tZVtB74Lv8HcfQ5sp32pqQ5VkT +1iQjZ9N89+IahL0qscK64mq5NJIzS9ISdHp6FJoDTPIEOA9qNl6I4AKmXCvRjRAg +1fqzRno/tl4/I62YX8Oex58UyOTyEar7T4XL9f/CIdgsExMpsO3OABvDaY/fozbc +ykIJAaBJD6EB8YUA1FEzEoMD044CkRzhQhmW2BwKLEmoNPueMQKCAQEA9L8sqoB8 +0DXwvXf7QLlWq/LdADhNTnmP2Akuk++eYN/YF4OubjAAtetmzNJbl/MLFLC+WAqB +y7I34Ve46hdu80hKsXIV60pr19fLeOvR4UP78myTcO08tTxM/9IB7LJN/OQGoPrt +XrNzQZ7zS9+VhdeXiorF+2k5KGRAp7tga+1rWR8teGVHWDn+8N0ev7L9s9ndRaCW +X4kYY47dpYPw24p6zcQPz4Y5UsfN+JBTeoqClRk4p3bVzaTlMJAx/D9WqhLQsoqW +dB5t9u6h9PPN68Hek/tBwarwA/mneo/hrRi8PiLgDu2pdMxGta7Fi6xH1ElAFzJL +aISlh4egB8Y4/QKCAQEAzHE8p6ie1Wvx7EhCRkrVmaNbmgd5kjB164JwfL7LzJ++ +0wFoi1eKiGDQVgU9hvNoapkyov/nNA/t5qBfDf2toVEPbYnyw0VTkACiLASmX9sd +WgkvQdfhe0xGxFSP36Uc54GPZEw4u9Ov2fq2tWNbvBoYhgyzV8SMcPAZ27Rl0WUO +Lg7y13Yz30d529miwFyo8fDmS5hQypl2xeSxGXvErO/mDeyyZQa8ahsXvtcK/HBC +slorOI8R0TJH+IoWoAhGEE4d/55pSX7ccr5/v3BDljQ+rbZadYSWsez6LutSxeed +tKuxEeDUXw4OB2cZ64VY5X60UaNOflVlVKIvUlzBLwKCAQAk97dcbZnsrSkWxUer +KBOCV2WwQdDTeKMUg5aIe9oVUdpG+vne5NtGny7g4yk4k1pqHqQxkiy2ws2T+PcS +TMXSc2ns0YmkB5KwgITYV+5UszscC/BdT0grK9eJkIP/55LGDv89U4mFE1/mWobv +P+9KzxyxrXJoHiWnBzWI4FGZG7xqMr5ggBO9rMzoPs4FMJkHkHHOsYnlFkUbzJmI +BZzc3FbeO64Tr3d7HHjtAYfKa597u9qF2PpEXJLNugoCyuJhQARL44kEMxBzCupl +oGnLIXZoLbxp71LfltcIOTFiPuk4DXaAar98x9oqWSK3jScwVnwaxNsFB3wlM4Ql +iHhVAoIBAQCQkEn5rCyUcb4h/H6Qwf4EpBTz9/EpRIc9v4DXVPs7eIIxJr/MOFzH +Tt5C1XXKZXgiWK4LwLS2hcUN3b0ZYZZTicRFCtTU68LJAwmp4qfbBE/fCLuX7ZWN +4EPyNHGADXtA4MaKf7NmbavdkYF9BgMqIbHRqE1w9JTyj3VZfFi7FqBORVfGr9jC +PAKZSW3iZCM64cOXFN+cQ6RPDwWEJZbPStv8YLFM6tR0my/RTLKCCse+4i/J0LEi +olFuGAcjpnYUtYhU5qlAxSoRIU+oCTRhlBP2NgoFK3p72jyWzOQ8+Sj1RqrxH3BM +vt2AspELj8FqlovfZoDsqGn8zKp1rQ0VAoIBADWTFYIXGEEWyT18/btubDR+UVmA +3U1zoSkgI9x/lc7qOFELRUZowO2v5G31hVn4codfGQya8ci7KYW5MlzNvSmUOMsJ +r3iRzT9lNu3I4is/P6W+QEOPuyQ/p4FIR+DA87t8yRkxWGz1n6Mw2HLPN/2sUkHy +s+xZtz/5WmCVLbRrFF8mumHBeZPNV65MQeqYUuJSIuZd4QA2rC3s9m4EGeGkVpyn +MH3Hd+XLhZJhEZKUGd+Tdhd6fOnTuKA7Kru2mS9EXzLFvYXrSXVzFBm4fEltFMEJ +HZQcxeHWr9dWSjTvQ0+7WTXWkPzbMxwReHohaG4TGL41dMswUFcacxIykGA= +-----END RSA PRIVATE KEY----- diff --git a/jstests/libs/splithorizon-server.pem b/jstests/libs/splithorizon-server.pem new file mode 100644 index 00000000000..b526281f1c2 --- /dev/null +++ b/jstests/libs/splithorizon-server.pem @@ -0,0 +1,55 @@ +-----BEGIN CERTIFICATE----- +MIIE1DCCArygAwIBAgIJAJLp0kxpAFIvMA0GCSqGSIb3DQEBCwUAMIGDMSUwIwYD +VQQDDBxLZXJuZWwgU3BsaXQgSG9yaXpvbiBUZXN0IENBMQ8wDQYDVQQLDAZLZXJu +ZWwxFjAUBgNVBAoMDU1vbmdvREIsIEluYy4xETAPBgNVBAcMCE5ldyBZb3JrMREw +DwYDVQQIDAhOZXcgWW9yazELMAkGA1UEBhMCVVMwHhcNMTkwNTEwMTk1NDU3WhcN +MjkwNTA3MTk1NDU3WjCBizEPMA0GA1UEAwwGc2VydmVyMR4wHAYDVQQLDBVLZXJu +ZWwgKFNwbGl0aG9yaXpvbikxJTAjBgNVBAoMHE1vbmdvREIsIEluYy4gKFNwbGl0 +aG9yaXpvbikxETAPBgNVBAcMCE5ldyBZb3JrMREwDwYDVQQIDAhOZXcgWW9yazEL +MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHKajR ++sZWfxokYFEynJ18jTKdazIqq/AJgUgwuBqptjUnYiy6dQJE7IoHV3Gn8QfRhjEV +HAf8KzawjxchvCZfMZhu4LdXsSjyK3a1r+2eTp4b8ECyNBOR0bh7h0+dwMBAfS4Q +7/F6nhtfzUXMR2oYRiOWT1la58VwHbm34ulB/0Uf3VeGP4lEaGURAOOq1NAew94z +qj0uWnoO0cd6MGgoG2z1mb+iTHfWfiQNqFHVOgzVkADRrH2yXmFQR+UWDd0/NnNs +8oMKKasoKJGH7me9BDyRuaFt5Rpri73kSELRyzZ+gbmtlh77VGwNFQd24vxMlpkn +ocoG8/kSS6qkgxzhAgMBAAGjQTA/MD0GA1UdEQQ2MDSCCWxvY2FsaG9zdIIJMTI3 +LjAuMC4xgg1zcGxpdGhvcml6b24xgg1zcGxpdGhvcml6b24yMA0GCSqGSIb3DQEB +CwUAA4ICAQB7oBJYud8UBoFKwyD57ZIbcPuu9y0bI+UDvEvGe0FYO1is8zguv/ri +VYHw1cdiq00x2+xJc/2te3qtWaR3cDX9nYqwfmc+HBxocsetsWwdOGkljJMiSA3y +OFG1KTL+RDhfa8pt72FhtlgojNlJ9vimFRRDGmqzWtp7heZQtjDVbqIJhk0aZU/2 +23n3/325AOsoSHOb+U7e8gOSOBV1WtTtJLzqmbHnK0/m5+DzevsAD4zpso6z8BM5 +wACbo19qpqj4miQRyrCySpYBQZCTwPx4Wb04BPLjbFEtI3sfiQ77DtQhak7/Vqy0 +YBkfAlihBCg8VaIxXzzGp+VSo+g8b14Hw0oQUjzsLX+rVULBZCWakHICJ2EQppE6 +QCCMvlc1QJE6eZ9K5XCn75YXiLwwY8TFUk7mTXD6TLUY7R9/whC5gyhE0WDwrhdP +8S4KU56pwZhFA5Cs1jrWBEbQml9Q4U7zPfBBxELYw7/CoY9nmSCx73mgIj3wOkTe +v15BMwFWtMcgyk7p3ajE+AQY2Ao+dKXfPhYP5YbsnDzRJPFMS0XrnJxjN2LlwU4a +WcR+v3nWAWi9j9jhz0v1kYp+cJ9uNkGsVHfTBw1MNxmLFP86IGnvI05X+JTOxc8f +C7QebLWNS/hCDCE+byJ4oA4OdmM84GPMmj4LZEZSj2ACDHNhbnkyIw== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxymo0frGVn8aJGBRMpydfI0ynWsyKqvwCYFIMLgaqbY1J2Is +unUCROyKB1dxp/EH0YYxFRwH/Cs2sI8XIbwmXzGYbuC3V7Eo8it2ta/tnk6eG/BA +sjQTkdG4e4dPncDAQH0uEO/xep4bX81FzEdqGEYjlk9ZWufFcB25t+LpQf9FH91X +hj+JRGhlEQDjqtTQHsPeM6o9Llp6DtHHejBoKBts9Zm/okx31n4kDahR1ToM1ZAA +0ax9sl5hUEflFg3dPzZzbPKDCimrKCiRh+5nvQQ8kbmhbeUaa4u95EhC0cs2foG5 +rZYe+1RsDRUHduL8TJaZJ6HKBvP5EkuqpIMc4QIDAQABAoIBAEVLN1Onnu5lVqEl +adrkJt84+U1QCKpUHDYSZx2cUJqPrLrBK7LMFzgH3JZlVEQMVp4NxHIFyLlyB5sy +jefM4MTqKpEZWnEGUKrBeJIKXfBghh5OXxQhjlWD1F4WXBsU/07wvuBhu3DgJcIV +V52Vk1JSxPr9LKe2UDmL/hv+tQ2it+PbD+1T78Ue8qVIuv4DA7NFbqB4Igh0O4F9 +ZhezHyLCzK93zGOeG8hwveepYm89bjHkV38YDsAsEcrtlhAZ2FCICj9+aiAbF3GV +Bfeh7A1wsjJF8hbYMc6TXch8MCpUYV9uf2dJ2OVGJtGpcYkovVFq+nrlglcP08/f +1BjaI8kCgYEA8OQFeiCi6lmRzl8PqkesWdafYP62jQETXufpw54lBye8S0j2skY+ +gpGPD8ya5hKbxzQNAnzvPLx8tLKEDBMv0toSFyB/Fy8UyOttdkEzTk3Lich8Te26 +e6OWBfOHtCA2ogk9PgEc/tLc05yMv7Dg0YcDPX7OeV/Ct53FyoIhEl8CgYEA06ec +0BPEk62qPomTodA3x22PmLycibTO4wrIlXwmyTwq9EqeeR+rb5frKxAh/OWgNZsy +MBLGH/kEExA+TTcNR45XaZ6Db3cOmgRdnMjaoOhac3oWRjirUfqrrt7hBNG6h+LH +KDEHTaj7q3uZbAH6/7PyHaR4LqDtAfVHecfSmL8CgYAEBHmG6OZurCG/ZFx5hYp9 +URQFZRocTelJyupeJdQOQ35jbwsWPA+s08qkA9CNh7/rWZXh9b1zsN0Pkm6bWPKS +PKrSkessss9Q7oQ71aiKZMfBO4O/NPjIORk2bjJUMblXiHnp/9DA+zlNmi3KwKNv +OyY1r1i4M32m3E3BK9xrVwKBgQC2u/GRXF/NuJRRZepGPETMM3VUwxLLeYVdVEQV +e5jpCL91Jq9nl8YllJ3/EfCmLYKChblw8+SGWjIAW3fOpocajnQ9xhNoOvwqUTaZ +VHgdkD33kSKGAgs3vhpX4imYRZKsG0kjFCFgFVMjnJS7QYJ5Hd0dZpA0gc/ebuwE +4laadQKBgAGSurqRuc+fosH7j24s1FLT8/2fiCuvidYhGT12SfkRGMUwn80TSvbO +G6NQMALnfkD5UdCApZeU2PGZ3IQJm2e/NYrp5JKZh/6vbqCqBiTQMC6FjAtv0+0V +C0RNdzgcSXWZhLyQE1c0ycXuBIzR+CpuhhHAV5B04rwQi/Onc5IX +-----END RSA PRIVATE KEY----- diff --git a/jstests/ssl/repl_ssl_split_horizon.js b/jstests/ssl/repl_ssl_split_horizon.js new file mode 100644 index 00000000000..d70980ebe88 --- /dev/null +++ b/jstests/ssl/repl_ssl_split_horizon.js @@ -0,0 +1,190 @@ +(function() { + 'use strict'; + // Create a temporary host file that creates two aliases for localhost that are in the + // splithorizon certificate. + // The aliases are 'splithorizon1' and 'splithorizon2' + const hostsFile = MongoRunner.dataPath + 'split-horizon-hosts'; + writeFile(hostsFile, "splithorizon1 localhost\nsplithorizon2 localhost\n"); + + // Check if HOSTALIASES works on this system (Will not work on Windows or OSX and may not work + // on Linux) + try { + var rc = + runMongoProgram("env", "HOSTALIASES=" + hostsFile, "getent", "hosts", "splithorizon1"); + } catch (e) { + jsTestLog( + `Failed the check for HOSTALIASES support using env, we are probably on a non-GNU platform. Skipping this test.`); + removeFile(hostsFile); + return; + } + + if (rc != 0) { + removeFile(hostsFile); + + // Check glibc version to figure out of HOSTALIASES will work as expected + clearRawMongoProgramOutput(); + var rc = runProgram("getconf", "GNU_LIBC_VERSION"); + if (rc != 0) { + jsTestLog( + `Failed the check for GLIBC version, we are probably on a non-GNU platform. Skipping this test.`); + return; + } + + // Output is of the format: 'glibc x.yz' + var output = rawMongoProgramOutput(); + var fields = output.split(" "); + var glibc_version = parseFloat(fields[2]); + + // Fail this test if we are on GLIBC >= 2.2 and HOSTALIASES still doesn't work + if (glibc_version < 2.2) { + jsTestLog(`HOSTALIASES does not seem to work as expected on this system. GLIBC + version is ${glibc_version}, skipping this test.`); + return; + } else { + assert(false, `HOSTALIASES does not seem to work as expected on this system. GLIBC + version is ${glibc_version}`); + } + } + + var replTest = new ReplSetTest({ + name: "splitHorizontest", + nodes: 2, + nodeOptions: { + sslMode: "requireSSL", + sslPEMKeyFile: "jstests/libs/splithorizon-server.pem", + }, + host: "localhost", + useHostName: false, + }); + + replTest.startSet({ + env: { + SSL_CERT_FILE: 'jstests/libs/splithorizon-ca.pem', + }, + }); + + // Create some variables needed for our horizons, we're replacing localhost with the horizon + // name, leaving the port the same (so we can connect) + var node0 = replTest.nodeList()[0]; + var node1 = replTest.nodeList()[1]; + var node0localHostname = node0; + var node1localHostname = node1; + var node0horizonHostname = node0.replace("localhost", "splithorizon1"); + var node1horizonHostname = node1.replace("localhost", "splithorizon1"); + var node0horizonMissingHostname = node0.replace("localhost", "splithorizon2"); + var node1horizonMissingHostname = node1.replace("localhost", "splithorizon2"); + + var config = replTest.getReplSetConfig(); + config.members[0].horizons = {}; + config.members[0].horizons.horizon_name = node0horizonHostname; + config.members[1].horizons = {}; + config.members[1].horizons.horizon_name = node1horizonHostname; + + replTest.initiate(config); + + var checkExpectedHorizon = function(url, memberIndex, expectedHostname) { + // Run isMaster in the shell and check that we get the expected hostname back + var argv = [ + 'env', + "HOSTALIASES=" + hostsFile, + "SSL_CERT_FILE=jstests/libs/splithorizon-ca.pem", + './mongo', + url, + '--eval', + ("assert(db.runCommand({isMaster: 1})['hosts'][" + memberIndex + "] == '" + + expectedHostname + "')") + ]; + return runMongoProgram(...argv); + }; + + // Using localhost should use the default horizon + var defaultURL = `mongodb://${node0localHostname}/admin?replicaSet=${replTest.name}&ssl=true`; + jsTestLog(`URL without horizon: ${defaultURL}`); + assert.eq(checkExpectedHorizon(defaultURL, 0, node0localHostname), + 0, + "localhost does not return horizon"); + assert.eq(checkExpectedHorizon(defaultURL, 1, node1localHostname), + 0, + "localhost does not return horizon"); + + // Using 'splithorizon1' should use that horizon + var horizonURL = `mongodb://${node0horizonHostname}/admin?replicaSet=${replTest.name}&ssl=true`; + jsTestLog(`URL with horizon: ${horizonURL}`); + assert.eq(checkExpectedHorizon(horizonURL, 0, node0horizonHostname), + 0, + "does not return horizon as expected"); + assert.eq(checkExpectedHorizon(horizonURL, 1, node1horizonHostname), + 0, + "does not return horizon as expected"); + + // Using 'splithorizon2' does not have a horizon so it should return default + var horizonMissingURL = + `mongodb://${node0horizonMissingHostname}/admin?replicaSet=${replTest.name}&ssl=true`; + jsTestLog(`URL with horizon: ${horizonMissingURL}`); + assert.eq(checkExpectedHorizon(horizonMissingURL, 0, node0localHostname), + 0, + "does not return localhost as expected"); + assert.eq(checkExpectedHorizon(horizonMissingURL, 1, node1localHostname), + 0, + "does not return localhost as expected"); + + // Check so we can replSetReconfig to add another horizon + config.version += 1; + config.members[0].horizons.other_horizon_name = node0horizonMissingHostname; + config.members[1].horizons.other_horizon_name = node1horizonMissingHostname; + + assert.adminCommandWorkedAllowingNetworkError(replTest.getPrimary(), {replSetReconfig: config}); + + // Using 'splithorizon2' should now return the new horizon + var horizonMissingURL = + `mongodb://${node0horizonMissingHostname}/admin?replicaSet=${replTest.name}&ssl=true`; + jsTestLog(`URL with horizon: ${horizonMissingURL}`); + assert.eq(checkExpectedHorizon(horizonMissingURL, 0, node0horizonMissingHostname), + 0, + "does not return horizon as expected"); + assert.eq(checkExpectedHorizon(horizonMissingURL, 1, node1horizonMissingHostname), + 0, + "does not return horizon as expected"); + + // Change horizon to return a different port to connect to, so the feature can be used in a + // port-forwarding environment + var node0horizonHostnameDifferentPort = "splithorizon1:80"; + var node1horizonHostnameDifferentPort = "splithorizon1:81"; + config.version += 1; + config.members[0].horizons.horizon_name = node0horizonHostnameDifferentPort; + config.members[1].horizons.horizon_name = node1horizonHostnameDifferentPort; + + assert.adminCommandWorkedAllowingNetworkError(replTest.getPrimary(), {replSetReconfig: config}); + + // Build the connection URL, do not set replicaSet as that will trigger the ReplicaSetMonitor + // which will fail as we can't actually connect now (port is wrong) + var horizonDifferentPortURL = `mongodb://${node0horizonHostname}/admin?ssl=true`; + jsTestLog(`URL with horizon using different port: ${horizonDifferentPortURL}`); + assert.eq(checkExpectedHorizon(horizonDifferentPortURL, 0, node0horizonHostnameDifferentPort), + 0, + "does not return horizon as expected"); + assert.eq(checkExpectedHorizon(horizonDifferentPortURL, 1, node1horizonHostnameDifferentPort), + 0, + "does not return horizon as expected"); + + // Providing a config where horizons does not exist in all members is expected to fail + config.version += 1; + config.members[0].horizons.horizon_mismatch = node0.replace("localhost", "splithorizon3"); + assert.commandFailed(replTest.getPrimary().adminCommand({replSetReconfig: config})); + + // Providing a config where horizon hostnames are duplicated in members is expected to fail + config.version += 1; + config.members[1].horizons.horizon_mismatch = config.members[0].horizons.horizon_mismatch; + assert.commandFailed(replTest.getPrimary().adminCommand({replSetReconfig: config})); + + // Two horizons with duplicated hostnames are not allowed + config.version += 1; + delete config.members[0].horizons.horizon_mismatch; + delete config.members[1].horizons.horizon_mismatch; + config.members[0].horizons.horizon_dup_hostname = config.members[0].horizons.horizon_name; + config.members[1].horizons.horizon_dup_hostname = config.members[1].horizons.horizon_name; + assert.commandFailed(replTest.getPrimary().adminCommand({replSetReconfig: config})); + + replTest.stopSet(); + removeFile(hostsFile); +})();