[SERVER-57727] Race conditions in x509_invalid.js Created: 15/Jun/21  Updated: 29/Oct/23  Resolved: 12/Jul/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.2.16, 4.4.8, 5.0.2, 4.0.28, 5.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Sergey Galtsev (Inactive) Assignee: Sergey Galtsev (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v5.0, v4.4, v4.2, v4.0
Sprint: Security 2021-07-12
Participants:
Linked BF Score: 49

 Description   

In SERVER-55797 a following race condition was fixed in x509_invalid.js: 'No verified subject name available from client' could be emitted by mongod after assert.eq(!shouldSucceed, rawMongoProgramOutput().includes(...) check.

There are two more race conditions which should be addressed:

1. 'No verified subject name available from client' message from previous testClient(...) could be emitted after clearRawMongoProgramOutput(). This is likely what caused BF-21145

2. when 'No verified subject name available from client' message arrives late for assert.eq(!shouldSucceed, rawMongoProgramOutput().includes(...) check, it will be picked up for positive tests, as assert.soon() will wait for it to appear. However, it will not be picked up for negative tests, because assert.soon will see no message, happily exit, and the message will show after.

We need to refactor x509_invalid.js in following way:

  • every test should spawn a separate mongod
  • checkLog should be used so that it ties to an individual mongod, and therefore messages from one test would not contaminate the other test
  • assert.soon should be checking for both successful auth and failed auth. This way we could exit immediately after it fails or succeeds and not have to spin forever
  • perhaps reduce the default 5 min wait time to 30 sec or so
  • disable hang analyzer
  • also perhaps get rid of assert in runMongoProgram script, as it is confusing to see an assert in the test which does not indicate that there was an actual test fail


 Comments   
Comment by Githook User [ 07/Oct/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57727 race conditions in x509_invalid.js
Branch: v4.0
https://github.com/mongodb/mongo/commit/143bf0610de209b4922d05facd980447cc108247

Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you!

Comment by Githook User [ 20/Jul/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57727 race conditions in x509_invalid.js
Branch: v4.2
https://github.com/mongodb/mongo/commit/546487fe28e0a5679cecb6fb026692f3798c514a

Comment by Githook User [ 20/Jul/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57727 race conditions in x509_invalid.js
Branch: v4.4
https://github.com/mongodb/mongo/commit/dcbda6e6b325c2fc047c8cce06cafc2d7f48f045

Comment by Githook User [ 19/Jul/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57727 race conditions in x509_invalid.js
Branch: v5.0
https://github.com/mongodb/mongo/commit/24f1f40022c0898e63aaed1d5a6a22c767e7fe0d

Comment by Githook User [ 12/Jul/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57727 race conditions in x509_invalid.js
Branch: master
https://github.com/mongodb/mongo/commit/66d9611c4e7bce7720002bb1d1f2fe74d1be4c43

Comment by Sergey Galtsev (Inactive) [ 02/Jul/21 ]

http://mongodbcr.appspot.com/810240001

Generated at Thu Feb 08 05:42:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.