SERVER-121821 Load test certs separately for macOS on ssl_modes_not_disabled_ingress.js (#50704)

GitOrigin-RevId: d3967fb6ddee24e6a89a34879e97e6a6178c150c
2026-03-31 12:08:28 -07:00 · 2026-03-31 12:08:28 -07:00 · a5ad8f670b
commit a5ad8f670b
parent 677c8c8a94
1 changed files with 29 additions and 18 deletions
--- a/jstests/ssl_linear/ssl_modes_not_disabled_ingress.js
+++ b/jstests/ssl_linear/ssl_modes_not_disabled_ingress.js
@ -2,18 +2,29 @@
 // ingress connections accepted by both TCP/IP and Unix Domain sockets.

 import {ShardingTest} from "jstests/libs/shardingtest.js";
-import {
-    runTLSModeTest,
-    TRUSTED_CA_CERT,
-    TRUSTED_CLIENT_CERT,
-    TRUSTED_CLUSTER_CERT,
-    TRUSTED_SERVER_CERT,
-} from "jstests/ssl/libs/ssl_helpers.js";
+import {runTLSModeTest} from "jstests/ssl/libs/ssl_helpers.js";

 if (_isWindows()) {
    quit();
 }

+const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
+jsTest.log.info("HOST_TYPE = " + HOST_TYPE);
+
+let trustedCA = getX509Path("trusted-ca.pem");
+let trustedServer = getX509Path("trusted-server.pem");
+let trustedClient = getX509Path("trusted-client.pem");
+
+if (HOST_TYPE == "macOS") {
+    trustedCA = "/opt/x509/macos-trusted-ca.pem";
+    trustedServer = "/opt/x509/macos-trusted-server.pem";
+    trustedClient = "/opt/x509/macos-trusted-client.pem";
+    // Ensure trustedCA is properly installed on MacOS hosts.
+    // (MacOS is the only OS where it is installed outside of this test)
+    let exitCode = runProgram("security", "verify-cert", "-c", trustedClient);
+    assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host");
+}
+
 // jstests/sslSpecial/ssl_modes_disabled_ingress.js covers 'disabled'. We can't
 // include all of them in one file because ssl_special doesn't support requireTLS while
 // ssl_linear doesn't support disabled.
@ -22,7 +33,7 @@ mkdir(socketPrefix);

 function runTestWithMode(tlsMode) {
    const mongod = MongoRunner.runMongod(tlsMode);
-    runTLSModeTest(mongod, tlsMode.tlsMode, TRUSTED_CLIENT_CERT, TRUSTED_CA_CERT, socketPrefix);
+    runTLSModeTest(mongod, tlsMode.tlsMode, trustedClient, trustedCA, socketPrefix);
    MongoRunner.stopMongod(mongod);

    const st = new ShardingTest({
@ -36,31 +47,31 @@ function runTestWithMode(tlsMode) {
            useHostname: false,
        },
    });
-    runTLSModeTest(st.s0, tlsMode.tlsMode, TRUSTED_CLIENT_CERT, TRUSTED_CA_CERT, socketPrefix);
+    runTLSModeTest(st.s0, tlsMode.tlsMode, trustedClient, trustedCA, socketPrefix);
    st.stop();
 }

 const requireTLSMode = {
    tlsMode: "requireTLS",
-    tlsCertificateKeyFile: TRUSTED_SERVER_CERT,
-    tlsCAFile: TRUSTED_CA_CERT,
-    tlsClusterFile: TRUSTED_CLUSTER_CERT,
+    tlsCertificateKeyFile: trustedServer,
+    tlsCAFile: trustedCA,
+    tlsClusterFile: trustedClient,
    unixSocketPrefix: socketPrefix,
 };

 const allowTLSMode = {
    tlsMode: "allowTLS",
-    tlsCertificateKeyFile: TRUSTED_SERVER_CERT,
-    tlsCAFile: TRUSTED_CA_CERT,
-    tlsClusterFile: TRUSTED_CLUSTER_CERT,
+    tlsCertificateKeyFile: trustedServer,
+    tlsCAFile: trustedCA,
+    tlsClusterFile: trustedClient,
    unixSocketPrefix: socketPrefix,
 };

 const preferTLSMode = {
    tlsMode: "preferTLS",
-    tlsCertificateKeyFile: TRUSTED_SERVER_CERT,
-    tlsCAFile: TRUSTED_CA_CERT,
-    tlsClusterFile: TRUSTED_CLUSTER_CERT,
+    tlsCertificateKeyFile: trustedServer,
+    tlsCAFile: trustedCA,
+    tlsClusterFile: trustedClient,
    unixSocketPrefix: socketPrefix,
 };