/Users/deen/code/yugabyte-db/ent/src/yb/integration-tests/secure_connection_test.cc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright (c) YugaByte, Inc. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except |
4 | | // in compliance with the License. You may obtain a copy of the License at |
5 | | // |
6 | | // http://www.apache.org/licenses/LICENSE-2.0 |
7 | | // |
8 | | // Unless required by applicable law or agreed to in writing, software distributed under the License |
9 | | // is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express |
10 | | // or implied. See the License for the specific language governing permissions and limitations |
11 | | // under the License. |
12 | | // |
13 | | |
14 | | #include "yb/client/ql-dml-test-base.h" |
15 | | #include "yb/client/schema.h" |
16 | | #include "yb/client/session.h" |
17 | | #include "yb/client/table_handle.h" |
18 | | #include "yb/client/yb_op.h" |
19 | | |
20 | | #include "yb/common/ql_value.h" |
21 | | |
22 | | #include "yb/rpc/messenger.h" |
23 | | #include "yb/rpc/secure_stream.h" |
24 | | |
25 | | #include "yb/server/secure.h" |
26 | | |
27 | | #include "yb/util/size_literals.h" |
28 | | #include "yb/util/env_util.h" |
29 | | |
30 | | #include "yb/yql/cql/ql/util/errcodes.h" |
31 | | #include "yb/yql/cql/ql/util/statement_result.h" |
32 | | |
33 | | DECLARE_bool(TEST_private_broadcast_address); |
34 | | DECLARE_bool(allow_insecure_connections); |
35 | | DECLARE_bool(enable_stream_compression); |
36 | | DECLARE_bool(node_to_node_encryption_use_client_certificates); |
37 | | DECLARE_bool(use_client_to_server_encryption); |
38 | | DECLARE_bool(use_node_to_node_encryption); |
39 | | DECLARE_bool(verify_client_endpoint); |
40 | | DECLARE_bool(verify_server_endpoint); |
41 | | DECLARE_int32(TEST_nodes_per_cloud); |
42 | | DECLARE_int32(stream_compression_algo); |
43 | | DECLARE_int32(yb_client_admin_operation_timeout_sec); |
44 | | DECLARE_string(TEST_public_hostname_suffix); |
45 | | DECLARE_string(cert_file_pattern); |
46 | | DECLARE_string(certs_dir); |
47 | | DECLARE_string(cipher_list); |
48 | | DECLARE_string(ciphersuites); |
49 | | DECLARE_string(key_file_pattern); |
50 | | DECLARE_string(node_to_node_encryption_required_uid); |
51 | | DECLARE_string(ssl_protocols); |
52 | | |
53 | | using namespace std::literals; |
54 | | |
55 | | namespace yb { |
56 | | |
57 | | class SecureConnectionTest : public client::KeyValueTableTest<MiniCluster> { |
58 | | public: |
59 | 0 | SecureConnectionTest() { |
60 | 0 | } |
61 | | |
62 | 0 | void SetUp() override { |
63 | 0 | FLAGS_use_node_to_node_encryption = true; |
64 | 0 | FLAGS_use_client_to_server_encryption = true; |
65 | 0 | FLAGS_allow_insecure_connections = false; |
66 | 0 | FLAGS_TEST_public_hostname_suffix = ".ip.yugabyte"; |
67 | 0 | FLAGS_TEST_private_broadcast_address = true; |
68 | 0 | FLAGS_certs_dir = CertsDir(); |
69 | |
|
70 | 0 | KeyValueTableTest::SetUp(); |
71 | |
|
72 | 0 | DontVerifyClusterBeforeNextTearDown(); // Verify requires insecure connection. |
73 | 0 | } |
74 | | |
75 | 0 | virtual std::string CertsDir() { |
76 | 0 | const auto sub_dir = JoinPathSegments("ent", "test_certs"); |
77 | 0 | auto root_dir = env_util::GetRootDir(sub_dir); |
78 | 0 | return JoinPathSegments(root_dir, sub_dir); |
79 | 0 | } |
80 | | |
81 | 0 | CHECKED_STATUS CreateClient() override { |
82 | 0 | auto host = "127.0.0.52"; |
83 | 0 | client_ = VERIFY_RESULT(DoCreateClient(host, host, &secure_context_)); |
84 | 0 | return Status::OK(); |
85 | 0 | } |
86 | | |
87 | 0 | Result<std::unique_ptr<client::YBClient>> CreateBadClient() { |
88 | 0 | google::FlagSaver flag_saver; |
89 | 0 | FLAGS_yb_client_admin_operation_timeout_sec = 5; |
90 | 0 | auto name = "127.0.0.54"; |
91 | 0 | auto host = "127.0.0.52"; |
92 | 0 | return DoCreateClient(name, host, &bad_secure_context_); |
93 | 0 | } |
94 | | |
95 | | Result<std::unique_ptr<client::YBClient>> DoCreateClient( |
96 | | const std::string& name, const std::string& host, |
97 | 0 | std::unique_ptr<rpc::SecureContext>* secure_context) { |
98 | 0 | rpc::MessengerBuilder messenger_builder("test_client"); |
99 | 0 | *secure_context = VERIFY_RESULT(server::SetupSecureContext( |
100 | 0 | FLAGS_certs_dir, name, server::SecureContextType::kInternal, &messenger_builder)); |
101 | 0 | auto messenger = VERIFY_RESULT(messenger_builder.Build()); |
102 | 0 | messenger->TEST_SetOutboundIpBase(VERIFY_RESULT(HostToAddress(host))); |
103 | 0 | return cluster_->CreateClient(std::move(messenger)); |
104 | 0 | } |
105 | | |
106 | | void TestSimpleOps(); |
107 | | |
108 | | std::unique_ptr<rpc::SecureContext> secure_context_; |
109 | | std::unique_ptr<rpc::SecureContext> bad_secure_context_; |
110 | | }; |
111 | | |
112 | 0 | void SecureConnectionTest::TestSimpleOps() { |
113 | 0 | CreateTable(client::Transactional::kFalse); |
114 | |
|
115 | 0 | const int32_t kKey = 1; |
116 | 0 | const int32_t kValue = 2; |
117 | |
|
118 | 0 | { |
119 | 0 | auto session = NewSession(); |
120 | 0 | auto op = ASSERT_RESULT(WriteRow(session, kKey, kValue)); |
121 | 0 | ASSERT_EQ(op->response().status(), QLResponsePB::YQL_STATUS_OK); |
122 | 0 | } |
123 | |
|
124 | 0 | { |
125 | 0 | auto value = ASSERT_RESULT(SelectRow(NewSession(), kKey)); |
126 | 0 | ASSERT_EQ(kValue, value); |
127 | 0 | } |
128 | 0 | } |
129 | | |
130 | 0 | TEST_F(SecureConnectionTest, Simple) { |
131 | 0 | TestSimpleOps(); |
132 | 0 | } |
133 | | |
134 | | class SecureConnectionTLS12Test : public SecureConnectionTest { |
135 | 0 | void SetUp() override { |
136 | 0 | FLAGS_ssl_protocols = "tls12"; |
137 | 0 | SecureConnectionTest::SetUp(); |
138 | 0 | } |
139 | | }; |
140 | | |
141 | 0 | TEST_F_EX(SecureConnectionTest, TLS12, SecureConnectionTLS12Test) { |
142 | 0 | TestSimpleOps(); |
143 | |
|
144 | 0 | FLAGS_ssl_protocols = "ssl2 ssl3,tls10 tls11"; |
145 | 0 | ASSERT_NOK(CreateBadClient()); |
146 | 0 | } |
147 | | |
148 | 0 | TEST_F(SecureConnectionTest, BigWrite) { |
149 | 0 | client::YBSchemaBuilder builder; |
150 | 0 | builder.AddColumn(kKeyColumn)->Type(INT32)->HashPrimaryKey()->NotNull(); |
151 | 0 | builder.AddColumn(kValueColumn)->Type(STRING); |
152 | |
|
153 | 0 | ASSERT_OK(table_.Create(client::kTableName, 1, client_.get(), &builder)); |
154 | |
|
155 | 0 | const int32_t kKey = 1; |
156 | 0 | const std::string kValue(64_KB, 'X'); |
157 | |
|
158 | 0 | auto session = NewSession(); |
159 | 0 | { |
160 | 0 | const auto op = table_.NewWriteOp(QLWriteRequestPB::QL_STMT_INSERT); |
161 | 0 | auto* const req = op->mutable_request(); |
162 | 0 | QLAddInt32HashValue(req, kKey); |
163 | 0 | table_.AddStringColumnValue(req, kValueColumn, kValue); |
164 | 0 | ASSERT_OK(session->ApplyAndFlush(op)); |
165 | 0 | ASSERT_OK(CheckOp(op.get())); |
166 | 0 | } |
167 | |
|
168 | 0 | { |
169 | 0 | const auto op = table_.NewReadOp(); |
170 | 0 | auto* const req = op->mutable_request(); |
171 | 0 | QLAddInt32HashValue(req, kKey); |
172 | 0 | table_.AddColumns({kValueColumn}, req); |
173 | 0 | ASSERT_OK(session->ApplyAndFlush(op)); |
174 | 0 | ASSERT_OK(CheckOp(op.get())); |
175 | 0 | auto rowblock = yb::ql::RowsResult(op.get()).GetRowBlock(); |
176 | 0 | ASSERT_EQ(rowblock->row_count(), 1); |
177 | 0 | ASSERT_EQ(kValue, rowblock->row(0).column(0).string_value()); |
178 | 0 | } |
179 | 0 | } |
180 | | |
181 | | class SecureConnectionWithClientCertificatesTest : public SecureConnectionTest { |
182 | 0 | void SetUp() override { |
183 | 0 | FLAGS_TEST_nodes_per_cloud = 100; |
184 | 0 | FLAGS_node_to_node_encryption_use_client_certificates = true; |
185 | 0 | FLAGS_verify_client_endpoint = true; |
186 | 0 | SecureConnectionTest::SetUp(); |
187 | 0 | } |
188 | | }; |
189 | | |
190 | 0 | TEST_F_EX(SecureConnectionTest, ClientCertificates, SecureConnectionWithClientCertificatesTest) { |
191 | 0 | TestSimpleOps(); |
192 | |
|
193 | 0 | ASSERT_NOK(CreateBadClient()); |
194 | 0 | } |
195 | | |
196 | | class SecureConnectionVerifyNameOnlyTest : public SecureConnectionTest { |
197 | 0 | void SetUp() override { |
198 | 0 | FLAGS_TEST_nodes_per_cloud = 100; |
199 | 0 | FLAGS_node_to_node_encryption_use_client_certificates = true; |
200 | 0 | FLAGS_node_to_node_encryption_required_uid = "yugabyte-test"; |
201 | 0 | SecureConnectionTest::SetUp(); |
202 | 0 | } |
203 | | |
204 | 0 | std::string CertsDir() override { |
205 | 0 | const auto sub_dir = JoinPathSegments("ent", "test_certs", "named"); |
206 | 0 | auto root_dir = env_util::GetRootDir(sub_dir); |
207 | 0 | return JoinPathSegments(root_dir, sub_dir); |
208 | 0 | } |
209 | | }; |
210 | | |
211 | 0 | TEST_F_EX(SecureConnectionTest, VerifyNameOnly, SecureConnectionVerifyNameOnlyTest) { |
212 | 0 | TestSimpleOps(); |
213 | 0 | } |
214 | | |
215 | | class SecureConnectionCipherListTest : public SecureConnectionTest { |
216 | 0 | void SetUp() override { |
217 | 0 | FLAGS_cipher_list = "HIGH"; |
218 | 0 | FLAGS_ssl_protocols = "tls12"; |
219 | 0 | SecureConnectionTest::SetUp(); |
220 | 0 | } |
221 | | }; |
222 | | |
223 | 0 | TEST_F_EX(SecureConnectionTest, CipherList, SecureConnectionCipherListTest) { |
224 | 0 | TestSimpleOps(); |
225 | 0 | } |
226 | | |
227 | | class SecureConnectionCipherSuitesTest : public SecureConnectionTest { |
228 | 0 | void SetUp() override { |
229 | 0 | FLAGS_ciphersuites = "TLS_AES_128_CCM_8_SHA256"; |
230 | 0 | FLAGS_ssl_protocols = "tls13"; |
231 | 0 | SecureConnectionTest::SetUp(); |
232 | 0 | } |
233 | | }; |
234 | | |
235 | 0 | TEST_F_EX(SecureConnectionTest, CipherSuites, SecureConnectionCipherSuitesTest) { |
236 | 0 | TestSimpleOps(); |
237 | 0 | } |
238 | | |
239 | | class SecureConnectionCompressionTest : public SecureConnectionTest { |
240 | 0 | void SetUp() override { |
241 | 0 | FLAGS_enable_stream_compression = true; |
242 | 0 | FLAGS_stream_compression_algo = 1; |
243 | 0 | SecureConnectionTest::SetUp(); |
244 | 0 | } |
245 | | }; |
246 | | |
247 | 0 | TEST_F_EX(SecureConnectionTest, Compression, SecureConnectionCompressionTest) { |
248 | 0 | TestSimpleOps(); |
249 | 0 | } |
250 | | |
251 | | } // namespace yb |