From c40037e250f70f9aab213e3577aab129703339e3 Mon Sep 17 00:00:00 2001 From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Tue, 28 Sep 2021 15:07:51 +0800 Subject: [PATCH 1/7] Add openSSL() interface --- connection.go | 28 +++++++++++++++++++++++++++ connection_pool.go | 48 ++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 72 insertions(+), 4 deletions(-) diff --git a/connection.go b/connection.go index 7af6a29b..6499e87a 100644 --- a/connection.go +++ b/connection.go @@ -7,6 +7,7 @@ package nebula_go import ( + "crypto/tls" "fmt" "math" "time" @@ -59,6 +60,33 @@ func (cn *connection) open(hostAddress HostAddress, timeout time.Duration) error return nil } +func (cn *connection) openSSL(hostAddress HostAddress, timeout time.Duration, sslConfig *tls.Config) error { + ip := hostAddress.Host + port := hostAddress.Port + newAdd := fmt.Sprintf("%s:%d", ip, port) + cn.timeout = timeout + bufferSize := 128 << 10 + frameMaxLength := uint32(math.MaxUint32) + + SSLSocket, err := thrift.NewSSLSocketTimeout(newAdd, sslConfig, timeout) + if err != nil { + return fmt.Errorf("failed to create a net.Conn-backed Transport,: %s", err.Error()) + } + + // Set transport buffer + bufferedTranFactory := thrift.NewBufferedTransportFactory(bufferSize) + transport := thrift.NewFramedTransportMaxLength(bufferedTranFactory.GetTransport(SSLSocket), frameMaxLength) + pf := thrift.NewBinaryProtocolFactoryDefault() + cn.graph = graph.NewGraphServiceClientFactory(transport, pf) + if err = cn.graph.Open(); err != nil { + return fmt.Errorf("failed to open transport, error: %s", err.Error()) + } + if !cn.graph.IsOpen() { + return fmt.Errorf("transport is off") + } + return nil +} + // reopen reopens the current connection. // Because the code generated by Fbthrift does not handle the seqID, // the message will be dislocated when the timeout occurs, resulting in unexpected response. diff --git a/connection_pool.go b/connection_pool.go index d66f8266..52d1622f 100644 
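Review bot: openSSL forwards sslConfig to thrift.NewSSLSocketTimeout without checking it, so a caller that passes nil gets whatever the thrift socket does with a nil *tls.Config rather than a clear error; a guard at the top, `if sslConfig == nil { return fmt.Errorf("openSSL requires a non-nil tls.Config") }`, makes the contract explicit. The error message on the socket-creation path also has a stray comma and drops the error chain; `return fmt.Errorf("failed to create a net.Conn-backed Transport: %w", err)` fixes both. From `bufferSize` onward the body appears to repeat open() (which lies outside the hunk) with only the socket constructor differing, so a shared private helper that takes the created socket would remove the duplication.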
--- a/connection_pool.go +++ b/connection_pool.go @@ -8,6 +8,8 @@ package nebula_go import ( "container/list" + "crypto/tls" + "errors" "fmt" "sync" "time" 
@@ -49,21 +51,59 @@ func NewConnectionPool(addresses []HostAddress, conf PoolConfig, log Logger) (*C addresses: convAddress, hostIndex: 0, } - if err = newPool.initPool(); err != nil { + + // Init pool with non-SSL socket + if err = newPool.initPool(false, nil); err != nil { return nil, err } newPool.startCleaner() return newPool, nil } -// initPool innitializes the connection pool -func (pool *ConnectionPool) initPool() error { +// NewConnectionPool constructs a new SSL connection pool using the given addresses and configs +func NewSslConnectionPool(addresses []HostAddress, conf PoolConfig, sslConfig *tls.Config, log Logger) (*ConnectionPool, error) { + // Process domain to IP + convAddress, err := DomainToIP(addresses) + if err != nil { + return nil, fmt.Errorf("failed to find IP, error: %s ", err.Error()) + } + + // Check input + if len(convAddress) == 0 { + return nil, fmt.Errorf("failed to initialize connection pool: illegal address input") + } + + // Check config + conf.validateConf(log) + + newPool := &ConnectionPool{ + conf: conf, + log: log, + addresses: convAddress, + hostIndex: 0, + } + + // Init pool with SSL socket + if err = newPool.initPool(true, sslConfig); err != nil { + return nil, err + } + newPool.startCleaner() + return newPool, nil +} + +// initPool initializes the connection pool +func (pool *ConnectionPool) initPool(SSLEnabled bool, sslConfig *tls.Config) error { for i := 0; i < pool.conf.MinConnPoolSize; i++ { // Simple round-robin newConn := newConnection(pool.addresses[i%len(pool.addresses)]) // Open connection to host - err := newConn.open(newConn.severAddress, pool.conf.TimeOut) + err := errors.New("") + if SSLEnabled { + err = newConn.openSSL(newConn.severAddress, pool.conf.TimeOut, sslConfig) + } else { + err = newConn.open(newConn.severAddress, pool.conf.TimeOut) + } if err != nil { // If initialization failed, clean idle queue idleLen := pool.idleConnectionQueue.Len() 
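Review bot: The doc comment added above NewSslConnectionPool still reads "NewConnectionPool constructs ...", so godoc attaches the wrong name; it should be `// NewSslConnectionPool constructs a new SSL connection pool using the given addresses and configs`. NewSslConnectionPool also accepts a nil sslConfig and passes it straight through with SSLEnabled set to true, so a misconfigured caller gets a pool that claims to be SSL without a config to enforce it; an early `if sslConfig == nil { return nil, fmt.Errorf("failed to initialize connection pool: ssl config is nil") }` would reject that. In initPool, `err := errors.New("")` creates a throwaway non-nil error just to declare the variable; `var err error` is the idiom, and if nothing else in the file uses the errors package the import added in the earlier hunk becomes unnecessary. The parameter name `SSLEnabled` should be `sslEnabled` per Go naming.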
From 40682a423b6e9f9c1d26cf2552754d1299cba1d2 Mon Sep 17 00:00:00 2001 From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Thu, 30 Sep 2021 16:47:15 +0800 Subject: [PATCH 2/7] Add secrets for testing --- nebula-docker-compose/.env | 4 + nebula-docker-compose/docker-compose.yaml | 54 +++++++++ nebula-docker-compose/secrets/test.ca.key | 30 +++++ nebula-docker-compose/secrets/test.ca.pem | 24 ++++ nebula-docker-compose/secrets/test.ca.srl | 1 + nebula-docker-compose/secrets/test.client.crt | 21 ++++ nebula-docker-compose/secrets/test.client.csr | 17 +++ nebula-docker-compose/secrets/test.client.key | 27 +++++ nebula-docker-compose/ssl.env | 4 + ssl_connection_test.go | 109 ++++++++++++++++++ 10 files changed, 291 insertions(+) create mode 100644 nebula-docker-compose/.env create mode 100644 nebula-docker-compose/secrets/test.ca.key create mode 100644 nebula-docker-compose/secrets/test.ca.pem create mode 100644 nebula-docker-compose/secrets/test.ca.srl create mode 100644 nebula-docker-compose/secrets/test.client.crt create mode 100644 nebula-docker-compose/secrets/test.client.csr create mode 100644 nebula-docker-compose/secrets/test.client.key create mode 100644 nebula-docker-compose/ssl.env create mode 100644 ssl_connection_test.go diff --git a/nebula-docker-compose/.env b/nebula-docker-compose/.env new file mode 100644 index 00000000..cb75f733 --- /dev/null +++ b/nebula-docker-compose/.env @@ -0,0 +1,4 @@ +ca_path=/secrets/test.ca.pem +cert_path=/secrets/test.client.crt +key_path=/secrets/test.client.key +enable_ssl=false diff --git a/nebula-docker-compose/docker-compose.yaml b/nebula-docker-compose/docker-compose.yaml index 9fd542c7..a5b28dbd 100644 --- a/nebula-docker-compose/docker-compose.yaml +++ b/nebula-docker-compose/docker-compose.yaml 
@@ -17,6 +17,11 @@ services: - --minloglevel=0 - --timezone_name=+08:00 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} healthcheck: test: ["CMD", "curl", "-sf", "http://metad0:11000/status"] interval: 30s @@ -28,6 +33,7 @@ services: - 11000 - 11002 volumes: + - ./secrets:/secrets - ./data/meta0:/data/meta - ./logs/meta0:/logs networks: @@ -53,6 +59,11 @@ services: - --minloglevel=0 - --timezone_name=+08:00 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} healthcheck: test: ["CMD", "curl", "-sf", "http://metad1:11000/status"] interval: 30s @@ -64,6 +75,7 @@ services: - 11000 - 11002 volumes: + - ./secrets:/secrets - ./data/meta1:/data/meta - ./logs/meta1:/logs networks: @@ -89,6 +101,11 @@ services: - --minloglevel=0 - --timezone_name=+08:00 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} healthcheck: test: ["CMD", "curl", "-sf", "http://metad2:11000/status"] interval: 30s @@ -100,6 +117,7 @@ services: - 11000 - 11002 volumes: + - ./secrets:/secrets - ./data/meta2:/data/meta - ./logs/meta2:/logs networks: @@ -125,6 +143,11 @@ services: - --minloglevel=0 - --timezone_name=+08:00 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} depends_on: - metad0 - metad1 @@ -140,6 +163,7 @@ services: - 12000 - 12002 volumes: + - ./secrets:/secrets - ./data/storage0:/data/storage - ./logs/storage0:/logs networks: @@ -165,6 +189,11 @@ services: - --minloglevel=0 - --timezone_name=+08:00 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} depends_on: - metad0 - metad1 
@@ -180,6 +209,7 @@ services: - 12000 - 12002 volumes: + - ./secrets:/secrets - ./data/storage1:/data/storage - ./logs/storage1:/logs networks: @@ -205,6 +235,11 @@ services: - --minloglevel=0 - --timezone_name=+08:00 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} depends_on: - metad0 - metad1 @@ -220,6 +255,7 @@ services: - 12000 - 12002 volumes: + - ./secrets:/secrets - ./data/storage2:/data/storage - ./logs/storage2:/logs networks: @@ -245,6 +281,11 @@ services: - --timezone_name=+08:00 - --system_memory_high_watermark_ratio=0.99 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} depends_on: - metad0 - metad1 @@ -260,6 +301,7 @@ services: - 13000 - 13002 volumes: + - ./secrets:/secrets - ./logs/graph:/logs networks: - nebula-net @@ -284,6 +326,11 @@ services: - --timezone_name=+08:00 - --system_memory_high_watermark_ratio=0.99 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} depends_on: - metad0 - metad1 @@ -299,6 +346,7 @@ services: - 13000 - 13002 volumes: + - ./secrets:/secrets - ./logs/graph1:/logs networks: - nebula-net @@ -323,6 +371,11 @@ services: - --timezone_name=+08:00 - --system_memory_high_watermark_ratio=0.99 - --heartbeat_interval_secs=1 + # ssl + - --ca_path=${ca_path} + - --cert_path=${cert_path} + - --key_path=${key_path} + - --enable_ssl=${enable_ssl} depends_on: - metad0 - metad1 @@ -338,6 +391,7 @@ services: - 13000 - 13002 volumes: + - ./secrets:/secrets - ./logs/graph2:/logs networks: - nebula-net diff --git a/nebula-docker-compose/secrets/test.ca.key b/nebula-docker-compose/secrets/test.ca.key new file mode 100644 index 00000000..6006d0f2 --- /dev/null +++ b/nebula-docker-compose/secrets/test.ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,6D12ED8559E80FA3 + +tv9epnwlt4dP6Q5ee0dACOyFA5BTwYTdoMykQRJrKGwfaNeXUXn+sQ/U/oFHp1Wx +O8VZE+z2aHpiFSTw+Eh6MPt86X5yVG3tpeVO6dErvr8Kd+NpuI8zn7rNoOFRh8wD +33EFcQMLQPneDl10O18hooIoi0qwp1pd63hYZPwEhB3eOrM5Mnv9OVJs65bzYfyf +Wku33YWYxeqlDvMCsou8PZnv/M2wYsr7+QoTcNmGKP45igMthMDBzwgF+q0p9ZZU +N11c6ojAs01kfuqFf3vKfHNYe6zsBiNhnUuEy8enXSxD5E7tR/OI8aEzPLdk7fmN +/UsMK2LE0Yd5iS3O1x/1ZjSBxJ+M/UzzCO692GTAiD6Hc13iJOavq/vt1mEPjfCD +neF38Bhb5DfFi+UAHrz6EHMreamGCzP82us2maIs7mSTq7nXDZfbBc7mBDLAUUnT +J6tlrTyc+DQXzkJa6jmbxJhcsWm6XvjIBEzSXVHxEDPLnZICQk3VXODjCXTD75Rg +0WaS78Ven7DW8wn07q3VzWAFDKaet3VI+TVTv7EfIavlfiA6LSshaENdFLeHahNE +s/V/j5K3Pg6+WQcZRgOsfqIwUCSQxY13R6TTdaaCkLay5BggF5iiAO3pkqsJiadf +w843Ak4USBptymJxoZgJyFtQHpQyNiFfsAbs9BaYbg2evvE7/VQhLk0gQ7HgQMeJ +wgxEQqZQKDCCSugSzY1YEGXKnrZYCKyipzyyH936mE15zNwhYp/Pi2020+gmtP3h +CDfcPs1yeLI2/1JuimafbuKsv9xchWa6ASU8p8Q7wTLtUj9ylLKyA4A/75pK0DXG +Hv/q0O+UfhAMD438SoPBle7RSvIsDU1VjUqstlNybBglBZxGIME7/18+Ms7U32wh +4xFkZwxT2nqFgyk37tXMdMz9UBh12/AXR9NU4XY37C3Ao2TDT7/0DvU6KdJhsDpv +rGcaC2zzhko+0CPrLlk52KbqP003JXiWvOSI+FylyPPDB/YGitmndJUuQblf3u/E +l+tGi9MeSBQeWKV6D3AVnO05AZjfTUzSK0vw4DgNh5YPNJvLy31B7kDAS88vyGI1 +t6MBwjW4/tz/nS/p1Go3mSzBhPkIsCrZE+ar7lH8p8JqkLl4fXIMaVKIfyfJdzyS +lkh3K7bOGDPegxxxaWdb+EnC7k+1R3EOU7uJFW61HyrGI3q6Y7kOl5aYSJ5Ge1Uv +PycFWHWVTHq/R7HRE6HIJzGe/PnLIbStXLDFeivjfcYq1YaSaF8Vl+xg+0u3ULOl +P6IuPTph6dlcgttRZVl3ETcF0T+2wfbUwgjf0ZiguCJfR2jLGhPl1KBg0Kd9cTSY +zI3YMMd2G8hApt/QFlm4Ry8CqaJUmDcjDNIJT3M+RldUgfz37NsX05cA5e9+I1AL +2406F/v5U9gWsYx7HuwJtQrDzYYDbl1GD4H+qHFJE5JYhPP4AyWYxJ1NR5dqyvrt ++3r5+xlwZrS76c10RsBWL7th8ZEzRxOZxbtLwbf4bG/tIGfQP2sTnWwA+qym6b2S +sRduqOTP+xwnhOq/ZKn8lfsDfhT8CPnKHBsd09kM9y/UWuxFe0upLydRLE/Wsb9s +-----END RSA PRIVATE KEY----- diff --git a/nebula-docker-compose/secrets/test.ca.pem b/nebula-docker-compose/secrets/test.ca.pem new file mode 100644 index 00000000..412ba316 --- /dev/null 
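Review bot: This hunk commits a CA private key to the repository, and the later hunk for nebula-docker-compose/secrets/test.client.key commits a client private key with no encryption wrapper at all; the `Proc-Type: 4,ENCRYPTED` / `DEK-Info: DES-EDE3-CBC` headers here show the CA key is wrapped with the legacy OpenSSL passphrase format. Key material in version control is permanently exposed in history and will trip secret scanners, so the fixtures should either be generated at test time (in the Makefile/CI step that starts the compose stack) or be accompanied by a short README in secrets/ stating that every key and certificate in this directory is a throwaway test credential that must never be referenced by a non-test configuration. If they stay committed, the .env and docker-compose files that mount them should say the same thing in a comment.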
+++ b/nebula-docker-compose/secrets/test.ca.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIUDcmZFpL4PcdCXfLRBK8bR2vb39cwDQYJKoZIhvcNAQEL +BQAwgZwxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwI +SGFuZ3pob3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQLDAdzZWN0aW9u +MRYwFAYDVQQDDA1zaHlsb2NrIGh1YW5nMScwJQYJKoZIhvcNAQkBFhhzaHlsb2Nr +Lmh1YW5nQHZlc29mdC5jb20wHhcNMjEwODE5MDkyNDQ3WhcNMjUwODE4MDkyNDQ3 +WjCBnDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5nMREwDwYDVQQHDAhI +YW5nemhvdTEUMBIGA1UECgwLVmVzb2Z0IEluYy4xEDAOBgNVBAsMB3NlY3Rpb24x +FjAUBgNVBAMMDXNoeWxvY2sgaHVhbmcxJzAlBgkqhkiG9w0BCQEWGHNoeWxvY2su +aHVhbmdAdmVzb2Z0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMEAgpamCQHl+8JnUHI6/VmJHjDLYJLTliN/CwpFrhMqIVjJ8wG57WYLpXpn91Lz +eHu52LkVzcikybIJ2a+LOTvnhNFdbmTbqDtrb+s6wM/sO+nF6tU2Av4e5zhyKoeR +LL+rHMk3nymohbdN4djySFmOOU5A1O/4b0bZz4Ylu995kUawdiaEo13BzxxOC7Ik +Gge5RyDcm0uLXZqTAPy5Sjv/zpOyj0AqL1CJUH7XBN9OMRhVU0ZX9nHWl1vgLRld +J6XT17Y9QbbHhCNEdAmFE5kEFgCvZc+MungUYABlkvoj86TLmC/FMV6fWdxQssyd +hS+ssfJFLaTDaEFz5a/Tr48CAwEAAaNTMFEwHQYDVR0OBBYEFK0GVrQx+wX1GCHy +e+6fl4X+prmYMB8GA1UdIwQYMBaAFK0GVrQx+wX1GCHye+6fl4X+prmYMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHqP8P+ZUHmngviHLSSN1ln5 +Mx4BCkVeFRUaFx0yFXytV/iLXcG2HpFg3A9rAFoYgCDwi1xpsERnBZ/ShTv/eFOc +IxBY5yggx3/lGi8tAgvUdarhd7mQO67UJ0V4YU3hAkbnZ8grHHXj+4hfgUpY4ok6 +yaed6HXwknBb9W8N1jZI8ginhkhjaeRCHdMiF+fBvNCtmeR1bCml1Uz7ailrpcaT +Mf84+5VYuFEnaRZYWFNsWNCOBlJ/6/b3V10vMXzMmYHqz3xgAq0M3fVTFTzopnAX +DLSzorL/dYVdqEDCQi5XI9YAlgWN4VeGzJI+glkLOCNzHxRNP6Qev+YI+7Uxz6I= +-----END CERTIFICATE----- diff --git a/nebula-docker-compose/secrets/test.ca.srl b/nebula-docker-compose/secrets/test.ca.srl new file mode 100644 index 00000000..fbf9cacc --- /dev/null +++ b/nebula-docker-compose/secrets/test.ca.srl @@ -0,0 +1 @@ +7E73E19D9FB0276F6149040F5FEB802543EBB3F9 diff --git a/nebula-docker-compose/secrets/test.client.crt b/nebula-docker-compose/secrets/test.client.crt new file mode 100644 index 00000000..f50fa816 
--- /dev/null +++ b/nebula-docker-compose/secrets/test.client.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk4CFH5z4Z2fsCdvYUkED1/rgCVD67P5MA0GCSqGSIb3DQEBCwUAMIGc +MQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6 +aG91MRQwEgYDVQQKDAtWZXNvZnQgSW5jLjEQMA4GA1UECwwHc2VjdGlvbjEWMBQG +A1UEAwwNc2h5bG9jayBodWFuZzEnMCUGCSqGSIb3DQEJARYYc2h5bG9jay5odWFu +Z0B2ZXNvZnQuY29tMB4XDTIxMDkyODEyMzk1NloXDTI0MDEwMTEyMzk1NlowQjEL +MAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVm +YXVsdCBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANqFy+Fhsb9ptr9CfcmqAt/AP2ibrUH1j9UVQZTwgSrApAAOjgWqLWaO+o6gz7Ds +ZSSx6OBXpyuA+blYcCeFjr45c2l4sdpy6G9bfSOKCzh8yZLlPAaDzgbNnsta/kqR +fePM3kV2DWxQQEXXKyHCjMgYPFl2nVpJ4/z669SLvDCr4UocmE7PG5OcK4AURgnc +eIGLszurBBgyFmxKZVxrdMRx5Xmidi8gIL5i97laMGWE6qtiOSRnWoh52vdB+2Dm +rkByY/7tsApXRPzSNjA/D9DYRzN7n3gz/2ndUFO7qLZBNv9rnvauqeaksdP+xpWb +jfMG7rVV6w7bE2PGqLp4v4kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAhyJ/ZgYR +2EddiwHPT+twKTzgUjPKgnSkCfAE0dTRlkZIB9K/XPKhoG1ocalgxuyfwTKQhSmf +uWcV43jWpj9rizERcekugJoElz9JqF19u01RdoIIv10aZVb4+nhpYJ3ETNlV+pM6 +59WgSGqx53Cbrm9WaVqepGsFHtpU9SGZ/kmL4Yu9omWoyJ1uOf1aO4T9q5M/kA8O +Feb3MKTUwBZn+axsIzMpnNlqhltvLzPvTfVP/s9bzbP/VsQkIpNOM833gVU1IREM +LMNTliOkO6heVHs5tja9NjgTmpgZJASbUk5k7xAVk7obrlD/auYo/HN+pMMCsSeu +WMAMtzWQz/fA9w== +-----END CERTIFICATE----- diff --git a/nebula-docker-compose/secrets/test.client.csr b/nebula-docker-compose/secrets/test.client.csr new file mode 100644 index 00000000..4468adc1 --- /dev/null +++ b/nebula-docker-compose/secrets/test.client.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnjCCAYYCAQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0 +eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANqFy+Fhsb9ptr9CfcmqAt/AP2ibrUH1j9UVQZTwgSrA +pAAOjgWqLWaO+o6gz7DsZSSx6OBXpyuA+blYcCeFjr45c2l4sdpy6G9bfSOKCzh8 +yZLlPAaDzgbNnsta/kqRfePM3kV2DWxQQEXXKyHCjMgYPFl2nVpJ4/z669SLvDCr +4UocmE7PG5OcK4AURgnceIGLszurBBgyFmxKZVxrdMRx5Xmidi8gIL5i97laMGWE +6qtiOSRnWoh52vdB+2DmrkByY/7tsApXRPzSNjA/D9DYRzN7n3gz/2ndUFO7qLZB +Nv9rnvauqeaksdP+xpWbjfMG7rVV6w7bE2PGqLp4v4kCAwEAAaAXMBUGCSqGSIb3 +DQEJBzEIDAYxMjM0NTYwDQYJKoZIhvcNAQELBQADggEBAHWHy1/p9Vn9klqdADBl +74SFoPFg6ErUQyBtBAJf+9m43hPIH7UNiPXb7R3p8fnsnKEO6Rb37I9nY3WeMLaG +MLjzzHg1+cbjgfsbFa/IZbjeRwVTAil5h/9E8Hm7E3fIllwetAFSIXOs1CvsCieR +zi+fnyX0s+az3AaV74wB2+1EODq+881oj6Y063DNa43fop7vHq37KJP0DnjjF3pv +xtf6uyyKvNhsEh4gIRBdEzBJ4A00TcI+uZ3gOdYEv7sIjwmKZzzEHFgpNXbj1D2Y +QLtZ/d+BwxN4ItzuyMYEc7sTlEKZJQvH1C8DA7SgIT3BSyRC8TQsBUWZ7tg1StlM +jLI= +-----END CERTIFICATE REQUEST----- diff --git a/nebula-docker-compose/secrets/test.client.key b/nebula-docker-compose/secrets/test.client.key new file mode 100644 index 00000000..2c4eacad --- /dev/null +++ b/nebula-docker-compose/secrets/test.client.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA2oXL4WGxv2m2v0J9yaoC38A/aJutQfWP1RVBlPCBKsCkAA6O +BaotZo76jqDPsOxlJLHo4FenK4D5uVhwJ4WOvjlzaXix2nLob1t9I4oLOHzJkuU8 +BoPOBs2ey1r+SpF948zeRXYNbFBARdcrIcKMyBg8WXadWknj/Prr1Iu8MKvhShyY +Ts8bk5wrgBRGCdx4gYuzO6sEGDIWbEplXGt0xHHleaJ2LyAgvmL3uVowZYTqq2I5 +JGdaiHna90H7YOauQHJj/u2wCldE/NI2MD8P0NhHM3ufeDP/ad1QU7uotkE2/2ue +9q6p5qSx0/7GlZuN8wbutVXrDtsTY8aouni/iQIDAQABAoIBAAoCevZV/UhhVUep +ig2ExiDts3ndN7B/yRjfomNqKOCGdnyyLftAclfyULPb1eeqzG9D3wD3wuaRP98n +l+uXiJRaGVlJeAwjm1YOgMrx9dWekbUy3u8FdpiFLrLt9hwAUh3vMndIExFVE7yf +QJCJUt2PjqQidM6/97uM2uSfif1IrJCVt7G9Q1ukI2X5RsTihmFLJjVkfYE83T5N +8wNGKKDyy+PuMjXl3gaHux7mOiorILHVFqzMMzgfEvghobTN/axLEAzgVJu+0Sqq +XrueMht4QIIST5ix1d9KN9kGZ5dq1MJ4Lfy5NjZ6eYhxdkq41O3USSJQQN/zW+uM +Ig/0JAECgYEA/DsRsWfaV7vo/fh0rZGP5pRDUSXKXliqnyukjCPTyuk9VHOSIDPh +uEvcdcP47iu2VwnKum5RRS8lu0Nd4I3qmvgepUp71cBsM9Bn/89WoLU5/lw3pbDs +saOW1lI5kZ/FCzDSGnGLFcC8PMd9MmqUIzzOkhvDn2XiQGeOkv5b7UECgYEA3cnG +JTNIPg1L55fwX9Uj3tyb03T8iqdHd6oeUS+fsBKDdgOrL5lW+WIsUJ1uIUZ8+pA2 +v4f2W+4yQueEcDvmi3+GB12Zzlfz26n7O9ZW+cvE1NZXycRtdZaDRFijovTZnnpv +3SFvDcdc8aUQ833SZ5XhzykPCfrRRFNd+x8EGEkCgYAhsfZsH7aQb97xRqa3pTF3 +GSlhBs5hCjFI8DicLBEYE06JIKNNwACQcTnzVYnEr3w9ZmZ5v1EGEAVXXemFnQ/R +QgI+DJQ8euc5iMbL6rPk5jDoJQOeE+Oa24LEANoF9TUKiKwYskBlWIkNCY1VFd3S +U0Y5SJI6kg7Gkc7/HhHDwQKBgQCT1zqT9ZlEc8yTNn7vAr8Egf4FeMgXDObg56+J +4rsJvW2QL2XfNtH5Lu3nVungmIIa7CLyjYk1QpSScI2h2uwVNQ58vnIWUB6n4Kkt ++/TCUoiEb9TZFGz6ozghSQzbRWgC8g67UtwaTTixg5zHEqo8jnaVhwMVXfI9H21Y +RhaOsQKBgQCOf8JLdIEMH8z0bGh2He0mv0qBcN9EUuhSw85+JZUReq+2sEeT8zM3 +hl1RMXKS3K+u8IiGAffESju5EK85/hD0NsSv4EGOWfuuN4/jRQ9MGJ9kEL6BBM9T +FAxvY63PS6yOy+rgT21dc8GOjlM1DOTPZzCrnKW1kvwaBsSZeNF59A== +-----END RSA PRIVATE KEY----- diff --git a/nebula-docker-compose/ssl.env b/nebula-docker-compose/ssl.env new file mode 100644 index 00000000..f9de7e25 --- /dev/null +++ b/nebula-docker-compose/ssl.env 
@@ -0,0 +1,4 @@ +ca_path=/secrets/test.ca.pem +cert_path=/secrets/test.client.crt +key_path=/secrets/test.client.key +enable_ssl=true diff --git a/ssl_connection_test.go b/ssl_connection_test.go new file mode 100644 index 00000000..08eeb4c3 --- /dev/null +++ b/ssl_connection_test.go 
@@ -0,0 +1,109 @@ +/* Copyright (c) 2020 vesoft inc. All rights reserved. + * + * This source code is licensed under Apache 2.0 License, + * attached with Common Clause Condition 1.0, found in the LICENSES directory. + */ + +package nebula_go + +import ( + "crypto/tls" + "crypto/x509" + "fmt" + "io/ioutil" + "os" + "testing" + "time" +) + +func TestSSLConnection(t *testing.T) { + hostAdress := HostAddress{Host: address, Port: port} + // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562} + hostList := []HostAddress{} + hostList = append(hostList, hostAdress) + + testPoolConfig = PoolConfig{ + TimeOut: 0 * time.Millisecond, + IdleTime: 0 * time.Millisecond, + MaxConnPoolSize: 10, + MinConnPoolSize: 1, + } + + var ( + rootCA = openAndReadFile(t, "./nebula-docker-compose/secrets/test.ca.pem") + cert = openAndReadFile(t, "./nebula-docker-compose/secrets/test.client.crt") + privateKey = openAndReadFile(t, "./nebula-docker-compose/secrets/test.client.key") + ) + + // generate the client certificate + clientCert, err := tls.X509KeyPair(cert, privateKey) + if err != nil { + panic(err) + } + + // parse root CA pem and add into CA pool + rootCAPool := x509.NewCertPool() + ok := rootCAPool.AppendCertsFromPEM(rootCA) + if !ok { + t.Fatal("unable to append supplied cert into tls.Config, are you sure it is a valid certificate") + } + + // set tls config + // InsecureSkipVerify is set to true for test purpose ONLY. DO NOT use it in production. 
+ sslConfig := &tls.Config{ + Certificates: []tls.Certificate{clientCert}, + RootCAs: rootCAPool, + InsecureSkipVerify: true, // This is only used for testing + } + + // Initialize connectin pool + pool, err := NewSslConnectionPool(hostList, testPoolConfig, sslConfig, nebulaLog) + if err != nil { + t.Fatalf("fail to initialize the connection pool, host: %s, port: %d, %s", address, port, err.Error()) + } + // close all connections in the pool + defer pool.Close() + + // Create session + session, err := pool.GetSession(username, password) + if err != nil { + t.Fatalf("fail to create a new session from connection pool, username: %s, password: %s, %s", + username, password, err.Error()) + } + defer session.Release() + // Excute a query + resp, err := tryToExecute(session, "SHOW HOSTS;") + if err != nil { + t.Fatalf(err.Error()) + return + } + checkResSetResp(t, "show hosts", resp) + // Create a new space + resp, err = tryToExecute(session, "CREATE SPACE client_test(partition_num=1024, replica_factor=1, vid_type = FIXED_STRING(30));") + if err != nil { + t.Fatalf(err.Error()) + return + } + checkResSetResp(t, "create space", resp) + + resp, err = tryToExecute(session, "DROP SPACE client_test;") + if err != nil { + t.Fatalf(err.Error()) + return + } + checkResSetResp(t, "drop space", resp) +} + +func openAndReadFile(t *testing.T, path string) []byte { + // open file + f, err := os.Open(path) + if err != nil { + t.Fatalf(fmt.Sprintf("unable to open test file %s: %s", path, err)) + } + // read file + b, err := ioutil.ReadAll(f) + if err != nil { + t.Fatalf(fmt.Sprintf("unable to ReadAll of test file %s: %s", path, err)) + } + return b +} From b15364688034fe6c6e898b8ff9104818a99c242e Mon Sep 17 00:00:00 2001 
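Review bot: With `InsecureSkipVerify: true`, crypto/tls does not verify the server chain at all, so the `RootCAs` pool built from test.ca.pem a few lines earlier is never consulted and the test does not exercise the CA trust path it sets up; setting `ServerName` to the name in the server certificate and dropping InsecureSkipVerify would make the test meaningful, or the comment should state that only the handshake, not verification, is covered. The session-failure message `t.Fatalf("fail to create a new session from connection pool, username: %s, password: %s, %s", ...)` writes the password into CI logs; drop the password argument. openAndReadFile never closes `f`, so `ioutil.ReadFile(path)` should replace the Open/ReadAll pair, and `panic(err)` after X509KeyPair should be `t.Fatal(err)` like the other failure paths. `t.Fatalf(err.Error())` and `t.Fatalf(fmt.Sprintf(...))` pass non-constant format strings; use `t.Fatal(err)` and `t.Fatalf("unable to open test file %s: %s", path, err)`.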
From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Thu, 30 Sep 2021 17:09:48 +0800 Subject: [PATCH 3/7] Update GitHub action --- .github/workflows/test.yaml | 9 ++++++++- Makefile | 9 ++++++++- nebula-docker-compose/ssl.env | 4 ---- ssl_connection_test.go | 6 +++--- 4 files changed, 19 insertions(+), 9 deletions(-) delete mode 100644 nebula-docker-compose/ssl.env diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 1e1ac12d..f76dd10b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -16,10 +16,17 @@ jobs: - name: Test with GO test run: | pushd nebula-docker-compose/ - docker-compose up -d + enable_ssl=false docker-compose up -d sleep 10 popd go test -v -race + - name: Test SSL connection + run: | + pushd nebula-docker-compose/ + enable_ssl=true docker-compose up -d + sleep 10 + popd + go test -v -run TestSSLConnection - name: Run examples run: | go run basic_example/graph_client_basic_example.go diff --git a/Makefile b/Makefile index 85a2f5ed..51af1433 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: build test fmt ci run-examples +.PHONY: build test fmt ci ssl-test run-examples default: build @@ -20,6 +20,13 @@ ci: go test -v -race; \ cd ./nebula-docker-compose && docker-compose down -v +ssl-test: + cd ./nebula-docker-compose && enable_ssl=true docker-compose up -d && \ + sleep 5 && \ + cd .. && \ + go test -v -run TestSSLConnection; \ + cd ./nebula-docker-compose && docker-compose down -v + run-examples: go run basic_example/graph_client_basic_example.go go run gorountines_example/graph_client_goroutines_example.go diff --git a/nebula-docker-compose/ssl.env b/nebula-docker-compose/ssl.env deleted file mode 100644 index f9de7e25..00000000 --- a/nebula-docker-compose/ssl.env +++ /dev/null @@ -1,4 +0,0 @@ -ca_path=/secrets/test.ca.pem -cert_path=/secrets/test.client.crt -key_path=/secrets/test.client.key -enable_ssl=true 
diff --git a/ssl_connection_test.go b/ssl_connection_test.go index 08eeb4c3..39d9b34d 100644 --- a/ssl_connection_test.go +++ b/ssl_connection_test.go @@ -77,21 +77,21 @@ func TestSSLConnection(t *testing.T) { t.Fatalf(err.Error()) return } - checkResSetResp(t, "show hosts", resp) + checkResultSet(t, "show hosts", resp) // Create a new space resp, err = tryToExecute(session, "CREATE SPACE client_test(partition_num=1024, replica_factor=1, vid_type = FIXED_STRING(30));") if err != nil { t.Fatalf(err.Error()) return } - checkResSetResp(t, "create space", resp) + checkResultSet(t, "create space", resp) resp, err = tryToExecute(session, "DROP SPACE client_test;") if err != nil { t.Fatalf(err.Error()) return } - checkResSetResp(t, "drop space", resp) + checkResultSet(t, "drop space", resp) } func openAndReadFile(t *testing.T, path string) []byte { From 0c4f8fa9ec67f953f5bfbf975dff5cece9195d94 Mon Sep 17 00:00:00 2001 From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Sun, 3 Oct 2021 22:34:38 +0800 Subject: [PATCH 4/7] Add skipCI() --- .github/workflows/test.yaml | 2 +- ssl_connection_test.go | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index f76dd10b..add026fe 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -26,7 +26,7 @@ jobs: enable_ssl=true docker-compose up -d sleep 10 popd - go test -v -run TestSSLConnection + ssl_test=true go test -v -run TestSSLConnection - name: Run examples run: | go run basic_example/graph_client_basic_example.go diff --git a/ssl_connection_test.go b/ssl_connection_test.go index 39d9b34d..0328a9e0 100644 --- a/ssl_connection_test.go +++ b/ssl_connection_test.go 
@@ -17,6 +17,9 @@ import ( ) func TestSSLConnection(t *testing.T) { + // skip test when ssl_test is not set to true + skipCI(t) + hostAdress := HostAddress{Host: address, Port: port} // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562} hostList := []HostAddress{} @@ -107,3 +110,9 @@ func openAndReadFile(t *testing.T, path string) []byte { } return b } + +func skipCI(t *testing.T) { + if os.Getenv("ssl_test") != "true" { + t.Skip("Skipping SSL testing in CI environment") + } +} From 89c3b977f434994902abbf16db409c588e4bda0e Mon Sep 17 00:00:00 2001 From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Mon, 11 Oct 2021 15:14:06 +0800 Subject: [PATCH 5/7] Modify newConnToHost() --- .github/workflows/test.yaml | 11 ++- Makefile | 9 +- connection_pool.go | 34 +++++-- nebula-docker-compose/.env | 4 +- nebula-docker-compose/docker-compose.yaml | 20 ++++ .../secrets/test.ca.password | 1 + .../secrets/test.self-signed.key | 30 ++++++ .../secrets/test.self-signed.password | 1 + .../secrets/test.self-signed.pem | 24 +++++ ssl_connection_test.go | 99 +++++++++++++++++-- 10 files changed, 213 insertions(+), 20 deletions(-) create mode 100644 nebula-docker-compose/secrets/test.ca.password create mode 100644 nebula-docker-compose/secrets/test.self-signed.key create mode 100644 nebula-docker-compose/secrets/test.self-signed.password create mode 100644 nebula-docker-compose/secrets/test.self-signed.pem diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index add026fe..aa8a34ea 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
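Review bot: skipCI's name and skip message say the test is skipped "in CI environment", but the condition is `os.Getenv("ssl_test") != "true"` and the workflow hunk in this same patch is what sets `ssl_test=true`, so the test is skipped everywhere except in CI; the name and message invert the intent. A name such as `skipUnlessSSLTest` and the message `t.Skip("ssl_test is not set to true; skipping SSL connection test")` would describe what actually happens. A one-line doc comment naming the environment variable would also help the next reader find the switch.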
@@ -20,13 +20,20 @@ jobs: sleep 10 popd go test -v -race - - name: Test SSL connection + - name: Test SSL connection with CA run: | pushd nebula-docker-compose/ enable_ssl=true docker-compose up -d sleep 10 popd - ssl_test=true go test -v -run TestSSLConnection + ssl_test=true go test -v -run TestSslConnection + - name: Test SSL connection self-signed + run: | + pushd nebula-docker-compose/ + enable_ssl=true ca_signed docker-compose up -d + sleep 10 + popd + self_signed=true go test -v -run TestSslConnectionSelfSigned - name: Run examples run: | go run basic_example/graph_client_basic_example.go diff --git a/Makefile b/Makefile index 51af1433..33ad4c9b 100644 --- a/Makefile +++ b/Makefile @@ -18,13 +18,20 @@ ci: sleep 5 && \ cd .. && \ go test -v -race; \ + cd ./nebula-docker-compose && docker-compose down -v + +ssl-test: + cd ./nebula-docker-compose && enable_ssl=true docker-compose up -d && \ + sleep 5 && \ + cd .. && \ + go test -v -run TestSslConnection; \ cd ./nebula-docker-compose && docker-compose down -v ssl-test: cd ./nebula-docker-compose && enable_ssl=true docker-compose up -d && \ sleep 5 && \ cd .. && \ - go test -v -run TestSSLConnection; \ + ssl_test=true go test -v -run TestSslConnection; \ cd ./nebula-docker-compose && docker-compose down -v run-examples: diff --git a/connection_pool.go b/connection_pool.go index 52d1622f..23728133 100644 --- a/connection_pool.go +++ b/connection_pool.go @@ -27,6 +27,7 @@ type ConnectionPool struct { rwLock sync.RWMutex cleanerChan chan struct{} //notify when pool is close closed bool + sslConfig *tls.Config } // NewConnectionPool constructs a new connection pool using the given addresses and configs 
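Review bot: In the new "Test SSL connection self-signed" step, `enable_ssl=true ca_signed docker-compose up -d` has `ca_signed` with no `=value`, so the shell treats `enable_ssl=true` as a prefix assignment and `ca_signed` as the command to run, and the step fails before docker-compose starts; if the intent is to override the compose default it should read `enable_ssl=true ca_signed=false docker-compose up -d`. The step then runs with `self_signed=true`, while the only test gate visible in this series (skipCI from the previous patch) checks `ssl_test`; the ssl_connection_test.go change of this patch is not in view, so confirm TestSslConnectionSelfSigned is gated on the variable this step sets.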
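Review bot: The Makefile hunk inserts a new `ssl-test:` target directly above the existing `ssl-test:` target whose recipe it edits in the same hunk, so the file now declares the same target twice and make will warn about overriding the recipe and keep only the second one. Delete the inserted block (from the added `ssl-test:` line through its `docker-compose down -v`) and keep the lower target, which is the one that sets `ssl_test=true go test -v -run TestSslConnection`. The `ci:` target's trailing `docker-compose down -v` line that the hunk re-adds appears to be the same cleanup line the original already had, so check that it is not duplicated either.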
@@ -50,10 +51,11 @@ func NewConnectionPool(addresses []HostAddress, conf PoolConfig, log Logger) (*C log: log, addresses: convAddress, hostIndex: 0, + sslConfig: nil, } // Init pool with non-SSL socket - if err = newPool.initPool(false, nil); err != nil { + if err = newPool.initPool(); err != nil { return nil, err } newPool.startCleaner() @@ -81,10 +83,11 @@ func NewSslConnectionPool(addresses []HostAddress, conf PoolConfig, sslConfig *t log: log, addresses: convAddress, hostIndex: 0, + sslConfig: sslConfig, } // Init pool with SSL socket - if err = newPool.initPool(true, sslConfig); err != nil { + if err = newPool.initPool(); err != nil { return nil, err } newPool.startCleaner() @@ -92,15 +95,15 @@ func NewSslConnectionPool(addresses []HostAddress, conf PoolConfig, sslConfig *t } // initPool initializes the connection pool -func (pool *ConnectionPool) initPool(SSLEnabled bool, sslConfig *tls.Config) error { +func (pool *ConnectionPool) initPool() error { for i := 0; i < pool.conf.MinConnPoolSize; i++ { // Simple round-robin newConn := newConnection(pool.addresses[i%len(pool.addresses)]) // Open connection to host err := errors.New("") - if SSLEnabled { - err = newConn.openSSL(newConn.severAddress, pool.conf.TimeOut, sslConfig) + if pool.sslConfig != nil { + err = newConn.openSSL(newConn.severAddress, pool.conf.TimeOut, pool.sslConfig) } else { err = newConn.open(newConn.severAddress, pool.conf.TimeOut) } @@ -207,8 +210,14 @@ func (pool *ConnectionPool) release(conn *connection) { func (pool *ConnectionPool) Ping(host HostAddress, timeout time.Duration) error { newConn := newConnection(host) // Open connection to host - if err := newConn.open(newConn.severAddress, timeout); err != nil { - return err + if pool.sslConfig != nil { + if err := newConn.open(newConn.severAddress, timeout); err != nil { + return err + } + } else { + if err := newConn.openSSL(newConn.severAddress, timeout, pool.sslConfig); err != nil { + return err + } } newConn.close() return nil 
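Review bot: In Ping the SSL check is inverted: `if pool.sslConfig != nil` calls `newConn.open(...)`, the plaintext path, and the `else` branch calls `newConn.openSSL(..., pool.sslConfig)` with a nil config; initPool in the same patch has it the right way round. The newConnToHost hunk that follows has the same inversion, which matters more, since for a pool built with NewSslConnectionPool every connection created after the initial MinConnPoolSize ones would be opened without TLS, silently downgrading the transport (and a plain pool would call openSSL with nil). Swap the two calls in both functions so the `!= nil` branch reads `if err := newConn.openSSL(newConn.severAddress, timeout, pool.sslConfig); err != nil {` and the else branch uses `newConn.open`. The existing test only opens one connection, so it likely would not catch this; a pool test with MinConnPoolSize smaller than the number of sessions requested would.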
@@ -260,9 +269,14 @@ func (pool *ConnectionPool) newConnToHost() (*connection, error) { host := pool.getHost() newConn := newConnection(host) // Open connection to host - err := newConn.open(newConn.severAddress, pool.conf.TimeOut) - if err != nil { - return nil, err + if pool.sslConfig != nil { + if err := newConn.open(newConn.severAddress, pool.conf.TimeOut); err != nil { + return nil, err + } + } else { + if err := newConn.openSSL(newConn.severAddress, pool.conf.TimeOut, pool.sslConfig); err != nil { + return nil, err + } } // Add connection to active queue pool.activeConnectionQueue.PushBack(newConn) diff --git a/nebula-docker-compose/.env b/nebula-docker-compose/.env index cb75f733..d7c7929c 100644 --- a/nebula-docker-compose/.env +++ b/nebula-docker-compose/.env @@ -1,4 +1,6 @@ +enable_ssl=false +ca_signed=true ca_path=/secrets/test.ca.pem +password_path=/secrets/test.ca.password cert_path=/secrets/test.client.crt key_path=/secrets/test.client.key -enable_ssl=false diff --git a/nebula-docker-compose/docker-compose.yaml b/nebula-docker-compose/docker-compose.yaml index a5b28dbd..62d48926 100644 --- a/nebula-docker-compose/docker-compose.yaml +++ b/nebula-docker-compose/docker-compose.yaml @@ -22,6 +22,8 @@ services: - --cert_path=${cert_path} - --key_path=${key_path} - --enable_ssl=${enable_ssl} + - --ca_signed=${ca_signed} + - --password_path=${password_path} healthcheck: test: ["CMD", "curl", "-sf", "http://metad0:11000/status"] interval: 30s @@ -64,6 +66,8 @@ services: - --cert_path=${cert_path} - --key_path=${key_path} - --enable_ssl=${enable_ssl} + - --ca_signed=${ca_signed} + - --password_path=${password_path} healthcheck: test: ["CMD", "curl", "-sf", "http://metad1:11000/status"] interval: 30s @@ -106,6 +110,8 @@ services: - --cert_path=${cert_path} - --key_path=${key_path} - --enable_ssl=${enable_ssl} + - --ca_signed=${ca_signed} + - --password_path=${password_path} healthcheck: test: ["CMD", "curl", "-sf", "http://metad2:11000/status"] interval: 30s 
@@ -148,6 +154,8 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
+ - --ca_signed=${ca_signed}
+ - --password_path=${password_path}
 depends_on:
 - metad0
 - metad1
@@ -194,6 +202,8 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
+ - --ca_signed=${ca_signed}
+ - --password_path=${password_path}
 depends_on:
 - metad0
 - metad1
@@ -240,6 +250,8 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
+ - --ca_signed=${ca_signed}
+ - --password_path=${password_path}
 depends_on:
 - metad0
 - metad1
@@ -286,6 +298,8 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
+ - --ca_signed=${ca_signed}
+ - --password_path=${password_path}
 depends_on:
 - metad0
 - metad1
@@ -331,6 +345,8 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
+ - --ca_signed=${ca_signed}
+ - --password_path=${password_path}
 depends_on:
 - metad0
 - metad1
@@ -376,6 +392,10 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
+ - --ca_signed=${ca_signed}
+ - --password_path=${password_path}
+
+
 depends_on:
 - metad0
 - metad1
diff --git a/nebula-docker-compose/secrets/test.ca.password b/nebula-docker-compose/secrets/test.ca.password
new file mode 100644
index 00000000..143be9ab
--- /dev/null
+++ b/nebula-docker-compose/secrets/test.ca.password
@@ -0,0 +1 @@
+vesoft
diff --git a/nebula-docker-compose/secrets/test.self-signed.key b/nebula-docker-compose/secrets/test.self-signed.key
new file mode 100644
index 00000000..41ebbf5a
--- /dev/null
+++ b/nebula-docker-compose/secrets/test.self-signed.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,6D12ED8559E80FA3
+
+tv9epnwlt4dP6Q5ee0dACOyFA5BTwYTdoMykQRJrKGwfaNeXUXn+sQ/U/oFHp1Wx
+O8VZE+z2aHpiFSTw+Eh6MPt86X5yVG3tpeVO6dErvr8Kd+NpuI8zn7rNoOFRh8wD
+33EFcQMLQPneDl10O18hooIoi0qwp1pd63hYZPwEhB3eOrM5Mnv9OVJs65bzYfyf
+Wku33YWYxeqlDvMCsou8PZnv/M2wYsr7+QoTcNmGKP45igMthMDBzwgF+q0p9ZZU
+N11c6ojAs01kfuqFf3vKfHNYe6zsBiNhnUuEy8enXSxD5E7tR/OI8aEzPLdk7fmN
+/UsMK2LE0Yd5iS3O1x/1ZjSBxJ+M/UzzCO692GTAiD6Hc13iJOavq/vt1mEPjfCD
+neF38Bhb5DfFi+UAHrz6EHMreamGCzP82us2maIs7mSTq7nXDZfbBc7mBDLAUUnT
+J6tlrTyc+DQXzkJa6jmbxJhcsWm6XvjIBEzSXVHxEDPLnZICQk3VXODjCXTD75Rg
+0WaS78Ven7DW8wn07q3VzWAFDKaet3VI+TVTv7EfIavlfiA6LSshaENdFLeHahNE
+s/V/j5K3Pg6+WQcZRgOsfqIwUCSQxY13R6TTdaaCkLay5BggF5iiAO3pkqsJiadf
+w843Ak4USBptymJxoZgJyFtQHpQyNiFfsAbs9BaYbg2evvE7/VQhLk0gQ7HgQMeJ
+wgxEQqZQKDCCSugSzY1YEGXKnrZYCKyipzyyH936mE15zNwhYp/Pi2020+gmtP3h
+CDfcPs1yeLI2/1JuimafbuKsv9xchWa6ASU8p8Q7wTLtUj9ylLKyA4A/75pK0DXG
+Hv/q0O+UfhAMD438SoPBle7RSvIsDU1VjUqstlNybBglBZxGIME7/18+Ms7U32wh
+4xFkZwxT2nqFgyk37tXMdMz9UBh12/AXR9NU4XY37C3Ao2TDT7/0DvU6KdJhsDpv
+rGcaC2zzhko+0CPrLlk52KbqP003JXiWvOSI+FylyPPDB/YGitmndJUuQblf3u/E
+l+tGi9MeSBQeWKV6D3AVnO05AZjfTUzSK0vw4DgNh5YPNJvLy31B7kDAS88vyGI1
+t6MBwjW4/tz/nS/p1Go3mSzBhPkIsCrZE+ar7lH8p8JqkLl4fXIMaVKIfyfJdzyS
+lkh3K7bOGDPegxxxaWdb+EnC7k+1R3EOU7uJFW61HyrGI3q6Y7kOl5aYSJ5Ge1Uv
+PycFWHWVTHq/R7HRE6HIJzGe/PnLIbStXLDFeivjfcYq1YaSaF8Vl+xg+0u3ULOl
+P6IuPTph6dlcgttRZVl3ETcF0T+2wfbUwgjf0ZiguCJfR2jLGhPl1KBg0Kd9cTSY
+zI3YMMd2G8hApt/QFlm4Ry8CqaJUmDcjDNIJT3M+RldUgfz37NsX05cA5e9+I1AL
+2406F/v5U9gWsYx7HuwJtQrDzYYDbl1GD4H+qHFJE5JYhPP4AyWYxJ1NR5dqyvrt
++3r5+xlwZrS76c10RsBWL7th8ZEzRxOZxbtLwbf4bG/tIGfQP2sTnWwA+qym6b2S
+sRduqOTP+xwnhOq/ZKn8lfsDfhT8CPnKHBsd09kM9y/UWuxFe0upLydRLE/Wsb9s
+-----END RSA PRIVATE KEY-----
diff --git a/nebula-docker-compose/secrets/test.self-signed.password b/nebula-docker-compose/secrets/test.self-signed.password
new file mode 100644
index 00000000..143be9ab
--- /dev/null
+++ b/nebula-docker-compose/secrets/test.self-signed.password
@@ -0,0 +1 @@
+vesoft
diff --git a/nebula-docker-compose/secrets/test.self-signed.pem b/nebula-docker-compose/secrets/test.self-signed.pem
new file mode 100644
index 00000000..85eb39f6
--- /dev/null
+++ b/nebula-docker-compose/secrets/test.self-signed.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEGzCCAwOgAwIBAgIUDcmZFpL4PcdCXfLRBK8bR2vb39cwDQYJKoZIhvcNAQEL
+BQAwgZwxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwI
+SGFuZ3pob3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQLDAdzZWN0aW9u
+MRYwFAYDVQQDDA1zaHlsb2NrIGh1YW5nMScwJQYJKoZIhvcNAQkBFhhzaHlsb2Nr
+Lmh1YW5nQHZlc29mdC5jb20wHhcNMjEwODE5MDkyNDQ3WhcNMjUwODE4MDkyNDQ3
+WjCBnDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5nMREwDwYDVQQHDAhI
+YW5nemhvdTEUMBIGA1UECgwLVmVzb2Z0IEluYy4xEDAOBgNVBAsMB3NlY3Rpb24x
+FjAUBgNVBAMMDXNoeWxvY2sgaHVhbmcxJzAlBgkqhkiG9w0BCQEWGHNoeWxvY2su
+aHVhbmdAdmVzb2Z0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMEAgpamCQHl+8JnUHI6/VmJHjDLYJLTliN/CwpFrhMqIVjJ8wG57WYLpXpn91Lz
+eHu52LkVzcikybIJ2a+LOTvnhNFdbmTbqDtrb+s6wM/sO+nF6tU2Av4e5zhyKoeR
+LL+rHMk3nymohbdN4djySFmOOU5A1O/4b0bZz4Ylu995kUawdiaEo13BzxxOC7Ik
+Gge5RyDcm0uLXZqTAPy5Sjv/zpOyj0AqL1CJUH7XBN9OMRhVU0ZX9nHWl1vgLRld
+J6XT17Y9QbbHhCNEdAmFE5kEFgCvZc+MungUYABlkvoj86TLmC/FMV6fWdxQssyd
+hS+ssfJFLaTDaEFz5a/Tr48CAwEAAaNTMFEwHQYDVR0OBBYEFK0GVrQx+wX1GCHy
+e+6fl4X+prmYMB8GA1UdIwQYMBaAFK0GVrQx+wX1GCHye+6fl4X+prmYMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHqP8P+ZUHmngviHLSSN1ln5
+Mx4BCkVeFRUaFx0yFXytV/iLXcG2HpFg3A9rAFoYgCDwi1xpsERnBZ/ShTv/eFOc
+IxBY5yggx3/lGi8tAgvUdarhd7mQO67UJ0V4YU3hAkbnZ8grHHXj+4hfgUpY4ok6
+yaed6HXwknBb9W8N1jZI8ginhkhjaeRCHdMiF+fBvNCtmeR1bCml1Uz7ailrpcaT
+Mf84+5VYuFEnaRZYWFNsWNCOBlJ/6/b3V10vMXzMmYHqz3xgAq0M3fVTFTzopnAX
+DLSzorL/dYVdqEDCQi5XI9YAlgWN4VeGzJI+glkLOCNzHxRNP6Qev+YI+7Uxz6I=
+-----END CERTIFICATE-----
diff --git a/ssl_connection_test.go b/ssl_connection_test.go
index 0328a9e0..6db2d498 100644
--- a/ssl_connection_test.go
+++ b/ssl_connection_test.go
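Review bot: Decoding the validity field of `test.self-signed.pem` (`...MjEwODE5MDkyNDQ3WhcNMjUwODE4MDkyNDQ3...`) gives notBefore 2021-08-19 and notAfter 2025-08-18, and the extension block appears to carry only subjectKeyIdentifier, authorityKeyIdentifier and a critical basicConstraints CA:TRUE — no subjectAltName. Neither matters while the client sets `InsecureSkipVerify`, but the TODO in `ssl_connection_test.go` says that flag is meant to go, and at that point the self-signed test fails on hostname immediately and on expiry after 2025-08-18. Regenerate the fixture with a SAN for the address the test dials (e.g. `openssl req -x509 -addext "subjectAltName=DNS:<graphd host>,IP:127.0.0.1" ...`) and a validity long enough for the fixture's life, and record the expiry date next to it as a `#` comment in `nebula-docker-compose/.env` or a README.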
@@ -16,12 +16,12 @@ import (
 "time"
 )
 
-func TestSSLConnection(t *testing.T) {
+func TestSslConnection(t *testing.T) {
 // skip test when ssl_test is not set to true
- skipCI(t)
+ skipSsl(t)
 
- hostAdress := HostAddress{Host: address, Port: port}
- // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
+ // hostAdress := HostAddress{Host: address, Port: port}
+ hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
 hostList := []HostAddress{}
 hostList = append(hostList, hostAdress)
@@ -64,7 +64,88 @@ func TestSSLConnection(t *testing.T) {
 if err != nil {
 t.Fatalf("fail to initialize the connection pool, host: %s, port: %d, %s", address, port, err.Error())
 }
- // close all connections in the pool
+ // Close all connections in the pool
 defer pool.Close()
+
+ // Create session
+ session, err := pool.GetSession(username, password)
+ if err != nil {
+ t.Fatalf("fail to create a new session from connection pool, username: %s, password: %s, %s",
+ username, password, err.Error())
+ }
+ defer session.Release()
+ // Excute a query
+ resp, err := tryToExecute(session, "SHOW HOSTS;")
+ if err != nil {
+ t.Fatalf(err.Error())
+ return
+ }
+ checkResultSet(t, "show hosts", resp)
+ // Create a new space
+ resp, err = tryToExecute(session, "CREATE SPACE client_test(partition_num=1024, replica_factor=1, vid_type = FIXED_STRING(30));")
+ if err != nil {
+ t.Fatalf(err.Error())
+ return
+ }
+ checkResultSet(t, "create space", resp)
+
+ resp, err = tryToExecute(session, "DROP SPACE client_test;")
+ if err != nil {
+ t.Fatalf(err.Error())
+ return
+ }
+ checkResultSet(t, "drop space", resp)
+}
+
+// TODO: generate certificate with hostName info and disable InsecureSkipVerify
+func TestSslConnectionSelfSigned(t *testing.T) {
+ // skip test when ssl_test is not set to true
+ skipSslSelfSigned(t)
+
+ // hostAdress := HostAddress{Host: address, Port: port}
+ hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
+ hostList := []HostAddress{}
+ hostList = append(hostList, hostAdress)
+
+ testPoolConfig = PoolConfig{
+ TimeOut: 0 * time.Millisecond,
+ IdleTime: 0 * time.Millisecond,
+ MaxConnPoolSize: 10,
+ MinConnPoolSize: 1,
+ }
+
+ var (
+ cert = openAndReadFile(t, "./nebula-docker-compose/secrets/test.client.crt")
+ privateKey = openAndReadFile(t, "./nebula-docker-compose/secrets/test.client.key")
+ )
+
+ // generate the client certificate
+ clientCert, err := tls.X509KeyPair(cert, privateKey)
+ if err != nil {
+ panic(err)
+ }
+
+ // parse root CA pem and add into CA pool
+ rootCAPool := x509.NewCertPool()
+ ok := rootCAPool.AppendCertsFromPEM(cert)
+ if !ok {
+ t.Fatal("unable to append supplied cert into tls.Config, are you sure it is a valid certificate")
+ }
+
+ // set tls config
+ // InsecureSkipVerify is set to true for test purpose ONLY. DO NOT use it in production.
+ sslConfig := &tls.Config{
+ Certificates: []tls.Certificate{clientCert},
+ // RootCAs: rootCAPool,
+ InsecureSkipVerify: true, // This is only used for testing
+ }
+
+ // Initialize connectin pool
+ pool, err := NewSslConnectionPool(hostList, testPoolConfig, sslConfig, nebulaLog)
+ if err != nil {
+ t.Fatalf("fail to initialize the connection pool, host: %s, port: %d, %s", address, port, err.Error())
+ }
+ // Close all connections in the pool
 defer pool.Close()
 
 // Create session
@@ -111,8 +192,14 @@ func openAndReadFile(t *testing.T, path string) []byte {
 return b
 }
 
-func skipCI(t *testing.T) {
+func skipSsl(t *testing.T) {
 if os.Getenv("ssl_test") != "true" {
 t.Skip("Skipping SSL testing in CI environment")
 }
 }
+
+func skipSslSelfSigned(t *testing.T) {
+ if os.Getenv("self_signed") != "true" {
+ t.Skip("Skipping SSL testing in CI environment")
+ }
+}
From 8168e0f034bc32d5f8c9b2e4bef8e490174b267e Mon Sep 17 00:00:00 2001 From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Mon, 11 Oct 2021 16:39:33 +0800 Subject: [PATCH 6/7] Fix ci Fix ci again --- .github/workflows/test.yaml | 3 +- Makefile | 2 +- connection_pool.go | 10 ++-- nebula-docker-compose/.env | 1 - nebula-docker-compose/docker-compose.yaml | 9 --- .../secrets/test.self-signed.key | 55 +++++++++---------- ssl_connection_test.go | 12 ++-- 7 files changed, 39 insertions(+), 53 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index aa8a34ea..129618de 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
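Review bot: `InsecureSkipVerify: true` in the `sslConfig` literal switches off every check crypto/tls would perform — chain, expiry and hostname — so `rootCAPool` is built and then has no effect (it is commented out of `RootCAs` here, and would be ignored even if wired in while the flag is set); the pool in `TestSslConnectionSelfSigned` therefore accepts any server, and the only thing stopping that from becoming the documented pattern is the TODO above the function. Since the TODO says the fixture cert lacks the host name, the usual way out is to keep `InsecureSkipVerify` but verify the chain by hand against `rootCAPool` in `VerifyPeerCertificate`, as below, so only the hostname match is skipped (the callback needs `errors` or `fmt` in the import block). Two smaller points in the same hunk: `panic(err)` after `tls.X509KeyPair` should be `t.Fatalf("load client key pair: %v", err)`, and the `t.Fatalf` after `pool.GetSession` prints `password` into the CI log — drop it from the format string and its argument list.
```go
	// InsecureSkipVerify disables chain, expiry and hostname checks together, so
	// the chain is verified here by hand against rootCAPool; only the hostname
	// match is skipped, because the test certificate carries no name for the host.
	sslConfig := &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		RootCAs:            rootCAPool,
		InsecureSkipVerify: true, // test-only: replaced by VerifyPeerCertificate below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			opts := x509.VerifyOptions{Roots: rootCAPool, Intermediates: x509.NewCertPool()}
			for _, raw := range rawCerts[1:] {
				ic, err := x509.ParseCertificate(raw)
				if err != nil {
					return err
				}
				opts.Intermediates.AddCert(ic)
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			_, err = leaf.Verify(opts)
			return err
		},
	}
```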
@@ -30,7 +30,7 @@ jobs:
 - name: Test SSL connection self-signed
 run: |
 pushd nebula-docker-compose/
- enable_ssl=true ca_signed docker-compose up -d
+ enable_ssl=true docker-compose up -d
 sleep 10
 popd
 self_signed=true go test -v -run TestSslConnectionSelfSigned
@@ -38,4 +38,3 @@ jobs:
 run: |
 go run basic_example/graph_client_basic_example.go
 go run gorountines_example/graph_client_goroutines_example.go
-
diff --git a/Makefile b/Makefile
index 33ad4c9b..ef45ab49 100644
--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,7 @@ ssl-test:
 go test -v -run TestSslConnection; \
 cd ./nebula-docker-compose && docker-compose down -v
 
-ssl-test:
+ssl-test-self-signed:
 cd ./nebula-docker-compose && enable_ssl=true docker-compose up -d && \
 sleep 5 && \
 cd .. && \
diff --git a/connection_pool.go b/connection_pool.go
index 23728133..5c740894 100644
--- a/connection_pool.go
+++ b/connection_pool.go
@@ -102,10 +102,10 @@ func (pool *ConnectionPool) initPool() error {
 
 // Open connection to host
 err := errors.New("")
- if pool.sslConfig != nil {
- err = newConn.openSSL(newConn.severAddress, pool.conf.TimeOut, pool.sslConfig)
- } else {
+ if pool.sslConfig == nil {
 err = newConn.open(newConn.severAddress, pool.conf.TimeOut)
+ } else {
+ err = newConn.openSSL(newConn.severAddress, pool.conf.TimeOut, pool.sslConfig)
 }
 if err != nil {
 // If initialization failed, clean idle queue
@@ -210,7 +210,7 @@ func (pool *ConnectionPool) release(conn *connection) {
 func (pool *ConnectionPool) Ping(host HostAddress, timeout time.Duration) error {
 newConn := newConnection(host)
 // Open connection to host
- if pool.sslConfig != nil {
+ if pool.sslConfig == nil {
 if err := newConn.open(newConn.severAddress, timeout); err != nil {
 return err
 }
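Review bot: `err := errors.New("")` just above the corrected `if pool.sslConfig == nil` branch in `initPool` allocates a non-nil error whose only purpose is to be overwritten on both paths; `var err error` is the idiom and makes the following `if err != nil` meaningful on its own. The condition flip itself is right: a nil config now means plaintext `open`, anything else `openSSL`. The loop body continues past the hunk (the cleanup branch after `if err != nil {` is cut off).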
@@ -269,7 +269,7 @@ func (pool *ConnectionPool) newConnToHost() (*connection, error) {
 host := pool.getHost()
 newConn := newConnection(host)
 // Open connection to host
- if pool.sslConfig != nil {
+ if pool.sslConfig == nil {
 if err := newConn.open(newConn.severAddress, pool.conf.TimeOut); err != nil {
 return nil, err
 }
diff --git a/nebula-docker-compose/.env b/nebula-docker-compose/.env
index d7c7929c..c5124223 100644
--- a/nebula-docker-compose/.env
+++ b/nebula-docker-compose/.env
@@ -1,5 +1,4 @@
 enable_ssl=false
-ca_signed=true
 ca_path=/secrets/test.ca.pem
 password_path=/secrets/test.ca.password
 cert_path=/secrets/test.client.crt
diff --git a/nebula-docker-compose/docker-compose.yaml b/nebula-docker-compose/docker-compose.yaml
index 62d48926..b1bbfa41 100644
--- a/nebula-docker-compose/docker-compose.yaml
+++ b/nebula-docker-compose/docker-compose.yaml
@@ -22,7 +22,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 healthcheck:
 test: ["CMD", "curl", "-sf", "http://metad0:11000/status"]
@@ -66,7 +65,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 healthcheck:
 test: ["CMD", "curl", "-sf", "http://metad1:11000/status"]
@@ -110,7 +108,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 healthcheck:
 test: ["CMD", "curl", "-sf", "http://metad2:11000/status"]
@@ -154,7 +151,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 depends_on:
 - metad0
@@ -202,7 +198,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 depends_on:
 - metad0
@@ -250,7 +245,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 depends_on:
 - metad0
@@ -298,7 +292,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 depends_on:
 - metad0
@@ -345,7 +338,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 depends_on:
 - metad0
@@ -392,7 +384,6 @@ services:
 - --cert_path=${cert_path}
 - --key_path=${key_path}
 - --enable_ssl=${enable_ssl}
- - --ca_signed=${ca_signed}
 - --password_path=${password_path}
 
 
diff --git a/nebula-docker-compose/secrets/test.self-signed.key b/nebula-docker-compose/secrets/test.self-signed.key
index 41ebbf5a..5a94b69a 100644
--- a/nebula-docker-compose/secrets/test.self-signed.key
+++ b/nebula-docker-compose/secrets/test.self-signed.key
@@ -1,30 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,6D12ED8559E80FA3
-
-tv9epnwlt4dP6Q5ee0dACOyFA5BTwYTdoMykQRJrKGwfaNeXUXn+sQ/U/oFHp1Wx
-O8VZE+z2aHpiFSTw+Eh6MPt86X5yVG3tpeVO6dErvr8Kd+NpuI8zn7rNoOFRh8wD
-33EFcQMLQPneDl10O18hooIoi0qwp1pd63hYZPwEhB3eOrM5Mnv9OVJs65bzYfyf
-Wku33YWYxeqlDvMCsou8PZnv/M2wYsr7+QoTcNmGKP45igMthMDBzwgF+q0p9ZZU
-N11c6ojAs01kfuqFf3vKfHNYe6zsBiNhnUuEy8enXSxD5E7tR/OI8aEzPLdk7fmN
-/UsMK2LE0Yd5iS3O1x/1ZjSBxJ+M/UzzCO692GTAiD6Hc13iJOavq/vt1mEPjfCD
-neF38Bhb5DfFi+UAHrz6EHMreamGCzP82us2maIs7mSTq7nXDZfbBc7mBDLAUUnT
-J6tlrTyc+DQXzkJa6jmbxJhcsWm6XvjIBEzSXVHxEDPLnZICQk3VXODjCXTD75Rg
-0WaS78Ven7DW8wn07q3VzWAFDKaet3VI+TVTv7EfIavlfiA6LSshaENdFLeHahNE
-s/V/j5K3Pg6+WQcZRgOsfqIwUCSQxY13R6TTdaaCkLay5BggF5iiAO3pkqsJiadf
-w843Ak4USBptymJxoZgJyFtQHpQyNiFfsAbs9BaYbg2evvE7/VQhLk0gQ7HgQMeJ
-wgxEQqZQKDCCSugSzY1YEGXKnrZYCKyipzyyH936mE15zNwhYp/Pi2020+gmtP3h
-CDfcPs1yeLI2/1JuimafbuKsv9xchWa6ASU8p8Q7wTLtUj9ylLKyA4A/75pK0DXG
-Hv/q0O+UfhAMD438SoPBle7RSvIsDU1VjUqstlNybBglBZxGIME7/18+Ms7U32wh
-4xFkZwxT2nqFgyk37tXMdMz9UBh12/AXR9NU4XY37C3Ao2TDT7/0DvU6KdJhsDpv
-rGcaC2zzhko+0CPrLlk52KbqP003JXiWvOSI+FylyPPDB/YGitmndJUuQblf3u/E
-l+tGi9MeSBQeWKV6D3AVnO05AZjfTUzSK0vw4DgNh5YPNJvLy31B7kDAS88vyGI1
-t6MBwjW4/tz/nS/p1Go3mSzBhPkIsCrZE+ar7lH8p8JqkLl4fXIMaVKIfyfJdzyS
-lkh3K7bOGDPegxxxaWdb+EnC7k+1R3EOU7uJFW61HyrGI3q6Y7kOl5aYSJ5Ge1Uv
-PycFWHWVTHq/R7HRE6HIJzGe/PnLIbStXLDFeivjfcYq1YaSaF8Vl+xg+0u3ULOl
-P6IuPTph6dlcgttRZVl3ETcF0T+2wfbUwgjf0ZiguCJfR2jLGhPl1KBg0Kd9cTSY
-zI3YMMd2G8hApt/QFlm4Ry8CqaJUmDcjDNIJT3M+RldUgfz37NsX05cA5e9+I1AL
-2406F/v5U9gWsYx7HuwJtQrDzYYDbl1GD4H+qHFJE5JYhPP4AyWYxJ1NR5dqyvrt
-+3r5+xlwZrS76c10RsBWL7th8ZEzRxOZxbtLwbf4bG/tIGfQP2sTnWwA+qym6b2S
-sRduqOTP+xwnhOq/ZKn8lfsDfhT8CPnKHBsd09kM9y/UWuxFe0upLydRLE/Wsb9s
------END RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAwQCClqYJAeX7wmdQcjr9WYkeMMtgktOWI38LCkWuEyohWMnz
+AbntZgulemf3UvN4e7nYuRXNyKTJsgnZr4s5O+eE0V1uZNuoO2tv6zrAz+w76cXq
+1TYC/h7nOHIqh5Esv6scyTefKaiFt03h2PJIWY45TkDU7/hvRtnPhiW733mRRrB2
+JoSjXcHPHE4LsiQaB7lHINybS4tdmpMA/LlKO//Ok7KPQCovUIlQftcE304xGFVT
+Rlf2cdaXW+AtGV0npdPXtj1BtseEI0R0CYUTmQQWAK9lz4y6eBRgAGWS+iPzpMuY
+L8UxXp9Z3FCyzJ2FL6yx8kUtpMNoQXPlr9OvjwIDAQABAoIBAFcIFNs8OhmaDQJo
+NlWcljx24Z9dRspPEYgmNONH8qx/thPk1Wk034HBxLhDA7trQSyB7OHhnC9bZ/ya
+Bojrfj6uMy16NVrT1rQcyZZIo0PfolDTyAanWYgghWHl0ZnadFRmJA/0vhg5/zpe
+q3Z6IvgHc33/LEaeQAeyFqvGfkbSMZz2cj9na9MgW5usMHrQxtBdtuwVrtj4dKY+
+SXhQz7G5gaq5byromeE7U0fhPwGVqHy/QvHJbIQhowzu2cCFAQaBOMcgy8hqKVB3
+dZlcRkFU1/iS0MsLmsv7rRAt/r43zW0dvFqZ7WzN9McQGF7Og4CN/GNGul0Q1bIu
+NcKdJLkCgYEA4RXEGLzR1gTolYXImRdXmeTU7XqoXt/CNtg5dumqUYRDD1WmOtp5
+XfEZdcEHTCfPQWIXsC8dM6+MFujHcnZV+NPx7xPe/pKJ4adAe+yHH1gsj4elvl7z
+shcgT3/0fsj3dGFnsxBww1djIBH+gf5Niz44+QaqDlDNEkYBXdBmB6sCgYEA24Kr
+fYaU7qP+SPamVC6p8NU6nddmuJl+n5XBmnDwbYaM6OyCEetCH3LQHYSkxjtJ3q/O
+iSezxZzcBReP1MbZZbn2oqo8w/nE/LKrJytClLyDoJYaF5WigInaZ/D3QGLFH4J+
+kjYrjTuJGXq5LJjJ1hsxIowi+CQcAr67wSrcg60CgYEA2VVa80felPhIW5fCCZAw
+VbhOoL8+s9z6elptohQdEHjVB4l76HfrmHmkS78GfNIznL5KgSP83lsyuSwq6Kq6
+eHitsltNhiGYYPpNmVrZXbqVzED+GMM2K0+JMzopqgICba1fo9bMCtHmNKErTflu
+hnSeLlXw/cGnQW23BA6ldeECgYEA0NsfeCvZAMagZ6Pm1iogH7mCMDSG1BWX2ReQ
+QfY7jLp80BJYH9yL6YhAZBWVAdffjTYReYaBEgERhvbIL1eT+apa9KKtdnnr59PH
+7VjH3OURCHZJFS+Wkl6XpFYtquFPVY/ABjXsclC3Pbr6/WfSgxkUQx67FwakcCgy
+VLUHY3ECgYEAnCZybgd3rpZwqSdljHne4xvvDFRwRev4JKAkXhXehQa8Yeb/vEBp
+9unBdzWR8EbE/QmyiUAKKaqFVHtsneGCwtzB08tJeb9QXZ09rtf5dRAMUbQW/gHg
+Bj3Uz0ZzisnXqy6JTXQzaCveVQlLzsmVsCoe5nA3yrkOam3BG3i16KI=
+-----END RSA PRIVATE KEY-----
diff --git a/ssl_connection_test.go b/ssl_connection_test.go
index 6db2d498..d387ae27 100644
--- a/ssl_connection_test.go
+++ b/ssl_connection_test.go
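Review bot: This hunk commits the self-signed private key in the clear (the `Proc-Type`/`DEK-Info` headers and the DES-EDE3-CBC blob are replaced by a plain `RSA PRIVATE KEY` body), so anyone with the repository can impersonate `test.self-signed.pem`; that is normal for a throwaway test fixture, but nothing in the tree says it is one. The encrypted form was no safer — its passphrase `vesoft` was committed beside it in `test.self-signed.password` — so the real controls are documentation and scope: add a line such as `# test-only material: public, never trust outside docker-compose` above `ca_path` in `nebula-docker-compose/.env` (or a README in `secrets/`), and never add this certificate to a real trust store. If the repository runs a secret scanner, allowlist `nebula-docker-compose/secrets/` explicitly rather than muting the alert.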
@@ -20,8 +20,8 @@ func TestSslConnection(t *testing.T) {
 // skip test when ssl_test is not set to true
 skipSsl(t)
 
- // hostAdress := HostAddress{Host: address, Port: port}
- hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
+ hostAdress := HostAddress{Host: address, Port: port}
+ // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
 hostList := []HostAddress{}
 hostList = append(hostList, hostAdress)
@@ -102,8 +102,8 @@ func TestSslConnectionSelfSigned(t *testing.T) {
 // skip test when ssl_test is not set to true
 skipSslSelfSigned(t)
 
- // hostAdress := HostAddress{Host: address, Port: port}
- hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
+ hostAdress := HostAddress{Host: address, Port: port}
+ // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
 hostList := []HostAddress{}
 hostList = append(hostList, hostAdress)
@@ -115,8 +115,8 @@ func TestSslConnectionSelfSigned(t *testing.T) {
 }
 
 var (
- cert = openAndReadFile(t, "./nebula-docker-compose/secrets/test.client.crt")
- privateKey = openAndReadFile(t, "./nebula-docker-compose/secrets/test.client.key")
+ cert = openAndReadFile(t, "./nebula-docker-compose/secrets/test.self-signed.pem")
+ privateKey = openAndReadFile(t, "./nebula-docker-compose/secrets/test.self-signed.key")
 )
 
 // generate the client certificate
From c2fbcc7cfd78af1c86f652e7f6af9fbcde23922f Mon Sep 17 00:00:00 2001 From: Aiee <18348405+Aiee@users.noreply.github.com> Date: Mon, 11 Oct 2021 20:14:21 +0800 Subject: [PATCH 7/7] Clean up --- ssl_connection_test.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/ssl_connection_test.go b/ssl_connection_test.go
index d387ae27..c1af70a7 100644
--- a/ssl_connection_test.go
+++ b/ssl_connection_test.go
@@ -21,7 +21,6 @@ func TestSslConnection(t *testing.T) {
 skipSsl(t)
 
 hostAdress := HostAddress{Host: address, Port: port}
- // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
 hostList := []HostAddress{}
 hostList = append(hostList, hostAdress)
@@ -103,7 +102,6 @@ func TestSslConnectionSelfSigned(t *testing.T) {
 skipSslSelfSigned(t)
 
 hostAdress := HostAddress{Host: address, Port: port}
- // hostAdress := HostAddress{Host: "192.168.8.6", Port: 29562}
 hostList := []HostAddress{}
 hostList = append(hostList, hostAdress)
@@ -115,6 +113,8 @@ func TestSslConnectionSelfSigned(t *testing.T) {
 }
 
 var (
+ // for self-signed cert, use the local cert as the root ca
+ rootCA = openAndReadFile(t, "./nebula-docker-compose/secrets/test.self-signed.pem")
 cert = openAndReadFile(t, "./nebula-docker-compose/secrets/test.self-signed.pem")
 privateKey = openAndReadFile(t, "./nebula-docker-compose/secrets/test.self-signed.key")
 )
@@ -126,8 +126,9 @@ func TestSslConnectionSelfSigned(t *testing.T) {
 }
 
 // parse root CA pem and add into CA pool
+ // for self-signed cert, use the local cert as the root ca
 rootCAPool := x509.NewCertPool()
- ok := rootCAPool.AppendCertsFromPEM(cert)
+ ok := rootCAPool.AppendCertsFromPEM(rootCA)
 if !ok {
 t.Fatal("unable to append supplied cert into tls.Config, are you sure it is a valid certificate")
 }
@@ -135,8 +136,8 @@ func TestSslConnectionSelfSigned(t *testing.T) {
 // set tls config
 // InsecureSkipVerify is set to true for test purpose ONLY. DO NOT use it in production.
 sslConfig := &tls.Config{
- Certificates: []tls.Certificate{clientCert},
- // RootCAs: rootCAPool,
+ Certificates: []tls.Certificate{clientCert},
+ RootCAs: rootCAPool,
 InsecureSkipVerify: true, // This is only used for testing
 }
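Review bot: Building `rootCAPool` from `rootCA` only changes anything if crypto/tls consults `RootCAs`, and it does not while `InsecureSkipVerify: true` remains in the `sslConfig` literal that follows this hunk — with that flag set the root store, the expiry and the hostname are all ignored, so this clean-up wires up a trust pool that is never read. Either drop the flag (the TODO above `TestSslConnectionSelfSigned` wants that, but it needs a fixture with a SAN for the dialled host) or keep it and verify the chain against `rootCAPool` in a `VerifyPeerCertificate` callback, which is the standard way to keep chain checking while skipping only the name match; the comment `// for self-signed cert, use the local cert as the root ca` should then say which of the two the test relies on. The function starts outside the hunk.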