Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Riak 2 Feature: Security #149

Merged
merged 43 commits into from
May 7, 2014
Merged

Riak 2 Feature: Security #149

merged 43 commits into from
May 7, 2014

Conversation

bkerley
Copy link
Contributor

@bkerley bkerley commented Feb 18, 2014

The Ruby client needs to support security per basho/riak#355 .

  • configure local and tls credentials
c = Riak::Client.new(
                     pb_port: 17017,
                     authentication: {
                       user: 'user',
                       password: 'password',
                       server_ca: File.read('ca.crt'),
                       server_cert: File.read('server.crt')
                     }
                    )
  • upgrade a protobuffs connection to tls
  • kill the connection if the server doesn't have a valid cert
  • kill the connection if the server doesn't support tls
  • kill the conncetion if the server's cert is revoked
  • work correctly when requests succeed

(copied from #110 )

bkerley added 22 commits January 30, 2014 12:58
@bkerley
Add hook for test_client configuration
b3d463a
@bkerley
failing basic security integration tests
81a7efe
@bkerley
Merge branch 'bk-crdt' into bk-security
8970009
@bkerley
Pull the socket creation into a new ProtobuffsSocket class
f354a6f
@bkerley
Remove the Node#ssl_options accessor, nothing uses it.
033c551
@bkerley
document ProtobuffsSocket's TlsInitiator a bit more
bc1ef83
@bkerley
The socket is more properly beefcake, and not protobuffs in general
0360c50
@bkerley
Merge branch 'bk-crdt' into bk-security
ee24346
@bkerley
spec out BeefcakeSocket
1790e72
@bkerley
socket needs to pass options to ssl, this is a spec
d0996d6
@bkerley
fix spec for security enabled but not configured
ee24756
@bkerley
security-enabled specs pass
3b8ee55
@bkerley
fix the no_security integration tests
3511930
@bkerley
Squelch an i18n warning
c964dbf
@bkerley
add context configuration
cded4c3
@bkerley
fill out security-enabled tests
fff1370
@bkerley
Testing certificates and keys
b507576
@bkerley
start validation of certs
12cc28c
@bkerley
r509 gem for cert metadata
0fc75f5
@bkerley
validate crl/ocsp with r509
b4d910d
@bkerley
fix gem name
412ce3b
@bkerley
only run yes_security or no_security specs in cases when we have conf…
6349715 
…iguration
@bkerley bkerley mentioned this pull request Feb 18, 2014
Closed
7 tasks
@bkerley bkerley added this to the 2.0.0 milestone Apr 16, 2014
seancribbs
seancribbs reviewed Apr 16, 2014
View reviewed changes
spec/riak/beefcake_protobuffs_backend/socket_spec.rb

describe 'without authentication configured' do
let(:options){ Hash.new }
it 'should start a tcp connection and not start a tls connection' do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I worry that these tests basically describe an implementation (too many doubles). Is there a way to exercise the class at a higher level, or more like blackbox? Integration tests are fine.

Another option might be like the "mock server" we had previously where it would actually create a server-side version and you could verify what came across the wire.

You can also tell me to buzz off. 😁

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, there's already an integration test that hits these parts. The problem with those is that they require many different Riak configurations, and right now that means they basically don't get run on a regular basis. I'd prefer to keep these as a safety net, and I'm not sure if there's a much better way to express these.

@bkerley
Copy link
Contributor Author

bkerley commented May 6, 2014

  • put server cert in crl for pending spec
  • make other specs pass

@seancribbs
Copy link
Contributor

This works as advertised when using this PR to riak-ruby-vagrant: basho-labs/riak-ruby-vagrant#4

👍

bkerley added a commit that referenced this pull request May 7, 2014
@bkerley
Merge pull request #149 from basho/bk-security
c708777 
Riak 2 Feature: Security
@bkerley bkerley merged commit c708777 into master May 7, 2014
@bkerley bkerley deleted the bk-security branch May 7, 2014 22:50
@bkerley bkerley mentioned this pull request Feb 9, 2015
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
in progress
Projects
None yet
Milestone
2.0-RC
Development

Successfully merging this pull request may close these issues.
2 participants
@bkerley @seancribbs