From 5af84206af1f6c9f727b340ccab4c6d587762edb Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Mon, 23 Aug 2021 17:44:22 +0800 Subject: [PATCH 01/12] Add the ssl support. --- src/clients/meta/test/CMakeLists.txt | 1 + src/codec/test/CMakeLists.txt | 1 + src/common/CMakeLists.txt | 1 + src/common/ssl/CMakeLists.txt | 10 +++++++ src/common/ssl/SSLConfig.cpp | 32 +++++++++++++++++++++ src/common/ssl/SSLConfig.h | 25 ++++++++++++++++ src/common/thrift/ThriftClientManager-inl.h | 13 +++++++-- src/common/thrift/ThriftClientManager.h | 1 + src/daemons/CMakeLists.txt | 1 + src/daemons/GraphDaemon.cpp | 8 ++++++ src/daemons/MetaDaemon.cpp | 8 ++++++ src/daemons/StorageDaemon.cpp | 4 +++ src/graph/context/test/CMakeLists.txt | 1 + src/graph/executor/test/CMakeLists.txt | 1 + src/graph/optimizer/test/CMakeLists.txt | 1 + src/graph/util/test/CMakeLists.txt | 1 + src/graph/validator/test/CMakeLists.txt | 1 + src/graph/visitor/test/CMakeLists.txt | 1 + src/kvstore/raftex/RaftexService.cpp | 4 +++ src/kvstore/raftex/test/CMakeLists.txt | 1 + src/kvstore/test/CMakeLists.txt | 1 + src/meta/CMakeLists.txt | 1 + src/parser/test/CMakeLists.txt | 1 + src/storage/StorageServer.cpp | 10 +++++++ src/storage/test/CMakeLists.txt | 1 + src/tools/db-dump/CMakeLists.txt | 1 + src/tools/db-upgrade/CMakeLists.txt | 1 + src/tools/meta-dump/CMakeLists.txt | 1 + src/tools/storage-perf/CMakeLists.txt | 1 + tests/Makefile | 4 ++- tests/cert/test.ca.key | 30 +++++++++++++++++++ tests/cert/test.ca.pem | 24 ++++++++++++++++ tests/cert/test.password | 1 + tests/common/nebula_service.py | 17 +++++++++-- tests/nebula-test-run.py | 10 ++++++- 35 files changed, 214 insertions(+), 6 deletions(-) create mode 100644 src/common/ssl/CMakeLists.txt create mode 100644 src/common/ssl/SSLConfig.cpp create mode 100644 src/common/ssl/SSLConfig.h create mode 100644 tests/cert/test.ca.key create mode 100644 tests/cert/test.ca.pem create mode 100644 tests/cert/test.password 
diff --git a/src/clients/meta/test/CMakeLists.txt b/src/clients/meta/test/CMakeLists.txt index b732a4748b6..80fc0bf0434 100644 --- a/src/clients/meta/test/CMakeLists.txt +++ b/src/clients/meta/test/CMakeLists.txt @@ -10,5 +10,6 @@ nebula_add_test( $ $ $ + $ LIBRARIES gtest ) diff --git a/src/codec/test/CMakeLists.txt b/src/codec/test/CMakeLists.txt index 2ce9788956e..05581db1c94 100644 --- a/src/codec/test/CMakeLists.txt +++ b/src/codec/test/CMakeLists.txt @@ -31,6 +31,7 @@ set(CODEC_TEST_LIBS $ $ $ + $ ) diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index 9122bd1f76f..fe404277c93 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt @@ -25,3 +25,4 @@ nebula_add_subdirectory(function) nebula_add_subdirectory(graph) nebula_add_subdirectory(plugin) nebula_add_subdirectory(utils) +nebula_add_subdirectory(ssl) diff --git a/src/common/ssl/CMakeLists.txt b/src/common/ssl/CMakeLists.txt new file mode 100644 index 00000000000..eb19ddc3442 --- /dev/null +++ b/src/common/ssl/CMakeLists.txt @@ -0,0 +1,10 @@ +# Copyright (c) 2021 vesoft inc. All rights reserved. +# +# This source code is licensed under Apache 2.0 License, +# attached with Common Clause Condition 1.0, found in the LICENSES directory. + +nebula_add_library( + ssl_obj + OBJECT + SSLConfig.cpp +) diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp new file mode 100644 index 00000000000..cb116590488 --- /dev/null +++ b/src/common/ssl/SSLConfig.cpp 
@@ -0,0 +1,32 @@ +/* Copyright (c) 2021 vesoft inc. All rights reserved. + * + * This source code is licensed under Apache 2.0 License, + * attached with Common Clause Condition 1.0, found in the LICENSES directory. + */ + +#include "common/ssl/SSLConfig.h" + +DEFINE_string(cert_path, "", "Path to cert pem."); +DEFINE_string(key_path, "", "Path to cert key."); +DEFINE_string(ca_path, "", "Path to trusted CA file."); +DEFINE_string(password_path, "", "Path to password file."); +DEFINE_bool(enable_ssl, false, "Wether enable ssl."); +DEFINE_bool(enable_graph_ssl, false, "Wether enable ssl."); + +namespace nebula { + +std::shared_ptr sslContextConfig() { + auto sslCfg = std::make_shared(); + sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, FLAGS_password_path); + sslCfg->clientCAFile = FLAGS_ca_path; + sslCfg->isDefault = true; + return sslCfg; +} + +std::shared_ptr createSSLContext() { + auto context = std::make_shared(); + folly::ssl::setSignatureAlgorithms(*context); + return context; +} + +} // namespace nebula diff --git a/src/common/ssl/SSLConfig.h b/src/common/ssl/SSLConfig.h new file mode 100644 index 00000000000..485f32552e9 --- /dev/null +++ b/src/common/ssl/SSLConfig.h @@ -0,0 +1,25 @@ + +/* Copyright (c) 2021 vesoft inc. All rights reserved. + * + * This source code is licensed under Apache 2.0 License, + * attached with Common Clause Condition 1.0, found in the LICENSES directory. + */ + +#pragma once + +#include +#include +#include + +#include + +DECLARE_bool(enable_ssl); +DECLARE_bool(enable_graph_ssl); + +namespace nebula { + +extern std::shared_ptr sslContextConfig(); + +extern std::shared_ptr createSSLContext(); + +} // namespace nebula diff --git a/src/common/thrift/ThriftClientManager-inl.h b/src/common/thrift/ThriftClientManager-inl.h index d47e19e60b5..1823a3a0345 100644 --- a/src/common/thrift/ThriftClientManager-inl.h +++ b/src/common/thrift/ThriftClientManager-inl.h 
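Review bot: `enable_ssl` and `enable_graph_ssl` are defined with the identical description `"Wether enable ssl."`, so `--help` cannot tell an operator which flag covers only the graph listener and which covers every RPC endpoint and outgoing client connection, and both carry a typo. Suggest `DEFINE_bool(enable_ssl, false, "Whether to enable SSL for all thrift services and client connections.");` and `DEFINE_bool(enable_graph_ssl, false, "Whether to enable SSL for the graph service listener only.");`. `sslContextConfig()` also accepts empty `cert_path`/`key_path`, so a daemon started with `enable_ssl=true` and no certificate configured presumably fails only when the server later loads the config rather than at startup with a clear message; a fatal check on those two flags inside `sslContextConfig()` would make the misconfiguration obvious. In SSLConfig.h the `extern` on the two function declarations is redundant and the file begins with a blank line ahead of the license header.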
@@ -6,11 +6,13 @@ #pragma once +#include #include #include #include #include "common/network/NetworkUtils.h" +#include "common/ssl/SSLConfig.h" DECLARE_int32(conn_timeout_ms); @@ -71,9 +73,16 @@ std::shared_ptr ThriftClientManager::client(const HostAd VLOG(2) << "Connecting to " << host << " for " << ++connectionCount << " times"; std::shared_ptr socket; + if (FLAGS_enable_ssl) { + socket = folly::AsyncSSLSocket::newSocket(nebula::createSSLContext(), evb); + } evb->runImmediatelyOrRunInEventBaseThreadAndWait([&socket, evb, resolved]() { - socket = - folly::AsyncSocket::newSocket(evb, resolved.host, resolved.port, FLAGS_conn_timeout_ms); + if (FLAGS_enable_ssl) { + socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms); + } else { + socket = + folly::AsyncSocket::newSocket(evb, resolved.host, resolved.port, FLAGS_conn_timeout_ms); + } }); auto headerClientChannel = apache::thrift::HeaderClientChannel::newChannel(socket); if (timeout > 0) { diff --git a/src/common/thrift/ThriftClientManager.h b/src/common/thrift/ThriftClientManager.h index da5c16dcaf4..230244e221d 100644 --- a/src/common/thrift/ThriftClientManager.h +++ b/src/common/thrift/ThriftClientManager.h @@ -7,6 +7,7 @@ #ifndef COMMON_THRIFT_THRIFTCLIENTMANAGER_H_ #define COMMON_THRIFT_THRIFTCLIENTMANAGER_H_ +#include #include #include "common/base/Base.h" diff --git a/src/daemons/CMakeLists.txt b/src/daemons/CMakeLists.txt index 65439480f29..22f433893c2 100644 --- a/src/daemons/CMakeLists.txt +++ b/src/daemons/CMakeLists.txt @@ -29,6 +29,7 @@ set(common_deps $ $ $ + $ ) set(storage_meta_deps diff --git a/src/daemons/GraphDaemon.cpp b/src/daemons/GraphDaemon.cpp index dccf4a0cae9..74403d3fd36 100644 --- a/src/daemons/GraphDaemon.cpp +++ b/src/daemons/GraphDaemon.cpp @@ -5,6 +5,7 @@ */ #include +#include #include #include #include 
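Review bot: In the SSL branch of `ThriftClientManager::client`, `socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms)` passes no `ConnectCallback`, so a failed TCP connect or TLS handshake is not observed here and presumably surfaces only as an error on the first request sent through `headerClientChannel`; the plain-socket branch has the same property, but the SSL path adds a second failure mode (certificate rejection) that a callback, or at least a log line, would make diagnosable. `nebula::createSSLContext()` is also called for every new client connection, building a fresh `folly::SSLContext` each time; one context created once per manager (or per event base) and shared across connections would avoid repeating that setup, particularly once CA loading is added to it. The SSL socket is constructed on the calling thread while the plain socket is constructed inside the event-base lambda; moving `folly::AsyncSSLSocket::newSocket(...)` into the same lambda would keep both paths symmetric. `client()` starts and ends outside this hunk.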
@@ -15,6 +16,7 @@ #include "common/fs/FileUtils.h" #include "common/network/NetworkUtils.h" #include "common/process/ProcessUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/time/TimezoneInfo.h" #include "graph/service/GraphFlags.h" #include "graph/service/GraphService.h" @@ -52,6 +54,9 @@ int main(int argc, char *argv[]) { } folly::init(&argc, &argv, true); + if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl) { + folly::ssl::init(); + } nebula::initCounters(); if (FLAGS_flagfile.empty()) { @@ -149,6 +154,9 @@ int main(int argc, char *argv[]) { gServer->setIdleTimeout(std::chrono::seconds(FLAGS_client_idle_timeout_secs)); gServer->setNumAcceptThreads(FLAGS_num_accept_threads); gServer->setListenBacklog(FLAGS_listen_backlog); + if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl) { + gServer->setSSLConfig(nebula::sslContextConfig()); + } setupThreadManager(); // Setup the signal handlers diff --git a/src/daemons/MetaDaemon.cpp b/src/daemons/MetaDaemon.cpp index e2c176a8083..5233d2678a0 100644 --- a/src/daemons/MetaDaemon.cpp +++ b/src/daemons/MetaDaemon.cpp @@ -4,6 +4,7 @@ * attached with Common Clause Condition 1.0, found in the LICENSES directory. */ +#include #include #include "common/base/Base.h" @@ -12,6 +13,7 @@ #include "common/hdfs/HdfsHelper.h" #include "common/network/NetworkUtils.h" #include "common/process/ProcessUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/thread/GenericThreadPool.h" #include "common/time/TimezoneInfo.h" #include "kvstore/NebulaStore.h" @@ -204,6 +206,9 @@ int main(int argc, char* argv[]) { } folly::init(&argc, &argv, true); + if (FLAGS_enable_ssl) { + folly::ssl::init(); + } if (FLAGS_data_path.empty()) { LOG(ERROR) << "Meta Data Path should not empty"; return EXIT_FAILURE; 
@@ -307,6 +312,9 @@ int main(int argc, char* argv[]) { gServer->setPort(FLAGS_port); gServer->setIdleTimeout(std::chrono::seconds(0)); // No idle timeout on client connection gServer->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + gServer->setSSLConfig(nebula::sslContextConfig()); + } gServer->serve(); // Will wait until the server shuts down } catch (const std::exception& e) { LOG(ERROR) << "Exception thrown: " << e.what(); diff --git a/src/daemons/StorageDaemon.cpp b/src/daemons/StorageDaemon.cpp index 70b2930cb84..e75c16c12be 100644 --- a/src/daemons/StorageDaemon.cpp +++ b/src/daemons/StorageDaemon.cpp @@ -4,6 +4,7 @@ * attached with Common Clause Condition 1.0, found in the LICENSES directory. */ +#include #include #include "common/base/Base.h" @@ -69,6 +70,9 @@ int main(int argc, char *argv[]) { } folly::init(&argc, &argv, true); + if (FLAGS_enable_ssl) { + folly::ssl::init(); + } if (FLAGS_daemonize) { google::SetStderrLogging(google::FATAL); } else { diff --git a/src/graph/context/test/CMakeLists.txt b/src/graph/context/test/CMakeLists.txt index fc579f8a74a..02d05be1d42 100644 --- a/src/graph/context/test/CMakeLists.txt +++ b/src/graph/context/test/CMakeLists.txt @@ -40,6 +40,7 @@ SET(CONTEXT_TEST_LIBS $ $ $ + $ ) nebula_add_test( diff --git a/src/graph/executor/test/CMakeLists.txt b/src/graph/executor/test/CMakeLists.txt index 030f6b43dd9..1e24b2b61da 100644 --- a/src/graph/executor/test/CMakeLists.txt +++ b/src/graph/executor/test/CMakeLists.txt @@ -47,6 +47,7 @@ SET(EXEC_QUERY_TEST_OBJS $ $ $ + $ ) SET(EXEC_QUERY_TEST_LIBS diff --git a/src/graph/optimizer/test/CMakeLists.txt b/src/graph/optimizer/test/CMakeLists.txt index 7a5ed87dcb6..a1fa426ac72 100644 --- a/src/graph/optimizer/test/CMakeLists.txt +++ b/src/graph/optimizer/test/CMakeLists.txt @@ -43,6 +43,7 @@ set(OPTIMIZER_TEST_LIB $ $ $ + $ ) nebula_add_test( diff --git a/src/graph/util/test/CMakeLists.txt b/src/graph/util/test/CMakeLists.txt index f87291477e9..745ab224efe 100644 
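Review bot: StorageDaemon.cpp reads `FLAGS_enable_ssl` but, unlike GraphDaemon.cpp and MetaDaemon.cpp in this same commit, the only `#include` it adds is the folly one (its target is not visible in this rendering), so the flag declaration is reached through a transitive include rather than `#include "common/ssl/SSLConfig.h"`. Adding the explicit include keeps the three daemons consistent and protects the build from a header reshuffle elsewhere. `main` starts and ends outside this hunk.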
--- a/src/graph/util/test/CMakeLists.txt +++ b/src/graph/util/test/CMakeLists.txt @@ -32,6 +32,7 @@ nebula_add_test( $ $ $ + $ $ $ $ diff --git a/src/graph/validator/test/CMakeLists.txt b/src/graph/validator/test/CMakeLists.txt index d0b9077c44d..487e7791f4a 100644 --- a/src/graph/validator/test/CMakeLists.txt +++ b/src/graph/validator/test/CMakeLists.txt @@ -51,6 +51,7 @@ set(VALIDATOR_TEST_LIBS $ $ $ + $ ) nebula_add_test( diff --git a/src/graph/visitor/test/CMakeLists.txt b/src/graph/visitor/test/CMakeLists.txt index b5b61c02e28..159e50b613a 100644 --- a/src/graph/visitor/test/CMakeLists.txt +++ b/src/graph/visitor/test/CMakeLists.txt @@ -56,6 +56,7 @@ nebula_add_test( $ $ $ + $ LIBRARIES gtest ${THRIFT_LIBRARIES} diff --git a/src/kvstore/raftex/RaftexService.cpp b/src/kvstore/raftex/RaftexService.cpp index e48f545d34e..e8aba1fb432 100644 --- a/src/kvstore/raftex/RaftexService.cpp +++ b/src/kvstore/raftex/RaftexService.cpp @@ -9,6 +9,7 @@ #include #include "common/base/Base.h" +#include "common/ssl/SSLConfig.h" #include "kvstore/raftex/RaftPart.h" namespace nebula { @@ -60,6 +61,9 @@ void RaftexService::initThriftServer(std::shared_ptr workers, uint16_t port) { LOG(INFO) << "Init thrift server for raft service, port: " << port; + if (FLAGS_enable_ssl) { + server_->setSSLConfig(nebula::sslContextConfig()); + } server_->setPort(port); server_->setIdleTimeout(std::chrono::seconds(0)); if (pool != nullptr) { diff --git a/src/kvstore/raftex/test/CMakeLists.txt b/src/kvstore/raftex/test/CMakeLists.txt index 0a62fe2cabc..3a0abe49b43 100644 --- a/src/kvstore/raftex/test/CMakeLists.txt +++ b/src/kvstore/raftex/test/CMakeLists.txt @@ -10,6 +10,7 @@ set(RAFTEX_TEST_LIBS $ $ $ + $ ) diff --git a/src/kvstore/test/CMakeLists.txt b/src/kvstore/test/CMakeLists.txt index 1f7f7401502..7765a916f85 100644 --- a/src/kvstore/test/CMakeLists.txt +++ b/src/kvstore/test/CMakeLists.txt @@ -31,6 +31,7 @@ set(KVSTORE_TEST_LIBS $ $ $ + $ ) nebula_add_test( 
diff --git a/src/meta/CMakeLists.txt b/src/meta/CMakeLists.txt index 5870f0c12af..03d013c3060 100644 --- a/src/meta/CMakeLists.txt +++ b/src/meta/CMakeLists.txt @@ -150,6 +150,7 @@ set(meta_test_deps $ $ $ + $ ) nebula_add_subdirectory(http) diff --git a/src/parser/test/CMakeLists.txt b/src/parser/test/CMakeLists.txt index 0280f76d346..260722922d4 100644 --- a/src/parser/test/CMakeLists.txt +++ b/src/parser/test/CMakeLists.txt @@ -42,6 +42,7 @@ set(PARSER_TEST_LIBS $ $ $ + $ ) nebula_add_test( diff --git a/src/storage/StorageServer.cpp b/src/storage/StorageServer.cpp index f707db2bdcf..961f4f58703 100644 --- a/src/storage/StorageServer.cpp +++ b/src/storage/StorageServer.cpp @@ -13,6 +13,7 @@ #include "common/meta/ServerBasedIndexManager.h" #include "common/meta/ServerBasedSchemaManager.h" #include "common/network/NetworkUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/thread/GenericThreadPool.h" #include "common/utils/Utils.h" #include "kvstore/PartManager.h" @@ -182,6 +183,9 @@ bool StorageServer::start() { storageServer_->setThreadManager(workers_); storageServer_->setStopWorkersOnStopListening(false); storageServer_->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + storageServer_->setSSLConfig(nebula::sslContextConfig()); + } ServiceStatus expected = STATUS_UNINITIALIZED; if (!storageSvcStatus_.compare_exchange_strong(expected, STATUS_RUNNING)) { @@ -208,6 +212,9 @@ bool StorageServer::start() { adminServer_->setThreadManager(workers_); adminServer_->setStopWorkersOnStopListening(false); adminServer_->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + adminServer_->setSSLConfig(nebula::sslContextConfig()); + } ServiceStatus expected = STATUS_UNINITIALIZED; if (!adminSvcStatus_.compare_exchange_strong(expected, STATUS_RUNNING)) { 
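Review bot: The same three-line `if (FLAGS_enable_ssl) { ...->setSSLConfig(nebula::sslContextConfig()); }` block is repeated for `storageServer_`, `adminServer_` and `internalStorageServer_` (the third one is in the next hunk), and each call builds a new `SSLContextConfig` from the same flags. A small helper such as `static void applySSLConfig(apache::thrift::ThriftServer& server)` called from the three places, or a single config object created once in `start()` and passed to each server, would keep the SSL wiring in one spot when the flags or verification settings change. `StorageServer::start()` starts and ends outside these hunks.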
@@ -234,6 +241,9 @@ bool StorageServer::start() { internalStorageServer_->setThreadManager(workers_); internalStorageServer_->setStopWorkersOnStopListening(false); internalStorageServer_->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + internalStorageServer_->setSSLConfig(nebula::sslContextConfig()); + } internalStorageSvcStatus_.store(STATUS_RUNNING); LOG(INFO) << "The internal storage service start(same with admin) on " << internalAddr; diff --git a/src/storage/test/CMakeLists.txt b/src/storage/test/CMakeLists.txt index 8590de90e3f..760d0b756f4 100644 --- a/src/storage/test/CMakeLists.txt +++ b/src/storage/test/CMakeLists.txt @@ -44,6 +44,7 @@ set(storage_test_deps $ $ $ + $ ) nebula_add_test( diff --git a/src/tools/db-dump/CMakeLists.txt b/src/tools/db-dump/CMakeLists.txt index d5f419ffad2..18e9e06bd5d 100644 --- a/src/tools/db-dump/CMakeLists.txt +++ b/src/tools/db-dump/CMakeLists.txt @@ -40,6 +40,7 @@ set(tools_test_deps $ $ $ + $ ) nebula_add_executable( diff --git a/src/tools/db-upgrade/CMakeLists.txt b/src/tools/db-upgrade/CMakeLists.txt index bf7a64c065f..faf81200f49 100644 --- a/src/tools/db-upgrade/CMakeLists.txt +++ b/src/tools/db-upgrade/CMakeLists.txt @@ -48,6 +48,7 @@ nebula_add_executable( $ $ $ + $ LIBRARIES ${ROCKSDB_LIBRARIES} ${THRIFT_LIBRARIES} diff --git a/src/tools/meta-dump/CMakeLists.txt b/src/tools/meta-dump/CMakeLists.txt index 64758a8b4f6..146d77efb6d 100644 --- a/src/tools/meta-dump/CMakeLists.txt +++ b/src/tools/meta-dump/CMakeLists.txt @@ -45,6 +45,7 @@ nebula_add_executable( $ $ $ + $ LIBRARIES ${ROCKSDB_LIBRARIES} ${THRIFT_LIBRARIES} diff --git a/src/tools/storage-perf/CMakeLists.txt b/src/tools/storage-perf/CMakeLists.txt index d9b5c80370c..dd29e4b3284 100644 --- a/src/tools/storage-perf/CMakeLists.txt +++ b/src/tools/storage-perf/CMakeLists.txt @@ -40,6 +40,7 @@ set(perf_test_deps $ $ $ + $ ) nebula_add_executable( diff --git a/tests/Makefile b/tests/Makefile index 10fc66d046b..ac9777f63d4 100644 --- a/tests/Makefile 
+++ b/tests/Makefile @@ -16,6 +16,8 @@ TEST_DIR ?= $(CURR_DIR) BUILD_DIR ?= $(CURR_DIR)/../build DEBUG ?= true J ?= 10 +ENABLE_SSL ?= false +ENABLE_GRAPH_SSL ?= false install-deps: pip3 install --user -U setuptools wheel -i $(PYPI_MIRROR) @@ -49,7 +51,7 @@ check: up: clean @mkdir -p $(CURR_DIR)/.pytest - PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true + PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true --enable_ssl=$(ENABLE_SSL) --enable_graph_ssl=$(ENABLE_GRAPH_SSL) down: PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=stop --rm_dir=$(RM_DIR) diff --git a/tests/cert/test.ca.key b/tests/cert/test.ca.key new file mode 100644 index 00000000000..6006d0f275f --- /dev/null +++ b/tests/cert/test.ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,6D12ED8559E80FA3 + +tv9epnwlt4dP6Q5ee0dACOyFA5BTwYTdoMykQRJrKGwfaNeXUXn+sQ/U/oFHp1Wx +O8VZE+z2aHpiFSTw+Eh6MPt86X5yVG3tpeVO6dErvr8Kd+NpuI8zn7rNoOFRh8wD +33EFcQMLQPneDl10O18hooIoi0qwp1pd63hYZPwEhB3eOrM5Mnv9OVJs65bzYfyf +Wku33YWYxeqlDvMCsou8PZnv/M2wYsr7+QoTcNmGKP45igMthMDBzwgF+q0p9ZZU +N11c6ojAs01kfuqFf3vKfHNYe6zsBiNhnUuEy8enXSxD5E7tR/OI8aEzPLdk7fmN +/UsMK2LE0Yd5iS3O1x/1ZjSBxJ+M/UzzCO692GTAiD6Hc13iJOavq/vt1mEPjfCD +neF38Bhb5DfFi+UAHrz6EHMreamGCzP82us2maIs7mSTq7nXDZfbBc7mBDLAUUnT +J6tlrTyc+DQXzkJa6jmbxJhcsWm6XvjIBEzSXVHxEDPLnZICQk3VXODjCXTD75Rg +0WaS78Ven7DW8wn07q3VzWAFDKaet3VI+TVTv7EfIavlfiA6LSshaENdFLeHahNE +s/V/j5K3Pg6+WQcZRgOsfqIwUCSQxY13R6TTdaaCkLay5BggF5iiAO3pkqsJiadf +w843Ak4USBptymJxoZgJyFtQHpQyNiFfsAbs9BaYbg2evvE7/VQhLk0gQ7HgQMeJ +wgxEQqZQKDCCSugSzY1YEGXKnrZYCKyipzyyH936mE15zNwhYp/Pi2020+gmtP3h +CDfcPs1yeLI2/1JuimafbuKsv9xchWa6ASU8p8Q7wTLtUj9ylLKyA4A/75pK0DXG +Hv/q0O+UfhAMD438SoPBle7RSvIsDU1VjUqstlNybBglBZxGIME7/18+Ms7U32wh +4xFkZwxT2nqFgyk37tXMdMz9UBh12/AXR9NU4XY37C3Ao2TDT7/0DvU6KdJhsDpv +rGcaC2zzhko+0CPrLlk52KbqP003JXiWvOSI+FylyPPDB/YGitmndJUuQblf3u/E +l+tGi9MeSBQeWKV6D3AVnO05AZjfTUzSK0vw4DgNh5YPNJvLy31B7kDAS88vyGI1 +t6MBwjW4/tz/nS/p1Go3mSzBhPkIsCrZE+ar7lH8p8JqkLl4fXIMaVKIfyfJdzyS +lkh3K7bOGDPegxxxaWdb+EnC7k+1R3EOU7uJFW61HyrGI3q6Y7kOl5aYSJ5Ge1Uv +PycFWHWVTHq/R7HRE6HIJzGe/PnLIbStXLDFeivjfcYq1YaSaF8Vl+xg+0u3ULOl +P6IuPTph6dlcgttRZVl3ETcF0T+2wfbUwgjf0ZiguCJfR2jLGhPl1KBg0Kd9cTSY +zI3YMMd2G8hApt/QFlm4Ry8CqaJUmDcjDNIJT3M+RldUgfz37NsX05cA5e9+I1AL +2406F/v5U9gWsYx7HuwJtQrDzYYDbl1GD4H+qHFJE5JYhPP4AyWYxJ1NR5dqyvrt ++3r5+xlwZrS76c10RsBWL7th8ZEzRxOZxbtLwbf4bG/tIGfQP2sTnWwA+qym6b2S +sRduqOTP+xwnhOq/ZKn8lfsDfhT8CPnKHBsd09kM9y/UWuxFe0upLydRLE/Wsb9s +-----END RSA PRIVATE KEY----- diff --git a/tests/cert/test.ca.pem b/tests/cert/test.ca.pem new file mode 100644 index 00000000000..412ba31619d --- /dev/null +++ b/tests/cert/test.ca.pem 
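Review bot: A CA private key is committed here with its passphrase checked in next to it (`tests/cert/test.password`, content `vesoft`), and commit 03/12 adds an unencrypted leaf key in `tests/cert/test.derive.key`; that is workable for throwaway test fixtures, but nothing in the tree says so, and `_copy_nebula_conf` installs them into `share/resources` of every test cluster. A short `tests/cert/README` (or the `openssl` commands used to generate the files, kept as a script) stating that these credentials are test-only and must never be reused for a real deployment would both answer secret-scanner findings and make regeneration possible. Regeneration will be needed: the validity period encoded in `test.derive.crt` appears to end in late 2023 and the CA certificate's in 2025, after which the SSL CI jobs start failing with an expiry error. The same remark covers `tests/cert/test.ca.pem`, `test.derive.crt`, `test.derive.csr` and `test.ca.srl`.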
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIUDcmZFpL4PcdCXfLRBK8bR2vb39cwDQYJKoZIhvcNAQEL +BQAwgZwxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwI +SGFuZ3pob3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQLDAdzZWN0aW9u +MRYwFAYDVQQDDA1zaHlsb2NrIGh1YW5nMScwJQYJKoZIhvcNAQkBFhhzaHlsb2Nr +Lmh1YW5nQHZlc29mdC5jb20wHhcNMjEwODE5MDkyNDQ3WhcNMjUwODE4MDkyNDQ3 +WjCBnDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5nMREwDwYDVQQHDAhI +YW5nemhvdTEUMBIGA1UECgwLVmVzb2Z0IEluYy4xEDAOBgNVBAsMB3NlY3Rpb24x +FjAUBgNVBAMMDXNoeWxvY2sgaHVhbmcxJzAlBgkqhkiG9w0BCQEWGHNoeWxvY2su +aHVhbmdAdmVzb2Z0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMEAgpamCQHl+8JnUHI6/VmJHjDLYJLTliN/CwpFrhMqIVjJ8wG57WYLpXpn91Lz +eHu52LkVzcikybIJ2a+LOTvnhNFdbmTbqDtrb+s6wM/sO+nF6tU2Av4e5zhyKoeR +LL+rHMk3nymohbdN4djySFmOOU5A1O/4b0bZz4Ylu995kUawdiaEo13BzxxOC7Ik +Gge5RyDcm0uLXZqTAPy5Sjv/zpOyj0AqL1CJUH7XBN9OMRhVU0ZX9nHWl1vgLRld +J6XT17Y9QbbHhCNEdAmFE5kEFgCvZc+MungUYABlkvoj86TLmC/FMV6fWdxQssyd +hS+ssfJFLaTDaEFz5a/Tr48CAwEAAaNTMFEwHQYDVR0OBBYEFK0GVrQx+wX1GCHy +e+6fl4X+prmYMB8GA1UdIwQYMBaAFK0GVrQx+wX1GCHye+6fl4X+prmYMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHqP8P+ZUHmngviHLSSN1ln5 +Mx4BCkVeFRUaFx0yFXytV/iLXcG2HpFg3A9rAFoYgCDwi1xpsERnBZ/ShTv/eFOc +IxBY5yggx3/lGi8tAgvUdarhd7mQO67UJ0V4YU3hAkbnZ8grHHXj+4hfgUpY4ok6 +yaed6HXwknBb9W8N1jZI8ginhkhjaeRCHdMiF+fBvNCtmeR1bCml1Uz7ailrpcaT +Mf84+5VYuFEnaRZYWFNsWNCOBlJ/6/b3V10vMXzMmYHqz3xgAq0M3fVTFTzopnAX +DLSzorL/dYVdqEDCQi5XI9YAlgWN4VeGzJI+glkLOCNzHxRNP6Qev+YI+7Uxz6I= +-----END CERTIFICATE----- diff --git a/tests/cert/test.password b/tests/cert/test.password new file mode 100644 index 00000000000..60b7570cd13 --- /dev/null +++ b/tests/cert/test.password @@ -0,0 +1 @@ +vesoft \ No newline at end of file diff --git a/tests/common/nebula_service.py b/tests/common/nebula_service.py index 86d3f6b36f4..60302bd7efd 100644 --- a/tests/common/nebula_service.py +++ b/tests/common/nebula_service.py 
@@ -60,6 +60,14 @@ def _copy_nebula_conf(self): os.makedirs(resources_dir) shutil.copy(self.build_dir + '/../resources/gflags.json', resources_dir) + # cert files + shutil.copy(self.src_dir + '/tests/cert/test.ca.key', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.ca.pem', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.password', + resources_dir) + def _format_nebula_command(self, name, meta_port, ports, debug_log=True): params = [ "--meta_server_addrs={}", @@ -67,7 +75,10 @@ def _format_nebula_command(self, name, meta_port, ports, debug_log=True): "--ws_http_port={}", "--ws_h2_port={}", "--heartbeat_interval_secs=1", - "--expired_time_factor=60" + "--expired_time_factor=60", + '--cert_path=share/resources/test.ca.pem', + '--key_path=share/resources/test.ca.key', + '--password_path=share/resources/test.password', ] if name == 'graphd': params.append('--local_config=false') @@ -150,7 +161,7 @@ def _check_servers_status(self, ports): time.sleep(1) return False - def start(self, debug_log=True, multi_graphd=False): + def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_graph_ssl=False): os.chdir(self.work_dir) metad_ports = self._find_free_port() @@ -187,6 +198,8 @@ def start(self, debug_log=True, multi_graphd=False): if server_name == 'graphd1': command += ' --log_dir=logs1' command += ' --pid_file=pids1/nebula-graphd.pid' + command += ' --enable_ssl={}'.format(enable_ssl) + command += ' --enable_graph_ssl={}'.format(enable_graph_ssl) print("exec: " + command) p = subprocess.Popen([command], shell=True, stdout=subprocess.PIPE) p.wait() diff --git a/tests/nebula-test-run.py b/tests/nebula-test-run.py index 1b38d3cba14..1082b66a3d3 100755 --- a/tests/nebula-test-run.py +++ b/tests/nebula-test-run.py 
@@ -52,6 +52,14 @@ def init_parser(): dest='debug', default=True, help='Print verbose debug logs') + opt_parser.add_option('--enable_ssl', + dest='enable_ssl', + default=False, + help='Wether enable SSL for cluster.') + opt_parser.add_option('--enable_graph_ssl', + dest='enable_graph_ssl', + default=False, + help='Wether enable SSL for graph server.') return opt_parser @@ -70,7 +78,7 @@ def start_nebula(nb, configs): nb.install() address = "localhost" debug = opt_is(configs.debug, "true") - ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd) + ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd, enable_ssl=configs.enable_ssl, enable_graph_ssl=configs.enable_graph_ssl) # Load csv data pool = get_conn_pool(address, ports[0]) From ec1b09365e6489ece51af48c76c43be15a4585bf Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Mon, 23 Aug 2021 17:50:08 +0800 Subject: [PATCH 02/12] Add tests to tck. --- .github/workflows/pull_request.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 1c1e32777f2..2844b6ce5c1 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -123,14 +123,30 @@ jobs: timeout-minutes: 20 - name: Pytest run: | - make up + case ${{ matrix.compiler }} in + gcc-*) + case ${{ matrix.os }} in + centos7) + # normal cluster + make up + ;; + ubuntu2004) + # ssl cluster + make ENABLE_SSL=true up + ;; + esac + ;; + clang-*) + # graph ssl only cluster + make ENABLE_SSL=false ENABLE_GRAPH_SSL=true up + ;; + esac make RM_DIR=false DEBUG=false J=${{ steps.cmake.outputs.j }} test make down working-directory: tests/ timeout-minutes: 15 - name: TCK run: | - make up make RM_DIR=false DEBUG=false J=${{ steps.cmake.outputs.j }} tck make down working-directory: tests/ From 5d4426ac20546a4e47edd6e6a45f7fbc0b31367b Mon Sep 17 00:00:00 2001 
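Review bot: `configs.enable_ssl` and `configs.enable_graph_ssl` are passed to `nb.start()` unnormalised, so they are the Python default `False` when the option is absent and the raw string (`true`, `True`, `false`, …) when it is given, whereas `debug` right above is normalised through `opt_is(configs.debug, "true")`; the value is later interpolated straight into `--enable_ssl={}` for the daemons. Using the same helper, `enable_ssl=opt_is(configs.enable_ssl, "true"), enable_graph_ssl=opt_is(configs.enable_graph_ssl, "true")`, keeps the option handling consistent and guarantees the daemons always receive the same `True`/`False` token. The two new help strings repeat the `Wether` typo from the gflags definitions. `start_nebula` continues outside the hunk.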
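Review bot: The TCK step loses its `make up` while the Pytest step still ends with `make down`, so as far as this hunk shows the TCK run starts with the cluster already stopped; either keep `make up` in the TCK step (mirroring the same `case` selection) or drop the `make down` from the Pytest step so the cluster is reused, unless `make down` is a no-op here in a way not visible in the diff. The inner `case ${{ matrix.os }}` has only `centos7` and `ubuntu2004` arms and no `*)` default, so any other gcc/os combination in the matrix would run `make test` with no cluster at all; adding `*) make up ;;` makes the default explicit. The arms also pick the SSL mode by compiler rather than by a named matrix dimension, which is hard to read back from the matrix definition; a dedicated matrix variable, or at least a comment on each arm naming the intent as the existing `# ssl cluster` comments do, would make that clearer.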
From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Wed, 25 Aug 2021 13:41:10 +0800 Subject: [PATCH 03/12] Support CA signed certificate. --- src/common/ssl/SSLConfig.cpp | 8 +++++- tests/Makefile | 3 +- .../cert/{test.password => test.ca.password} | 0 tests/cert/test.ca.srl | 1 + tests/cert/test.derive.crt | 23 +++++++++++++++ tests/cert/test.derive.csr | 19 +++++++++++++ tests/cert/test.derive.key | 27 ++++++++++++++++++ tests/cert/test.derive.password | 1 + tests/common/nebula_service.py | 28 ++++++++++++++----- tests/nebula-test-run.py | 6 +++- 10 files changed, 106 insertions(+), 10 deletions(-) rename tests/cert/{test.password => test.ca.password} (100%) create mode 100644 tests/cert/test.ca.srl create mode 100644 tests/cert/test.derive.crt create mode 100644 tests/cert/test.derive.csr create mode 100644 tests/cert/test.derive.key create mode 100644 tests/cert/test.derive.password diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp index cb116590488..67582ccbc2d 100644 --- a/src/common/ssl/SSLConfig.cpp +++ b/src/common/ssl/SSLConfig.cpp @@ -18,13 +18,19 @@ namespace nebula { std::shared_ptr sslContextConfig() { auto sslCfg = std::make_shared(); sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, FLAGS_password_path); - sslCfg->clientCAFile = FLAGS_ca_path; sslCfg->isDefault = true; return sslCfg; } std::shared_ptr createSSLContext() { auto context = std::make_shared(); + if (!FLAGS_ca_path.empty()) { + context->loadTrustedCertificates(FLAGS_ca_path.c_str()); + // don't do peer name validation + context->authenticate(true, false); + // verify the server cert + context->setVerificationOption(folly::SSLContext::SSLVerifyPeerEnum::VERIFY); + } folly::ssl::setSignatureAlgorithms(*context); return context; } diff --git a/tests/Makefile b/tests/Makefile index ac9777f63d4..75de7ce6a52 100644 --- a/tests/Makefile +++ b/tests/Makefile 
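Review bot: `createSSLContext()` only loads trusted certificates and enables `VERIFY` when `ca_path` is non-empty, so a client running with `enable_ssl=true` and no `ca_path` configured silently gets an encrypted but unauthenticated connection that accepts any server certificate; at minimum a `LOG(WARNING) << "enable_ssl is set but ca_path is empty, server certificates will not be verified";` in the empty-path case, and preferably a hard requirement, would surface that. `context->authenticate(true, false)` disables peer-name checking (the comment says so), meaning any certificate issued by the configured CA is accepted for any host; that is a reasonable trade-off for a private cluster CA whose leaf certificates carry no hostnames, but the `ca_path` flag description should say it is expected to be the cluster's own CA and not a general trust bundle. Removing `sslCfg->clientCAFile = FLAGS_ca_path` from the server config means servers no longer request client certificates, so the cluster has server authentication only; a one-line comment in `sslContextConfig()` stating that would stop readers from assuming mutual TLS.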
@@ -18,6 +18,7 @@ DEBUG ?= true J ?= 10 ENABLE_SSL ?= false ENABLE_GRAPH_SSL ?= false +CA_SIGNED ?= false install-deps: pip3 install --user -U setuptools wheel -i $(PYPI_MIRROR) @@ -51,7 +52,7 @@ check: up: clean @mkdir -p $(CURR_DIR)/.pytest - PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true --enable_ssl=$(ENABLE_SSL) --enable_graph_ssl=$(ENABLE_GRAPH_SSL) + PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true --enable_ssl=$(ENABLE_SSL) --enable_graph_ssl=$(ENABLE_GRAPH_SSL) --ca_signed=$(CA_SIGNED) down: PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=stop --rm_dir=$(RM_DIR) diff --git a/tests/cert/test.password b/tests/cert/test.ca.password similarity index 100% rename from tests/cert/test.password rename to tests/cert/test.ca.password diff --git a/tests/cert/test.ca.srl b/tests/cert/test.ca.srl new file mode 100644 index 00000000000..877d296b7c1 --- /dev/null +++ b/tests/cert/test.ca.srl @@ -0,0 +1 @@ +4AF2EBB941EA7EE8358ECC7E51C2F1A38EE18873 diff --git a/tests/cert/test.derive.crt b/tests/cert/test.derive.crt new file mode 100644 index 00000000000..8f03073e2ff --- /dev/null +++ b/tests/cert/test.derive.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDvjCCAqYCFEry67lB6n7oNY7MflHC8aOO4YhzMA0GCSqGSIb3DQEBCwUAMIGc +MQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6 +aG91MRQwEgYDVQQKDAtWZXNvZnQgSW5jLjEQMA4GA1UECwwHc2VjdGlvbjEWMBQG +A1UEAwwNc2h5bG9jayBodWFuZzEnMCUGCSqGSIb3DQEJARYYc2h5bG9jay5odWFu +Z0B2ZXNvZnQuY29tMB4XDTIxMDgyNDEwNTExMloXDTIzMTEyNzEwNTExMlowgZkx +CzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3po +b3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQLDAdzZWN0aW9uMRMwEQYD +VQQDDApTaHlsb2NrIEhnMScwJQYJKoZIhvcNAQkBFhhzaHlsb2NrLmh1YW5nQHZl +c29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHk1PQtaCG +S31nvxKuT6pzVQuOsA2hEIDzBZuoBK3blezBB16fjUWG2wHG/r9Oss5YzOly4viL +1oFLsNdYg27EFH7pcGfdSUmZa6LHILegJTmLa1aB4lRG9EsvPIxNuo637CW2z6EW +ElVKXn2N1G1vW3fpKGxJ+d1ovaFfBliO0sK+myW+vYdKrNg70WqKKCoCIlIjEWw3 +vQdrmvhuhIBbG1bXkXbJwIepBdb4wGSx8qsgs93I6/je/K/iJaPJIqdH8loo6fSo +DBUiNA87ZsQdtbBeuk7QuF71SxD5+E8wCMtFMwRGmL0vYMPwkaurKxwEs49e8eTz +RvIrNtyYgVo7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGBpm5OLXn02kWr1ENU5 +FOOVryD41SCmPy8hLwQ2MCXd446UfTXc5TTlllksaePn373ZANLUe78vUCoVPjOh +dU5GxyOKtubXovI+yuvMS11u00KtgiAd5qa+IhX3c/P60bh4+fdKZ9ViyLsG+IpQ ++XDYT2uekLyjXXJU6h1raW7M1VY9FcDC63moXz0WgWJ/9tJgB0ZQkVcL+2UpveoZ +Whf9P0xAzCmNSrR7CMhdeRN2vBQQaHXk/64wkHncdkz/NglVl00rh4MtBKZ6Cqze +uZvgrxOJNzB4aXBMHO7sWzw1VSfS79CZm4H39hBWGiVEkr3yZYQbboDRY6F5dQyc +BZc= +-----END CERTIFICATE----- diff --git a/tests/cert/test.derive.csr b/tests/cert/test.derive.csr new file mode 100644 index 00000000000..89b26237ec7 --- /dev/null +++ b/tests/cert/test.derive.csr 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDEjCCAfoCAQAwgZkxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzER +MA8GA1UEBwwISGFuZ3pob3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQL +DAdzZWN0aW9uMRMwEQYDVQQDDApTaHlsb2NrIEhnMScwJQYJKoZIhvcNAQkBFhhz +aHlsb2NrLmh1YW5nQHZlc29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDHk1PQtaCGS31nvxKuT6pzVQuOsA2hEIDzBZuoBK3blezBB16fjUWG +2wHG/r9Oss5YzOly4viL1oFLsNdYg27EFH7pcGfdSUmZa6LHILegJTmLa1aB4lRG +9EsvPIxNuo637CW2z6EWElVKXn2N1G1vW3fpKGxJ+d1ovaFfBliO0sK+myW+vYdK +rNg70WqKKCoCIlIjEWw3vQdrmvhuhIBbG1bXkXbJwIepBdb4wGSx8qsgs93I6/je +/K/iJaPJIqdH8loo6fSoDBUiNA87ZsQdtbBeuk7QuF71SxD5+E8wCMtFMwRGmL0v +YMPwkaurKxwEs49e8eTzRvIrNtyYgVo7AgMBAAGgMzAVBgkqhkiG9w0BCQcxCAwG +dmVzb2Z0MBoGCSqGSIb3DQEJAjENDAtWZXNvZnQgSW5jLjANBgkqhkiG9w0BAQsF +AAOCAQEAjmyCyxziJMR8NILRAwmfYcBB90CbTFMMEyWy402KxoXcyVZBGO2eukIq +gaF2ywuh6yuTPtGsdVMVTWDQ4RLYpoQoR5Blu+M8Or8rhZSfMYXi79Ne3abSF28E +eWjBmh2Ys0GtaThlufJBWE+vWPH2iEGrSRTg1fvBLBzAW6nXU2svoTrKfDcEoY5z +xB0CKhBoewoIZ2FPBmBAnIWHfXR/vQ76QIoNdfQ4nT8iXuLRoNjRlvVU4AUDwKtu +keRDrnmJ7A5eqTlleCMzra2MAp9Na9gojXlGQP9q9V8nFtSvbjYAoH0ezWpdWj4+ +Rtu9EK4JkDymmmZcneFapExZrRLt0A== +-----END CERTIFICATE REQUEST----- diff --git a/tests/cert/test.derive.key b/tests/cert/test.derive.key new file mode 100644 index 00000000000..a011917b3af --- /dev/null +++ b/tests/cert/test.derive.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAx5NT0LWghkt9Z78Srk+qc1ULjrANoRCA8wWbqASt25XswQde +n41FhtsBxv6/TrLOWMzpcuL4i9aBS7DXWINuxBR+6XBn3UlJmWuixyC3oCU5i2tW +geJURvRLLzyMTbqOt+wlts+hFhJVSl59jdRtb1t36ShsSfndaL2hXwZYjtLCvpsl +vr2HSqzYO9FqiigqAiJSIxFsN70Ha5r4boSAWxtW15F2ycCHqQXW+MBksfKrILPd +yOv43vyv4iWjySKnR/JaKOn0qAwVIjQPO2bEHbWwXrpO0Lhe9UsQ+fhPMAjLRTME +Rpi9L2DD8JGrqyscBLOPXvHk80byKzbcmIFaOwIDAQABAoIBAEZ50URHjzs9VziW +sdsaSN/XbXBi3T0+Xbr0BQatOFPtuqBjoNeJBL9dgWArP5Vj8RhMrDekzQ5cnmYD +OdiI+UmGz1ZSGmt7YOErsFzPQejsnEiOjArryMURqacxo34jXhi27I6E/aaUrMfJ +XF8EX+zOCSct3ie1c6l0JZMv43/zbzP2vMFEdfnVfZA2Kxo5l3I4rjuxHUEWHzrb +EgM4a2+y7LQrut75zP9zWEZAqim/VEIEj24Gqj+Vocb6cHlc31KzKaEz7Ra5ha2J +kN2CQRKCzoMupVL5E6dWMiDVjUyUXdUgjSCIW2H+E1ONgvxA78jJx7+Dzj+/bWxH +h/vr3dkCgYEA9Aev7PGoGF0eapZY3crehvtCn1v4YLheh0dk4EpbpbEx0rQaG3h7 +YYCf7euxMvoTsKPETHAUG/s/RZV1DNOjxs8GKgEIVaRYEf1VZeDXudtnyKBwCMAL +5CKHRBvfmNG9n+PpQQlrIAZGej7HU+/IzEVsrD2A5DeH9IVpMNvrX10CgYEA0V1r +aydbBP+Ma/fiG5UDa8l4GdLzvAoW2cY6ZhQX4NiLTK91MwA/QOQcVMvJAN2KpPHC +kGDRT7IhMs66cMxl0ImIJ2QSnv8HRNmBBSdUtJx1S6nV2u0VfgP61oNT/YbLR/Jk +CAIl1qe7Q8IsrMbPxCbt8g+D8Wr9C3pdYYqFvncCgYEAicGdKmDwx3Apr3nYCLxx +CjnkzhkZCWCK3EsNQyA2xD5XJd7NrhxBajU2ExUuHtzVKK4KLixG7dTTTvCj9u2y +UpSjoiqbDd2MaftcrfpTTXPyDmujUw02qT5kpaomexpLtWrvTeuHMbjZKEEwPM3r +yISYaFL/49UFRp/ZVd+P63ECgYAX1B0ctf77A6bUxwK6Buy7wNNlhQful+tf39rX +sWPCWIMKOFILevS4Cv5afFMlQRG9kjKFwi8wdeKnaLX5jpnr8StI6G/iHr6SDHtN +vds7Ly9+bBcF8sPmcseC0LGngkbyqljOPIhX9QEwRhJVm88b0R511WQ7/uRMASJN +rrloIwKBgCxYlu1xvvEuQNoIux/yKAEJ1h4Ta2zc5upjw0uDKMi0UNIbNhgdFOvj +LuVbxTRU8WktrLNk3T0rsopKsTbEZVg6Yuv8ZLkEiNYTzhUbn2Y5yM3bnoVwyOns +pTtqmBtvDZxaRCYdIQG3b09IvrewDk26AOtNHdeKw883G2muP/vA +-----END RSA PRIVATE KEY----- diff --git a/tests/cert/test.derive.password b/tests/cert/test.derive.password new file mode 100644 index 00000000000..60b7570cd13 --- /dev/null +++ b/tests/cert/test.derive.password @@ -0,0 +1 @@ +vesoft \ No newline at end of file 
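Review bot: `test.derive.key` is an unencrypted PKCS#1 key (`-----BEGIN RSA PRIVATE KEY-----` with no `Proc-Type: 4,ENCRYPTED` header; the DER starts `30 82 04 a3 02 01 00 02 82 01 01`), so the `test.derive.password` file added alongside it protects nothing — the series itself confirms this when it drops `--password_path` two patches later. Committing a plaintext private key is acceptable only as a throwaway test credential, so label it as one where people will see it, e.g. a `tests/cert/README` line `These keys are test-only fixtures committed in plaintext; never deploy or reuse them.`, and add `tests/cert/*.key` to whatever secret-scanning allowlist the repository uses so the finding is not re-triaged on every scan. If the password file is kept, either encrypt the key with it or remove the file, so the fixture does not imply a protection that is not there.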
diff --git a/tests/common/nebula_service.py b/tests/common/nebula_service.py index 60302bd7efd..b6e66da0a09 100644 --- a/tests/common/nebula_service.py +++ b/tests/common/nebula_service.py @@ -65,10 +65,16 @@ def _copy_nebula_conf(self): resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.ca.pem', resources_dir) - shutil.copy(self.src_dir + '/tests/cert/test.password', + shutil.copy(self.src_dir + '/tests/cert/test.ca.password', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.derive.key', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.derive.crt', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.derive.password', resources_dir) - def _format_nebula_command(self, name, meta_port, ports, debug_log=True): + def _format_nebula_command(self, name, meta_port, ports, debug_log=True, ca_signed=False): params = [ "--meta_server_addrs={}", "--port={}", @@ -76,10 +82,17 @@ def _format_nebula_command(self, name, meta_port, ports, debug_log=True): "--ws_h2_port={}", "--heartbeat_interval_secs=1", "--expired_time_factor=60", - '--cert_path=share/resources/test.ca.pem', - '--key_path=share/resources/test.ca.key', - '--password_path=share/resources/test.password', ] + if ca_signed: + params.append('--ca_path=share/resources/test.ca.pem') + params.append('--cert_path=share/resources/test.derive.crt') + params.append('--key_path=share/resources/test.derive.key') + params.append('--password_path=share/resources/test.derive.password') + else: + params.append('--cert_path=share/resources/test.ca.pem') + params.append('--key_path=share/resources/test.ca.key') + params.append('--password_path=share/resources/test.ca.password') + if name == 'graphd': params.append('--local_config=false') params.append('--enable_authorize=true') 
@@ -161,7 +174,7 @@ def _check_servers_status(self, ports): time.sleep(1) return False - def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_graph_ssl=False): + def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_graph_ssl=False, ca_signed=False): os.chdir(self.work_dir) metad_ports = self._find_free_port() @@ -194,7 +207,8 @@ def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_gra command = self._format_nebula_command(new_name, metad_ports[0], ports, - debug_log) + debug_log, + ca_signed=ca_signed) if server_name == 'graphd1': command += ' --log_dir=logs1' command += ' --pid_file=pids1/nebula-graphd.pid' diff --git a/tests/nebula-test-run.py b/tests/nebula-test-run.py index 1082b66a3d3..6996a613d20 100755 --- a/tests/nebula-test-run.py +++ b/tests/nebula-test-run.py @@ -60,6 +60,10 @@ def init_parser(): dest='enable_graph_ssl', default=False, help='Wether enable SSL for graph server.') + opt_parser.add_option('--ca_signed', + dest='ca_signed', + default=False, + help='Wether enable CA signed SSL/TLS mode.') return opt_parser @@ -78,7 +82,7 @@ def start_nebula(nb, configs): nb.install() address = "localhost" debug = opt_is(configs.debug, "true") - ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd, enable_ssl=configs.enable_ssl, enable_graph_ssl=configs.enable_graph_ssl) + ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd, enable_ssl=configs.enable_ssl, enable_graph_ssl=configs.enable_graph_ssl, ca_signed=configs.ca_signed) # Load csv data pool = get_conn_pool(address, ports[0]) From 364b276acddfff7e4cec3dbd1adf84bcd6719e41 Mon Sep 17 00:00:00 2001 
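Review bot: `ca_signed=configs.ca_signed` hands `start()` the raw optparse value, and `--ca_signed` is declared with the default `store` action, so `--ca_signed=false` (what the Makefile's `CA_SIGNED ?= false` produces) arrives as the string `'false'`, which is truthy; `_format_nebula_command`'s `if ca_signed:` then selects the CA-signed cert set even when it was not requested, and the two modes are never actually distinguished by the harness. The `debug` line two lines above shows the intended idiom; the fix is `ca_signed=opt_is(configs.ca_signed, "true")` in `start_nebula`. The `enable_*_ssl` values are unaffected because they are only interpolated into daemon flags and parsed by gflags, not by Python.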
From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Wed, 25 Aug 2021 14:29:02 +0800 Subject: [PATCH 04/12] Remove the pssword configuration. --- src/common/ssl/SSLConfig.cpp | 3 +-- tests/cert/test.ca.password | 1 - tests/cert/test.derive.password | 1 - tests/common/nebula_service.py | 12 ++++++------ 4 files changed, 7 insertions(+), 10 deletions(-) delete mode 100644 tests/cert/test.ca.password delete mode 100644 tests/cert/test.derive.password diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp index 67582ccbc2d..acf7c73bb92 100644 --- a/src/common/ssl/SSLConfig.cpp +++ b/src/common/ssl/SSLConfig.cpp @@ -9,7 +9,6 @@ DEFINE_string(cert_path, "", "Path to cert pem."); DEFINE_string(key_path, "", "Path to cert key."); DEFINE_string(ca_path, "", "Path to trusted CA file."); -DEFINE_string(password_path, "", "Path to password file."); DEFINE_bool(enable_ssl, false, "Wether enable ssl."); DEFINE_bool(enable_graph_ssl, false, "Wether enable ssl."); @@ -17,7 +16,7 @@ namespace nebula { std::shared_ptr sslContextConfig() { auto sslCfg = std::make_shared(); - sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, FLAGS_password_path); + sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, ""); sslCfg->isDefault = true; return sslCfg; } diff --git a/tests/cert/test.ca.password b/tests/cert/test.ca.password deleted file mode 100644 index 60b7570cd13..00000000000 --- a/tests/cert/test.ca.password +++ /dev/null @@ -1 +0,0 @@ -vesoft \ No newline at end of file diff --git a/tests/cert/test.derive.password b/tests/cert/test.derive.password deleted file mode 100644 index 60b7570cd13..00000000000 --- a/tests/cert/test.derive.password +++ /dev/null @@ -1 +0,0 @@ -vesoft \ No newline at end of file diff --git a/tests/common/nebula_service.py b/tests/common/nebula_service.py index b6e66da0a09..a33bc7e19cc 100644 --- a/tests/common/nebula_service.py +++ b/tests/common/nebula_service.py 
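Review bot: `sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, "")` hard-codes an empty password path, so after this patch no daemon can load an encrypted private key; that is a fair simplification, but it should be stated where operators read it, e.g. `DEFINE_string(key_path, "", "Path to cert key (PEM, must be unencrypted).");`. `sslContextConfig()` is shown in full here and never reads `FLAGS_ca_path` — nothing sets a client CA file or client verification on the server-side config (wangle's `SSLContextConfig` exposes `clientCAFile`/`clientVerification` for that) — so inter-daemon TLS authenticates at most the server, presumably via `createSSLContext()` on the client, which is not in this diff. If one-way TLS is the intent, a one-line comment in `sslContextConfig()` such as `// Server-side only: client certificates are not requested or verified.` keeps the next reader from assuming mutual TLS; if not, the `ca_path` wiring belongs here.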
@@ -65,14 +65,14 @@ def _copy_nebula_conf(self): resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.ca.pem', resources_dir) - shutil.copy(self.src_dir + '/tests/cert/test.ca.password', - resources_dir) + # shutil.copy(self.src_dir + '/tests/cert/test.ca.password', + # resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.derive.key', resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.derive.crt', resources_dir) - shutil.copy(self.src_dir + '/tests/cert/test.derive.password', - resources_dir) + # shutil.copy(self.src_dir + '/tests/cert/test.derive.password', + # resources_dir) def _format_nebula_command(self, name, meta_port, ports, debug_log=True, ca_signed=False): params = [ @@ -87,11 +87,11 @@ def _format_nebula_command(self, name, meta_port, ports, debug_log=True, ca_sign params.append('--ca_path=share/resources/test.ca.pem') params.append('--cert_path=share/resources/test.derive.crt') params.append('--key_path=share/resources/test.derive.key') - params.append('--password_path=share/resources/test.derive.password') +# params.append('--password_path=share/resources/test.derive.password') else: params.append('--cert_path=share/resources/test.ca.pem') params.append('--key_path=share/resources/test.ca.key') - params.append('--password_path=share/resources/test.ca.password') +# params.append('--password_path=share/resources/test.ca.password') if name == 'graphd': params.append('--local_config=false') From 0c842b990ee0386956450a3a58e34079df1c9e73 Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Wed, 25 Aug 2021 14:29:46 +0800 Subject: [PATCH 05/12] Remove the comment. --- tests/common/nebula_service.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/common/nebula_service.py b/tests/common/nebula_service.py index a33bc7e19cc..06a3fb37a51 100644 --- a/tests/common/nebula_service.py +++ b/tests/common/nebula_service.py 
@@ -65,14 +65,10 @@ def _copy_nebula_conf(self): resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.ca.pem', resources_dir) - # shutil.copy(self.src_dir + '/tests/cert/test.ca.password', - # resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.derive.key', resources_dir) shutil.copy(self.src_dir + '/tests/cert/test.derive.crt', resources_dir) - # shutil.copy(self.src_dir + '/tests/cert/test.derive.password', - # resources_dir) def _format_nebula_command(self, name, meta_port, ports, debug_log=True, ca_signed=False): params = [ @@ -87,11 +83,9 @@ def _format_nebula_command(self, name, meta_port, ports, debug_log=True, ca_sign params.append('--ca_path=share/resources/test.ca.pem') params.append('--cert_path=share/resources/test.derive.crt') params.append('--key_path=share/resources/test.derive.key') -# params.append('--password_path=share/resources/test.derive.password') else: params.append('--cert_path=share/resources/test.ca.pem') params.append('--key_path=share/resources/test.ca.key') -# params.append('--password_path=share/resources/test.ca.password') if name == 'graphd': params.append('--local_config=false') From d11ac19e451571b57fc33d1a013355be740a78a8 Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Wed, 25 Aug 2021 16:51:15 +0800 Subject: [PATCH 06/12] Support independent meta server ssl. --- src/clients/meta/MetaClient.cpp | 4 +++- src/clients/storage/StorageClientBase-inl.h | 3 ++- src/common/ssl/SSLConfig.cpp | 3 ++- src/common/ssl/SSLConfig.h | 1 + src/common/thrift/ThriftClientManager-inl.h | 6 +++--- src/common/thrift/ThriftClientManager.h | 6 +++++- src/daemons/MetaDaemon.cpp | 2 +- src/kvstore/NebulaStore.h | 4 +++- src/kvstore/raftex/test/TestShard.cpp | 3 ++- src/meta/processors/admin/AdminClient.h | 4 +++- tests/Makefile | 3 ++- tests/common/nebula_service.py | 3 ++- tests/nebula-test-run.py | 6 +++++- 13 files changed, 34 insertions(+), 14 deletions(-) 
diff --git a/src/clients/meta/MetaClient.cpp b/src/clients/meta/MetaClient.cpp index 7398d92a9a2..94f7632ec43 100644 --- a/src/clients/meta/MetaClient.cpp +++ b/src/clients/meta/MetaClient.cpp @@ -19,6 +19,7 @@ #include "common/http/HttpClient.h" #include "common/meta/NebulaSchemaProvider.h" #include "common/network/NetworkUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/stats/StatsManager.h" #include "version/Version.h" #include "webservice/Common.h" @@ -40,7 +41,8 @@ MetaClient::MetaClient(std::shared_ptr ioThreadPool CHECK(ioThreadPool_ != nullptr) << "IOThreadPool is required"; CHECK(!addrs_.empty()) << "No meta server address is specified or can be " "solved. Meta server is required"; - clientsMan_ = std::make_shared>(); + clientsMan_ = std::make_shared>( + FLAGS_enable_ssl || FLAGS_enable_meta_ssl); updateActive(); updateLeader(); bgThread_ = std::make_unique(); diff --git a/src/clients/storage/StorageClientBase-inl.h b/src/clients/storage/StorageClientBase-inl.h index 608639bf471..c8adf7028aa 100644 --- a/src/clients/storage/StorageClientBase-inl.h +++ b/src/clients/storage/StorageClientBase-inl.h @@ -8,6 +8,7 @@ #include +#include "common/ssl/SSLConfig.h" #include "common/time/WallClock.h" namespace nebula { @@ -72,7 +73,7 @@ template StorageClientBase::StorageClientBase( std::shared_ptr threadPool, meta::MetaClient* metaClient) : metaClient_(metaClient), ioThreadPool_(threadPool) { - clientsMan_ = std::make_unique>(); + clientsMan_ = std::make_unique>(FLAGS_enable_ssl); } template diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp index acf7c73bb92..2a03a16a453 100644 --- a/src/common/ssl/SSLConfig.cpp +++ b/src/common/ssl/SSLConfig.cpp 
@@ -10,7 +10,8 @@ DEFINE_string(cert_path, "", "Path to cert pem."); DEFINE_string(key_path, "", "Path to cert key."); DEFINE_string(ca_path, "", "Path to trusted CA file."); DEFINE_bool(enable_ssl, false, "Wether enable ssl."); -DEFINE_bool(enable_graph_ssl, false, "Wether enable ssl."); +DEFINE_bool(enable_graph_ssl, false, "Wether enable ssl of graph server."); +DEFINE_bool(enable_meta_ssl, false, "Wether enable ssl of meta server."); namespace nebula { diff --git a/src/common/ssl/SSLConfig.h b/src/common/ssl/SSLConfig.h index 485f32552e9..45889b86b27 100644 --- a/src/common/ssl/SSLConfig.h +++ b/src/common/ssl/SSLConfig.h @@ -15,6 +15,7 @@ DECLARE_bool(enable_ssl); DECLARE_bool(enable_graph_ssl); +DECLARE_bool(enable_meta_ssl); namespace nebula { diff --git a/src/common/thrift/ThriftClientManager-inl.h b/src/common/thrift/ThriftClientManager-inl.h index 1823a3a0345..f60b980f3e5 100644 --- a/src/common/thrift/ThriftClientManager-inl.h +++ b/src/common/thrift/ThriftClientManager-inl.h @@ -73,11 +73,11 @@ std::shared_ptr ThriftClientManager::client(const HostAd VLOG(2) << "Connecting to " << host << " for " << ++connectionCount << " times"; std::shared_ptr socket; - if (FLAGS_enable_ssl) { + if (enableSSL_) { socket = folly::AsyncSSLSocket::newSocket(nebula::createSSLContext(), evb); } - evb->runImmediatelyOrRunInEventBaseThreadAndWait([&socket, evb, resolved]() { - if (FLAGS_enable_ssl) { + evb->runImmediatelyOrRunInEventBaseThreadAndWait([this, &socket, evb, resolved]() { + if (enableSSL_) { socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms); } else { socket = diff --git a/src/common/thrift/ThriftClientManager.h b/src/common/thrift/ThriftClientManager.h index 230244e221d..6c47c4af24f 100644 --- a/src/common/thrift/ThriftClientManager.h +++ b/src/common/thrift/ThriftClientManager.h 
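Review bot: The help strings present `enable_ssl`, `enable_graph_ssl` and `enable_meta_ssl` as server-side switches, but the same flags drive the client side (`MetaClient` now passes `FLAGS_enable_ssl || FLAGS_enable_meta_ssl`, the storage, raft and admin clients pass `FLAGS_enable_ssl`), and thrift does not negotiate plaintext versus TLS: a graphd started without `--enable_meta_ssl` against a metad started with it fails at the first RPC with an opaque channel error. Say so in the help text, e.g. `DEFINE_bool(enable_meta_ssl, false, "Enable TLS on the meta service port; must be set identically on metad and on every graphd/storaged that connects to it.");`, and describe `enable_ssl` as covering all inter-daemon traffic. Consider also failing fast at startup when any `enable_*_ssl` flag is set while `cert_path` or `key_path` is empty, so a misconfiguration is reported once at boot rather than per connection.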
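Review bot: In the `enableSSL_` branch the TLS socket is connected with `socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms)` — a null `ConnectCallback` — so a failed handshake (untrusted CA, expired fixture, hostname mismatch) is never reported here and only surfaces as a generic channel error on the first request. Whether the channel is authenticated at all is decided by `nebula::createSSLContext()`, which is not in this diff; as far as I recall folly's `SSLContext` does not verify the peer unless `SSL_VERIFY_PEER` and a trust store (here presumably `FLAGS_ca_path`) are configured, and without that the connection is encrypted but offers no protection against an active man-in-the-middle. Please pin the contract at this call site, e.g. `// Peer verification policy (CA, hostname) is owned by createSSLContext(); see FLAGS_ca_path.`, and consider a small `ConnectCallback` that logs the handshake error together with the peer address. Note that `folly::AsyncSSLSocket::newSocket` is called here outside the EventBase thread; a later patch in this series moves it into the lambda.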
@@ -26,7 +26,9 @@ class ThriftClientManager final { ~ThriftClientManager() { VLOG(3) << "~ThriftClientManager"; } - ThriftClientManager() { VLOG(3) << "ThriftClientManager"; } + explicit ThriftClientManager(bool enableSSL = false) : enableSSL_(enableSSL) { + VLOG(3) << "ThriftClientManager"; + } private: using ClientMap = std::unordered_map, // @@ -35,6 +37,8 @@ class ThriftClientManager final { >; folly::ThreadLocal clientMap_; + // wether enable ssl + bool enableSSL_{false}; }; } // namespace thrift diff --git a/src/daemons/MetaDaemon.cpp b/src/daemons/MetaDaemon.cpp index 5233d2678a0..1af0a7b364a 100644 --- a/src/daemons/MetaDaemon.cpp +++ b/src/daemons/MetaDaemon.cpp @@ -312,7 +312,7 @@ int main(int argc, char* argv[]) { gServer->setPort(FLAGS_port); gServer->setIdleTimeout(std::chrono::seconds(0)); // No idle timeout on client connection gServer->setInterface(std::move(handler)); - if (FLAGS_enable_ssl) { + if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) { gServer->setSSLConfig(nebula::sslContextConfig()); } gServer->serve(); // Will wait until the server shuts down diff --git a/src/kvstore/NebulaStore.h b/src/kvstore/NebulaStore.h index 306f716827f..562226c171a 100644 --- a/src/kvstore/NebulaStore.h +++ b/src/kvstore/NebulaStore.h @@ -11,6 +11,7 @@ #include #include "common/base/Base.h" +#include "common/ssl/SSLConfig.h" #include "common/utils/Utils.h" #include "interface/gen-cpp2/RaftexServiceAsyncClient.h" #include "kvstore/DiskManager.h" @@ -65,7 +66,8 @@ class NebulaStore : public KVStore, public Handler { options_(std::move(options)) { CHECK_NOTNULL(options_.partMan_); clientMan_ = - std::make_shared>(); + std::make_shared>( + FLAGS_enable_ssl); } ~NebulaStore(); diff --git a/src/kvstore/raftex/test/TestShard.cpp b/src/kvstore/raftex/test/TestShard.cpp index 7187aa862f9..d7c4683e1b0 100644 --- a/src/kvstore/raftex/test/TestShard.cpp +++ b/src/kvstore/raftex/test/TestShard.cpp 
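Review bot: `explicit ThriftClientManager(bool enableSSL = false)` keeps a default, so any construction site this series missed, and any future one, silently gets a plaintext client — the wrong failure mode for a security switch, because the mismatch is only noticed when a TLS-enabled server rejects the connection. Drop the default, `explicit ThriftClientManager(bool enableSSL) : enableSSL_(enableSSL) {`, so the compiler lists every call site that has to decide, and document the member: `// Whether client() creates TLS sockets; fixed at construction from the caller's gflags, not re-read later.`. A bare `bool` also invites transposition once a second option appears; an `enum class` or a small options struct would read better, but that is a style preference.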
@@ -7,6 +7,7 @@ #include "kvstore/raftex/test/TestShard.h" #include "common/base/Base.h" +#include "common/ssl/SSLConfig.h" #include "kvstore/raftex/Host.h" #include "kvstore/raftex/RaftexService.h" #include "kvstore/wal/FileBasedWal.h" @@ -118,7 +119,7 @@ HostAddr decodeRemovePeer(const folly::StringPiece& log) { std::shared_ptr> getClientMan() { static std::shared_ptr> clientMan( - new thrift::ThriftClientManager()); + new thrift::ThriftClientManager(FLAGS_enable_ssl)); return clientMan; } diff --git a/src/meta/processors/admin/AdminClient.h b/src/meta/processors/admin/AdminClient.h index 946f4d11c37..51b1ec4ecc8 100644 --- a/src/meta/processors/admin/AdminClient.h +++ b/src/meta/processors/admin/AdminClient.h @@ -11,6 +11,7 @@ #include "common/base/Base.h" #include "common/base/Status.h" +#include "common/ssl/SSLConfig.h" #include "common/thrift/ThriftClientManager.h" #include "interface/gen-cpp2/StorageAdminServiceAsyncClient.h" #include "kvstore/KVStore.h" @@ -33,7 +34,8 @@ class AdminClient { explicit AdminClient(kvstore::KVStore* kv) : kv_(kv) { ioThreadPool_ = std::make_unique(10); clientsMan_ = std::make_unique< - thrift::ThriftClientManager>(); + thrift::ThriftClientManager>( + FLAGS_enable_ssl); } virtual ~AdminClient() = default; diff --git a/tests/Makefile b/tests/Makefile index 75de7ce6a52..ac7cc50beca 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -18,6 +18,7 @@ DEBUG ?= true J ?= 10 ENABLE_SSL ?= false ENABLE_GRAPH_SSL ?= false +ENABLE_META_SSL ?= false CA_SIGNED ?= false install-deps: 
@@ -52,7 +53,7 @@ check: up: clean @mkdir -p $(CURR_DIR)/.pytest - PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true --enable_ssl=$(ENABLE_SSL) --enable_graph_ssl=$(ENABLE_GRAPH_SSL) --ca_signed=$(CA_SIGNED) + PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true --enable_ssl=$(ENABLE_SSL) --enable_graph_ssl=$(ENABLE_GRAPH_SSL) --enable_meta_ssl=$(ENABLE_META_SSL) --ca_signed=$(CA_SIGNED) down: PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=stop --rm_dir=$(RM_DIR) diff --git a/tests/common/nebula_service.py b/tests/common/nebula_service.py index 06a3fb37a51..fc2df702c84 100644 --- a/tests/common/nebula_service.py +++ b/tests/common/nebula_service.py @@ -168,7 +168,7 @@ def _check_servers_status(self, ports): time.sleep(1) return False - def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_graph_ssl=False, ca_signed=False): + def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_graph_ssl=False, enable_meta_ssl=False, ca_signed=False): os.chdir(self.work_dir) metad_ports = self._find_free_port() @@ -208,6 +208,7 @@ def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_gra command += ' --pid_file=pids1/nebula-graphd.pid' command += ' --enable_ssl={}'.format(enable_ssl) command += ' --enable_graph_ssl={}'.format(enable_graph_ssl) + command += ' --enable_meta_ssl={}'.format(enable_meta_ssl) print("exec: " + command) p = subprocess.Popen([command], shell=True, stdout=subprocess.PIPE) p.wait() diff --git a/tests/nebula-test-run.py b/tests/nebula-test-run.py index 6996a613d20..999a45aa577 100755 --- a/tests/nebula-test-run.py +++ b/tests/nebula-test-run.py 
@@ -60,6 +60,10 @@ def init_parser(): dest='enable_graph_ssl', default=False, help='Wether enable SSL for graph server.') + opt_parser.add_option('--enable_meta_ssl', + dest='enable_meta_ssl', + default=False, + help='Wether enable SSL for meta server.') opt_parser.add_option('--ca_signed', dest='ca_signed', default=False, @@ -82,7 +86,7 @@ def start_nebula(nb, configs): nb.install() address = "localhost" debug = opt_is(configs.debug, "true") - ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd, enable_ssl=configs.enable_ssl, enable_graph_ssl=configs.enable_graph_ssl, ca_signed=configs.ca_signed) + ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd, enable_ssl=configs.enable_ssl, enable_graph_ssl=configs.enable_graph_ssl, enable_meta_ssl=configs.enable_meta_ssl, ca_signed=configs.ca_signed) # Load csv data pool = get_conn_pool(address, ports[0]) From 179662be0a5ad36fad9886504ee8f305a837307f Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Thu, 26 Aug 2021 13:36:05 +0800 Subject: [PATCH 07/12] Initialize the ssl when enable meta ssl. --- src/daemons/GraphDaemon.cpp | 2 +- src/daemons/MetaDaemon.cpp | 2 +- src/daemons/StorageDaemon.cpp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/daemons/GraphDaemon.cpp b/src/daemons/GraphDaemon.cpp index 74403d3fd36..4bfee7617e2 100644 --- a/src/daemons/GraphDaemon.cpp +++ b/src/daemons/GraphDaemon.cpp @@ -54,7 +54,7 @@ int main(int argc, char *argv[]) { } folly::init(&argc, &argv, true); - if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl) { + if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl || FLAGS_enable_meta_ssl) { folly::ssl::init(); } nebula::initCounters(); diff --git a/src/daemons/MetaDaemon.cpp b/src/daemons/MetaDaemon.cpp index 1af0a7b364a..9c534951f43 100644 --- a/src/daemons/MetaDaemon.cpp +++ b/src/daemons/MetaDaemon.cpp 
@@ -206,7 +206,7 @@ int main(int argc, char* argv[]) { } folly::init(&argc, &argv, true); - if (FLAGS_enable_ssl) { + if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) { folly::ssl::init(); } if (FLAGS_data_path.empty()) { diff --git a/src/daemons/StorageDaemon.cpp b/src/daemons/StorageDaemon.cpp index e75c16c12be..b8f7f933be3 100644 --- a/src/daemons/StorageDaemon.cpp +++ b/src/daemons/StorageDaemon.cpp @@ -70,7 +70,7 @@ int main(int argc, char *argv[]) { } folly::init(&argc, &argv, true); - if (FLAGS_enable_ssl) { + if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) { folly::ssl::init(); } if (FLAGS_daemonize) { From 0d03f4b44b9ae2b771dbed190b76c450f4bcd555 Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Wed, 22 Sep 2021 17:04:52 +0800 Subject: [PATCH 08/12] Fix typo. --- src/common/ssl/SSLConfig.cpp | 6 +++--- src/common/thrift/ThriftClientManager.h | 2 +- tests/nebula-test-run.py | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp index 2a03a16a453..d7b98a36f01 100644 --- a/src/common/ssl/SSLConfig.cpp +++ b/src/common/ssl/SSLConfig.cpp @@ -9,9 +9,9 @@ DEFINE_string(cert_path, "", "Path to cert pem."); DEFINE_string(key_path, "", "Path to cert key."); DEFINE_string(ca_path, "", "Path to trusted CA file."); -DEFINE_bool(enable_ssl, false, "Wether enable ssl."); -DEFINE_bool(enable_graph_ssl, false, "Wether enable ssl of graph server."); -DEFINE_bool(enable_meta_ssl, false, "Wether enable ssl of meta server."); +DEFINE_bool(enable_ssl, false, "Whether enable ssl."); +DEFINE_bool(enable_graph_ssl, false, "Whether enable ssl of graph server."); +DEFINE_bool(enable_meta_ssl, false, "Whether enable ssl of meta server."); namespace nebula { diff --git a/src/common/thrift/ThriftClientManager.h b/src/common/thrift/ThriftClientManager.h index 6c47c4af24f..fa23b3678f3 100644 --- a/src/common/thrift/ThriftClientManager.h 
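Review bot: The guard around `folly::ssl::init()` is now spelled differently in each daemon (`enable_ssl || enable_graph_ssl || enable_meta_ssl` in graphd, `enable_ssl || enable_meta_ssl` here and in metad), and every future `enable_*_ssl` flag must be threaded into all three or the first `AsyncSSLSocket` runs against an uninitialised OpenSSL — a failure that only appears at the first connection. Centralise the predicate next to the flags, e.g. `inline bool sslEnabled() { return FLAGS_enable_ssl || FLAGS_enable_graph_ssl || FLAGS_enable_meta_ssl; }` in SSLConfig.h and `if (nebula::sslEnabled()) folly::ssl::init();` in each `main`, or call `folly::ssl::init()` unconditionally, which as far as I recall is cheap and a no-op after the first call. The enclosing `main` bodies extend outside this hunk.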
+++ b/src/common/thrift/ThriftClientManager.h @@ -37,7 +37,7 @@ class ThriftClientManager final { >; folly::ThreadLocal clientMap_; - // wether enable ssl + // whether enable ssl bool enableSSL_{false}; }; diff --git a/tests/nebula-test-run.py b/tests/nebula-test-run.py index 999a45aa577..0399a3b2139 100755 --- a/tests/nebula-test-run.py +++ b/tests/nebula-test-run.py @@ -55,19 +55,19 @@ def init_parser(): opt_parser.add_option('--enable_ssl', dest='enable_ssl', default=False, - help='Wether enable SSL for cluster.') + help='Whether enable SSL for cluster.') opt_parser.add_option('--enable_graph_ssl', dest='enable_graph_ssl', default=False, - help='Wether enable SSL for graph server.') + help='Whether enable SSL for graph server.') opt_parser.add_option('--enable_meta_ssl', dest='enable_meta_ssl', default=False, - help='Wether enable SSL for meta server.') + help='Whether enable SSL for meta server.') opt_parser.add_option('--ca_signed', dest='ca_signed', default=False, - help='Wether enable CA signed SSL/TLS mode.') + help='Whether enable CA signed SSL/TLS mode.') return opt_parser From 00bfa7148fe35b650d1fbe2d0316f17a88e7d07c Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Wed, 22 Sep 2021 17:06:08 +0800 Subject: [PATCH 09/12] Fix the header order. From cbb901a77618e8df097add6fe26630aadfd50166 Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Thu, 23 Sep 2021 16:36:28 +0800 Subject: [PATCH 10/12] clear logic. --- src/common/thrift/ThriftClientManager-inl.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/common/thrift/ThriftClientManager-inl.h b/src/common/thrift/ThriftClientManager-inl.h index f0e05a270ee..caf0a27f252 100644 --- a/src/common/thrift/ThriftClientManager-inl.h +++ b/src/common/thrift/ThriftClientManager-inl.h 
@@ -73,11 +73,9 @@ std::shared_ptr ThriftClientManager::client(const HostAd VLOG(2) << "Connecting to " << host << " for " << ++connectionCount << " times"; std::shared_ptr socket; - if (enableSSL_) { - socket = folly::AsyncSSLSocket::newSocket(nebula::createSSLContext(), evb); - } evb->runImmediatelyOrRunInEventBaseThreadAndWait([this, &socket, evb, resolved]() { if (enableSSL_) { + socket = folly::AsyncSSLSocket::newSocket(nebula::createSSLContext(), evb); socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms); } else { socket = From 6d9dbb9c6593f381ff1dda81aa3e4f284ca5e8b1 Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Fri, 24 Sep 2021 11:28:37 +0800 Subject: [PATCH 11/12] Add test for ca signed mode. --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index ef24d5a7b43..9f9f2d4c40b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -136,7 +136,7 @@ jobs: ;; ubuntu2004) # ssl cluster - make ENABLE_SSL=true up + make ENABLE_SSL=true CA_SIGNED=true up ;; esac ;; From 1e3b24b8819228a6c945944ba8480a63fed3503b Mon Sep 17 00:00:00 2001 From: Shylock Hg <33566796+Shylock-Hg@users.noreply.github.com> Date: Fri, 24 Sep 2021 11:30:05 +0800 Subject: [PATCH 12/12] Fix flag note. --- src/common/ssl/SSLConfig.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp index d7b98a36f01..5f39f26c5ac 100644 --- a/src/common/ssl/SSLConfig.cpp +++ b/src/common/ssl/SSLConfig.cpp 
@@ -9,9 +9,9 @@ DEFINE_string(cert_path, "", "Path to cert pem."); DEFINE_string(key_path, "", "Path to cert key."); DEFINE_string(ca_path, "", "Path to trusted CA file."); -DEFINE_bool(enable_ssl, false, "Whether enable ssl."); -DEFINE_bool(enable_graph_ssl, false, "Whether enable ssl of graph server."); -DEFINE_bool(enable_meta_ssl, false, "Whether enable ssl of meta server."); +DEFINE_bool(enable_ssl, false, "Whether to enable ssl."); +DEFINE_bool(enable_graph_ssl, false, "Whether to enable ssl of graph server."); +DEFINE_bool(enable_meta_ssl, false, "Whether to enable ssl of meta server."); namespace nebula {