def optional_outbound_tls_test(self):
"""listen on TLS port, but optionally connect using TLS. this supports the upgrade case of starting with a non-encrypted cluster and then upgrading each node to use encryption."""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2",
credNode1.cakeystore,
credNode1.cacert)
# first, start cluster without TLS (either listening or connecting
self.setup_nodes(credNode1,
credNode2,
internode_encryption='none',
encryption_enabled=False)
self.cluster.start()
self.cql_connection(self.node1)
# next bounce the cluster to listen on both plain/secure sockets (do not connect secure port, yet, though)
self.bounce_node_with_updated_config(credNode1, self.node1, 'none',
True, True)
self.bounce_node_with_updated_config(credNode2, self.node2, 'none',
True, True)
# next connect with TLS for the outbound connections
self.bounce_node_with_updated_config(credNode1, self.node1, 'all',
True, True)
self.bounce_node_with_updated_config(credNode2, self.node2, 'all',
True, True)
# now shutdown the plaintext port
self.bounce_node_with_updated_config(credNode1, self.node1, 'all',
True, False)
self.bounce_node_with_updated_config(credNode2, self.node2, 'all',
True, False)
self.cluster.stop()
def test_ssl_enabled(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2)
self.cluster.start()
self.cql_connection(self.node1)
def test_ssl_wrong_hostname_no_validation(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.80")
credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpoint_verification=False)
self.cluster.start()
time.sleep(2)
self.cql_connection(self.node1)
def ssl_enabled_test(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2)
self.cluster.start()
self.cql_connection(self.node1)
def ssl_wrong_hostname_no_validation_test(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.80")
credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpointVerification=False)
self.cluster.start()
time.sleep(2)
self.cql_connection(self.node1)
def test_ssl_correct_hostname_with_validation(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpoint_verification=True)
self.fixture_dtest_setup.allow_log_errors = False
self.cluster.start()
time.sleep(2)
self.cql_connection(self.node1)
def test_ssl_client_auth_required_succeed(self):
"""peers need to perform mutual auth (cient auth required), but do not supply the loca cert"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
sslkeygen.import_cert(credNode1.basedir, 'ca127.0.0.2', credNode2.cacert, credNode1.cakeystore)
sslkeygen.import_cert(credNode2.basedir, 'ca127.0.0.1', credNode1.cacert, credNode2.cakeystore)
self.setup_nodes(credNode1, credNode2, client_auth=True)
self.cluster.start()
self.cql_connection(self.node1)
def ssl_correct_hostname_with_validation_test(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpointVerification=True)
self.allow_log_errors = False
self.cluster.start()
time.sleep(2)
self.cql_connection(self.node1)
def ssl_client_auth_required_succeed_test(self):
"""peers need to perform mutual auth (cient auth required), but do not supply the loca cert"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
sslkeygen.import_cert(credNode1.basedir, 'ca127.0.0.2', credNode2.cacert, credNode1.cakeystore)
sslkeygen.import_cert(credNode2.basedir, 'ca127.0.0.1', credNode1.cacert, credNode2.cakeystore)
self.setup_nodes(credNode1, credNode2, client_auth=True)
self.cluster.start()
self.cql_connection(self.node1)
def test_ca_mismatch(self):
"""CA mismatch should cause nodes to fail to connect"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2") # mismatching CA!
self.setup_nodes(credNode1, credNode2)
self.fixture_dtest_setup.allow_log_errors = True
self.cluster.start(no_wait=True)
found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE)
self.cluster.stop()
assert found
def ca_mismatch_test(self):
"""CA mismatch should cause nodes to fail to connect"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2") # mismatching CA!
self.setup_nodes(credNode1, credNode2)
self.allow_log_errors = True
self.cluster.start(no_wait=True)
found = self._grep_msg(self.node1, _LOG_ERR_SIG)
self.cluster.stop()
self.assertTrue(found)
def ca_mismatch_test(self):
"""CA mismatch should cause nodes to fail to connect"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials(
"127.0.0.2") # mismatching CA!
self.setup_nodes(credNode1, credNode2)
self.allow_log_errors = True
self.cluster.start(no_wait=True)
found = self._grep_msg(self.node1, _LOG_ERR_SIG)
self.cluster.stop()
self.assertTrue(found)
def test_ssl_wrong_hostname_with_validation(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.80")
credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpoint_verification=True)
self.fixture_dtest_setup.allow_log_errors = True
self.cluster.start(no_wait=True)
found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL)
assert found
found = self._grep_msg(self.node2, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL)
assert found
self.cluster.stop()
def test_ssl_client_auth_required_fail(self):
"""peers need to perform mutual auth (cient auth required), but do not supply the local cert"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2")
self.setup_nodes(credNode1, credNode2, client_auth=True)
self.fixture_dtest_setup.allow_log_errors = True
self.cluster.start(no_wait=True)
time.sleep(2)
found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL)
assert found
found = self._grep_msg(self.node2, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL)
assert found
self.cluster.stop()
assert found
def ssl_wrong_hostname_with_validation_test(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.80")
credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpointVerification=True)
self.allow_log_errors = True
self.cluster.start(no_wait=True)
found = self._grep_msg(self.node1, _LOG_ERR_IP, _LOG_ERR_HOST)
self.assertTrue(found)
found = self._grep_msg(self.node2, _LOG_ERR_IP, _LOG_ERR_HOST)
self.assertTrue(found)
self.cluster.stop()
self.assertTrue(found)
def ssl_client_auth_required_fail_test(self):
"""peers need to perform mutual auth (cient auth required), but do not supply the local cert"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2")
self.setup_nodes(credNode1, credNode2, client_auth=True)
self.allow_log_errors = True
self.cluster.start(no_wait=True)
time.sleep(2)
found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL)
self.assertTrue(found)
found = self._grep_msg(self.node2, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL)
self.assertTrue(found)
self.cluster.stop()
self.assertTrue(found)
def ssl_client_auth_required_fail_test(self):
"""peers need to perform mutual auth (cient auth required), but do not supply the local cert"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2")
self.setup_nodes(credNode1, credNode2, client_auth=True)
self.allow_log_errors = True
self.cluster.start(no_wait=True)
time.sleep(2)
found = self._grep_msg(self.node1, _LOG_ERR_CERT)
self.assertTrue(found)
found = self._grep_msg(self.node2, _LOG_ERR_CERT)
self.assertTrue(found)
self.cluster.stop()
self.assertTrue(found)
def ssl_wrong_hostname_with_validation_test(self):
"""Should be able to start with valid ssl options"""
credNode1 = sslkeygen.generate_credentials("127.0.0.80")
credNode2 = sslkeygen.generate_credentials("127.0.0.81",
credNode1.cakeystore,
credNode1.cacert)
self.setup_nodes(credNode1, credNode2, endpointVerification=True)
self.allow_log_errors = True
self.cluster.start(no_wait=True)
found = self._grep_msg(self.node1, _LOG_ERR_IP, _LOG_ERR_HOST)
self.assertTrue(found)
found = self._grep_msg(self.node2, _LOG_ERR_IP, _LOG_ERR_HOST)
self.assertTrue(found)
self.cluster.stop()
self.assertTrue(found)
def test_optional_outbound_tls(self):
"""listen on TLS port, but optionally connect using TLS. this supports the upgrade case of starting with a non-encrypted cluster and then upgrading each node to use encryption.
@jira_ticket CASSANDRA-10404
"""
credNode1 = sslkeygen.generate_credentials("127.0.0.1")
credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
# first, start cluster without TLS (either listening or connecting)
# Optional should be true by default in 4.0 thanks to CASSANDRA-15262
self.setup_nodes(credNode1, credNode2, internode_encryption='none')
self.cluster.start()
self.cql_connection(self.node1)
# next connect with TLS for the outbound connections
self.bounce_node_with_updated_config(credNode1, self.node1, 'all', encryption_optional=True)
self.bounce_node_with_updated_config(credNode2, self.node2, 'all', encryption_optional=True)
# now shutdown the plaintext port
self.bounce_node_with_updated_config(credNode1, self.node1, 'all', encryption_optional=False)
self.bounce_node_with_updated_config(credNode2, self.node2, 'all', encryption_optional=False)
self.cluster.stop()
def test_hsha_with_ssl(self):
"""Enables hsha with ssl"""
cluster = self.cluster
logger.debug("Starting cluster..")
cred = sslkeygen.generate_credentials("127.0.0.1")
cluster.set_configuration_options(
values={
'rpc_server_type': 'hsha',
# seems 1 causes a dead lock... heh...
'rpc_min_threads': 16,
'rpc_max_threads': 2048,
'client_encryption_options': {
'enabled': True,
'optional': False,
'keystore': cred.cakeystore,
'keystore_password': '******'
}
})
cluster.populate(1).start(wait_for_binary_proto=True)
self._assert_binary_actually_found(cluster)
self._assert_startup(cluster)
node = cluster.nodelist()[0]
self._assert_client_enable(node)
