def optional_outbound_tls_test(self): """listen on TLS port, but optionally connect using TLS. this supports the upgrade case of starting with a non-encrypted cluster and then upgrading each node to use encryption.""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) # first, start cluster without TLS (either listening or connecting self.setup_nodes(credNode1, credNode2, internode_encryption='none', encryption_enabled=False) self.cluster.start() self.cql_connection(self.node1) # next bounce the cluster to listen on both plain/secure sockets (do not connect secure port, yet, though) self.bounce_node_with_updated_config(credNode1, self.node1, 'none', True, True) self.bounce_node_with_updated_config(credNode2, self.node2, 'none', True, True) # next connect with TLS for the outbound connections self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, True) self.bounce_node_with_updated_config(credNode2, self.node2, 'all', True, True) # now shutdown the plaintext port self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, False) self.bounce_node_with_updated_config(credNode2, self.node2, 'all', True, False) self.cluster.stop()
def test_ssl_enabled(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2) self.cluster.start() self.cql_connection(self.node1)
def test_ssl_wrong_hostname_no_validation(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.80") credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2, endpoint_verification=False) self.cluster.start() time.sleep(2) self.cql_connection(self.node1)
def ssl_enabled_test(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2) self.cluster.start() self.cql_connection(self.node1)
def ssl_wrong_hostname_no_validation_test(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.80") credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2, endpointVerification=False) self.cluster.start() time.sleep(2) self.cql_connection(self.node1)
def test_ssl_correct_hostname_with_validation(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2, endpoint_verification=True) self.fixture_dtest_setup.allow_log_errors = False self.cluster.start() time.sleep(2) self.cql_connection(self.node1)
def test_ssl_client_auth_required_succeed(self): """peers need to perform mutual auth (cient auth required), but do not supply the loca cert""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) sslkeygen.import_cert(credNode1.basedir, 'ca127.0.0.2', credNode2.cacert, credNode1.cakeystore) sslkeygen.import_cert(credNode2.basedir, 'ca127.0.0.1', credNode1.cacert, credNode2.cakeystore) self.setup_nodes(credNode1, credNode2, client_auth=True) self.cluster.start() self.cql_connection(self.node1)
def ssl_correct_hostname_with_validation_test(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2, endpointVerification=True) self.allow_log_errors = False self.cluster.start() time.sleep(2) self.cql_connection(self.node1)
def ssl_client_auth_required_succeed_test(self): """peers need to perform mutual auth (cient auth required), but do not supply the loca cert""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) sslkeygen.import_cert(credNode1.basedir, 'ca127.0.0.2', credNode2.cacert, credNode1.cakeystore) sslkeygen.import_cert(credNode2.basedir, 'ca127.0.0.1', credNode1.cacert, credNode2.cakeystore) self.setup_nodes(credNode1, credNode2, client_auth=True) self.cluster.start() self.cql_connection(self.node1)
def test_ca_mismatch(self): """CA mismatch should cause nodes to fail to connect""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2") # mismatching CA! self.setup_nodes(credNode1, credNode2) self.fixture_dtest_setup.allow_log_errors = True self.cluster.start(no_wait=True) found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE) self.cluster.stop() assert found
def ca_mismatch_test(self): """CA mismatch should cause nodes to fail to connect""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2") # mismatching CA! self.setup_nodes(credNode1, credNode2) self.allow_log_errors = True self.cluster.start(no_wait=True) found = self._grep_msg(self.node1, _LOG_ERR_SIG) self.cluster.stop() self.assertTrue(found)
def ca_mismatch_test(self): """CA mismatch should cause nodes to fail to connect""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials( "127.0.0.2") # mismatching CA! self.setup_nodes(credNode1, credNode2) self.allow_log_errors = True self.cluster.start(no_wait=True) found = self._grep_msg(self.node1, _LOG_ERR_SIG) self.cluster.stop() self.assertTrue(found)
def test_ssl_wrong_hostname_with_validation(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.80") credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2, endpoint_verification=True) self.fixture_dtest_setup.allow_log_errors = True self.cluster.start(no_wait=True) found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL) assert found found = self._grep_msg(self.node2, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL) assert found self.cluster.stop()
def test_ssl_client_auth_required_fail(self): """peers need to perform mutual auth (cient auth required), but do not supply the local cert""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2") self.setup_nodes(credNode1, credNode2, client_auth=True) self.fixture_dtest_setup.allow_log_errors = True self.cluster.start(no_wait=True) time.sleep(2) found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL) assert found found = self._grep_msg(self.node2, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL) assert found self.cluster.stop() assert found
def ssl_wrong_hostname_with_validation_test(self): """Should be able to start with valid ssl options""" credNode1 = sslkeygen.generate_credentials("127.0.0.80") credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert) self.setup_nodes(credNode1, credNode2, endpointVerification=True) self.allow_log_errors = True self.cluster.start(no_wait=True) found = self._grep_msg(self.node1, _LOG_ERR_IP, _LOG_ERR_HOST) self.assertTrue(found) found = self._grep_msg(self.node2, _LOG_ERR_IP, _LOG_ERR_HOST) self.assertTrue(found) self.cluster.stop() self.assertTrue(found)
def ssl_client_auth_required_fail_test(self): """peers need to perform mutual auth (cient auth required), but do not supply the local cert""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2") self.setup_nodes(credNode1, credNode2, client_auth=True) self.allow_log_errors = True self.cluster.start(no_wait=True) time.sleep(2) found = self._grep_msg(self.node1, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL) self.assertTrue(found) found = self._grep_msg(self.node2, _LOG_ERR_HANDSHAKE, _LOG_ERR_GENERAL) self.assertTrue(found) self.cluster.stop() self.assertTrue(found)
def ssl_client_auth_required_fail_test(self): """peers need to perform mutual auth (cient auth required), but do not supply the local cert""" credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2") self.setup_nodes(credNode1, credNode2, client_auth=True) self.allow_log_errors = True self.cluster.start(no_wait=True) time.sleep(2) found = self._grep_msg(self.node1, _LOG_ERR_CERT) self.assertTrue(found) found = self._grep_msg(self.node2, _LOG_ERR_CERT) self.assertTrue(found) self.cluster.stop() self.assertTrue(found)
def test_optional_outbound_tls(self): """listen on TLS port, but optionally connect using TLS. this supports the upgrade case of starting with a non-encrypted cluster and then upgrading each node to use encryption. @jira_ticket CASSANDRA-10404 """ credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) # first, start cluster without TLS (either listening or connecting) # Optional should be true by default in 4.0 thanks to CASSANDRA-15262 self.setup_nodes(credNode1, credNode2, internode_encryption='none') self.cluster.start() self.cql_connection(self.node1) # next connect with TLS for the outbound connections self.bounce_node_with_updated_config(credNode1, self.node1, 'all', encryption_optional=True) self.bounce_node_with_updated_config(credNode2, self.node2, 'all', encryption_optional=True) # now shutdown the plaintext port self.bounce_node_with_updated_config(credNode1, self.node1, 'all', encryption_optional=False) self.bounce_node_with_updated_config(credNode2, self.node2, 'all', encryption_optional=False) self.cluster.stop()
def test_hsha_with_ssl(self): """Enables hsha with ssl""" cluster = self.cluster logger.debug("Starting cluster..") cred = sslkeygen.generate_credentials("127.0.0.1") cluster.set_configuration_options( values={ 'rpc_server_type': 'hsha', # seems 1 causes a dead lock... heh... 'rpc_min_threads': 16, 'rpc_max_threads': 2048, 'client_encryption_options': { 'enabled': True, 'optional': False, 'keystore': cred.cakeystore, 'keystore_password': '******' } }) cluster.populate(1).start(wait_for_binary_proto=True) self._assert_binary_actually_found(cluster) self._assert_startup(cluster) node = cluster.nodelist()[0] self._assert_client_enable(node)