diff --git a/contrib/tlstest/Makefile b/contrib/tlstest/Makefile
index a5c1276cfaf..2db83c0e00e 100644
--- a/contrib/tlstest/Makefile
+++ b/contrib/tlstest/Makefile
@@ -1,63 +1,60 @@
-KEYBITS=2048
-PASS=secret
-
-KEYS=ca.key server.key client.key server_pass.key client_pass.key server3.key
-CERTS=ca.crt server.crt client.crt server_pass.crt client_pass.crt server3.crt
+#
+# Copyright 2017-2018 Dgraph Labs, Inc. and Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+DGRAPH_PATH = $(GOPATH)/src/github.com/dgraph-io/dgraph/dgraph
+DGRAPH_BIN = $(DGRAPH_PATH)/dgraph
+
+TARGETS = test1 test2 test3 test4 test5 test6
+KEYBITS = 2048
+
+.PHONY: all
+all: cert $(TARGETS)
 
 test: all
- @echo -e "\n\n\nTESTING...\n"
- @echo "Basic TLS communication, unencrypted keys"
- @./test.sh ./server_nopass.sh ./client_nocert.sh 0
- @echo "Basic TLS communication, encrypted keys (with password)"
- @./test.sh ./server_pass.sh ./client_pass.sh 0
- @echo "TLS client authentication, unencrypted key"
- @./test.sh ./server_nopass_client_auth.sh ./client_nopass.sh 0
- @echo "TLS client authentication, no client cert (failure expected)"
- @./test.sh ./server_nopass_client_auth.sh ./client_nocert.sh 1
- @echo "Invalid server name (failure expected)"
- @./test.sh ./server_nopass.sh ./client_pass.sh 1
- @echo "TLS protocol versions mismatch (failure expected)"
- @./test.sh ./server_11.sh ./client_12.sh 1
- @echo "TLS certificate reloading"
- @./test_reload.sh
-
-all: ca $(KEYS) $(CERTS)
-
-clean:
- git clean -d -f
 
-ca:
- @mkdir -p newcerts
- @touch index.txt
- @touch index.txt.attr
- @echo 1000 > serial
+cert:
+ @echo "Generating CA cert in 'tls dir."
+ @$(MAKE) -C $(DGRAPH_PATH) all
+ @$(DGRAPH_BIN) cert --keysize $(KEYBITS) -d $(PWD)/tls -n localhost -c live
 
-ca.crt: ca.key
- openssl req -key ca.key -new -x509 -extensions v3_ca -out ca.crt -nodes -subj "/C=AU/L=Sydney/O=Dgraph/CN=ca.dgraph.io"
+test1: cert
+ @echo "Test 1: Alpha non-TLS, Live non-TLS"
+ @(DGRAPH_BIN=$(DGRAPH_BIN) ./test.sh ./alpha_notls.sh ./live_notls.sh 0)
 
-ca.key:
- openssl genrsa -out ca.key $(KEYBITS)
+test2: cert
+ @echo "Test 2: Alpha non-TLS, Live TLS"
+ @(DGRAPH_BIN=$(DGRAPH_BIN) ./test.sh ./alpha_notls.sh ./live_tls.sh 1)
 
-server.csr server.key:
- openssl req -new -newkey rsa:$(KEYBITS) -keyout server.key -out server.csr -nodes -subj "/C=AU/L=Sydney/O=Dgraph/CN=server1.dgraph.io"
+test3: cert
+ @echo "Test 3: Alpha TLS, Live non-TLS"
+ @(DGRAPH_BIN=$(DGRAPH_BIN) ./test.sh ./alpha_tls.sh ./live_notls.sh 1)
 
-server3.csr server3.key:
- openssl req -new -newkey rsa:$(KEYBITS) -keyout server3.key -out server3.csr -nodes -subj "/C=AU/L=Sydney/O=Dgraph/CN=server3.dgraph.io"
+test4: cert
+ @echo "Test 4: Alpha TLS, Live TLS"
+ @(DGRAPH_BIN=$(DGRAPH_BIN) ./test.sh ./alpha_tls.sh ./live_tls.sh 0)
 
-client.csr client.key:
- openssl req -new -newkey rsa:$(KEYBITS) -keyout client.key -out client.csr -nodes -subj "/C=AU/L=Sydney/O=Dgraph/CN=client1.dgraph.io"
+test5: cert
+ @echo "Test 5: Alpha TLS Auth, Live TLS"
+ @(DGRAPH_BIN=$(DGRAPH_BIN) ./test.sh ./alpha_tls_auth.sh ./live_tls_auth.sh 0)
 
-server_pass.key:
- openssl genrsa -aes256 -out server_pass.key -passout pass:$(PASS) $(KEYBITS)
+test6: cert
+ @echo "Test 6: Alpha TLS reload, Live TLS"
+ @(DGRAPH_BIN=$(DGRAPH_BIN) RELOAD_TEST=1 ./test.sh ./alpha_tls.sh ./live_tls.sh 1)
 
-client_pass.key:
- openssl genrsa -aes256 -out client_pass.key -passout pass:$(PASS) $(KEYBITS)
-
-server_pass.csr: server_pass.key
- openssl req -new -key server_pass.key -out server_pass.csr -subj "/C=AU/L=Sydney/O=Dgraph/CN=server2.dgraph.io" -passin pass:$(PASS) -passout pass:$(PASS)
-
-client_pass.csr: client_pass.key
- openssl req -new -key client_pass.key -out client_pass.csr -subj "/C=AU/L=Sydney/O=Dgraph/CN=client2.dgraph.io" -passin pass:$(PASS) -passout pass:$(PASS)
+clean:
+ git clean -d -f
 
-%.crt: %.csr ca.crt ca.key
- openssl ca -config openssl.cnf -days 365 -notext -cert ca.crt -keyfile ca.key -in $< -out $@ -batch
diff --git a/contrib/tlstest/alpha_notls.sh b/contrib/tlstest/alpha_notls.sh
new file mode 100755
index 00000000000..9ef34c1c0a7
--- /dev/null
+++ b/contrib/tlstest/alpha_notls.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+$DGRAPH_BIN alpha --lru_mb 2048 --zero 127.0.0.1:5081 &> alpha.log
diff --git a/contrib/tlstest/alpha_tls.sh b/contrib/tlstest/alpha_tls.sh
new file mode 100755
index 00000000000..736ef94d58c
--- /dev/null
+++ b/contrib/tlstest/alpha_tls.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+$DGRAPH_BIN alpha --tls_dir $PWD/tls --lru_mb 2048 --zero 127.0.0.1:5081 &> alpha.log
\ No newline at end of file
diff --git a/contrib/tlstest/alpha_tls_auth.sh b/contrib/tlstest/alpha_tls_auth.sh
new file mode 100755
index 00000000000..ac3b6ac71bc
--- /dev/null
+++ b/contrib/tlstest/alpha_tls_auth.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+$DGRAPH_BIN alpha --tls_dir $PWD/tls --tls_client_auth REQUIREANDVERIFY --lru_mb 2048 --zero 127.0.0.1:5081 &> alpha.log
diff --git a/contrib/tlstest/client_12.sh b/contrib/tlstest/client_12.sh
deleted file mode 100755
index 64e2b2a427b..00000000000
--- a/contrib/tlstest/client_12.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-../../dgraph/dgraph live -d server1.dgraph.io:9080 --tls_on --tls_ca_certs ca.crt --tls_cert client.crt --tls_cert_key client.key --tls_server_name server1.dgraph.io --tls_min_version=TLS12 -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/client_nocert.sh b/contrib/tlstest/client_nocert.sh
deleted file mode 100755
index e0bbd8f6b8a..00000000000
--- a/contrib/tlstest/client_nocert.sh
+++ /dev/null
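Review bot: The `cert` recipe locates the key directory with `$(PWD)/tls`, but `PWD` is only an inherited shell variable that GNU make does not update for `-C`; `CURDIR` is the value that tracks make's working directory, so under `make -C contrib/tlstest` the CA and server key could be written next to the caller's directory while `test.sh` and the `alpha_tls*.sh` wrappers read `$PWD/tls` relative to this one. Prefer `-d $(CURDIR)/tls` here. Only `all` is declared `.PHONY`, while `test`, `cert`, `clean` and `test1`–`test6` create no file of their own name, so a stray `cert` or `test3` file would silently skip that step: `.PHONY: all test cert clean $(TARGETS)`. `all: cert $(TARGETS)` also lets `make -j` start the six tests concurrently, and each `test.sh` run binds the same zero/alpha ports and kills every `dgraph` process, so add `.NOTPARALLEL:` or chain the targets (`test2: test1`, …).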
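Review bot: `$DGRAPH_BIN` is expanded unquoted and nothing checks that it is set; with only `set -e`, an unset variable turns the line into a bare `alpha …` command whose failure is invisible, because `test.sh` starts this wrapper in the background with output discarded and reports only the live loader's exit code. Write `set -eu` and `exec "${DGRAPH_BIN:?DGRAPH_BIN must be set}" alpha --lru_mb 2048 --zero 127.0.0.1:5081 &> alpha.log`; `exec` also makes the wrapper's PID the server's PID, which lets the caller signal the process it started instead of every `dgraph` on the host. The same applies to alpha_tls.sh, alpha_tls_auth.sh, live_notls.sh, live_tls.sh and live_tls_auth.sh, with `"$PWD/tls"` quoted in the four that pass `--tls_dir`.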
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-../../dgraph/dgraph live -d server1.dgraph.io:9080 --tls_on --tls_ca_certs ca.crt --tls_server_name server1.dgraph.io -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/client_nopass.sh b/contrib/tlstest/client_nopass.sh
deleted file mode 100755
index 05a0486e255..00000000000
--- a/contrib/tlstest/client_nopass.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-../../dgraph/dgraph live -d server1.dgraph.io:9080 --tls_on --tls_ca_certs ca.crt --tls_cert client.crt --tls_cert_key client.key --tls_server_name server1.dgraph.io -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/client_pass.sh b/contrib/tlstest/client_pass.sh
deleted file mode 100755
index 9b10b0381f8..00000000000
--- a/contrib/tlstest/client_pass.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-../../dgraph/dgraph live -d server2.dgraph.io:9080 --tls_on --tls_ca_certs ca.crt --tls_cert client_pass.crt --tls_cert_key client_pass.key --tls_cert_key_passphrase secret --tls_server_name server2.dgraph.io -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/live_notls.sh b/contrib/tlstest/live_notls.sh
new file mode 100755
index 00000000000..b21b3d52ac6
--- /dev/null
+++ b/contrib/tlstest/live_notls.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+$DGRAPH_BIN live -d localhost:9080 -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/live_tls.sh b/contrib/tlstest/live_tls.sh
new file mode 100755
index 00000000000..54334f836dd
--- /dev/null
+++ b/contrib/tlstest/live_tls.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+$DGRAPH_BIN live -d localhost:9080 --tls_dir $PWD/tls -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/live_tls_auth.sh b/contrib/tlstest/live_tls_auth.sh
new file mode 100755
index 00000000000..64ee1e61131
--- /dev/null
+++ b/contrib/tlstest/live_tls_auth.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+$DGRAPH_BIN live -d localhost:9080 --tls_dir $PWD/tls --tls_server_name localhost -r data.rdf.gz -z 127.0.0.1:5081
diff --git a/contrib/tlstest/server_reload.sh b/contrib/tlstest/server_reload.sh
deleted file mode 100755
index a4c8d01927f..00000000000
--- a/contrib/tlstest/server_reload.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-../../cmd/dgraph/dgraph -tls_on -tls_ca_certs ca.crt -tls_cert server_reload.crt -tls_cert_key server_reload.key \
- --lru_mb 2048 --zero 127.0.0.1:5080
diff --git a/contrib/tlstest/test.sh b/contrib/tlstest/test.sh
index df9bf06d4f6..0c8870b1b3c 100755
--- a/contrib/tlstest/test.sh
+++ b/contrib/tlstest/test.sh
@@ -1,33 +1,33 @@
 #!/bin/bash
+trap "cleanup" EXIT
 
-killall -9 dgraph || true
-
-DGRAPH_ROOT=$GOPATH/src/github.com/dgraph-io/dgraph/dgraph
-function build {
- pushd $DGRAPH_ROOT > /dev/null
- go build .
- popd > /dev/null
+cleanup() {
+ killall -KILL dgraph >/dev/null 2>/dev/null
 }
 
-SERVER=$1
-CLIENT=$2
+ALPHA=$1
+LIVE=$2
 EXPECTED=$3
 
-build "dgraph"
-
-$DGRAPH_ROOT/dgraph zero -w zw -o 1 > zero.log 2>&1 &
+$DGRAPH_BIN zero -w zw -o 1 > zero.log 2>&1 &
 sleep 5
+$ALPHA >/dev/null 2>&1 &
 
-$SERVER > /dev/null 2>&1 &
-timeout 30s $CLIENT > client.log 2>&1
-RESULT=$?
-# echo -e "Result $RESULT"
+if [ "x$RELOAD_TEST" != "x" ]; then
+ trap '' HUP
+ rm -f ./tls/ca.key
+ $DGRAPH_BIN cert -d $PWD/tls -n localhost -c live --force
+ killall -HUP dgraph >/dev/null 2>/dev/null
+ sleep 3
+fi
 
-echo "$SERVER <-> $CLIENT: $RESULT (expected: $EXPECTED)"
+timeout 30s $LIVE > live.log 2>&1
+RESULT=$?
 
-if [ $RESULT == $EXPECTED ]; then
- exit 0
-else
- exit 1
+if [ $RESULT != $EXPECTED ]; then
+ echo "$ALPHA <-> $LIVE, Result: $RESULT != Expected: $EXPECTED"
+ exit 1
 fi
+
+exit 0
 
diff --git a/contrib/tlstest/test_reload.sh b/contrib/tlstest/test_reload.sh
index 0e0b540565d..97e2a6bee81 100755
--- a/contrib/tlstest/test_reload.sh
+++ b/contrib/tlstest/test_reload.sh
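Review bot: The new `cleanup` trap runs `killall -KILL dgraph` and the reload branch `killall -HUP dgraph`, which signal every `dgraph` process the user owns anywhere on the host, not just the zero and alpha this run started; on a shared CI or developer machine that kills unrelated instances, and the SIGHUP reload is broadcast to them as well. Record `$!` after each background start and signal those PIDs instead (for the recorded PID to be the server's, the `alpha_*.sh` wrappers need to `exec` the binary). `$DGRAPH_BIN` is also used without a guard, so an unset variable runs a bare `zero`; `: "${DGRAPH_BIN:?DGRAPH_BIN must be set}"` at the top fails fast with a clear message. The operands in `[ $RESULT != $EXPECTED ]` should be quoted, `[ "$RESULT" != "$EXPECTED" ]`, so a missing third argument yields a failed comparison rather than a `[` syntax error.
```shell
cleanup() {
    # Signal only the processes this run started; either PID may be unset if we exit early.
    kill -KILL ${ZERO_PID:-} ${ALPHA_PID:-} >/dev/null 2>&1 || true
}
# … unchanged: ALPHA/LIVE/EXPECTED assignments …
$DGRAPH_BIN zero -w zw -o 1 > zero.log 2>&1 &
ZERO_PID=$!
sleep 5
$ALPHA >/dev/null 2>&1 &
ALPHA_PID=$!
# … unchanged: RELOAD_TEST branch, with `kill -HUP "$ALPHA_PID"` in place of `killall -HUP dgraph` …
```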
@@ -1,35 +1,33 @@
 #!/bin/bash
-killall dgraph
+trap "cleanup" EXIT
 
-SERVER=./server_reload.sh
-CLIENT=./client_nopass.sh
-EXPECTED=1
-
-cp server.crt server_reload.crt
-cp server.key server_reload.key
+cleanup() {
+ killall -9 dgraph >/dev/null 2>/dev/null
+}
 
+ALPHA=./alpha_tls.sh
+LIVE=./live_tls.sh
+EXPECTED=1
-$GOPATH/src/github.com/dgraph-io/dgraph/dgraph/dgraph zero -w zw -o 1> /dev/null 2>&1 &
+$DGRAPH_BIN zero -w zw -o 1 > zero.log 2>&1 &
 sleep 5
 
 # start the server
-$SERVER > /dev/null 2>&1 &
-P=$!
-timeout 30s $CLIENT > /dev/null 2>&1
+$ALPHA > /dev/null 2>&1 &
+timeout 30s $LIVE > /dev/null 2>&1
 RESULT=$?
 
-# reload server certificate
-cp server3.crt server_reload.crt
-cp server3.key server_reload.key
+# regenerate TLS certificate
+rm -f ./tls/ca.key
+$DGRAPH_BIN cert -d $PWD/tls -n localhost -c live --force
 pkill -HUP dgraph > /dev/null 2>&1
 
 # try to connect again
-timeout 30s $CLIENT > /dev/null 2>&1
+timeout 30s $LIVE > /dev/null 2>&1
 RESULT=$?
 
 if [ $RESULT == $EXPECTED ]; then
- echo "TLS certificate reloaded successfully"
 exit 0
 else
 echo "Error while reloading TLS certificate"