ClickHouse/tests/integration/test_reload_certificate/test.py



import pytest
import os
from helpers.cluster import ClickHouseCluster
# Directory holding this test file.
SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))

cluster = ClickHouseCluster(__file__)

# Certificate/key pairs shipped with the test. Each pair is later referenced by
# its bare name (e.g. "first") as /etc/clickhouse-server/config.d/<name>.crt|.key.
_CERT_NAMES = ("first", "second", "ECcert", "WithChain", "WithPassPhrase")
_CERT_CONFIGS = [
    "configs/{}.{}".format(cert_name, ext)
    for cert_name in _CERT_NAMES
    for ext in ("crt", "key")
]

node = cluster.add_instance(
    "node",
    # cert.xml is the initial <openSSL> config; change_config_to_key() rewrites it.
    main_configs=[*_CERT_CONFIGS, "configs/cert.xml"],
)
PASS_PHRASE_TEMPLATE = """<privateKeyPassphraseHandler>
2022-04-21 12:26:30 +00:00
<name>KeyFileHandler</name>
<options>
<password>{pass_phrase}</password>
</options>
</privateKeyPassphraseHandler>
2022-04-21 12:48:00 +00:00
"""
@pytest.fixture(scope="module", autouse=True)
def started_cluster():
    """Start the shared cluster once per module and always shut it down.

    ``autouse=True``: every test in this module implicitly depends on it.
    """
    try:
        cluster.start()
        yield cluster
    finally:
        # Runs even when start() raised part-way, so no container is left behind.
        cluster.shutdown()
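def change_config_to_key(name, pass_phrase=""):
    """Point the HTTPS listener at the certificate/key pair *name* and reload.

    Rewrites /etc/clickhouse-server/config.d/cert.xml inside the container so
    that <certificateFile>/<privateKeyFile> reference
    /etc/clickhouse-server/config.d/<name>.crt and .key (the files listed in
    ``main_configs`` above), then issues ``SYSTEM RELOAD CONFIG`` so the server
    picks the new pair up without a restart.

    Args:
        name: bare certificate name, e.g. "first" or "WithPassPhrase".
        pass_phrase: optional, already well-formed XML fragment (see
            PASS_PHRASE_TEMPLATE) inserted verbatim into <openSSL><server>;
            empty for an unencrypted key.

    Both arguments are interpolated unescaped into the XML and into a shell
    command, so they are for test-controlled values only.
    """
    config_xml = """<clickhouse>
    <https_port>8443</https_port>
    <openSSL>
        <server>
            <certificateFile>/etc/clickhouse-server/config.d/{cur_name}.crt</certificateFile>
            <privateKeyFile>/etc/clickhouse-server/config.d/{cur_name}.key</privateKeyFile>
            <loadDefaultCAFile>true</loadDefaultCAFile>
            <cacheSessions>true</cacheSessions>
            <disableProtocols>sslv2,sslv3</disableProtocols>
            <preferServerCiphers>true</preferServerCiphers>
            {pass_phrase}
        </server>
    </openSSL>
</clickhouse>
""".format(
        cur_name=name, pass_phrase=pass_phrase
    )
    # Quoted heredoc delimiter ('EOF'): bash copies the XML verbatim instead of
    # applying $-expansion / backtick substitution to its contents, so a pass
    # phrase containing such characters reaches the file unchanged.
    node.exec_in_container(
        [
            "bash",
            "-c",
            "cat > /etc/clickhouse-server/config.d/cert.xml << 'EOF'\n"
            + config_xml
            + "EOF",
        ]
    )
    node.query("SYSTEM RELOAD CONFIG")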
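def _curl_with_cacert(cert_name):
    """Run curl inside the container trusting only <cert_name>.crt as CA.

    No ``-k``/``--insecure``: curl verifies the server certificate against the
    given CA file and exits non-zero on a mismatch, which exec_in_container
    surfaces as an exception. Returns curl's stdout on success.
    """
    return node.exec_in_container(
        [
            "curl",
            "--silent",
            "--cacert",
            "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
                cur_name=cert_name
            ),
            "https://localhost:8443/",
        ]
    )


def _assert_served_with(cert_name):
    """Assert the HTTPS endpoint answers when verified against <cert_name>.crt."""
    assert _curl_with_cacert(cert_name) == "Ok.\n"


def _assert_rejected_with(cert_name):
    """Assert that verification against <cert_name>.crt fails.

    pytest.raises is scoped to the curl call only. The previous
    ``try: ...; assert False / except: assert True`` form caught its own
    AssertionError, so a server still presenting the old certificate was never
    reported; here an unexpected successful connection fails the test.
    """
    with pytest.raises(Exception):
        _curl_with_cacert(cert_name)


def check_certificate_switch(
    first, second, pass_phrase_first="", pass_phrase_second=""
):
    """Switch the server from *first* to *second* and verify each step.

    After each reload, curl must succeed when trusting that key's certificate
    and must fail when trusting the other one — proving the new pair is really
    in use and the previous one is no longer presented.

    Args:
        first, second: bare certificate names under config.d/.
        pass_phrase_first, pass_phrase_second: XML fragments (see
            PASS_PHRASE_TEMPLATE) for encrypted keys; empty otherwise.
    """
    change_config_to_key(first, pass_phrase_first)
    _assert_served_with(first)
    _assert_rejected_with(second)

    change_config_to_key(second, pass_phrase_second)
    _assert_served_with(second)
    _assert_rejected_with(first)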
def test_first_than_second_cert():
    """Switch first -> second; at each step only the active certificate is accepted."""
    check_certificate_switch(first="first", second="second")
def test_ECcert_reload():
    """Reload onto an EC certificate/key pair and verify the switch both ways."""
    check_certificate_switch(first="first", second="ECcert")
def test_cert_with_pass_phrase():
    """Reload onto a key protected by a pass phrase.

    The pass phrase is handed to the server through a
    <privateKeyPassphraseHandler> block in the generated config
    (see PASS_PHRASE_TEMPLATE).
    """
    handler_xml = PASS_PHRASE_TEMPLATE.format(pass_phrase="test")
    check_certificate_switch(
        first="first",
        second="WithPassPhrase",
        pass_phrase_second=handler_xml,
    )
def test_chain_reload():
    """Reload onto a certificate with a chain and check the chain is served.

    After the switch, an openssl s_client handshake must show exactly two
    certificates in what the server presents (presumably leaf plus one
    intermediate). s_client's stderr is discarded, so a failed connection
    shows up as a count of "0" rather than an explicit error.
    """
    check_certificate_switch(first="first", second="WithChain")

    count_presented_certs = (
        "openssl s_client -showcerts -servername localhost -connect localhost:8443 "
        "</dev/null 2>/dev/null | grep 'BEGIN CERTIFICATE' | wc -l"
    )
    presented = node.exec_in_container(["bash", "-c", count_presented_certs])
    assert presented == "2\n"