Merge pull request #57483 from joelynch/stop-listen-tcp-secure

bugfix: correctly parse SYSTEM STOP LISTEN TCP SECURE
2024-11-21 15:12:02 +00:00 · 2023-12-05 15:25:34 +01:00 · 2023-12-05 15:25:34 +01:00 · a776a5cac5
commit a776a5cac5
parent 7f59eb438d f346667956
7 changed files with 102 additions and 8 deletions
--- a/docs/en/sql-reference/statements/system.md
+++ b/docs/en/sql-reference/statements/system.md
@ -150,7 +150,7 @@ SYSTEM RELOAD CONFIG [ON CLUSTER cluster_name]

 ## RELOAD USERS

-Reloads all access storages, including: users.xml, local disk access storage, replicated (in ZooKeeper) access storage. 
+Reloads all access storages, including: users.xml, local disk access storage, replicated (in ZooKeeper) access storage.

 ```sql
 SYSTEM RELOAD USERS [ON CLUSTER cluster_name]
@ -354,7 +354,7 @@ After running this statement the `[db.]replicated_merge_tree_family_table_name`

 ### SYNC DATABASE REPLICA

-Waits until the specified [replicated database](https://clickhouse.com/docs/en/engines/database-engines/replicated) applies all schema changes from the DDL queue of that database. 
+Waits until the specified [replicated database](https://clickhouse.com/docs/en/engines/database-engines/replicated) applies all schema changes from the DDL queue of that database.

 **Syntax**
 ```sql
@ -451,12 +451,12 @@ SYSTEM SYNC FILE CACHE [ON CLUSTER cluster_name]

 ### SYSTEM STOP LISTEN

-Closes the socket and gracefully terminates the existing connections to the server on the specified port with the specified protocol. 
+Closes the socket and gracefully terminates the existing connections to the server on the specified port with the specified protocol.

 However, if the corresponding protocol settings were not specified in the clickhouse-server configuration, this command will have no effect.

 ```sql
-SYSTEM STOP LISTEN [ON CLUSTER cluster_name] [QUERIES ALL | QUERIES DEFAULT | QUERIES CUSTOM | TCP | TCP_WITH_PROXY | TCP_SECURE | HTTP | HTTPS | MYSQL | GRPC | POSTGRESQL | PROMETHEUS | CUSTOM 'protocol']
+SYSTEM STOP LISTEN [ON CLUSTER cluster_name] [QUERIES ALL | QUERIES DEFAULT | QUERIES CUSTOM | TCP | TCP WITH PROXY | TCP SECURE | HTTP | HTTPS | MYSQL | GRPC | POSTGRESQL | PROMETHEUS | CUSTOM 'protocol']
 ```

 - If `CUSTOM 'protocol'` modifier is specified, the custom protocol with the specified name defined in the protocols section of the server configuration will be stopped.
@ -471,5 +471,5 @@ Allows new connections to be established on the specified protocols.
 However, if the server on the specified port and protocol was not stopped using the SYSTEM STOP LISTEN command, this command will have no effect.

 ```sql
-SYSTEM START LISTEN [ON CLUSTER cluster_name] [QUERIES ALL | QUERIES DEFAULT | QUERIES CUSTOM | TCP | TCP_WITH_PROXY | TCP_SECURE | HTTP | HTTPS | MYSQL | GRPC | POSTGRESQL | PROMETHEUS | CUSTOM 'protocol']
+SYSTEM START LISTEN [ON CLUSTER cluster_name] [QUERIES ALL | QUERIES DEFAULT | QUERIES CUSTOM | TCP | TCP WITH PROXY | TCP SECURE | HTTP | HTTPS | MYSQL | GRPC | POSTGRESQL | PROMETHEUS | CUSTOM 'protocol']
 ```
--- a/src/Server/ServerType.h
+++ b/src/Server/ServerType.h
@ -11,9 +11,9 @@ class ServerType
 public:
    enum Type
    {
-        TCP,
        TCP_WITH_PROXY,
        TCP_SECURE,
+        TCP,
        HTTP,
        HTTPS,
        MYSQL,
--- a/tests/integration/test_system_start_stop_listen/configs/client.xml
+++ b/tests/integration/test_system_start_stop_listen/configs/client.xml
@ -0,0 +1,10 @@
+<clickhouse>
+    <openSSL>
+        <client>
+            <verificationMode>none</verificationMode>
+            <invalidCertificateHandler>
+                <name>AcceptCertificateHandler</name>
+            </invalidCertificateHandler>
+        </client>
+    </openSSL>
+</clickhouse>
--- a/tests/integration/test_system_start_stop_listen/configs/protocols.xml
+++ b/tests/integration/test_system_start_stop_listen/configs/protocols.xml
@ -5,6 +5,14 @@
    <tcp_port>9000</tcp_port>
    <http_port>8123</http_port>
    <mysql_port>9004</mysql_port>
+    <tcp_port_secure>9440</tcp_port_secure>
+
+    <openSSL>
+        <server>
+            <certificateFile>/etc/clickhouse-server/config.d/server.crt</certificateFile>
+            <privateKeyFile>/etc/clickhouse-server/config.d/server.key</privateKeyFile>
+        </server>
+    </openSSL>

    <!-- Custom protocols -->
    <protocols>
--- a/tests/integration/test_system_start_stop_listen/configs/server.crt
+++ b/tests/integration/test_system_start_stop_listen/configs/server.crt
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIJAIhI9ozZJ+TWMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0xOTA0MjIwNDMyNTJaFw0yMDA0MjEwNDMyNTJaMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAK+wVUEdqF2uXvN0MJBgnAHyXi6JTi4p/F6igsrCjSNjJWzHH0vQmK8ujfcF
+CkifW88i+W5eHctuEtQqNHK+t9x9YiZtXrj6m/XkOXs20mYgENSmbbbHbriTPnZB
+zZrq6UqMlwIHNNAa+I3NMORQxVRaI0ybXnGVO5elr70xHpk03xL0JWKHpEqYp4db
+2aBQgF6y3Ww4khxjIYqpUYXWXGFnVIRU7FKVEAM1xyKqvQzXjQ5sVM/wyHknveEF
+3b/X4ggN+KNl5KOc0cWDh1/XaatJAPaUUPqZcq76tynLbP64Xm3dxHcj+gtRkO67
+ef6MSg6l63m3XQP6Qb+MIkd06OsCAwEAAaNQME4wHQYDVR0OBBYEFDmODTO8QLDN
+ykR3x0LIOnjNhrKhMB8GA1UdIwQYMBaAFDmODTO8QLDNykR3x0LIOnjNhrKhMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAwaiJc7uqEpnH3aukbftDwX
+m8GfEnj1HVdgg+9GGNq+9rvUYBF6gdPmjRCX9dO0cclLFx8jc2org0rTSq9WoOhX
+E6qL4Eqrmc5SE3Y9jZM0h6GRD4oXK014FmtZ3T6ddZU3dQLj3BS2r1XrvmubTvGN
+ZuTJNY8nx8Hh6H5XINmsEjUF9E5hog+PwCE03xt2adIdYL+gsbxASeNYyeUFpZv5
+zcXR3VoakBWnAaOVgCHq2qh96QAnL7ZKzFkGf/MdwV10KU3dmb+ICbQUUdf9Gc17
+aaDCIRws312F433FdXBkGs2UkB7ZZme9dfn6O1QbeTNvex2VLMqYx/CTkfFbOQA=
+-----END CERTIFICATE-----
--- a/tests/integration/test_system_start_stop_listen/configs/server.key
+++ b/tests/integration/test_system_start_stop_listen/configs/server.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvsFVBHahdrl7z
+dDCQYJwB8l4uiU4uKfxeooLKwo0jYyVsxx9L0JivLo33BQpIn1vPIvluXh3LbhLU
+KjRyvrfcfWImbV64+pv15Dl7NtJmIBDUpm22x264kz52Qc2a6ulKjJcCBzTQGviN
+zTDkUMVUWiNMm15xlTuXpa+9MR6ZNN8S9CVih6RKmKeHW9mgUIBest1sOJIcYyGK
+qVGF1lxhZ1SEVOxSlRADNcciqr0M140ObFTP8Mh5J73hBd2/1+IIDfijZeSjnNHF
+g4df12mrSQD2lFD6mXKu+rcpy2z+uF5t3cR3I/oLUZDuu3n+jEoOpet5t10D+kG/
+jCJHdOjrAgMBAAECggEARF66zrxb6RkSmmt8+rKeA6PuQu3sHsr4C1vyyjUr97l9
+tvdGlpp20LWtSZQMjHZ3pARYTTsTHTeY3DgQcRcHNicVKx8k3ZepWeeW9vw+pL+V
+zSt3RsoVrH6gsCSrfr4sS3aqzX9AbjwQvh48CJ3mLQ1m70kHV+xbZIh1+4pB/hyP
+1wKyUE18ZkOptXvO/TtoHzLQCecpkXtWzmry1Eh2isvXA+NMrAtLibGsyM1mtm7i
+5ozevzHabvvCDBEe+KgZdONgVhhhvm2eOd+/s4w3rw4ETud4fI/ZAJyWXhiIKFnA
+VJbElWruSAoVBW7p2bsF5PbmVzvo8vXL+VylxYD+AQKBgQDhLoRKTVhNkn/QjKxq
+sdOh+QZra0LzjVpAmkQzu7wZMSHEz9qePQciDQQrYKrmRF1vNcIRCVUTqWYheJ/1
+lKRrCGa0ab6k96zkWMqLHD5u+UeJV7r1dJIx08ME9kNJ+x/XtB8klRIji16NiQUS
+qc6p8z0M2AnbJzsRfWZRH8FeYwKBgQDHu8dzdtVGI7MtxfPOE/bfajiopDg8BdTC
+pdug2T8XofRHRq7Q+0vYjTAZFT/slib91Pk6VvvPdo9VBZiL4omv4dAq6mOOdX/c
+U14mJe1X5GCrr8ExZ8BfNJ3t/6sV1fcxyJwAw7iBguqxA2JqdM/wFk10K8XqvzVn
+CD6O9yGt2QKBgFX1BMi8N538809vs41S7l9hCQNOQZNo/O+2M5yv6ECRkbtoQKKw
+1x03bMUGNJaLuELweXE5Z8GGo5bZTe5X3F+DKHlr+DtO1C+ieUaa9HY2MAmMdLCn
+2/qrREGLo+oEs4YKmuzC/taUp/ZNPKOAMISNdluFyFVg51pozPrgrVbTAoGBAKkE
+LBl3O67o0t0vH8sJdeVFG8EJhlS0koBMnfgVHqC++dm+5HwPyvTrNQJkyv1HaqNt
+r6FArkG3ED9gRuBIyT6+lctbIPgSUip9mbQqcBfqOCvQxGksZMur2ODncz09HLtS
+CUFUXjOqNzOnq4ZuZu/Bz7U4vXiSaXxQq6+LTUKxAoGAFZU/qrI06XxnrE9A1X0W
+l7DSkpZaDcu11NrZ473yONih/xOZNh4SSBpX8a7F6Pmh9BdtGqphML8NFPvQKcfP
+b9H2iid2tc292uyrUEb5uTMmv61zoTwtitqLzO0+tS6PT3fXobX+eyeEWKzPBljL
+HFtxG5CCXpkdnWRmaJnhTzA=
+-----END PRIVATE KEY-----
--- a/tests/integration/test_system_start_stop_listen/test.py
+++ b/tests/integration/test_system_start_stop_listen/test.py
@ -1,15 +1,23 @@
 #!/usr/bin/env python3


+import os
 import pytest
 from helpers.cluster import ClickHouseCluster
-from helpers.client import Client
+from helpers.client import Client, QueryRuntimeException
 import requests

+SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
+
 cluster = ClickHouseCluster(__file__)
 main_node = cluster.add_instance(
    "main_node",
-    main_configs=["configs/cluster.xml", "configs/protocols.xml"],
+    main_configs=[
+        "configs/cluster.xml",
+        "configs/protocols.xml",
+        "configs/server.crt",
+        "configs/server.key",
+    ],
    with_zookeeper=True,
 )
 backup_node = cluster.add_instance(
@ -36,11 +44,27 @@ def http_works(port=8123):
        return False


+def tcp_secure_works(port=9440):
+    client = Client(
+        main_node.ip_address,
+        port,
+        command=cluster.client_bin_path,
+        secure=True,
+        config=f"{SCRIPT_DIR}/configs/client.xml",
+    )
+    try:
+        client.query(QUERY)
+    except QueryRuntimeException:
+        return False
+    return True
+
+
 def assert_everything_works():
    custom_client = Client(main_node.ip_address, 9001, command=cluster.client_bin_path)
    main_node.query(QUERY)
    main_node.query(MYSQL_QUERY)
    custom_client.query(QUERY)
+    assert tcp_secure_works()
    assert http_works()
    assert http_works(8124)

@ -68,6 +92,12 @@ def test_default_protocols(started_cluster):
    assert "Connections to mysql failed" in main_node.query_and_get_error(MYSQL_QUERY)
    main_node.query("SYSTEM START LISTEN MYSQL")

+    # TCP Secure
+    assert_everything_works()
+    main_node.query("SYSTEM STOP LISTEN TCP SECURE")
+    assert not tcp_secure_works()
+    main_node.query("SYSTEM START LISTEN TCP SECURE")
+
    assert_everything_works()