fix test

pingcap · Dec 18, 2024 · 0d1814a · 0d1814a
1 parent fa8fb73
commit 0d1814a
Show file tree

Hide file tree

Showing 12 changed files with 76 additions and 140 deletions.
diff --git a/dm/config/security/security.go b/dm/config/security/security.go
@@ -17,6 +17,8 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
+
+	certificate "github.com/pingcap/tiflow/pkg/security"
 )
 
 // Security config.
@@ -105,19 +107,15 @@ func (s *Security) Clone() *Security {
 }
 
 func (s *Security) WriteFiles(name string) error {
-	// Initialize file paths in temp dir
-	s.SSLCA = fmt.Sprintf("%s/%s_ca.pem", os.TempDir(), name)
-	s.SSLKey = fmt.Sprintf("%s/%s_dm.pem", os.TempDir(), name)
-	s.SSLCert = fmt.Sprintf("%s/%s_dm.key", os.TempDir(), name)
-
-	if err := os.WriteFile(s.SSLCA, s.SSLCABytes, 0644); err != nil {
-		return fmt.Errorf("failed to save SSL CA: %w", err)
+	var err error
+	if s.SSLCA, err = certificate.WriteFile(fmt.Sprintf("%s_ca.pem", name), s.SSLCABytes); err != nil {
+		return err
 	}
-	if err := os.WriteFile(s.SSLKey, s.SSLKeyBytes, 0644); err != nil {
-		return fmt.Errorf("failed to save SSL Key: %w", err)
+	if s.SSLCert, err = certificate.WriteFile(fmt.Sprintf("%s_dm.pem", name), s.SSLCertBytes); err != nil {
+		return err
 	}
-	if err := os.WriteFile(s.SSLCert, s.SSLCertBytes, 0644); err != nil {
-		return fmt.Errorf("failed to save SSL Cert: %w", err)
+	if s.SSLKey, err = certificate.WriteFile(fmt.Sprintf("%s_dm.key", name), s.SSLKeyBytes); err != nil {
+		return err
 	}
 	return nil
 }
diff --git a/dm/config/security_test.go b/dm/config/security_test.go
@@ -106,6 +106,9 @@ func (c *testTLSConfig) TestLoadAndClearContent() {
 	c.Require().Len(s.SSLCABytes, 0)
 	c.Require().Len(s.SSLCertBytes, 0)
 	c.Require().Len(s.SSLKeyBytes, 0)
+	c.Require().Equal(s.SSLCA, "")
+	c.Require().Equal(s.SSLCert, "")
+	c.Require().Equal(s.SSLKey, "")
 
 	s.SSLCABase64 = "MTIz"
 	err = s.LoadTLSContent()

diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go
@@ -253,6 +253,7 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig,
 					SSLKeyBytes:   []byte(fullCfg.Security.SslKeyContent),
 					CertAllowedCN: certAllowedCN,
 				}
+				// TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server
 				if err := subTaskCfg.LoaderConfig.Security.WriteFiles(subTaskCfg.Name); err != nil {
 					return nil, terror.ErrOpenAPICommonError.Generatef("Save tls config files files, message=%s", err.Error())
 				}

diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go
@@ -106,7 +106,6 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st
 // MakeGlobalConfig converts subtask config to lightning global config.
 func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig {
 	lightningCfg := lcfg.NewGlobalConfig()
-	// use loader's security as global security config
 	if cfg.LoaderConfig.Security != nil {
 		lightningCfg.Security.CAPath = cfg.LoaderConfig.Security.SSLCA
 		lightningCfg.Security.CertPath = cfg.LoaderConfig.Security.SSLCert

diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go
@@ -21,6 +21,8 @@ import (
 	"github.com/pingcap/tidb/pkg/lightning/common"
 	lcfg "github.com/pingcap/tidb/pkg/lightning/config"
 	"github.com/pingcap/tiflow/dm/config"
+	certificate "github.com/pingcap/tiflow/pkg/security"
+
 	"github.com/pingcap/tiflow/dm/config/dbconfig"
 	"github.com/pingcap/tiflow/dm/config/security"
 	"github.com/pingcap/tiflow/dm/pkg/terror"
@@ -29,15 +31,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var (
-	caPath    = "tls_conf/ca.pem"
-	caPath2   = "tls_conf/ca2.pem"
-	certPath  = "tls_conf/dm.pem"
-	certPath2 = "tls_conf/tidb.pem"
-	keyPath   = "tls_conf/dm.key"
-	keyPath2  = "tls_conf/tidb.key"
-)
-
 func TestSetLightningConfig(t *testing.T) {
 	t.Parallel()
 
@@ -111,60 +104,66 @@ func TestGetLightiningConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, lcfg.CheckpointDriverMySQL, conf.Checkpoint.Driver)
 
-	cases := []struct {
-		globalSecurityCfg *lcfg.Security
-		loaderSecurityCfg *security.Security
-		toSecurityCfg     *security.Security
-	}{
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath},
-			loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2},
-			toSecurityCfg:     &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath},
-			loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2},
-			toSecurityCfg:     &security.Security{SSLCA: caPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath},
-			toSecurityCfg:     &security.Security{SSLCA: caPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath},
-			toSecurityCfg:     &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath},
-			toSecurityCfg:     &security.Security{SSLCA: caPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{},
-			toSecurityCfg:     &security.Security{},
-		},
-	}
-	// GetLightningConfig will varify certificates formate, so using real certificates.
-	for _, c := range cases {
-		conf, err = GetLightningConfig(
-			&lcfg.GlobalConfig{Security: *c.globalSecurityCfg},
-			&config.SubTaskConfig{
-				LoaderConfig: config.LoaderConfig{Security: c.loaderSecurityCfg},
-				To:           dbconfig.DBConfig{Security: c.toSecurityCfg},
-			})
-		require.NoError(t, err)
-		require.Equal(t, c.globalSecurityCfg.CAPath, conf.TiDB.Security.CAPath)
-		require.Equal(t, c.globalSecurityCfg.CertPath, conf.TiDB.Security.CertPath)
-		require.Equal(t, c.globalSecurityCfg.KeyPath, conf.TiDB.Security.KeyPath)
-		if c.loaderSecurityCfg == nil {
-			require.Equal(t, c.globalSecurityCfg.CAPath, conf.Security.CAPath)
-			require.Equal(t, c.globalSecurityCfg.CertPath, conf.Security.CertPath)
-			require.Equal(t, c.globalSecurityCfg.KeyPath, conf.Security.KeyPath)
-		} else {
-			require.Equal(t, c.loaderSecurityCfg.SSLCA, conf.Security.CAPath)
-			require.Equal(t, c.loaderSecurityCfg.SSLCert, conf.Security.CertPath)
-			require.Equal(t, c.loaderSecurityCfg.SSLKey, conf.Security.KeyPath)
-		}
-	}
+	ca, err := certificate.NewCA()
+	require.NoError(t, err)
+	cert, key, err := ca.GenerateCerts("dm")
+	require.NoError(t, err)
+	caPath, err := certificate.WriteFile("dm-test-client-cert", ca.CAPEM)
+	require.NoError(t, err)
+	certPath, err := certificate.WriteFile("dm-test-client-cert", cert)
+	require.NoError(t, err)
+	keyPath, err := certificate.WriteFile("dm-test-client-key", key)
+	require.NoError(t, err)
+	ca, err = certificate.NewCA()
+	require.NoError(t, err)
+	cert, key, err = ca.GenerateCerts("dm")
+	require.NoError(t, err)
+	caPath2, err := certificate.WriteFile("dm-test-client-cert2", ca.CAPEM)
+	require.NoError(t, err)
+	certPath2, err := certificate.WriteFile("dm-test-client-cert2", cert)
+	require.NoError(t, err)
+	keyPath2, err := certificate.WriteFile("dm-test-client-key2", key)
+	require.NoError(t, err)
+
+	conf, err = GetLightningConfig(
+		&lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}},
+		&config.SubTaskConfig{
+			LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}},
+			To:           dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}},
+		})
+	require.NoError(t, err)
+	require.Equal(t, conf.Security.CAPath, caPath)
+	require.Equal(t, conf.Security.CertPath, certPath)
+	require.Equal(t, conf.Security.KeyPath, keyPath)
+	require.Equal(t, conf.TiDB.Security.CAPath, caPath2)
+	require.Equal(t, conf.TiDB.Security.CertPath, certPath2)
+	require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2)
+	conf, err = GetLightningConfig(
+		&lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}},
+		&config.SubTaskConfig{
+			LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}},
+			To:           dbconfig.DBConfig{},
+		})
+	require.NoError(t, err)
+	require.Equal(t, conf.Security.CAPath, caPath)
+	require.Equal(t, conf.Security.CertPath, certPath)
+	require.Equal(t, conf.Security.KeyPath, keyPath)
+	require.Equal(t, conf.TiDB.Security.CAPath, caPath)
+	require.Equal(t, conf.TiDB.Security.CertPath, certPath)
+	require.Equal(t, conf.TiDB.Security.KeyPath, keyPath)
+	conf, err = GetLightningConfig(
+		&lcfg.GlobalConfig{},
+		&config.SubTaskConfig{
+			LoaderConfig: config.LoaderConfig{},
+			To:           dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}},
+		})
+	require.NoError(t, err)
+	require.Equal(t, conf.Security.CAPath, "")
+	require.Equal(t, conf.Security.CertPath, "")
+	require.Equal(t, conf.Security.KeyPath, "")
+	require.Equal(t, conf.TiDB.Security.CAPath, caPath2)
+	require.Equal(t, conf.TiDB.Security.CertPath, certPath2)
+	require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2)
 	// invalid security file path
 	_, err = GetLightningConfig(
 		&lcfg.GlobalConfig{Security: lcfg.Security{CAPath: "caPath"}},

diff --git a/dm/loader/tls_conf/ca.pem b/dm/loader/tls_conf/ca.pem
diff --git a/dm/loader/tls_conf/ca2.pem b/dm/loader/tls_conf/ca2.pem
diff --git a/dm/loader/tls_conf/dm.key b/dm/loader/tls_conf/dm.key
diff --git a/dm/loader/tls_conf/dm.pem b/dm/loader/tls_conf/dm.pem
diff --git a/dm/loader/tls_conf/tidb.key b/dm/loader/tls_conf/tidb.key
diff --git a/dm/loader/tls_conf/tidb.pem b/dm/loader/tls_conf/tidb.pem
diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh
@@ -1105,26 +1105,18 @@ function test_tls() {
 	openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50
 
 	task_name="task-tls-error"
-	# miss pd cert and key certificate
+	# miss cert and key certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "" "" \
 		"$(cat $cur/tls_conf/ca.pem)" "" ""
 	# miss tidb cert certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \
 		"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
-	# miss tidb key certificatete
-	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
-		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "" \
-		"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$cur/tls_conf/dm.key)"
 	# miss pd key certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
 		"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" ""
-	# miss pd cert certificate
-	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
-		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
-		"$(cat $cur/tls_conf/ca.pem)" "" "$(cat $cur/tls_conf/dm.key)"
 	# miss pd all certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \