From 0d1814a5c00b956bcf64bfe69246dbe133fb02eb Mon Sep 17 00:00:00 2001
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com>
Date: Wed, 18 Dec 2024 22:46:44 +0800
Subject: [PATCH] fix test

---
 dm/config/security/security.go | 20 +++---
 dm/config/security_test.go | 3 +
 dm/config/task_converters.go | 1 +
 dm/loader/lightning.go | 1 -
 dm/loader/lightning_test.go | 125 ++++++++++++++++-----------------
 dm/loader/tls_conf/ca.pem | 8 ---
 dm/loader/tls_conf/ca2.pem | 10 ---
 dm/loader/tls_conf/dm.key | 8 ---
 dm/loader/tls_conf/dm.pem | 10 ---
 dm/loader/tls_conf/tidb.key | 8 ---
 dm/loader/tls_conf/tidb.pem | 12 ----
 dm/tests/openapi/run.sh | 10 +--
 12 files changed, 76 insertions(+), 140 deletions(-)
 delete mode 100644 dm/loader/tls_conf/ca.pem
 delete mode 100644 dm/loader/tls_conf/ca2.pem
 delete mode 100644 dm/loader/tls_conf/dm.key
 delete mode 100644 dm/loader/tls_conf/dm.pem
 delete mode 100644 dm/loader/tls_conf/tidb.key
 delete mode 100644 dm/loader/tls_conf/tidb.pem

diff --git a/dm/config/security/security.go b/dm/config/security/security.go
index b662543a29c..a3670902877 100644
--- a/dm/config/security/security.go
+++ b/dm/config/security/security.go
@@ -17,6 +17,8 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
+
+	certificate "github.com/pingcap/tiflow/pkg/security"
 )
 
 // Security config.
@@ -105,19 +107,15 @@ func (s *Security) Clone() *Security {
 }
 
 func (s *Security) WriteFiles(name string) error {
-	// Initialize file paths in temp dir
-	s.SSLCA = fmt.Sprintf("%s/%s_ca.pem", os.TempDir(), name)
-	s.SSLKey = fmt.Sprintf("%s/%s_dm.pem", os.TempDir(), name)
-	s.SSLCert = fmt.Sprintf("%s/%s_dm.key", os.TempDir(), name)
-
-	if err := os.WriteFile(s.SSLCA, s.SSLCABytes, 0644); err != nil {
-		return fmt.Errorf("failed to save SSL CA: %w", err)
+	var err error
+	if s.SSLCA, err = certificate.WriteFile(fmt.Sprintf("%s_ca.pem", name), s.SSLCABytes); err != nil {
+		return err
 	}
-	if err := os.WriteFile(s.SSLKey, s.SSLKeyBytes, 0644); err != nil {
-		return fmt.Errorf("failed to save SSL Key: %w", err)
+	if s.SSLCert, err = certificate.WriteFile(fmt.Sprintf("%s_dm.pem", name), s.SSLCertBytes); err != nil {
+		return err
 	}
-	if err := os.WriteFile(s.SSLCert, s.SSLCertBytes, 0644); err != nil {
-		return fmt.Errorf("failed to save SSL Cert: %w", err)
+	if s.SSLKey, err = certificate.WriteFile(fmt.Sprintf("%s_dm.key", name), s.SSLKeyBytes); err != nil {
+		return err
 	}
 	return nil
 }
diff --git a/dm/config/security_test.go b/dm/config/security_test.go
index 40e4c833c9a..c713229d6c0 100644
--- a/dm/config/security_test.go
+++ b/dm/config/security_test.go
@@ -106,6 +106,9 @@ func (c *testTLSConfig) TestLoadAndClearContent() {
 	c.Require().Len(s.SSLCABytes, 0)
 	c.Require().Len(s.SSLCertBytes, 0)
 	c.Require().Len(s.SSLKeyBytes, 0)
+	c.Require().Equal(s.SSLCA, "")
+	c.Require().Equal(s.SSLCert, "")
+	c.Require().Equal(s.SSLKey, "")
 
 	s.SSLCABase64 = "MTIz"
 	err = s.LoadTLSContent()
diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go
index ff401acd158..1d365507f84 100644
--- a/dm/config/task_converters.go
+++ b/dm/config/task_converters.go
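Review bot: The three `return err` lines in WriteFiles drop the context the removed `fmt.Errorf("failed to save SSL CA: %w", err)` wrappers carried, so a caller (the OpenAPI path wraps this into `Save tls config files files, message=%s`) can no longer tell which of the three files failed; `return fmt.Errorf("writing SSL CA file for %q: %w", name, err)` and its two siblings keep that. With `os.TempDir` and `os.WriteFile` gone from this function, the `"os"` import kept in the first hunk becomes unused unless another function in the file still references it, which is not visible here. The private key in `s.SSLKeyBytes` now lands wherever `certificate.WriteFile` puts it with whatever mode it chooses; the old code used 0644, so this is the place to confirm the helper creates the key file 0600 and that the path is neither shared nor predictable across tasks. Note also that `s.SSLCA` is already assigned when the cert or key write fails, leaving the receiver half-pointed at files on disk; clearing the three path fields on error would keep it consistent.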
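Review bot: The three added `c.Require().Equal(s.SSLCA, "")` lines pass the observed value as testify's `expected` argument, so a failure would be reported as if `""` were the actual value; `c.Require().Empty(s.SSLCA)` (or `Equal("", s.SSLCA)`) reports correctly. The same order applies to every `require.Equal(t, conf.Security.CAPath, caPath)` line in the new lightning_test.go hunk. TestLoadAndClearContent starts and ends outside the hunk, so which call is expected to clear the three paths is not visible here.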
@@ -253,6 +253,7 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig,
 			SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent),
 			CertAllowedCN: certAllowedCN,
 		}
+		// TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server
 		if err := subTaskCfg.LoaderConfig.Security.WriteFiles(subTaskCfg.Name); err != nil {
 			return nil, terror.ErrOpenAPICommonError.Generatef("Save tls config files files, message=%s", err.Error())
 		}
diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go
index 14b2b510fa5..ab4dd26cd7a 100644
--- a/dm/loader/lightning.go
+++ b/dm/loader/lightning.go
@@ -106,7 +106,6 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st
 // MakeGlobalConfig converts subtask config to lightning global config.
 func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig {
 	lightningCfg := lcfg.NewGlobalConfig()
-	// use loader's security as global security config
 	if cfg.LoaderConfig.Security != nil {
 		lightningCfg.Security.CAPath = cfg.LoaderConfig.Security.SSLCA
 		lightningCfg.Security.CertPath = cfg.LoaderConfig.Security.SSLCert
diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go
index c1d0f2aec37..b154b1ee99c 100644
--- a/dm/loader/lightning_test.go
+++ b/dm/loader/lightning_test.go
@@ -21,6 +21,8 @@ import (
 	"github.com/pingcap/tidb/pkg/lightning/common"
 	lcfg "github.com/pingcap/tidb/pkg/lightning/config"
 	"github.com/pingcap/tiflow/dm/config"
+	certificate "github.com/pingcap/tiflow/pkg/security"
+
 	"github.com/pingcap/tiflow/dm/config/dbconfig"
 	"github.com/pingcap/tiflow/dm/config/security"
 	"github.com/pingcap/tiflow/dm/pkg/terror"
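Review bot: The added TODO reads as a placeholder rather than a statement of the constraint it works around; suggest `// TODO: workaround — lightning's PD client (pdctl) cannot verify certificates supplied as in-memory SslContent, so the loader security config is materialised as files here.` (this also fixes "workround" and "ceritificates"). Nothing in this hunk removes those files when the task is deleted or the worker restarts, and the key material is written on every OpenAPI task creation; if a cleanup path exists elsewhere, naming it in the comment would help, otherwise this call site is where one is missing. OpenAPITaskToSubTaskConfigs starts and ends outside the hunk.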
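Review bot: The new `certificate "github.com/pingcap/tiflow/pkg/security"` import is inserted between `dm/config` and `dm/config/dbconfig` with a blank line after it, which splits one sorted import group in two; `goimports` would place it after `dm/pkg/terror` and before `github.com/stretchr/testify/require` within the same group. If the repository runs an import-ordering lint, this hunk will fail it.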
@@ -29,15 +31,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var (
-	caPath = "tls_conf/ca.pem"
-	caPath2 = "tls_conf/ca2.pem"
-	certPath = "tls_conf/dm.pem"
-	certPath2 = "tls_conf/tidb.pem"
-	keyPath = "tls_conf/dm.key"
-	keyPath2 = "tls_conf/tidb.key"
-)
-
 func TestSetLightningConfig(t *testing.T) {
 	t.Parallel()
@@ -111,60 +104,66 @@ func TestGetLightiningConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, lcfg.CheckpointDriverMySQL, conf.Checkpoint.Driver)
-	cases := []struct {
-		globalSecurityCfg *lcfg.Security
-		loaderSecurityCfg *security.Security
-		toSecurityCfg *security.Security
-	}{
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath},
-			loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2},
-			toSecurityCfg: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath},
-			loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2},
-			toSecurityCfg: &security.Security{SSLCA: caPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath},
-			toSecurityCfg: &security.Security{SSLCA: caPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath},
-			toSecurityCfg: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{CAPath: caPath},
-			toSecurityCfg: &security.Security{SSLCA: caPath},
-		},
-		{
-			globalSecurityCfg: &lcfg.Security{},
-			toSecurityCfg: &security.Security{},
-		},
-	}
-	// GetLightningConfig will varify certificates formate, so using real certificates.
-	for _, c := range cases {
-		conf, err = GetLightningConfig(
-			&lcfg.GlobalConfig{Security: *c.globalSecurityCfg},
-			&config.SubTaskConfig{
-				LoaderConfig: config.LoaderConfig{Security: c.loaderSecurityCfg},
-				To: dbconfig.DBConfig{Security: c.toSecurityCfg},
-			})
-		require.NoError(t, err)
-		require.Equal(t, c.globalSecurityCfg.CAPath, conf.TiDB.Security.CAPath)
-		require.Equal(t, c.globalSecurityCfg.CertPath, conf.TiDB.Security.CertPath)
-		require.Equal(t, c.globalSecurityCfg.KeyPath, conf.TiDB.Security.KeyPath)
-		if c.loaderSecurityCfg == nil {
-			require.Equal(t, c.globalSecurityCfg.CAPath, conf.Security.CAPath)
-			require.Equal(t, c.globalSecurityCfg.CertPath, conf.Security.CertPath)
-			require.Equal(t, c.globalSecurityCfg.KeyPath, conf.Security.KeyPath)
-		} else {
-			require.Equal(t, c.loaderSecurityCfg.SSLCA, conf.Security.CAPath)
-			require.Equal(t, c.loaderSecurityCfg.SSLCert, conf.Security.CertPath)
-			require.Equal(t, c.loaderSecurityCfg.SSLKey, conf.Security.KeyPath)
-		}
-	}
+	ca, err := certificate.NewCA()
+	require.NoError(t, err)
+	cert, key, err := ca.GenerateCerts("dm")
+	require.NoError(t, err)
+	caPath, err := certificate.WriteFile("dm-test-client-cert", ca.CAPEM)
+	require.NoError(t, err)
+	certPath, err := certificate.WriteFile("dm-test-client-cert", cert)
+	require.NoError(t, err)
+	keyPath, err := certificate.WriteFile("dm-test-client-key", key)
+	require.NoError(t, err)
+	ca, err = certificate.NewCA()
+	require.NoError(t, err)
+	cert, key, err = ca.GenerateCerts("dm")
+	require.NoError(t, err)
+	caPath2, err := certificate.WriteFile("dm-test-client-cert2", ca.CAPEM)
+	require.NoError(t, err)
+	certPath2, err := certificate.WriteFile("dm-test-client-cert2", cert)
+	require.NoError(t, err)
+	keyPath2, err := certificate.WriteFile("dm-test-client-key2", key)
+	require.NoError(t, err)
+
+	conf, err = GetLightningConfig(
+		&lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}},
+		&config.SubTaskConfig{
+			LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}},
+			To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}},
+		})
+	require.NoError(t, err)
+	require.Equal(t, conf.Security.CAPath, caPath)
+	require.Equal(t, conf.Security.CertPath, certPath)
+	require.Equal(t, conf.Security.KeyPath, keyPath)
+	require.Equal(t, conf.TiDB.Security.CAPath, caPath2)
+	require.Equal(t, conf.TiDB.Security.CertPath, certPath2)
+	require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2)
+	conf, err = GetLightningConfig(
+		&lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}},
+		&config.SubTaskConfig{
+			LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}},
+			To: dbconfig.DBConfig{},
+		})
+	require.NoError(t, err)
+	require.Equal(t, conf.Security.CAPath, caPath)
+	require.Equal(t, conf.Security.CertPath, certPath)
+	require.Equal(t, conf.Security.KeyPath, keyPath)
+	require.Equal(t, conf.TiDB.Security.CAPath, caPath)
+	require.Equal(t, conf.TiDB.Security.CertPath, certPath)
+	require.Equal(t, conf.TiDB.Security.KeyPath, keyPath)
+	conf, err = GetLightningConfig(
+		&lcfg.GlobalConfig{},
+		&config.SubTaskConfig{
+			LoaderConfig: config.LoaderConfig{},
+			To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}},
+		})
+	require.NoError(t, err)
+	require.Equal(t, conf.Security.CAPath, "")
+	require.Equal(t, conf.Security.CertPath, "")
+	require.Equal(t, conf.Security.KeyPath, "")
+	require.Equal(t, conf.TiDB.Security.CAPath, caPath2)
+	require.Equal(t, conf.TiDB.Security.CertPath, certPath2)
+	require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2)
 	// invalid security file path
 	_, err = GetLightningConfig(
 		&lcfg.GlobalConfig{Security: lcfg.Security{CAPath: "caPath"}},
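Review bot: `certificate.WriteFile("dm-test-client-cert", ca.CAPEM)` and `certificate.WriteFile("dm-test-client-cert", cert)` pass the same name for the CA and the leaf certificate (and again `"dm-test-client-cert2"` for the second pair); if the helper derives its path from the name, as the `%s_ca.pem` / `%s_dm.pem` naming in `Security.WriteFiles` suggests, the second write replaces the CA file and `caPath == certPath`, so the equality assertions pass without two distinct files ever existing. Use `"dm-test-client-ca"` and `"dm-test-client-ca2"` for the two CA writes. The generated key files are not removed at the end of the test; if `certificate.WriteFile` writes into the system temp dir rather than `t.TempDir()`, every run leaves a private key behind — hedged, since the helper is not in the hunk. The removed table also covered CA-only loader and global configs (`&lcfg.Security{CAPath: caPath}`), which none of the three new calls exercise.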
diff --git a/dm/loader/tls_conf/ca.pem b/dm/loader/tls_conf/ca.pem
deleted file mode 100644
index 9fc215fa83b..00000000000
--- a/dm/loader/tls_conf/ca.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs
-aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE
-AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD
-kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J
-xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL
-GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ=
------END CERTIFICATE-----
diff --git a/dm/loader/tls_conf/ca2.pem b/dm/loader/tls_conf/ca2.pem
deleted file mode 100644
index bd1ad59f121..00000000000
--- a/dm/loader/tls_conf/ca2.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBdzCCAR6gAwIBAgIUFlKn4vgSaM5PPi5fdfHZjNsPvt0wCgYIKoZIzj0EAwIw
-HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP
-MjI5ODA5MjcwNjMwMjZaMBwxGjAYBgNVBAMMEVRpREIgU2Vjb25kYXJ5IENBMFkw
-EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJoSquED75L7UgmezyHBUJlv7sGvHfeuR
-RnU0SJVYZzftIAfzL6kwF1LGaezaY9aL/cCiULWMDddo1bLzNjB4vqM8MDowDAYD
-VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFFLJmpVHrylfdqLu6lpR
-ZOJgderfMAoGCCqGSM49BAMCA0cAMEQCIF2mBuhLfo42ynjoy0Fhz3Qch8huQrkx
-mGKxdkBuS+rPAiAglztWHSmUCtqEMdTuds2ETsVVichpxdFh/aXiCb/BeQ==
------END CERTIFICATE-----
diff --git a/dm/loader/tls_conf/dm.key b/dm/loader/tls_conf/dm.key
deleted file mode 100644
index dfdc077bc4d..00000000000
--- a/dm/loader/tls_conf/dm.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICF/GDtVxhTPTP501nOu4jgwGSDY01xN+61xd9MfChw+oAoGCCqGSM49
-AwEHoUQDQgAEgQOv5bQO7xK16vZWhwJqlz2vl19+AXW2Ql7KQyGiBJVSvLbyDLOr
-kIeFlHN04iqQ39SKSOSfeGSfRt6doU6IcA==
------END EC PRIVATE KEY-----
diff --git a/dm/loader/tls_conf/dm.pem b/dm/loader/tls_conf/dm.pem
deleted file mode 100644
index d4f846e3a22..00000000000
--- a/dm/loader/tls_conf/dm.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBZDCCAQqgAwIBAgIJAIT/lgXUc1JqMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owDTEL
-MAkGA1UEAwwCZG0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBA6/ltA7vErXq
-9laHAmqXPa+XX34BdbZCXspDIaIElVK8tvIMs6uQh4WUc3TiKpDf1IpI5J94ZJ9G
-3p2hTohwo0owSDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCwYDVR0PBAQD
-AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAKBggqhkjOPQQDAgNI
-ADBFAiEAx6ljJ+tNa55ypWLGNqmXlB4UdMmKmE4RSKJ8mmEelfECIG2ZmCE59rv5
-wImM6KnK+vM2QnEiISH3PeYyyRzQzycu
------END CERTIFICATE-----
diff --git a/dm/loader/tls_conf/tidb.key b/dm/loader/tls_conf/tidb.key
deleted file mode 100644
index b63b20db793..00000000000
--- a/dm/loader/tls_conf/tidb.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIB+YLzteL9sk+PZPEFf7sw+hhehG2bRV5TUV4NJgVsWXoAoGCCqGSM49
-AwEHoUQDQgAELO1031XONFkiJPFm7Kbb974443lSM8eGEZzVUUWK/WAZ3p03W5o/
-jeFgesLPuKqcV+9p7bG7McVKDsC42OFg4w==
------END EC PRIVATE KEY-----
diff --git a/dm/loader/tls_conf/tidb.pem b/dm/loader/tls_conf/tidb.pem
deleted file mode 100644
index e59a9eae172..00000000000
--- a/dm/loader/tls_conf/tidb.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBxjCCAWygAwIBAgIUJGaNzv0WzN4CfSj7LaNQN8arHvMwCgYIKoZIzj0EAwIw
-HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP
-MjI5ODA5MjcwNjMwMjZaMA8xDTALBgNVBAMMBFRpREIwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAAQs7XTfVc40WSIk8Wbsptv3vjjjeVIzx4YRnNVRRYr9YBnenTdb
-mj+N4WB6ws+4qpxX72ntsbsxxUoOwLjY4WDjo4GWMIGTMBoGA1UdEQQTMBGCCWxv
-Y2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG
-CCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLK+e+wKHWmmXPiHjMApdKwf
-KhcpMB8GA1UdIwQYMBaAFFLJmpVHrylfdqLu6lpRZOJgderfMAoGCCqGSM49BAMC
-A0gAMEUCIC2xVpVTSqMMl38Lu7wTfX8iv/5hcjKoH8v69cZGsyDKAiEA6NIpjV7D
-lBnFi5oiKpdJIWD53D2A/yFrI6VEDprblyw=
------END CERTIFICATE-----
diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh
index 192a6cd7a3e..decdea265d8 100644
--- a/dm/tests/openapi/run.sh
+++ b/dm/tests/openapi/run.sh
@@ -1105,7 +1105,7 @@ function test_tls() {
 	openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50
 	task_name="task-tls-error"
-	# miss pd cert and key certificate
+	# miss cert and key certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "" "" \
 		"$(cat $cur/tls_conf/ca.pem)" "" ""
@@ -1113,18 +1113,10 @@ function test_tls() {
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \
 		"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
-	# miss tidb key certificatete
-	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
-		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "" \
-		"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$cur/tls_conf/dm.key)"
 	# miss pd key certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
 		"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" ""
-	# miss pd cert certificate
-	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
-		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
-		"$(cat $cur/tls_conf/ca.pem)" "" "$(cat $cur/tls_conf/dm.key)"
 	# miss pd all certificate
 	openapi_task_check "create_noshard_task_with_security_failed" $task_name \
 		"$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
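Review bot: Dropping the "miss tidb key certificate" and "miss pd cert certificate" cases leaves no check for a loader config that carries a CA and key but no certificate, nor for a target config with a certificate but no key; the cases that remain only cover a missing key and missing everything. If those combinations are now accepted rather than rejected (the reason for the removal is not stated in the commit), a replacement `openapi_task_check` asserting the new expected outcome would keep that behaviour pinned instead of untested. The removed `"$cur/tls_conf/dm.key)"` argument in the first dropped case was missing its `$(cat ...)`, so that case was never testing what its comment claimed; the retained cases are worth a quick read for the same slip. test_tls continues outside the hunk.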