From 39eafe7fa985ead26c8213d890dff57c2e81fd98 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 5 Dec 2024 15:32:18 +0800 Subject: [PATCH 01/63] generate api client and server --- dm/openapi/gen.server.go | 86 ++++++++++++++++++++-------------------- dm/openapi/gen.types.go | 3 ++ dm/openapi/spec/dm.yaml | 6 ++- 3 files changed, 51 insertions(+), 44 deletions(-) diff --git a/dm/openapi/gen.server.go b/dm/openapi/gen.server.go index 74152c051bf..ca4641cc2f3 100644 --- a/dm/openapi/gen.server.go +++ b/dm/openapi/gen.server.go 
@@ -1314,49 +1314,49 @@ var swaggerSpec = []string{ "vD0z5lfB15wWGcmaR4P5FVDPFPiO/SxXejF765pdLx+IFUMwqtdeHjatnZIH/YLcnZASEwu5g2IFg8+7", "qHZGj1PGoBS6Fj8mdCkRk/JncKwzYvW8haGBw4Xh/MiJooGoH0XbXAQFCH1cWLwhlYwKrXKdVFwhAlKE", "RDkAAUZvuNpYM7dLTv3unnVIU47q9DqDkrbbwMGvbAglSMWsJG/uq3nUPm2Mgt6eNZmzYQuTpj4oN7ZQ", - "G756Ywtx9Saw3uxUUXbKhKpiQI960A9L9dAryHtT+Yq70Mln+85IyDazfZYX5jF9kqmCBRRh/QbEvF04", - "bc/F1yRcMUrwv8ul1BwA/YFCzUXSE/iaQyKwWspd9ZwlAyW6iUivWPtoWL8s6Q73KmdBXdVs0cz4ilXQ", - "2luKZd4QRS2FFUn6btwpn3WDJcwbQ5dwn8CZ9RoAN8FpLOZzlv0pnzKo7kz48KvB+Z4qyGyfwDSylNUK", - "s4M4nO0fHUz2X4TPJ/M5ej6BR88OJkfhbPHiMHr2Mj6YHc8nz2eH88P9g/Hs2eHzw+ggtIa/OHi2P9mf", - "HUSL/cOjKDqIjueT+fOZs4dVvdDY6kmlHlQV3743M1on0KFbR23lcLjjuNa3+bWw3wPKhKEESqet+0aJ", - "tOZluBaaPe4LZZtxwq0OSTeep6lz6ykQL5GbGA2O6y1O7ssq23B4t6E4TCus9IWgWaYigqo09jdzD3M0", - "Hn2EOa8VjlV86Mw6+Mu6dXpDUPvw3E528IHZ2IZnpx6qCQpGdugO+XhYVQjvrIYbyKB29tKT2R6DG5xE", - "IWRRkbKtpyUXk1/veY7aqorxna+KqqCvnY4aAKtwwtpZ0WHZDZ/BEB6DXHHPQ25GRBHXl3hM/rzAmDe2", - "ZX5HCg5cwGeaG+QZ3n7NkcXrIGmVQO+m6ZOqYdxOzeJdSgm3VGfnrKwraeLddZRmUj68FTb0GrEbhsVm", - "CfHyLe12C7NK+Uf/Pdlq3X7QfTfZY4gT1YWNX7VPDjpq9ZzX1Ut12t+nsVBg1aRO3dU0KnkYIs494G5W", - "+d2ea9ymhgsofXn6QVtHDldDevFH7gLZ6IXWVVzTEXf4ixbbG12t6L0la67DclBYL0FNISXvajnZVxp0", - "hyLLvrLKRkPih2+V4W2pu9VeGbcqPSqkMk5OaOjIX5+8Ax8yRF59PAMnH95IlcuS0fGorxvsRBrPiXZp", - "MSWmOawONGKqWBwLhXhrgeJ4/Hh0JAmoMngZIjDDo+PRgfpJanyxUtBOYYan1/Op6RA0LaY3/lLZvO8s", - "Umu9+nhWb4Cnqky0ZlXz7c9m6npVdTUIZmUicPovrksnKz+qs3u3u9WeonrDLGpFpjaR52kK2Xp0LHEA", - "Zas9ElPA83AFIAe1/nsCLrnVG2/0WV0y8GGvlU+TAEoMX9No/WC4tzv5tZA2y4KFXPf2Ce9DrmhW24o9", - "J+Fvxy1+1BVCfChLVn0LH4cxHX0Su8gyHh0+IBit3puOpbU57xAMq1V7Ybg22ZjpN/2Highvtf5LkPYD", - "HTv1IY4TTJAm23t94J5BBlOkd/mfrUIAC7wiJlcNhqBYjQpDMLJgGNlqXJdQuBKd/i8ifG4xzqHDD39i", - "O0o1XRuN9wdtZOEwDJSwqqnm40iYo4nnjkmY9cGAjSTMbMz0m/HCNpIw4z0OkDAbPL+EWTD82BJW//xD", - "50ZG6V4BnFOy3iJxQsP/uvjw3iNKdbDkXOXN8Da7RTQEarkKqoiGDYiMj9oBzt8u350PAkcO7AFnJXSN", - 
"kA8cHeT1q56qFW4fM0v5Km4Iq14T5aU7xdNfc8TWFlNjsQrKEQ4mdpfg3Y4dnwFaA4ZEznTzL13pNzF9", - "f4rLay4Qau1uNoHh83a1r6P7sENS7JYMSdEjvMEHzSEVPxQxvorRuG//7c9UbMvZdnwJY3OHe/5g8JQ5", - "kSdv53SrVQBJVFS3QkDQjb3rrg1v64DpN+tkod/KnaiHJVN06oRlQheqAVtO8Ne83kfEb/DqBx2DDJ73", - "HndbYcRU3wimWQEJTLhpdlZ0slEJHVNX4VIdao576owdMLyaDwDs46nxEBuyi7zyODZtm/akQ5+VPekP", - "nbxoKE8FiNXntdr2pYsh+tI4O8MTn7dj91xp/Nt6IlSCe/t9WOOJ6SGTxYL3tW3TSH9QSiXB/W6P+ezU", - "brFoX8zw5GyLJvIDbGrVyqhjT/VXmH5u6Ta3tHRD77ujKiTbTFg/FR1Nf0xz4vpS3q2xJ7uqGaqWknFO", - "dFPi4jrswzDYBorjB2cvxzfsdpW7jJLaOnOVzdI6eKvqxv3jsla7I/lwN/hpc5rigFoj5c15yfpu/IAQ", - "W7edHZKs3QLr+Ju2bTfArbfa3ZEDqqIvnS5e9SVnh7LH9Jv+o8rgDWAWVfP99Hhl3FHg61m+wn3g8s76", - "361yab1Xym4xqa5/vjuPln2ohmiwslHj07GGnTdoHuUsqPFhvh1hH/XJiVoL96Ir9X09LMEg4bEu0u5w", - "ry7NsB8919guZ/2zuFgFI5SqigKov6CjawV6uEsf8fRppuK7pL0MJHke8qvHPP0296YW66LdpW4M6Fqz", - "eDbUYJWNGLtWdchHc9lmA9DxRulpy2ZuWdW2Pj/rYEJF5MQ0Jn06iraEqmJ3XU0/5Hj/UndQ297hvn1d", - "4Hse7bu+rbhD5/zllwXrO9xUZ9OQkmvEisrdru3XA7e5/wUoPSyAY83DmANMslzobvxGl+ovkxRY6b7U", - "kF+Zlk76qxaUgWscInCNGIdbZaIGSrvDRpeqQEpRmZjW3uYDJDQGsPlVlxZR9wZwXnF3bJhJLW6HPUI9", - "646r9vJy3r10/GV1s28bsm7udH0/9e4D4Inq89rObiJcU9N1plu5n6lBj7TvzTuqm7PB/pbg2R39bNpa", - "3Z0tvqnmpZvU8DW4Y6Po2O6f6giLS1gGBsW+xqs7XTfnv1ndVOCDjeXubNPsh1PsbXvdteXeArnqjvXP", - "Td+Z0rSh+97S33fT2k+VI7qKrRUM6BoRgGP1XRPA80UR9rGyadHPcmtfpD/ATOwMXzxCrvR7aKdGEHno", - "a5HXUVTt3/2+kuqnzABbraK+X4Jx9qMnGMvq6oEJRstkec7nimZ8RaPNIemgWgNPvjOK7NGLI5xnLLpR", - "vmnQPvIVPfw6fEbdS797QjXm18c/E29zy86djKuzOru6ApLItKU1PzCaC3MXDdcuFt9dKgfXkpVVZK/X", - "ktavSHS3E/QfRCh/Vrd18be7xO3eXLxhyVtZ7PaTpX8W4e2sLDkr8R5YlOR7iwRtmJJYJOhCsDwUOfsp", - "U09Npsb+jrY+khccMJjm7q/47X76viZ53GLxTZMzPyXkp4TMv0+wVGe+3Q+WOsXQnyUr0zM/RXHjxX8U", - "QXz4FKWVFGzK4Z+rFltL3IZms9trFbC3zuVCjvkBM98l3rt+H1dt8h2Tz8NuFlmfmN1BZV+2NN/12vod", - "vcRkrlVo7tmMO2nWq7xo9kPqLo327qsumvk1l/r4CLsudrTefH5N872IphAT1Xp+JEltJnDrglFft/uI", - "hoNb3Jue9tOvOQ6vJkoDT3RZ6qTqClbTMSOXZ6bQ3i5UN1isJlFqwaOWbUNTdIEtxxU/3H6+/b8AAAD/", - "/8CxKAKNvQAA", + 
"G756Ywtx9Saw3uxUUfV0yx0OG1UBoUel6IelSukV/r2pfMVdHOWzl2ckZJvZS8tz85hLyYjBAoqwfmti", + "3i62tufiaxKuGCX43+VSag6A/kCh5jzpPXzNIRFYLeWulM6SgVqgiUivKvDRsH7B0h0iVg6Gut7Zopnx", + "L6tAt7d8y7whivoLK/r03dJTfu4GS5g3hi7hPrUz6zUAboLTWMznYPvTRGUg3pkk4leDc0RVYNo+tWlk", + "NqsVZgdxONs/OpjsvwifT+Zz9HwCj54dTI7C2eLFYfTsZXwwO55Pns8O54f7B+PZs8Pnh9FBaA1/cfBs", + "f7I/O4gW+4dHUXQQHc8n8+czZ9+renGy1cdKPaiqxH1vZrROoEOnXtvOgXLHEa9v82upAg8oE4YSKB29", + "7lso0gMoQ7zQ7HFf+NuMLW51GLvxPE2dW0+beIncxGhwLsDi5L5MtA2HdxuKA7jCsl8ImmUqiqjKaX8z", + "dzdH49FHmPNasVnFh85Mhb8UXKdEBLUP3O0ECR+YwW14g+qhmqBgZIfukI+HVZLwzgq6gQxqZzw92fAx", + "uMFJFEIWFWneeipzMfn1nmevrUoa35msqIoA2ymsAbAKJ6ydVSCW3fAZDOExyBX3PORmRBRxffHH5NwL", + "jHljW+Z3pODABXymuUGe4S3bHJm/DpJWSfdumj6pusft1DneJSLYUm2esxqvpIl311GaSfnwVuXQa8Ru", + "GBabJdHLt7TbLcwq5R/9d2urdftB991+jyFOVOc2ftU+beio73NecS/VaX9vx0KBVZM6dVfTqORhiDj3", + "gLtZtXh7rnGbGi6g9IXrB203OVwN6cUfuXNko39aV0FOR9zhL3Rsb3S1ovdmrblCy0FhvQQ1xZe8q01l", + "XznRHQoz+0oxG02MH769hrcN71b7a9yqlKqQyjg5oaEj533yDnzIEHn18QycfHgjVS5LRsejvg6yE2k8", + "J9qlxZSYhrI60IipYnEsFOKtBYoj9ePRkSSgyvpliMAMj45HB+onqfHFSkE7hRmeXs+npqvQtJje+Etl", + "w7+zSK316uNZvWmeqkzRmlXNtz+bqStZ1XUimJXJw+m/uC63rPyozo7f7vZ8iuoNs6gVmdpEnqcpZOvR", + "scQBlO35SEwBz8MVgBzUevYJuORWP73RZ3UxwYe9Vj5NAigxfE2j9YPh3u7+10LaLAsWct3bJ7wPuaJZ", + "bSv2nIS/Hbf4UVcV8aEsWfU6fBzGdPRW7CLLeHT4gGC0+nU6ltbmvEMwrPbuheHaZGOm3/QfKiK81fov", + "QdoPdOzUhzhOMEGabO/1IX0GGUyR3uV/tooHLPCKmFw1JYJiNSoMwciCYWSrcV124Up0+r+i8LnFOIcO", + "P/yJ7SjVdG006x+0kYXDMFDCqkacjyNhjsafOyZh1kcGNpIwszHTb8YL20jCjPc4QMJs8PwSZsHwY0tY", + "/ZMRnRsZpXsFcE7JeovECQ3/6+LDe48o1cGSc5W3ydvsFtEQqOUqqCIaNiAyPmoHOH+7fHc+CBw5sAec", + "ldB1RT5wdJDXr3qq9rl9zCzlq7hVrPpTlBf1FE9/zRFbW0yNxSooRziY2F22dzt2fDpoDRgSOdMNw3R1", + "4MT0CiouvLlAqLXI2QSGz9vVvo6OxQ5Jsds4JEVf8QYfNIdU/FDE+CpG4779tz9tsS1n2/H1jM0d7vmD", + "wVPmRJ68ndPtWQEkUVERCwFBN/auuza8rQOm36yThX4rd6IelkzRqROWCV2opm05wV/zeu8Rv8GrH3QM", + "Mnjeu99thRFTfYuYZgUkMOGmQVrR/UYldExdhUt1qDnuqTN2wPBqPgCwj6fGQ2zILvLK49i0bdqTDn1W", + 
"9rE/dPKioTwVIFaf5Grbly6G6Evj7AxPfN6O3XOl8W/riVAJ7u33YY0npodMFgve17ZNI/0RKpUE97s9", + "5lNVu8WifTHDk7MtmsgPsKlV+6OOPdVfbvq5pdvc0tINve+OqpBsM2H9VHRB/THNievrerfGnuyqZqja", + "UMY50Y2Miyu0D8NgGyiOH5y9HN+921XuMkpq68xVNljr4K2qg/ePy1rtLubD3eCnzWmKA2rNlzfnJetb", + "8wNCbN2qdkiydgus42/0tt0At96ed0cOqIpedrp41ZecHcoe02/6jyqDN4BZVM330+OVcUeBr2f5CveB", + "yzvrf7fKpfX+KrvFpLr++e48WvauGqLByuaOT8cadt6geZSzoMbH/HaEfdRnKmpt34tO1vf1sASDhMe6", + "SLvDvbo0w370XGO7nPXP4mIVjFCqKgqg/uqOrhXo4S59xNOnmYpvmfYykOR5yK8e8/Tb3JtarIsWmbqZ", + "oGvN4tlQg1U2b+xa1SEfzWWbTUPHG6WnLZu5ZVXb+mStgwkVkRPTzPTpKNoSqorddTX9kOP9S911bXuH", + "+/Z1ge95tO/6HuMOnfOXXyOs73BTnU1DSq4RKyp3u7ZfD9zm/heg9LAAjjUPYw4wyXKhO/gbXaq/ZlJg", + "pXtZQ35l2kDpL2FQBq5xiMA1YhxulYkaKO0OG12qAilFZWLagZuPltAYwOaXYFpE3RvAecXdsWEmtbgd", + "9gj1rDuu2svLeffS8ZfVzb5tyLq50/X91LsPgCeqz2s7u4lwTU3XmW7lfqYGPdK+N++obs4G+1uCZ3f0", + "s2mFdXe2+KYanm5Sw9fgjo2iY7vnqiMsLmEZGBT7mrXudN2c/2Z1U4EPNpa7s02zH06xt+1115Z7C+Sq", + "O9Y/N31nStOG7ntLf99Naz9VjugqtlYwoGtEAI7Vt1AAzxdF2MfKpkU/y619kf4AM7EzfPEIudLvoZ0a", + "QeShr0VeR1G1f/f7SqqfMgNstYr6fgnG2Y+eYCyrqwcmGC2T5TmfK5rxFY02h6SDag08+c4oskcvjnCe", + "sejm+qap+8hX9PDr8Bl1//3uCdWYXx//TLzNLTt3Mq7O6uzqCkgi05bW/MBoLsxdNFy7WHx3qRxcS1ZW", + "kb1eS1q/ItHdTtB/EKH8Wd3Wxd/uErd7c/GGJW9lsdtPlv5ZhLezsuSsxHtgUZLvLRK0YUpikaALwfJQ", + "5OynTD01mRr7O9r6SF5wwGCau7/8t/vp+5rkcYvFN03O/JSQnxIy/z7BUp35dj9Y6hRDf5asTM/8FMWN", + "F/9RBPHhU5RWUrAph3+uWmwtcRuazW6vVcDeOpcLOeYHzHyXeO/6fVy1yXdMPg+7WWR9lnYHlX3Z0nzX", + "a+t39BKTuVahuWcz7qRZr/Ki2Q+puzTau6+6aObXXOrjI+y62NF68/k1zfcimkJMVOv5kSS1mcCtC0Z9", + "3e4jGg5ucW962k+/5ji8migNPNFlqZOqK1hNx4xcnplCe7tQ3WCxmkSpBY9atg1N0QW2HFf8cPv59v8C", + "AAD//1srtbHBvQAA", } // GetSwagger returns the content of the embedded swagger specification file diff --git a/dm/openapi/gen.types.go b/dm/openapi/gen.types.go index 507c18c2105..a9ee114dc0a 100644 --- a/dm/openapi/gen.types.go +++ b/dm/openapi/gen.types.go 
@@ -628,6 +628,9 @@ type TaskFullMigrateConf struct { // to control range concurrency of physical import RangeConcurrency *int `json:"range_concurrency,omitempty"` + // data source ssl configuration, the field will be hidden when getting the data source configuration from the interface + Security *Security `json:"security"` + // sorting dir name for physical import SortingDir *string `json:"sorting_dir,omitempty"` } diff --git a/dm/openapi/spec/dm.yaml b/dm/openapi/spec/dm.yaml index ae212570a82..64dc5044559 100644 --- a/dm/openapi/spec/dm.yaml +++ b/dm/openapi/spec/dm.yaml @@ -1617,6 +1617,7 @@ components: description: "source password" security: $ref: "#/components/schemas/Security" + description: "downstram database ssl config" required: - "host" - "port" @@ -1744,7 +1745,10 @@ components: description: "to control compress kv pairs of physical import" pd_addr: type: string - description: "address of pd" + description: "address of pd" + security: + $ref: "#/components/schemas/Security" + description: "downstram tidb cluster ssl config" on_duplicate_logical: type: string example: "replace" From 5c1f5a0da2cbed3b7391d61b07e629f0d5e87190 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 5 Dec 2024 18:01:38 +0800 Subject: [PATCH 02/63] use different tls config --- dm/config/task.go | 2 ++ dm/config/task_converters.go | 12 ++++++++++++ dm/loader/lightning.go | 18 ++++++++++++++++-- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/dm/config/task.go b/dm/config/task.go index 8cedfbd5e65..3919a4b587c 100644 --- a/dm/config/task.go +++ b/dm/config/task.go @@ -33,6 +33,7 @@ import ( "github.com/pingcap/tidb/pkg/util/filter" router "github.com/pingcap/tidb/pkg/util/table-router" "github.com/pingcap/tiflow/dm/config/dbconfig" + "github.com/pingcap/tiflow/dm/config/security" "github.com/pingcap/tiflow/dm/pkg/log" "github.com/pingcap/tiflow/dm/pkg/terror" "github.com/pingcap/tiflow/dm/pkg/utils" 
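Review bot: The `description` placed beside `$ref` under `security` (here and in the earlier `target_config.security` hunk) is a sibling key of `$ref`, which OpenAPI 3.0.x ignores, and the generated `gen.types.go` hunk in this same patch bears that out: the new field's comment is the `Security` schema's own text ("data source ssl configuration, the field will be hidden…"), not the text added here. If this spec is 3.0.x, wrap the reference so the description survives, e.g. `security:` / `  allOf: [{ $ref: "#/components/schemas/Security" }]` / `  description: "downstream tidb cluster ssl config"`, and fix the typo `downstram` → `downstream` in both hunks. The `Security` schema's own description still says "data source", which is now misleading for the two downstream uses this patch adds, so it is worth generalising that text as well.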
@@ -301,6 +302,7 @@ type LoaderConfig struct { RangeConcurrency int `yaml:"range-concurrency" toml:"range-concurrency" json:"range-concurrency"` CompressKVPairs string `yaml:"compress-kv-pairs" toml:"compress-kv-pairs" json:"compress-kv-pairs"` PDAddr string `yaml:"pd-addr" toml:"pd-addr" json:"pd-addr"` + Security *security.Security `toml:"security" json:"security" yaml:"security"` } // DefaultLoaderConfig return default loader config for task. diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index 98a9373e066..1e0265dd547 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go @@ -239,6 +239,18 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig, if fullCfg.PdAddr != nil { subTaskCfg.LoaderConfig.PDAddr = *fullCfg.PdAddr } + if fullCfg.Security != nil { + var certAllowedCN []string + if fullCfg.Security.CertAllowedCn != nil { + certAllowedCN = *fullCfg.Security.CertAllowedCn + } + subTaskCfg.LoaderConfig.Security = &security.Security{ + SSLCABytes: []byte(fullCfg.Security.SslCaContent), + SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent), + SSLCertBytes: []byte(fullCfg.Security.SslCertContent), + CertAllowedCN: certAllowedCN, + } + } if fullCfg.RangeConcurrency != nil { subTaskCfg.LoaderConfig.RangeConcurrency = *fullCfg.RangeConcurrency } diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 16a6b7685b7..b247de980fd 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
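Review bot: The struct tags on the new `Security` field are ordered `toml, json, yaml` while every sibling in `LoaderConfig` uses `yaml, toml, json`; write it as `Security *security.Security \`yaml:"security" toml:"security" json:"security"\`` for consistency. Because the field carries private-key bytes (`SSLKeyBytes`) through the same YAML/JSON paths as the rest of the subtask config, please confirm that wherever the subtask config is persisted or echoed back (the OpenAPI comment says the field is hidden on read) the loader copy is redacted the same way as `To.Security`; that code is not visible here. A one-line doc comment saying what the field is used for would also help readers of this struct.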
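Review bot: `OpenAPITaskToSubTaskConfigs` copies `ssl_*_content` straight into the `*Bytes` fields without checking that the CA/cert/key are non-empty or PEM-parsable, so a malformed value surfaces only when `BuildTLSConfig` runs inside the loader at subtask start rather than at task creation; if the `Security` schema validation does not already cover this (I cannot see it), a parse check here would give the API caller an immediate, actionable error. `certAllowedCN = *fullCfg.Security.CertAllowedCn` also aliases the decoded request slice; `certAllowedCN = append([]string(nil), *fullCfg.Security.CertAllowedCn...)` keeps the subtask config independent of the request object. The enclosing function starts before this hunk and continues after it.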
@@ -329,6 +329,17 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask if err := cfg.LoadFromGlobal(globalCfg); err != nil { return nil, err } + if subtaskCfg.LoaderConfig.Security != nil { + cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes + cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCABytes + cfg.Security.KeyBytes = subtaskCfg.LoaderConfig.Security.SSLKeyBytes + } + if subtaskCfg.To.Security != nil { + cfg.TiDB.Security.CABytes = subtaskCfg.To.Security.SSLCABytes + cfg.TiDB.Security.CertBytes = subtaskCfg.To.Security.SSLCABytes + cfg.TiDB.Security.KeyBytes = subtaskCfg.To.Security.SSLKeyBytes + } + // TableConcurrency is adjusted to the value of RegionConcurrency // when using TiDB backend. // TODO: should we set the TableConcurrency separately. @@ -342,6 +353,9 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask if err := cfg.Security.BuildTLSConfig(); err != nil { return nil, err } + if err := cfg.TiDB.Security.BuildTLSConfig(); err != nil { + return nil, err + } // To enable the loader worker failover, we need to use jobID+sourceID to isolate the checkpoint schema cfg.Checkpoint.Schema = cputil.LightningCheckpointSchema(subtaskCfg.Name, subtaskCfg.SourceID) cfg.Checkpoint.Driver = lcfg.CheckpointDriverMySQL @@ -657,7 +671,7 @@ func connParamFromConfig(config *lcfg.Config) *common.MySQLConnectParam { SQLMode: mysql.DefaultSQLMode, // TODO: keep same as Lightning defaultMaxAllowedPacket later MaxAllowedPacket: 64 * 1024 * 1024, - TLSConfig: config.Security.TLSConfig, - AllowFallbackToPlaintext: config.Security.AllowFallbackToPlaintext, + TLSConfig: config.TiDB.Security.TLSConfig, + AllowFallbackToPlaintext: config.TiDB.Security.AllowFallbackToPlaintext, } } From ef1e4fb5be03308979f132487053ad919ad9e1ee Mon Sep 17 00:00:00 2001 
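Review bot: Both new blocks load the certificate from the wrong source: `cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCABytes` and `cfg.TiDB.Security.CertBytes = subtaskCfg.To.Security.SSLCABytes` copy the CA where `SSLCertBytes` is meant, so the cert/key pair will not match and TLS setup fails; the later "add comment and fix" patch in this series corrects both lines. Independently, if `LoadFromGlobal` leaves `cfg.TiDB.Security` pointing at `cfg.Security` (the re-pointing added later in this series suggests it does), the two blocks write the same struct and the second wins, which would defeat the separate-CA case this patch is meant to support. `GetLightningConfig` starts before and ends after this hunk.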
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 6 Dec 2024 16:47:28 +0800 Subject: [PATCH 03/63] add ca2 tls key --- dm/tests/tls/conf/ca2.pem | 9 +++++++++ dm/tests/tls/conf/generate_tls.sh | 10 ++++++++++ dm/tests/tls/conf/tidb.key | 8 ++++++++ dm/tests/tls/conf/tidb.pem | 10 ++++++++++ 4 files changed, 37 insertions(+) create mode 100644 dm/tests/tls/conf/ca2.pem create mode 100644 dm/tests/tls/conf/tidb.key create mode 100644 dm/tests/tls/conf/tidb.pem diff --git a/dm/tests/tls/conf/ca2.pem b/dm/tests/tls/conf/ca2.pem new file mode 100644 index 00000000000..415657b813c --- /dev/null +++ b/dm/tests/tls/conf/ca2.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBJDCBywIUbGNy8sBYxuHIVsTzXw3j3YBRHnAwCgYIKoZIzj0EAwIwFDESMBAG +A1UEAwwJbG9jYWxob3N0MCAXDTI0MTIwNjAzNDUyN1oYDzIyOTgwOTIxMDM0NTI3 +WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AARy/P20i39q2rbtfOKrtLUZdYfP36BW10pWn6W+qRYTNRBXCLmc0Bkh/iU+GMdW +qFtReV/U+Btq/4lFi7aNy9ZIMAoGCCqGSM49BAMCA0gAMEUCIQCTVL7kpiO2FNpw +CaUjRnDfC9bxYke1N9JSz1iaHb9jAAIgcrXrkY/eNJZRLdP2G1nonwIDUV/bAw+1 +SWhEa0Gp+HI= +-----END CERTIFICATE----- diff --git a/dm/tests/tls/conf/generate_tls.sh b/dm/tests/tls/conf/generate_tls.sh index 8f8410690e0..9363a3d4d10 100644 --- a/dm/tests/tls/conf/generate_tls.sh +++ b/dm/tests/tls/conf/generate_tls.sh 
@@ -25,3 +25,13 @@ for role in dm other; do openssl req -new -batch -sha256 -subj "/CN=${role}" -key "$role.key" -out "$role.csr" openssl x509 -req -sha256 -days 100000 -extensions EXT -extfile "ipsan.cnf" -in "$role.csr" -CA "ca.pem" -CAkey "ca.key" -CAcreateserial -out "$role.pem" 2>/dev/null done + +openssl ecparam -out "ca2.key" -name prime256v1 -genkey +openssl req -new -batch -sha256 -subj '/CN=localhost' -key "ca2.key" -out "ca2.csr" +openssl x509 -req -sha256 -days 100000 -in "ca2.csr" -signkey "ca2.key" -out "ca2.pem" 2>/dev/null + +for role in tidb; do + openssl ecparam -out "$role.key" -name prime256v1 -genkey + openssl req -new -batch -sha256 -subj "/CN=${role}" -key "$role.key" -out "$role.csr" + openssl x509 -req -sha256 -days 100000 -extensions EXT -extfile "ipsan.cnf" -in "$role.csr" -CA "ca2.pem" -CAkey "ca2.key" -CAcreateserial -out "$role.pem" 2>/dev/null +done diff --git a/dm/tests/tls/conf/tidb.key b/dm/tests/tls/conf/tidb.key new file mode 100644 index 00000000000..63a4df9c3b8 --- /dev/null +++ b/dm/tests/tls/conf/tidb.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIMdUrYsjfC9TNSMKAcGWYB9hmKKzyxuxMfRwDGkc03PzoAoGCCqGSM49 +AwEHoUQDQgAE5az3n+AgNQbXXo2gFmEAGfq5ZtIi8O9rebCwefD08Z69JvbdD23W +SXvLV1CkylOVJD/fUU4iAK6X9FMxit73kA== +-----END EC PRIVATE KEY----- diff --git a/dm/tests/tls/conf/tidb.pem b/dm/tests/tls/conf/tidb.pem new file mode 100644 index 00000000000..7480fa59d4b --- /dev/null +++ b/dm/tests/tls/conf/tidb.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcDCCARWgAwIBAgIUNC83r8QT87G4uCeW2wUMzaDbCvAwCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTIwNjAzNDgxMloXDTM0MTIwNDAz +NDgxMlowDzENMAsGA1UEAwwEdGlkYjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BOWs95/gIDUG116NoBZhABn6uWbSIvDva3mwsHnw9PGevSb23Q9t1kl7y1dQpMpT +lSQ/31FOIgCul/RTMYre95CjSjBIMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAoG +CCqGSM49BAMCA0kAMEYCIQDDPgmo3olaw1D/7YW3463jvuSBd4w2Z3Ai/BHgZB7d +BAIhALKIhAqB1ffI5XdSdfnznqfwX6FY9c9POlJNfkghB07e +-----END CERTIFICATE----- From c2974c3904807cfb3ffab8d54ea38f1319b8a2fa Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 9 Dec 2024 14:54:49 +0800 Subject: [PATCH 04/63] add comment and fix --- dm/config/task.go | 4 +++- dm/loader/lightning.go | 15 +++++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/dm/config/task.go b/dm/config/task.go index 3919a4b587c..13e0106dd4e 100644 --- a/dm/config/task.go +++ b/dm/config/task.go @@ -302,7 +302,9 @@ type LoaderConfig struct { RangeConcurrency int `yaml:"range-concurrency" toml:"range-concurrency" json:"range-concurrency"` CompressKVPairs string `yaml:"compress-kv-pairs" toml:"compress-kv-pairs" json:"compress-kv-pairs"` PDAddr string `yaml:"pd-addr" toml:"pd-addr" json:"pd-addr"` - Security *security.Security `toml:"security" json:"security" yaml:"security"` + // now only creating task by OpenAPI will use the `Security` field to connect PD. + // TODO: support setting `Security` by dmctl + Security *security.Security `toml:"security" json:"security" yaml:"security"` } // DefaultLoaderConfig return default loader config for task. diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index b247de980fd..1fb97e2dc76 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
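Review bot: The new comment on `LoaderConfig.Security` reads awkwardly and does not say what the field is for, only who sets it; consider `// Security is the TLS material Lightning uses for the PD side of a physical import when PD is signed by a different CA than the downstream TiDB. Currently only tasks created via OpenAPI populate it. TODO: support setting it via dmctl.` The "PD side" part is my inference from the loader copying this field into Lightning's top-level `Security`; confirm that before committing to the wording.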
@@ -106,6 +106,9 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st // MakeGlobalConfig converts subtask config to lightning global config. func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig { lightningCfg := lcfg.NewGlobalConfig() + // Global config will use downstream TiDB security config as default. + // If the downstream TiDB and PD use certificates issued by different CAs, it may affect the physical import mode. + // To resolve this issue, need to specify the TLS certificates for PD when creating task. if cfg.To.Security != nil { lightningCfg.Security.CABytes = cfg.To.Security.SSLCABytes lightningCfg.Security.CertBytes = cfg.To.Security.SSLCertBytes @@ -329,16 +332,16 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask if err := cfg.LoadFromGlobal(globalCfg); err != nil { return nil, err } - if subtaskCfg.LoaderConfig.Security != nil { - cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes - cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCABytes - cfg.Security.KeyBytes = subtaskCfg.LoaderConfig.Security.SSLKeyBytes - } if subtaskCfg.To.Security != nil { cfg.TiDB.Security.CABytes = subtaskCfg.To.Security.SSLCABytes - cfg.TiDB.Security.CertBytes = subtaskCfg.To.Security.SSLCABytes + cfg.TiDB.Security.CertBytes = subtaskCfg.To.Security.SSLCertBytes cfg.TiDB.Security.KeyBytes = subtaskCfg.To.Security.SSLKeyBytes } + if subtaskCfg.LoaderConfig.Security != nil { + cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes + cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCertBytes + cfg.Security.KeyBytes = subtaskCfg.LoaderConfig.Security.SSLKeyBytes + } // TableConcurrency is adjusted to the value of RegionConcurrency // when using TiDB backend. From cd4590391c02ae02d5f4f62633c9b7c90f4d7f86 Mon Sep 17 00:00:00 2001 
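Review bot: The new comment on `MakeGlobalConfig` is vague about the failure mode ("it may affect the physical import mode"); from the code directly below it, the global `Security` is seeded from `cfg.To.Security`, i.e. the downstream TiDB's TLS material, and that is what Lightning will use for PD unless `LoaderConfig.Security` overrides it. Suggested wording: `// The global Security is seeded from the downstream TiDB TLS config (cfg.To.Security). Physical import also uses it to reach PD, so when PD is signed by a different CA than TiDB the task must supply LoaderConfig.Security (OpenAPI full_migrate_conf.security) for that side; see GetLightningConfig.` `MakeGlobalConfig` continues outside the hunk.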
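Review bot: The reorder now applies the `LoaderConfig.Security` block after the `To.Security` block, but if `cfg.TiDB.Security` still points at `cfg.Security` after `LoadFromGlobal` (the next patch in this series re-points it, which suggests it does), the loader block overwrites the TiDB TLS bytes too and the PD-specific CA ends up on the TiDB connection as well. Give `cfg.TiDB.Security` its own struct before applying overrides, e.g. `tidbSec := cfg.Security` / `cfg.TiDB.Security = &tidbSec`, so the two connections can carry different material. `GetLightningConfig` starts before and ends after this hunk.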
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 9 Dec 2024 15:05:14 +0800 Subject: [PATCH 05/63] add test --- dm/config/task_test.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dm/config/task_test.go b/dm/config/task_test.go index fd41681df56..90c5b9c7daf 100644 --- a/dm/config/task_test.go +++ b/dm/config/task_test.go @@ -532,6 +532,12 @@ func TestGenAndFromSubTaskConfigs(t *testing.T) { "sql_mode": " NO_AUTO_VALUE_ON_ZERO,ANSI_QUOTES", "time_zone": "+00:00", } + security2 = security.Security{ + SSLCA: "/path/to/ca2", + SSLCert: "/path/to/cert2", + SSLKey: "/path/to/key2", + CertAllowedCN: []string{"allowed-cn"}, + } security = security.Security{ SSLCA: "/path/to/ca", SSLCert: "/path/to/cert", @@ -674,6 +680,7 @@ func TestGenAndFromSubTaskConfigs(t *testing.T) { PDAddr: "http://test:2379", RangeConcurrency: 32, CompressKVPairs: "gzip", + Security: &security2, }, SyncerConfig: SyncerConfig{ WorkerCount: 32, From 17331f52108bb1f0a4fbf8d1ebed5826608b2ee5 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:13:35 +0800 Subject: [PATCH 06/63] add ut --- dm/config/task_converters_test.go | 25 +++++++++++++++++++++++++ dm/openapi/fixtures/task.go | 21 +++++++++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index fc368db2384..b381f24b724 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -20,6 +20,7 @@ import ( "github.com/pingcap/check" "github.com/pingcap/tidb/pkg/util/filter" "github.com/pingcap/tiflow/dm/config/dbconfig" + "github.com/pingcap/tiflow/dm/config/security" "github.com/pingcap/tiflow/dm/openapi" "github.com/pingcap/tiflow/dm/openapi/fixtures" "github.com/pingcap/tiflow/dm/pkg/terror" 
@@ -65,6 +66,12 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { Port: task.TargetConfig.Port, User: task.TargetConfig.User, Password: task.TargetConfig.Password, + Security: &security.Security{ + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, + }, } // change meta newMeta := "new_dm_meta" @@ -125,6 +132,12 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(subTaskConfig.DumpIOTotalBytes.Load(), check.Equals, uint64(0)) c.Assert(subTaskConfig.UUID, check.HasLen, len(uuid.NewString())) c.Assert(subTaskConfig.DumpUUID, check.HasLen, len(uuid.NewString())) + // check security items + c.Assert(string(subTaskConfig.To.Security.SSLCABytes), check.Equals, task.TargetConfig.Security.SslCaContent) + c.Assert(string(subTaskConfig.To.Security.SSLCertBytes), check.Equals, task.TargetConfig.Security.SslCertContent) + c.Assert(string(subTaskConfig.To.Security.SSLKeyBytes), check.Equals, task.TargetConfig.Security.SslKeyContent) + c.Assert(subTaskConfig.To.Security.CertAllowedCN, check.Equals, task.TargetConfig.Security.CertAllowedCn) + c.Assert(subTaskConfig.LoaderConfig.Security, check.IsNil) } func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { 
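Review bot: `c.Assert(subTaskConfig.To.Security.CertAllowedCN, check.Equals, task.TargetConfig.Security.CertAllowedCn)` compares a `[]string` with a `*[]string`; gocheck's `Equals` checker uses `==`, so this can never hold and the assertion fails. Use `check.DeepEquals` against the dereferenced value: `c.Assert(subTaskConfig.To.Security.CertAllowedCN, check.DeepEquals, *task.TargetConfig.Security.CertAllowedCn)`. The expected `toDBCfg` literal in the first hunk also dereferences `CertAllowedCn` without a nil guard, which is fine for this fixture but will panic if the fixture ever drops `cert_allowed_cn`. The enclosing test function continues outside the hunk.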
@@ -215,6 +228,12 @@ func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { c.Assert(subTask1Config.BAList, check.DeepEquals, bAListFromOpenAPITask) // check ignore check items c.Assert(subTask1Config.IgnoreCheckingItems, check.IsNil) + // check security items + c.Assert(string(subTask1Config.LoaderConfig.Security.SSLCert), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTask1Config.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTask1Config.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) + c.Assert(subTask1Config.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn) + c.Assert(subTask1Config.To.Security, check.IsNil) // check sub task 2 subTask2Config := subTaskConfigList[1] @@ -264,6 +283,12 @@ func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { c.Assert(subTask2Config.BAList, check.DeepEquals, bAListFromOpenAPITask) // check ignore check items c.Assert(subTask2Config.IgnoreCheckingItems, check.IsNil) + // check security items + c.Assert(string(subTask2Config.LoaderConfig.Security.SSLCert), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTask2Config.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTask2Config.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) + c.Assert(subTask2Config.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn) + c.Assert(subTask2Config.To.Security, check.IsNil) } func (t *testConfig) TestSubTaskConfigsToOpenAPITask(c *check.C) { diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 9c238658801..d9b0f245eb5 100644 
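Review bot: `SSLCert` is the certificate path field, and the converter added in this series only fills `SSLCertBytes`, so `c.Assert(string(subTask1Config.LoaderConfig.Security.SSLCert), check.Equals, …SslCertContent)` compares an empty string with the fixture content and fails; the line that is actually missing is the CA check, `c.Assert(string(subTask1Config.LoaderConfig.Security.SSLCABytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCaContent)`. The `CertAllowedCN` assertion compares `[]string` with `*[]string` via `check.Equals`, which never holds; use `check.DeepEquals` with `*task.SourceConfig.FullMigrateConf.Security.CertAllowedCn`. Both problems repeat verbatim in the `subTask2Config` hunk below.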
--- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -50,8 +50,13 @@ var ( "host": "root", "password": "123456", "port": 4000, - "security": null, - "user": "root" + "user": "root", + "security": { + "ssl_ca_content": "fake_ssl_ca_content", + "ssl_cert_content": "fake_ssl_cert_content", + "ssl_key_content": "fake_ssl_key_content", + "cert_allowed_cn": ["TiDB1", "TiDB2"] + } }, "task_mode": "all", "strict_optimistic_shard_mode": false @@ -155,6 +160,18 @@ var ( "user": "root" }, "task_mode": "all" + "task_source_config": { + "full_migrate_conf": { + "import_mode": "physical", + "pd_addr": "https://127.0.0.1:2379", + "security": { + "ssl_ca_content": "fake_ssl_ca_content_2", + "ssl_cert_content": "fake_ssl_cert_content_2", + "ssl_key_content": "fake_ssl_key_content_2", + "cert_allowed_cn": ["PD1", "PD2"] + } + } + }, } ` ) From ee0bd4c5c569de40282b21f494170b36aa7ca564 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 10 Dec 2024 17:41:56 +0800 Subject: [PATCH 07/63] add ut --- dm/loader/lightning.go | 7 +-- dm/loader/lightning_test.go | 113 ++++++++++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+), 6 deletions(-) diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 1fb97e2dc76..951fd4ef2eb 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
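Review bot: In the second hunk the new `"task_source_config"` object is appended directly after `"task_mode": "all"` with no comma between them, so the fixture is no longer valid JSON and every test that unmarshals it fails at parse time; change that line to `"task_mode": "all",`. Please also double-check that `task_source_config` is the JSON name the `Task` schema actually uses for `SourceConfig` — an unrecognised key is silently dropped by `encoding/json`, which would leave `FullMigrateConf.Security` nil and make the new converter tests fail on a nil dereference instead of on the intended assertions.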
@@ -332,17 +332,12 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask if err := cfg.LoadFromGlobal(globalCfg); err != nil { return nil, err } - if subtaskCfg.To.Security != nil { - cfg.TiDB.Security.CABytes = subtaskCfg.To.Security.SSLCABytes - cfg.TiDB.Security.CertBytes = subtaskCfg.To.Security.SSLCertBytes - cfg.TiDB.Security.KeyBytes = subtaskCfg.To.Security.SSLKeyBytes - } + cfg.TiDB.Security = &globalCfg.Security if subtaskCfg.LoaderConfig.Security != nil { cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCertBytes cfg.Security.KeyBytes = subtaskCfg.LoaderConfig.Security.SSLKeyBytes } - // TableConcurrency is adjusted to the value of RegionConcurrency // when using TiDB backend. // TODO: should we set the TableConcurrency separately. diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go index d0bebdc36b3..0dd669bd1ed 100644 --- a/dm/loader/lightning_test.go +++ b/dm/loader/lightning_test.go 
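Review bot: `cfg.TiDB.Security = &globalCfg.Security` makes the per-task config alias the caller's `GlobalConfig`; the `cfg.TiDB.Security.BuildTLSConfig()` call further down this function (added earlier in the series) then writes the built `TLSConfig` back into `globalCfg`, a side effect on an input parameter that is unsafe if one global config is shared between subtasks. Copy instead: `tidbSec := globalCfg.Security` / `cfg.TiDB.Security = &tidbSec`. Separately, only CA/cert/key bytes are forwarded from `LoaderConfig.Security`; `CertAllowedCN`, which the OpenAPI converter populates, is never applied to `cfg.Security`, so the CN allow-list the API accepts for the PD side is silently not enforced — forward it if Lightning's `Security` has a matching field, otherwise reject it at the API boundary. `GetLightningConfig` starts before and ends after this hunk.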
@@ -21,12 +21,75 @@ import ( "github.com/pingcap/tidb/pkg/lightning/common" lcfg "github.com/pingcap/tidb/pkg/lightning/config" "github.com/pingcap/tiflow/dm/config" + "github.com/pingcap/tiflow/dm/config/dbconfig" + "github.com/pingcap/tiflow/dm/config/security" "github.com/pingcap/tiflow/dm/pkg/terror" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "github.com/stretchr/testify/require" ) +var ( + caContent = []byte(`-----BEGIN CERTIFICATE----- +MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs +aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE +AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD +kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J +xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL +GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ= +-----END CERTIFICATE----- +`) + certContent = []byte(`-----BEGIN CERTIFICATE----- +MIIBZDCCAQqgAwIBAgIJAIT/lgXUc1JqMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMM +CWxvY2FsaG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owDTEL +MAkGA1UEAwwCZG0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBA6/ltA7vErXq +9laHAmqXPa+XX34BdbZCXspDIaIElVK8tvIMs6uQh4WUc3TiKpDf1IpI5J94ZJ9G +3p2hTohwo0owSDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCwYDVR0PBAQD +AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAKBggqhkjOPQQDAgNI +ADBFAiEAx6ljJ+tNa55ypWLGNqmXlB4UdMmKmE4RSKJ8mmEelfECIG2ZmCE59rv5 +wImM6KnK+vM2QnEiISH3PeYyyRzQzycu +-----END CERTIFICATE----- +`) + keyContent = []byte(`-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEICF/GDtVxhTPTP501nOu4jgwGSDY01xN+61xd9MfChw+oAoGCCqGSM49 +AwEHoUQDQgAEgQOv5bQO7xK16vZWhwJqlz2vl19+AXW2Ql7KQyGiBJVSvLbyDLOr +kIeFlHN04iqQ39SKSOSfeGSfRt6doU6IcA== +-----END EC PRIVATE KEY----- +`) + caContent2 = []byte(`-----BEGIN CERTIFICATE----- +MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs 
+aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE +AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD +kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J +xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL +GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ= +-----END CERTIFICATE----- +`) + certContent2 = []byte(`-----BEGIN CERTIFICATE----- +MIIBcDCCARWgAwIBAgIUNC83r8QT87G4uCeW2wUMzaDbCvAwCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTIwNjAzNDgxMloXDTM0MTIwNDAz +NDgxMlowDzENMAsGA1UEAwwEdGlkYjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BOWs95/gIDUG116NoBZhABn6uWbSIvDva3mwsHnw9PGevSb23Q9t1kl7y1dQpMpT +lSQ/31FOIgCul/RTMYre95CjSjBIMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAoG +CCqGSM49BAMCA0kAMEYCIQDDPgmo3olaw1D/7YW3463jvuSBd4w2Z3Ai/BHgZB7d +BAIhALKIhAqB1ffI5XdSdfnznqfwX6FY9c9POlJNfkghB07e +-----END CERTIFICATE----- +`) + keyContent2 = []byte(`-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIMdUrYsjfC9TNSMKAcGWYB9hmKKzyxuxMfRwDGkc03PzoAoGCCqGSM49 +AwEHoUQDQgAE5az3n+AgNQbXXo2gFmEAGfq5ZtIi8O9rebCwefD08Z69JvbdD23W +SXvLV1CkylOVJD/fUU4iAK6X9FMxit73kA== +-----END EC PRIVATE KEY----- +`) +) + func TestSetLightningConfig(t *testing.T) { t.Parallel() 
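Review bot: `caContent2` is byte-for-byte the same PEM as `caContent` (both begin `MIIBGDCBwAIJAOjYXLFw5V1H…`), so the "different CA" cases built from it in the test below exercise no different CA at all; `certContent2`/`keyContent2` are the `tidb` leaf issued by `ca2` in this series, so `caContent2` should hold the `dm/tests/tls/conf/ca2.pem` content (`MIIBJDCBywIUbGNy8sBYxuHIVsTzXw3j3YBRHnAw…`). These literals also embed private keys; they are test-only material, but duplicating them here and under `dm/tests/tls/conf` invites drift, so consider loading them from that directory (or a `testdata` copy) if the test layout allows.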
@@ -99,6 +162,56 @@ func TestGetLightiningConfig(t *testing.T) { }) require.NoError(t, err) require.Equal(t, lcfg.CheckpointDriverMySQL, conf.Checkpoint.Driver) + + cases := []struct { + globalSecurityCfg *lcfg.Security + loaderSecurityCfg *security.Security + toSecurityCfg *security.Security + }{ + { + globalSecurityCfg: &lcfg.Security{CABytes: caContent, CertBytes: certContent, KeyBytes: keyContent}, + loaderSecurityCfg: &security.Security{SSLCABytes: caContent2, SSLCertBytes: certContent2, SSLKeyBytes: keyContent2}, + toSecurityCfg: &security.Security{SSLCABytes: caContent, SSLCertBytes: certContent, SSLKeyBytes: keyContent}, + }, + { + globalSecurityCfg: &lcfg.Security{CABytes: caContent}, + loaderSecurityCfg: &security.Security{SSLCABytes: caContent2, SSLCertBytes: certContent2, SSLKeyBytes: keyContent2}, + toSecurityCfg: &security.Security{SSLCABytes: caContent}, + }, + { + globalSecurityCfg: &lcfg.Security{CABytes: caContent, CertBytes: certContent, KeyBytes: keyContent}, + toSecurityCfg: &security.Security{SSLCABytes: caContent, SSLCertBytes: certContent, SSLKeyBytes: keyContent}, + }, + { + globalSecurityCfg: &lcfg.Security{CABytes: caContent}, + toSecurityCfg: &security.Security{SSLCABytes: caContent}, + }, + { + globalSecurityCfg: &lcfg.Security{}, + toSecurityCfg: &security.Security{}, + }, + } + for _, c := range cases { + conf, err = GetLightningConfig( + &lcfg.GlobalConfig{Security: *c.globalSecurityCfg}, + &config.SubTaskConfig{ + LoaderConfig: config.LoaderConfig{Security: c.loaderSecurityCfg}, + To: dbconfig.DBConfig{Security: c.toSecurityCfg}, + }) + require.NoError(t, err) + require.Equal(t, c.globalSecurityCfg.CABytes, conf.TiDB.Security.CABytes) + require.Equal(t, c.globalSecurityCfg.CertBytes, conf.TiDB.Security.CertBytes) + require.Equal(t, c.globalSecurityCfg.KeyBytes, conf.TiDB.Security.KeyBytes) + if c.loaderSecurityCfg == nil { + require.Equal(t, c.globalSecurityCfg.CABytes, conf.Security.CABytes) + require.Equal(t, 
c.globalSecurityCfg.CertBytes, conf.Security.CertBytes) + require.Equal(t, c.globalSecurityCfg.KeyBytes, conf.Security.KeyBytes) + } else { + require.Equal(t, c.loaderSecurityCfg.SSLCABytes, conf.Security.CABytes) + require.Equal(t, c.loaderSecurityCfg.SSLCertBytes, conf.Security.CertBytes) + require.Equal(t, c.loaderSecurityCfg.SSLKeyBytes, conf.Security.KeyBytes) + } + } } func TestMetricProxies(t *testing.T) { From c853e28f560b9983f33262aba2cd773496e8a696 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 10 Dec 2024 17:44:47 +0800 Subject: [PATCH 08/63] add test --- dm/openapi/fixtures/task.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index d9b0f245eb5..caa06b40974 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -51,12 +51,7 @@ var ( "password": "123456", "port": 4000, "user": "root", - "security": { - "ssl_ca_content": "fake_ssl_ca_content", - "ssl_cert_content": "fake_ssl_cert_content", - "ssl_key_content": "fake_ssl_key_content", - "cert_allowed_cn": ["TiDB1", "TiDB2"] - } + "security": null, }, "task_mode": "all", "strict_optimistic_shard_mode": false @@ -156,7 +151,12 @@ var ( "host": "root", "password": "123456", "port": 4000, - "security": null, + "security": { + "ssl_ca_content": "fake_ssl_ca_content", + "ssl_cert_content": "fake_ssl_cert_content", + "ssl_key_content": "fake_ssl_key_content", + "cert_allowed_cn": ["TiDB1", "TiDB2"] + }, "user": "root" }, "task_mode": "all" From 52d71ffcba327fb7aeac56f3e912931a9df5046d Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 10 Dec 2024 17:56:45 +0800 Subject: [PATCH 09/63] fix test --- dm/config/task_converters_test.go | 23 ++++++++---------- dm/openapi/fixtures/task.go | 40 +++++++++++++++---------------- 2 files changed, 30 insertions(+), 33 deletions(-) 
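Review bot: toSecurityCfg is populated in every case but never asserted against, and its values always mirror globalSecurityCfg, so the loop cannot tell whether conf.TiDB.Security is derived from the global lightning config or from SubTaskConfig.To — the three `require.Equal(t, c.globalSecurityCfg.…, conf.TiDB.Security.…)` lines pass either way. Add one case where the two differ and assert the intended winner, or drop the field from the table. A one-line comment on the loop stating which input each of conf.Security and conf.TiDB.Security is expected to come from would pin the contract the cases are meant to test. TestGetLightiningConfig begins outside this hunk.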
diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index b381f24b724..2dc9e0edbf0 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -137,7 +137,10 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(string(subTaskConfig.To.Security.SSLCertBytes), check.Equals, task.TargetConfig.Security.SslCertContent) c.Assert(string(subTaskConfig.To.Security.SSLKeyBytes), check.Equals, task.TargetConfig.Security.SslKeyContent) c.Assert(subTaskConfig.To.Security.CertAllowedCN, check.Equals, task.TargetConfig.Security.CertAllowedCn) - c.Assert(subTaskConfig.LoaderConfig.Security, check.IsNil) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCert), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) + c.Assert(subTaskConfig.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn) } func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { @@ -157,6 +160,12 @@ func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { Port: task.TargetConfig.Port, User: task.TargetConfig.User, Password: task.TargetConfig.Password, + Security: &security.Security{ + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, + }, } sourceCfgMap := map[string]*SourceConfig{source1Name: sourceCfg1, source2Name: sourceCfg2} subTaskConfigList, err := OpenAPITaskToSubTaskConfigs(&task, toDBCfg, sourceCfgMap) 
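Review bot: The added `c.Assert(subTaskConfig.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn)` compares a `[]string` with a `*[]string`; check.Equals uses `==`, so the two can never be equal (the unchanged To.Security line above it has the same shape). Use `check.DeepEquals` against the dereferenced pointer: `c.Assert(subTaskConfig.LoaderConfig.Security.CertAllowedCN, check.DeepEquals, *task.SourceConfig.FullMigrateConf.Security.CertAllowedCn)`. The first added line also checks a field named SSLCert, which by its naming next to SSLCertBytes looks like a path rather than PEM content, against SslCertContent; the check that is missing is SSLCABytes against SslCaContent. testNoShardTaskToSubTaskConfigs starts outside the hunk.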
@@ -228,12 +237,6 @@ func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { c.Assert(subTask1Config.BAList, check.DeepEquals, bAListFromOpenAPITask) // check ignore check items c.Assert(subTask1Config.IgnoreCheckingItems, check.IsNil) - // check security items - c.Assert(string(subTask1Config.LoaderConfig.Security.SSLCert), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) - c.Assert(string(subTask1Config.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) - c.Assert(string(subTask1Config.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) - c.Assert(subTask1Config.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn) - c.Assert(subTask1Config.To.Security, check.IsNil) // check sub task 2 subTask2Config := subTaskConfigList[1] @@ -283,12 +286,6 @@ func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { c.Assert(subTask2Config.BAList, check.DeepEquals, bAListFromOpenAPITask) // check ignore check items c.Assert(subTask2Config.IgnoreCheckingItems, check.IsNil) - // check security items - c.Assert(string(subTask2Config.LoaderConfig.Security.SSLCert), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) - c.Assert(string(subTask2Config.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) - c.Assert(string(subTask2Config.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) - c.Assert(subTask2Config.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn) - c.Assert(subTask2Config.To.Security, check.IsNil) } func (t *testConfig) TestSubTaskConfigsToOpenAPITask(c *check.C) { diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index caa06b40974..00ae8d094bc 100644 
--- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -50,10 +50,27 @@ var ( "host": "root", "password": "123456", "port": 4000, - "user": "root", - "security": null, + "security": { + "ssl_ca_content": "fake_ssl_ca_content", + "ssl_cert_content": "fake_ssl_cert_content", + "ssl_key_content": "fake_ssl_key_content", + "cert_allowed_cn": ["TiDB1", "TiDB2"] + }, + "user": "root" }, "task_mode": "all", + "task_source_config": { + "full_migrate_conf": { + "import_mode": "physical", + "pd_addr": "https://127.0.0.1:2379", + "security": { + "ssl_ca_content": "fake_ssl_ca_content_2", + "ssl_cert_content": "fake_ssl_cert_content_2", + "ssl_key_content": "fake_ssl_key_content_2", + "cert_allowed_cn": ["PD1", "PD2"] + } + } + }, "strict_optimistic_shard_mode": false } ` @@ -151,27 +168,10 @@ var ( "host": "root", "password": "123456", "port": 4000, - "security": { - "ssl_ca_content": "fake_ssl_ca_content", - "ssl_cert_content": "fake_ssl_cert_content", - "ssl_key_content": "fake_ssl_key_content", - "cert_allowed_cn": ["TiDB1", "TiDB2"] - }, + "security": null, "user": "root" }, "task_mode": "all" - "task_source_config": { - "full_migrate_conf": { - "import_mode": "physical", - "pd_addr": "https://127.0.0.1:2379", - "security": { - "ssl_ca_content": "fake_ssl_ca_content_2", - "ssl_cert_content": "fake_ssl_cert_content_2", - "ssl_key_content": "fake_ssl_key_content_2", - "cert_allowed_cn": ["PD1", "PD2"] - } - } - }, } ` ) From 729d265626801f304d04b0efc0295ed25d9c16c4 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:34:20 +0800 Subject: [PATCH 10/63] fix test --- dm/config/task_converters.go | 30 ++++++++++++++++++++++++++++++ dm/config/task_converters_test.go | 22 +++++++++++++--------- dm/openapi/fixtures/task.go | 22 +++++++++------------- 3 files changed, 52 insertions(+), 22 deletions(-) 
diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index 1e0265dd547..c8c8eafdca2 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go @@ -551,6 +551,11 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta ExportThreads: &oneSubtaskConfig.MydumperConfig.Threads, DataDir: &oneSubtaskConfig.LoaderConfig.Dir, ImportThreads: &oneSubtaskConfig.LoaderConfig.PoolSize, + PdAddr: &oneSubtaskConfig.LoaderConfig.PDAddr, + } + importMode := openapi.TaskFullMigrateConfImportMode(oneSubtaskConfig.LoaderConfig.ImportMode) + if importMode != "" { + taskSourceConfig.FullMigrateConf.ImportMode = &importMode } consistencyInTask := oneSubtaskConfig.MydumperConfig.ExtraArgs consistency := strings.Replace(consistencyInTask, "--consistency ", "", 1) @@ -561,6 +566,18 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta ReplBatch: &oneSubtaskConfig.SyncerConfig.Batch, ReplThreads: &oneSubtaskConfig.SyncerConfig.WorkerCount, } + if oneSubtaskConfig.LoaderConfig.Security != nil { + var certAllowedCN []string + if oneSubtaskConfig.LoaderConfig.Security.CertAllowedCN != nil { + certAllowedCN = oneSubtaskConfig.LoaderConfig.Security.CertAllowedCN + } + taskSourceConfig.FullMigrateConf.Security = &openapi.Security{ + CertAllowedCn: &certAllowedCN, + SslCaContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLCABytes), + SslCertContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLCertBytes), + SslKeyContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLKeyBytes), + } + } // set filter rules filterRuleMap := openapi.Task_BinlogFilterRule{} for sourceName, ruleList := range filterMap { 
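Review bot: `SslKeyContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLKeyBytes)` copies the loader's TLS private key into the openapi.Task this converter returns; if that struct is what the task read endpoints serialize (not visible here), every caller allowed to read tasks also receives the private key, so consider leaving SslKeyContent empty on the read path and documenting that on the field. The `@@ -672,6 +689,19 @@` hunk repeats the same twelve lines for To.Security, and in both the inner `if … CertAllowedCN != nil` guard is a no-op, since assigning a nil slice to `certAllowedCN` leaves it nil; a shared helper removes the duplication, as sketched below (it assumes the security package is imported in task_converters.go as it is in the test file). SubTaskConfigsToOpenAPITask begins and ends outside this hunk.
```go
// securityToOpenAPI converts DM's TLS settings to their OpenAPI form.
// A nil input yields nil so the result can be assigned directly.
func securityToOpenAPI(s *security.Security) *openapi.Security {
	if s == nil {
		return nil
	}
	certAllowedCN := s.CertAllowedCN
	return &openapi.Security{
		CertAllowedCn:  &certAllowedCN,
		SslCaContent:   string(s.SSLCABytes),
		SslCertContent: string(s.SSLCertBytes),
		SslKeyContent:  string(s.SSLKeyBytes),
	}
}

// … in SubTaskConfigsToOpenAPITask, replacing the inline block after the incr config:
taskSourceConfig.FullMigrateConf.Security = securityToOpenAPI(oneSubtaskConfig.LoaderConfig.Security)
// … and the block before `return &task` in the @@ -672 hunk:
task.TargetConfig.Security = securityToOpenAPI(oneSubtaskConfig.To.Security)
```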
@@ -672,6 +689,19 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta ignoreItems := oneSubtaskConfig.IgnoreCheckingItems task.IgnoreCheckingItems = &ignoreItems } + if oneSubtaskConfig.To.Security != nil { + var certAllowedCN []string + if oneSubtaskConfig.To.Security.CertAllowedCN != nil { + certAllowedCN = oneSubtaskConfig.To.Security.CertAllowedCN + } + task.TargetConfig.Security = &openapi.Security{ + CertAllowedCn: &certAllowedCN, + SslCaContent: string(oneSubtaskConfig.To.Security.SSLCABytes), + SslCertContent: string(oneSubtaskConfig.To.Security.SSLCertBytes), + SslKeyContent: string(oneSubtaskConfig.To.Security.SSLKeyBytes), + } + } + return &task } diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 2dc9e0edbf0..48b4e15070b 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go 
@@ -136,11 +136,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(string(subTaskConfig.To.Security.SSLCABytes), check.Equals, task.TargetConfig.Security.SslCaContent) c.Assert(string(subTaskConfig.To.Security.SSLCertBytes), check.Equals, task.TargetConfig.Security.SslCertContent) c.Assert(string(subTaskConfig.To.Security.SSLKeyBytes), check.Equals, task.TargetConfig.Security.SslKeyContent) - c.Assert(subTaskConfig.To.Security.CertAllowedCN, check.Equals, task.TargetConfig.Security.CertAllowedCn) - c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCert), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) - c.Assert(subTaskConfig.LoaderConfig.Security.CertAllowedCN, check.Equals, task.SourceConfig.FullMigrateConf.Security.CertAllowedCn) } func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { @@ -160,12 +158,6 @@ func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { Port: task.TargetConfig.Port, User: task.TargetConfig.User, Password: task.TargetConfig.Password, - Security: &security.Security{ - SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), - SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), - SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), - CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, - }, } sourceCfgMap := map[string]*SourceConfig{source1Name: sourceCfg1, source2Name: sourceCfg2} subTaskConfigList, err := OpenAPITaskToSubTaskConfigs(&task, toDBCfg, sourceCfgMap) 
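Review bot: The replacement line asserts `LoaderConfig.Security.SSLCertBytes` and so does the unchanged line directly below it, so the certificate is now checked twice while `SSLCABytes` is never checked; change the new line to `c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCABytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCaContent)`. The two CertAllowedCN assertions are deleted rather than repaired, which drops the only coverage of the allowed-CN list; `c.Assert(subTaskConfig.To.Security.CertAllowedCN, check.DeepEquals, *task.TargetConfig.Security.CertAllowedCn)` (and its LoaderConfig twin) keeps it. testNoShardTaskToSubTaskConfigs starts outside the hunk.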
@@ -306,6 +298,12 @@ func testNoShardSubTaskConfigsToOpenAPITask(c *check.C) { Port: task.TargetConfig.Port, User: task.TargetConfig.User, Password: task.TargetConfig.Password, + Security: &security.Security{ + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, + }, } subTaskConfigList, err := OpenAPITaskToSubTaskConfigs(&task, toDBCfg, sourceCfgMap) c.Assert(err, check.IsNil) @@ -392,6 +390,12 @@ func TestConvertWithIgnoreCheckItems(t *testing.T) { Port: task.TargetConfig.Port, User: task.TargetConfig.User, Password: task.TargetConfig.Password, + Security: &security.Security{ + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, + }, } subTaskConfigList, err := OpenAPITaskToSubTaskConfigs(&task, toDBCfg, sourceCfgMap) require.NoError(t, err) diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 00ae8d094bc..8629a42a4a5 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -31,7 +31,15 @@ var ( "full_migrate_conf": { "data_dir": "./exported_data", "export_threads": 4, - "import_threads": 16 + "import_threads": 16, + "import_mode": "physical", + "pd_addr": "https://127.0.0.1:2379", + "security": { + "ssl_ca_content": "fake_ssl_ca_content_2", + "ssl_cert_content": "fake_ssl_cert_content_2", + "ssl_key_content": "fake_ssl_key_content_2", + "cert_allowed_cn": ["PD1", "PD2"] + } }, "incr_migrate_conf": { "repl_batch": 200, "repl_threads": 32 }, "source_conf": [{ "source_name": "mysql-replica-01" }] 
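Review bot: The six-line `Security: &security.Security{…}` literal added here is repeated verbatim in the `@@ -392,6 +390,12 @@` hunk, and `*task.TargetConfig.Security.CertAllowedCn` dereferences the fixture's pointer with no nil check, so a fixture that omits cert_allowed_cn (or security) would panic the test instead of failing it. A small helper in the test file, e.g. `func toSecurity(s *openapi.Security) *security.Security`, that returns nil for a nil input and copies the four fields would remove both copies and the bare deref. Both test functions start outside their hunks.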
@@ -59,18 +67,6 @@ var ( "user": "root" }, "task_mode": "all", - "task_source_config": { - "full_migrate_conf": { - "import_mode": "physical", - "pd_addr": "https://127.0.0.1:2379", - "security": { - "ssl_ca_content": "fake_ssl_ca_content_2", - "ssl_cert_content": "fake_ssl_cert_content_2", - "ssl_key_content": "fake_ssl_key_content_2", - "cert_allowed_cn": ["PD1", "PD2"] - } - } - }, "strict_optimistic_shard_mode": false } ` From 6a00b34e665c460af90472363817d5827ae9b478 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:36:15 +0800 Subject: [PATCH 11/63] fix test --- dm/tests/{tls/conf => openapi/tls_conf}/ca2.pem | 0 dm/tests/{tls/conf => openapi/tls_conf}/tidb.key | 0 dm/tests/{tls/conf => openapi/tls_conf}/tidb.pem | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename dm/tests/{tls/conf => openapi/tls_conf}/ca2.pem (100%) rename dm/tests/{tls/conf => openapi/tls_conf}/tidb.key (100%) rename dm/tests/{tls/conf => openapi/tls_conf}/tidb.pem (100%) diff --git a/dm/tests/tls/conf/ca2.pem b/dm/tests/openapi/tls_conf/ca2.pem similarity index 100% rename from dm/tests/tls/conf/ca2.pem rename to dm/tests/openapi/tls_conf/ca2.pem diff --git a/dm/tests/tls/conf/tidb.key b/dm/tests/openapi/tls_conf/tidb.key similarity index 100% rename from dm/tests/tls/conf/tidb.key rename to dm/tests/openapi/tls_conf/tidb.key diff --git a/dm/tests/tls/conf/tidb.pem b/dm/tests/openapi/tls_conf/tidb.pem similarity index 100% rename from dm/tests/tls/conf/tidb.pem rename to dm/tests/openapi/tls_conf/tidb.pem From d1c5ea10eb0caf9644e35b18372528a300e044c5 Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 12 Dec 2024 11:44:15 +0800 Subject: [PATCH 12/63] add test --- .../_utils/run_downstream_cluster_with_tls | 166 ++++++++++++++++++ dm/tests/openapi/client/openapi_task_check | 51 ++++++ dm/tests/openapi/run.sh | 38 ++++ dm/tests/openapi/tls_conf/ca2.pem | 14 +- dm/tests/openapi/tls_conf/tidb.key | 6 +- dm/tests/openapi/tls_conf/tidb.pem | 18 +- 6 files changed, 275 insertions(+), 18 deletions(-) create mode 100755 dm/tests/_utils/run_downstream_cluster_with_tls diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls new file mode 100755 index 00000000000..63cfb823d1a --- /dev/null +++ b/dm/tests/_utils/run_downstream_cluster_with_tls 
@@ -0,0 +1,166 @@ +#!/usr/bin/env bash +# tools to run a TiDB cluster +# parameter 1: work directory +set -eux +WORK_DIR=$1 +CONF_DIR=$2 + +export PD_PEER_ADDR_TLS="127.0.0.1:23801" +export PD_ADDR_TLS="127.0.0.1:23791" + +export TIDB_IP_TLS="127.0.0.1" +export TIDB_PORT_TLS="40001" +export TIDB_ADDR_TLS="127.0.0.1:40001" + +export TIDB_STATUS_ADDR_TLS="127.0.0.1:10081" +export TIKV_ADDR_TLS="127.0.0.1:20161" +export TIKV_STATUS_ADDR_TLS="127.0.0.1:20181" + +start_pd() { + echo "Starting PD..." + + cat >"$WORK_DIR/pd-tls.toml" <&1); then + echo "$output" + fi +} + +start_tikv() { + echo "Starting TiKV..." + + cat >"$WORK_DIR/tikv-tls.toml" <"$WORK_DIR/tidb-tls-config.toml" <&1 & + sleep 5 + i=0 + while true; do + response=$(curl -s -o /dev/null -w "%{http_code}" --cacert "$CONF_DIR/ca.pem" \ + --cert "$CONF_DIR/dm.pem" --key "$CONF_DIR/dm.key" "https://$TIDB_IP_TLS:10090/status" || echo "") + echo "curl response: $response" + if [ "$response" -eq 200 ]; then + echo 'Start TiDB success' + break + fi + i=$((i + 1)) + if [ "$i" -gt 50 ]; then + echo 'Failed to start TiDB' + return 1 + fi + echo 'Waiting for TiDB ready...' + sleep 3 + done +} + +start_pd +start_tikv +start_tidb + +echo "Show databases without TLS" +mysql -uroot -h$TIDB_IP_TLS -P$TIDB_PORT_TLS --default-character-set utf8 -E -e "SHOW DATABASES;" +echo "Show database with TLS" +mysql -uroot -h$TIDB_IP_TLS -P$TIDB_PORT_TLS --default-character-set utf8 --ssl-ca $CONF_DIR/ca2.pem \ + --ssl-cert $CONF_DIR/tidb.pem --ssl-key $CONF_DIR/tidb.key -E -e "SHOW DATABASES;" +echo "Show databases with invalid TLS" +if ! output=$(mysql -uroot -h"$TIDB_IP_TLS" -P"$TIDB_PORT_TLS" --default-character-set=utf8 \ + --ssl-ca "$CONF_DIR/ca.pem" --ssl-cert "$CONF_DIR/dm.pem" --ssl-key "$CONF_DIR/dm.key" \ + -E -e "SHOW DATABASES;" 2>&1); then + echo "$output" +fi diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index d3df2411eec..7a5b26ad421 100755 
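Review bot: The closing "Show databases with invalid TLS" check cannot fail the script: `if ! output=$(mysql … ); then echo "$output"; fi` prints the error when the untrusted client certificate is rejected and stays silent when it is accepted, which is the case the check exists to catch. Invert it so acceptance is the failure: `if output=$(mysql … 2>&1); then echo "untrusted client certificate was accepted: $output"; exit 1; fi`. The same print-only shape follows the pd-server start earlier in the file. The heredoc bodies between each `cat >"$WORK_DIR/…toml" <` and `EOF` are missing from this rendering, so the generated PD/TiKV/TiDB TLS settings could not be reviewed here.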
--- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -10,6 +10,7 @@ SOURCE2_NAME = "mysql-02" API_ENDPOINT = "http://127.0.0.1:8361/api/v1/tasks" +API_ENDPOINT_HTTPS = "httpS://127.0.0.1:8361/api/v1/tasks" def create_task_failed(): @@ -147,6 +148,56 @@ def create_noshard_task_success(task_name, tartget_table_name="", task_mode="all print("create_noshard_task_success resp=", resp.json()) assert resp.status_code == 201 +def create_noshard_task_with_security_success( + ssl_ca, ssl_cert, ssl_key, task_name, tartget_table_name="", + pd_ca_content="",pd_cert_content="",pd_key_content="", + tidb_ca_content="",tidb_cert_content="",tidb_key_content="",): + task = { + "name": task_name, + "task_mode": "all", + "meta_schema": "dm-meta", + "enhance_online_schema_change": True, + "on_duplicate": "error", + "target_config": { + "host": "127.0.0.1", + "port": 4000, + "user": "root", + "password": "", + "security":{ + "ssl_ca_content": tidb_ca_content, + "ssl_cert_content": tidb_cert_content, + "ssl_key_content": tidb_key_content, + } + }, + "table_migrate_rule": [ + { + "source": { + "source_name": SOURCE1_NAME, + "schema": "openapi", + "table": "*", + }, + "target": {"schema": "openapi", "table": tartget_table_name}, + }, + { + "source": { + "source_name": SOURCE2_NAME, + "schema": "openapi", + "table": "*", + }, + "target": {"schema": "openapi", "table": tartget_table_name}, + }, + ], + "source_config": { + "source_conf": [ + {"source_name": SOURCE1_NAME}, + {"source_name": SOURCE2_NAME}, + ], + }, + } + resp = requests.post(url=API_ENDPOINT_HTTPS, json={"task": task}, verify=ssl_ca, cert=(ssl_cert, ssl_key)) + print("create_noshard_task_with_security_success resp=", resp.json()) + assert resp.status_code == 201 + def create_incremental_task_with_gtid_success(task_name,binlog_name1,binlog_pos1,binlog_gtid1,binlog_name2,binlog_pos2,binlog_gtid2): task = { "name": task_name, 
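Review bot: `API_ENDPOINT_HTTPS` spells the scheme `httpS://`; requests matches adapters case-insensitively so it happens to work, but it reads as a typo and other HTTP clients would reject it — write `https://`. Both constants point at 127.0.0.1:8361, so whichever scheme the master is not configured for in a given run is a dead endpoint; a comment above the pair stating that the port speaks TLS only when the master is started with the tls_conf TOML would make that explicit.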
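Review bot: `pd_ca_content`, `pd_cert_content` and `pd_key_content` are accepted by create_noshard_task_with_security_success but never placed in the task body, so the source/PD side of the task is created without TLS material despite the function's name; the fixture layout used elsewhere in this series puts them under source_config.full_migrate_conf.security. `print("… resp=", resp.json())` also dumps the created task, which now carries ssl_key_content, into the test log; print the status code or a redacted copy instead. The `tartget_table_name` spelling is copied from the neighbouring helper.
```python
"source_config": {
    "full_migrate_conf": {
        "security": {
            "ssl_ca_content": pd_ca_content,
            "ssl_cert_content": pd_cert_content,
            "ssl_key_content": pd_key_content,
        }
    },
    "source_conf": [
        {"source_name": SOURCE1_NAME},
        {"source_name": SOURCE2_NAME},
    ],
},
# … unchanged: the requests.post call and status assertion …
```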
diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 5ef503ef3dd..bdd228b34cf 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
@@ -1129,6 +1129,42 @@ function test_cluster() { openapi_cluster_check "list_worker_success" 1 } +function test_tls() { + killall tidb-server 2>/dev/null || true + killall tikv-server 2>/dev/null || true + killall pd-server 2>/dev/null || true + run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf + + cleanup_process + + cp $cur/tls_conf/dm-master1.toml $WORK_DIR/ + cp $cur/tls_conf/dm-worker1.toml $WORK_DIR/ + cp $cur/tls_conf/dm-worker2.toml $WORK_DIR/ + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master1.toml + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker1.toml + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker2.toml + + # run dm-master1 + run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $WORK_DIR/dm-master1.toml + check_rpc_alive $cur/../bin/check_master_online 127.0.0.1:$MASTER_PORT1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # run dm-worker1 + run_dm_worker $WORK_DIR/worker1 $WORKER1_PORT $WORK_DIR/dm-worker1.toml + check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER1_PORT "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # run dm-worker2 + run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $WORK_DIR/dm-worker2.toml + check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + + prepare_database + + # create source successfully + openapi_source_check "create_source_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # get source list success + openapi_source_check "list_source_success_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # send request to not leader node + openapi_source_check "list_source_with_reverse_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + +} + function run() { # run dm-master1 run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $cur/conf/dm-master1.toml 
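Review bot: The CA/cert/key triple `"$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"` is spelled out six times in test_tls; `tls_args=("$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key")` once and `"${tls_args[@]}"` at each call site keeps the three files in one place. The `sed -i "s%dir-placeholer%…%g"` lines depend on the tls_conf TOML files containing exactly the token `dir-placeholer` (misspelling included), which is not visible on this page; a comment naming that token would stop a well-meaning spelling fix from breaking the test. The function also never stops the TLS downstream cluster it starts or restores the plain one, so anything run after it inherits that cluster.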
@@ -1143,6 +1179,8 @@ function run() { run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $cur/conf/dm-worker2.toml check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT + test_tls + exit 0 test_relay test_source diff --git a/dm/tests/openapi/tls_conf/ca2.pem b/dm/tests/openapi/tls_conf/ca2.pem index 415657b813c..c2dd8177417 100644 --- a/dm/tests/openapi/tls_conf/ca2.pem +++ b/dm/tests/openapi/tls_conf/ca2.pem @@ -1,9 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBJDCBywIUbGNy8sBYxuHIVsTzXw3j3YBRHnAwCgYIKoZIzj0EAwIwFDESMBAG -A1UEAwwJbG9jYWxob3N0MCAXDTI0MTIwNjAzNDUyN1oYDzIyOTgwOTIxMDM0NTI3 -WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC -AARy/P20i39q2rbtfOKrtLUZdYfP36BW10pWn6W+qRYTNRBXCLmc0Bkh/iU+GMdW -qFtReV/U+Btq/4lFi7aNy9ZIMAoGCCqGSM49BAMCA0gAMEUCIQCTVL7kpiO2FNpw -CaUjRnDfC9bxYke1N9JSz1iaHb9jAAIgcrXrkY/eNJZRLdP2G1nonwIDUV/bAw+1 -SWhEa0Gp+HI= +MIIBSzCB86ADAgECAhRvXotQgOI/cZUyD23tqJAbvb8h0zAKBggqhkjOPQQDAjAU +MRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMjQxMjEyMDM0MjAwWhgPMjI5ODA5Mjcw +MzQyMDBaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABKnTkPmwgnm8Y8WwYS9Q+m6n+eYE8pw8vI+vW287tfIGRqeKK11Ex+bK +IAeVRGIfI58Vf+pMO6kBLq6h5/ZN7RejITAfMB0GA1UdDgQWBBT9HiDDvBaT46x4 +g7Um8Ad/eeoOnjAKBggqhkjOPQQDAgNHADBEAiAkwD/LxJixBVU9WfII95eTESMt +nwYtBLnOG6oWluzEYAIgfqnlg1NrjDUv7O0nWWRBmer18ry/5nNaqgwdVnInXkA= -----END CERTIFICATE----- diff --git a/dm/tests/openapi/tls_conf/tidb.key b/dm/tests/openapi/tls_conf/tidb.key index 63a4df9c3b8..b786648dd4c 100644 --- a/dm/tests/openapi/tls_conf/tidb.key +++ b/dm/tests/openapi/tls_conf/tidb.key 
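Review bot: `exit 0` immediately after `test_tls` terminates run() before test_relay and everything below it, so this commit reduces the openapi suite to the TLS test alone; it looks like a debugging leftover and should go, with `test_tls` placed wherever it belongs in the sequence. run() continues outside the hunk. The ca2.pem, tidb.key and tidb.pem hunks that follow are regenerated fixtures, and the removed tidb.pem/tidb.key lines are the same bytes the certContent2/keyContent2 constants in the Go test hunk at the top of this chunk embed, so the Go constants no longer match the files.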
@@ -2,7 +2,7 @@ BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIMdUrYsjfC9TNSMKAcGWYB9hmKKzyxuxMfRwDGkc03PzoAoGCCqGSM49 -AwEHoUQDQgAE5az3n+AgNQbXXo2gFmEAGfq5ZtIi8O9rebCwefD08Z69JvbdD23W -SXvLV1CkylOVJD/fUU4iAK6X9FMxit73kA== +MHcCAQEEIO+b7zavB7M2zKrDA7kwyfIkDSBEgmqPUa4gLfM6n7r2oAoGCCqGSM49 +AwEHoUQDQgAE8+zVq/r8ggSjn3BsiPhyL839C38F6K9K4VuRtc0VdhRoX3sHO6rX +O0eDBhAu9iaX5wJ89/BzYu/HzHpX3KobmQ== -----END EC PRIVATE KEY----- diff --git a/dm/tests/openapi/tls_conf/tidb.pem b/dm/tests/openapi/tls_conf/tidb.pem index 7480fa59d4b..bd58d22367a 100644 --- a/dm/tests/openapi/tls_conf/tidb.pem +++ b/dm/tests/openapi/tls_conf/tidb.pem @@ -1,10 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBcDCCARWgAwIBAgIUNC83r8QT87G4uCeW2wUMzaDbCvAwCgYIKoZIzj0EAwIw -FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTIwNjAzNDgxMloXDTM0MTIwNDAz -NDgxMlowDzENMAsGA1UEAwwEdGlkYjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BOWs95/gIDUG116NoBZhABn6uWbSIvDva3mwsHnw9PGevSb23Q9t1kl7y1dQpMpT -lSQ/31FOIgCul/RTMYre95CjSjBIMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA -ATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAoG -CCqGSM49BAMCA0kAMEYCIQDDPgmo3olaw1D/7YW3463jvuSBd4w2Z3Ai/BHgZB7d -BAIhALKIhAqB1ffI5XdSdfnznqfwX6FY9c9POlJNfkghB07e +MIIBszCCAVmgAwIBAgIUWYL5MSc/MzhfACjANiFT0AT4oy0wCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI0MTIxMjAzNDIwMFoYDzIyOTgwOTI3 +MDM0MjAwWjAPMQ0wCwYDVQQDDAR0aWRiMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAE8+zVq/r8ggSjn3BsiPhyL839C38F6K9K4VuRtc0VdhRoX3sHO6rXO0eDBhAu +9iaX5wJ89/BzYu/HzHpX3KobmaOBizCBiDAaBgNVHREEEzARgglsb2NhbGhvc3SH +BH8AAAEwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATAdBgNVHQ4EFgQU/hd5+WMt/HjDPUlyiM5aCqNIVgswHwYDVR0jBBgwFoAU/R4g +w7wWk+OseIO1JvAHf3nqDp4wCgYIKoZIzj0EAwIDSAAwRQIhAN13uJHUDiwa1h+C +RnkTjHV7FPskvO9S5wTKktH5bDWpAiA7polT4bUmUtsYuBIGlbQHE6KMPXIg/8/w +x51MG8OvCw== -----END CERTIFICATE----- From dcdac1ecfaffa70271a40da89d414c9f28ee36bf Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 12 Dec 2024 12:01:35 +0800 Subject: [PATCH 13/63] fix certificates --- dm/tests/openapi/tls_conf/ca2.pem | 14 +++++++------- dm/tests/openapi/tls_conf/tidb.key | 6 +++--- dm/tests/openapi/tls_conf/tidb.pem | 18 ++++++++---------- 3 files changed, 18 insertions(+), 20 deletions(-) diff --git a/dm/tests/openapi/tls_conf/ca2.pem b/dm/tests/openapi/tls_conf/ca2.pem index c2dd8177417..415657b813c 100644 --- a/dm/tests/openapi/tls_conf/ca2.pem +++ b/dm/tests/openapi/tls_conf/ca2.pem @@ -1,9 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBSzCB86ADAgECAhRvXotQgOI/cZUyD23tqJAbvb8h0zAKBggqhkjOPQQDAjAU -MRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMjQxMjEyMDM0MjAwWhgPMjI5ODA5Mjcw -MzQyMDBaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49 -AwEHA0IABKnTkPmwgnm8Y8WwYS9Q+m6n+eYE8pw8vI+vW287tfIGRqeKK11Ex+bK -IAeVRGIfI58Vf+pMO6kBLq6h5/ZN7RejITAfMB0GA1UdDgQWBBT9HiDDvBaT46x4 -g7Um8Ad/eeoOnjAKBggqhkjOPQQDAgNHADBEAiAkwD/LxJixBVU9WfII95eTESMt -nwYtBLnOG6oWluzEYAIgfqnlg1NrjDUv7O0nWWRBmer18ry/5nNaqgwdVnInXkA= +MIIBJDCBywIUbGNy8sBYxuHIVsTzXw3j3YBRHnAwCgYIKoZIzj0EAwIwFDESMBAG +A1UEAwwJbG9jYWxob3N0MCAXDTI0MTIwNjAzNDUyN1oYDzIyOTgwOTIxMDM0NTI3 +WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AARy/P20i39q2rbtfOKrtLUZdYfP36BW10pWn6W+qRYTNRBXCLmc0Bkh/iU+GMdW +qFtReV/U+Btq/4lFi7aNy9ZIMAoGCCqGSM49BAMCA0gAMEUCIQCTVL7kpiO2FNpw +CaUjRnDfC9bxYke1N9JSz1iaHb9jAAIgcrXrkY/eNJZRLdP2G1nonwIDUV/bAw+1 +SWhEa0Gp+HI= -----END CERTIFICATE----- diff --git a/dm/tests/openapi/tls_conf/tidb.key b/dm/tests/openapi/tls_conf/tidb.key index b786648dd4c..63a4df9c3b8 100644 --- a/dm/tests/openapi/tls_conf/tidb.key +++ b/dm/tests/openapi/tls_conf/tidb.key 
@@ -2,7 +2,7 @@ BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIO+b7zavB7M2zKrDA7kwyfIkDSBEgmqPUa4gLfM6n7r2oAoGCCqGSM49 -AwEHoUQDQgAE8+zVq/r8ggSjn3BsiPhyL839C38F6K9K4VuRtc0VdhRoX3sHO6rX -O0eDBhAu9iaX5wJ89/BzYu/HzHpX3KobmQ== +MHcCAQEEIMdUrYsjfC9TNSMKAcGWYB9hmKKzyxuxMfRwDGkc03PzoAoGCCqGSM49 +AwEHoUQDQgAE5az3n+AgNQbXXo2gFmEAGfq5ZtIi8O9rebCwefD08Z69JvbdD23W +SXvLV1CkylOVJD/fUU4iAK6X9FMxit73kA== -----END EC PRIVATE KEY----- diff --git a/dm/tests/openapi/tls_conf/tidb.pem b/dm/tests/openapi/tls_conf/tidb.pem index bd58d22367a..7480fa59d4b 100644 --- a/dm/tests/openapi/tls_conf/tidb.pem +++ b/dm/tests/openapi/tls_conf/tidb.pem @@ -1,12 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBszCCAVmgAwIBAgIUWYL5MSc/MzhfACjANiFT0AT4oy0wCgYIKoZIzj0EAwIw -FDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI0MTIxMjAzNDIwMFoYDzIyOTgwOTI3 -MDM0MjAwWjAPMQ0wCwYDVQQDDAR0aWRiMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD -QgAE8+zVq/r8ggSjn3BsiPhyL839C38F6K9K4VuRtc0VdhRoX3sHO6rXO0eDBhAu -9iaX5wJ89/BzYu/HzHpX3KobmaOBizCBiDAaBgNVHREEEzARgglsb2NhbGhvc3SH -BH8AAAEwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATAdBgNVHQ4EFgQU/hd5+WMt/HjDPUlyiM5aCqNIVgswHwYDVR0jBBgwFoAU/R4g -w7wWk+OseIO1JvAHf3nqDp4wCgYIKoZIzj0EAwIDSAAwRQIhAN13uJHUDiwa1h+C -RnkTjHV7FPskvO9S5wTKktH5bDWpAiA7polT4bUmUtsYuBIGlbQHE6KMPXIg/8/w -x51MG8OvCw== +MIIBcDCCARWgAwIBAgIUNC83r8QT87G4uCeW2wUMzaDbCvAwCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTIwNjAzNDgxMloXDTM0MTIwNDAz +NDgxMlowDzENMAsGA1UEAwwEdGlkYjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BOWs95/gIDUG116NoBZhABn6uWbSIvDva3mwsHnw9PGevSb23Q9t1kl7y1dQpMpT +lSQ/31FOIgCul/RTMYre95CjSjBIMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAoG +CCqGSM49BAMCA0kAMEYCIQDDPgmo3olaw1D/7YW3463jvuSBd4w2Z3Ai/BHgZB7d +BAIhALKIhAqB1ffI5XdSdfnznqfwX6FY9c9POlJNfkghB07e -----END CERTIFICATE----- From bf1992d39a169dd9ddac942faf5b5d4ca21f7050 Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 12 Dec 2024 15:50:21 +0800 Subject: [PATCH 14/63] add test --- .../_utils/run_downstream_cluster_with_tls | 3 ++ dm/tests/openapi/run.sh | 50 ++++--------------- dm/tests/openapi/tls_conf/ca2.pem | 15 +++--- dm/tests/openapi/tls_conf/tidb.key | 6 +-- dm/tests/openapi/tls_conf/tidb.pem | 18 ++++--- 5 files changed, 34 insertions(+), 58 deletions(-) diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls index 63cfb823d1a..51a8059ed61 100755 --- a/dm/tests/_utils/run_downstream_cluster_with_tls +++ b/dm/tests/_utils/run_downstream_cluster_with_tls @@ -27,6 +27,7 @@ max-replicas = 1 cacert-path = "$CONF_DIR/ca.pem" cert-path = "$CONF_DIR/dm.pem" key-path = "$CONF_DIR/dm.key" +cert-verify-cn = ["TiDB", "dm"] EOF bin/pd-server --version @@ -70,6 +71,7 @@ start_tikv() { ca-path = "$CONF_DIR/ca.pem" cert-path = "$CONF_DIR/dm.pem" key-path = "$CONF_DIR/dm.key" +cert-verify-cn = ["TiDB", "dm"] EOF mkdir -p "$WORK_DIR/tikv-tls" bin/tikv-server --version @@ -121,6 +123,7 @@ ssl-key = "$CONF_DIR/tidb.key" cluster-ssl-ca = "$CONF_DIR/ca.pem" cluster-ssl-cert = "$CONF_DIR/dm.pem" cluster-ssl-key = "$CONF_DIR/dm.key" +cluster-verify-cn = ["TiDB", "dm"] EOF mkdir -p "$WORK_DIR/tidb-tls" bin/tidb-server \ diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index bdd228b34cf..150804abc26 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -1053,8 +1053,8 @@ function test_stop_task_with_condition() { echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: START TASK WITH CONDITION SUCCESS" } -function test_reverse_https() { - echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>START TEST OPENAPI: REVERSE HTTPS" +function test_reverse_https_and_tls() { + echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>START TEST OPENAPI: REVERSE HTTPS AND TLS" cleanup_data openapi cleanup_process 
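Review bot: `cert-verify-cn = ["TiDB", "dm"]` is now hard-coded in the three generated configs (PD at `@@ -27`, TiKV at `@@ -70`, TiDB's cluster-verify-cn at `@@ -121`), so the allowlist can drift between components; define it once next to the exported addresses, `CERT_VERIFY_CN='["TiDB", "dm"]'`, and expand it in each heredoc. Pinning CNs is the right hardening — a certificate from the same CA with a different subject is refused — but it only works if the list contains the subject CN of `$CONF_DIR/dm.pem`, which is not on this page, and the tidb.pem fixture's subject CN appears to decode to lowercase `tidb`, which is not listed; confirm the intended CNs and add a comment above the first occurrence naming which certificate each entry corresponds to. start_pd, start_tikv and start_tidb all begin outside their hunks.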
@@ -1093,6 +1093,12 @@ function test_reverse_https() { cleanup_data openapi cleanup_process + killall -9 tidb-server 2>/dev/null || true + killall -9 tikv-server 2>/dev/null || true + killall -9 pd-server 2>/dev/null || true + run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf + + # run dm-master1 run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $cur/conf/dm-master1.toml check_rpc_alive $cur/../bin/check_master_online 127.0.0.1:$MASTER_PORT1 @@ -1106,7 +1112,7 @@ function test_reverse_https() { run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $cur/conf/dm-worker2.toml check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT - echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: REVERSE HTTPS" + echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: REVERSE HTTPS AND TLS" } function test_cluster() { 
@@ -1129,42 +1135,6 @@ function test_cluster() { openapi_cluster_check "list_worker_success" 1 } -function test_tls() { - killall tidb-server 2>/dev/null || true - killall tikv-server 2>/dev/null || true - killall pd-server 2>/dev/null || true - run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf - - cleanup_process - - cp $cur/tls_conf/dm-master1.toml $WORK_DIR/ - cp $cur/tls_conf/dm-worker1.toml $WORK_DIR/ - cp $cur/tls_conf/dm-worker2.toml $WORK_DIR/ - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master1.toml - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker1.toml - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker2.toml - - # run dm-master1 - run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $WORK_DIR/dm-master1.toml - check_rpc_alive $cur/../bin/check_master_online 127.0.0.1:$MASTER_PORT1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # run dm-worker1 - run_dm_worker $WORK_DIR/worker1 $WORKER1_PORT $WORK_DIR/dm-worker1.toml - check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER1_PORT "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # run dm-worker2 - run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $WORK_DIR/dm-worker2.toml - check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - - prepare_database - - # create source successfully - openapi_source_check "create_source_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # get source list success - openapi_source_check "list_source_success_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # send request to not leader node - openapi_source_check "list_source_with_reverse_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - -} - function run() { # run dm-master1 run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $cur/conf/dm-master1.toml 
@@ -1179,7 +1149,7 @@ function run() { run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $cur/conf/dm-worker2.toml check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT - test_tls + test_reverse_https exit 0 test_relay test_source diff --git a/dm/tests/openapi/tls_conf/ca2.pem b/dm/tests/openapi/tls_conf/ca2.pem index 415657b813c..bd1ad59f121 100644 --- a/dm/tests/openapi/tls_conf/ca2.pem +++ b/dm/tests/openapi/tls_conf/ca2.pem @@ -1,9 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBJDCBywIUbGNy8sBYxuHIVsTzXw3j3YBRHnAwCgYIKoZIzj0EAwIwFDESMBAG -A1UEAwwJbG9jYWxob3N0MCAXDTI0MTIwNjAzNDUyN1oYDzIyOTgwOTIxMDM0NTI3 -WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC -AARy/P20i39q2rbtfOKrtLUZdYfP36BW10pWn6W+qRYTNRBXCLmc0Bkh/iU+GMdW -qFtReV/U+Btq/4lFi7aNy9ZIMAoGCCqGSM49BAMCA0gAMEUCIQCTVL7kpiO2FNpw -CaUjRnDfC9bxYke1N9JSz1iaHb9jAAIgcrXrkY/eNJZRLdP2G1nonwIDUV/bAw+1 -SWhEa0Gp+HI= +MIIBdzCCAR6gAwIBAgIUFlKn4vgSaM5PPi5fdfHZjNsPvt0wCgYIKoZIzj0EAwIw +HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP +MjI5ODA5MjcwNjMwMjZaMBwxGjAYBgNVBAMMEVRpREIgU2Vjb25kYXJ5IENBMFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJoSquED75L7UgmezyHBUJlv7sGvHfeuR +RnU0SJVYZzftIAfzL6kwF1LGaezaY9aL/cCiULWMDddo1bLzNjB4vqM8MDowDAYD +VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFFLJmpVHrylfdqLu6lpR +ZOJgderfMAoGCCqGSM49BAMCA0cAMEQCIF2mBuhLfo42ynjoy0Fhz3Qch8huQrkx +mGKxdkBuS+rPAiAglztWHSmUCtqEMdTuds2ETsVVichpxdFh/aXiCb/BeQ== -----END CERTIFICATE----- diff --git a/dm/tests/openapi/tls_conf/tidb.key b/dm/tests/openapi/tls_conf/tidb.key index 63a4df9c3b8..b63b20db793 100644 --- a/dm/tests/openapi/tls_conf/tidb.key +++ b/dm/tests/openapi/tls_conf/tidb.key 
@@ -2,7 +2,7 @@ BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIMdUrYsjfC9TNSMKAcGWYB9hmKKzyxuxMfRwDGkc03PzoAoGCCqGSM49 -AwEHoUQDQgAE5az3n+AgNQbXXo2gFmEAGfq5ZtIi8O9rebCwefD08Z69JvbdD23W -SXvLV1CkylOVJD/fUU4iAK6X9FMxit73kA== +MHcCAQEEIB+YLzteL9sk+PZPEFf7sw+hhehG2bRV5TUV4NJgVsWXoAoGCCqGSM49 +AwEHoUQDQgAELO1031XONFkiJPFm7Kbb974443lSM8eGEZzVUUWK/WAZ3p03W5o/ +jeFgesLPuKqcV+9p7bG7McVKDsC42OFg4w== -----END EC PRIVATE KEY----- diff --git a/dm/tests/openapi/tls_conf/tidb.pem b/dm/tests/openapi/tls_conf/tidb.pem index 7480fa59d4b..e59a9eae172 100644 --- a/dm/tests/openapi/tls_conf/tidb.pem +++ b/dm/tests/openapi/tls_conf/tidb.pem @@ -1,10 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBcDCCARWgAwIBAgIUNC83r8QT87G4uCeW2wUMzaDbCvAwCgYIKoZIzj0EAwIw -FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTIwNjAzNDgxMloXDTM0MTIwNDAz -NDgxMlowDzENMAsGA1UEAwwEdGlkYjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BOWs95/gIDUG116NoBZhABn6uWbSIvDva3mwsHnw9PGevSb23Q9t1kl7y1dQpMpT -lSQ/31FOIgCul/RTMYre95CjSjBIMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA -ATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAoG -CCqGSM49BAMCA0kAMEYCIQDDPgmo3olaw1D/7YW3463jvuSBd4w2Z3Ai/BHgZB7d -BAIhALKIhAqB1ffI5XdSdfnznqfwX6FY9c9POlJNfkghB07e +MIIBxjCCAWygAwIBAgIUJGaNzv0WzN4CfSj7LaNQN8arHvMwCgYIKoZIzj0EAwIw +HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP +MjI5ODA5MjcwNjMwMjZaMA8xDTALBgNVBAMMBFRpREIwWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAAQs7XTfVc40WSIk8Wbsptv3vjjjeVIzx4YRnNVRRYr9YBnenTdb +mj+N4WB6ws+4qpxX72ntsbsxxUoOwLjY4WDjo4GWMIGTMBoGA1UdEQQTMBGCCWxv +Y2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG +CCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLK+e+wKHWmmXPiHjMApdKwf +KhcpMB8GA1UdIwQYMBaAFFLJmpVHrylfdqLu6lpRZOJgderfMAoGCCqGSM49BAMC +A0gAMEUCIC2xVpVTSqMMl38Lu7wTfX8iv/5hcjKoH8v69cZGsyDKAiEA6NIpjV7D +lBnFi5oiKpdJIWD53D2A/yFrI6VEDprblyw= -----END CERTIFICATE----- From 47b2015b86e71b9c69694079c3ffdcecf1a8bd0f Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 12 Dec 2024 18:06:50 +0800 Subject: [PATCH 15/63] add test --- .../_utils/run_downstream_cluster_with_tls | 14 ++-- dm/tests/openapi/client/openapi_task_check | 70 +++++++++++++++---- dm/tests/openapi/run.sh | 25 ++++--- 3 files changed, 77 insertions(+), 32 deletions(-) diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls index 51a8059ed61..89332db449a 100755 --- a/dm/tests/_utils/run_downstream_cluster_with_tls +++ b/dm/tests/_utils/run_downstream_cluster_with_tls @@ -5,16 +5,16 @@ set -eux WORK_DIR=$1 CONF_DIR=$2 -export PD_PEER_ADDR_TLS="127.0.0.1:23801" -export PD_ADDR_TLS="127.0.0.1:23791" +export PD_PEER_ADDR_TLS="127.0.0.1:2380" +export PD_ADDR_TLS="127.0.0.1:2379" export TIDB_IP_TLS="127.0.0.1" -export TIDB_PORT_TLS="40001" -export TIDB_ADDR_TLS="127.0.0.1:40001" +export TIDB_PORT_TLS="4000" +export TIDB_ADDR_TLS="127.0.0.1:4000" -export TIDB_STATUS_ADDR_TLS="127.0.0.1:10081" -export TIKV_ADDR_TLS="127.0.0.1:20161" -export TIKV_STATUS_ADDR_TLS="127.0.0.1:20181" +export TIDB_STATUS_ADDR_TLS="127.0.0.1:10080" +export TIKV_ADDR_TLS="127.0.0.1:2016" +export TIKV_STATUS_ADDR_TLS="127.0.0.1:2018" start_pd() { echo "Starting PD..." diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index 7a5b26ad421..42bfc579998 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -2,6 +2,7 @@ # -*- coding: utf-8 -*- import sys import requests +import time SHARD_TASK_NAME = "test-shard" ILLEGAL_CHAR_TASK_NAME = "t-Ë!s`t" 
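Review bot: `TIKV_ADDR_TLS="127.0.0.1:2016"` and `TIKV_STATUS_ADDR_TLS="127.0.0.1:2018"` look like a dropped trailing digit: every other export in this hunk moves to the component's default port (2379/2380, 4000, 10080) and TiKV's defaults are 20160 and 20180, so these probably should be `export TIKV_ADDR_TLS="127.0.0.1:20160"` and `export TIKV_STATUS_ADDR_TLS="127.0.0.1:20180"`. Moving the TLS cluster onto the default ports also means it can only start once the plain cluster using them is gone; the script does not check that the ports are free, so a leftover process surfaces as an opaque PD/TiKV start failure rather than a port-conflict message. If sharing the defaults is intentional, a comment noting that callers must stop the non-TLS cluster first (as run.sh now does with `killall -9`) would make that contract explicit.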
@@ -148,10 +149,11 @@ def create_noshard_task_success(task_name, tartget_table_name="", task_mode="all print("create_noshard_task_success resp=", resp.json()) assert resp.status_code == 201 -def create_noshard_task_with_security_success( - ssl_ca, ssl_cert, ssl_key, task_name, tartget_table_name="", - pd_ca_content="",pd_cert_content="",pd_key_content="", - tidb_ca_content="",tidb_cert_content="",tidb_key_content="",): +def create_noshard_task_success_https( + task_name, ssl_ca, ssl_cert, ssl_key, + tidb_ca_content="",tidb_cert_content="",tidb_key_content="", + cluster_ca_content="",cluster_cert_content="",cluster_key_content=""): + task = { "name": task_name, "task_mode": "all", @@ -167,6 +169,7 @@ def create_noshard_task_with_security_success( "ssl_ca_content": tidb_ca_content, "ssl_cert_content": tidb_cert_content, "ssl_key_content": tidb_key_content, + "cert_allowed_cn": ["TiDB"], } }, "table_migrate_rule": [ 
@@ -176,26 +179,29 @@ def create_noshard_task_with_security_success( "schema": "openapi", "table": "*", }, - "target": {"schema": "openapi", "table": tartget_table_name}, - }, - { - "source": { - "source_name": SOURCE2_NAME, - "schema": "openapi", - "table": "*", - }, - "target": {"schema": "openapi", "table": tartget_table_name}, + "target": {"schema": "openapi", "table": ""}, }, ], "source_config": { "source_conf": [ {"source_name": SOURCE1_NAME}, - {"source_name": SOURCE2_NAME}, ], }, + "task_source_config": { + "full_migrate_conf": { + "import_mode": "physical", + "pd_addr": "https://127.0.0.1:2379", + "security": { + "ssl_ca_content": cluster_ca_content, + "ssl_cert_content": cluster_cert_content, + "ssl_key_content": cluster_key_content, + "cert_allowed_cn": ["dm"], + } + } + }, } resp = requests.post(url=API_ENDPOINT_HTTPS, json={"task": task}, verify=ssl_ca, cert=(ssl_cert, ssl_key)) - print("create_noshard_task_with_security_success resp=", resp.json()) + print("create_noshard_task_success_https resp=", resp.json()) assert resp.status_code == 201 def create_incremental_task_with_gtid_success(task_name,binlog_name1,binlog_pos1,binlog_gtid1,binlog_name2,binlog_pos2,binlog_gtid2): @@ -369,6 +375,15 @@ def start_task_success(task_name, source_name): print("start_task_failed resp=", resp.json()) assert resp.status_code == 200 +def start_task_success_https(task_name, ssl_ca, ssl_cert, ssl_key): + url = API_ENDPOINT_HTTPS + "/" + task_name + "/start" + resp = requests.post(url=url,verify=ssl_ca, cert=(ssl_cert, ssl_key)) + if resp.status_code != 200: + print("start_task_success_https resp=", resp.json()) + else: + print("start_task_success_https_success=") + assert resp.status_code == 200 + def start_task_failed(task_name, source_name, check_result): url = API_ENDPOINT + "/" + task_name + "/start" req = {} 
@@ -464,6 +479,27 @@ def get_task_status_success(task_name, total): print("get_task_status_success resp=", data) assert data["total"] == int(total) +def get_task_status_success_https(task_name, total, ssl_ca, ssl_cert, ssl_key): + url = API_ENDPOINT_HTTPS + "/" + task_name + "/status" + resp = requests.get(url=url,verify=ssl_ca, cert=(ssl_cert, ssl_key)) + data = resp.json() + assert resp.status_code == 200 + print("get_task_status_success resp=", data) + assert data["total"] == int(total) + +def get_task_status_with_retry(task_name, ssl_ca, ssl_cert, ssl_key, expected_unit, expected_stage, retries=50): + url = API_ENDPOINT_HTTPS + "/" + task_name + "/status" + for _ in range(int(retries)): + resp = requests.get(url=url,verify=ssl_ca, cert=(ssl_cert, ssl_key)) + data = resp.json() + assert resp.status_code == 200 + print("get_task_status_with_retry resp=", data) + for item in data.get("data", []): + if item.get("stage") == expected_unit and item.get("stage") == expected_stage: + return + time.sleep(2) + assert False + def check_sync_task_status_success( task_name, min_dump_io_total_bytes=2000, @@ -891,6 +927,10 @@ if __name__ == "__main__": "check_sync_task_status_success": check_sync_task_status_success, "check_load_task_finished_status_success": check_load_task_finished_status_success, "check_dump_task_finished_status_success": check_dump_task_finished_status_success, + "create_noshard_task_success_https": create_noshard_task_success_https, + "start_task_success_https": start_task_success_https, + "get_task_status_success_https" : get_task_status_success_https, + "get_task_status_with_retry":get_task_status_with_retry, } func = FUNC_MAP[sys.argv[1]] diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 150804abc26..824ebcbc02e 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
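Review bot: `get_task_status_success_https` and `get_task_status_with_retry` call `resp.json()` before asserting the status code, so a non-JSON error body (a 502 from a proxy, or an HTML error page) fails with a JSONDecodeError instead of the status the assertion was meant to report; move `assert resp.status_code == 200` above `data = resp.json()` in both. The bare `assert False` after the retry loop carries no diagnostic; `assert False, "task %s did not reach %s/%s after %d polls, last status: %s" % (task_name, expected_unit, expected_stage, int(retries), data)` keeps the last observation in the failure output. The signature of `check_sync_task_status_success` at the end of the hunk belongs to a function that continues outside it.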
@@ -1062,10 +1062,10 @@ function test_reverse_https_and_tls() { cp $cur/tls_conf/dm-master2.toml $WORK_DIR/ cp $cur/tls_conf/dm-worker1.toml $WORK_DIR/ cp $cur/tls_conf/dm-worker2.toml $WORK_DIR/ - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master1.toml - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master2.toml - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker1.toml - sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker2.toml + sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master1.toml + sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master2.toml + sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker1.toml + sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker2.toml # run dm-master1 run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $WORK_DIR/dm-master1.toml @@ -1081,6 +1081,7 @@ function test_reverse_https_and_tls() { check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" prepare_database + init_noshard_data # create source successfully openapi_source_check "create_source_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" 
@@ -1090,14 +1091,20 @@ function test_reverse_https_and_tls() { # send request to not leader node openapi_source_check "list_source_with_reverse_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - cleanup_data openapi - cleanup_process - + echo "kill all tidb process and start downstream TiDB cluster with TLS" killall -9 tidb-server 2>/dev/null || true killall -9 tikv-server 2>/dev/null || true killall -9 pd-server 2>/dev/null || true run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf + task_name="task-tls" + openapi_task_check "create_noshard_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" + openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_success_https" $task_name 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 + cleanup_process # run dm-master1 run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $cur/conf/dm-master1.toml @@ -1149,8 +1156,6 @@ function run() { run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $cur/conf/dm-worker2.toml check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT - test_reverse_https - exit 0 test_relay test_source @@ -1165,7 +1170,7 @@ function run() { test_delete_task_with_stopped_downstream test_start_task_with_condition test_stop_task_with_condition - test_reverse_https + test_reverse_https_and_tls test_full_mode_task # NOTE: this test case MUST running at last, because it will offline some members of cluster 
From 64de0cfbef72b59f4e7254d5f39cded7dde251e1 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 12 Dec 2024 18:13:24 +0800 Subject: [PATCH 16/63] fix test --- dm/tests/openapi/client/openapi_task_check | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index 42bfc579998..ab4caa48ef7 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -495,7 +495,7 @@ def get_task_status_with_retry(task_name, ssl_ca, ssl_cert, ssl_key, expected_un assert resp.status_code == 200 print("get_task_status_with_retry resp=", data) for item in data.get("data", []): - if item.get("stage") == expected_unit and item.get("stage") == expected_stage: + if item.get("unit") == expected_unit and item.get("stage") == expected_stage: return time.sleep(2) assert False From 5df23078710efcbe45407067e9ad77d6d10e72bd Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 13 Dec 2024 00:42:27 +0800 Subject: [PATCH 17/63] fix test --- dm/tests/openapi/client/openapi_source_check | 24 +++++- dm/tests/openapi/client/openapi_task_check | 79 +++++++++++++++++--- dm/tests/openapi/run.sh | 67 +++++++++++++++-- 3 files changed, 150 insertions(+), 20 deletions(-) diff --git a/dm/tests/openapi/client/openapi_source_check b/dm/tests/openapi/client/openapi_source_check index aeff6762da2..cd5778977cc 100755 --- a/dm/tests/openapi/client/openapi_source_check +++ b/dm/tests/openapi/client/openapi_source_check @@ -58,7 +58,7 @@ def create_source2_success(): print("create_source1_success resp=", resp.json()) assert resp.status_code == 201 -def create_source_success_https(ssl_ca, ssl_cert, ssl_key): +def create_source1_success_https(ssl_ca, ssl_cert, ssl_key): req = { "source": { "case_sensitive": False, 
@@ -72,9 +72,26 @@ def create_source_success_https(ssl_ca, ssl_cert, ssl_key): } } resp = requests.post(url=API_ENDPOINT_HTTPS, json=req, verify=ssl_ca, cert=(ssl_cert, ssl_key)) - print("create_source_success_https resp=", resp.json()) + print("create_source1_success_https resp=", resp.json()) assert resp.status_code == 201 +def create_source2_success_https(ssl_ca, ssl_cert, ssl_key): + req = { + "source": { + "case_sensitive": False, + "enable": True, + "enable_gtid": False, + "host": "127.0.0.1", + "password": "123456", + "port": 3307, + "source_name": SOURCE2_NAME, + "user": "root", + } + } + resp = requests.post(url=API_ENDPOINT_HTTPS, json=req, verify=ssl_ca, cert=(ssl_cert, ssl_key)) + print("create_source2_success_https resp=", resp.json()) + assert resp.status_code == 201 + def update_source1_without_password_success(): req = { "source": { @@ -269,7 +286,8 @@ if __name__ == "__main__": "create_source_failed": create_source_failed, "create_source1_success": create_source1_success, "create_source2_success": create_source2_success, - "create_source_success_https": create_source_success_https, + "create_source1_success_https": create_source1_success_https, + "create_source2_success_https":create_source2_success_https, "update_source1_without_password_success": update_source1_without_password_success, "list_source_success": list_source_success, "list_source_success_https": list_source_success_https, diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index ab4caa48ef7..1c7219cafd8 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check 
@@ -149,11 +149,73 @@ def create_noshard_task_success(task_name, tartget_table_name="", task_mode="all print("create_noshard_task_success resp=", resp.json()) assert resp.status_code == 201 -def create_noshard_task_success_https( +def create_task_success_https( + task_name, target_table, ssl_ca, ssl_cert, ssl_key, + tidb_ca_content="",tidb_cert_content="",tidb_key_content="", + cluster_ca_content="",cluster_cert_content="",cluster_key_content=""): + task = { + "name": task_name, + "task_mode": "all", + "meta_schema": "dm-meta", + "enhance_online_schema_change": True, + "on_duplicate": "error", + "target_config": { + "host": "127.0.0.1", + "port": 4000, + "user": "root", + "password": "", + "security":{ + "ssl_ca_content": tidb_ca_content, + "ssl_cert_content": tidb_cert_content, + "ssl_key_content": tidb_key_content, + "cert_allowed_cn": ["TiDB"], + } + }, + "table_migrate_rule": [ + { + "source": { + "source_name": SOURCE1_NAME, + "schema": "openapi", + "table": "*", + }, + "target": {"schema": "openapi", "table": target_table}, + }, + { + "source": { + "source_name": SOURCE2_NAME, + "schema": "openapi", + "table": "*", + }, + "target": {"schema": "openapi", "table": target_table}, + }, + ], + "source_config": { + "source_conf": [ + {"source_name": SOURCE1_NAME}, + {"source_name": SOURCE2_NAME}, + ], + }, + "task_source_config": { + "full_migrate_conf": { + "import_mode": "physical", + "pd_addr": "https://127.0.0.1:2379", + "security": { + "ssl_ca_content": cluster_ca_content, + "ssl_cert_content": cluster_cert_content, + "ssl_key_content": cluster_key_content, + "cert_allowed_cn": ["dm"], + } + } + }, + } + resp = requests.post(url=API_ENDPOINT_HTTPS, json={"task": task}, verify=ssl_ca, cert=(ssl_cert, ssl_key)) + print("create_task_success_https resp=", resp.json()) + assert resp.status_code == 201 + +def create_noshard_task_failed_https( task_name, ssl_ca, ssl_cert, ssl_key, tidb_ca_content="",tidb_cert_content="",tidb_key_content="", - 
cluster_ca_content="",cluster_cert_content="",cluster_key_content=""): - + cluster_ca_content="",cluster_cert_content="",cluster_key_content=""): task = { "name": task_name, "task_mode": "all", @@ -201,8 +263,8 @@ def create_noshard_task_success_https( }, } resp = requests.post(url=API_ENDPOINT_HTTPS, json={"task": task}, verify=ssl_ca, cert=(ssl_cert, ssl_key)) - print("create_noshard_task_success_https resp=", resp.json()) - assert resp.status_code == 201 + print("create_noshard_task_failed_https resp=", resp.json()) + assert resp.status_code == 400 def create_incremental_task_with_gtid_success(task_name,binlog_name1,binlog_pos1,binlog_gtid1,binlog_name2,binlog_pos2,binlog_gtid2): task = { @@ -380,8 +442,6 @@ def start_task_success_https(task_name, ssl_ca, ssl_cert, ssl_key): resp = requests.post(url=url,verify=ssl_ca, cert=(ssl_cert, ssl_key)) if resp.status_code != 200: print("start_task_success_https resp=", resp.json()) - else: - print("start_task_success_https_success=") assert resp.status_code == 200 def start_task_failed(task_name, source_name, check_result): @@ -484,7 +544,7 @@ def get_task_status_success_https(task_name, total, ssl_ca, ssl_cert, ssl_key): resp = requests.get(url=url,verify=ssl_ca, cert=(ssl_cert, ssl_key)) data = resp.json() assert resp.status_code == 200 - print("get_task_status_success resp=", data) + print("get_task_status_success_https resp=", data) assert data["total"] == int(total) def get_task_status_with_retry(task_name, ssl_ca, ssl_cert, ssl_key, expected_unit, expected_stage, retries=50): 
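Review bot: `create_noshard_task_failed_https` asserts only `resp.status_code == 400`, so each negative TLS case in run.sh passes whenever the create is rejected for any reason — a duplicate task name or an unrelated schema error would do — not specifically because the certificate material was wrong or missing; assert on the error text in `resp.json()` as well (the exact message comes from the server-side validation and is not visible here). The task literal in `create_task_success_https` (previous hunk) and the one in this function are near-identical ~50-line dicts; a shared builder taking the target table, the two `security` blocks and the source list would keep the positive and negative variants from drifting. The body of `create_noshard_task_failed_https` lies mostly outside this hunk.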
@@ -927,7 +987,8 @@ if __name__ == "__main__": "check_sync_task_status_success": check_sync_task_status_success, "check_load_task_finished_status_success": check_load_task_finished_status_success, "check_dump_task_finished_status_success": check_dump_task_finished_status_success, - "create_noshard_task_success_https": create_noshard_task_success_https, + "create_task_success_https": create_task_success_https, + "create_noshard_task_failed_https": create_noshard_task_failed_https, "start_task_success_https": start_task_success_https, "get_task_status_success_https" : get_task_status_success_https, "get_task_status_with_retry":get_task_status_with_retry, diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 824ebcbc02e..459c9fd5818 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -74,7 +74,7 @@ function test_source() { # recreate source will failed openapi_source_check "create_source_failed" - # update source1 without password success + # update source1 without password successt openapi_source_check "update_source1_without_password_success" # get source list success @@ -1082,8 +1082,8 @@ function test_reverse_https_and_tls() { prepare_database init_noshard_data - # create source successfully - openapi_source_check "create_source_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # create source1 successfully + openapi_source_check "create_source1_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" # get source list success openapi_source_check "list_source_success_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" 
@@ -1091,19 +1091,70 @@ function test_reverse_https_and_tls() { # send request to not leader node openapi_source_check "list_source_with_reverse_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # create source2 successfully + openapi_source_check "create_source2_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + echo "kill all tidb process and start downstream TiDB cluster with TLS" killall -9 tidb-server 2>/dev/null || true killall -9 tikv-server 2>/dev/null || true killall -9 pd-server 2>/dev/null || true run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf - task_name="task-tls" - openapi_task_check "create_noshard_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + task_name="task-tls-1" + openapi_task_check "create_task_success_https" $task_name "" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" - openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "get_task_status_success_https" $task_name 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 + + check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml + + task_name="task-tls-2" + openapi_task_check "create_task_success_https" $task_name "t3" "$cur/tls_conf/ca.pem" 
"$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "" "" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" + openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 + + task_name="task-tls-3" + openapi_task_check "create_task_success_https" $task_name "t4" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "" "" \ + "$(cat $cur/tls_conf/ca.pem)" "" "" + openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 + + task_name="task-tls-4" + # use incorect tidb certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" + # use incorect pd certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" + 
# miss tidb cert certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" + # miss tidb key certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" + # miss pd key certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ + "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "" + # miss pd cert certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ + "$(cat $cur/tls_conf/ca.pem)" "" "$(cat $cur/tls_conf/dm.key)" + # miss pd all certificate + openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ + "" "" "" cleanup_process # run dm-master1 @@ -1174,7 +1225,7 @@ function run() { test_full_mode_task # NOTE: this test case MUST running at last, because it will offline some members of cluster - test_cluster + # test_cluster } cleanup_data openapi From ec1b94fe00d63e2251ffc0c47a32bffa09667bc7 Mon Sep 17 00:00:00 2001 
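Review bot: The five rejected-create cases at the end of this hunk reuse `task_name="task-tls-4"` and check only that the call fails; nothing afterwards verifies that no task by that name was left behind, so a create that registered the task before failing cert validation would go unnoticed and the next negative case would then fail for the wrong reason (duplicate name). Listing tasks after the block, in the style of `openapi_source_check "list_source_success_https" 1 …` used earlier in this function, and asserting that only task-tls-1 through task-tls-3 exist would close that gap. The comments `# use incorect tidb certificate` and `# use incorect pd certificate` should read `incorrect`. `test_reverse_https_and_tls` starts outside this hunk.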
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 13 Dec 2024 00:45:27 +0800 Subject: [PATCH 18/63] fmt --- dm/tests/openapi/run.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 459c9fd5818..80f6623e10b 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -74,7 +74,7 @@ function test_source() { # recreate source will failed openapi_source_check "create_source_failed" - # update source1 without password successt + # update source1 without password success openapi_source_check "update_source1_without_password_success" # get source list success @@ -1062,10 +1062,10 @@ function test_reverse_https_and_tls() { cp $cur/tls_conf/dm-master2.toml $WORK_DIR/ cp $cur/tls_conf/dm-worker1.toml $WORK_DIR/ cp $cur/tls_conf/dm-worker2.toml $WORK_DIR/ - sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master1.toml - sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master2.toml - sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker1.toml - sed -i '' "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker2.toml + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master1.toml + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-master2.toml + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker1.toml + sed -i "s%dir-placeholer%$cur\/tls_conf%g" $WORK_DIR/dm-worker2.toml # run dm-master1 run_dm_master $WORK_DIR/master1 $MASTER_PORT1 $WORK_DIR/dm-master1.toml @@ -1225,7 +1225,7 @@ function run() { test_full_mode_task # NOTE: this test case MUST running at last, because it will offline some members of cluster - # test_cluster + test_cluster } cleanup_data openapi From c8aea0508669c8ed745055b5439da0d3060bf704 Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 13 Dec 2024 12:22:30 +0800 Subject: [PATCH 19/63] fix test --- dm/config/task_converters.go | 5 ++++- dm/openapi/fixtures/task.go | 1 + 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go
index c8c8eafdca2..130fc89d857 100644
--- a/dm/config/task_converters.go
+++ b/dm/config/task_converters.go
@@ -551,7 +551,10 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta
 ExportThreads: &oneSubtaskConfig.MydumperConfig.Threads,
 DataDir: &oneSubtaskConfig.LoaderConfig.Dir,
 ImportThreads: &oneSubtaskConfig.LoaderConfig.PoolSize,
- PdAddr: &oneSubtaskConfig.LoaderConfig.PDAddr,
+ }
+ // only load task use physical mode need PD address
+ if oneSubtaskConfig.LoaderConfig.ImportMode == LoadModePhysical {
+ taskSourceConfig.FullMigrateConf.PdAddr = &oneSubtaskConfig.LoaderConfig.PDAddr
 }
 importMode := openapi.TaskFullMigrateConfImportMode(oneSubtaskConfig.LoaderConfig.ImportMode)
 if importMode != "" {
diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go
index 8629a42a4a5..d80a8268fe4 100644
--- a/dm/openapi/fixtures/task.go
+++ b/dm/openapi/fixtures/task.go
@@ -123,6 +123,7 @@ var (
 "full_migrate_conf": {
 "data_dir": "./exported_data",
 "export_threads": 4,
+ "import_mode": "logical",
 "import_threads": 16
 },
 "incr_migrate_conf": { "repl_batch": 200, "repl_threads": 32 }, From 0650f6b3c620d9208e20267f3bd6cf7055c8347a Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 13 Dec 2024 15:23:12 +0800 Subject: [PATCH 20/63] fix test --- dm/tests/_utils/run_downstream_cluster_with_tls | 4 ++-- dm/tests/openapi/client/openapi_task_check | 8 ++------ dm/tests/tls/run.sh | 2 +- 3 files changed, 5 insertions(+), 9 deletions(-)
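Review bot: The comment on the new `if` is hard to parse; `// Only a load task in physical import mode needs a PD address, so it is omitted otherwise.` states the intent. The branch compares the raw `LoaderConfig.ImportMode` string while the line right after converts the same value to `openapi.TaskFullMigrateConfImportMode`; hoisting `importMode` above the check and testing it once would keep the two in a single representation, assuming the enum's physical value is derived from the same string. `SubTaskConfigsToOpenAPITask` starts and ends outside this hunk.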
diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls
index 89332db449a..a695f654837 100755
--- a/dm/tests/_utils/run_downstream_cluster_with_tls
+++ b/dm/tests/_utils/run_downstream_cluster_with_tls
@@ -115,7 +115,7 @@ start_tidb() { cat - >"$WORK_DIR/tidb-tls-config.toml" < Date: Mon, 16 Dec 2024 13:33:08 +0800 Subject: [PATCH 21/63] support set ssl by file path --- dm/config/task_converters.go | 14 +- dm/loader/lightning.go | 6 +- dm/openapi/fixtures/task.go | 2 +- dm/openapi/gen.server.go | 218 +++++++++--------- dm/openapi/gen.types.go | 9 + dm/openapi/spec/dm.yaml | 12 + .../_utils/run_downstream_cluster_with_tls | 6 +- dm/tests/openapi/client/openapi_task_check | 24 +- dm/tests/openapi/run.sh | 20 +- 9 files changed, 169 insertions(+), 142 deletions(-)
diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go
index c8c8eafdca2..484e9cf45bd 100644
--- a/dm/config/task_converters.go
+++ b/dm/config/task_converters.go
@@ -245,9 +245,9 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig,
 certAllowedCN = *fullCfg.Security.CertAllowedCn
 }
 subTaskCfg.LoaderConfig.Security = &security.Security{
- SSLCABytes: []byte(fullCfg.Security.SslCaContent),
- SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent),
- SSLCertBytes: []byte(fullCfg.Security.SslCertContent),
+ SSLCA: *fullCfg.Security.SslCa,
+ SSLKey: *fullCfg.Security.SslKey,
+ SSLCert: *fullCfg.Security.SslCert,
 CertAllowedCN: certAllowedCN,
 }
 }
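Review bot: The new lines dereference `fullCfg.Security.SslCa`, `SslKey` and `SslCert` unconditionally, while `CertAllowedCn` one context line above is only dereferenced inside a guard; since the reverse converter in the same patch stores `&…SSLCA` into these fields they are pointer-typed optional request fields, so a task whose `full_migrate_conf.security` omits any of them will nil-panic inside the API handler rather than being rejected with the 400 the run.sh negative cases expect. A nil-safe accessor, as below, keeps the conversion total and lets the existing validation decide what an empty path means. Separately, after this change the three values are paths that the dm-worker opens on its own filesystem (see the lightning.go hunk in this patch), no longer certificate contents, so which files the loader reads becomes request-controlled; the OpenAPI spec should say they are worker-host paths, and rejecting empty or relative paths at conversion time is a cheap guard. `OpenAPITaskToSubTaskConfigs` starts and ends outside this hunk.
```go
// strValue returns the pointee, or "" when an optional OpenAPI field was omitted.
func strValue(p *string) string {
	if p == nil {
		return ""
	}
	return *p
}

	// … unchanged: certAllowedCN handling …
	subTaskCfg.LoaderConfig.Security = &security.Security{
		SSLCA:         strValue(fullCfg.Security.SslCa),
		SSLKey:        strValue(fullCfg.Security.SslKey),
		SSLCert:       strValue(fullCfg.Security.SslCert),
		CertAllowedCN: certAllowedCN,
	}
```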
@@ -575,10 +575,10 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta
 certAllowedCN = oneSubtaskConfig.LoaderConfig.Security.CertAllowedCN
 }
 taskSourceConfig.FullMigrateConf.Security = &openapi.Security{
- CertAllowedCn: &certAllowedCN,
- SslCaContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLCABytes),
- SslCertContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLCertBytes),
- SslKeyContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLKeyBytes),
+ CertAllowedCn: &certAllowedCN,
+ SslCa: &oneSubtaskConfig.LoaderConfig.Security.SSLCA,
+ SslCert: &oneSubtaskConfig.LoaderConfig.Security.SSLCert,
+ SslKey: &oneSubtaskConfig.LoaderConfig.Security.SSLKey,
 }
 }
 // set filter rules
diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go
index 951fd4ef2eb..b0dfa7c339f 100644
--- a/dm/loader/lightning.go
+++ b/dm/loader/lightning.go
@@ -334,9 +334,9 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask
 }
 cfg.TiDB.Security = &globalCfg.Security
 if subtaskCfg.LoaderConfig.Security != nil {
- cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes
- cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCertBytes
- cfg.Security.KeyBytes = subtaskCfg.LoaderConfig.Security.SSLKeyBytes
+ cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA
+ cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert
+ cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey
 }
 // TableConcurrency is adjusted to the value of RegionConcurrency
 // when using TiDB backend.
diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go
index d80a8268fe4..b984647bb8e 100644
--- a/dm/openapi/fixtures/task.go
+++ b/dm/openapi/fixtures/task.go
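Review bot: The lightning.go hunk stops forwarding `SSLCABytes`/`SSLCertBytes`/`SSLKeyBytes` and forwards only the three path fields, so if LoaderConfig.Security can still carry inline certificate bytes (the removed lines show those fields exist, and nothing on this page removes them), a task configured that way would reach lightning with empty `CAPath`/`CertPath`/`KeyPath` and fall back to whatever `globalCfg.Security` provides. Forwarding both forms, e.g. keeping `cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes` next to the new `CAPath` assignment, or rejecting a Security block that sets neither, would keep that case explicit. GetLightningConfig starts and ends outside the hunk.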
@@ -33,7 +33,7 @@ var (
 "export_threads": 4,
 "import_threads": 16,
 "import_mode": "physical",
- "pd_addr": "https://127.0.0.1:2379",
+ "pd_addr": "127.0.0.1:2379",
 "security": {
 "ssl_ca_content": "fake_ssl_ca_content_2",
 "ssl_cert_content": "fake_ssl_cert_content_2",
diff --git a/dm/openapi/gen.server.go b/dm/openapi/gen.server.go
index ca4641cc2f3..2942934cc68 100644
--- a/dm/openapi/gen.server.go
+++ b/dm/openapi/gen.server.go
@@ -1248,115 +1248,115 @@ func RegisterHandlersWithOptions(router *gin.Engine, si ServerInterface, options // Base64 encoded, gzipped, json marshaled Swagger object var swaggerSpec = []string{ - "H4sIAAAAAAAC/+x9bXPbOJLwX8Gj5z7sTEmWZDtO4qv9kMSerO+cl4o9tbe1lWMgEpSwJgEGAO3Rpvzf", - "r/BCEiQBkrItx5pkP+w4Igh0N/odjea3UUjTjBJEBB8dfxvxcIVSqP58lSAm3kECl4hd0owmdLmWv2eM", - "ZogJjNSoFeVC/hf9AdMsQaPj0Xz/+d5sb7Y3H41HYp3Jn7hgmCxHt+NRRll9+MvZy4NyHCYCLREb3d6O", - "Rwx9zTFD0ej4n3oR8/LncjRd/AuFQs76Jsm5QOwdlP/fhhFGkfo1QjxkOBOYktGx+hVxDmgMxAqBMGcM", - "EQFSNQkgNEKjsQut4xf7R07cYIKvUXsdShJMEOACityshrlZxl5BsByVsy4oTRAkctoEwQg54Mfcnknh", - "YIYOmJTAFNW3TU/jQKyxF+rNAtkSurEmcsfm+FkISkYLUs1pgbDG/QdD8eh49P+nFZNODYdOnex5Ox4t", - "GYwhgYPneavH21NoUpQzBAnWPI4FSnnffJoJ7ekMRSBjUP07YzRFYoVyPhjIj+Ur9sQ3lF3dGc6/q5f9", - "cN76t1K/+t3kbEFzEgWc5ixEQcHI9TX1QyAfAjUcCKqlRdOsvWy65l+TyaxrQQGXjqX09OphKdy+RdRY", - "1wptcdRTDBdHSfo6pC5COeWTkmvEJM9CfvUJfc2R5qL63grIr/pYSk6gGAnyqyCkJMbLIMaJg2j6IZAP", - "ASZgDdMExJSlUICVEBk/nk4jGvK9DJNlCLO9kKbTf6+mAkeLKRdwkaCpXGSi58kZlPNO5HSTOE+SPSfZ", - "+jDnGSUc/SlRtzlGoeOA1MkbDEGBLhQHeVlDM1gfhfQkltry8fykn+nNin6IH4iVXZRzLXqCudyYTyiB", - "a2vZhh4M5R9SEXFBMwABk8MBM+PHDSgtKpWKvV+fv4cpOpejnQx/kqfZhfJDHCqz9E+iPM1ATnAbpkWm", - "/qPZVftrR4ejtvs2Vl5lggSKAsWy9dcimi8SVL1H8nShX0Nc4BQKFAgqYBIwejP0zRgTzFcoChZrgTZ+", - "aYOFMkaX0p4pTmrqcQ22A2UfpZocZr/voGILzyYObhKO1c5ZsLuY+JRsxsOQiV4mVk+DBSYJXQZLgSMn", - "3zGByRK8vTw7KZyEPOOCIZgC/WrNiKKXcB6H+/sTFM5eTOZz9HKy2IfhZLZ/uA/D+Xw2mx0czyfPXxy+", - "HI1HJE8SiVfDFa62rAaix5soQJR6UvkUA8DUDsUCk72Z/N/+cFgibLyoGOaJZJ69qX6gl6jDJsGIMEOh", - "oGwNblaIIQWa3peELgHmUuFIBhsAwTa0ziljlP0di9U7xLnTh5Iso+wYQHJsi43Ur0Eo3anWu+oZCLWr", - "1VZE+tWUL31vpgaoPptTTTS24XFJ0lskjKd8RmLqdyxCPShwiYV5BrDctlKN5H6NOzSUaIZjTTwtoLpx", - "04GO3HY/hhEUcHBEUo/iHYGT0miW3u3UolJS5OrdSGj+fXgkTIi0ZSS0T/WA0FdO2vbB1o7IgwJufJst", - "gy99wwekeRk6bBnkd3jJlGvMlkjwBwS+NvFjYPKwnJMvqjkfA/pLaYAvBMtDkTPkx0IDGIQqoAn416Qe", - "LL35dPrq8hRcvnp9fgq+iPkX8JcvOPoCMBF/mc9/Ae8/XIL3v5+fg1e/X34Izt6/+XT67vT95fjjp7N3", 
- "rz79A/z36T/0G7+A6a+X/++fRu+jKMAkQn98Bm/Of7+4PP10egJ+nf4CTt+/PXt/+tczQujJa3By+tur", - "388vwZu/vfp0cXr511zEL9LFIXjz4fz81eVp8W/pVrnSHQa1dgQYLZwJGOX9Ooar3+cDIt7y9WIui6rO", - "rWokBR887X0wm83unfY+pzDqD+cSCqP7hnMd0ZX/pRQJaBxrZ7BkPS9jgzbl+sOt4TA16NuKpez5rKXr", - "qDgA1/GVa4sa2eD78pEvbT+I517sH817aWKkpI/1PiiPHXUnzsIVCq8ChrgKY5ocmjE0USOAGWFHT9VD", - "zEEGOUfRHnCrhvskc8Z1GHswbWru3iBZxzUIKJ3jDZLjJOerWsSng7P6rH9nWCCuYjuNl05pI6AwyCgm", - "AnD5CxTg5B0IIdGSjwWAsYwkGCrjWPlakQZsHQ3xr0kQUiIQceDGvyZgTXNwA4mwMKztncMygS/hvDJN", - "hfWQ5mkMvoT7/kcH7kf3sEf/6TRIaxK2kf09i2BBc5oJnGIucAj4CrJIklHqAWntwQ0WK535N1tDSbIG", - "OUeRjMgJgCawBTQMc8YBJt45T07OQVoLZsutaSZBrX1yMa7jzGgbp7f3N2Mfc+ZKClQZjFDin2cgowkO", - "16CW+W7nCv7IMDN+YCFPs6YwqUE64yCwzueUy9nxdmFIPHkTy9jJP9m1dhTLdQ+OZq2lL1cIFIOlBGWI", - "YRrhECbJGhiVF7dTOBqtaAzM5OAaJjk6BmoJyVAchZRE/G7QM5RCTAKewRDVMJg/a8L/DhOc5imIGUIg", - "wvwKqLcUDG9f32X5Wx9PPGg+/RHzfH15vdqaGQpxvDbA83xhZfNiykAL7D1wFgNCBdBvYskT6uxfqioB", - "KEHgBicJWCClgPbAhYLUnDEdg32Inh8dHhxO4ucv48l8jl5MFhHaL9Kn0jF9oVGZ9ycMG5LeprFL3tW2", - "vlFC3KaHsmj6iKwQyraIq0x1oB9WfqFlw37mnXcq73zr45L+6MZW23UuMVUcVQBSn6JBw+JAVouJNiwV", - "Uf/SoOp8DOYvn7/8xSXstXU9zOfiuXswWzdzuUHQhCuqMSRADw9ACEW4CvIsSMvKrDoQNyvpoTCpxNVY", - "kGfamSp3xwrCfGLu1Kub8WeF996U5ws1pctNdJeAFETUXFmb7lNOiHy5T3PWmdXJRDa6rh32Eb0A26WK", - "L5S7Wh7ftOVMu7NK96jjoHGVVOvP2jQSaRcozBkW6/Yyyok2NTucJ3UPT5u3GKMkKi3bCkcRItq5XiJR", - "BjX2RLVJQMxoqoYo3yuWfk5bLTXCV8REAJOE3qAoCEkb7Dc0TSkB741mvrg4B/IdHOMQ6hRCSaxe4nCe", - "BCH0B17WxFpVFSNtbnPyrJxYYuKd+jdrOonHx9N3xluY/s+z2cuiOqWBWv+qV2jtX/RNtZ7clYzha4na", - "FVqXpTHW4j3rNSOjOi0dNGgD6JQOE5S9ZTTPHGnmKGmX3PVudIwZF0FCQ21lXK/IaBRFm00rdPbdNTQn", - "m0/YSpao2ccVzi1ESrCtBZ1ELauFXCV7Hl+v5pfEMOGt9EhpSVQUrjWADJvU6zUVb15vWxPjVlbmctB6", - "VLrZ2omU0VwuFZTSylzrHJd594IQJ/CaOqyZ/r2sLyxp1XD7XJJYhPjOAklTm+kuwHRmACDnN5RF3hnL", - "AfUpDw6fHQ3xRIsMg3tu+dCa9+BgduSKZrMiodBZUqsGVa5KGY90vWSHLlJQLYvWecZUjJPvDKxbHVyd", - "qr2OzYp/e49LIb8aXgRyCflVVQIyHuXc5esZ3OTDFn6MUjGw6i9wZKjNknURLv7VoYU6HB+rgNjv+OhR", - 
"k2Hej01y33qlB+mqf+kvYtEOEVd5P+kS3TDq8j0LnuclML08X7HKPfiXoSzBIfTwcaMstJ01M1XVxttO", - "1nZlN3LpxA3rSQvOsgFx8o4MyzsrTBlK6TUKUqTPoQdbEv2eyisrV3YBufKEInpDTDxU/OxO3cMYBSmN", - "UCBwioKoyJG2oyOcIlA8lmZFvlnknS29PeNOjVORa5B+aAib1llMKCAdsEF+ZcoL1QAboP3Z7Ggym09m", - "+2D+7Hh2eDx7NqzU+0LQrHPL7o+TBJbmYjDVbyDWcYvGl2Z10j/jAzGr1S+0ndQ8zQYKulUdvEHh3GCd", - "k1AYDYTEOti2Dj0dbFKc6XdwaJ+S8gf5fSbvQg00/vpAzC7WJKwwU6fybszkI6Bgs7lCnVONXS4+Q5wm", - "1ygKlIdOw6vAc6DeqWaLiytO0rhPiv26syClwdOpSitydOT4JNaeCgad/9DzOpBdSEpgspRUcS1hn7rd", - "rHC4KhNimIPi5Y3ieCVvmAa+0oSOCs67vdVKcw5MSDp8ghAREYjBRSHmxClYoBUmkZXjG/JuGZE6rJh8", - "1olRbYQfI01NdF1cbh0AlynAH0wDS/CWjOZZF5PpAQ0+gwyBnEyKWWxe69QjtdREb/huE8JGsrbr42FZ", - "yPr2ODejKXguOln5AluKfWzVEg+3qLmUjCrbuG+O01dq1tYAl6Yipa3UfeorxokkM8t1ogNGEZZvweRj", - "bXSfPXqNyTld/qYm+yTncrkLiKwgCVGgbyUHRZHhCpIl6q1BsVxVHVsBnmcyAlNHlaqkQV92jqIEZEm+", - "xGTIZWS8JJShQB1+S54pyd+48KyGgYwhc0yuhjl36xoxrpNSvdulirk0GeqnX1E6UQ58kwgOZ1yhzwVl", - "RVWI9yCpmtRb2+V3c2xu5FfusJOSIMpVmCUcs63ojdy8FSSRzvnGCQ4FihQmKmLOU32QmyU6RV5cyNDE", - "t+TL0sZSF6mww30McwPX6oCHUqmyoEDS3FqLZYhzUwczGo+qohj3YtrdGJauUV6aesHK2dwlXdJXIyzh", - "C0VQwR40iTIwAizESs3XKhBqRWg+idJFrqkuzC4VS5Oz5EpmDFBjxsOLvpVSNZXfDWXTyElvsFe6hPwE", - "CvhahrhFIsrNWgXkBU0MN8V5kkhESMhQioiuyYbqN2kwJFNVcqR/H+TnVpD0KNGGDDbJ4NycJl+7zZhD", - "xbsOcwRSekhOzAEUxQF3gq5R0jJBRvcq38AR6cmfizDEo5ZrY2qkBVGaDFHBBgZT4t4uOMygEIipUh9t", - "Kv3A+IZXcP3vCVOhdv8BiHMHfsuTxLC91Cm++91WakUyZClmkova+T1IYLL+t0tGqTqYYzTRpWE8T+WU", - "2WrNcQgTgNMiJ14qbsO4WpFKJ0L+Gcd1vreetehQLPREoKFpxhDnk6vrSQYx491gmdHg6hqo0W74HKsQ", - "jrlAJFx3zl+YM0yMG68OnHV5HmXSkMbqMmI5G4Cc50wqi7pw5IK64JDTeerEBGVwqWoa2u7A3rRYPzCG", - "vD0z5lfB15wWGcmaR4P5FVDPFPiO/SxXejF765pdLx+IFUMwqtdeHjatnZIH/YLcnZASEwu5g2IFg8+7", - "qHZGj1PGoBS6Fj8mdCkRk/JncKwzYvW8haGBw4Xh/MiJooGoH0XbXAQFCH1cWLwhlYwKrXKdVFwhAlKE", - "RDkAAUZvuNpYM7dLTv3unnVIU47q9DqDkrbbwMGvbAglSMWsJG/uq3nUPm2Mgt6eNZmzYQuTpj4oN7ZQ", - "G756Ywtx9Saw3uxUUfV0yx0OG1UBoUel6IelSukV/r2pfMVdHOWzl2ckZJvZS8tz85hLyYjBAoqwfmti", - 
"3i62tufiaxKuGCX43+VSag6A/kCh5jzpPXzNIRFYLeWulM6SgVqgiUivKvDRsH7B0h0iVg6Gut7Zopnx", - "L6tAt7d8y7whivoLK/r03dJTfu4GS5g3hi7hPrUz6zUAboLTWMznYPvTRGUg3pkk4leDc0RVYNo+tWlk", - "NqsVZgdxONs/OpjsvwifT+Zz9HwCj54dTI7C2eLFYfTsZXwwO55Pns8O54f7B+PZs8Pnh9FBaA1/cfBs", - "f7I/O4gW+4dHUXQQHc8n8+czZ9+renGy1cdKPaiqxH1vZrROoEOnXtvOgXLHEa9v82upAg8oE4YSKB29", - "7lso0gMoQ7zQ7HFf+NuMLW51GLvxPE2dW0+beIncxGhwLsDi5L5MtA2HdxuKA7jCsl8ImmUqiqjKaX8z", - "dzdH49FHmPNasVnFh85Mhb8UXKdEBLUP3O0ECR+YwW14g+qhmqBgZIfukI+HVZLwzgq6gQxqZzw92fAx", - "uMFJFEIWFWneeipzMfn1nmevrUoa35msqIoA2ymsAbAKJ6ydVSCW3fAZDOExyBX3PORmRBRxffHH5NwL", - "jHljW+Z3pODABXymuUGe4S3bHJm/DpJWSfdumj6pusft1DneJSLYUm2esxqvpIl311GaSfnwVuXQa8Ru", - "GBabJdHLt7TbLcwq5R/9d2urdftB991+jyFOVOc2ftU+beio73NecS/VaX9vx0KBVZM6dVfTqORhiDj3", - "gLtZtXh7rnGbGi6g9IXrB203OVwN6cUfuXNko39aV0FOR9zhL3Rsb3S1ovdmrblCy0FhvQQ1xZe8q01l", - "XznRHQoz+0oxG02MH769hrcN71b7a9yqlKqQyjg5oaEj533yDnzIEHn18QycfHgjVS5LRsejvg6yE2k8", - "J9qlxZSYhrI60IipYnEsFOKtBYoj9ePRkSSgyvpliMAMj45HB+onqfHFSkE7hRmeXs+npqvQtJje+Etl", - "w7+zSK316uNZvWmeqkzRmlXNtz+bqStZ1XUimJXJw+m/uC63rPyozo7f7vZ8iuoNs6gVmdpEnqcpZOvR", - "scQBlO35SEwBz8MVgBzUevYJuORWP73RZ3UxwYe9Vj5NAigxfE2j9YPh3u7+10LaLAsWct3bJ7wPuaJZ", - "bSv2nIS/Hbf4UVcV8aEsWfU6fBzGdPRW7CLLeHT4gGC0+nU6ltbmvEMwrPbuheHaZGOm3/QfKiK81fov", - "QdoPdOzUhzhOMEGabO/1IX0GGUyR3uV/tooHLPCKmFw1JYJiNSoMwciCYWSrcV124Up0+r+i8LnFOIcO", - "P/yJ7SjVdG006x+0kYXDMFDCqkacjyNhjsafOyZh1kcGNpIwszHTb8YL20jCjPc4QMJs8PwSZsHwY0tY", - "/ZMRnRsZpXsFcE7JeovECQ3/6+LDe48o1cGSc5W3ydvsFtEQqOUqqCIaNiAyPmoHOH+7fHc+CBw5sAec", - "ldB1RT5wdJDXr3qq9rl9zCzlq7hVrPpTlBf1FE9/zRFbW0yNxSooRziY2F22dzt2fDpoDRgSOdMNw3R1", - "4MT0CiouvLlAqLXI2QSGz9vVvo6OxQ5Jsds4JEVf8QYfNIdU/FDE+CpG4779tz9tsS1n2/H1jM0d7vmD", - "wVPmRJ68ndPtWQEkUVERCwFBN/auuza8rQOm36yThX4rd6IelkzRqROWCV2opm05wV/zeu8Rv8GrH3QM", - "Mnjeu99thRFTfYuYZgUkMOGmQVrR/UYldExdhUt1qDnuqTN2wPBqPgCwj6fGQ2zILvLK49i0bdqTDn1W", - "9rE/dPKioTwVIFaf5Grbly6G6Evj7AxPfN6O3XOl8W/riVAJ7u33YY0npodMFgve17ZNI/0RKpUE97s9", - 
"5lNVu8WifTHDk7MtmsgPsKlV+6OOPdVfbvq5pdvc0tINve+OqpBsM2H9VHRB/THNievrerfGnuyqZqja", - "UMY50Y2Miyu0D8NgGyiOH5y9HN+921XuMkpq68xVNljr4K2qg/ePy1rtLubD3eCnzWmKA2rNlzfnJetb", - "8wNCbN2qdkiydgus42/0tt0At96ed0cOqIpedrp41ZecHcoe02/6jyqDN4BZVM330+OVcUeBr2f5CveB", - "yzvrf7fKpfX+KrvFpLr++e48WvauGqLByuaOT8cadt6geZSzoMbH/HaEfdRnKmpt34tO1vf1sASDhMe6", - "SLvDvbo0w370XGO7nPXP4mIVjFCqKgqg/uqOrhXo4S59xNOnmYpvmfYykOR5yK8e8/Tb3JtarIsWmbqZ", - "oGvN4tlQg1U2b+xa1SEfzWWbTUPHG6WnLZu5ZVXb+mStgwkVkRPTzPTpKNoSqorddTX9kOP9S911bXuH", - "+/Z1ge95tO/6HuMOnfOXXyOs73BTnU1DSq4RKyp3u7ZfD9zm/heg9LAAjjUPYw4wyXKhO/gbXaq/ZlJg", - "pXtZQ35l2kDpL2FQBq5xiMA1YhxulYkaKO0OG12qAilFZWLagZuPltAYwOaXYFpE3RvAecXdsWEmtbgd", - "9gj1rDuu2svLeffS8ZfVzb5tyLq50/X91LsPgCeqz2s7u4lwTU3XmW7lfqYGPdK+N++obs4G+1uCZ3f0", - "s2mFdXe2+KYanm5Sw9fgjo2iY7vnqiMsLmEZGBT7mrXudN2c/2Z1U4EPNpa7s02zH06xt+1115Z7C+Sq", - "O9Y/N31nStOG7ntLf99Naz9VjugqtlYwoGtEAI7Vt1AAzxdF2MfKpkU/y619kf4AM7EzfPEIudLvoZ0a", - "QeShr0VeR1G1f/f7SqqfMgNstYr6fgnG2Y+eYCyrqwcmGC2T5TmfK5rxFY02h6SDag08+c4oskcvjnCe", - "sejm+qap+8hX9PDr8Bl1//3uCdWYXx//TLzNLTt3Mq7O6uzqCkgi05bW/MBoLsxdNFy7WHx3qRxcS1ZW", - "kb1eS1q/ItHdTtB/EKH8Wd3Wxd/uErd7c/GGJW9lsdtPlv5ZhLezsuSsxHtgUZLvLRK0YUpikaALwfJQ", - "5OynTD01mRr7O9r6SF5wwGCau7/8t/vp+5rkcYvFN03O/JSQnxIy/z7BUp35dj9Y6hRDf5asTM/8FMWN", - "F/9RBPHhU5RWUrAph3+uWmwtcRuazW6vVcDeOpcLOeYHzHyXeO/6fVy1yXdMPg+7WWR9lnYHlX3Z0nzX", - "a+t39BKTuVahuWcz7qRZr/Ki2Q+puzTau6+6aObXXOrjI+y62NF68/k1zfcimkJMVOv5kSS1mcCtC0Z9", - "3e4jGg5ucW962k+/5ji8migNPNFlqZOqK1hNx4xcnplCe7tQ3WCxmkSpBY9atg1N0QW2HFf8cPv59v8C", - "AAD//1srtbHBvQAA", + "H4sIAAAAAAAC/+x9W3PbOJb/V8Ff/32Y7pIsyXacxFvzkMTujHedS8Xump2ayjIQCUoYkwADgHZrUv7u", + "W7iQBEmApGzLsTqZh2lHBIGDgx/ODQeH30YhTTNKEBF8dPxtxMMVSqH681WCmHgHCVwidkkzmtDlWv6e", + "MZohJjBSrVaUC/lf9AdMswSNjkfz/ed7s73Z3nw0Hol1Jn/igmGyHN2ORxll9eYvZy8PynaYCLREbHR7", + "Ox4x9DXHDEWj43/qQczLn8vWdPEvFArZ65sk5wKxd1D+f5tGGEXq1wjxkOFMYEpGx+pXxDmgMRArBMKc", + "MUQESFUngNAIjcauaR2/2D9yzg0m+Bq1x6EkwQQBLqDIzWiYm2HsEQTLUdnrgtIEQSK7TRCMkIN+zO2e", + 
"1BxM0wGdEpii+rLpbhwTa6yFerOYbEndWDO5Y3H8EIISaEGqkRYIq91/MBSPjkf/f1qBdGoQOnXC83Y8", + "WjIYQwIH9/NWt7e70KwoewgSrDGOBUp5X38ahHZ3hiOQMaj+nTGaIrFCOR9M5MfyFbvjG8qu7kzn39XL", + "fjpv/UupX/1u+2xBcxIFnOYsREEB5PqY+iGQD4FqDgTVu0XzrD1suuZfk8msa0ABl46hdPfqYbm5fYOo", + "tq4R2ttRdzF8O0rW1yl1Mcq5Pym5RkxiFvKrT+hrjjSK6msrIL/qg5TsQAEJ8qsgpCTGyyDGiYNp+iGQ", + "DwEmYA3TBMSUpVCAlRAZP55OIxryvQyTZQizvZCm03+vpgJHiykXcJGgqRxkovvJGZT9TmR3kzhPkj0n", + "2/pmzjNKOPpTTt1GjJqOg1InNhiCAl0oBHmhoQHWxyHdiSW2fJif9IPejOin+IGg7OKca9ATzOXCfEIJ", + "XFvDNuRgKP+QgogLmgEImGwOmGk/blBpcakU7P3y/D1M0bls7QT8SZ5mF8oOcYjM0j6J8jQDOcFtmhaZ", + "+o+Gq7bXjg5HbfNtrKzKBAkUBQqy9dcimi8SVL1H8nShX0Nc4BQKFAgqYBIwejP0zRgTzFcoChZrgTZ+", + "aYOBMkaXUp8pJDXluCbbMWUfp5oIs993cLE1z+Yc3Cwcq5WzaHeB+JRshmHIRC+I1dNggUlCl8FS4MiJ", + "OyYwWYK3l2cnhZGQZ1wwBFOgX60pUfQSzuNwf3+CwtmLyXyOXk4W+zCczPYP92E4n89ms4Pj+eT5i8OX", + "o/GI5Eki59Uwhaslq5HosSYKEqWcVDbFADK1QbHAZG8m/7c/nJYIGysqhnkiwbM31Q/0EHXaJBkRZigU", + "lK3BzQoxpEjT65LQJcBcChwJsAEUbEPqnDJG2d+xWL1DnDttKAkZpccAkm1bMFK/BqE0p1rvqmcg1KZW", + "WxDpV1O+9L2ZGqL6dE7V0dimx7WT3iJhLOUzElO/YRHqRoFrW5hnAMtlK8VI7pe4Q12JpjvWnKdFVPfc", + "tKMjl90/wwgKONgjqXvxDsdJSTRL7nZKUblT5Ojdk9D4ffhJGBdpy5PQNtUDUl8ZadsnWxsiD0q4sW22", + "TL60DR+Q56XrsGWS3+ElU6YxWyLBH5D4WsePMZOHRU6+qPp8DOovpQK+ECwPRc6QfxaawCBUDk3AvyZ1", + "Z+nNp9NXl6fg8tXr81PwRcy/gL98wdEXgIn4y3z+C3j/4RK8//38HLz6/fJDcPb+zafTd6fvL8cfP529", + "e/XpH+C/T/+h3/gFTH+9/H//NHIfRQEmEfrjM3hz/vvF5emn0xPw6/QXcPr+7dn707+eEUJPXoOT099e", + "/X5+Cd787dWni9PLv+YifpEuDsGbD+fnry5Pi39Ls8oV7jBTa3uA0cIZgFHWr6O5+n0+wOMtXy/6srjq", + "XKpGUPDBw94Hs9ns3mHvcwqjfncuoTC6rzvX4V35X0qRgMawdjpL1vPSN2hzrt/dGk5Tg78tX8ruzxq6", + "PhUH4dq/ci1RIxp8Xxz5wvaDMPdi/2jeyxOzS/qg90FZ7Kg7cBauUHgVMMSVG9NEaMbQRLUApoXtPVUP", + "MQcZ5BxFe8AtGu4TzBnXaeyZaVNy9zrJ2q9BQMkcr5McJzlf1Tw+7ZzVe/07wwJx5dvpeemQNgJqBhnF", + "RAAuf4ECnLwDISR652MBYCw9CYZKP1a+VoQBW0dD/GsShJQIRBxz418TsKY5uIFEWDOsrZ1DM4Ev4bxS", + "TYX2kOppDL6E+/5HB+5H99BH/+lUSGsStif7exbBguc0EzjFXOAQ8BVkkWSjlANS24MbLFY68m+WhpJk", + 
"DXKOIumREwCNYwtoGOaMA0y8fZ6cnIO05syWS9MMglrr5AKu48xoG6e391djH3PmCgpUEYxQzj/PQEYT", + "HK5BLfLdjhX8kWFm7MBiP82am0k10hEHgXU8pxzO9rcLReKJm1jKTv7JrrWhWI57cDRrDX25QqBoLHdQ", + "hhimEQ5hkqyBEXlxO4SjpxWNgekcXMMkR8dADSEBxVFIScTvRj1DKcQk4BkMUW0G82dN+t9hgtM8BTFD", + "CESYXwH1lqLh7eu7DH/rw8SDxtMfMc7XF9erjZmhEMdrQzzPF1Y0L6YMtMjeA2cxIFQA/SaWmFBn/1JU", + "CUAJAjc4ScACKQG0By4UpeaM6RjsQ/T86PDgcBI/fxlP5nP0YrKI0H4RPpWG6Qs9lXl/wLCx09s8du13", + "taxv1CZu80NpNH1EVmzK9hZXkepAP6zsQkuH/Yw771Tc+daHkn7vxhbbdZSYLI7KAal30eBhcSCrt4lW", + "LBVT/9Lg6nwM5i+fv/zFtdlr43rA58LcPcDWDS43CZpxRTaGJOjhCQihCFdBngVpmZlVJ+JmJS0UJoW4", + "agvyTBtT5epYTphvmzvl6mb4rOa9N+X5QnXpMhPdKSAFEzUqa919ygmRL/dJzjpYnSCyp+taYR/TC7Jd", + "ovhCmavl8U17n2lzVskedRw0roJq/VGbRiDtAoU5w2LdHkYZ0SZnh/OkbuFp9RZjlESlZlvhKEJEG9dL", + "JEqnxu6o1gmIGU1VE2V7xdLOaYulhvuKmAhgktAbFAUhaZP9hqYpJeC9kcwXF+dAvoNjHEIdQiiZ1csc", + "zpMghA5sVR1qEZVBsapBzAlU1ZvfjWv1WrQc1DFiji5/K4iTrPh4+s4YHNP/eTZ7WSS4NLgzbCj/LH6z", + "KH/IUa+QA6MfzdQkhjKGryXrrtC6TOSxRhw6iH9mb6pJ3X+8pt9Yx4aD0W0CnbLDuKxvGc0zRxA+StoJ", + "ib3bIMaMiyChodbBrlekr46izboV+mzC1TQnm3fYCiWp3sfVnFsTKcm2BnQytcylciU0eizhmtUWw4S3", + "gkelnlUxCi0fpVOpXq8pQPN6W9cao7syJgaNR6UTok1s6evmUnwrncW1RHYZP14S4gReU4eu17+X2Zcl", + "rxpGsWsnFgEQZ/qoyVx1p6c64yOQ8xvKIm+PZYN6lweHz46G2OlF/MXdt3xo9XtwMDty+fpZEW7pTDhW", + "jSpDrvTWul6yHTu5US1933kCV7ST7wzM6h2cu6ttss1So3sPkyG/Gp4icwn5VZUgMx7l3GUJm7nJh635", + "MUrFwJzIwBG/N0PWt3Dxrw4p1GEWWunVfrNQt5oMsw1tlvvGK+1rV3ZQf4qPNhe5iopKg/GGUZdlXmCe", + "l8T0Yr6Cyj3wy1CW4BB6cNxImm3HFE3OufFFkrWd945cMnHDbNsCWTYhTuwIyERn/i1DKb1GQYoE3EiT", + "6PdU1F0Z+gvIlSUU0RtivMXiZ/fBBoxRkNIIBQKnKIiKCHLbd8QpAsVjqVbkm0VU3pLbM+6UOBW7BsmH", + "xmbTMosJRaSDNsivTPKlamATtD+bHU1m88lsH8yfHc8Oj2fPhiXCXwiadS7Z/eckiaW5GMz1G4i1V6fn", + "S7M665/xgTOrZXe0jdQ8zQZudCt3eoO0wsEyJ6EwGkiJdexvHQk7YFJkPHQgtE9I+UMgfSrvQjU09vrA", + "mV2sSVjNTOUsuGcmHwFFm40KdYo3dpn4DHGaXKMoUBY6Da8CT7pBp5gtrvU4WeM+R/fLzoKVZp5OUVqx", + "oyMCKmftye/Q0SHdr2OyC8kJTJaSK64h7DPJmxUOV2W4EHNQvLxRlEPtN0wDX+JGR37r3d5qBYEHhmsd", + 
"NkGIiAjE4JQZcx4XLNAKk8iKgA55t/RIHVpMPuucUa2Ff0aam+i6uPo7gC5zPWEwD6yNt2Q0z7pAphs0", + "cAYZAjmZFL3YWOuUI7XQRK/7bjPCnmRt1cfDYrT15XEuRnPjufhkxQvsXeyDVWt7uLeaS8iopJb7RoB9", + "iXhtCXBp8nXaQt0nvmKcSDazXAc6YBRh+RZMPtZa9+mj15ic0+VvqrNPsi+XuYDICpIQBfrOdlCkYK4g", + "WaLeDB3LVNW+FeB5Jj0wdZCrEj70VfAoSkCW5EtMhlzVxktCGQpUaoDETMn+xnVw1QxkDJkkAtXMuVrX", + "iHEdlOpdLpXqptlQPxuM0oky4JtMcBjjavpcUFbkzHiP2apOvZlvfjPHRiO/crudlARRrtws4ehtRW/k", + "4q0giXRgOU5wKFCkZqI85jzVx9xZog8QiusqmvnW/rKksZRFyu1wH1LdwLU6/qJUiiwokFS31mAZ4txk", + "CY3GoyplyD2YNjeGhWuUlaZesGI2dwmX9GVQS/pCEVS0B02mDPQAi22l+mulT7U8NN+O0inAqU5bLwVL", + "E1lyJNMGqDbj4SnxSqiavPiGsGnEpDdYK51gfwIFfC1d3CIQ5YZWQXnBE4OmOE8SORESMpQiojPWofpN", + "KgwJqmof6d8H2bkVJT1CtLEHm2xwLk4T12415hDxrhMjgZQckh1zAEVx/J+ga5S0VJCRvco2cHh68ufC", + "DfGI5VqbGmtBlCZDRLChwVwAaKdjZlAIxFQilFaVfmJ8zSu6/veEKVe7/wDEuQK/5UliYC9liu/2uxVa", + "kYAst5lEUTu+BwlM1v927VGqTv8YTXTiHM9T2WW2WnMcwgTgtIiJl4LbAFcLUmlEyD/juI5761mLD8VA", + "T4QammYMcT65up5kEDPeTZZpDa6ugWrtps8xCuGYC0TCdWf/hTrDxJjx6jheJy9SJhVprK5qlr0ByHnO", + "pLCob45cUBcdsjtPFp2gDC5VxkfbHNibFuMHRpG3e8b8KviaU+E4gVc5juqZIt+xnuVIL2ZvXb3r4QOx", + "YghG9czUw6a2U/tBvyBXJ6TE+EJup1jR4LMuqpXR7ZQyKDddC48JXcqJyf1n5lgHYvW8NUNDh2uG8yPn", + "FA1F/VO01UVQkNCHwuINKWSUa5XroOIKEZAiJMoGCDB6w9XCmr5d+9Rv7lmHNGWrTqszKHm7jTn4hQ2h", + "BCmfleTNdTWP2qeNUdBb0SdzlrNhUtUH5cIWYsOXjW1NXL0JrDc7RVQ93HKHw0aVXukRKfphKVJ6N//e", + "VL7iTh3z6cszErLN9KVluXnUpQRisIAirN8pmbdT0e2++JqEK0YJ/nc5lOoDoD9QqJEnrYevOSQCq6Hc", + "eeRZMlAKNCfSKwp8PKxfP3W7iJWBoS6/tnhm7MvK0e1NbjNviCL/wvI+fXcYlZ27wRDmjaFDuE/tzHgN", + "gpvkNAbzGdj+MFHpiHcGifjV4BhR5Zi2T20akc1qhNlBHM72jw4m+y/C55P5HD2fwKNnB5OjcLZ4cRg9", + "exkfzI7nk+ezw/nh/sF49uzw+WF0EFrNXxw825/szw6ixf7hURQdRMfzyfz5zFkVrJ66bVX5Ug+qHHrf", + "mxmtM+jQKde2c6DcccTrW/xaqMBDyoShBEpDr/uOjrQAShcvNGvc5/42fYtb7cZu3E9T5tbDJl4mN2c0", + "OBZgIbkvEm3T4V2G4gCu0OwXgmaZ8iKqZOPfzM3W0Xj0Eea8lmxW4dAZqfAnyuuQiKD2gbsdIOEDI7gN", + "a1A9VB0UQHbIDvl4WCYJ78ygGwhQO+LpiYaPwQ1OohCyqAjz1kOZi8mv9zx7bWXS+M5kRZUE2A5hDaBV", + 
"OGntzAKx9IZPYQiPQq7Q85CLEVHE9bUoE3MvZswbyzK/IwcHDuBTzQ32DC9o54j8dbC0Crp38/RJ5T1u", + "J8/xLh7BlnLznNl4JU+8q47STO4Pb1YOvUbshmGxWRC9fEub3cKMUv7Rf/O4GrefdF9tgBjiRNW141ft", + "04aO/D5nAYBSnPZXviwEWNWpU3Y1lUoehohzD7mbZYu3+xq3ueEiSl9Hf9BinMPFkB78ketqNqrLdSXk", + "dPgd/kTH9kJXI3rvHZsLxhwU2ktQk3zJu4p49qUT3SExsy8Vs1Hi+eGLj3iLFG+1+sitCqkKKYyTExo6", + "Yt4n78CHDJFXH8/AyYc3UuSyZHQ86quvO5HKc6JNWkyJKberHY2YKohjoSbeGqA4Uj8eHUkGqqhfhgjM", + "8Oh4dKB+khJfrBS1U5jh6fV8amouTYvujb1UlkM8i9RYrz6e1UsKqswULVlVf/uzmbqwVl0nglkZPJz+", + "i+t0y8qO6qyH7i5eqLjeUItakKlF5HmaQrYeHcs5gLJ4IYkp4Hm4ApCDWkVDAZfcqjY4+qwuJvhmr4VP", + "kwFqG76m0frB5t6ujdiatBkWLOS4t094HXLFs9pS7DkZfztu4VFnFfGhkKwqQT4OMB2VJ7vYMh4dPiAZ", + "rWqmjqG1Ou/YGFbx+0JxbbIw02/6D+UR3mr5lyBtBzpW6kMcJ5ggzbb3+pA+gwymSK/yP1vJAxZ5hU+u", + "Sjbpu6daEYwsGka2GNdpF65Ap/8bE59bwDl02OFPbEWp5mvjUwaDFrIwGAbusKpM6ePsMEdZ1B3bYdYn", + "GDbaYWZhpt+MFbbRDjPW44AdZpPn32EWDT/2Dqt/UKNzIaN0ryDOubPeInFCw/+6+PDes5XqZMm+ytvx", + "bbhFNARquIqqiIYNioyN2kHO3y7fnQ8iRzbsIWcldF6Rjxzt5PWLnqq4cB+Y5f4qbhWr6h3lRT2F6a85", + "YmsL1FisgrKFA8TutL3bsePDSmvAkMiZLqemswMnppJSceHNRUKtgNAmNHzervR11HN27BS7yEVSVF1v", + "4KDZpMJD4eMrH4371t/+8Me2jG3Ht0U2N7jnD0ZPGRN58npOF68FkERFRiwEBN3Yq+5a8LYMmH6zThb6", + "tdyJeliColMmLBO6UCXtcoK/5vXKLH6FVz/oGKTwvHe/2wIjpvoWMc0KSmDCTfm4ojaQCuiYvAqX6FB9", + "3FNm7IDi1TgAsA9T4yE6ZBex8jg6bZv6pEOelVX+D51YNJynAsTqg2Vt/dIFiL4wzs5g4vN29J4rjH9b", + "D4RKcm+/DzSemBwyUSx4X902jfQnulQQ3G/2mA957RZE+3yGJ6dbNJMfYFGr8kcda6q/a/VzSbe5pKUZ", + "et8VVS7ZZpv1U1Ej9sdUJ65vD94afbKrkqEq0hnnRJd5Lq7QPgzANhAcPzi8HF8F3FV0GSG1dXCVBdY6", + "sFXVN/9xodWu8T7cDH7aSFMIqJWm3hxL1pf4B7jYupDvkGDtFqDjL/S2XQe3Xrx4Rw6oilp2OnnVF5wd", + "Co/pN/1HFcEbABaV8/30sDLuSPD1DF/NfeDwzvzfraK0Xl9lt0Cq85/vjtGydtUQCVYWd3w62rDzBs2j", + "nAU1PnW4I/BRH/GoFcUvKlnf18ISDBIe6yTtDvPq0jT70WON7XTWP4uJVQChFFUUQP1NIp0r0IMufcTT", + "J5mKL732AkhiHvKrxzz9NvemFuuiRKYuJugas3g2VGGVxRu7RnXsj+awzaKh443C05bO3LKobX3Q1wFC", + "xeTEFDN9OoK2pKqCu86mH3K8f6mrrm3vcN++LvA9j/ZdX6vcoXP+8luN9RVuirNpSMk1YkXmbtfy64bb", + 
"XP+ClB4I4FhjGHOASZYLXcHfyFL9rZdiVrqWNeRXpgyU/hIGZeAahwhcI8bhVkHUmNLuwOhSJUgpLhNT", + "Dtx8GYXGADa/k9Ni6t4A5BV3x4ap1OJ22CPks+64aC8v591Lxl9WN/u2sdfNna7vJ959BDxReV5b2U02", + "19RUnekW7meq0SOte/OO6uYw2N8SPbsjn00prLvD4psqeLpJDl8DHRt5x3bNVYdbXNIy0Cn2FWvd6bw5", + "/83qpgAfrCx3Z5lmP5xgb+vrriX3JshVd6x/LvrOpKYNXfeW/L6b1H6qiOhKtlY0oGtEAI7Vt1AAzxeF", + "28fKokU/0619nv4ANbEzuHiEWOn3kE4NJ/LQVyKvI6nav/p9KdVPGQBbzaK+X4Bx9qMHGMvs6oEBRktl", + "ec7nimJ8RaHNIeGgWgFPvjOC7NGTI5xnLLq4vinqPvIlPfw6vEddf7+7Q9Xm18c/E2+jZedOxtVZnZ1d", + "AUlkytKaHxjNhbmLhmsXi+++KwfnkpVZZK/XktevSHS3E/QfZFP+zG7rwrc7xe3eKN4w5a1MdvsJ6Z9J", + "eDu7l5yZeA+8leR7iwRtGJJYJOhCsDwUOfu5p57anhr7K9r6WF4gYDDP3V/+2/3wfW3ncQvimwZnfu6Q", + "nztk/n2cpTr4dt9Z6tyG/ihZGZ75uRU3HvxH2YgPH6K0goLNffjnysXWO25DtdlttQrYm+dyIdv8gJHv", + "ct67fh9XLfIdg8/DbhZZn6XdQWFfljTf9dz6Hb3EZK5VaPRshk6a9Qovmv2QsktPe/dFF838kkt9fIRd", + "FytaLz6/pvleRFOIiSo9P5KsNh24ZcGor9p9RMPBJe5NTfvp1xyHVxMlgSc6LXVSVQWryZiRyzJT094u", + "VTdYrCZRatGjhm1TU1SBLdsVP9x+vv2/AAAA//8zYms2374AAA==", } // GetSwagger returns the content of the embedded swagger specification file diff --git a/dm/openapi/gen.types.go b/dm/openapi/gen.types.go index a9ee114dc0a..430b603ede2 100644 --- a/dm/openapi/gen.types.go +++ b/dm/openapi/gen.types.go @@ -370,12 +370,21 @@ type Security struct { // Common Name of SSL certificates CertAllowedCn *[]string `json:"cert_allowed_cn,omitempty"` + // certificate file path + SslCa *string `json:"ssl_ca,omitempty"` + // certificate file content SslCaContent string `json:"ssl_ca_content"` + // File path of PEM format/X509 format certificates + SslCert *string `json:"ssl_cert,omitempty"` + // File content of PEM format/X509 format certificates SslCertContent string `json:"ssl_cert_content"` + // Path of the private key file in X509 format + SslKey *string `json:"ssl_key,omitempty"` + // Content of the private key file in X509 format SslKeyContent string `json:"ssl_key_content"` } 
diff --git a/dm/openapi/spec/dm.yaml b/dm/openapi/spec/dm.yaml
index 64dc5044559..af5500c193b 100644
--- a/dm/openapi/spec/dm.yaml
+++ b/dm/openapi/spec/dm.yaml
@@ -1251,6 +1251,18 @@ components:
 description: "data source ssl configuration, the field will be hidden when getting the data source configuration from the interface"
 nullable: true
 properties:
+ ssl_ca:
+ type: string
+ example: ""
+ description: "certificate file path"
+ ssl_cert:
+ type: string
+ example: ""
+ description: "File path of PEM format/X509 format certificates"
+ ssl_key:
+ type: string
+ example: ""
+ description: "Path of the private key file in X509 format"
 ssl_ca_content:
 type: string
 example: ""
diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls
index a695f654837..b841cd7fc58 100755
--- a/dm/tests/_utils/run_downstream_cluster_with_tls
+++ b/dm/tests/_utils/run_downstream_cluster_with_tls
@@ -27,7 +27,7 @@ max-replicas = 1
 cacert-path = "$CONF_DIR/ca.pem"
 cert-path = "$CONF_DIR/dm.pem"
 key-path = "$CONF_DIR/dm.key"
-cert-verify-cn = ["TiDB", "dm"]
+cert-verify-cn = ["TiDB", "dm", "localhost"]
 EOF
 bin/pd-server --version
@@ -71,7 +71,7 @@ start_tikv() {
 ca-path = "$CONF_DIR/ca.pem"
 cert-path = "$CONF_DIR/dm.pem"
 key-path = "$CONF_DIR/dm.key"
-cert-verify-cn = ["TiDB", "dm"]
+cert-verify-cn = ["TiDB", "dm", "localhost"]
 EOF
 mkdir -p "$WORK_DIR/tikv-tls"
 bin/tikv-server --version
@@ -123,7 +123,7 @@ ssl-key = "$CONF_DIR/tidb.key"
 cluster-ssl-ca = "$CONF_DIR/ca.pem"
 cluster-ssl-cert = "$CONF_DIR/dm.pem"
 cluster-ssl-key = "$CONF_DIR/dm.key"
-cluster-verify-cn = ["TiDB", "dm"]
+cluster-verify-cn = ["TiDB", "dm" , "localhost"]
 EOF
 mkdir -p "$WORK_DIR/tidb-tls"
 bin/tidb-server \
diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check
index a5666bb4410..ab85fc44cda 100755
--- a/dm/tests/openapi/client/openapi_task_check
+++ b/dm/tests/openapi/client/openapi_task_check
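Review bot: The new `ssl_ca`/`ssl_cert`/`ssl_key` properties in the dm.yaml hunk sit next to the existing `ssl_ca_content`/`ssl_cert_content`/`ssl_key_content` ones without saying which takes effect when both are supplied, and the `example: ""` values give no hint of the expected form (a path on the DM host that loads the file?). Suggest extending each description, e.g. `description: "certificate file path on the host running the loader; ignored when ssl_ca_content is set"`, adjusted to whatever precedence the converter actually implements, and likewise for the two other fields. Since gen.types.go is generated from this spec, the wording belongs here rather than in the Go struct comments.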
@@ -151,8 +151,8 @@ def create_noshard_task_success(task_name, tartget_table_name="", task_mode="all
 def create_task_success_https(
 task_name, target_table, ssl_ca, ssl_cert, ssl_key,
- tidb_ca_content="",tidb_cert_content="",tidb_key_content="",
- cluster_ca_content="",cluster_cert_content="",cluster_key_content=""):
+ tidb_ca="",tidb_cert="",tidb_key="",
+ cluster_ca="",cluster_cert="",cluster_key=""):
 task = {
 "name": task_name,
 "task_mode": "all",
@@ -165,10 +165,13 @@ def create_task_success_https(
 "user": "root",
 "password": "",
 "security":{
- "ssl_ca_content": tidb_ca_content,
- "ssl_cert_content": tidb_cert_content,
- "ssl_key_content": tidb_key_content,
- "cert_allowed_cn": ["TiDB"],
+ "ssl_ca": tidb_ca,
+ "ssl_cert": tidb_cert,
+ "ssl_key": tidb_key,
+ "ssl_ca_content": "",
+ "ssl_cert_content": "",
+ "ssl_key_content": "",
+ "cert_allowed_cn": ["TiDB", "dm", "locahost"],
 }
 },
 "table_migrate_rule": [
@@ -198,9 +201,12 @@ def create_task_success_https(
 "import_mode": "physical",
 "pd_addr": "127.0.0.1:2379",
 "security": {
- "ssl_ca_content": cluster_ca_content,
- "ssl_cert_content": cluster_cert_content,
- "ssl_key_content": cluster_key_content,
+ "ssl_ca": cluster_ca,
+ "ssl_cert": cluster_cert,
+ "ssl_key": cluster_key,
+ "ssl_ca_content": "",
+ "ssl_cert_content": "",
+ "ssl_key_content": "",
 "cert_allowed_cn": ["dm"],
 }
 }
diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh
index 80f6623e10b..9e54db2c57a 100644
--- a/dm/tests/openapi/run.sh
+++ b/dm/tests/openapi/run.sh
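Review bot: `"cert_allowed_cn": ["TiDB", "dm", "locahost"],` in the target `security` block of the @@ -165 hunk misspells `localhost`, so the allowed-CN list the test sends does not match the `cert-verify-cn = ["TiDB", "dm", "localhost"]` that the same patch configures for the downstream cluster; it should read `"cert_allowed_cn": ["TiDB", "dm", "localhost"],`. The test presumably still passes because the other two names match, which is why the typo goes unnoticed. The `full_migrate_conf` block in the @@ -198 hunk deliberately keeps `["dm"]` only, so just the spelling needs fixing.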
@@ -1102,8 +1102,8 @@ function test_reverse_https_and_tls() {
 task_name="task-tls-1"
 openapi_task_check "create_task_success_https" $task_name "" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
- "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
- "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
+ "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \
+ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50
@@ -1112,16 +1112,16 @@ function test_reverse_https_and_tls() {
 task_name="task-tls-2"
 openapi_task_check "create_task_success_https" $task_name "t3" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
- "$(cat $cur/tls_conf/ca2.pem)" "" "" \
- "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
+ "$cur/tls_conf/ca2.pem" "" "" \
+ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50
 task_name="task-tls-3"
 openapi_task_check "create_task_success_https" $task_name "t4" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
- "$(cat $cur/tls_conf/ca2.pem)" "" "" \
- "$(cat $cur/tls_conf/ca.pem)" "" ""
+ "$$cur/tls_conf/ca2.pem" "" "" \
+ "$cur/tls_conf/ca.pem" "" ""
 openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50
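Review bot: `"$$cur/tls_conf/ca2.pem" "" "" \` in the task-tls-3 call has a doubled dollar sign; in bash `$$` expands to the shell's PID, so the argument becomes `<pid>cur/tls_conf/ca2.pem` rather than the CA path, and create_task_success_https is handed a file that does not exist. It should be `"$cur/tls_conf/ca2.pem" "" "" \`, matching the task-tls-1 and task-tls-2 calls. If the test passes as written, that is worth a second look, because it would mean the server accepted a `ssl_ca` path it cannot read. The enclosing function test_reverse_https_and_tls continues outside the hunk.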
@@ -1129,12 +1129,12 @@ function test_reverse_https_and_tls() {
 task_name="task-tls-4"
 # use incorect tidb certificate
 openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
- "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" \
- "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
+ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
+ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 # use incorect pd certificate
 openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
- "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
- "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)"
+ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
+ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
 # miss tidb cert certificate
 openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \
 "$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \
From 645b7267c121ac334d5ef2f86772ba3c0e6d38e2 Mon Sep 17 00:00:00 2001
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com>
Date: Mon, 16 Dec 2024 13:39:14 +0800
Subject: [PATCH 22/63] fmt
---
 dm/tests/openapi/client/openapi_task_check | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check
index db82e4b075e..983b1539b99 100755
--- a/dm/tests/openapi/client/openapi_task_check
+++ b/dm/tests/openapi/client/openapi_task_check
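Review bot: After this hunk the "use incorect pd certificate" call passes exactly the same arguments as the "use incorect tidb certificate" call above it (`"$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"` for both the TiDB and the PD block), so the wrong-PD-certificate case is no longer exercised; the second call should keep the original assignment, `"$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \` on both of its continuation lines. The "miss tidb cert certificate" call that follows still passes `$(cat …)` file contents, and create_noshard_task_failed_https is not among the functions touched by this patch's openapi_task_check hunks (their line counts account for the whole diffstat), so presumably it still sends the `*_content` fields; the two rewritten calls would then fail because a path is unparsable as certificate content, not because the certificate is wrong. The enclosing function continues outside the hunk.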
@@ -167,8 +167,8 @@ def create_task_success_https( "password": "", "security":{ "ssl_ca": tidb_ca, - "ssl_cert": tidb_cert, - "ssl_key": tidb_key, + "ssl_cert": tidb_cert, + "ssl_key": tidb_key, "ssl_ca_content": "", "ssl_cert_content": "", "ssl_key_content": "", From f87a1106ce962e102c2585a9c945886d1290bebe Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 13:40:13 +0800 Subject: [PATCH 23/63] fmt --- dm/tests/openapi/client/openapi_task_check | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index 983b1539b99..9755c01271c 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -206,8 +206,8 @@ def create_task_success_https( "ssl_cert": cluster_cert, "ssl_key": cluster_key, "ssl_ca_content": "", - "ssl_cert_content": "", - "ssl_key_content": "", + "ssl_cert_content": "", + "ssl_key_content": "", "cert_allowed_cn": ["dm"], } } From edf188f0bae9ee8c402bc591688bde44fad31558 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 14:08:00 +0800 Subject: [PATCH 24/63] fix test --- dm/config/task_converters.go | 20 ++-- dm/openapi/fixtures/task.go | 6 + dm/openapi/gen.server.go | 218 +++++++++++++++++------------------ dm/openapi/gen.types.go | 6 +- dm/openapi/spec/dm.yaml | 3 + 5 files changed, 131 insertions(+), 122 deletions(-) diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index 484e9cf45bd..66e3bac1a00 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go 
@@ -245,9 +245,9 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig,
 certAllowedCN = *fullCfg.Security.CertAllowedCn
 }
 subTaskCfg.LoaderConfig.Security = &security.Security{
- SSLCA: *fullCfg.Security.SslCa,
- SSLKey: *fullCfg.Security.SslKey,
- SSLCert: *fullCfg.Security.SslCert,
+ SSLCA: fullCfg.Security.SslCa,
+ SSLKey: fullCfg.Security.SslKey,
+ SSLCert: fullCfg.Security.SslCert,
 CertAllowedCN: certAllowedCN,
 }
 }
@@ -576,9 +576,9 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta
 }
 taskSourceConfig.FullMigrateConf.Security = &openapi.Security{
 CertAllowedCn: &certAllowedCN,
- SslCa: &oneSubtaskConfig.LoaderConfig.Security.SSLCA,
- SslCert: &oneSubtaskConfig.LoaderConfig.Security.SSLCert,
- SslKey: &oneSubtaskConfig.LoaderConfig.Security.SSLKey,
+ SslCa: oneSubtaskConfig.LoaderConfig.Security.SSLCA,
+ SslCert: oneSubtaskConfig.LoaderConfig.Security.SSLCert,
+ SslKey: oneSubtaskConfig.LoaderConfig.Security.SSLKey,
 }
 }
 // set filter rules
@@ -698,10 +698,10 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta
 certAllowedCN = oneSubtaskConfig.To.Security.CertAllowedCN
 }
 task.TargetConfig.Security = &openapi.Security{
- CertAllowedCn: &certAllowedCN,
- SslCaContent: string(oneSubtaskConfig.To.Security.SSLCABytes),
- SslCertContent: string(oneSubtaskConfig.To.Security.SSLCertBytes),
- SslKeyContent: string(oneSubtaskConfig.To.Security.SSLKeyBytes),
+ CertAllowedCn: &certAllowedCN,
+ SslCa: oneSubtaskConfig.To.Security.SSLCert,
+ SslCert: oneSubtaskConfig.To.Security.SSLCert,
+ SslKey: oneSubtaskConfig.To.Security.SSLKey,
 }
 }
diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go
index b984647bb8e..d9d2d286a09 100644
--- a/dm/openapi/fixtures/task.go
+++ b/dm/openapi/fixtures/task.go
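Review bot: `SslCa: oneSubtaskConfig.To.Security.SSLCert,` in the @@ -698 hunk copies the client-certificate path into the CA field, so a GET of the task reports the certificate as the CA for the target config; it should be `SslCa: oneSubtaskConfig.To.Security.SSLCA,` as the @@ -576 hunk above does for the source side. The same hunk also stops populating `SslCaContent`/`SslCertContent`/`SslKeyContent` for the target config without a replacement, so a task whose target TLS material was supplied inline (the `To.Security.SSLCABytes` fields the removed lines read) would now round-trip with no TLS settings at all, unless those inline fields are retired elsewhere in this patch. Both enclosing functions start and end outside their hunks.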
@@ -38,6 +38,9 @@ var ( "ssl_ca_content": "fake_ssl_ca_content_2", "ssl_cert_content": "fake_ssl_cert_content_2", "ssl_key_content": "fake_ssl_key_content_2", + "ssl_ca": "fake_ssl_ca/ca.pem", + "ssl_cert": "fake_ssl_cert/dm.pem", + "ssl_key": "fake_ssl_key/dm.key:", "cert_allowed_cn": ["PD1", "PD2"] } }, @@ -62,6 +65,9 @@ var ( "ssl_ca_content": "fake_ssl_ca_content", "ssl_cert_content": "fake_ssl_cert_content", "ssl_key_content": "fake_ssl_key_content", + "ssl_ca": "fake_ssl_ca/ca.pem", + "ssl_cert": "fake_ssl_ca/dm.pem", + "ssl_key": "fake_ssl_ca/dm.key", "cert_allowed_cn": ["TiDB1", "TiDB2"] }, "user": "root" diff --git a/dm/openapi/gen.server.go b/dm/openapi/gen.server.go index a58bf408f7f..ff681a66ef0 100644 --- a/dm/openapi/gen.server.go +++ b/dm/openapi/gen.server.go 
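Review bot: The first hunk's `"ssl_key": "fake_ssl_key/dm.key:"` carries a stray trailing colon and, unlike the second hunk, spreads the three files over `fake_ssl_ca/`, `fake_ssl_cert/` and `fake_ssl_key/`; since this fixture is compared field by field in the converter round-trip tests, a value that differs only by punctuation is easy to misread when an assertion fails. Suggest `"ssl_key": "fake_ssl_key/dm.key",` (or the single `fake_ssl_ca/` prefix the second hunk uses). Whether the colon is ever exercised by a test cannot be told from the fixture alone.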
@@ -1248,115 +1248,115 @@ func RegisterHandlersWithOptions(router *gin.Engine, si ServerInterface, options // Base64 encoded, gzipped, json marshaled Swagger object var swaggerSpec = []string{ - "H4sIAAAAAAAC/+x9W3PbOJb/V8Ff/32Y7pIsyXacxFvzkMTujHedS8Xump2ayjIQCUoYkwADgHZrUv7u", - "W7iQBEmApGzLsTqZh2lHBIGDgx/ODQeH30YhTTNKEBF8dPxtxMMVSqH681WCmHgHCVwidkkzmtDlWv6e", - "MZohJjBSrVaUC/lf9AdMswSNjkfz/ed7s73Z3nw0Hol1Jn/igmGyHN2ORxll9eYvZy8PynaYCLREbHR7", - "Ox4x9DXHDEWj43/qQczLn8vWdPEvFArZ65sk5wKxd1D+f5tGGEXq1wjxkOFMYEpGx+pXxDmgMRArBMKc", - "MUQESFUngNAIjcauaR2/2D9yzg0m+Bq1x6EkwQQBLqDIzWiYm2HsEQTLUdnrgtIEQSK7TRCMkIN+zO2e", - "1BxM0wGdEpii+rLpbhwTa6yFerOYbEndWDO5Y3H8EIISaEGqkRYIq91/MBSPjkf/f1qBdGoQOnXC83Y8", - "WjIYQwIH9/NWt7e70KwoewgSrDGOBUp5X38ahHZ3hiOQMaj+nTGaIrFCOR9M5MfyFbvjG8qu7kzn39XL", - "fjpv/UupX/1u+2xBcxIFnOYsREEB5PqY+iGQD4FqDgTVu0XzrD1suuZfk8msa0ABl46hdPfqYbm5fYOo", - "tq4R2ttRdzF8O0rW1yl1Mcq5Pym5RkxiFvKrT+hrjjSK6msrIL/qg5TsQAEJ8qsgpCTGyyDGiYNp+iGQ", - "DwEmYA3TBMSUpVCAlRAZP55OIxryvQyTZQizvZCm03+vpgJHiykXcJGgqRxkovvJGZT9TmR3kzhPkj0n", - "2/pmzjNKOPpTTt1GjJqOg1InNhiCAl0oBHmhoQHWxyHdiSW2fJif9IPejOin+IGg7OKca9ATzOXCfEIJ", - "XFvDNuRgKP+QgogLmgEImGwOmGk/blBpcakU7P3y/D1M0bls7QT8SZ5mF8oOcYjM0j6J8jQDOcFtmhaZ", - "+o+Gq7bXjg5HbfNtrKzKBAkUBQqy9dcimi8SVL1H8nShX0Nc4BQKFAgqYBIwejP0zRgTzFcoChZrgTZ+", - "aYOBMkaXUp8pJDXluCbbMWUfp5oIs993cLE1z+Yc3Cwcq5WzaHeB+JRshmHIRC+I1dNggUlCl8FS4MiJ", - "OyYwWYK3l2cnhZGQZ1wwBFOgX60pUfQSzuNwf3+CwtmLyXyOXk4W+zCczPYP92E4n89ms4Pj+eT5i8OX", - "o/GI5Eki59Uwhaslq5HosSYKEqWcVDbFADK1QbHAZG8m/7c/nJYIGysqhnkiwbM31Q/0EHXaJBkRZigU", - "lK3BzQoxpEjT65LQJcBcChwJsAEUbEPqnDJG2d+xWL1DnDttKAkZpccAkm1bMFK/BqE0p1rvqmcg1KZW", - "WxDpV1O+9L2ZGqL6dE7V0dimx7WT3iJhLOUzElO/YRHqRoFrW5hnAMtlK8VI7pe4Q12JpjvWnKdFVPfc", - "tKMjl90/wwgKONgjqXvxDsdJSTRL7nZKUblT5Ojdk9D4ffhJGBdpy5PQNtUDUl8ZadsnWxsiD0q4sW22", - "TL60DR+Q56XrsGWS3+ElU6YxWyLBH5D4WsePMZOHRU6+qPp8DOovpQK+ECwPRc6QfxaawCBUDk3AvyZ1", - "Z+nNp9NXl6fg8tXr81PwRcy/gL98wdEXgIn4y3z+C3j/4RK8//38HLz6/fJDcPb+zafTd6fvL8cfP529", 
- "e/XpH+C/T/+h3/gFTH+9/H//NHIfRQEmEfrjM3hz/vvF5emn0xPw6/QXcPr+7dn707+eEUJPXoOT099e", - "/X5+Cd787dWni9PLv+YifpEuDsGbD+fnry5Pi39Ls8oV7jBTa3uA0cIZgFHWr6O5+n0+wOMtXy/6srjq", - "XKpGUPDBw94Hs9ns3mHvcwqjfncuoTC6rzvX4V35X0qRgMawdjpL1vPSN2hzrt/dGk5Tg78tX8ruzxq6", - "PhUH4dq/ci1RIxp8Xxz5wvaDMPdi/2jeyxOzS/qg90FZ7Kg7cBauUHgVMMSVG9NEaMbQRLUApoXtPVUP", - "MQcZ5BxFe8AtGu4TzBnXaeyZaVNy9zrJ2q9BQMkcr5McJzlf1Tw+7ZzVe/07wwJx5dvpeemQNgJqBhnF", - "RAAuf4ECnLwDISR652MBYCw9CYZKP1a+VoQBW0dD/GsShJQIRBxz418TsKY5uIFEWDOsrZ1DM4Ev4bxS", - "TYX2kOppDL6E+/5HB+5H99BH/+lUSGsStif7exbBguc0EzjFXOAQ8BVkkWSjlANS24MbLFY68m+WhpJk", - "DXKOIumREwCNYwtoGOaMA0y8fZ6cnIO05syWS9MMglrr5AKu48xoG6e391djH3PmCgpUEYxQzj/PQEYT", - "HK5BLfLdjhX8kWFm7MBiP82am0k10hEHgXU8pxzO9rcLReKJm1jKTv7JrrWhWI57cDRrDX25QqBoLHdQ", - "hhimEQ5hkqyBEXlxO4SjpxWNgekcXMMkR8dADSEBxVFIScTvRj1DKcQk4BkMUW0G82dN+t9hgtM8BTFD", - "CESYXwH1lqLh7eu7DH/rw8SDxtMfMc7XF9erjZmhEMdrQzzPF1Y0L6YMtMjeA2cxIFQA/SaWmFBn/1JU", - "CUAJAjc4ScACKQG0By4UpeaM6RjsQ/T86PDgcBI/fxlP5nP0YrKI0H4RPpWG6Qs9lXl/wLCx09s8du13", - "taxv1CZu80NpNH1EVmzK9hZXkepAP6zsQkuH/Yw771Tc+daHkn7vxhbbdZSYLI7KAal30eBhcSCrt4lW", - "LBVT/9Lg6nwM5i+fv/zFtdlr43rA58LcPcDWDS43CZpxRTaGJOjhCQihCFdBngVpmZlVJ+JmJS0UJoW4", - "agvyTBtT5epYTphvmzvl6mb4rOa9N+X5QnXpMhPdKSAFEzUqa919ygmRL/dJzjpYnSCyp+taYR/TC7Jd", - "ovhCmavl8U17n2lzVskedRw0roJq/VGbRiDtAoU5w2LdHkYZ0SZnh/OkbuFp9RZjlESlZlvhKEJEG9dL", - "JEqnxu6o1gmIGU1VE2V7xdLOaYulhvuKmAhgktAbFAUhaZP9hqYpJeC9kcwXF+dAvoNjHEIdQiiZ1csc", - "zpMghA5sVR1qEZVBsapBzAlU1ZvfjWv1WrQc1DFiji5/K4iTrPh4+s4YHNP/eTZ7WSS4NLgzbCj/LH6z", - "KH/IUa+QA6MfzdQkhjKGryXrrtC6TOSxRhw6iH9mb6pJ3X+8pt9Yx4aD0W0CnbLDuKxvGc0zRxA+StoJ", - "ib3bIMaMiyChodbBrlekr46izboV+mzC1TQnm3fYCiWp3sfVnFsTKcm2BnQytcylciU0eizhmtUWw4S3", - "gkelnlUxCi0fpVOpXq8pQPN6W9cao7syJgaNR6UTok1s6evmUnwrncW1RHYZP14S4gReU4eu17+X2Zcl", - "rxpGsWsnFgEQZ/qoyVx1p6c64yOQ8xvKIm+PZYN6lweHz46G2OlF/MXdt3xo9XtwMDty+fpZEW7pTDhW", - "jSpDrvTWul6yHTu5US1933kCV7ST7wzM6h2cu6ttss1So3sPkyG/Gp4icwn5VZUgMx7l3GUJm7nJh635", - 
"MUrFwJzIwBG/N0PWt3Dxrw4p1GEWWunVfrNQt5oMsw1tlvvGK+1rV3ZQf4qPNhe5iopKg/GGUZdlXmCe", - "l8T0Yr6Cyj3wy1CW4BB6cNxImm3HFE3OufFFkrWd945cMnHDbNsCWTYhTuwIyERn/i1DKb1GQYoE3EiT", - "6PdU1F0Z+gvIlSUU0RtivMXiZ/fBBoxRkNIIBQKnKIiKCHLbd8QpAsVjqVbkm0VU3pLbM+6UOBW7BsmH", - "xmbTMosJRaSDNsivTPKlamATtD+bHU1m88lsH8yfHc8Oj2fPhiXCXwiadS7Z/eckiaW5GMz1G4i1V6fn", - "S7M665/xgTOrZXe0jdQ8zQZudCt3eoO0wsEyJ6EwGkiJdexvHQk7YFJkPHQgtE9I+UMgfSrvQjU09vrA", - "mV2sSVjNTOUsuGcmHwFFm40KdYo3dpn4DHGaXKMoUBY6Da8CT7pBp5gtrvU4WeM+R/fLzoKVZp5OUVqx", - "oyMCKmftye/Q0SHdr2OyC8kJTJaSK64h7DPJmxUOV2W4EHNQvLxRlEPtN0wDX+JGR37r3d5qBYEHhmsd", - "NkGIiAjE4JQZcx4XLNAKk8iKgA55t/RIHVpMPuucUa2Ff0aam+i6uPo7gC5zPWEwD6yNt2Q0z7pAphs0", - "cAYZAjmZFL3YWOuUI7XQRK/7bjPCnmRt1cfDYrT15XEuRnPjufhkxQvsXeyDVWt7uLeaS8iopJb7RoB9", - "iXhtCXBp8nXaQt0nvmKcSDazXAc6YBRh+RZMPtZa9+mj15ic0+VvqrNPsi+XuYDICpIQBfrOdlCkYK4g", - "WaLeDB3LVNW+FeB5Jj0wdZCrEj70VfAoSkCW5EtMhlzVxktCGQpUaoDETMn+xnVw1QxkDJkkAtXMuVrX", - "iHEdlOpdLpXqptlQPxuM0oky4JtMcBjjavpcUFbkzHiP2apOvZlvfjPHRiO/crudlARRrtws4ehtRW/k", - "4q0giXRgOU5wKFCkZqI85jzVx9xZog8QiusqmvnW/rKksZRFyu1wH1LdwLU6/qJUiiwokFS31mAZ4txk", - "CY3GoyplyD2YNjeGhWuUlaZesGI2dwmX9GVQS/pCEVS0B02mDPQAi22l+mulT7U8NN+O0inAqU5bLwVL", - "E1lyJNMGqDbj4SnxSqiavPiGsGnEpDdYK51gfwIFfC1d3CIQ5YZWQXnBE4OmOE8SORESMpQiojPWofpN", - "KoyRdkQktqrtpB8PMncrgnpkaWMrNrnhXKMmvN3azCHpXQdHAilxJDvmAIoiCyBB1yhpaSIjgpWJ4HD4", - "5M+FN+KRzrU2NdaCKE2GSGJDg7kH0M7KzKAQiKl8KK0x/cT4mld0/e8JUx53/zmIcwV+y5PEoF+KFt8l", - "eCvCInFZ7jaJonaYDxKYrP/t2qpUHQIymuj8OZ6nsststeY4hAnAaREaL+W3Aa6Wp9KWkH/GcR331rMW", - "H4qBngg1NM0Y4nxydT3JIGa8myzTGlxdA9XaTZ9jFMIxF4iE687+C62GibHm1am8zmGkTOrTWN3YLHsD", - "kPOcSWFR3xy5oC46ZHeeZDpBGVyqxI+2VbA3LcYPjD5v94z5VfA1p8JxEK9SHdUzRb5jPcuRXszeunrX", - "wwdixRCM6gmqh02lp/aDfkGuTkiJcYncvrGiwWdkVCuj2ymdUG66Fh4TupQTk/vPzLEOxOp5a4aGDtcM", - "50fOKRqK+qdoq4ugIKEPhcUbUsgoDyvXscUVIiBFSJQNEGD0hquFNX279qnf6rPOaspWncZnUPJ2G3Pw", - "CxtCCVKuK8mb62oetQ8do6C3sE/mrGrDpKoPyoUtxIYvKduauHoTWG92iqh61OUOZ44qy9IjUvTDUqT0", - 
"bv69qXzFnUHm05dnJGSb6UvLgPOoSwnEYAFFWL9aMm9npNt98TUJV4wS/O9yKNUHQH+gUCNPWg9fc0gE", - "VkO508mzZKAUaE6kVxT4eFi/her2FCsDQ92BbfHM2JeVv9ub42beEEUahuWE+q4yKjt3gyHMG0OHcB/e", - "mfEaBDfJaQzmM7D90aLSH++MFfGrwaGiyj9tH940ApzVCLODOJztHx1M9l+EzyfzOXo+gUfPDiZH4Wzx", - "4jB69jI+mB3PJ89nh/PD/YPx7Nnh88PoILSavzh4tj/Znx1Ei/3Doyg6iI7nk/nzmbM4WD2D2yr2pR5U", - "qfS+NzNaZ9ChU65t51y546TXt/i1iIGHlAlDCZSGXvdVHWkBlC5eaNa4zwtu+ha32pvduJ+mzK1HT7xM", - "bs5ocEjAQnJfQNqmw7sMxTlcodkvBM0y5UVUOce/mQuuo/HoI8x5LeeswqEzYOHPl9eREUHtc3c7TsIH", - "BnIb1qB6qDoogOyQHfLxsIQS3plINxCgduDTExQfgxucRCFkURHtrUc0F5Nf73kE20qo8R3NiioXsB3J", - "GkCrcNLamQxi6Q2fwhAehVyh5yEXI6KI69tRJvRezJg3lmV+Rw4OHMCnmhvsGV7XzhEA7GBpFXvv5umT", - "Sn/cTrrjXTyCLaXoOZPySp54Vx2lmdwf3uQceo3YDcNis1h6+ZY2u4UZpfyj/wJyNW4/6b4SATHEiSpv", - "x6/ahw4daX7OOgClOO0vgFkIsKpTp+xqKpU8DBHnHnI3Sxpv9zVuc8NFlL6V/qA1OYeLIT34I5fXbBSZ", - "68rL6fA7/PmO7YWuRvRePzb3jDkotJegJgeTd9Xy7MsqukN+Zl9GZqPS88PXIPHWKt5qEZJbFVIVUhgn", - "JzR0xLxP3oEPGSKvPp6Bkw9vpMhlyeh41FdmdyKV50SbtJgSU3VXOxoxVRDHQk28NUBxsn48OpIMVFG/", - "DBGY4dHx6ED9JCW+WClqpzDD0+v51JRemhbdG3uprIp4FqmxXn08q1cWVAkqWrKq/vZnM3VvrbpVBLMy", - "eDj9F9dZl5Ud1VkW3V3DUHG9oRa1IFOLyPM0hWw9OpZzAGUNQxJTwPNwBSAHtcKGAi65VXRw9FndT/DN", - "XgufJgPUNnxNo/WDzb1dIrE1aTMsWMhxb5/wOuSKZ7Wl2HMy/nbcwqNOLuJDIVkVhHwcYDoKUHaxZTw6", - "fEAyWkVNHUNrdd6xMawa+IXi2mRhpt/0H8ojvNXyL0HaDnSs1Ic4TjBBmm3v9SF9BhlMkV7lf7ZyCCzy", - "Cp9cVW7SV1C1IhhZNIxsMa6zL1yBTv+nJj63gHPosMOf2IpSzdfGFw0GLWRhMAzcYVW10sfZYY7qqDu2", - "w6wvMWy0w8zCTL8ZK2yjHWasxwE7zCbPv8MsGn7sHVb/rkbnQkbpXkGcc2e9ReKEhv918eG9ZyvVyZJ9", - "lZfk23CLaAjUcBVVEQ0bFBkbtYOcv12+Ox9EjmzYQ85K6LwiHznayesXPVWN4T4wy/1VXC5WRTzK+3oK", - "019zxNYWqLFYBWULB4jd2Xu3Y8f3ldaAIZEzXVVNJwlOTEGl4t6bi4RaHaFNaPi8XenrKOvs2Cl2rYuk", - "KL7ewEGzSYWHwsdXPhr3rb/9/Y9tGduOT4xsbnDPH4yeMiby5PWcrmELIImKxFgICLqxV9214G0ZMP1m", - "nSz0a7kT9bAERadMWCZ0oSrb5QR/zesFWvwKr37QMUjhea+AtwVGTPVlYpoVlMCEmypyRYkgFdAxeRUu", - "0aH6uKfM2AHFq3EAYB+mxkN0yC5i5XF02jb1SYc8K4v9HzqxaDhPBYjVd8va+qULEH1hnJ3BxOft6D1X", - 
"GP+2HgiV5N5+H2g8MTlkoljwvrptGukvdakguN/sMd/z2i2I9vkMT063aCY/wKJWVZA61lR/3urnkm5z", - "SUsz9L4rqlyyzTbrp6JU7I+pTlyfILw1+mRXJUNVqzPOia72XNykfRiAbSA4fnB4OT4OuKvoMkJq6+Aq", - "66x1YKsqc/7jQqtd6n24Gfy0kaYQUKtQvTmWrA/yD3CxdT3fIcHaLUDHX+9tuw5uvYbxjhxQFSXtdPKq", - "Lzg7FB7Tb/qPKoI3ACwq5/vpYWXckeDrGb6a+8Dhnfm/W0VpvczKboFU5z/fHaNlCashEqys8fh0tGHn", - "DZpHOQtqfPFwR+CjvuVRq41fFLS+r4UlGCQ81knaHebVpWn2o8ca2+msfxYTqwBCKaoogPrTRDpXoAdd", - "+oinTzIVH3ztBZDEPORXj3n6be5NLdZFpUxdU9A1ZvFsqMIqazh2jerYH81hm7VDxxuFpy2duWVR2/qu", - "rwOEismJqWn6dARtSVUFd51NP+R4/1IXX9ve4b59XeB7Hu27Plq5Q+f85Scb6yvcFGfTkJJrxIrM3a7l", - "1w23uf4FKT0QwLHGMOYAkywXupC/kaX6ky/FrHRJa8ivTBko/UEMysA1DhG4RozDrYKoMaXdgdGlSpBS", - "XCamKrj5QAqNAWx+LqfF1L0ByCvujg1TqcXtsEfIZ91x0V5ezruXjL+sbvZtY6+bO13fT7z7CHii8ry2", - "sptsrqmpOtMt3M9Uo0da9+Yd1c1hsL8lenZHPptSWHeHxTdV93STHL4GOjbyju3Sqw63uKRloFPsq9m6", - "03lz/pvVTQE+WFnuzjLNfjjB3tbXXUvuTZCr7lj/XPSdSU0buu4t+X03qf1UEdGVbK1oQNeIAByrT6IA", - "ni8Kt4+VRYt+plv7PP0BamJncPEIsdLvIZ0aTuShr0ReR1K1f/X7UqqfMgC2mkV9vwDj7EcPMJbZ1QMD", - "jJbK8pzPFcX4ikKbQ8JBtQKefGcE2aMnRzjPWHRxfVPUfeRLevh1eI+6/n53h6rNr49/Jt5Gy86djKuz", - "Oju7ApLIlKU1PzCaC3MXDdcuFt99Vw7OJSuzyF6vJa9fkehuJ+g/yKb8md3WhW93itu9UbxhyluZ7PYT", - "0j+T8HZ2Lzkz8R54K8n3FgnaMCSxSNCFYHkocvZzTz21PTX2V7T1sbxAwGCeuz8AuPvh+9rO4xbENw3O", - "/NwhP3fI/Ps4S3Xw7b6z1LkN/VGyMjzzcytuPPiPshEfPkRpBQWb+/DPlYutd9yGarPbahWwN8/lQrb5", - "ASPf5bx3/T6uWuQ7Bp+H3Syyvk67g8K+LGm+67n1O3qJyVyr0OjZDJ006xVeNPshZZee9u6LLpr5JZf6", - "+Ai7Lla0Xnx+TfO9iKYQE1V6fiRZbTpwy4JRX7X7iIaDS9ybmvbTrzkOryZKAk90WuqkqgpWkzEjl2Wm", - "pr1dqm6wWE2i1KJHDdumpqgCW7Yrfrj9fPt/AQAA//+Xl7ma5r4AAA==", + "H4sIAAAAAAAC/+x9bXPbOJL/V8Ff/3uxMyVZku04ia/2RRJ7sr5zHir21N7WVo6BSFDCmgQYALRHm/J3", + "v8IDSZAESMq2HGuSfbHjiCDQaPy60d1oNL+NQppmlCAi+Oj424iHK5RC9eerBDHxDhK4ROySZjShy7X8", + "PWM0Q0xgpFqtKBfyv+gPmGYJGh2P5vvP92Z7s735aDwS60z+xAXDZDm6HY8yyurNX85eHpTtMBFoidjo", + "9nY8YuhrjhmKRsf/1IOYlz+XreniXygUstc3Sc4FYu+g/P82jTCK1K8R4iHDmcCUjI7Vr4hzQGMgVgiE", + 
"OWOICJCqTgChERqNXdM6frF/5JwbTPA1ao9DSYIJAlxAkZvRMDfD2CMIlqOy1wWlCYJEdpsgGCEH/Zjb", + "Pak5mKYDOiUwRfVl0904JtZYC/VmMdmSurFmcsfi+CEEJdCCVCMtEFa7/2AoHh2P/v+0AunUIHTqhOft", + "eLRkMIYEDu7nrW5vd6FZUfYQJFhjHAuU8r7+NAjt7gxHIGNQ/TtjNEVihXI+mMiP5St2xzeUXd2Zzr+r", + "l/103vqXUr/63eRsQXMSBZzmLERBAeT6mPohkA+Bag4E1dKiedYeNl3zr8lk1jWggEvHULp79bAUbt8g", + "qq1rhLY46i6Gi6NkfZ1SF6Oc8knJNWISs5BffUJfc6RRVF9bAflVH6RkBwpIkF8FISUxXgYxThxM0w+B", + "fAgwAWuYJiCmLIUCrITI+PF0GtGQ72WYLEOY7YU0nf57NRU4Wky5gIsETeUgE91PzqDsdyK7m8R5kuw5", + "2dY3c55RwtGfcuo2YtR0HJQ6scEQFOhCIcgLDQ2wPg7pTiy15cP8pB/0ZkQ/xQ8EZRfnXIOeYC4X5hNK", + "4NoatqEHQ/mHVERc0AxAwGRzwEz7cYNKi0ulYu/X5+9his5layfgT/I0u1B2iENllvZJlKcZyAlu07TI", + "1H80XLW9dnQ4aptvY2VVJkigKFCQrb8W0XyRoOo9kqcL/RriAqdQoEBQAZOA0Zuhb8aYYL5CUbBYC7Tx", + "SxsMlDG6lPuZQlJTj2uyHVP2caqJMPt9Bxdb82zOwc3CsVo5i3YXiE/JZhiGTPSCWD0NFpgkdBksBY6c", + "uGMCkyV4e3l2UhgJecYFQzAF+tXaJopewnkc7u9PUDh7MZnP0cvJYh+Gk9n+4T4M5/PZbHZwPJ88f3H4", + "cjQekTxJ5LwapnC1ZDUSPdZEQaLUk8qmGECmNigWmOzN5P/2h9MSYWNFxTBPJHj2pvqBHqJOmyQjwgyF", + "grI1uFkhhhRpel0SugSYS4UjATaAgm1onVPGKPs7Fqt3iHOnDSUho/YxgGTbFozUr0EozanWu+oZCLWp", + "1VZE+tWUL31vpoaovj2n6mhs0+OSpLdIGEv5jMTUb1iEulHgEgvzDGC5bKUayf0ad6gr0XTHmvO0iOqe", + "m3Z05LL7ZxhBAQd7JHUv3uE4KY1m6d1OLSolRY7ePQmN34efhHGRtjwJbVM9IPWVkbZ9srUh8qCEG9tm", + "y+RL2/ABeV66Dlsm+R1eMmUasyUS/AGJr3X8GDN5WOTki6rPx6D+Um7AF4LlocgZ8s9CExiEyqEJ+Nek", + "7iy9+XT66vIUXL56fX4Kvoj5F/CXLzj6AjARf5nPfwHvP1yC97+fn4NXv19+CM7ev/l0+u70/eX446ez", + "d68+/QP89+k/9Bu/gOmvl//vn0bvoyjAJEJ/fAZvzn+/uDz9dHoCfp3+Ak7fvz17f/rXM0LoyWtwcvrb", + "q9/PL8Gbv736dHF6+ddcxC/SxSF48+H8/NXlafFvaVa5wh1mam0PMFo4AzDK+nU0V7/PB3i85etFXxZX", + "nUvVCAo+eNj7YDab3TvsfU5h1O/OJRRG93XnOrwr/0spEtAY1k5nyXpe+gZtzvW7W8NpavC35UvZ/VlD", + "16fiIFz7V64lakSD74sjX9h+EOZe7B/Ne3lipKQPeh+UxY66A2fhCoVXAUNcuTFNhGYMTVQLYFrY3lP1", + "EHOQQc5RtAfcquE+wZxxncaemTY1d6+TrP0aBJTO8TrJcZLzVc3j085Zvde/MywQV76dnpcOaSOgZpBR", + "TATg8hcowMk7EEKiJR8LAGPpSTBU+rHytSIM2Doa4l+TIKREIOKYG/+agDXNwQ0kwpphbe0cOxP4Es6r", + 
"ranYPeT2NAZfwn3/owP3o3vsR//p3JDWJGxP9vcsggXPaSZwirnAIeAryCLJRqkH5G4PbrBY6ci/WRpK", + "kjXIOYqkR04ANI4toGGYMw4w8fZ5cnIO0pozWy5NMwhqrZMLuI4zo22c3t5/G/uYM1dQoIpghHL+eQYy", + "muBwDWqR73as4I8MM2MHFvI0awqTaqQjDgLreE45nO1vFxuJJ25ibXbyT3atDcVy3IOjWWvoyxUCRWMp", + "QRlimEY4hEmyBkblxe0Qjp5WNAamc3ANkxwdAzWEBBRHISURvxv1DKUQk4BnMES1GcyfNel/hwlO8xTE", + "DCEQYX4F1FuKhrev7zL8rQ8TDxpPf8Q4X19crzZmhkIcrw3xPF9Y0byYMtAiew+cxYBQAfSbWGJCnf1L", + "VSUAJQjc4CQBC6QU0B64UJSaM6ZjsA/R86PDg8NJ/PxlPJnP0YvJIkL7RfhUGqYv9FTm/QHDhqS3eeyS", + "d7Wsb5QQt/mhdjR9RFYIZVvEVaQ60A8ru9Daw37GnXcq7nzrQ0m/d2Or7TpKTBZH5YDUu2jwsDiQ1WKi", + "N5aKqX9pcHU+BvOXz1/+4hL22rge8Lkwdw+wdYPLTYJmXJGNIQl6eAJCKMJVkGdBWmZm1Ym4WUkLhUkl", + "rtqCPNPGVLk6lhPmE3OnXt0Mn9W896Y8X6guXWaiOwWkYKJGZa27Tzkh8uU+zVkHqxNE9nRdK+xjekG2", + "SxVfKHO1PL5py5k2Z5XuUcdB4yqo1h+1aQTSLlCYMyzW7WGUEW1ydjhP6hae3t5ijJKo3NlWOIoQ0cb1", + "EonSqbE7qnUCYkZT1UTZXrG0c9pqqeG+IiYCmCT0BkVBSNpkv6FpSgl4bzTzxcU5kO/gGIdQhxBKZvUy", + "h/MkCKEDW1WHWkVlUKxqEHMCVfXmd+NavRYtB3WMmKPL3wriJCs+nr4zBsf0f57NXhYJLg3uDBvKP4vf", + "LMofctQr5MDoRzM1iaGM4WvJuiu0LhN5rBGHDuKf2ZtqUvcfr+k31rHhYHSbwBKfFgIqXjk1i3Fo3zKa", + "Z44QfZS00xV7hSTGjIsgoaHeoV2vSE8eRZt1K/TJhatpTjbvsBVoUr2Pqzm3JlKSbQ3oZGqZaeVKd/TY", + "yTWbLoYJb4WWyl1YRTC09pQup3q9tj2a19s7sTHJK1Nj0HhUuijaAJeecC6Vu9rRuNbXLtPIS0KcwGvq", + "sAT072VuZsmrhsnsktMiPOJMLjV5re7kVWf0BHJ+Q1nk7bFsUO/y4PDZ0RArvojOuPumrKYnDg5mR65I", + "QFYEYzrTkVWjyswrfbmul2y3TwqqZQ10ns8V7eQ7A3N+B2f2aotts8Tp3qNmyK+GJ9BcQn5Vpc+MRzl3", + "2clmbvJha36MUjEwYzJwRPfNkHURLv7VoYU6jEYr+dpvNOpWk2GWo81y33il9e3KHepPANLGJFcxU2lO", + "3jDqstsLzPOSmF7MV1C5B34ZyhIcQg+OGym17YijyUg3nkqytrPikUsnbpiLWyDLJsSJHQGZ6MzOZSil", + "1yhIkYAb7ST6PRWTV27AAnJlJ0X0hhhfsvjZfewBYxSkNEKBwCkKoiK+3PYscYpA8VhuK/LNImZv6e0Z", + "d2qcil2D9END2LTOYkIR6aAN8iuTmqka2ATtz2ZHk9l8MtsH82fHs8Pj2bNhafIXgmadS3b/OUliaS4G", + "c/0GYu3z6fnSrM76Z3zgzGq5H20jNU+zgYJuZVZvkHQ4WOckFEYDKbGSAqwDYwdMinyIDoT2KSl/gKRv", + "y7tQDY29PnBmF2sSVjNTGQ3umclHQNFmo0Kd8Y1dJj5DnCbXKAqUhU7Dq8CTjNCpZotLP07WuE/Z/bqz", + 
"YKWZp1OVVuzoiI/KWXuyP3TsSPfrmOxCcgKTpeSKawj7xPJmhcNVGUzEHBQvbxQDUfKGaeBL6+jIfr3b", + "W60Q8cBgrsMmCBERgRicUGNO64IFWmESWfHRIe+WHqljF5PPOmdUa+GfkeYmui4uBg+gy1xeGMwDS/CW", + "jOZZF8h0gwbOIEMgJ5OiFxtrnXqkFprodd9tRtiTrK36eFgEt748zsVoCp6LT1a8wJZiH6xa4uEWNZeS", + "USkv940P+9L02hrg0mTztJW6T33FOJFsZrkOdMAowvItmHyste7bj15jck6Xv6nOPsm+XOYCIitIQhTo", + "G91BkaC5gmSJevN3LFNV+1aA55n0wNQxr0oH0RfFoygBWZIvMRlykRsvCWUoUIkDEjMl+xuXxVUzkDFk", + "UgxUM+dqXSPGdVCqd7lUIpxmQ/3kMEonyoBvMsFhjKvpc0FZkVHjPYSrOvXmxfnNHBuN/MrtdlISRLly", + "s4SjtxW9kYu3giTSYec4waFAkZqJ8pjzVB+CZ4k+Xigus2jmW/JlaWOpi5Tb4T7CuoFrdThGqVRZUCC5", + "3VqDZYhzk0M0Go+qhCL3YNrcGBauUVaaesGK2dwlXNKXXy3pC0VQ0R40mTLQAyzESvXXSq5qeWg+idIJ", + "wqlOai8VSxNZciTTBqg24+EJ80qpmqz5hrJpxKQ3WCudfn8CBXwtXdwiEOWGVkF5wRODpjhPEjkREjKU", + "IqLz2aH6TW4YI+2ISGxV4qQfDzJ3K4J6dGlDFJvccK5RE97u3cyh6V3HSgIpdSQ75gCKIkcgQdcoae1E", + "RgUrE8Hh8MmfC2/Eo51rbWqsBVGaDNHEhgZzS6Cds5lBIRBT2VJ6x/QT42te0fW/J0x53P3nIM4V+C1P", + "EoN+qVp8V+StCIvEZSltEkXtMB8kMFn/2yWqVB0RMpro7Dqep7LLbLXmOIQJwGkRGi/1twGu1qfSlpB/", + "xnEd99azFh+KgZ4INTTNGOJ8cnU9ySBmvJss0xpcXQPV2k2fYxTCMReIhOvO/otdDRNjzasze53hSJnc", + "T2N1n7PsDUDOcyaVRV04ckFddMjuPKl2gjK4VGkhbatgb1qMH5j9vN0z5lfB15wKxzG9SoRUzxT5jvUs", + "R3oxe+vqXQ8fiBVDMKqnrx42Nz0lD/oFuTohJcYlcvvGigafkVGtjG6n9oRS6Fp4TOhSTkzKn5ljHYjV", + "89YMDR2uGc6PnFM0FPVP0d4ugoKEPhQWb0glozysXMcWV4iAFCFRNkCA0RuuFtb07ZJTv9VnndWUrTqN", + "z6Dk7Tbm4Fc2hBKkXFeSN9fVPGofOkZBb9mfzFnzhsmtPigXtlAbvpRta+LqTWC92ami6lGXO5w5qhxM", + "j0rRD0uV0iv8e1P5iju/zLdfnpGQbbZfWgacZ7uUQAwWUIT1iyfzdr663Rdfk3DFKMH/LodSfQD0Bwo1", + "8qT18DWHRGA1lDvZPEsGaoHmRHpVgY+H9Tuqbk+xMjDUDdkWz4x9Wfm7vRlw5g1RpGFYTqjvoqOyczcY", + "wrwxdAj34Z0Zr0Fwk5zGYD4D2x8tKv3xzlgRvxocKqr80/bhTSPAWY0wO4jD2f7RwWT/Rfh8Mp+j5xN4", + "9OxgchTOFi8Oo2cv44PZ8XzyfHY4P9w/GM+eHT4/jA5Cq/mLg2f7k/3ZQbTYPzyKooPoeD6ZP585S4fV", + "87utUmDqQZVo73szo3UGHTr12nbOlTtOen2LX4sYeEiZMJRAaeh1X+SRFkDp4oVmjfu84KZvcau92Y37", + "aercevTEy+TmjAaHBCwk9wWkbTq8y1CcwxU7+4WgWaa8iCoj+Tdz/XU0Hn2EOa/lnFU4dAYs/Nn0OjIi", + 
"qH3ubsdJ+MBAbsMaVA9VBwWQHbpDPh6WUMI7E+kGAtQOfHqC4mNwg5MohCwqor31iOZi8us9j2BbCTW+", + "o1lR5QK2I1kDaBVOWjuTQax9w7dhCM+GXKHnIRcjoojru1Mm9F7MmDeWZX5HDg4cwLc1N9gzvOqdIwDY", + "wdIq9t7N0yeV/riddMe7eARbStFzJuWVPPGuOkozKR/e5Bx6jdgNw2KzWHr5lja7hRml/KP/enI1bj/p", + "vgICMcSJKn7Hr9qHDh1pfs4qAaU67S+PWSiwqlOn7mpuKnkYIs495G6WNN7ua9zmhosofWf9QSt2DldD", + "evBHLr7ZKEHXlZfT4Xf48x3bC12N6L2cbG4hc1DsXoKaHEzeVemzL6voDvmZfRmZjTrQD1+hxFvJeKsl", + "Sm5VSFVIZZyc0NAR8z55Bz5kiLz6eAZOPryRKpclo+NRXxHeidw8J9qkxZSYmrza0YipgjgWauKtAYqT", + "9ePRkWSgivpliMAMj45HB+onqfHFSlE7hRmeXs+npjDTtOje2EtlzcSzSI316uNZve6gSlDRmlX1tz+b", + "qVtt1Z0jmJXBw+m/uM66rOyozqLp7gqHiuuNbVErMrWIPE9TyNajYzkHUFY4JDEFPA9XAHJQK3so4JJb", + "JQlHn9X9BN/stfJpMkCJ4WsarR9s7u0Ciq1Jm2HBQo57+4TXIVc8qy3FnpPxt+MWHnVyER8Kyapc5OMA", + "01Gesost49HhA5LRKnnqGFpv5x2CYVXILzauTRZm+k3/oTzCW63/EqTtQMdKfYjjBBOk2fZeH9JnkMEU", + "6VX+ZyuHwCKv8MlVXSd9QVVvBCOLhpGtxnX2hSvQ6f8QxecWcA4ddvgTW1Gq+dr43sGghSwMhoESVtUy", + "fRwJc9RO3TEJs77TsJGEmYWZfjNW2EYSZqzHARJmk+eXMIuGH1vC6l/d6FzIKN0riHNK1lskTmj4Xxcf", + "3ntEqU6W7Ku8Qt+GW0RDoIarqIpo2KDI2Kgd5Pzt8t35IHJkwx5yVkLnFfnI0U5ev+qpKhD3gVnKV3G5", + "WJX4KO/rKUx/zRFbW6DGYhWULRwgdmfv3Y4dX19aA4ZEznTNNZ0kODHllop7by4SalWGNqHh83a1r6Po", + "s0NS7EoYSVGavYGDZpMKD4WPr3w07lt/++sg2zK2HR8g2dzgnj8YPWVM5Mnvc7rCLYAkKhJjISDoxl51", + "14K3dcD0m3Wy0L/LnaiHJSg6dcIyoQtV9y4n+GteL9/i3/DqBx2DNjzvFfC2woipvkxMs4ISmHBTY64o", + "IKQCOiavwqU6VB/31Bk7sPFqHADYh6nxkD1kF7HyOHvaNveTDn1Wfgrg0IlFw3kqQKy+atbeX7oA0RfG", + "2RlMfN7OvucK49/WA6GS3NvvA40npodMFAved2+bRvo7XioI7jd7zNe+dguifT7Dk9tbNJMfYFGrKkgd", + "a6o/fvVzSbe5pKUZet8VVS7ZZsL6qSgk+2NuJ64PFN6a/WRXNUNVyTPOia4FXdykfRiAbaA4fnB4OT4d", + "uKvoMkpq6+Aq66x1YKsqgv7jQqtdCH64Gfy0kaYQUKtfvTmWrM/1D3CxdbXfIcHaLUDHX+9tuw5uvcLx", + "jhxQFSXtdPKqLzg7FB7Tb/qPKoI3ACwq5/vpYWXckeDrGb6a+8Dhnfm/W0VpvczKboFU5z/fHaNlCash", + "Gqys8fh0dsPOGzSPchbU+B7ijsBHfemjVjm/KHd9XwtLMEh4rJO0O8yrS9PsR481ttNZ/ywmVgGEUlVR", + "APWHi3SuQA+69BFPn2YqPgfbCyCJecivHvP029ybWqyLSpm6pqBrzOLZ0A2rrOHYNapDPprDNmuHjjcK", + 
"T1t75pZVbeurvw4QKiYnpqbp01G0JVUV3HU2/ZDj/UtdfG17h/v2dYHvebTv+qTlDp3zlx90rK9wU51N", + "Q0quESsyd7uWXzfc5voXpPRAAMcaw5gDTLJc6EL+RpfqD8IUs9IlrSG/MmWg9OcyKAPXOETgGjEOtwqi", + "xpR2B0aXKkFKcZmYquDm8yk0BrD5MZ0WU/cGIK+4OzZsSy1uhz1CPuuOq/byct69dPxldbNvG7Ju7nR9", + "P/XuI+CJ6vPaym4iXFNTdaZbuZ+pRo+07s07qpvDYH9L9OyOfjalsO4Oi2+q7ukmOXwNdGzkHdulVx1u", + "cUnLQKfYV7N1p/Pm/Dermwp88Ga5O8s0++EUe3u/7lpyb4Jcdcf656LvTGra0HVv6e+7ae2nioiuZGtF", + "A7pGBOBYfRIF8HxRuH2sLFr0M93a5+kP2CZ2BhePECv9Htqp4UQe+krkdSRV+1e/L6X6KQNgq1nU9wsw", + "zn70AGOZXT0wwGhtWZ7zuaIYX1Foc0g4qFbAk++MInv05AjnGYsurm+Kuo98SQ+/Du9R19/v7lC1+fXx", + "z8TbaNm5k3F1VmdnV0ASmbK05gdGc2HuouHaxeK7S+XgXLIyi+z1WvL6FYnudoL+gwjlz+y2Lny7U9zu", + "jeINU97KZLefkP6ZhLezsuTMxHtgUZLvLRK0YUhikaALwfJQ5OynTD01mRr7K9r6WF4gYDDP3R8A3P3w", + "fU3yuAXxTYMzPyXkp4TMv4+zVAff7jtLnWLoj5KV4Zmforjx4D+KID58iNIKCjbl8M+Vi60lbsNts9tq", + "FbA3z+VCtvkBI9/lvHf9Pq5a5DsGn4fdLLK+TruDyr4sab7rufU7eonJXKvQ6NkMnTTrVV40+yF1l572", + "7qsumvk1l/r4CLsuVrRefH5N872IphATVXp+JFltOnDrglFftfuIhoNL3Jua9tOvOQ6vJkoDT3Ra6qSq", + "ClbTMSOXZaamvV2qbrBYTaLUokcN26amqAJbtit+uP18+38BAAD//zUyAOgEvwAA", } // GetSwagger returns the content of the embedded swagger specification file diff --git a/dm/openapi/gen.types.go b/dm/openapi/gen.types.go index 0d9deed3257..274f71141ff 100644 --- a/dm/openapi/gen.types.go +++ b/dm/openapi/gen.types.go 
@@ -373,19 +373,19 @@ type Security struct { CertAllowedCn *[]string `json:"cert_allowed_cn,omitempty"` // certificate file path - SslCa *string `json:"ssl_ca,omitempty"` + SslCa string `json:"ssl_ca"` // certificate file content SslCaContent string `json:"ssl_ca_content"` // File path of PEM format/X509 format certificates - SslCert *string `json:"ssl_cert,omitempty"` + SslCert string `json:"ssl_cert"` // File content of PEM format/X509 format certificates SslCertContent string `json:"ssl_cert_content"` // Path of the private key file in X509 format - SslKey *string `json:"ssl_key,omitempty"` + SslKey string `json:"ssl_key"` // Content of the private key file in X509 format SslKeyContent string `json:"ssl_key_content"` diff --git a/dm/openapi/spec/dm.yaml b/dm/openapi/spec/dm.yaml index a85530e60e4..046a7b1ec3c 100644 --- a/dm/openapi/spec/dm.yaml +++ b/dm/openapi/spec/dm.yaml @@ -1284,6 +1284,9 @@ components: - "ssl_ca_content" - "ssl_cert_content" - "ssl_key_content" + - "ssl_ca" + - "ssl_cert" + - "ssl_key" Purge: description: "relay log cleanup policy configuration" type: object From 9bfeac347e94b0bb164b5625774a81d198ee10e0 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 14:10:17 +0800 Subject: [PATCH 25/63] fix test --- dm/openapi/fixtures/source.go | 3 +++ dm/tests/openapi/client/openapi_task_check | 22 ++++++++++++++-------- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/dm/openapi/fixtures/source.go b/dm/openapi/fixtures/source.go index a055bebe60a..0cbb9c74bde 100644 --- a/dm/openapi/fixtures/source.go +++ b/dm/openapi/fixtures/source.go @@ -31,6 +31,9 @@ var sourceStr = ` "ssl_ca_content": "", "ssl_cert_content": "", "ssl_key_content": "", + "ssl_ca": "", + "ssl_cert": "", + "ssl_key": "", "cert_allowed_cn": [ "string" ] diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index 9755c01271c..ac156c4699d 100755 
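Review bot: Adding `ssl_ca`, `ssl_cert` and `ssl_key` to `required` while the three `*_content` entries stay in the list means every request must now carry both the file paths and the inline contents, and the regenerated `gen.types.go` in this commit drops `omitempty` from the path fields to match. Existing clients that send only the `*_content` fields would fail schema validation if the server validates requests against this spec, and the fixtures in this series only get past it by sending empty strings for whichever form is unused. If paths are meant to supersede contents, the `*_content` entries should leave `required` (or the two forms should be modelled as alternatives); if both are meant to coexist, a one-line description on the `Security` schema stating which one wins when both are set would remove the ambiguity.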
--- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -219,8 +219,8 @@ def create_task_success_https( def create_noshard_task_failed_https( task_name, ssl_ca, ssl_cert, ssl_key, - tidb_ca_content="",tidb_cert_content="",tidb_key_content="", - cluster_ca_content="",cluster_cert_content="",cluster_key_content=""): + tidb_ca="",tidb_cert="",tidb_key="", + cluster_ca="",cluster_cert="",cluster_key=""): task = { "name": task_name, "task_mode": "all", @@ -233,9 +233,12 @@ def create_noshard_task_failed_https( "user": "root", "password": "", "security":{ - "ssl_ca_content": tidb_ca_content, - "ssl_cert_content": tidb_cert_content, - "ssl_key_content": tidb_key_content, + "ssl_ca": tidb_ca, + "ssl_cert": tidb_cert, + "ssl_key": tidb_key, + "ssl_ca_content": "", + "ssl_cert_content": "", + "ssl_key_content": "", "cert_allowed_cn": ["TiDB"], } }, @@ -257,9 +260,12 @@ def create_noshard_task_failed_https( "import_mode": "physical", "pd_addr": "127.0.0.1:2379", "security": { - "ssl_ca_content": cluster_ca_content, - "ssl_cert_content": cluster_cert_content, - "ssl_key_content": cluster_key_content, + "ssl_ca": cluster_ca, + "ssl_cert": cluster_cert, + "ssl_key": cluster_key, + "ssl_ca_content": "", + "ssl_cert_content": "", + "ssl_key_content": "", "cert_allowed_cn": ["dm"], } } From fb654e8eff1959767e851a60f6f22ce03c62e798 Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 18:33:03 +0800 Subject: [PATCH 26/63] fix test --- dm/config/task_converters.go | 23 +-- dm/config/task_converters_test.go | 31 ++-- dm/loader/lightning_test.go | 113 +++++-------- dm/loader/tls_conf/ca.pem | 8 + dm/loader/tls_conf/ca2.pem | 10 ++ dm/loader/tls_conf/dm.key | 8 + dm/loader/tls_conf/dm.pem | 10 ++ dm/loader/tls_conf/tidb.key | 8 + dm/loader/tls_conf/tidb.pem | 12 ++ dm/openapi/fixtures/task.go | 2 +- .../_utils/run_downstream_cluster_with_tls | 15 +- dm/tests/openapi/client/openapi_source_check | 6 +- dm/tests/openapi/client/openapi_task_check | 60 +++---- dm/tests/openapi/run.sh | 148 +++++++++--------- dm/tests/tls/run.sh | 2 +- 15 files changed, 233 insertions(+), 223 deletions(-) create mode 100644 dm/loader/tls_conf/ca.pem create mode 100644 dm/loader/tls_conf/ca2.pem create mode 100644 dm/loader/tls_conf/dm.key create mode 100644 dm/loader/tls_conf/dm.pem create mode 100644 dm/loader/tls_conf/tidb.key create mode 100644 dm/loader/tls_conf/tidb.pem diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index 66e3bac1a00..b5f44120906 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go 
@@ -240,15 +240,19 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig, subTaskCfg.LoaderConfig.PDAddr = *fullCfg.PdAddr } if fullCfg.Security != nil { - var certAllowedCN []string - if fullCfg.Security.CertAllowedCn != nil { - certAllowedCN = *fullCfg.Security.CertAllowedCn - } - subTaskCfg.LoaderConfig.Security = &security.Security{ - SSLCA: fullCfg.Security.SslCa, - SSLKey: fullCfg.Security.SslKey, - SSLCert: fullCfg.Security.SslCert, - CertAllowedCN: certAllowedCN, + if fullCfg.Security.SslCa == "" || fullCfg.Security.SslKey == "" || fullCfg.Security.SslCert == "" { + return nil, terror.ErrOpenAPICommonError.Generatef("Invalid security config, need to set all of ca/cert/key file path.") + } else { + var certAllowedCN []string + if fullCfg.Security.CertAllowedCn != nil { + certAllowedCN = *fullCfg.Security.CertAllowedCn + } + subTaskCfg.LoaderConfig.Security = &security.Security{ + SSLCA: fullCfg.Security.SslCa, + SSLKey: fullCfg.Security.SslKey, + SSLCert: fullCfg.Security.SslCert, + CertAllowedCN: certAllowedCN, + } } } if fullCfg.RangeConcurrency != nil { @@ -704,7 +708,6 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta SslKey: oneSubtaskConfig.To.Security.SSLKey, } } - return &task } diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 48b4e15070b..81d7f9e1695 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go 
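Review bot: The `else` after `return nil, terror.ErrOpenAPICommonError.Generatef(...)` re-indents the whole happy path for no gain; keep the guard flat as `if fullCfg.Security.SslCa == "" || fullCfg.Security.SslKey == "" || fullCfg.Security.SslCert == "" { return nil, terror.ErrOpenAPICommonError.Generatef("Invalid security config, need to set all of ca/cert/key file path.") }` and leave the `certAllowedCN` block at its previous indentation. The guard also rejects a `full_migrate_conf.security` that sets only `ssl_ca` (server verification without a client certificate), a shape the `lightning_test.go` table in this same patch still builds for the target side with `security.Security{SSLCA: caPath}`; if CA-only TLS is deliberately unsupported for the loader, the error text should say that rather than implying all three are always mandatory, otherwise the check should require only `ssl_ca`. `OpenAPITaskToSubTaskConfigs` starts and ends outside the hunk; the second hunk on this line only removes a blank line.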
@@ -67,9 +67,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), - SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), - SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLCA: task.TargetConfig.Security.SslCa, + SSLKey: task.TargetConfig.Security.SslKey, + SSLCert: task.TargetConfig.Security.SslCert, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } 
@@ -133,12 +133,12 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(subTaskConfig.UUID, check.HasLen, len(uuid.NewString())) c.Assert(subTaskConfig.DumpUUID, check.HasLen, len(uuid.NewString())) // check security items - c.Assert(string(subTaskConfig.To.Security.SSLCABytes), check.Equals, task.TargetConfig.Security.SslCaContent) - c.Assert(string(subTaskConfig.To.Security.SSLCertBytes), check.Equals, task.TargetConfig.Security.SslCertContent) - c.Assert(string(subTaskConfig.To.Security.SSLKeyBytes), check.Equals, task.TargetConfig.Security.SslKeyContent) - c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) - c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) - c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) + c.Assert(subTaskConfig.To.Security.SSLCA, check.Equals, task.TargetConfig.Security.SslCa) + c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, task.TargetConfig.Security.SslCertContent) + c.Assert(subTaskConfig.To.Security.SSLKey, check.Equals, task.TargetConfig.Security.SslKeyContent) + c.Assert(subTaskConfig.LoaderConfig.Security.SSLCA, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCa) + c.Assert(subTaskConfig.LoaderConfig.Security.SSLCert, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCert) + c.Assert(subTaskConfig.LoaderConfig.Security.SSLKey, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKey) } func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { 
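Review bot: Two of the rewritten assertions compare a path with a content field: `c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, task.TargetConfig.Security.SslCertContent)` and the `SSLKey`/`SslKeyContent` line below it, while the CA line and the three `LoaderConfig` lines correctly pair `SSL*` with `Ssl*`. Unless the target-side conversion (not visible here) copies content into the path fields, these should read `task.TargetConfig.Security.SslCert` and `task.TargetConfig.Security.SslKey`. As written the test either fails or passes only because both sides happen to be equal in the fixture, which is not what it claims to check. `testNoShardTaskToSubTaskConfigs` starts outside the hunk.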
@@ -299,9 +299,9 @@ func testNoShardSubTaskConfigsToOpenAPITask(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), - SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), - SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLCA: task.TargetConfig.Security.SslCa, + SSLCert: task.TargetConfig.Security.SslCert, + SSLKey: task.TargetConfig.Security.SslKey, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } @@ -371,7 +371,6 @@ func testShardAndFilterSubTaskConfigsToOpenAPITask(c *check.C) { if task.TableMigrateRule[0].Source.SourceName != newTask.TableMigrateRule[0].Source.SourceName { task.TableMigrateRule[0], task.TableMigrateRule[1] = task.TableMigrateRule[1], task.TableMigrateRule[0] } - c.Assert(&task, check.DeepEquals, newTask) } @@ -391,9 +390,9 @@ func TestConvertWithIgnoreCheckItems(t *testing.T) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), - SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), - SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLCA: task.TargetConfig.Security.SslCa, + SSLCert: task.TargetConfig.Security.SslCert, + SSLKey: task.TargetConfig.Security.SslKey, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go index 0dd669bd1ed..835b1c4f82b 100644 --- a/dm/loader/lightning_test.go +++ b/dm/loader/lightning_test.go 
@@ -30,64 +30,12 @@ import ( ) var ( - caContent = []byte(`-----BEGIN CERTIFICATE----- -MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs -aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE -AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD -kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J -xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL -GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ= ------END CERTIFICATE----- -`) - certContent = []byte(`-----BEGIN CERTIFICATE----- -MIIBZDCCAQqgAwIBAgIJAIT/lgXUc1JqMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMM -CWxvY2FsaG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owDTEL -MAkGA1UEAwwCZG0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBA6/ltA7vErXq -9laHAmqXPa+XX34BdbZCXspDIaIElVK8tvIMs6uQh4WUc3TiKpDf1IpI5J94ZJ9G -3p2hTohwo0owSDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCwYDVR0PBAQD -AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAKBggqhkjOPQQDAgNI -ADBFAiEAx6ljJ+tNa55ypWLGNqmXlB4UdMmKmE4RSKJ8mmEelfECIG2ZmCE59rv5 -wImM6KnK+vM2QnEiISH3PeYyyRzQzycu ------END CERTIFICATE----- -`) - keyContent = []byte(`-----BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICF/GDtVxhTPTP501nOu4jgwGSDY01xN+61xd9MfChw+oAoGCCqGSM49 -AwEHoUQDQgAEgQOv5bQO7xK16vZWhwJqlz2vl19+AXW2Ql7KQyGiBJVSvLbyDLOr -kIeFlHN04iqQ39SKSOSfeGSfRt6doU6IcA== ------END EC PRIVATE KEY----- -`) - caContent2 = []byte(`-----BEGIN CERTIFICATE----- -MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs -aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE -AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD -kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J -xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL -GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ= ------END CERTIFICATE----- -`) - certContent2 = []byte(`-----BEGIN CERTIFICATE----- 
-MIIBcDCCARWgAwIBAgIUNC83r8QT87G4uCeW2wUMzaDbCvAwCgYIKoZIzj0EAwIw -FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTIwNjAzNDgxMloXDTM0MTIwNDAz -NDgxMlowDzENMAsGA1UEAwwEdGlkYjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA -BOWs95/gIDUG116NoBZhABn6uWbSIvDva3mwsHnw9PGevSb23Q9t1kl7y1dQpMpT -lSQ/31FOIgCul/RTMYre95CjSjBIMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA -ATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAoG -CCqGSM49BAMCA0kAMEYCIQDDPgmo3olaw1D/7YW3463jvuSBd4w2Z3Ai/BHgZB7d -BAIhALKIhAqB1ffI5XdSdfnznqfwX6FY9c9POlJNfkghB07e ------END CERTIFICATE----- -`) - keyContent2 = []byte(`-----BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMdUrYsjfC9TNSMKAcGWYB9hmKKzyxuxMfRwDGkc03PzoAoGCCqGSM49 -AwEHoUQDQgAE5az3n+AgNQbXXo2gFmEAGfq5ZtIi8O9rebCwefD08Z69JvbdD23W -SXvLV1CkylOVJD/fUU4iAK6X9FMxit73kA== ------END EC PRIVATE KEY----- -`) + caPath = "tls_conf/ca.pem" + caPath2 = "tls_conf/ca2.pem" + certPath = "tls_conf/dm.pem" + certPath2 = "tls_conf/tidb.pem" + keyPath = "tls_conf/dm.key" + keyPath2 = "tls_conf/tidb.key" ) func TestSetLightningConfig(t *testing.T) { 
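Review bot: The six inline PEM blocks are replaced by relative paths under `tls_conf/`, and this patch's diffstat shows `ca.pem`, `ca2.pem`, `dm.key`, `dm.pem`, `tidb.key` and `tidb.pem` being added as files; the material was already committed as string literals, so exposure does not change, but private keys stored as `.key` files are exactly what secret scanners and reviewers flag. A comment on the `var` block such as `// tls_conf/ holds throw-away, test-only certificates and keys; do not reuse outside tests` (or a README in that directory) would document that. The paths are relative to the package directory, which `go test` uses as the working directory; anything that runs these tests from another directory would need the same caveat. The `var` block is fully inside the hunk.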
@@ -169,22 +117,26 @@ func TestGetLightiningConfig(t *testing.T) { toSecurityCfg *security.Security }{ { - globalSecurityCfg: &lcfg.Security{CABytes: caContent, CertBytes: certContent, KeyBytes: keyContent}, - loaderSecurityCfg: &security.Security{SSLCABytes: caContent2, SSLCertBytes: certContent2, SSLKeyBytes: keyContent2}, - toSecurityCfg: &security.Security{SSLCABytes: caContent, SSLCertBytes: certContent, SSLKeyBytes: keyContent}, + globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}, + loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}, + toSecurityCfg: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, }, { - globalSecurityCfg: &lcfg.Security{CABytes: caContent}, - loaderSecurityCfg: &security.Security{SSLCABytes: caContent2, SSLCertBytes: certContent2, SSLKeyBytes: keyContent2}, - toSecurityCfg: &security.Security{SSLCABytes: caContent}, + globalSecurityCfg: &lcfg.Security{CAPath: caPath}, + loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}, + toSecurityCfg: &security.Security{SSLCA: caPath}, }, { - globalSecurityCfg: &lcfg.Security{CABytes: caContent, CertBytes: certContent, KeyBytes: keyContent}, - toSecurityCfg: &security.Security{SSLCABytes: caContent, SSLCertBytes: certContent, SSLKeyBytes: keyContent}, + globalSecurityCfg: &lcfg.Security{CAPath: caPath}, + toSecurityCfg: &security.Security{SSLCA: caPath}, }, { - globalSecurityCfg: &lcfg.Security{CABytes: caContent}, - toSecurityCfg: &security.Security{SSLCABytes: caContent}, + globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}, + toSecurityCfg: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, + }, + { + globalSecurityCfg: &lcfg.Security{CAPath: caPath}, + toSecurityCfg: &security.Security{SSLCA: caPath}, }, { globalSecurityCfg: &lcfg.Security{}, 
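Review bot: The third and fifth entries of the new case table are identical (`globalSecurityCfg: &lcfg.Security{CAPath: caPath}` with `toSecurityCfg: &security.Security{SSLCA: caPath}` and no loader config), so one of them adds nothing but run time. Either drop the duplicate or turn it into a case the table no longer covers, e.g. a loader config carrying only `SSLCA: caPath2` while the global config carries the full `CAPath`/`CertPath`/`KeyPath` set, so the loader-overrides-global branch is also exercised for a CA-only loader. The `cases` slice and `TestGetLightiningConfig` both begin before this hunk.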
@@ -199,19 +151,26 @@ func TestGetLightiningConfig(t *testing.T) { To: dbconfig.DBConfig{Security: c.toSecurityCfg}, }) require.NoError(t, err) - require.Equal(t, c.globalSecurityCfg.CABytes, conf.TiDB.Security.CABytes) - require.Equal(t, c.globalSecurityCfg.CertBytes, conf.TiDB.Security.CertBytes) - require.Equal(t, c.globalSecurityCfg.KeyBytes, conf.TiDB.Security.KeyBytes) + require.Equal(t, c.globalSecurityCfg.CAPath, conf.TiDB.Security.CAPath) + require.Equal(t, c.globalSecurityCfg.CertPath, conf.TiDB.Security.CertPath) + require.Equal(t, c.globalSecurityCfg.KeyPath, conf.TiDB.Security.KeyPath) if c.loaderSecurityCfg == nil { - require.Equal(t, c.globalSecurityCfg.CABytes, conf.Security.CABytes) - require.Equal(t, c.globalSecurityCfg.CertBytes, conf.Security.CertBytes) - require.Equal(t, c.globalSecurityCfg.KeyBytes, conf.Security.KeyBytes) + require.Equal(t, c.globalSecurityCfg.CAPath, conf.Security.CAPath) + require.Equal(t, c.globalSecurityCfg.CertPath, conf.Security.CertPath) + require.Equal(t, c.globalSecurityCfg.KeyPath, conf.Security.KeyPath) } else { - require.Equal(t, c.loaderSecurityCfg.SSLCABytes, conf.Security.CABytes) - require.Equal(t, c.loaderSecurityCfg.SSLCertBytes, conf.Security.CertBytes) - require.Equal(t, c.loaderSecurityCfg.SSLKeyBytes, conf.Security.KeyBytes) + require.Equal(t, c.loaderSecurityCfg.SSLCA, conf.Security.CAPath) + require.Equal(t, c.loaderSecurityCfg.SSLCert, conf.Security.CertPath) + require.Equal(t, c.loaderSecurityCfg.SSLKey, conf.Security.KeyPath) } } + // invalid security file path + _, err = GetLightningConfig( + &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: "caPath"}}, + &config.SubTaskConfig{ + To: dbconfig.DBConfig{Security: &security.Security{SSLCA: "caPath"}}, + }) + require.EqualError(t, err, "could not read ca certificate: open caPath: no such file or directory") } func TestMetricProxies(t *testing.T) { 
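Review bot: `require.EqualError(t, err, "could not read ca certificate: open caPath: no such file or directory")` pins the platform-specific text of the underlying `*os.PathError`, so the new negative case fails on Windows (where the message is "The system cannot find the file specified.") and whenever the wrapping text changes, without any gain in what it proves. Assert the part this test owns instead: `require.ErrorContains(t, err, "could not read ca certificate")`, and, if the error is wrapped with `%w` (cannot be confirmed from this hunk), add `require.ErrorIs(t, err, fs.ErrNotExist)` with `io/fs` imported. The enclosing `TestGetLightiningConfig` begins before this hunk.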
diff --git a/dm/loader/tls_conf/ca.pem b/dm/loader/tls_conf/ca.pem new file mode 100644 index 00000000000..9fc215fa83b --- /dev/null +++ b/dm/loader/tls_conf/ca.pem @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE----- +MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs +aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE +AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD +kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J +xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL +GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ= +-----END CERTIFICATE----- diff --git a/dm/loader/tls_conf/ca2.pem b/dm/loader/tls_conf/ca2.pem new file mode 100644 index 00000000000..bd1ad59f121 --- /dev/null +++ b/dm/loader/tls_conf/ca2.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBdzCCAR6gAwIBAgIUFlKn4vgSaM5PPi5fdfHZjNsPvt0wCgYIKoZIzj0EAwIw +HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP +MjI5ODA5MjcwNjMwMjZaMBwxGjAYBgNVBAMMEVRpREIgU2Vjb25kYXJ5IENBMFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJoSquED75L7UgmezyHBUJlv7sGvHfeuR +RnU0SJVYZzftIAfzL6kwF1LGaezaY9aL/cCiULWMDddo1bLzNjB4vqM8MDowDAYD +VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFFLJmpVHrylfdqLu6lpR +ZOJgderfMAoGCCqGSM49BAMCA0cAMEQCIF2mBuhLfo42ynjoy0Fhz3Qch8huQrkx +mGKxdkBuS+rPAiAglztWHSmUCtqEMdTuds2ETsVVichpxdFh/aXiCb/BeQ== +-----END CERTIFICATE----- diff --git a/dm/loader/tls_conf/dm.key b/dm/loader/tls_conf/dm.key new file mode 100644 index 00000000000..dfdc077bc4d --- /dev/null +++ b/dm/loader/tls_conf/dm.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEICF/GDtVxhTPTP501nOu4jgwGSDY01xN+61xd9MfChw+oAoGCCqGSM49 +AwEHoUQDQgAEgQOv5bQO7xK16vZWhwJqlz2vl19+AXW2Ql7KQyGiBJVSvLbyDLOr +kIeFlHN04iqQ39SKSOSfeGSfRt6doU6IcA== +-----END EC PRIVATE KEY----- 
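Review bot: dm.key is an unencrypted EC private key committed to the tree, and its PEM body is byte-identical to the `keyContent` literal removed from lightning_test.go in this same patch, so the same key material now lives in at least two places (the openapi tests also reference a `tls_conf/dm.key`). That is acceptable only for throw-away test credentials, so the directory should carry a short README stating that ca.pem/dm.pem/dm.key (and the ca2/tidb set) are self-signed test fixtures, how they were generated, and that they must never be deployed; the same note gives secret-scanner allowlists something to point at. The ca.pem subject appears to be `CN=localhost`, which is consistent with local-only test use, but that is inferred from the encoded DN rather than stated anywhere in the patch.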
diff --git a/dm/loader/tls_conf/dm.pem b/dm/loader/tls_conf/dm.pem new file mode 100644 index 00000000000..d4f846e3a22 --- /dev/null +++ b/dm/loader/tls_conf/dm.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZDCCAQqgAwIBAgIJAIT/lgXUc1JqMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMM +CWxvY2FsaG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owDTEL +MAkGA1UEAwwCZG0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBA6/ltA7vErXq +9laHAmqXPa+XX34BdbZCXspDIaIElVK8tvIMs6uQh4WUc3TiKpDf1IpI5J94ZJ9G +3p2hTohwo0owSDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCwYDVR0PBAQD +AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAKBggqhkjOPQQDAgNI +ADBFAiEAx6ljJ+tNa55ypWLGNqmXlB4UdMmKmE4RSKJ8mmEelfECIG2ZmCE59rv5 +wImM6KnK+vM2QnEiISH3PeYyyRzQzycu +-----END CERTIFICATE----- diff --git a/dm/loader/tls_conf/tidb.key b/dm/loader/tls_conf/tidb.key new file mode 100644 index 00000000000..b63b20db793 --- /dev/null +++ b/dm/loader/tls_conf/tidb.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIB+YLzteL9sk+PZPEFf7sw+hhehG2bRV5TUV4NJgVsWXoAoGCCqGSM49 +AwEHoUQDQgAELO1031XONFkiJPFm7Kbb974443lSM8eGEZzVUUWK/WAZ3p03W5o/ +jeFgesLPuKqcV+9p7bG7McVKDsC42OFg4w== +-----END EC PRIVATE KEY----- diff --git a/dm/loader/tls_conf/tidb.pem b/dm/loader/tls_conf/tidb.pem new file mode 100644 index 00000000000..e59a9eae172 --- /dev/null +++ b/dm/loader/tls_conf/tidb.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBxjCCAWygAwIBAgIUJGaNzv0WzN4CfSj7LaNQN8arHvMwCgYIKoZIzj0EAwIw +HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP +MjI5ODA5MjcwNjMwMjZaMA8xDTALBgNVBAMMBFRpREIwWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAAQs7XTfVc40WSIk8Wbsptv3vjjjeVIzx4YRnNVRRYr9YBnenTdb +mj+N4WB6ws+4qpxX72ntsbsxxUoOwLjY4WDjo4GWMIGTMBoGA1UdEQQTMBGCCWxv +Y2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG +CCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLK+e+wKHWmmXPiHjMApdKwf +KhcpMB8GA1UdIwQYMBaAFFLJmpVHrylfdqLu6lpRZOJgderfMAoGCCqGSM49BAMC +A0gAMEUCIC2xVpVTSqMMl38Lu7wTfX8iv/5hcjKoH8v69cZGsyDKAiEA6NIpjV7D +lBnFi5oiKpdJIWD53D2A/yFrI6VEDprblyw= +-----END CERTIFICATE----- diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index d9d2d286a09..13ce72081f4 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -40,7 +40,7 @@ var ( "ssl_key_content": "fake_ssl_key_content_2", "ssl_ca": "fake_ssl_ca/ca.pem", "ssl_cert": "fake_ssl_cert/dm.pem", - "ssl_key": "fake_ssl_key/dm.key:", + "ssl_key": "fake_ssl_key/dm.key", "cert_allowed_cn": ["PD1", "PD2"] } }, diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls index b841cd7fc58..3bdb874c567 100755 --- a/dm/tests/_utils/run_downstream_cluster_with_tls +++ b/dm/tests/_utils/run_downstream_cluster_with_tls @@ -5,16 +5,17 @@ set -eux WORK_DIR=$1 CONF_DIR=$2 -export PD_PEER_ADDR_TLS="127.0.0.1:2380" -export PD_ADDR_TLS="127.0.0.1:2379" +export PD_PEER_ADDR_TLS="127.0.0.1:23800" +export PD_ADDR_TLS="127.0.0.1:23790" export TIDB_IP_TLS="127.0.0.1" export TIDB_PORT_TLS="4000" export TIDB_ADDR_TLS="127.0.0.1:4000" - +export TIDB_STATUS_PORT_TLS="10080" export TIDB_STATUS_ADDR_TLS="127.0.0.1:10080" -export TIKV_ADDR_TLS="127.0.0.1:2016" -export TIKV_STATUS_ADDR_TLS="127.0.0.1:2018" + +export TIKV_ADDR_TLS="127.0.0.1:20160" +export TIKV_STATUS_ADDR_TLS="127.0.0.1:20180" start_pd() { echo "Starting PD..." 
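Review bot: The hunk adds `export TIDB_STATUS_PORT_TLS="10080"` but leaves `TIDB_STATUS_ADDR_TLS="127.0.0.1:10080"` hard-coded on the next line, so the port now lives in two variables that can drift (the sibling tls test in this same series moves its status port to 10090). Derive the address from its parts, `export TIDB_STATUS_ADDR_TLS="${TIDB_IP_TLS}:${TIDB_STATUS_PORT_TLS}"`, and for consistency `export TIDB_ADDR_TLS="${TIDB_IP_TLS}:${TIDB_PORT_TLS}"`, so a future port change is a one-line edit. The PD and TiKV ports were renumbered here while TiDB's stayed at 4000/10080; a one-line comment on why (presumably to avoid colliding with the non-TLS cluster) would help the next reader.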
@@ -115,7 +116,7 @@ start_tidb() { cat - >"$WORK_DIR/tidb-tls-config.toml" <>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: START TASK WITH CONDITION SUCCESS" } -function test_reverse_https_and_tls() { - echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>START TEST OPENAPI: REVERSE HTTPS AND TLS" +function test_tls() { + echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>START TEST OPENAPI: TLS" + prepare_database + init_noshard_data + # create source1 successfully + openapi_source_check "create_source1_success" + + # get source list success + openapi_source_check "list_source_success" 1 + + # create source2 successfully + openapi_source_check "create_source2_success" + + echo "start downstream TiDB cluster with TLS" + killall tidb-server 2>/dev/null || true + run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf + + task_name="task-tls-1" + openapi_task_check "create_noshard_task_with_security_success" $task_name "" \ + "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ + "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "start_task_success" $task_name "" + openapi_task_check "get_task_status_success" $task_name 2 + openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 + + check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml + + task_name="task-tls-2" + openapi_task_check "create_noshard_task_with_security_success" $task_name "t3" \ + "$cur/tls_conf/ca2.pem" "" "" \ + "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + openapi_task_check "start_task_success" $task_name "" + openapi_task_check "get_task_status_success" $task_name 2 + openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 + + task_name="task-tls-error" + # use incorect pd certificate + openapi_task_check "create_noshard_task_with_security_failed" $task_name "t4" \ + "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ + "$cur/tls_conf/ca2.pem" 
"$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" + # miss pd cert and key certificate + openapi_task_check "create_noshard_task_with_security_failed" $task_name \ + "$$cur/tls_conf/ca2.pem" "" "" \ + "$cur/tls_conf/ca.pem" "" "" + # use incorect pd certificate + openapi_task_check "create_noshard_task_with_security_failed" \ + "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ + "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # miss tidb cert certificate + openapi_task_check "create_noshard_task_with_security_failed" $task_name \ + "$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)" + # miss tidb key certificatete + openapi_task_check "create_noshard_task_with_security_failed" $task_name \ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""" \ + "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)" + # miss pd key certificate + openapi_task_check "create_noshard_task_with_security_failed" $task_name \ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""" + # miss pd cert certificate + openapi_task_check "create_noshard_task_with_security_failed" $task_name \ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca.pem""" "$cur/tls_conf/dm.key)" + # miss pd all certificate + openapi_task_check "create_noshard_task_with_security_failed" $task_name \ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key"\ + "" "" "" + echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS" +} + + +function test_reverse_https() { + echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>START TEST OPENAPI: REVERSE HTTPS" cleanup_data openapi cleanup_process 
@@ -1099,9 +1171,8 @@ function test_reverse_https_and_tls() { check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" prepare_database - init_noshard_data - # create source1 successfully - openapi_source_check "create_source1_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" + # create source successfully + openapi_source_check "create_source_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" # get source list success openapi_source_check "list_source_success_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" 
@@ -1109,70 +1180,7 @@ function test_reverse_https_and_tls() { # send request to not leader node openapi_source_check "list_source_with_reverse_https" 1 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # create source2 successfully - openapi_source_check "create_source2_success_https" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - - echo "kill all tidb process and start downstream TiDB cluster with TLS" - killall -9 tidb-server 2>/dev/null || true - killall -9 tikv-server 2>/dev/null || true - killall -9 pd-server 2>/dev/null || true - run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf - - task_name="task-tls-1" - openapi_task_check "create_task_success_https" $task_name "" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 - - check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml - - task_name="task-tls-2" - openapi_task_check "create_task_success_https" $task_name "t3" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca2.pem" "" "" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check 
"get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 - - task_name="task-tls-3" - openapi_task_check "create_task_success_https" $task_name "t4" "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$$cur/tls_conf/ca2.pem" "" "" \ - "$cur/tls_conf/ca.pem" "" "" - openapi_task_check "start_task_success_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "get_task_status_success_https" $task_name 2 "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - openapi_task_check "get_task_status_with_retry" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" "Sync" "Running" 50 - - task_name="task-tls-4" - # use incorect tidb certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # use incorect pd certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" - # miss tidb cert certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \ - "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" - # miss tidb key certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "" \ - 
"$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" - # miss pd key certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ - "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "" - # miss pd cert certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ - "$(cat $cur/tls_conf/ca.pem)" "" "$(cat $cur/tls_conf/dm.key)" - # miss pd all certificate - openapi_task_check "create_noshard_task_failed_https" $task_name "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ - "" "" "" + cleanup_data openapi cleanup_process # run dm-master1 @@ -1188,7 +1196,7 @@ function test_reverse_https_and_tls() { run_dm_worker $WORK_DIR/worker2 $WORKER2_PORT $cur/conf/dm-worker2.toml check_rpc_alive $cur/../bin/check_worker_online 127.0.0.1:$WORKER2_PORT - echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: REVERSE HTTPS AND TLS" + echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: REVERSE HTTPS" } function test_cluster() { diff --git a/dm/tests/tls/run.sh b/dm/tests/tls/run.sh index 7684a5ba26e..199bc478c5c 100644 --- a/dm/tests/tls/run.sh +++ b/dm/tests/tls/run.sh @@ -22,7 +22,7 @@ function setup_tidb_with_tls() { socket = "/tmp/tidb-tls.sock" [status] -status-port = 10080 +status-port = 10090 [security] # set the path for certificates. Empty string means disabling secure connections. From 7e92d4073139dfaa3ba9dd84955727a582654475 Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 18:39:52 +0800 Subject: [PATCH 27/63] fix test --- dm/loader/lightning_test.go | 1 + dm/openapi/fixtures/task.go | 12 +++++------ dm/tests/openapi/client/openapi_source_check | 22 +++----------------- dm/tests/openapi/run.sh | 3 ++- 4 files changed, 12 insertions(+), 26 deletions(-) diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go index 835b1c4f82b..c1d0f2aec37 100644 --- a/dm/loader/lightning_test.go +++ b/dm/loader/lightning_test.go @@ -143,6 +143,7 @@ func TestGetLightiningConfig(t *testing.T) { toSecurityCfg: &security.Security{}, }, } + // GetLightningConfig will varify certificates formate, so using real certificates. for _, c := range cases { conf, err = GetLightningConfig( &lcfg.GlobalConfig{Security: *c.globalSecurityCfg}, diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 13ce72081f4..216df570b24 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -62,12 +62,12 @@ var ( "password": "123456", "port": 4000, "security": { - "ssl_ca_content": "fake_ssl_ca_content", - "ssl_cert_content": "fake_ssl_cert_content", - "ssl_key_content": "fake_ssl_key_content", - "ssl_ca": "fake_ssl_ca/ca.pem", - "ssl_cert": "fake_ssl_ca/dm.pem", - "ssl_key": "fake_ssl_ca/dm.key", + "ssl_ca_content": "fake_ssl_ca_content", + "ssl_cert_content": "fake_ssl_cert_content", + "ssl_key_content": "fake_ssl_key_content", + "ssl_ca": "fake_ssl_ca/ca.pem", + "ssl_cert": "fake_ssl_ca/dm.pem", + "ssl_key": "fake_ssl_ca/dm.key", "cert_allowed_cn": ["TiDB1", "TiDB2"] }, "user": "root" diff --git a/dm/tests/openapi/client/openapi_source_check b/dm/tests/openapi/client/openapi_source_check index 75899c36377..c55736b2939 100755 --- a/dm/tests/openapi/client/openapi_source_check +++ b/dm/tests/openapi/client/openapi_source_check 
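Review bot: The added comment `// GetLightningConfig will varify certificates formate, so using real certificates.` has two typos and reads awkwardly; since it explains why real PEM fixtures (rather than fake strings) are required, it is worth getting right: `// GetLightningConfig parses the certificate files, so the cases use real (test-only) certificates rather than placeholder strings.` The comment sits inside `TestGetLightiningConfig`, whose body begins before and ends after this hunk.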
@@ -58,7 +58,7 @@ def create_source2_success(): print("create_source2_success resp=", resp.json()) assert resp.status_code == 201 -def create_source1_success_https(ssl_ca, ssl_cert, ssl_key): +def create_source_success_https(ssl_ca, ssl_cert, ssl_key): req = { "source": { "case_sensitive": False, @@ -72,26 +72,9 @@ def create_source1_success_https(ssl_ca, ssl_cert, ssl_key): } } resp = requests.post(url=API_ENDPOINT_HTTPS, json=req, verify=ssl_ca, cert=(ssl_cert, ssl_key)) - print("create_source1_success_https resp=", resp.json()) + print("create_source_success_https resp=", resp.json()) assert resp.status_code == 201 -def create_source2_success_https(ssl_ca, ssl_cert, ssl_key): - req = { - "source": { - "case_sensitive": False, - "enable": True, - "enable_gtid": False, - "host": "127.0.0.1", - "password": "123456", - "port": 3307, - "source_name": SOURCE2_NAME, - "user": "root", - } - } - resp = requests.post(url=API_ENDPOINT_HTTPS, json=req, verify=ssl_ca, cert=(ssl_cert, ssl_key)) - print("create_source2_success_https resp=", resp.json()) - assert resp.status_code == 201 - def update_source1_without_password_success(): req = { "source": { @@ -286,6 +269,7 @@ if __name__ == "__main__": "create_source_failed": create_source_failed, "create_source1_success": create_source1_success, "create_source2_success": create_source2_success, + "create_source_success_https": create_source_success_https, "update_source1_without_password_success": update_source1_without_password_success, "list_source_success": list_source_success, "list_source_success_https": list_source_success_https, diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 1c0476755da..1cbdad2811f 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
@@ -1247,8 +1247,9 @@ function run() { test_delete_task_with_stopped_downstream test_start_task_with_condition test_stop_task_with_condition - test_reverse_https_and_tls + test_reverse_https test_full_mode_task + test_tls # NOTE: this test case MUST running at last, because it will offline some members of cluster test_cluster From c04aeb9c2840fd7d3e2c32c9e14d56a9727f0372 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 18:43:25 +0800 Subject: [PATCH 28/63] revert --- dm/config/task_converters_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 81d7f9e1695..6910bd1abf5 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -371,6 +371,7 @@ func testShardAndFilterSubTaskConfigsToOpenAPITask(c *check.C) { if task.TableMigrateRule[0].Source.SourceName != newTask.TableMigrateRule[0].Source.SourceName { task.TableMigrateRule[0], task.TableMigrateRule[1] = task.TableMigrateRule[1], task.TableMigrateRule[0] } + c.Assert(&task, check.DeepEquals, newTask) } From a2b0494191249e8bbbb331b9c383687da0e03d4b Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 22:28:40 +0800 Subject: [PATCH 29/63] fmt --- dm/tests/openapi/run.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 1cbdad2811f..e5c01bef85c 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
@@ -1093,7 +1093,7 @@ function test_tls() { "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" openapi_task_check "start_task_success" $task_name "" - openapi_task_check "get_task_status_success" $task_name 2 + openapi_task_check "get_task_status_success" $task_name 2 openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml @@ -1114,14 +1114,14 @@ function test_tls() { # miss pd cert and key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$$cur/tls_conf/ca2.pem" "" "" \ - "$cur/tls_conf/ca.pem" "" "" + "$cur/tls_conf/ca.pem" "" "" # use incorect pd certificate openapi_task_check "create_noshard_task_with_security_failed" \ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" # miss tidb cert certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key" \ "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)" # miss tidb key certificatete openapi_task_check "create_noshard_task_with_security_failed" $task_name \ 
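Review bot: The `# miss tidb cert certificate` call this hunk touches still passes `"$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key" \` — the adjacent quoted strings concatenate into one argument, so the empty cert argument the comment promises is never sent and every later argument shifts left by one, while the following line ends in `"$cur/tls_conf/dm.key)"` with a stray `)` baked into the path; the `# miss pd cert and key certificate` case just above it reads `"$$cur/tls_conf/ca2.pem"`, where `$$` expands to the shell's PID. Because `create_noshard_task_with_security_failed` only checks that the request was rejected (and is relaxed to `status_code != 201` later in this series), these malformed requests still pass without exercising the missing-certificate validation they are named for. Fix the arguments: `"$cur/tls_conf/ca2.pem" "" "$cur/tls_conf/tidb.key" \` then `"$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"`, and `"$cur/tls_conf/ca2.pem" "" "" \` in place of the `$$` line. `test_tls` begins before this hunk.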
@@ -1129,20 +1129,19 @@ function test_tls() { "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)" # miss pd key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""" # miss pd cert certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ "$cur/tls_conf/ca.pem""" "$cur/tls_conf/dm.key)" # miss pd all certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key"\ + "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ "" "" "" echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS" } - function test_reverse_https() { echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>START TEST OPENAPI: REVERSE HTTPS" cleanup_data openapi From 33b326c018c355b958d8d95e0b2e514c321e0c58 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 22:37:43 +0800 Subject: [PATCH 30/63] fix test --- dm/tests/dmctl_basic/conf/get_task.yaml | 1 + dm/tests/import_v10x/conf/task.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/dm/tests/dmctl_basic/conf/get_task.yaml b/dm/tests/dmctl_basic/conf/get_task.yaml index d4ab9919fc8..b7d01a680dc 100644 --- a/dm/tests/dmctl_basic/conf/get_task.yaml +++ b/dm/tests/dmctl_basic/conf/get_task.yaml @@ -132,6 +132,7 @@ loaders: range-concurrency: 0 compress-kv-pairs: "" pd-addr: "" + security: null syncers: sync-01: meta-file: "" diff --git a/dm/tests/import_v10x/conf/task.yaml b/dm/tests/import_v10x/conf/task.yaml index 07285965df5..13f46390543 100644 
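Review bot: The three `create_noshard_task_with_security_failed` calls reformatted here each pass `"$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \` as a single concatenated argument (the fmt pass only moved the backslash), so the helper receives one bogus path for the TiDB CA and every following argument shifts by two, and the `# miss pd cert certificate` case also passes `"$cur/tls_conf/dm.key)"` with a trailing `)`. The requests are therefore rejected for reasons unrelated to the missing PD key/cert the comments describe, which is what the negative cases are supposed to prove. Space-separate the arguments, `"$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \`, and drop the stray `)`; consider a single `tidb_tls="$cur/tls_conf/ca2.pem $cur/tls_conf/tidb.pem $cur/tls_conf/tidb.key"`-style variable set per case to stop this class of typo recurring. `test_tls` begins before this hunk.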
--- a/dm/tests/import_v10x/conf/task.yaml +++ b/dm/tests/import_v10x/conf/task.yaml @@ -101,6 +101,7 @@ loaders: range-concurrency: 0 compress-kv-pairs: "" pd-addr: "" + security: null syncers: sync-01: meta-file: "" From eb1a6093cf28035086ad17f994d0ab90f540b68b Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:31:17 +0800 Subject: [PATCH 31/63] fix test --- dm/config/task_converters_test.go | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 6910bd1abf5..62fed16799d 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -67,9 +67,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: task.TargetConfig.Security.SslCa, - SSLKey: task.TargetConfig.Security.SslKey, - SSLCert: task.TargetConfig.Security.SslCert, + SSLCA: *task.TargetConfig.Security.SslCa, + SSLKey: *task.TargetConfig.Security.SslKey, + SSLCert: *task.TargetConfig.Security.SslCert, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } 
@@ -133,9 +133,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(subTaskConfig.UUID, check.HasLen, len(uuid.NewString())) c.Assert(subTaskConfig.DumpUUID, check.HasLen, len(uuid.NewString())) // check security items - c.Assert(subTaskConfig.To.Security.SSLCA, check.Equals, task.TargetConfig.Security.SslCa) - c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, task.TargetConfig.Security.SslCertContent) - c.Assert(subTaskConfig.To.Security.SSLKey, check.Equals, task.TargetConfig.Security.SslKeyContent) + c.Assert(subTaskConfig.To.Security.SSLCA, check.Equals, *task.TargetConfig.Security.SslCa) + c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, *task.TargetConfig.Security.SslCert) + c.Assert(subTaskConfig.To.Security.SSLKey, check.Equals, *task.TargetConfig.Security.SslKey) c.Assert(subTaskConfig.LoaderConfig.Security.SSLCA, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCa) c.Assert(subTaskConfig.LoaderConfig.Security.SSLCert, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCert) c.Assert(subTaskConfig.LoaderConfig.Security.SSLKey, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKey) @@ -299,9 +299,9 @@ func testNoShardSubTaskConfigsToOpenAPITask(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: task.TargetConfig.Security.SslCa, - SSLCert: task.TargetConfig.Security.SslCert, - SSLKey: task.TargetConfig.Security.SslKey, + SSLCA: *task.TargetConfig.Security.SslCa, + SSLCert: *task.TargetConfig.Security.SslCert, + SSLKey: *task.TargetConfig.Security.SslKey, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } 
@@ -391,9 +391,9 @@ func TestConvertWithIgnoreCheckItems(t *testing.T) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: task.TargetConfig.Security.SslCa, - SSLCert: task.TargetConfig.Security.SslCert, - SSLKey: task.TargetConfig.Security.SslKey, + SSLCA: *task.TargetConfig.Security.SslCa, + SSLCert: *task.TargetConfig.Security.SslCert, + SSLKey: *task.TargetConfig.Security.SslKey, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } @@ -430,6 +430,7 @@ func TestConvertBetweenOpenAPITaskAndTaskConfig(t *testing.T) { task1, err := TaskConfigToOpenAPITask(taskCfg, sourceCfgMap) require.NoError(t, err) require.NotNil(t, task1) + require.Equal(t, task1.SourceConfig.FullMigrateConf.Security.SslCa, task.SourceConfig.FullMigrateConf.Security.SslCa) require.EqualValues(t, task1, &task) // test update some fields in task From faf557d4a7d20677de5f1a0f4449b914025aa0d1 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:32:26 +0800 Subject: [PATCH 32/63] fix test --- dm/config/task_converters_test.go | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 62fed16799d..63449fddf16 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -67,9 +67,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: *task.TargetConfig.Security.SslCa, - SSLKey: *task.TargetConfig.Security.SslKey, - SSLCert: *task.TargetConfig.Security.SslCert, + SSLCA: task.TargetConfig.Security.SslCa, + SSLKey: task.TargetConfig.Security.SslKey, + SSLCert: task.TargetConfig.Security.SslCert, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } 
@@ -133,9 +133,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(subTaskConfig.UUID, check.HasLen, len(uuid.NewString())) c.Assert(subTaskConfig.DumpUUID, check.HasLen, len(uuid.NewString())) // check security items - c.Assert(subTaskConfig.To.Security.SSLCA, check.Equals, *task.TargetConfig.Security.SslCa) - c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, *task.TargetConfig.Security.SslCert) - c.Assert(subTaskConfig.To.Security.SSLKey, check.Equals, *task.TargetConfig.Security.SslKey) + c.Assert(subTaskConfig.To.Security.SSLCA, check.Equals, task.TargetConfig.Security.SslCa) + c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, task.TargetConfig.Security.SslCert) + c.Assert(subTaskConfig.To.Security.SSLKey, check.Equals, task.TargetConfig.Security.SslKey) c.Assert(subTaskConfig.LoaderConfig.Security.SSLCA, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCa) c.Assert(subTaskConfig.LoaderConfig.Security.SSLCert, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCert) c.Assert(subTaskConfig.LoaderConfig.Security.SSLKey, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKey) @@ -299,9 +299,9 @@ func testNoShardSubTaskConfigsToOpenAPITask(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: *task.TargetConfig.Security.SslCa, - SSLCert: *task.TargetConfig.Security.SslCert, - SSLKey: *task.TargetConfig.Security.SslKey, + SSLCA: task.TargetConfig.Security.SslCa, + SSLCert: task.TargetConfig.Security.SslCert, + SSLKey: task.TargetConfig.Security.SslKey, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } 
@@ -391,9 +391,9 @@ func TestConvertWithIgnoreCheckItems(t *testing.T) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: *task.TargetConfig.Security.SslCa, - SSLCert: *task.TargetConfig.Security.SslCert, - SSLKey: *task.TargetConfig.Security.SslKey, + SSLCA: task.TargetConfig.Security.SslCa, + SSLCert: task.TargetConfig.Security.SslCert, + SSLKey: task.TargetConfig.Security.SslKey, CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } From 60ff2312ebf99fa325db2b6c92ecb091157b6c6c Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:35:42 +0800 Subject: [PATCH 33/63] fix test --- dm/tests/openapi/client/openapi_task_check | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index e82137b4230..536bf7953d6 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -271,12 +271,8 @@ def create_noshard_task_with_security_failed( }, } resp = requests.post(url=API_ENDPOINT, json={"task": task}) - if resp.status_code == 502: - print("create_noshard_task_with_security_failed return 502") - assert resp.status_code == 502 - else: - print("create_noshard_task_with_security_failed resp=", resp.json()) - assert resp.status_code == 400 + assert resp.status_code != 201 + print("create_noshard_task_with_security_failed return ", resp.status_code) def create_incremental_task_with_gtid_success(task_name,binlog_name1,binlog_pos1,binlog_gtid1,binlog_name2,binlog_pos2,binlog_gtid2): task = { From 2ecd31b8e47f0d29ce0ab38864b06cb7c5f8ce64 Mon Sep 17 00:00:00 2001 
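Review bot: `assert resp.status_code != 201` in create_noshard_task_with_security_failed accepts any non-201 outcome, so a 500 from a server-side panic or a 502 from a proxy is indistinguishable from the intended validation rejection and the negative TLS cases pass vacuously. The print that follows runs only after the assertion, so a failing run reports no status at all. Printing first and pinning the expected code, `print("create_noshard_task_with_security_failed resp=", resp.status_code, resp.text)` then `assert resp.status_code == 400`, keeps the check tied to the validation path it is meant to cover.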
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 00:30:39 +0800 Subject: [PATCH 34/63] fix test --- dm/config/task_converters.go | 26 ++++++++++++++------------ dm/config/task_converters_test.go | 1 - dm/openapi/fixtures/task.go | 24 ++++++++++++------------ 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index b5f44120906..d3997f83da7 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go @@ -242,17 +242,16 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig, if fullCfg.Security != nil { if fullCfg.Security.SslCa == "" || fullCfg.Security.SslKey == "" || fullCfg.Security.SslCert == "" { return nil, terror.ErrOpenAPICommonError.Generatef("Invalid security config, need to set all of ca/cert/key file path.") - } else { - var certAllowedCN []string - if fullCfg.Security.CertAllowedCn != nil { - certAllowedCN = *fullCfg.Security.CertAllowedCn - } - subTaskCfg.LoaderConfig.Security = &security.Security{ - SSLCA: fullCfg.Security.SslCa, - SSLKey: fullCfg.Security.SslKey, - SSLCert: fullCfg.Security.SslCert, - CertAllowedCN: certAllowedCN, - } + } + var certAllowedCN []string + if fullCfg.Security.CertAllowedCn != nil { + certAllowedCN = *fullCfg.Security.CertAllowedCn + } + subTaskCfg.LoaderConfig.Security = &security.Security{ + SSLCA: fullCfg.Security.SslCa, + SSLKey: fullCfg.Security.SslKey, + SSLCert: fullCfg.Security.SslCert, + CertAllowedCN: certAllowedCN, } } if fullCfg.RangeConcurrency != nil { 
@@ -354,6 +353,9 @@ func GetTargetDBCfgFromOpenAPITask(task *openapi.Task) *dbconfig.DBConfig { SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLCA: task.TargetConfig.Security.SslCa, + SSLCert: task.TargetConfig.Security.SslCert, + SSLKey: task.TargetConfig.Security.SslKey, CertAllowedCN: certAllowedCN, } } @@ -703,7 +705,7 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta } task.TargetConfig.Security = &openapi.Security{ CertAllowedCn: &certAllowedCN, - SslCa: oneSubtaskConfig.To.Security.SSLCert, + SslCa: oneSubtaskConfig.To.Security.SSLCA, SslCert: oneSubtaskConfig.To.Security.SSLCert, SslKey: oneSubtaskConfig.To.Security.SSLKey, } diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 63449fddf16..73c4fff7b59 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -430,7 +430,6 @@ func TestConvertBetweenOpenAPITaskAndTaskConfig(t *testing.T) { task1, err := TaskConfigToOpenAPITask(taskCfg, sourceCfgMap) require.NoError(t, err) require.NotNil(t, task1) - require.Equal(t, task1.SourceConfig.FullMigrateConf.Security.SslCa, task.SourceConfig.FullMigrateConf.Security.SslCa) require.EqualValues(t, task1, &task) // test update some fields in task diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 216df570b24..771fcf930f2 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go 
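Review bot: In GetTargetDBCfgFromOpenAPITask the target Security now carries both the PEM contents (`SSLCABytes`, `SSLKeyBytes`, `SSLCertBytes`) and the file paths (`SSLCA`, `SSLCert`, `SSLKey`) at once, and nothing in this hunk says which wins when both are non-empty or when a client sends a path together with stale content. Since the paths are server-side filenames chosen by the API caller, the precedence should be explicit at this layer, either by rejecting a request that sets both or by a comment stating that content takes priority. The `SslCa: oneSubtaskConfig.To.Security.SSLCA` fix in the @@ -703 hunk corrects a copy-paste bug; a dedicated assertion in task_converters_test.go pinning `SslCa` against `To.Security.SSLCA` would keep it from regressing, since the `require.Equal` line removed in the same patch only covered the source side.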
@@ -35,12 +35,12 @@ var ( "import_mode": "physical", "pd_addr": "127.0.0.1:2379", "security": { - "ssl_ca_content": "fake_ssl_ca_content_2", - "ssl_cert_content": "fake_ssl_cert_content_2", - "ssl_key_content": "fake_ssl_key_content_2", - "ssl_ca": "fake_ssl_ca/ca.pem", - "ssl_cert": "fake_ssl_cert/dm.pem", - "ssl_key": "fake_ssl_key/dm.key", + "ssl_ca_content": "", + "ssl_cert_content": "", + "ssl_key_content": "", + "ssl_ca": "ca.pem", + "ssl_cert": "dm.pem", + "ssl_key": "dm.key", "cert_allowed_cn": ["PD1", "PD2"] } }, @@ -62,12 +62,12 @@ var ( "password": "123456", "port": 4000, "security": { - "ssl_ca_content": "fake_ssl_ca_content", - "ssl_cert_content": "fake_ssl_cert_content", - "ssl_key_content": "fake_ssl_key_content", - "ssl_ca": "fake_ssl_ca/ca.pem", - "ssl_cert": "fake_ssl_ca/dm.pem", - "ssl_key": "fake_ssl_ca/dm.key", + "ssl_ca_content": "", + "ssl_cert_content": "", + "ssl_key_content": "", + "ssl_ca": "ca.pem", + "ssl_cert": "dm.pem", + "ssl_key": "dm.key", "cert_allowed_cn": ["TiDB1", "TiDB2"] }, "user": "root" From bb77e93f59c101e5ed95281a666ff7725ec0e4ed Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 00:38:04 +0800 Subject: [PATCH 35/63] fix test --- dm/tests/openapi/run.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index e5c01bef85c..fc605ff794c 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
@@ -1115,10 +1115,6 @@ function test_tls() { openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$$cur/tls_conf/ca2.pem" "" "" \ "$cur/tls_conf/ca.pem" "" "" - # use incorect pd certificate - openapi_task_check "create_noshard_task_with_security_failed" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" \ - "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key" # miss tidb cert certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key" \ @@ -1139,6 +1135,11 @@ function test_tls() { openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ "" "" "" + + killall tidb-server 2>/dev/null || true + killall tikv-server 2>/dev/null || true + killall pd-server 2>/dev/null || true + cleanup_data openapi echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS" } From 85acc9b43a46d3f88b4f46427f6f925eef1639fa Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 12:54:06 +0800 Subject: [PATCH 36/63] fix test --- dm/config/task_converters.go | 3 --- .../_utils/run_downstream_cluster_with_tls | 10 +++---- dm/tests/openapi/run.sh | 26 +++++++------------ 3 files changed, 15 insertions(+), 24 deletions(-) diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index d3997f83da7..0057e33f97e 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go 
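Review bot: The context lines kept in the @@ -1115 hunk are still argument-mangled: `"$$cur/tls_conf/ca2.pem"` expands `$$` to the shell's PID, and `"$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key"` concatenates the first two arguments, so the positional parameters reaching create_noshard_task_with_security_failed are shifted. Because that checker only asserts that creation fails, these cases currently pass for the wrong reason. The hunk also deletes the "use incorect pd certificate" case, which was the only one exercising a CA mismatch rather than a missing file; if the server now rejects it with a different status, adjusting the expected code preserves that coverage better than dropping the case. The three `killall` lines added in the @@ -1139 hunk terminate every process of those names on the host, not only the cluster this script started; test_tls begins outside both hunks.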
@@ -353,9 +353,6 @@ func GetTargetDBCfgFromOpenAPITask(task *openapi.Task) *dbconfig.DBConfig { SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), - SSLCA: task.TargetConfig.Security.SslCa, - SSLCert: task.TargetConfig.Security.SslCert, - SSLKey: task.TargetConfig.Security.SslKey, CertAllowedCN: certAllowedCN, } } diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls index 3bdb874c567..14624677dcc 100755 --- a/dm/tests/_utils/run_downstream_cluster_with_tls +++ b/dm/tests/_utils/run_downstream_cluster_with_tls @@ -2,7 +2,7 @@ # tools to run a TiDB cluster # parameter 1: work directory set -eux -WORK_DIR=$1 +WORK_DIR="${1}_deploy_tidb" CONF_DIR=$2 export PD_PEER_ADDR_TLS="127.0.0.1:23800" @@ -132,7 +132,7 @@ EOF --store tikv \ --path "$PD_ADDR_TLS" \ --config $WORK_DIR/tidb-tls-config.toml \ - --log-file "$WORK_DIR/tidb-tls.log" 2>&1 & + --log-file "$WORK_DIR/tidb-tls.log" >/dev/null 2>&1 & sleep 5 i=0 while true; do @@ -152,7 +152,7 @@ EOF sleep 3 done } - +mkdir $WORK_DIR start_pd start_tikv start_tidb 
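Review bot: `mkdir $WORK_DIR` is added after `WORK_DIR="${1}_deploy_tidb"`, unquoted and without `-p`; under `set -eux` a second run against the same work directory aborts here, and a `$1` containing whitespace splits into several names. `mkdir -p "$WORK_DIR"` covers both. Redirecting tidb-server with `>/dev/null 2>&1` discards anything it prints before its log file is open, so a start-up failure leaves no trace for the readiness loop that follows; redirecting to a file inside `"$WORK_DIR"` keeps that output available.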
@@ -161,10 +161,10 @@ echo "Show databases without TLS" mysql -uroot -h$TIDB_IP_TLS -P$TIDB_PORT_TLS --default-character-set utf8 -E -e "SHOW DATABASES;" echo "Show database with TLS" mysql -uroot -h$TIDB_IP_TLS -P$TIDB_PORT_TLS --default-character-set utf8 --ssl-ca $CONF_DIR/ca2.pem \ - --ssl-cert $CONF_DIR/tidb.pem --ssl-key $CONF_DIR/tidb.key -E -e "SHOW DATABASES;" + --ssl-cert $CONF_DIR/tidb.pem --ssl-key $CONF_DIR/tidb.key --ssl-mode=VERIFY_CA -E -e "SHOW DATABASES;" echo "Show databases with invalid TLS" if ! output=$(mysql -uroot -h"$TIDB_IP_TLS" -P"$TIDB_PORT_TLS" --default-character-set=utf8 \ --ssl-ca "$CONF_DIR/ca.pem" --ssl-cert "$CONF_DIR/dm.pem" --ssl-key "$CONF_DIR/dm.key" \ - -E -e "SHOW DATABASES;" 2>&1); then + --ssl-mode=VERIFY_CA -E -e "SHOW DATABASES;" 2>&1); then echo "$output" fi diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index fc605ff794c..bbb5c958a83 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -1085,7 +1085,9 @@ function test_tls() { openapi_source_check "create_source2_success" echo "start downstream TiDB cluster with TLS" - killall tidb-server 2>/dev/null || true + killall -9 tidb-server 2>/dev/null || true + killall -9 tikv-server 2>/dev/null || true + killall -9 pd-server 2>/dev/null || true run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf task_name="task-tls-1" 
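Review bot: Adding `--ssl-mode=VERIFY_CA` is what makes the "invalid TLS" check meaningful, since without it the client does not verify the server certificate, but the `if ! output=$(...); then echo "$output"; fi` around it still only prints: a connection with `ca.pem` against a server issued under `ca2.pem` that unexpectedly succeeds does not fail the script. Adding an else branch, `else echo "connection with mismatched CA unexpectedly succeeded"; exit 1`, turns the check into an assertion. In the run.sh hunk, `killall -9 pd-server` and its siblings kill every process with that name on the machine; tracking the PIDs the helper started would limit cleanup to this test's cluster. test_tls starts outside that hunk.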
@@ -1107,39 +1109,31 @@ function test_tls() { openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 task_name="task-tls-error" - # use incorect pd certificate - openapi_task_check "create_noshard_task_with_security_failed" $task_name "t4" \ - "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ - "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" # miss pd cert and key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$$cur/tls_conf/ca2.pem" "" "" \ "$cur/tls_conf/ca.pem" "" "" # miss tidb cert certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""" "$cur/tls_conf/tidb.key" \ + "$cur/tls_conf/ca2.pem" "" "$cur/tls_conf/tidb.key" \ "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)" # miss tidb key certificatete openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""" \ - "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)" + "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "" \ + "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key)" # miss pd key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ + "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""" # miss pd cert certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ - "$cur/tls_conf/ca.pem""" "$cur/tls_conf/dm.key)" + "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ + "$cur/tls_conf/ca.pem" "" "$cur/tls_conf/dm.key)" # miss pd all certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name 
\ - "$cur/tls_conf/ca2.pem""$cur/tls_conf/tidb.pem""$cur/tls_conf/tidb.key" \ + "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \ "" "" "" - killall tidb-server 2>/dev/null || true - killall tikv-server 2>/dev/null || true - killall pd-server 2>/dev/null || true - cleanup_data openapi echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS" } From 9298b974f095a110be524764575d1b159d556edd Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:13:59 +0800 Subject: [PATCH 37/63] fmt --- dm/tests/openapi/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index bbb5c958a83..d87565f6860 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -1087,7 +1087,7 @@ function test_tls() { echo "start downstream TiDB cluster with TLS" killall -9 tidb-server 2>/dev/null || true killall -9 tikv-server 2>/dev/null || true - killall -9 pd-server 2>/dev/null || true + killall -9 pd-server 2>/dev/null || true run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf task_name="task-tls-1" From 2389c330982fa92bca8636bbc901bbdc52ae8357 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 15:02:41 +0800 Subject: [PATCH 38/63] fix test --- dm/config/security/security.go | 6 ++++++ dm/config/security_test.go | 3 +++ dm/openapi/fixtures/task.go | 6 +++--- dm/tests/_utils/run_downstream_cluster_with_tls | 1 + dm/tests/openapi/client/openapi_task_check | 5 +++-- 5 files changed, 16 insertions(+), 5 deletions(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index 6854bb3cea0..b7b3e89c2a4 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go 
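Review bot: Only some of the argument lists are repaired in this hunk; on the new side "miss tidb cert certificate" still passes `"$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)"` as a single argument with a stray `)`, "miss pd key certificate" still passes `"$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem"""` as one argument, and "miss pd cert and key certificate" keeps `"$$cur/tls_conf/ca2.pem"`, where `$$` is the shell PID. Each of these fails creation for a reason other than the one named in its comment, so the cases pass without exercising the intended validation. The fixed form used elsewhere in the hunk, `"$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"`, applies to all three. test_tls begins outside the hunk.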
@@ -83,6 +83,9 @@ func (s *Security) ClearSSLBytesData() { s.SSLCABytes = s.SSLCABytes[:0] s.SSLKeyBytes = s.SSLKeyBytes[:0] s.SSLCertBytes = s.SSLCertBytes[:0] + s.SSLCA = "" + s.SSLCert = "" + s.SSLKey = "" } // Clone returns a deep copy of Security. @@ -95,5 +98,8 @@ func (s *Security) Clone() *Security { clone.SSLCABytes = append([]byte(nil), s.SSLCABytes...) clone.SSLKeyBytes = append([]byte(nil), s.SSLKeyBytes...) clone.SSLCertBytes = append([]byte(nil), s.SSLCertBytes...) + clone.SSLCA = s.SSLCA + clone.SSLCert = s.SSLCert + clone.SSLKey = s.SSLKey return &clone } diff --git a/dm/config/security_test.go b/dm/config/security_test.go index 40e4c833c9a..c713229d6c0 100644 --- a/dm/config/security_test.go +++ b/dm/config/security_test.go @@ -106,6 +106,9 @@ func (c *testTLSConfig) TestLoadAndClearContent() { c.Require().Len(s.SSLCABytes, 0) c.Require().Len(s.SSLCertBytes, 0) c.Require().Len(s.SSLKeyBytes, 0) + c.Require().Equal(s.SSLCA, "") + c.Require().Equal(s.SSLCert, "") + c.Require().Equal(s.SSLKey, "") s.SSLCABase64 = "MTIz" err = s.LoadTLSContent() diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 771fcf930f2..51875b5f672 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -65,9 +65,9 @@ var ( "ssl_ca_content": "", "ssl_cert_content": "", "ssl_key_content": "", - "ssl_ca": "ca.pem", - "ssl_cert": "dm.pem", - "ssl_key": "dm.key", + "ssl_ca": "", + "ssl_cert": "", + "ssl_key": "", "cert_allowed_cn": ["TiDB1", "TiDB2"] }, "user": "root" diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls index 14624677dcc..3f0cf58d3f6 100755 --- a/dm/tests/_utils/run_downstream_cluster_with_tls +++ b/dm/tests/_utils/run_downstream_cluster_with_tls @@ -152,6 +152,7 @@ EOF sleep 3 done } +rm -rf $WORK_DIR mkdir $WORK_DIR start_pd start_tikv 
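Review bot: ClearSSLBytesData now also blanks `SSLCA`, `SSLCert` and `SSLKey`, so the method no longer does what its name says and a caller that clears the in-memory PEM after loading it can no longer fall back to the file paths. If the intent is to drop every TLS setting, a renamed method or a doc comment such as `// ClearSSLBytesData clears the loaded certificate bytes and the ca/cert/key file paths.` would make that visible at call sites. In Clone, the three added string assignments look redundant if `clone` is a value copy of `*s` as the preceding byte-slice copies suggest; confirm before keeping them. In the run_downstream_cluster_with_tls hunk, `rm -rf $WORK_DIR` is unquoted; `rm -rf "$WORK_DIR"` avoids word splitting on a derived path.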
diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index 536bf7953d6..7d7b50bddbe 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -271,8 +271,9 @@ def create_noshard_task_with_security_failed( }, } resp = requests.post(url=API_ENDPOINT, json={"task": task}) - assert resp.status_code != 201 - print("create_noshard_task_with_security_failed return ", resp.status_code) + print("create_noshard_task_with_security_failed resp=", resp.json()) + assert resp.status_code == 400 + def create_incremental_task_with_gtid_success(task_name,binlog_name1,binlog_pos1,binlog_gtid1,binlog_name2,binlog_pos2,binlog_gtid2): task = { From b7225d81b7ef4b6569ddd85f5f361b9e5b68011c Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 15:12:18 +0800 Subject: [PATCH 39/63] fmt --- dm/openapi/fixtures/task.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 51875b5f672..8da8740fe3b 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -69,7 +69,7 @@ var ( "ssl_cert": "", "ssl_key": "", "cert_allowed_cn": ["TiDB1", "TiDB2"] - }, + }, "user": "root" }, "task_mode": "all", From 96414d992d15babc26d9bde6ba4e0004631822d4 Mon Sep 17 00:00:00 2001 
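Review bot: `resp.json()` is now called before `assert resp.status_code == 400`, so a response without a JSON body (a 502 from a proxy, as the branch removed two patches earlier used to handle) raises a decode error inside print and the real status code is never reported. Printing `resp.status_code` and `resp.text` first, then asserting, keeps the failure message useful: `print("create_noshard_task_with_security_failed resp=", resp.status_code, resp.text)` followed by `assert resp.status_code == 400`.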
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 17 Dec 2024 17:58:10 +0800 Subject: [PATCH 40/63] use tls content --- dm/config/security/security.go | 6 - dm/config/security_test.go | 3 - dm/config/task_converters.go | 25 ++- dm/config/task_converters_test.go | 30 +-- dm/loader/lightning.go | 12 +- dm/openapi/fixtures/source.go | 3 - dm/openapi/fixtures/task.go | 18 +- dm/openapi/gen.server.go | 218 ++++++++++----------- dm/openapi/gen.types.go | 9 - dm/openapi/spec/dm.yaml | 15 -- dm/tests/openapi/client/openapi_task_check | 38 ++-- dm/tests/openapi/run.sh | 32 +-- 12 files changed, 178 insertions(+), 231 deletions(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index b7b3e89c2a4..6854bb3cea0 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go @@ -83,9 +83,6 @@ func (s *Security) ClearSSLBytesData() { s.SSLCABytes = s.SSLCABytes[:0] s.SSLKeyBytes = s.SSLKeyBytes[:0] s.SSLCertBytes = s.SSLCertBytes[:0] - s.SSLCA = "" - s.SSLCert = "" - s.SSLKey = "" } // Clone returns a deep copy of Security. @@ -98,8 +95,5 @@ func (s *Security) Clone() *Security { clone.SSLCABytes = append([]byte(nil), s.SSLCABytes...) clone.SSLKeyBytes = append([]byte(nil), s.SSLKeyBytes...) clone.SSLCertBytes = append([]byte(nil), s.SSLCertBytes...) - clone.SSLCA = s.SSLCA - clone.SSLCert = s.SSLCert - clone.SSLKey = s.SSLKey return &clone } diff --git a/dm/config/security_test.go b/dm/config/security_test.go index c713229d6c0..40e4c833c9a 100644 --- a/dm/config/security_test.go +++ b/dm/config/security_test.go @@ -106,9 +106,6 @@ func (c *testTLSConfig) TestLoadAndClearContent() { c.Require().Len(s.SSLCABytes, 0) c.Require().Len(s.SSLCertBytes, 0) c.Require().Len(s.SSLKeyBytes, 0) - c.Require().Equal(s.SSLCA, "") - c.Require().Equal(s.SSLCert, "") - c.Require().Equal(s.SSLKey, "") s.SSLCABase64 = "MTIz" err = s.LoadTLSContent() 
diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index 0057e33f97e..b267834f618 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go @@ -240,17 +240,14 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig, subTaskCfg.LoaderConfig.PDAddr = *fullCfg.PdAddr } if fullCfg.Security != nil { - if fullCfg.Security.SslCa == "" || fullCfg.Security.SslKey == "" || fullCfg.Security.SslCert == "" { - return nil, terror.ErrOpenAPICommonError.Generatef("Invalid security config, need to set all of ca/cert/key file path.") - } var certAllowedCN []string if fullCfg.Security.CertAllowedCn != nil { certAllowedCN = *fullCfg.Security.CertAllowedCn } subTaskCfg.LoaderConfig.Security = &security.Security{ - SSLCA: fullCfg.Security.SslCa, - SSLKey: fullCfg.Security.SslKey, - SSLCert: fullCfg.Security.SslCert, + SSLCABytes: []byte(fullCfg.Security.SslCaContent), + SSLCertBytes: []byte(fullCfg.Security.SslCertContent), + SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent), CertAllowedCN: certAllowedCN, } } @@ -578,10 +575,10 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta certAllowedCN = oneSubtaskConfig.LoaderConfig.Security.CertAllowedCN } taskSourceConfig.FullMigrateConf.Security = &openapi.Security{ - CertAllowedCn: &certAllowedCN, - SslCa: oneSubtaskConfig.LoaderConfig.Security.SSLCA, - SslCert: oneSubtaskConfig.LoaderConfig.Security.SSLCert, - SslKey: oneSubtaskConfig.LoaderConfig.Security.SSLKey, + SslCaContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLCABytes), + SslCertContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLCertBytes), + SslKeyContent: string(oneSubtaskConfig.LoaderConfig.Security.SSLKeyBytes), + CertAllowedCn: &certAllowedCN, } } // set filter rules 
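Review bot: Removing the all-of-ca/cert/key check in OpenAPITaskToSubTaskConfigs means `LoaderConfig.Security` is now populated whenever `fullCfg.Security` is non-nil, even when all three `*Content` fields are empty, so lightning receives a Security with empty CA/cert/key bytes instead of a nil one and the 400 the openapi tests expect for missing material has to come from somewhere else. Keeping the invariant on the new fields, `if fullCfg.Security.SslCaContent == "" || fullCfg.Security.SslCertContent == "" || fullCfg.Security.SslKeyContent == "" { return nil, terror.ErrOpenAPICommonError.Generatef("Invalid security config, need to set all of ca/cert/key content.") }`, preserves the earlier behaviour. The @@ -578 hunk here and the @@ -701 hunk that follows now copy `SSLKeyBytes` into `SslKeyContent` of the openapi.Task; if SubTaskConfigsToOpenAPITask feeds the task read endpoints, the PEM private key is returned to any client that can list tasks, which deserves an explicit decision (omit or redact the key on read). OpenAPITaskToSubTaskConfigs begins outside the first hunk.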
@@ -701,10 +698,10 @@ func SubTaskConfigsToOpenAPITask(subTaskConfigList []*SubTaskConfig) *openapi.Ta certAllowedCN = oneSubtaskConfig.To.Security.CertAllowedCN } task.TargetConfig.Security = &openapi.Security{ - CertAllowedCn: &certAllowedCN, - SslCa: oneSubtaskConfig.To.Security.SSLCA, - SslCert: oneSubtaskConfig.To.Security.SSLCert, - SslKey: oneSubtaskConfig.To.Security.SSLKey, + SslCaContent: string(oneSubtaskConfig.To.Security.SSLCABytes), + SslCertContent: string(oneSubtaskConfig.To.Security.SSLCertBytes), + SslKeyContent: string(oneSubtaskConfig.To.Security.SSLKeyBytes), + CertAllowedCn: &certAllowedCN, } } return &task diff --git a/dm/config/task_converters_test.go b/dm/config/task_converters_test.go index 73c4fff7b59..44562c47697 100644 --- a/dm/config/task_converters_test.go +++ b/dm/config/task_converters_test.go @@ -67,9 +67,9 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: task.TargetConfig.Security.SslCa, - SSLKey: task.TargetConfig.Security.SslKey, - SSLCert: task.TargetConfig.Security.SslCert, + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } 
@@ -133,12 +133,12 @@ func testNoShardTaskToSubTaskConfigs(c *check.C) { c.Assert(subTaskConfig.UUID, check.HasLen, len(uuid.NewString())) c.Assert(subTaskConfig.DumpUUID, check.HasLen, len(uuid.NewString())) // check security items - c.Assert(subTaskConfig.To.Security.SSLCA, check.Equals, task.TargetConfig.Security.SslCa) - c.Assert(subTaskConfig.To.Security.SSLCert, check.Equals, task.TargetConfig.Security.SslCert) - c.Assert(subTaskConfig.To.Security.SSLKey, check.Equals, task.TargetConfig.Security.SslKey) - c.Assert(subTaskConfig.LoaderConfig.Security.SSLCA, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCa) - c.Assert(subTaskConfig.LoaderConfig.Security.SSLCert, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCert) - c.Assert(subTaskConfig.LoaderConfig.Security.SSLKey, check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKey) + c.Assert(string(subTaskConfig.To.Security.SSLCABytes), check.Equals, task.TargetConfig.Security.SslCaContent) + c.Assert(string(subTaskConfig.To.Security.SSLCertBytes), check.Equals, task.TargetConfig.Security.SslCertContent) + c.Assert(string(subTaskConfig.To.Security.SSLKeyBytes), check.Equals, task.TargetConfig.Security.SslKeyContent) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCABytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCaContent) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLCertBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslCertContent) + c.Assert(string(subTaskConfig.LoaderConfig.Security.SSLKeyBytes), check.Equals, task.SourceConfig.FullMigrateConf.Security.SslKeyContent) } func testShardAndFilterTaskToSubTaskConfigs(c *check.C) { 
@@ -299,9 +299,9 @@ func testNoShardSubTaskConfigsToOpenAPITask(c *check.C) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: task.TargetConfig.Security.SslCa, - SSLCert: task.TargetConfig.Security.SslCert, - SSLKey: task.TargetConfig.Security.SslKey, + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } @@ -391,9 +391,9 @@ func TestConvertWithIgnoreCheckItems(t *testing.T) { User: task.TargetConfig.User, Password: task.TargetConfig.Password, Security: &security.Security{ - SSLCA: task.TargetConfig.Security.SslCa, - SSLCert: task.TargetConfig.Security.SslCert, - SSLKey: task.TargetConfig.Security.SslKey, + SSLCABytes: []byte(task.TargetConfig.Security.SslCaContent), + SSLCertBytes: []byte(task.TargetConfig.Security.SslCertContent), + SSLKeyBytes: []byte(task.TargetConfig.Security.SslKeyContent), CertAllowedCN: *task.TargetConfig.Security.CertAllowedCn, }, } diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index b0dfa7c339f..bc4ea378655 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
@@ -106,13 +106,11 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st // MakeGlobalConfig converts subtask config to lightning global config. func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig { lightningCfg := lcfg.NewGlobalConfig() - // Global config will use downstream TiDB security config as default. - // If the downstream TiDB and PD use certificates issued by different CAs, it may affect the physical import mode. - // To resolve this issue, need to specify the TLS certificates for PD when creating task. - if cfg.To.Security != nil { - lightningCfg.Security.CABytes = cfg.To.Security.SSLCABytes - lightningCfg.Security.CertBytes = cfg.To.Security.SSLCertBytes - lightningCfg.Security.KeyBytes = cfg.To.Security.SSLKeyBytes + // lightning will use cluster certificates as global security config + if cfg.LoaderConfig.Security != nil { + lightningCfg.Security.CABytes = cfg.LoaderConfig.Security.SSLCABytes + lightningCfg.Security.CertBytes = cfg.LoaderConfig.Security.SSLCertBytes + lightningCfg.Security.KeyBytes = cfg.LoaderConfig.Security.SSLKeyBytes } lightningCfg.TiDB.Host = cfg.To.Host lightningCfg.TiDB.Psw = cfg.To.Password diff --git a/dm/openapi/fixtures/source.go b/dm/openapi/fixtures/source.go index 0cbb9c74bde..a055bebe60a 100644 --- a/dm/openapi/fixtures/source.go +++ b/dm/openapi/fixtures/source.go @@ -31,9 +31,6 @@ var sourceStr = ` "ssl_ca_content": "", "ssl_cert_content": "", "ssl_key_content": "", - "ssl_ca": "", - "ssl_cert": "", - "ssl_key": "", "cert_allowed_cn": [ "string" ] diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 8da8740fe3b..9355997142a 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go 
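Review bot: MakeGlobalConfig now reads only `cfg.LoaderConfig.Security`; when that is nil, lightning gets no TLS material even if `cfg.To.Security` is set, whereas the removed lines used the downstream TiDB config as the default. Unless every caller guarantees LoaderConfig.Security when the target uses TLS, a fallback such as `sec := cfg.LoaderConfig.Security` / `if sec == nil { sec = cfg.To.Security }` ahead of the nil check keeps existing tasks working. The replacement comment `// lightning will use cluster certificates as global security config` also drops the explanation of why PD and TiDB certificates may differ; keeping that rationale helps the next reader understand why two Security structs exist.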
@@ -35,12 +35,9 @@ var ( "import_mode": "physical", "pd_addr": "127.0.0.1:2379", "security": { - "ssl_ca_content": "", - "ssl_cert_content": "", - "ssl_key_content": "", - "ssl_ca": "ca.pem", - "ssl_cert": "dm.pem", - "ssl_key": "dm.key", + "ssl_ca_content": "ca1", + "ssl_cert_content": "cert1", + "ssl_key_content": "key1", "cert_allowed_cn": ["PD1", "PD2"] } }, @@ -62,12 +59,9 @@ var ( "password": "123456", "port": 4000, "security": { - "ssl_ca_content": "", - "ssl_cert_content": "", - "ssl_key_content": "", - "ssl_ca": "", - "ssl_cert": "", - "ssl_key": "", + "ssl_ca_content": "ca2", + "ssl_cert_content": "cert2", + "ssl_key_content": "key2", "cert_allowed_cn": ["TiDB1", "TiDB2"] }, "user": "root" diff --git a/dm/openapi/gen.server.go b/dm/openapi/gen.server.go index ff681a66ef0..1b1b4d48027 100644 --- a/dm/openapi/gen.server.go +++ b/dm/openapi/gen.server.go 
@@ -1248,115 +1248,115 @@ func RegisterHandlersWithOptions(router *gin.Engine, si ServerInterface, options // Base64 encoded, gzipped, json marshaled Swagger object var swaggerSpec = []string{ - "H4sIAAAAAAAC/+x9bXPbOJL/V8Ff/3uxMyVZku04ia/2RRJ7sr5zHir21N7WVo6BSFDCmgQYALRHm/J3", - "v8IDSZAESMq2HGuSfbHjiCDQaPy60d1oNL+NQppmlCAi+Oj424iHK5RC9eerBDHxDhK4ROySZjShy7X8", - "PWM0Q0xgpFqtKBfyv+gPmGYJGh2P5vvP92Z7s735aDwS60z+xAXDZDm6HY8yyurNX85eHpTtMBFoidjo", - "9nY8YuhrjhmKRsf/1IOYlz+XreniXygUstc3Sc4FYu+g/P82jTCK1K8R4iHDmcCUjI7Vr4hzQGMgVgiE", - "OWOICJCqTgChERqNXdM6frF/5JwbTPA1ao9DSYIJAlxAkZvRMDfD2CMIlqOy1wWlCYJEdpsgGCEH/Zjb", - "Pak5mKYDOiUwRfVl0904JtZYC/VmMdmSurFmcsfi+CEEJdCCVCMtEFa7/2AoHh2P/v+0AunUIHTqhOft", - "eLRkMIYEDu7nrW5vd6FZUfYQJFhjHAuU8r7+NAjt7gxHIGNQ/TtjNEVihXI+mMiP5St2xzeUXd2Zzr+r", - "l/103vqXUr/63eRsQXMSBZzmLERBAeT6mPohkA+Bag4E1dKiedYeNl3zr8lk1jWggEvHULp79bAUbt8g", - "qq1rhLY46i6Gi6NkfZ1SF6Oc8knJNWISs5BffUJfc6RRVF9bAflVH6RkBwpIkF8FISUxXgYxThxM0w+B", - "fAgwAWuYJiCmLIUCrITI+PF0GtGQ72WYLEOY7YU0nf57NRU4Wky5gIsETeUgE91PzqDsdyK7m8R5kuw5", - "2dY3c55RwtGfcuo2YtR0HJQ6scEQFOhCIcgLDQ2wPg7pTiy15cP8pB/0ZkQ/xQ8EZRfnXIOeYC4X5hNK", - "4NoatqEHQ/mHVERc0AxAwGRzwEz7cYNKi0ulYu/X5+9his5layfgT/I0u1B2iENllvZJlKcZyAlu07TI", - "1H80XLW9dnQ4aptvY2VVJkigKFCQrb8W0XyRoOo9kqcL/RriAqdQoEBQAZOA0Zuhb8aYYL5CUbBYC7Tx", - "SxsMlDG6lPuZQlJTj2uyHVP2caqJMPt9Bxdb82zOwc3CsVo5i3YXiE/JZhiGTPSCWD0NFpgkdBksBY6c", - "uGMCkyV4e3l2UhgJecYFQzAF+tXaJopewnkc7u9PUDh7MZnP0cvJYh+Gk9n+4T4M5/PZbHZwPJ88f3H4", - "cjQekTxJ5LwapnC1ZDUSPdZEQaLUk8qmGECmNigWmOzN5P/2h9MSYWNFxTBPJHj2pvqBHqJOmyQjwgyF", - "grI1uFkhhhRpel0SugSYS4UjATaAgm1onVPGKPs7Fqt3iHOnDSUho/YxgGTbFozUr0EozanWu+oZCLWp", - "1VZE+tWUL31vpoaovj2n6mhs0+OSpLdIGEv5jMTUb1iEulHgEgvzDGC5bKUayf0ad6gr0XTHmvO0iOqe", - "m3Z05LL7ZxhBAQd7JHUv3uE4KY1m6d1OLSolRY7ePQmN34efhHGRtjwJbVM9IPWVkbZ9srUh8qCEG9tm", - "y+RL2/ABeV66Dlsm+R1eMmUasyUS/AGJr3X8GDN5WOTki6rPx6D+Um7AF4LlocgZ8s9CExiEyqEJ+Nek", - "7iy9+XT66vIUXL56fX4Kvoj5F/CXLzj6AjARf5nPfwHvP1yC97+fn4NXv19+CM7ev/l0+u70/eX446ez", 
- "d68+/QP89+k/9Bu/gOmvl//vn0bvoyjAJEJ/fAZvzn+/uDz9dHoCfp3+Ak7fvz17f/rXM0LoyWtwcvrb", - "q9/PL8Gbv736dHF6+ddcxC/SxSF48+H8/NXlafFvaVa5wh1mam0PMFo4AzDK+nU0V7/PB3i85etFXxZX", - "nUvVCAo+eNj7YDab3TvsfU5h1O/OJRRG93XnOrwr/0spEtAY1k5nyXpe+gZtzvW7W8NpavC35UvZ/VlD", - "16fiIFz7V64lakSD74sjX9h+EOZe7B/Ne3lipKQPeh+UxY66A2fhCoVXAUNcuTFNhGYMTVQLYFrY3lP1", - "EHOQQc5RtAfcquE+wZxxncaemTY1d6+TrP0aBJTO8TrJcZLzVc3j085Zvde/MywQV76dnpcOaSOgZpBR", - "TATg8hcowMk7EEKiJR8LAGPpSTBU+rHytSIM2Doa4l+TIKREIOKYG/+agDXNwQ0kwpphbe0cOxP4Es6r", - "ranYPeT2NAZfwn3/owP3o3vsR//p3JDWJGxP9vcsggXPaSZwirnAIeAryCLJRqkH5G4PbrBY6ci/WRpK", - "kjXIOYqkR04ANI4toGGYMw4w8fZ5cnIO0pozWy5NMwhqrZMLuI4zo22c3t5/G/uYM1dQoIpghHL+eQYy", - "muBwDWqR73as4I8MM2MHFvI0awqTaqQjDgLreE45nO1vFxuJJ25ibXbyT3atDcVy3IOjWWvoyxUCRWMp", - "QRlimEY4hEmyBkblxe0Qjp5WNAamc3ANkxwdAzWEBBRHISURvxv1DKUQk4BnMES1GcyfNel/hwlO8xTE", - "DCEQYX4F1FuKhrev7zL8rQ8TDxpPf8Q4X19crzZmhkIcrw3xPF9Y0byYMtAiew+cxYBQAfSbWGJCnf1L", - "VSUAJQjc4CQBC6QU0B64UJSaM6ZjsA/R86PDg8NJ/PxlPJnP0YvJIkL7RfhUGqYv9FTm/QHDhqS3eeyS", - "d7Wsb5QQt/mhdjR9RFYIZVvEVaQ60A8ru9Daw37GnXcq7nzrQ0m/d2Or7TpKTBZH5YDUu2jwsDiQ1WKi", - "N5aKqX9pcHU+BvOXz1/+4hL22rge8Lkwdw+wdYPLTYJmXJGNIQl6eAJCKMJVkGdBWmZm1Ym4WUkLhUkl", - "rtqCPNPGVLk6lhPmE3OnXt0Mn9W896Y8X6guXWaiOwWkYKJGZa27Tzkh8uU+zVkHqxNE9nRdK+xjekG2", - "SxVfKHO1PL5py5k2Z5XuUcdB4yqo1h+1aQTSLlCYMyzW7WGUEW1ydjhP6hae3t5ijJKo3NlWOIoQ0cb1", - "EonSqbE7qnUCYkZT1UTZXrG0c9pqqeG+IiYCmCT0BkVBSNpkv6FpSgl4bzTzxcU5kO/gGIdQhxBKZvUy", - "h/MkCKEDW1WHWkVlUKxqEHMCVfXmd+NavRYtB3WMmKPL3wriJCs+nr4zBsf0f57NXhYJLg3uDBvKP4vf", - "LMofctQr5MDoRzM1iaGM4WvJuiu0LhN5rBGHDuKf2ZtqUvcfr+k31rHhYHSbwBKfFgIqXjk1i3Fo3zKa", - "Z44QfZS00xV7hSTGjIsgoaHeoV2vSE8eRZt1K/TJhatpTjbvsBVoUr2Pqzm3JlKSbQ3oZGqZaeVKd/TY", - "yTWbLoYJb4WWyl1YRTC09pQup3q9tj2a19s7sTHJK1Nj0HhUuijaAJeecC6Vu9rRuNbXLtPIS0KcwGvq", - "sAT072VuZsmrhsnsktMiPOJMLjV5re7kVWf0BHJ+Q1nk7bFsUO/y4PDZ0RArvojOuPumrKYnDg5mR65I", - "QFYEYzrTkVWjyswrfbmul2y3TwqqZQ10ns8V7eQ7A3N+B2f2aotts8Tp3qNmyK+GJ9BcQn5Vpc+MRzl3", - 
"2clmbvJha36MUjEwYzJwRPfNkHURLv7VoYU6jEYr+dpvNOpWk2GWo81y33il9e3KHepPANLGJFcxU2lO", - "3jDqstsLzPOSmF7MV1C5B34ZyhIcQg+OGym17YijyUg3nkqytrPikUsnbpiLWyDLJsSJHQGZ6MzOZSil", - "1yhIkYAb7ST6PRWTV27AAnJlJ0X0hhhfsvjZfewBYxSkNEKBwCkKoiK+3PYscYpA8VhuK/LNImZv6e0Z", - "d2qcil2D9END2LTOYkIR6aAN8iuTmqka2ATtz2ZHk9l8MtsH82fHs8Pj2bNhafIXgmadS3b/OUliaS4G", - "c/0GYu3z6fnSrM76Z3zgzGq5H20jNU+zgYJuZVZvkHQ4WOckFEYDKbGSAqwDYwdMinyIDoT2KSl/gKRv", - "y7tQDY29PnBmF2sSVjNTGQ3umclHQNFmo0Kd8Y1dJj5DnCbXKAqUhU7Dq8CTjNCpZotLP07WuE/Z/bqz", - "YKWZp1OVVuzoiI/KWXuyP3TsSPfrmOxCcgKTpeSKawj7xPJmhcNVGUzEHBQvbxQDUfKGaeBL6+jIfr3b", - "W60Q8cBgrsMmCBERgRicUGNO64IFWmESWfHRIe+WHqljF5PPOmdUa+GfkeYmui4uBg+gy1xeGMwDS/CW", - "jOZZF8h0gwbOIEMgJ5OiFxtrnXqkFprodd9tRtiTrK36eFgEt748zsVoCp6LT1a8wJZiH6xa4uEWNZeS", - "USkv940P+9L02hrg0mTztJW6T33FOJFsZrkOdMAowvItmHyste7bj15jck6Xv6nOPsm+XOYCIitIQhTo", - "G91BkaC5gmSJevN3LFNV+1aA55n0wNQxr0oH0RfFoygBWZIvMRlykRsvCWUoUIkDEjMl+xuXxVUzkDFk", - "UgxUM+dqXSPGdVCqd7lUIpxmQ/3kMEonyoBvMsFhjKvpc0FZkVHjPYSrOvXmxfnNHBuN/MrtdlISRLly", - "s4SjtxW9kYu3giTSYec4waFAkZqJ8pjzVB+CZ4k+Xigus2jmW/JlaWOpi5Tb4T7CuoFrdThGqVRZUCC5", - "3VqDZYhzk0M0Go+qhCL3YNrcGBauUVaaesGK2dwlXNKXXy3pC0VQ0R40mTLQAyzESvXXSq5qeWg+idIJ", - "wqlOai8VSxNZciTTBqg24+EJ80qpmqz5hrJpxKQ3WCudfn8CBXwtXdwiEOWGVkF5wRODpjhPEjkREjKU", - "IqLz2aH6TW4YI+2ISGxV4qQfDzJ3K4J6dGlDFJvccK5RE97u3cyh6V3HSgIpdSQ75gCKIkcgQdcoae1E", - "RgUrE8Hh8MmfC2/Eo51rbWqsBVGaDNHEhgZzS6Cds5lBIRBT2VJ6x/QT42te0fW/J0x53P3nIM4V+C1P", - "EoN+qVp8V+StCIvEZSltEkXtMB8kMFn/2yWqVB0RMpro7Dqep7LLbLXmOIQJwGkRGi/1twGu1qfSlpB/", - "xnEd99azFh+KgZ4INTTNGOJ8cnU9ySBmvJss0xpcXQPV2k2fYxTCMReIhOvO/otdDRNjzasze53hSJnc", - "T2N1n7PsDUDOcyaVRV04ckFddMjuPKl2gjK4VGkhbatgb1qMH5j9vN0z5lfB15wKxzG9SoRUzxT5jvUs", - "R3oxe+vqXQ8fiBVDMKqnrx42Nz0lD/oFuTohJcYlcvvGigafkVGtjG6n9oRS6Fp4TOhSTkzKn5ljHYjV", - "89YMDR2uGc6PnFM0FPVP0d4ugoKEPhQWb0glozysXMcWV4iAFCFRNkCA0RuuFtb07ZJTv9VnndWUrTqN", - "z6Dk7Tbm4Fc2hBKkXFeSN9fVPGofOkZBb9mfzFnzhsmtPigXtlAbvpRta+LqTWC92ami6lGXO5w5qhxM", - 
"j0rRD0uV0iv8e1P5iju/zLdfnpGQbbZfWgacZ7uUQAwWUIT1iyfzdr663Rdfk3DFKMH/LodSfQD0Bwo1", - "8qT18DWHRGA1lDvZPEsGaoHmRHpVgY+H9Tuqbk+xMjDUDdkWz4x9Wfm7vRlw5g1RpGFYTqjvoqOyczcY", - "wrwxdAj34Z0Zr0Fwk5zGYD4D2x8tKv3xzlgRvxocKqr80/bhTSPAWY0wO4jD2f7RwWT/Rfh8Mp+j5xN4", - "9OxgchTOFi8Oo2cv44PZ8XzyfHY4P9w/GM+eHT4/jA5Cq/mLg2f7k/3ZQbTYPzyKooPoeD6ZP585S4fV", - "87utUmDqQZVo73szo3UGHTr12nbOlTtOen2LX4sYeEiZMJRAaeh1X+SRFkDp4oVmjfu84KZvcau92Y37", - "aercevTEy+TmjAaHBCwk9wWkbTq8y1CcwxU7+4WgWaa8iCoj+Tdz/XU0Hn2EOa/lnFU4dAYs/Nn0OjIi", - "qH3ubsdJ+MBAbsMaVA9VBwWQHbpDPh6WUMI7E+kGAtQOfHqC4mNwg5MohCwqor31iOZi8us9j2BbCTW+", - "o1lR5QK2I1kDaBVOWjuTQax9w7dhCM+GXKHnIRcjoojru1Mm9F7MmDeWZX5HDg4cwLc1N9gzvOqdIwDY", - "wdIq9t7N0yeV/riddMe7eARbStFzJuWVPPGuOkozKR/e5Bx6jdgNw2KzWHr5lja7hRml/KP/enI1bj/p", - "vgICMcSJKn7Hr9qHDh1pfs4qAaU67S+PWSiwqlOn7mpuKnkYIs495G6WNN7ua9zmhosofWf9QSt2DldD", - "evBHLr7ZKEHXlZfT4Xf48x3bC12N6L2cbG4hc1DsXoKaHEzeVemzL6voDvmZfRmZjTrQD1+hxFvJeKsl", - "Sm5VSFVIZZyc0NAR8z55Bz5kiLz6eAZOPryRKpclo+NRXxHeidw8J9qkxZSYmrza0YipgjgWauKtAYqT", - "9ePRkWSgivpliMAMj45HB+onqfHFSlE7hRmeXs+npjDTtOje2EtlzcSzSI316uNZve6gSlDRmlX1tz+b", - "qVtt1Z0jmJXBw+m/uM66rOyozqLp7gqHiuuNbVErMrWIPE9TyNajYzkHUFY4JDEFPA9XAHJQK3so4JJb", - "JQlHn9X9BN/stfJpMkCJ4WsarR9s7u0Ciq1Jm2HBQo57+4TXIVc8qy3FnpPxt+MWHnVyER8Kyapc5OMA", - "01Gesost49HhA5LRKnnqGFpv5x2CYVXILzauTRZm+k3/oTzCW63/EqTtQMdKfYjjBBOk2fZeH9JnkMEU", - "6VX+ZyuHwCKv8MlVXSd9QVVvBCOLhpGtxnX2hSvQ6f8QxecWcA4ddvgTW1Gq+dr43sGghSwMhoESVtUy", - "fRwJc9RO3TEJs77TsJGEmYWZfjNW2EYSZqzHARJmk+eXMIuGH1vC6l/d6FzIKN0riHNK1lskTmj4Xxcf", - "3ntEqU6W7Ku8Qt+GW0RDoIarqIpo2KDI2Kgd5Pzt8t35IHJkwx5yVkLnFfnI0U5ev+qpKhD3gVnKV3G5", - "WJX4KO/rKUx/zRFbW6DGYhWULRwgdmfv3Y4dX19aA4ZEznTNNZ0kODHllop7by4SalWGNqHh83a1r6Po", - "s0NS7EoYSVGavYGDZpMKD4WPr3w07lt/++sg2zK2HR8g2dzgnj8YPWVM5Mnvc7rCLYAkKhJjISDoxl51", - "14K3dcD0m3Wy0L/LnaiHJSg6dcIyoQtV9y4n+GteL9/i3/DqBx2DNjzvFfC2woipvkxMs4ISmHBTY64o", - "IKQCOiavwqU6VB/31Bk7sPFqHADYh6nxkD1kF7HyOHvaNveTDn1Wfgrg0IlFw3kqQKy+atbeX7oA0RfG", - 
"2RlMfN7OvucK49/WA6GS3NvvA40npodMFAved2+bRvo7XioI7jd7zNe+dguifT7Dk9tbNJMfYFGrKkgd", - "a6o/fvVzSbe5pKUZet8VVS7ZZsL6qSgk+2NuJ64PFN6a/WRXNUNVyTPOia4FXdykfRiAbaA4fnB4OT4d", - "uKvoMkpq6+Aq66x1YKsqgv7jQqtdCH64Gfy0kaYQUKtfvTmWrM/1D3CxdbXfIcHaLUDHX+9tuw5uvcLx", - "jhxQFSXtdPKqLzg7FB7Tb/qPKoI3ACwq5/vpYWXckeDrGb6a+8Dhnfm/W0VpvczKboFU5z/fHaNlCash", - "Gqys8fh0dsPOGzSPchbU+B7ijsBHfemjVjm/KHd9XwtLMEh4rJO0O8yrS9PsR481ttNZ/ywmVgGEUlVR", - "APWHi3SuQA+69BFPn2YqPgfbCyCJecivHvP029ybWqyLSpm6pqBrzOLZ0A2rrOHYNapDPprDNmuHjjcK", - "T1t75pZVbeurvw4QKiYnpqbp01G0JVUV3HU2/ZDj/UtdfG17h/v2dYHvebTv+qTlDp3zlx90rK9wU51N", - "Q0quESsyd7uWXzfc5voXpPRAAMcaw5gDTLJc6EL+RpfqD8IUs9IlrSG/MmWg9OcyKAPXOETgGjEOtwqi", - "xpR2B0aXKkFKcZmYquDm8yk0BrD5MZ0WU/cGIK+4OzZsSy1uhz1CPuuOq/byct69dPxldbNvG7Ju7nR9", - "P/XuI+CJ6vPaym4iXFNTdaZbuZ+pRo+07s07qpvDYH9L9OyOfjalsO4Oi2+q7ukmOXwNdGzkHdulVx1u", - "cUnLQKfYV7N1p/Pm/Dermwp88Ga5O8s0++EUe3u/7lpyb4Jcdcf656LvTGra0HVv6e+7ae2nioiuZGtF", - "A7pGBOBYfRIF8HxRuH2sLFr0M93a5+kP2CZ2BhePECv9Htqp4UQe+krkdSRV+1e/L6X6KQNgq1nU9wsw", - "zn70AGOZXT0wwGhtWZ7zuaIYX1Foc0g4qFbAk++MInv05AjnGYsurm+Kuo98SQ+/Du9R19/v7lC1+fXx", - "z8TbaNm5k3F1VmdnV0ASmbK05gdGc2HuouHaxeK7S+XgXLIyi+z1WvL6FYnudoL+gwjlz+y2Lny7U9zu", - "jeINU97KZLefkP6ZhLezsuTMxHtgUZLvLRK0YUhikaALwfJQ5OynTD01mRr7K9r6WF4gYDDP3R8A3P3w", - "fU3yuAXxTYMzPyXkp4TMv4+zVAff7jtLnWLoj5KV4Zmforjx4D+KID58iNIKCjbl8M+Vi60lbsNts9tq", - "FbA3z+VCtvkBI9/lvHf9Pq5a5DsGn4fdLLK+TruDyr4sab7rufU7eonJXKvQ6NkMnTTrVV40+yF1l572", - "7qsumvk1l/r4CLsuVrRefH5N872IphATVXp+JFltOnDrglFftfuIhoNL3Jua9tOvOQ6vJkoDT3Ra6qSq", - "ClbTMSOXZaamvV2qbrBYTaLUokcN26amqAJbtit+uP18+38BAAD//zUyAOgEvwAA", + "H4sIAAAAAAAC/+x9bXPbOJLwX8Gj5z7sTEmWZDtO4qv9kMSerO+cl4o9tbe1lWMgEpSwJgEGAO3Rpvzf", + "r/BCEiQBkrItx5pkP+w4Igh0N/odjea3UUjTjBJEBB8dfxvxcIVSqP58lSAm3kECl4hd0owmdLmWv2eM", + "ZogJjNSoFeVC/hf9AdMsQaPj0Xz/+d5sb7Y3H41HYp3Jn7hgmCxHt+NRRll9+MvZy4NyHCYCLREb3d6O", + "Rwx9zTFD0ej4n3oR8/LncjRd/AuFQs76Jsm5QOwdlP/fhhFGkfo1QjxkOBOYktGx+hVxDmgMxAqBMGcM", + 
"EQFSNQkgNEKjsQut4xf7R07cYIKvUXsdShJMEOACityshrlZxl5BsByVsy4oTRAkctoEwQg54Mfcnknh", + "YIYOmJTAFNW3TU/jQKyxF+rNAtkSurEmcsfm+FkISkYLUs1pgbDG/QdD8eh49P+nFZNODYdOnex5Ox4t", + "GYwhgYPneavH21NoUpQzBAnWPI4FSnnffJoJ7ekMRSBjUP07YzRFYoVyPhjIj+Ur9sQ3lF3dGc6/q5f9", + "cN76t1K/+t3kbEFzEgWc5ixEQcHI9TX1QyAfAjUcCKqlRdOsvWy65l+TyaxrQQGXjqX09OphKdy+RdRY", + "1wptcdRTDBdHSfo6pC5COeWTkmvEJM9CfvUJfc2R5qL63grIr/pYSk6gGAnyqyCkJMbLIMaJg2j6IZAP", + "ASZgDdMExJSlUICVEBk/nk4jGvK9DJNlCLO9kKbTf6+mAkeLKRdwkaCpXGSi58kZlPNO5HSTOE+SPSfZ", + "+jDnGSUc/SlRtzlGoeOA1MkbDEGBLhQHeVlDM1gfhfQkltry8fykn+nNin6IH4iVXZRzLXqCudyYTyiB", + "a2vZhh4M5R9SEXFBMwABk8MBM+PHDSgtKpWKvV+fv4cpOpejnQx/kqfZhfJDHCqz9E+iPM1ATnAbpkWm", + "/qPZVftrR4ejtvs2Vl5lggSKAsWy9dcimi8SVL1H8nShX0Nc4BQKFAgqYBIwejP0zRgTzFcoChZrgTZ+", + "aYOFMkaX0p4pTmrqcQ22A2UfpZocZr/voGILzyYObhKO1c5ZsLuY+JRsxsOQiV4mVk+DBSYJXQZLgSMn", + "3zGByRK8vTw7KZyEPOOCIZgC/WrNiKKXcB6H+/sTFM5eTOZz9HKy2IfhZLZ/uA/D+Xw2mx0czyfPXxy+", + "HI1HJE8SiVfDFa62rAaix5soQJR6UvkUA8DUDsUCk72Z/N/+cFgibLyoGOaJZJ69qX6gl6jDJsGIMEOh", + "oGwNblaIIQWa3peELgHmUuFIBhsAwTa0ziljlP0di9U7xLnTh5Iso+wYQHJsi43Ur0Eo3anWu+oZCLWr", + "1VZE+tWUL31vpgaoPptTTTS24XFJ0lskjKd8RmLqdyxCPShwiYV5BrDctlKN5H6NOzSUaIZjTTwtoLpx", + "04GO3HY/hhEUcHBEUo/iHYGT0miW3u3UolJS5OrdSGj+fXgkTIi0ZSS0T/WA0FdO2vbB1o7IgwJufJst", + "gy99wwekeRk6bBnkd3jJlGvMlkjwBwS+NvFjYPKwnJMvqjkfA/pLaYAvBMtDkTPkx0IDGIQqoAn416Qe", + "LL35dPrq8hRcvnp9fgq+iPkX8JcvOPoCMBF/mc9/Ae8/XIL3v5+fg1e/X34Izt6/+XT67vT95fjjp7N3", + "rz79A/z36T/0G7+A6a+X/++fRu+jKMAkQn98Bm/Of7+4PP10egJ+nf4CTt+/PXt/+tczQujJa3By+tur", + "388vwZu/vfp0cXr511zEL9LFIXjz4fz81eVp8W/pVrnSHQa1dgQYLZwJGOX9Ooar3+cDIt7y9WIui6rO", + "rWokBR887X0wm83unfY+pzDqD+cSCqP7hnMd0ZX/pRQJaBxrZ7BkPS9jgzbl+sOt4TA16NuKpez5rKXr", + "qDgA1/GVa4sa2eD78pEvbT+I517sH817aWKkpI/1PiiPHXUnzsIVCq8ChrgKY5ocmjE0USOAGWFHT9VD", + "zEEGOUfRHnCrhvskc8Z1GHswbWru3iBZxzUIKJ3jDZLjJOerWsSng7P6rH9nWCCuYjuNl05pI6AwyCgm", + "AnD5CxTg5B0IIdGSjwWAsYwkGCrjWPlakQZsHQ3xr0kQUiIQceDGvyZgTXNwA4mwMKztncMygS/hvDJN", + 
"hfWQ5mkMvoT7/kcH7kf3sEf/6TRIaxK2kf09i2BBc5oJnGIucAj4CrJIklHqAWntwQ0WK535N1tDSbIG", + "OUeRjMgJgCawBTQMc8YBJt45T07OQVoLZsutaSZBrX1yMa7jzGgbp7f3N2Mfc+ZKClQZjFDin2cgowkO", + "16CW+W7nCv7IMDN+YCFPs6YwqUE64yCwzueUy9nxdmFIPHkTy9jJP9m1dhTLdQ+OZq2lL1cIFIOlBGWI", + "YRrhECbJGhiVF7dTOBqtaAzM5OAaJjk6BmoJyVAchZRE/G7QM5RCTAKewRDVMJg/a8L/DhOc5imIGUIg", + "wvwKqLcUDG9f32X5Wx9PPGg+/RHzfH15vdqaGQpxvDbA83xhZfNiykAL7D1wFgNCBdBvYskT6uxfqioB", + "KEHgBicJWCClgPbAhYLUnDEdg32Inh8dHhxO4ucv48l8jl5MFhHaL9Kn0jF9oVGZ9ycMG5LeprFL3tW2", + "vlFC3KaHsmj6iKwQyraIq0x1oB9WfqFlw37mnXcq73zr45L+6MZW23UuMVUcVQBSn6JBw+JAVouJNiwV", + "Uf/SoOp8DOYvn7/8xSXstXU9zOfiuXswWzdzuUHQhCuqMSRADw9ACEW4CvIsSMvKrDoQNyvpoTCpxNVY", + "kGfamSp3xwrCfGLu1Kub8WeF996U5ws1pctNdJeAFETUXFmb7lNOiHy5T3PWmdXJRDa6rh32Eb0A26WK", + "L5S7Wh7ftOVMu7NK96jjoHGVVOvP2jQSaRcozBkW6/Yyyok2NTucJ3UPT5u3GKMkKi3bCkcRItq5XiJR", + "BjX2RLVJQMxoqoYo3yuWfk5bLTXCV8REAJOE3qAoCEkb7Dc0TSkB741mvrg4B/IdHOMQ6hRCSaxe4nCe", + "BCH0B17WxFpVFSNtbnPyrJxYYuKd+jdrOonHx9N3xluY/s+z2cuiOqWBWv+qV2jtX/RNtZ7clYzha4na", + "FVqXpTHW4j3rNSOjOi0dNGgD6JQOE5S9ZTTPHGnmKGmX3PVudIwZF0FCQ21lXK/IaBRFm00rdPbdNTQn", + "m0/YSpao2ccVzi1ESrCtBZ1ELauFXCV7Hl+v5pfEMOGt9EhpSVQUrjWADJvU6zUVb15vWxPjVlbmctB6", + "VLrZ2omU0VwuFZTSylzrHJd594IQJ/CaOqyZ/r2sLyxp1XD7XJJYhPjOAklTm+kuwHRmACDnN5RF3hnL", + "AfUpDw6fHQ3xRIsMg3tu+dCa9+BgduSKZrMiodBZUqsGVa5KGY90vWSHLlJQLYvWecZUjJPvDKxbHVyd", + "qr2OzYp/e49LIb8aXgRyCflVVQIyHuXc5esZ3OTDFn6MUjGw6i9wZKjNknURLv7VoYU6HB+rgNjv+OhR", + "k2Hej01y33qlB+mqf+kvYtEOEVd5P+kS3TDq8j0LnuclML08X7HKPfiXoSzBIfTwcaMstJ01M1XVxttO", + "1nZlN3LpxA3rSQvOsgFx8o4MyzsrTBlK6TUKUqTPoQdbEv2eyisrV3YBufKEInpDTDxU/OxO3cMYBSmN", + "UCBwioKoyJG2oyOcIlA8lmZFvlnknS29PeNOjVORa5B+aAib1llMKCAdsEF+ZcoL1QAboP3Z7Ggym09m", + "+2D+7Hh2eDx7NqzU+0LQrHPL7o+TBJbmYjDVbyDWcYvGl2Z10j/jAzGr1S+0ndQ8zQYKulUdvEHh3GCd", + "k1AYDYTEOti2Dj0dbFKc6XdwaJ+S8gf5fSbvQg00/vpAzC7WJKwwU6fybszkI6Bgs7lCnVONXS4+Q5wm", + "1ygKlIdOw6vAc6DeqWaLiytO0rhPiv26syClwdOpSitydOT4JNaeCgad/9DzOpBdSEpgspRUcS1hn7rd", + 
"rHC4KhNimIPi5Y3ieCVvmAa+0oSOCs67vdVKcw5MSDp8ghAREYjBRSHmxClYoBUmkZXjG/JuGZE6rJh8", + "1olRbYQfI01NdF1cbh0AlynAH0wDS/CWjOZZF5PpAQ0+gwyBnEyKWWxe69QjtdREb/huE8JGsrbr42FZ", + "yPr2ODejKXguOln5AluKfWzVEg+3qLmUjCrbuG+O01dq1tYAl6Yipa3UfeorxokkM8t1ogNGEZZvweRj", + "bXSfPXqNyTld/qYm+yTncrkLiKwgCVGgbyUHRZHhCpIl6q1BsVxVHVsBnmcyAlNHlaqkQV92jqIEZEm+", + "xGTIZWS8JJShQB1+S54pyd+48KyGgYwhc0yuhjl36xoxrpNSvdulirk0GeqnX1E6UQ58kwgOZ1yhzwVl", + "RVWI9yCpmtRb2+V3c2xu5FfusJOSIMpVmCUcs63ojdy8FSSRzvnGCQ4FihQmKmLOU32QmyU6RV5cyNDE", + "t+TL0sZSF6mww30McwPX6oCHUqmyoEDS3FqLZYhzUwczGo+qohj3YtrdGJauUV6aesHK2dwlXdJXIyzh", + "C0VQwR40iTIwAizESs3XKhBqRWg+idJFrqkuzC4VS5Oz5EpmDFBjxsOLvpVSNZXfDWXTyElvsFe6hPwE", + "CvhahrhFIsrNWgXkBU0MN8V5kkhESMhQioiuyYbqN2kwRjoQkbxViZN+PMjdrQDq0aUNUWxSw7lHTfZ2", + "WzOHpned6Qik1JGcmAMoinPuBF2jpGWJjApWLoIj4JM/F9GIRzvXxtRIC6I0GaKJDQym0r1dd5hBIRBT", + "FT/aYvqB8Q2v4PrfE6Yi7v5zEOcO/JYnieF+qVp817ytDIvky1LaJBe103yQwGT9b5eoUnU+x2iiK8R4", + "nsops9Wa4xAmAKdFarzU34ZxtT6VvoT8M47rfG89a9GhWOiJQEPTjCHOJ1fXkwxixrvBMqPB1TVQo93w", + "OVYhHHOBSLjunL+wapgYb16dO+sqPcqkPY3VncRyNgA5z5lUFnXhyAV1wSGn85SLCcrgUpU2tL2CvWmx", + "fmDseXtmzK+CrzktEpM1xwbzK6CeKfAd+1mu9GL21jW7Xj4QK4ZgVC/BPGwaPSUP+gW5OyElJiRyx8YK", + "Bp+TUe2MHqdsQil0LX5M6FIiJuXP4FhnxOp5C0MDhwvD+ZETRQNRP4q2uQgKEPq4sHhDKhkVYeU6t7hC", + "BKQIiXIAAozecLWxZm6XnPq9PuusphzV6XwGJW23gYNf2RBKkApdSd7cV/OofegYBb2tazJn3xYmTX1Q", + "bmyhNnxlxxbi6k1gvdmpoupZlzucOao6Qo9K0Q9LldIr/HtT+Yq7RspnL89IyDazl5YD5zGXkhGDBRRh", + "/fLEvF1zbc/F1yRcMUrwv8ul1BwA/YFCzXnSe/iaQyKwWspdMJ0lA7VAE5FeVeCjYf2epTtSrBwMdcuz", + "RTPjX1bxbm8Vl3lDFGUYVhDqu6yn/NwNljBvDF3CfXhn1msA3ASnsZjPwfZni8p4vDNXxK8Gp4qq+LR9", + "eNNIcFYrzA7icLZ/dDDZfxE+n8zn6PkEHj07mByFs8WLw+jZy/hgdjyfPJ8dzg/3D8azZ4fPD6OD0Br+", + "4uDZ/mR/dhAt9g+PouggOp5P5s9nzvZX9Rplq52VelAVi/vezGidQIdOvbadc+WOk17f5tcyBh5QJgwl", + "UDp63ZdRpAdQhnih2eO+KLgZW9zqaHbjeZo6t5498RK5idHglIDFyX0JaRsO7zYU53CFZb8QNMtUFFFV", + "1f5mrnCOxqOPMOe1mrOKD50JC39FuM6MCGqfu9t5Ej4wkdvwBtVDNUHByA7dIR8PKyjhnYV0AxnUTnx6", + 
"kuJjcIOTKIQsKrK99YzmYvLrPY9gWwU1vqNZUdUCtjNZA2AVTlg7i0Esu+EzGMJjkCvuecjNiCji+v6P", + "Sb0XGPPGtszvSMGBC/hMc4M8wzu3ORKAHSStcu/dNH1S5Y/bKXe8S0SwpRI9Z1FeSRPvrqM0k/LhLc6h", + "14jdMCw2y6WXb2m3W5hVyj/6r9hW6/aD7rsEH0OcqAZu/Kp96NBR5ue86V6q0/4Wj4UCqyZ16q6mUcnD", + "EHHuAXezovH2XOM2NVxA6XvXD9p1crga0os/cgPJRhu1rrqcjrjDX+/Y3uhqRe8FW3OTloPCeglqajB5", + "V7fKvqqiO9Rn9lVkNnoZP3yXDW833q222bhVKVUhlXFyQkNHzvvkHfiQIfLq4xk4+fBGqlyWjI5HfY1k", + "J9J4TrRLiykxfWV1oBFTxeJYKMRbCxQn68ejI0lAlfXLEIEZHh2PDtRPUuOLlYJ2CjM8vZ5PTXOhaTG9", + "8ZfKvn9nkVrr1cezeu88VaCiNauab382UzezqltFMCuTh9N/cV11WflRnY2/3V36FNUbZlErMrWJPE9T", + "yNajY4kDKLv0kZgCnocrADmote4TcMmttnqjz+p+gg97rXyaBFBi+JpG6wfDvd0EsIW0WRYs5Lq3T3gf", + "ckWz2lbsOQl/O27xoy4u4kNZsmp5+DiM6Wix2EWW8ejwAcFote10LK3NeYdgWF3eC8O1ycZMv+k/VER4", + "q/VfgrQf6NipD3GcYII02d7rQ/oMMpgivcv/bNUQWOAVMbnqTQTFalQYgpEFw8hW47r6wpXo9H9M4XOL", + "cQ4dfvgT21Gq6dro2T9oIwuHYaCEVf04H0fCHP0/d0zCrG8NbCRhZmOm34wXtpGEGe9xgITZ4PklzILh", + "x5aw+pcjOjcySvcK4JyS9RaJExr+18WH9x5RqoMl5yovlbfZLaIhUMtVUEU0bEBkfNQOcP52+e58EDhy", + "YA84K6Hrinzg6CCvX/VUXXT7mFnKV3G5WLWpKO/rKZ7+miO2tpgai1VQjnAwsbt673bs+ILQGjAkcqb7", + "hukiwYlpGVTce3OBUOuUswkMn7erfR2Nix2SYndzSIr24g0+aA6p+KGI8VWMxn37b3/hYlvOtuMjGps7", + "3PMHg6fMiTx5O6e7tAJIoqIwFgKCbuxdd214WwdMv1knC/1W7kQ9LJmiUycsE7pQvdtygr/m9RYkfoNX", + "P+gYZPC8V8DbCiOm+jIxzQpIYMJNn7SiCY5K6Ji6CpfqUHPcU2fsgOHVfABgH0+Nh9iQXeSVx7Fp27Qn", + "HfqsbGd/6ORFQ3kqQKy+zNW2L10M0ZfG2Rme+Lwdu+dK49/WE6ES3NvvwxpPTA+ZLBa8r22bRvpbVCoJ", + "7nd7zBerdotF+2KGJ2dbNJEfYFOrLkgde6o/4PRzS7e5paUbet8dVSHZZsL6qWiG+mOaE9dH9m6NPdlV", + "zVB1o4xzovsZFzdpH4bBNlAcPzh7OT5/t6vcZZTU1pmr7LPWwVtVI+8fl7XazcyHu8FPm9MUB9R6MG/O", + "S9Yn5weE2Lpj7ZBk7RZYx9/vbbsBbr1L744cUBUt7XTxqi85O5Q9pt/0H1UGbwCzqJrvp8cr444CX8/y", + "Fe4Dl3fW/26VS+ttVnaLSXX98915tGxhNUSDlT0en4417LxB8yhnQY1v+u0I+6ivVdS6vxcNre/rYQkG", + "CY91kXaHe3Vphv3oucZ2OeufxcUqGKFUVRRA/fEdXSvQw136iKdPMxWfNO1lIMnzkF895um3uTe1WBed", + "MnVPQdeaxbOhBqvs4di1qkM+mss2e4eON0pPWzZzy6q29eVaBxMqIiemp+nTUbQlVBW762r6Icf7l7r5", + 
"2vYO9+3rAt/zaN/1WcYdOucvP0pY3+GmOpuGlFwjVlTudm2/HrjN/S9A6WEBHGsexhxgkuVCN/I3ulR/", + "1KTASre0hvzKtIHSH8SgDFzjEIFrxDjcKhM1UNodNrpUBVKKysR0BTffLqExgM0PwrSIujeA84q7Y8NM", + "anE77BHqWXdctZeX8+6l4y+rm33bkHVzp+v7qXcfAE9Un9d2dhPhmpquM93K/UwNeqR9b95R3ZwN9rcE", + "z+7oZ9MK6+5s8U31Pd2khq/BHRtFx3brVUdYXMIyMCj29Wzd6bo5/83qpgIfbCx3Z5tmP5xib9vrri33", + "FshVd6x/bvrOlKYN3feW/r6b1n6qHNFVbK1gQNeIAByrT6IAni+KsI+VTYt+llv7Iv0BZmJn+OIRcqXf", + "Qzs1gshDX4u8jqJq/+73lVQ/ZQbYahX1/RKMsx89wVhWVw9MMFomy3M+VzTjKxptDkkH1Rp48p1RZI9e", + "HOE8Y9HN9U1T95Gv6OHX4TPq/vvdE6oxvz7+mXibW3buZFyd1dnVFZBEpi2t+YHRXJi7aLh2sfjuUjm4", + "lqysInu9lrR+RaK7naD/IEL5s7qti7/dJW735uINS97KYrefLP2zCG9nZclZiffAoiTfWyRow5TEIkEX", + "guWhyNlPmXpqMjX2d7T1kbzggME0d38AcPfT9zXJ4xaLb5qc+SkhPyVk/n2CpTrz7X6w1CmG/ixZmZ75", + "KYobL/6jCOLDpyitpGBTDv9ctdha4jY0m91eq4C9dS4XcswPmPku8d71+7hqk++YfB52s8j6Ou0OKvuy", + "pfmu19bv6CUmc61Cc89m3EmzXuVFsx9Sd2m0d1910cyvudTHR9h1saP15vNrmu9FNIWYqNbzI0lqM4Fb", + "F4z6ut1HNBzc4t70tJ9+zXF4NVEaeKLLUidVV7Cajhm5PDOF9nahusFiNYlSCx61bBuaogtsOa744fbz", + "7f8FAAD//wuB/EzIvQAA", } // GetSwagger returns the content of the embedded swagger specification file diff --git a/dm/openapi/gen.types.go b/dm/openapi/gen.types.go index 274f71141ff..3af0810e682 100644 --- a/dm/openapi/gen.types.go +++ b/dm/openapi/gen.types.go @@ -372,21 +372,12 @@ type Security struct { // Common Name of SSL certificates CertAllowedCn *[]string `json:"cert_allowed_cn,omitempty"` - // certificate file path - SslCa string `json:"ssl_ca"` - // certificate file content SslCaContent string `json:"ssl_ca_content"` - // File path of PEM format/X509 format certificates - SslCert string `json:"ssl_cert"` - // File content of PEM format/X509 format certificates SslCertContent string `json:"ssl_cert_content"` - // Path of the private key file in X509 format - SslKey string `json:"ssl_key"` - // Content of the private key file in X509 format SslKeyContent string `json:"ssl_key_content"` } 
diff --git a/dm/openapi/spec/dm.yaml b/dm/openapi/spec/dm.yaml
index 046a7b1ec3c..b6de1b9c9db 100644
--- a/dm/openapi/spec/dm.yaml
+++ b/dm/openapi/spec/dm.yaml
@@ -1251,18 +1251,6 @@ components:
 description: "data source ssl configuration, the field will be hidden when getting the data source configuration from the interface"
 nullable: true
 properties:
- ssl_ca:
- type: string
- example: ""
- description: "certificate file path"
- ssl_cert:
- type: string
- example: ""
- description: "File path of PEM format/X509 format certificates"
- ssl_key:
- type: string
- example: ""
- description: "Path of the private key file in X509 format"
 ssl_ca_content:
 type: string
 example: ""
@@ -1284,9 +1272,6 @@ components:
 - "ssl_ca_content"
 - "ssl_cert_content"
 - "ssl_key_content"
- - "ssl_ca"
- - "ssl_cert"
- - "ssl_key"
 Purge:
 description: "relay log cleanup policy configuration"
 type: object
diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check
index 7d7b50bddbe..1489e6b69f7 100755
--- a/dm/tests/openapi/client/openapi_task_check
+++ b/dm/tests/openapi/client/openapi_task_check
@@ -151,8 +151,8 @@ def create_noshard_task_success(task_name, tartget_table_name="", task_mode="all
 def create_noshard_task_with_security_success(
 task_name,
 target_table,
- tidb_ca="",tidb_cert="",tidb_key="",
- cluster_ca="",cluster_cert="",cluster_key=""):
+ tidb_ca_content="",tidb_cert_content="",tidb_key_content="",
+ cluster_ca_content="",cluster_cert_content="",cluster_key_content=""):
 task = {
 "name": task_name,
 "task_mode": "all",
@@ -165,9 +165,9 @@ def create_noshard_task_with_security_success(
 "user": "root",
 "password": "",
 "security":{
- "ssl_ca": tidb_ca,
- "ssl_cert": tidb_cert,
- "ssl_key": tidb_key,
+ "ssl_ca": tidb_ca_content,
+ "ssl_cert": tidb_cert_content,
+ "ssl_key": tidb_key_content,
 "ssl_ca_content": "",
 "ssl_cert_content": "",
 "ssl_key_content": "",
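Review bot: In the @@ -165 hunk the renamed `tidb_*_content` parameters are still assigned to the path keys `"ssl_ca"`/`"ssl_cert"`/`"ssl_key"` while `"ssl_ca_content"`/`"ssl_cert_content"`/`"ssl_key_content"` stay `""`, so the values run.sh now passes as PEM content in this same commit land in fields that this commit also removes from the Security schema in dm.yaml; the @@ -201 hunk has the same problem with the `cluster_*_content` parameters. The `_failed` helper's @@ -232 and @@ -259 hunks show the intended shape: drop the three path keys and write `"ssl_ca_content": tidb_ca_content,`, `"ssl_cert_content": tidb_cert_content,`, `"ssl_key_content": tidb_key_content,`. create_noshard_task_with_security_success starts and ends outside the hunk.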
@@ -201,9 +201,9 @@ def create_noshard_task_with_security_success(
 "import_mode": "physical",
 "pd_addr": "127.0.0.1:23790",
 "security": {
- "ssl_ca": cluster_ca,
- "ssl_cert": cluster_cert,
- "ssl_key": cluster_key,
+ "ssl_ca": cluster_ca_content,
+ "ssl_cert": cluster_cert_content,
+ "ssl_key": cluster_key_content,
 "ssl_ca_content": "",
 "ssl_cert_content": "",
 "ssl_key_content": "",
@@ -218,8 +218,8 @@ def create_noshard_task_with_security_failed(
 task_name,
 target_table,
- tidb_ca="",tidb_cert="",tidb_key="",
- cluster_ca="",cluster_cert="",cluster_key=""):
+ tidb_ca_content="",tidb_cert_content="",tidb_key_content="",
+ cluster_ca_content="",cluster_cert_content="",cluster_key_content=""):
 task = {
 "name": task_name,
 "task_mode": "all",
@@ -232,12 +232,9 @@ def create_noshard_task_with_security_failed(
 "user": "root",
 "password": "",
 "security":{
- "ssl_ca": tidb_ca,
- "ssl_cert": tidb_cert,
- "ssl_key": tidb_key,
- "ssl_ca_content": "",
- "ssl_cert_content": "",
- "ssl_key_content": "",
+ "ssl_ca_content": tidb_ca_content,
+ "ssl_cert_content": tidb_cert_content,
+ "ssl_key_content": tidb_key_content,
 "cert_allowed_cn": ["TiDB"],
 }
 },
@@ -259,12 +256,9 @@ def create_noshard_task_with_security_failed(
 "import_mode": "physical",
 "pd_addr": "127.0.0.1:23790",
 "security": {
- "ssl_ca": cluster_ca,
- "ssl_cert": cluster_cert,
- "ssl_key": cluster_key,
- "ssl_ca_content": "",
- "ssl_cert_content": "",
- "ssl_key_content": "",
+ "ssl_ca_content": cluster_ca_content,
+ "ssl_cert_content": cluster_cert_content,
+ "ssl_key_content": cluster_key_content,
 "cert_allowed_cn": ["dm"],
 }
 }
diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh
index d87565f6860..0611d82f376 100644
--- a/dm/tests/openapi/run.sh
+++ b/dm/tests/openapi/run.sh
@@ -1092,8 +1092,8 @@ function test_tls() {
 task_name="task-tls-1"
 openapi_task_check "create_noshard_task_with_security_success" $task_name "" \
- "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \
- "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
+ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
+ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
 openapi_task_check "start_task_success" $task_name ""
 openapi_task_check "get_task_status_success" $task_name 2
 openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50
@@ -1102,8 +1102,8 @@ function test_tls() {
 task_name="task-tls-2"
 openapi_task_check "create_noshard_task_with_security_success" $task_name "t3" \
- "$cur/tls_conf/ca2.pem" "" "" \
- "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key"
+ "$(cat $cur/tls_conf/ca2.pem)" "" "" \
+ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
 openapi_task_check "start_task_success" $task_name ""
 openapi_task_check "get_task_status_success" $task_name 2
 openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50
@@ -1111,30 +1111,30 @@ function test_tls() {
 task_name="task-tls-error"
 # miss pd cert and key certificate
 openapi_task_check "create_noshard_task_with_security_failed" $task_name \
- "$$cur/tls_conf/ca2.pem" "" "" \
- "$cur/tls_conf/ca.pem" "" ""
+ "$(cat $cur/tls_conf/ca2.pem)" "" "" \
+ "$(cat $cur/tls_conf/ca.pem)" "" ""
 # miss tidb cert certificate
 openapi_task_check "create_noshard_task_with_security_failed" $task_name \
- "$cur/tls_conf/ca2.pem" "" "$cur/tls_conf/tidb.key" \
- "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem""$cur/tls_conf/dm.key)"
+ "$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \
+ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)"
 # miss tidb key certificatete
 openapi_task_check "create_noshard_task_with_security_failed" $task_name \
- "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "" \
- "$cur/tls_conf/ca.pem" "$cur/tls_conf/dm.pem" "$cur/tls_conf/dm.key)"
+ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "" \
+ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$cur/tls_conf/dm.key)"
 # miss pd key certificate
 openapi_task_check "create_noshard_task_with_security_failed" $task_name \
- "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \
- "$cur/tls_conf/ca.pem""$cur/tls_conf/dm.pem"""
+ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
+ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" ""
 # miss pd cert certificate
 openapi_task_check "create_noshard_task_with_security_failed" $task_name \
- "$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \
- "$cur/tls_conf/ca.pem" "" "$cur/tls_conf/dm.key)"
+ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
+ "$(cat $cur/tls_conf/ca.pem)" "" "$(cat $cur/tls_conf/dm.key)"
 # miss pd all certificate
 openapi_task_check "create_noshard_task_with_security_failed" $task_name \
-
"$cur/tls_conf/ca2.pem" "$cur/tls_conf/tidb.pem" "$cur/tls_conf/tidb.key" \
+ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \
 "" "" ""
- echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS"
+ echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS SUCCESS"
 }
 function test_reverse_https() {
From 008383afc0fe90b6c92a24c5eab336660aed10bb Mon Sep 17 00:00:00 2001
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com>
Date: Wed, 18 Dec 2024 16:37:27 +0800
Subject: [PATCH 41/63] write certificate files
---
 dm/config/security/security.go | 24 +++++++++++++++++++++
 dm/config/task_converters.go | 6 ++++++
 dm/loader/lightning.go | 23 +++++++++++++-------
 dm/tests/openapi/client/openapi_task_check | 25 +++++++++++-----------
 dm/tests/openapi/run.sh | 4 ----
 5 files changed, 57 insertions(+), 25 deletions(-)
diff --git a/dm/config/security/security.go b/dm/config/security/security.go
index 6854bb3cea0..b662543a29c 100644
--- a/dm/config/security/security.go
+++ b/dm/config/security/security.go
@@ -83,6 +83,9 @@ func (s *Security) ClearSSLBytesData() {
 s.SSLCABytes = s.SSLCABytes[:0]
 s.SSLKeyBytes = s.SSLKeyBytes[:0]
 s.SSLCertBytes = s.SSLCertBytes[:0]
+ s.SSLCA = ""
+ s.SSLCert = ""
+ s.SSLKey = ""
 }
 // Clone returns a deep copy of Security.
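Review bot: In the `# miss tidb key certificatete` case the last PD argument on the new side is still `"$cur/tls_conf/dm.key)"` — a path string with a stray `)` — while every other argument in this hunk was converted to `"$(cat …)"`, so that case sends a bogus PD key instead of the key content and may be rejected for a different reason than the missing TiDB key it is meant to exercise. It should read `"$(cat $cur/tls_conf/dm.key)"`, and the `certificatete` typo in the comment could be fixed in passing. test_tls starts outside the hunk.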
@@ -95,5 +98,26 @@ func (s *Security) Clone() *Security {
 clone.SSLCABytes = append([]byte(nil), s.SSLCABytes...)
 clone.SSLKeyBytes = append([]byte(nil), s.SSLKeyBytes...)
 clone.SSLCertBytes = append([]byte(nil), s.SSLCertBytes...)
+ clone.SSLCA = s.SSLCA
+ clone.SSLCert = s.SSLCert
+ clone.SSLKey = s.SSLKey
 return &clone
 }
+
+func (s *Security) WriteFiles(name string) error {
+ // Initialize file paths in temp dir
+ s.SSLCA = fmt.Sprintf("%s/%s_ca.pem", os.TempDir(), name)
+ s.SSLKey = fmt.Sprintf("%s/%s_dm.pem", os.TempDir(), name)
+ s.SSLCert = fmt.Sprintf("%s/%s_dm.key", os.TempDir(), name)
+
+ if err := os.WriteFile(s.SSLCA, s.SSLCABytes, 0644); err != nil {
+ return fmt.Errorf("failed to save SSL CA: %w", err)
+ }
+ if err := os.WriteFile(s.SSLKey, s.SSLKeyBytes, 0644); err != nil {
+ return fmt.Errorf("failed to save SSL Key: %w", err)
+ }
+ if err := os.WriteFile(s.SSLCert, s.SSLCertBytes, 0644); err != nil {
+ return fmt.Errorf("failed to save SSL Cert: %w", err)
+ }
+ return nil
+}
diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go
index b267834f618..ff401acd158 100644
--- a/dm/config/task_converters.go
+++ b/dm/config/task_converters.go
@@ -240,6 +240,9 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig,
 subTaskCfg.LoaderConfig.PDAddr = *fullCfg.PdAddr
 }
 if fullCfg.Security != nil {
+ if fullCfg.Security.SslCaContent == "" || fullCfg.Security.SslCertContent == "" || fullCfg.Security.SslKeyContent == "" {
+ return nil, terror.ErrOpenAPICommonError.Generatef("Invalid security config, full migrate conf's security fields should not be \"\"")
+ }
 var certAllowedCN []string
 if fullCfg.Security.CertAllowedCn != nil {
 certAllowedCN = *fullCfg.Security.CertAllowedCn
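Review bot: WriteFiles writes the private key (s.SSLKeyBytes) with mode 0644 into the shared os.TempDir() under a predictable name, so any local user on the host can read the key material, and a file or symlink already sitting at that path is silently followed and overwritten. A per-call private directory from os.MkdirTemp, filepath.Join in place of the "%s/%s" format and mode 0600 for all three files close both gaps (path/filepath would need importing). The names are also swapped — SSLKey gets `_dm.pem` and SSLCert gets `_dm.key` — which the loader does not care about but which misleads anyone inspecting the temp directory. Nothing removes the files afterwards, and ClearSSLBytesData in the previous hunk blanks the paths without deleting them, so a cleanup (os.RemoveAll on the directory) is needed somewhere in the task lifecycle; the exported method also lacks a doc comment.
```go
// WriteFiles materializes SSLCABytes, SSLCertBytes and SSLKeyBytes as files in a
// fresh private temp directory and records their paths in SSLCA, SSLCert and SSLKey.
func (s *Security) WriteFiles(name string) error {
	dir, err := os.MkdirTemp("", name+"-tls-")
	if err != nil {
		return fmt.Errorf("create tls temp dir: %w", err)
	}
	s.SSLCA = filepath.Join(dir, "ca.pem")
	s.SSLCert = filepath.Join(dir, "cert.pem")
	s.SSLKey = filepath.Join(dir, "key.pem")
	// 0600: the private key must not be readable by other local users.
	if err := os.WriteFile(s.SSLCA, s.SSLCABytes, 0600); err != nil {
		return fmt.Errorf("save SSL CA: %w", err)
	}
	if err := os.WriteFile(s.SSLCert, s.SSLCertBytes, 0600); err != nil {
		return fmt.Errorf("save SSL cert: %w", err)
	}
	if err := os.WriteFile(s.SSLKey, s.SSLKeyBytes, 0600); err != nil {
		return fmt.Errorf("save SSL key: %w", err)
	}
	return nil
}
```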
@@ -250,6 +253,9 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig,
 SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent),
 CertAllowedCN: certAllowedCN,
 }
+ if err := subTaskCfg.LoaderConfig.Security.WriteFiles(subTaskCfg.Name); err != nil {
+ return nil, terror.ErrOpenAPICommonError.Generatef("Save tls config files files, message=%s", err.Error())
+ }
 }
 if fullCfg.RangeConcurrency != nil {
 subTaskCfg.LoaderConfig.RangeConcurrency = *fullCfg.RangeConcurrency
diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go
index bc4ea378655..0b41e44a18c 100644
--- a/dm/loader/lightning.go
+++ b/dm/loader/lightning.go
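Review bot: The error text `"Save tls config files files, message=%s"` has a doubled word and, unlike the surrounding terror messages, starts with a capital; `Generatef("save tls config files: %s", err.Error())` reads better. WriteFiles is also invoked here — presumably once per subtask, given subTaskCfg.Name — before the rest of the task has been validated, so a later validation error leaves the certificate and key files behind in the temp directory; either defer the write until validation has passed or remove the files on the error path. OpenAPITaskToSubTaskConfigs starts and ends outside the hunk.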
@@ -106,11 +106,18 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st
 // MakeGlobalConfig converts subtask config to lightning global config.
 func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig {
 lightningCfg := lcfg.NewGlobalConfig()
- // lightning will use cluster certificates as global security config
+ // if cfg.To.Security != nil {
+ // lightningCfg.Security.CABytes = cfg.To.Security.SSLCABytes
+ // lightningCfg.Security.CertBytes = cfg.To.Security.SSLCertBytes
+ // lightningCfg.Security.KeyBytes = cfg.To.Security.SSLKeyBytes
+ // }
 if cfg.LoaderConfig.Security != nil {
- lightningCfg.Security.CABytes = cfg.LoaderConfig.Security.SSLCABytes
- lightningCfg.Security.CertBytes = cfg.LoaderConfig.Security.SSLCertBytes
- lightningCfg.Security.KeyBytes = cfg.LoaderConfig.Security.SSLKeyBytes
+ lightningCfg.Security.CAPath = cfg.LoaderConfig.Security.SSLCA
+ lightningCfg.Security.CertPath = cfg.LoaderConfig.Security.SSLCert
+ lightningCfg.Security.KeyPath = cfg.LoaderConfig.Security.SSLKey
+ // lightningCfg.Security.CABytes = cfg.LoaderConfig.Security.SSLCABytes
+ // lightningCfg.Security.CertBytes = cfg.LoaderConfig.Security.SSLCertBytes
+ // lightningCfg.Security.KeyBytes = cfg.LoaderConfig.Security.SSLKeyBytes
 }
 lightningCfg.TiDB.Host = cfg.To.Host
 lightningCfg.TiDB.Psw = cfg.To.Password
@@ -331,10 +338,10 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask
 return nil, err
 }
 cfg.TiDB.Security = &globalCfg.Security
- if subtaskCfg.LoaderConfig.Security != nil {
- cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA
- cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert
- cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey
+ if subtaskCfg.To.Security != nil {
+ cfg.TiDB.Security.CAPath = subtaskCfg.To.Security.SSLCA
+ cfg.TiDB.Security.CertPath = subtaskCfg.To.Security.SSLCert
+ cfg.TiDB.Security.KeyPath = subtaskCfg.To.Security.SSLKey
 }
 // TableConcurrency is adjusted to the value of RegionConcurrency
 // when using TiDB backend.
diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check
index 1489e6b69f7..0e35b158b58 100755
--- a/dm/tests/openapi/client/openapi_task_check
+++ b/dm/tests/openapi/client/openapi_task_check
@@ -158,6 +158,9 @@ def create_noshard_task_with_security_success(
 "task_mode": "all",
 "meta_schema": "dm-meta",
 "enhance_online_schema_change": True,
+ "ignore_checking_items": [
+ "all"
+ ],
 "on_duplicate": "error",
 "target_config": {
 "host": "127.0.0.1",
@@ -165,12 +168,9 @@ def create_noshard_task_with_security_success(
 "user": "root",
 "password": "",
 "security":{
- "ssl_ca": tidb_ca_content,
- "ssl_cert": tidb_cert_content,
- "ssl_key": tidb_key_content,
- "ssl_ca_content": "",
- "ssl_cert_content": "",
- "ssl_key_content": "",
+ "ssl_ca_content": tidb_ca_content,
+ "ssl_cert_content": tidb_cert_content,
+ "ssl_key_content": tidb_key_content,
 "cert_allowed_cn": ["TiDB", "dm", "locahost"],
 }
 },
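Review bot: `cfg.TiDB.Security = &globalCfg.Security` makes cfg.TiDB.Security an alias of the caller's globalCfg.Security, so the three assignments this hunk adds overwrite the CAPath/CertPath/KeyPath of the global (loader/PD) security config with the TiDB ones instead of producing a separate TiDB config — the removed lines wrote to cfg.Security, which had no such aliasing. If globalCfg is reused, or Lightning's PD side reads globalCfg.Security after this call, the PD/TiDB CA separation this series is building is silently undone. Copying the struct before specialising it avoids the write-through. GetLightningConfig starts and ends outside the hunk.
```go
	// … unchanged: earlier error check …
	// Copy first: taking &globalCfg.Security would alias the caller's global
	// (PD/loader) security config and the assignments below would mutate it.
	tidbSecurity := globalCfg.Security
	if subtaskCfg.To.Security != nil {
		tidbSecurity.CAPath = subtaskCfg.To.Security.SSLCA
		tidbSecurity.CertPath = subtaskCfg.To.Security.SSLCert
		tidbSecurity.KeyPath = subtaskCfg.To.Security.SSLKey
	}
	cfg.TiDB.Security = &tidbSecurity
	// … unchanged: TableConcurrency adjustment …
```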
@@ -199,14 +199,10 @@ def create_noshard_task_with_security_success( ], "full_migrate_conf": { "import_mode": "physical", - "pd_addr": "127.0.0.1:23790", "security": { - "ssl_ca": cluster_ca_content, - "ssl_cert": cluster_cert_content, - "ssl_key": cluster_key_content, - "ssl_ca_content": "", - "ssl_cert_content": "", - "ssl_key_content": "", + "ssl_ca_content": cluster_ca_content, + "ssl_cert_content": cluster_cert_content, + "ssl_key_content": cluster_key_content, "cert_allowed_cn": ["dm"], } } @@ -224,6 +220,9 @@ def create_noshard_task_with_security_failed( "name": task_name, "task_mode": "all", "meta_schema": "dm-meta", + "ignore_checking_items": [ + "all" + ], "enhance_online_schema_change": True, "on_duplicate": "error", "target_config": { diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 0611d82f376..192a6cd7a3e 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -1077,10 +1077,6 @@ function test_tls() { init_noshard_data # create source1 successfully openapi_source_check "create_source1_success" - - # get source list success - openapi_source_check "list_source_success" 1 - # create source2 successfully openapi_source_check "create_source2_success" From fa8fb737cc15018b19881f514cd75b581dfe978a Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Wed, 18 Dec 2024 16:41:24 +0800 Subject: [PATCH 42/63] add comment --- dm/loader/lightning.go | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 0b41e44a18c..14b2b510fa5 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
@@ -106,18 +106,11 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st // MakeGlobalConfig converts subtask config to lightning global config. func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig { lightningCfg := lcfg.NewGlobalConfig() - // if cfg.To.Security != nil { - // lightningCfg.Security.CABytes = cfg.To.Security.SSLCABytes - // lightningCfg.Security.CertBytes = cfg.To.Security.SSLCertBytes - // lightningCfg.Security.KeyBytes = cfg.To.Security.SSLKeyBytes - // } + // use loader's security as global security config if cfg.LoaderConfig.Security != nil { lightningCfg.Security.CAPath = cfg.LoaderConfig.Security.SSLCA lightningCfg.Security.CertPath = cfg.LoaderConfig.Security.SSLCert lightningCfg.Security.KeyPath = cfg.LoaderConfig.Security.SSLKey - // lightningCfg.Security.CABytes = cfg.LoaderConfig.Security.SSLCABytes - // lightningCfg.Security.CertBytes = cfg.LoaderConfig.Security.SSLCertBytes - // lightningCfg.Security.KeyBytes = cfg.LoaderConfig.Security.SSLKeyBytes } lightningCfg.TiDB.Host = cfg.To.Host lightningCfg.TiDB.Psw = cfg.To.Password From 0d1814a5c00b956bcf64bfe69246dbe133fb02eb Mon Sep 17 00:00:00 2001 
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Wed, 18 Dec 2024 22:46:44 +0800 Subject: [PATCH 43/63] fix test --- dm/config/security/security.go | 20 +++--- dm/config/security_test.go | 3 + dm/config/task_converters.go | 1 + dm/loader/lightning.go | 1 - dm/loader/lightning_test.go | 125 ++++++++++++++++----------------- dm/loader/tls_conf/ca.pem | 8 --- dm/loader/tls_conf/ca2.pem | 10 --- dm/loader/tls_conf/dm.key | 8 --- dm/loader/tls_conf/dm.pem | 10 --- dm/loader/tls_conf/tidb.key | 8 --- dm/loader/tls_conf/tidb.pem | 12 ---- dm/tests/openapi/run.sh | 10 +-- 12 files changed, 76 insertions(+), 140 deletions(-) delete mode 100644 dm/loader/tls_conf/ca.pem delete mode 100644 dm/loader/tls_conf/ca2.pem delete mode 100644 dm/loader/tls_conf/dm.key delete mode 100644 dm/loader/tls_conf/dm.pem delete mode 100644 dm/loader/tls_conf/tidb.key delete mode 100644 dm/loader/tls_conf/tidb.pem diff --git a/dm/config/security/security.go b/dm/config/security/security.go index b662543a29c..a3670902877 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go @@ -17,6 +17,8 @@ import ( "encoding/base64" "fmt" "os" + + certificate "github.com/pingcap/tiflow/pkg/security" ) // Security config. 
@@ -105,19 +107,15 @@ func (s *Security) Clone() *Security { } func (s *Security) WriteFiles(name string) error { - // Initialize file paths in temp dir - s.SSLCA = fmt.Sprintf("%s/%s_ca.pem", os.TempDir(), name) - s.SSLKey = fmt.Sprintf("%s/%s_dm.pem", os.TempDir(), name) - s.SSLCert = fmt.Sprintf("%s/%s_dm.key", os.TempDir(), name) - - if err := os.WriteFile(s.SSLCA, s.SSLCABytes, 0644); err != nil { - return fmt.Errorf("failed to save SSL CA: %w", err) + var err error + if s.SSLCA, err = certificate.WriteFile(fmt.Sprintf("%s_ca.pem", name), s.SSLCABytes); err != nil { + return err } - if err := os.WriteFile(s.SSLKey, s.SSLKeyBytes, 0644); err != nil { - return fmt.Errorf("failed to save SSL Key: %w", err) + if s.SSLCert, err = certificate.WriteFile(fmt.Sprintf("%s_dm.pem", name), s.SSLCertBytes); err != nil { + return err } - if err := os.WriteFile(s.SSLCert, s.SSLCertBytes, 0644); err != nil { - return fmt.Errorf("failed to save SSL Cert: %w", err) + if s.SSLKey, err = certificate.WriteFile(fmt.Sprintf("%s_dm.key", name), s.SSLKeyBytes); err != nil { + return err } return nil } diff --git a/dm/config/security_test.go b/dm/config/security_test.go index 40e4c833c9a..c713229d6c0 100644 --- a/dm/config/security_test.go +++ b/dm/config/security_test.go @@ -106,6 +106,9 @@ func (c *testTLSConfig) TestLoadAndClearContent() { c.Require().Len(s.SSLCABytes, 0) c.Require().Len(s.SSLCertBytes, 0) c.Require().Len(s.SSLKeyBytes, 0) + c.Require().Equal(s.SSLCA, "") + c.Require().Equal(s.SSLCert, "") + c.Require().Equal(s.SSLKey, "") s.SSLCABase64 = "MTIz" err = s.LoadTLSContent() diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index ff401acd158..1d365507f84 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go 
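Review bot: The private key in `s.SSLKeyBytes` is now written to disk through `certificate.WriteFile`, and neither the file mode nor the directory it uses is visible in this hunk; the code being replaced wrote it with `0644` into `os.TempDir()`, i.e. world-readable in a shared location, so it is worth confirming that WriteFile creates the key file with `0600` in a directory private to the worker before relying on it. The three `return err` lines drop the context the old messages carried; wrap them, e.g. `return fmt.Errorf("writing SSL key file for %q: %w", name, err)`, so a failure says which file could not be written. The hunk also fixes the old swap where `s.SSLKey` received the `_dm.pem` name and `s.SSLCert` the `_dm.key` name, which deserves a mention in the commit message.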
@@ -253,6 +253,7 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig, SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent), CertAllowedCN: certAllowedCN, } + // TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server if err := subTaskCfg.LoaderConfig.Security.WriteFiles(subTaskCfg.Name); err != nil { return nil, terror.ErrOpenAPICommonError.Generatef("Save tls config files files, message=%s", err.Error()) } diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 14b2b510fa5..ab4dd26cd7a 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go @@ -106,7 +106,6 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st // MakeGlobalConfig converts subtask config to lightning global config. func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig { lightningCfg := lcfg.NewGlobalConfig() - // use loader's security as global security config if cfg.LoaderConfig.Security != nil { lightningCfg.Security.CAPath = cfg.LoaderConfig.Security.SSLCA lightningCfg.Security.CertPath = cfg.LoaderConfig.Security.SSLCert diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go index c1d0f2aec37..b154b1ee99c 100644 --- a/dm/loader/lightning_test.go +++ b/dm/loader/lightning_test.go @@ -21,6 +21,8 @@ import ( "github.com/pingcap/tidb/pkg/lightning/common" lcfg "github.com/pingcap/tidb/pkg/lightning/config" "github.com/pingcap/tiflow/dm/config" + certificate "github.com/pingcap/tiflow/pkg/security" + "github.com/pingcap/tiflow/dm/config/dbconfig" "github.com/pingcap/tiflow/dm/config/security" "github.com/pingcap/tiflow/dm/pkg/terror" 
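Review bot: The new TODO has typos ("workround", "ceritificates") and does not point at anything a reader can follow up; since it documents a security-relevant detour (certificate content being written to files because verification cannot use in-memory content on the PD path), it should name the tracking issue: `// TODO(<issue-id placeholder>): workaround - certificates supplied as content cannot be verified when lightning reaches PD through the pdctl library, so they are written to files first.` OpenAPITaskToSubTaskConfigs starts before and ends after this hunk.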
@@ -29,15 +31,6 @@ import ( "github.com/stretchr/testify/require" ) -var ( - caPath = "tls_conf/ca.pem" - caPath2 = "tls_conf/ca2.pem" - certPath = "tls_conf/dm.pem" - certPath2 = "tls_conf/tidb.pem" - keyPath = "tls_conf/dm.key" - keyPath2 = "tls_conf/tidb.key" -) - func TestSetLightningConfig(t *testing.T) { t.Parallel() 
@@ -111,60 +104,66 @@ func TestGetLightiningConfig(t *testing.T) { require.NoError(t, err) require.Equal(t, lcfg.CheckpointDriverMySQL, conf.Checkpoint.Driver) - cases := []struct { - globalSecurityCfg *lcfg.Security - loaderSecurityCfg *security.Security - toSecurityCfg *security.Security - }{ - { - globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}, - loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}, - toSecurityCfg: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, - }, - { - globalSecurityCfg: &lcfg.Security{CAPath: caPath}, - loaderSecurityCfg: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}, - toSecurityCfg: &security.Security{SSLCA: caPath}, - }, - { - globalSecurityCfg: &lcfg.Security{CAPath: caPath}, - toSecurityCfg: &security.Security{SSLCA: caPath}, - }, - { - globalSecurityCfg: &lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}, - toSecurityCfg: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, - }, - { - globalSecurityCfg: &lcfg.Security{CAPath: caPath}, - toSecurityCfg: &security.Security{SSLCA: caPath}, - }, - { - globalSecurityCfg: &lcfg.Security{}, - toSecurityCfg: &security.Security{}, - }, - } - // GetLightningConfig will varify certificates formate, so using real certificates. 
- for _, c := range cases { - conf, err = GetLightningConfig( - &lcfg.GlobalConfig{Security: *c.globalSecurityCfg}, - &config.SubTaskConfig{ - LoaderConfig: config.LoaderConfig{Security: c.loaderSecurityCfg}, - To: dbconfig.DBConfig{Security: c.toSecurityCfg}, - }) - require.NoError(t, err) - require.Equal(t, c.globalSecurityCfg.CAPath, conf.TiDB.Security.CAPath) - require.Equal(t, c.globalSecurityCfg.CertPath, conf.TiDB.Security.CertPath) - require.Equal(t, c.globalSecurityCfg.KeyPath, conf.TiDB.Security.KeyPath) - if c.loaderSecurityCfg == nil { - require.Equal(t, c.globalSecurityCfg.CAPath, conf.Security.CAPath) - require.Equal(t, c.globalSecurityCfg.CertPath, conf.Security.CertPath) - require.Equal(t, c.globalSecurityCfg.KeyPath, conf.Security.KeyPath) - } else { - require.Equal(t, c.loaderSecurityCfg.SSLCA, conf.Security.CAPath) - require.Equal(t, c.loaderSecurityCfg.SSLCert, conf.Security.CertPath) - require.Equal(t, c.loaderSecurityCfg.SSLKey, conf.Security.KeyPath) - } - } + ca, err := certificate.NewCA() + require.NoError(t, err) + cert, key, err := ca.GenerateCerts("dm") + require.NoError(t, err) + caPath, err := certificate.WriteFile("dm-test-client-cert", ca.CAPEM) + require.NoError(t, err) + certPath, err := certificate.WriteFile("dm-test-client-cert", cert) + require.NoError(t, err) + keyPath, err := certificate.WriteFile("dm-test-client-key", key) + require.NoError(t, err) + ca, err = certificate.NewCA() + require.NoError(t, err) + cert, key, err = ca.GenerateCerts("dm") + require.NoError(t, err) + caPath2, err := certificate.WriteFile("dm-test-client-cert2", ca.CAPEM) + require.NoError(t, err) + certPath2, err := certificate.WriteFile("dm-test-client-cert2", cert) + require.NoError(t, err) + keyPath2, err := certificate.WriteFile("dm-test-client-key2", key) + require.NoError(t, err) + + conf, err = GetLightningConfig( + &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, + &config.SubTaskConfig{ + 
LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, + To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, + }) + require.NoError(t, err) + require.Equal(t, conf.Security.CAPath, caPath) + require.Equal(t, conf.Security.CertPath, certPath) + require.Equal(t, conf.Security.KeyPath, keyPath) + require.Equal(t, conf.TiDB.Security.CAPath, caPath2) + require.Equal(t, conf.TiDB.Security.CertPath, certPath2) + require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2) + conf, err = GetLightningConfig( + &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, + &config.SubTaskConfig{ + LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, + To: dbconfig.DBConfig{}, + }) + require.NoError(t, err) + require.Equal(t, conf.Security.CAPath, caPath) + require.Equal(t, conf.Security.CertPath, certPath) + require.Equal(t, conf.Security.KeyPath, keyPath) + require.Equal(t, conf.TiDB.Security.CAPath, caPath) + require.Equal(t, conf.TiDB.Security.CertPath, certPath) + require.Equal(t, conf.TiDB.Security.KeyPath, keyPath) + conf, err = GetLightningConfig( + &lcfg.GlobalConfig{}, + &config.SubTaskConfig{ + LoaderConfig: config.LoaderConfig{}, + To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, + }) + require.NoError(t, err) + require.Equal(t, conf.Security.CAPath, "") + require.Equal(t, conf.Security.CertPath, "") + require.Equal(t, conf.Security.KeyPath, "") + require.Equal(t, conf.TiDB.Security.CAPath, caPath2) + require.Equal(t, conf.TiDB.Security.CertPath, certPath2) + require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2) // invalid security file path _, err = GetLightningConfig( &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: "caPath"}}, 
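Review bot: The six files written with `certificate.WriteFile` (two CAs, two client certs and two private keys) are never removed, so every run of TestGetLightiningConfig leaves freshly generated private key material on disk; register removal with `t.Cleanup(func() { for _, p := range []string{caPath, certPath, keyPath, caPath2, certPath2, keyPath2} { os.Remove(p) } })` right after they are created. The first CA and the first client certificate are both written under the name `"dm-test-client-cert"`; this is only safe if WriteFile derives a unique path per call rather than using the name literally, which is not visible here and should be confirmed. The comment `// GetLightningConfig will varify certificates formate, so using real certificates.` should read `// GetLightningConfig verifies the certificate format, so real certificates are generated here.` The test function begins before this hunk.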
diff --git a/dm/loader/tls_conf/ca.pem b/dm/loader/tls_conf/ca.pem deleted file mode 100644 index 9fc215fa83b..00000000000 --- a/dm/loader/tls_conf/ca.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBGDCBwAIJAOjYXLFw5V1HMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMMCWxvY2Fs -aG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owFDESMBAGA1UE -AwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEglCIJD8uVBfD -kuM+UQP+VA7Srbz17WPLA0Sqc+sQ2p6fT6HYKCW60EXiZ/yEC0925iyVbXEEbX4J -xCc2Heow5TAKBggqhkjOPQQDAgNHADBEAiAILL3Zt/3NFeDW9c9UAcJ9lc92E0ZL -GNDuH6i19Fex3wIgT0ZMAKAFSirGGtcLu0emceuk+zVKjJzmYbsLdpj/JuQ= ------END CERTIFICATE----- diff --git a/dm/loader/tls_conf/ca2.pem b/dm/loader/tls_conf/ca2.pem deleted file mode 100644 index bd1ad59f121..00000000000 --- a/dm/loader/tls_conf/ca2.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBdzCCAR6gAwIBAgIUFlKn4vgSaM5PPi5fdfHZjNsPvt0wCgYIKoZIzj0EAwIw -HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP -MjI5ODA5MjcwNjMwMjZaMBwxGjAYBgNVBAMMEVRpREIgU2Vjb25kYXJ5IENBMFkw -EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJoSquED75L7UgmezyHBUJlv7sGvHfeuR -RnU0SJVYZzftIAfzL6kwF1LGaezaY9aL/cCiULWMDddo1bLzNjB4vqM8MDowDAYD -VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFFLJmpVHrylfdqLu6lpR -ZOJgderfMAoGCCqGSM49BAMCA0cAMEQCIF2mBuhLfo42ynjoy0Fhz3Qch8huQrkx -mGKxdkBuS+rPAiAglztWHSmUCtqEMdTuds2ETsVVichpxdFh/aXiCb/BeQ== ------END CERTIFICATE----- diff --git a/dm/loader/tls_conf/dm.key b/dm/loader/tls_conf/dm.key deleted file mode 100644 index dfdc077bc4d..00000000000 --- a/dm/loader/tls_conf/dm.key +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICF/GDtVxhTPTP501nOu4jgwGSDY01xN+61xd9MfChw+oAoGCCqGSM49 -AwEHoUQDQgAEgQOv5bQO7xK16vZWhwJqlz2vl19+AXW2Ql7KQyGiBJVSvLbyDLOr -kIeFlHN04iqQ39SKSOSfeGSfRt6doU6IcA== ------END EC PRIVATE KEY----- 
diff --git a/dm/loader/tls_conf/dm.pem b/dm/loader/tls_conf/dm.pem deleted file mode 100644 index d4f846e3a22..00000000000 --- a/dm/loader/tls_conf/dm.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBZDCCAQqgAwIBAgIJAIT/lgXUc1JqMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMM -CWxvY2FsaG9zdDAgFw0yMDAzMTcxMjAwMzNaGA8yMjkzMTIzMTEyMDAzM1owDTEL -MAkGA1UEAwwCZG0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBA6/ltA7vErXq -9laHAmqXPa+XX34BdbZCXspDIaIElVK8tvIMs6uQh4WUc3TiKpDf1IpI5J94ZJ9G -3p2hTohwo0owSDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCwYDVR0PBAQD -AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAKBggqhkjOPQQDAgNI -ADBFAiEAx6ljJ+tNa55ypWLGNqmXlB4UdMmKmE4RSKJ8mmEelfECIG2ZmCE59rv5 -wImM6KnK+vM2QnEiISH3PeYyyRzQzycu ------END CERTIFICATE----- diff --git a/dm/loader/tls_conf/tidb.key b/dm/loader/tls_conf/tidb.key deleted file mode 100644 index b63b20db793..00000000000 --- a/dm/loader/tls_conf/tidb.key +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIB+YLzteL9sk+PZPEFf7sw+hhehG2bRV5TUV4NJgVsWXoAoGCCqGSM49 -AwEHoUQDQgAELO1031XONFkiJPFm7Kbb974443lSM8eGEZzVUUWK/WAZ3p03W5o/ -jeFgesLPuKqcV+9p7bG7McVKDsC42OFg4w== ------END EC PRIVATE KEY----- diff --git a/dm/loader/tls_conf/tidb.pem b/dm/loader/tls_conf/tidb.pem deleted file mode 100644 index e59a9eae172..00000000000 --- a/dm/loader/tls_conf/tidb.pem +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBxjCCAWygAwIBAgIUJGaNzv0WzN4CfSj7LaNQN8arHvMwCgYIKoZIzj0EAwIw -HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP -MjI5ODA5MjcwNjMwMjZaMA8xDTALBgNVBAMMBFRpREIwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAAQs7XTfVc40WSIk8Wbsptv3vjjjeVIzx4YRnNVRRYr9YBnenTdb -mj+N4WB6ws+4qpxX72ntsbsxxUoOwLjY4WDjo4GWMIGTMBoGA1UdEQQTMBGCCWxv -Y2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG -CCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLK+e+wKHWmmXPiHjMApdKwf -KhcpMB8GA1UdIwQYMBaAFFLJmpVHrylfdqLu6lpRZOJgderfMAoGCCqGSM49BAMC -A0gAMEUCIC2xVpVTSqMMl38Lu7wTfX8iv/5hcjKoH8v69cZGsyDKAiEA6NIpjV7D -lBnFi5oiKpdJIWD53D2A/yFrI6VEDprblyw= ------END CERTIFICATE----- diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 192a6cd7a3e..decdea265d8 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -1105,7 +1105,7 @@ function test_tls() { openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 task_name="task-tls-error" - # miss pd cert and key certificate + # miss cert and key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$(cat $cur/tls_conf/ca2.pem)" "" "" \ "$(cat $cur/tls_conf/ca.pem)" "" "" 
@@ -1113,18 +1113,10 @@ function test_tls() { openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$(cat $cur/tls_conf/ca2.pem)" "" "$(cat $cur/tls_conf/tidb.key)" \ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" - # miss tidb key certificatete - openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "" \ - "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$cur/tls_conf/dm.key)" # miss pd key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "" - # miss pd cert certificate - openapi_task_check "create_noshard_task_with_security_failed" $task_name \ - "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ - "$(cat $cur/tls_conf/ca.pem)" "" "$(cat $cur/tls_conf/dm.key)" # miss pd all certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ From 8eb23201ae74af238f5052e288e0d1255db4a7f0 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Wed, 18 Dec 2024 23:01:18 +0800 Subject: [PATCH 44/63] fmt --- dm/loader/lightning_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go index b154b1ee99c..85142b2e4e3 100644 --- a/dm/loader/lightning_test.go +++ b/dm/loader/lightning_test.go 
@@ -21,11 +21,10 @@ import ( "github.com/pingcap/tidb/pkg/lightning/common" lcfg "github.com/pingcap/tidb/pkg/lightning/config" "github.com/pingcap/tiflow/dm/config" - certificate "github.com/pingcap/tiflow/pkg/security" - "github.com/pingcap/tiflow/dm/config/dbconfig" "github.com/pingcap/tiflow/dm/config/security" "github.com/pingcap/tiflow/dm/pkg/terror" + certificate "github.com/pingcap/tiflow/pkg/security" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "github.com/stretchr/testify/require" From f97959d8accd2ec096901ff4aa3049ae6bc8a5b0 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:44:46 +0800 Subject: [PATCH 45/63] fix test --- dm/tests/openapi/run.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index decdea265d8..0bf6561dd17 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh @@ -1122,6 +1122,10 @@ function test_tls() { "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ "" "" "" + killall -9 tidb-server 2>/dev/null || true + killall -9 tikv-server 2>/dev/null || true + killall -9 pd-server 2>/dev/null || true + run_tidb_server 4000 $TIDB_PASSWORD echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TEST OPENAPI: TLS SUCCESS" } From 5863835a67e3919c94073944666b224ed90feaaf Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 19 Dec 2024 16:16:41 +0800 Subject: [PATCH 46/63] fix test --- dm/tests/openapi/run.sh | 8 -------- 1 file changed, 8 deletions(-) diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 0bf6561dd17..7341734f0cf 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
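Review bot: In the run.sh hunk (`@@ -1122,6 +1122,10 @@`) `killall -9 tidb-server` / `tikv-server` / `pd-server` terminates every process with those names on the host, not only the TLS cluster this test started, and SIGKILL skips any orderly shutdown; if the start helper records PIDs (not visible here), kill those instead, otherwise at least scope the kill to the test's own processes. Only `run_tidb_server 4000 $TIDB_PASSWORD` is restarted while tikv-server and pd-server are also killed, which looks intentional for the following non-TLS tests but deserves a one-line comment, e.g. `# tear down the TLS cluster and bring back the plain TiDB used by the remaining cases`. test_tls starts before this hunk.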
@@ -1096,14 +1096,6 @@ function test_tls() { check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml - task_name="task-tls-2" - openapi_task_check "create_noshard_task_with_security_success" $task_name "t3" \ - "$(cat $cur/tls_conf/ca2.pem)" "" "" \ - "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" - openapi_task_check "start_task_success" $task_name "" - openapi_task_check "get_task_status_success" $task_name 2 - openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 - task_name="task-tls-error" # miss cert and key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ From 6dc9d5f4177c04661d8a5791f42403e470b8a050 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Thu, 19 Dec 2024 16:32:28 +0800 Subject: [PATCH 47/63] fix test --- dm/config/security/security.go | 3 --- dm/config/security_test.go | 3 --- dm/loader/lightning.go | 19 ++++++++------ dm/loader/lightning_test.go | 46 +++++++++++++++++----------------- 4 files changed, 34 insertions(+), 37 deletions(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index a3670902877..4ec521d23eb 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go @@ -85,9 +85,6 @@ func (s *Security) ClearSSLBytesData() { s.SSLCABytes = s.SSLCABytes[:0] s.SSLKeyBytes = s.SSLKeyBytes[:0] s.SSLCertBytes = s.SSLCertBytes[:0] - s.SSLCA = "" - s.SSLCert = "" - s.SSLKey = "" } // Clone returns a deep copy of Security. diff --git a/dm/config/security_test.go b/dm/config/security_test.go index c713229d6c0..40e4c833c9a 100644 --- a/dm/config/security_test.go +++ b/dm/config/security_test.go 
@@ -106,9 +106,6 @@ func (c *testTLSConfig) TestLoadAndClearContent() {
 c.Require().Len(s.SSLCABytes, 0)
 c.Require().Len(s.SSLCertBytes, 0)
 c.Require().Len(s.SSLKeyBytes, 0)
- c.Require().Equal(s.SSLCA, "")
- c.Require().Equal(s.SSLCert, "")
- c.Require().Equal(s.SSLKey, "")
 s.SSLCABase64 = "MTIz"
 err = s.LoadTLSContent()
diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go
index ab4dd26cd7a..61e5e437c00 100644
--- a/dm/loader/lightning.go
+++ b/dm/loader/lightning.go
@@ -106,10 +106,10 @@ func NewLightning(cfg *config.SubTaskConfig, cli *clientv3.Client, workerName st
 // MakeGlobalConfig converts subtask config to lightning global config.
 func MakeGlobalConfig(cfg *config.SubTaskConfig) *lcfg.GlobalConfig {
 lightningCfg := lcfg.NewGlobalConfig()
- if cfg.LoaderConfig.Security != nil {
- lightningCfg.Security.CAPath = cfg.LoaderConfig.Security.SSLCA
- lightningCfg.Security.CertPath = cfg.LoaderConfig.Security.SSLCert
- lightningCfg.Security.KeyPath = cfg.LoaderConfig.Security.SSLKey
+ if cfg.To.Security != nil {
+ lightningCfg.Security.CABytes = cfg.To.Security.SSLCABytes
+ lightningCfg.Security.CertBytes = cfg.To.Security.SSLCertBytes
+ lightningCfg.Security.KeyBytes = cfg.To.Security.SSLKeyBytes
 }
 lightningCfg.TiDB.Host = cfg.To.Host
 lightningCfg.TiDB.Psw = cfg.To.Password
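Review bot: MakeGlobalConfig now takes the global security config from `cfg.To.Security.*Bytes` only, so a downstream config whose certificates are given as file paths (`SSLCA`/`SSLCert`/`SSLKey`, which the same struct carries according to the other hunks in this series) ends up with an empty `lightningCfg.Security` unless an earlier step fills the byte fields from those paths, which is not visible here; either also copy the paths or state the precondition. The rule has flipped twice in this series without a comment surviving, so restore one: `// the global (PD/TiKV) security config is derived from the downstream TiDB security config; the loader's own certificates are applied in GetLightningConfig`. MakeGlobalConfig continues beyond this hunk.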
@@ -330,10 +330,13 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask
 return nil, err
 }
 cfg.TiDB.Security = &globalCfg.Security
- if subtaskCfg.To.Security != nil {
- cfg.TiDB.Security.CAPath = subtaskCfg.To.Security.SSLCA
- cfg.TiDB.Security.CertPath = subtaskCfg.To.Security.SSLCert
- cfg.TiDB.Security.KeyPath = subtaskCfg.To.Security.SSLKey
+ if subtaskCfg.LoaderConfig.Security != nil {
+ cfg.Security.CABytes = cfg.Security.CABytes[:0]
+ cfg.Security.CertBytes = cfg.Security.CertBytes[:0]
+ cfg.Security.KeyBytes = cfg.Security.KeyBytes[:0]
+ cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA
+ cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert
+ cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey
 }
 // TableConcurrency is adjusted to the value of RegionConcurrency
 // when using TiDB backend.
diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go
index 85142b2e4e3..83f8e99e8bf 100644
--- a/dm/loader/lightning_test.go
+++ b/dm/loader/lightning_test.go
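Review bot: `cfg.Security.CABytes = cfg.Security.CABytes[:0]` (and the two lines after it) only zero the slice length; the backing array still holds the CA, certificate and private key bytes and stays reachable from `cfg` for as long as the config lives. Since the intent is to make the path fields authoritative, drop the references outright: `cfg.Security.CABytes, cfg.Security.CertBytes, cfg.Security.KeyBytes = nil, nil, nil`, with a comment such as `// paths take precedence; drop the in-memory copies so the key is not retained twice`. GetLightningConfig starts before and ends after this hunk.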
@@ -127,21 +127,34 @@ func TestGetLightiningConfig(t *testing.T) { conf, err = GetLightningConfig( &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, &config.SubTaskConfig{ - LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, - To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, + To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, + LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, }) require.NoError(t, err) - require.Equal(t, conf.Security.CAPath, caPath) - require.Equal(t, conf.Security.CertPath, certPath) - require.Equal(t, conf.Security.KeyPath, keyPath) - require.Equal(t, conf.TiDB.Security.CAPath, caPath2) - require.Equal(t, conf.TiDB.Security.CertPath, certPath2) - require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2) + require.Equal(t, conf.Security.CAPath, caPath2) + require.Equal(t, conf.Security.CertPath, certPath2) + require.Equal(t, conf.Security.KeyPath, keyPath2) + require.Equal(t, conf.TiDB.Security.CAPath, caPath) + require.Equal(t, conf.TiDB.Security.CertPath, certPath) + require.Equal(t, conf.TiDB.Security.KeyPath, keyPath) conf, err = GetLightningConfig( - &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, + &lcfg.GlobalConfig{}, &config.SubTaskConfig{ - LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, To: dbconfig.DBConfig{}, + LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, + }) + require.NoError(t, err) + require.Equal(t, conf.Security.CAPath, caPath2) + require.Equal(t, conf.Security.CertPath, certPath2) + require.Equal(t, conf.Security.KeyPath, keyPath2) + require.Equal(t, 
conf.TiDB.Security.CAPath, "") + require.Equal(t, conf.TiDB.Security.CertPath, "") + require.Equal(t, conf.TiDB.Security.KeyPath, "") + conf, err = GetLightningConfig( + &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, + &config.SubTaskConfig{ + To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, + LoaderConfig: config.LoaderConfig{}, }) require.NoError(t, err) require.Equal(t, conf.Security.CAPath, caPath) @@ -150,19 +163,6 @@ func TestGetLightiningConfig(t *testing.T) { require.Equal(t, conf.TiDB.Security.CAPath, caPath) require.Equal(t, conf.TiDB.Security.CertPath, certPath) require.Equal(t, conf.TiDB.Security.KeyPath, keyPath) - conf, err = GetLightningConfig( - &lcfg.GlobalConfig{}, - &config.SubTaskConfig{ - LoaderConfig: config.LoaderConfig{}, - To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, - }) - require.NoError(t, err) - require.Equal(t, conf.Security.CAPath, "") - require.Equal(t, conf.Security.CertPath, "") - require.Equal(t, conf.Security.KeyPath, "") - require.Equal(t, conf.TiDB.Security.CAPath, caPath2) - require.Equal(t, conf.TiDB.Security.CertPath, certPath2) - require.Equal(t, conf.TiDB.Security.KeyPath, keyPath2) // invalid security file path _, err = GetLightningConfig( &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: "caPath"}}, From 1e887f8338e472e0728cbdd1d8996b78d0947de6 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 20 Dec 2024 11:51:44 +0800 Subject: [PATCH 48/63] fix --- dm/config/security/security.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index 4ec521d23eb..84143fab0ae 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go 
@@ -103,15 +103,15 @@ func (s *Security) Clone() *Security { return &clone } -func (s *Security) WriteFiles(name string) error { +func (s *Security) WriteFiles(fileName string) error { var err error - if s.SSLCA, err = certificate.WriteFile(fmt.Sprintf("%s_ca.pem", name), s.SSLCABytes); err != nil { + if s.SSLCA, err = certificate.WriteFile(fileName, s.SSLCABytes); err != nil { return err } - if s.SSLCert, err = certificate.WriteFile(fmt.Sprintf("%s_dm.pem", name), s.SSLCertBytes); err != nil { + if s.SSLCert, err = certificate.WriteFile(fileName, s.SSLCertBytes); err != nil { return err } - if s.SSLKey, err = certificate.WriteFile(fmt.Sprintf("%s_dm.key", name), s.SSLKeyBytes); err != nil { + if s.SSLKey, err = certificate.WriteFile(fileName, s.SSLKeyBytes); err != nil { return err } return nil From 038f1fcb0061036f39a43fa6eb7a8b69673a5545 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:30:48 +0800 Subject: [PATCH 49/63] fix --- dm/loader/lightning.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 61e5e437c00..41d82172bdd 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go @@ -331,6 +331,11 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask } cfg.TiDB.Security = &globalCfg.Security if subtaskCfg.LoaderConfig.Security != nil { + // TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server + // To avoid loss certificate files due to worker restart, rewrite the certificate files when getting the lightning configuration + if err := subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name); err != nil { + return nil, err + } cfg.Security.CABytes = cfg.Security.CABytes[:0] cfg.Security.CertBytes = cfg.Security.CertBytes[:0] cfg.Security.KeyBytes = cfg.Security.KeyBytes[:0] 
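Review bot: All three `certificate.WriteFile` calls now receive the same `fileName`, so the result is correct only if WriteFile derives a distinct path on every call (a temp-file pattern, say); if it uses the name literally, `s.SSLCA`, `s.SSLCert` and `s.SSLKey` all end up pointing at one file whose final content is the private key, which would both break TLS and expose the key under the CA path. That contract is not visible in this hunk and should be stated next to the calls, e.g. `// certificate.WriteFile creates a fresh file per call; fileName is only a prefix`. If `fmt` has no other use in this file after the change, the import now needs to go as well.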
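Review bot: In the lightning.go hunk (`@@ -331,6 +331,11 @@`) `subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name)` now runs on every GetLightningConfig call, and nothing removes what it writes; combined with per-call unique file names this duplicates the private key on disk each time the configuration is built and leaves every copy behind, including after the task is stopped. Write the files once per task lifetime (or re-use existing paths when they still exist) and remove them on task stop, and say so in the comment: `// written once per task; removed by the task's close path`. The TODO text also repeats the "workround"/"ceritificates" typos from the earlier comment. GetLightningConfig starts before and ends after this hunk.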
From bddf2dcc77818bcbd67ca1ab9a8761a1eae2308c Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 20 Dec 2024 17:50:37 +0800 Subject: [PATCH 50/63] fix --- dm/config/task_converters.go | 4 ---- dm/loader/lightning.go | 26 ++++++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/dm/config/task_converters.go b/dm/config/task_converters.go index 1d365507f84..a05ca5856f8 100644 --- a/dm/config/task_converters.go +++ b/dm/config/task_converters.go @@ -253,10 +253,6 @@ func OpenAPITaskToSubTaskConfigs(task *openapi.Task, toDBCfg *dbconfig.DBConfig, SSLKeyBytes: []byte(fullCfg.Security.SslKeyContent), CertAllowedCN: certAllowedCN, } - // TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server - if err := subTaskCfg.LoaderConfig.Security.WriteFiles(subTaskCfg.Name); err != nil { - return nil, terror.ErrOpenAPICommonError.Generatef("Save tls config files files, message=%s", err.Error()) - } } if fullCfg.RangeConcurrency != nil { subTaskCfg.LoaderConfig.RangeConcurrency = *fullCfg.RangeConcurrency diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 41d82172bdd..21d19e26c61 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
@@ -331,17 +331,23 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask } cfg.TiDB.Security = &globalCfg.Security if subtaskCfg.LoaderConfig.Security != nil { - // TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server - // To avoid loss certificate files due to worker restart, rewrite the certificate files when getting the lightning configuration - if err := subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name); err != nil { - return nil, err + if subtaskCfg.LoaderConfig.Security.SSLCA != "" && subtaskCfg.LoaderConfig.Security.SSLCert != "" && subtaskCfg.LoaderConfig.Security.SSLKey != "" { + cfg.Security.CAPath = subtaskCfg.Security.SSLCA + cfg.Security.CertPath = subtaskCfg.Security.SSLCert + cfg.Security.KeyPath = subtaskCfg.Security.SSLKey + } else { + // TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server + // To avoid loss certificate files due to worker restart, rewrite the certificate files when getting the lightning configuration + if err := subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name); err != nil { + return nil, err + } + cfg.Security.CABytes = cfg.Security.CABytes[:0] + cfg.Security.CertBytes = cfg.Security.CertBytes[:0] + cfg.Security.KeyBytes = cfg.Security.KeyBytes[:0] + cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA + cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert + cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey } - cfg.Security.CABytes = cfg.Security.CABytes[:0] - cfg.Security.CertBytes = cfg.Security.CertBytes[:0] - cfg.Security.KeyBytes = cfg.Security.KeyBytes[:0] - cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA - cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert - cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey } // TableConcurrency is adjusted to the value of 
RegionConcurrency // when using TiDB backend. From 0c17c5cc3e7e16f9768ce1c0f4533e9e4f95ea4e Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:02:34 +0800 Subject: [PATCH 51/63] fix --- dm/loader/lightning.go | 34 ++++++---- .../_utils/run_downstream_cluster_with_tls | 62 +++++++++-------- dm/tests/openapi/client/openapi_task_check | 67 +++++++++++++++++-- dm/tests/openapi/run.sh | 21 +++++- dm/tests/openapi/tls_conf/ca2.pem | 15 ++--- dm/tests/openapi/tls_conf/tidb.key | 6 +- dm/tests/openapi/tls_conf/tidb.pem | 18 +++-- 7 files changed, 153 insertions(+), 70 deletions(-) diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 21d19e26c61..52e974d15b9 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
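Review bot: The new "paths already set" branch reads `subtaskCfg.Security.SSLCA/SSLCert/SSLKey`, whereas its own condition and the `else` branch read `subtaskCfg.LoaderConfig.Security`; unless SubTaskConfig also exposes a top-level Security with the same meaning (not visible here), this copies paths from a different struct than the one just checked for being non-empty. The branch also leaves `cfg.Security.CABytes/CertBytes/KeyBytes` as inherited from the global config while the `else` branch clears them, so lightning can end up with both inline content and paths set, and the precedence between the two is not stated anywhere. Suggest `cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA` (likewise for CertPath/KeyPath) and clearing the byte fields in both branches. `GetLightningConfig` begins and ends outside this hunk.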
@@ -330,24 +330,32 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask return nil, err } cfg.TiDB.Security = &globalCfg.Security + // TODO: Just a workround since using SslContent cannot verify certificates correctly when lightning use pdctl lib access PD server. + // Write certificates content to file when loader using SslContent or set db security only. if subtaskCfg.LoaderConfig.Security != nil { - if subtaskCfg.LoaderConfig.Security.SSLCA != "" && subtaskCfg.LoaderConfig.Security.SSLCert != "" && subtaskCfg.LoaderConfig.Security.SSLKey != "" { - cfg.Security.CAPath = subtaskCfg.Security.SSLCA - cfg.Security.CertPath = subtaskCfg.Security.SSLCert - cfg.Security.KeyPath = subtaskCfg.Security.SSLKey - } else { - // TODO: Just a workround for using SslContent cannot verify ceritificates when lightning use pdctl lib access PD server - // To avoid loss certificate files due to worker restart, rewrite the certificate files when getting the lightning configuration + if len(subtaskCfg.LoaderConfig.Security.SSLCABytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLCertBytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLKeyBytes) != 0 { if err := subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name); err != nil { return nil, err } - cfg.Security.CABytes = cfg.Security.CABytes[:0] - cfg.Security.CertBytes = cfg.Security.CertBytes[:0] - cfg.Security.KeyBytes = cfg.Security.KeyBytes[:0] - cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA - cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert - cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey } + cfg.Security.CABytes = subtaskCfg.LoaderConfig.Security.SSLCABytes + cfg.Security.CertBytes = subtaskCfg.LoaderConfig.Security.SSLCertBytes + cfg.Security.KeyBytes = subtaskCfg.LoaderConfig.Security.SSLKeyBytes + cfg.Security.CAPath = subtaskCfg.LoaderConfig.Security.SSLCA + cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert + 
cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey + } else if subtaskCfg.To.Security != nil { + if len(subtaskCfg.To.Security.SSLCABytes) != 0 && len(subtaskCfg.To.Security.SSLCertBytes) != 0 && len(subtaskCfg.To.Security.SSLKeyBytes) != 0 { + if err := subtaskCfg.To.Security.WriteFiles(subtaskCfg.Name); err != nil { + return nil, err + } + } + cfg.Security.CABytes = subtaskCfg.To.Security.SSLCABytes + cfg.Security.CertBytes = subtaskCfg.To.Security.SSLCertBytes + cfg.Security.KeyBytes = subtaskCfg.To.Security.SSLKeyBytes + cfg.Security.CAPath = subtaskCfg.To.Security.SSLCA + cfg.Security.CertPath = subtaskCfg.To.Security.SSLCert + cfg.Security.KeyPath = subtaskCfg.To.Security.SSLKey } // TableConcurrency is adjusted to the value of RegionConcurrency // when using TiDB backend. diff --git a/dm/tests/_utils/run_downstream_cluster_with_tls b/dm/tests/_utils/run_downstream_cluster_with_tls index 3f0cf58d3f6..cb44465515b 100755 --- a/dm/tests/_utils/run_downstream_cluster_with_tls +++ b/dm/tests/_utils/run_downstream_cluster_with_tls @@ -4,6 +4,12 @@ set -eux WORK_DIR="${1}_deploy_tidb" CONF_DIR=$2 +CLUSTER_CA_FILE=$3 +CLUSTER_CERT_FILE=$4 +CLUSTER_KEY_FILE=$5 +DB_CA_FILE=$6 +DB_CERT_FILE=$7 +DB_KEY_FILE=$8 export PD_PEER_ADDR_TLS="127.0.0.1:23800" export PD_ADDR_TLS="127.0.0.1:23790" @@ -25,10 +31,10 @@ start_pd() { # The number of replicas for each region. max-replicas = 1 [security] -cacert-path = "$CONF_DIR/ca.pem" -cert-path = "$CONF_DIR/dm.pem" -key-path = "$CONF_DIR/dm.key" -cert-verify-cn = ["TiDB", "dm", "localhost"] +cacert-path = "$CONF_DIR/$CLUSTER_CA_FILE" +cert-path = "$CONF_DIR/$CLUSTER_CERT_FILE" +key-path = "$CONF_DIR/$CLUSTER_KEY_FILE" +cert-verify-cn = ["TiDB", "tidb", "dm", "localhost"] EOF bin/pd-server --version 
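Review bot: The write is gated only on the three `*Bytes` fields being non-empty, so a loader (or target) security that carries both inline content and explicit `ssl-ca`/`ssl-cert`/`ssl-key` paths has its user-supplied paths silently replaced by freshly written temp files, and because `WriteFiles` stores the new paths back into the shared `Security` pointer the rewrite repeats on every call. Gate it on the paths being unset as well: `&& sec.SSLCA == "" && sec.SSLCert == "" && sec.SSLKey == ""`. Both branches then assign the same six fields from either `LoaderConfig.Security` or `To.Security`; a small helper taking the `*security.Security` would remove the duplication and make the fallback to the downstream DB's client credentials for PD — a deliberate choice that deserves a sentence in the comment — easier to see. `GetLightningConfig` begins and ends outside this hunk.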
@@ -42,8 +48,8 @@ EOF sleep 5 i=0 while true; do - response=$(curl -s -o /dev/null -w "%{http_code}" --cacert "$CONF_DIR/ca.pem" --cert "$CONF_DIR/dm.pem" \ - --key "$CONF_DIR/dm.key" "https://$PD_ADDR_TLS/pd/api/v1/version" || echo "") + response=$(curl -s -o /dev/null -w "%{http_code}" --cacert "$CONF_DIR/$CLUSTER_CA_FILE" --cert "$CONF_DIR/$CLUSTER_CERT_FILE" \ + --key "$CONF_DIR/$CLUSTER_KEY_FILE" "https://$PD_ADDR_TLS/pd/api/v1/version" || echo "") echo "curl response: $response" if [ "$response" -eq 200 ]; then echo 'Start PD success' @@ -57,9 +63,9 @@ EOF echo 'Waiting for PD ready...' sleep 3 done - echo "curl PD port with wrong TLS config" - if ! output=$(curl --cacert "$CONF_DIR/ca2.pem" --cert "$CONF_DIR/tidb.pem" \ - --key "$CONF_DIR/tidb.key" "https://$PD_ADDR_TLS/pd/api/v1/version" 2>&1); then + echo "curl PD port with DB TLS config" + if ! output=$(curl --cacert "$CONF_DIR/$DB_CA_FILE" --cert "$CONF_DIR/$DB_CERT_FILE" \ + --key "$CONF_DIR/$DB_KEY_FILE" "https://$PD_ADDR_TLS/pd/api/v1/version" 2>&1); then echo "$output" fi } @@ -69,10 +75,10 @@ start_tikv() { cat >"$WORK_DIR/tikv-tls.toml" <&1); then echo "$output" fi diff --git a/dm/tests/openapi/client/openapi_task_check b/dm/tests/openapi/client/openapi_task_check index 0e35b158b58..c8c9b54cafe 100755 --- a/dm/tests/openapi/client/openapi_task_check +++ b/dm/tests/openapi/client/openapi_task_check @@ -149,7 +149,7 @@ def create_noshard_task_success(task_name, tartget_table_name="", task_mode="all print("create_noshard_task_success resp=", resp.json()) assert resp.status_code == 201 -def create_noshard_task_with_security_success( +def create_noshard_task_with_db_cluster_security_success( task_name, target_table, tidb_ca_content="",tidb_cert_content="",tidb_key_content="", cluster_ca_content="",cluster_cert_content="",cluster_key_content=""): 
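Review bot: The "curl PD port with DB TLS config" probe only echoes curl's output and never asserts an outcome, so it cannot catch the case it appears to exist for — PD accepting a client certificate from the DB CA when the two CAs differ — nor the opposite regression when they are the same. Since the script now receives both sets of files it can decide the expectation itself: `if [ "$CLUSTER_CA_FILE" != "$DB_CA_FILE" ] && curl -s --cacert "$CONF_DIR/$DB_CA_FILE" --cert "$CONF_DIR/$DB_CERT_FILE" --key "$CONF_DIR/$DB_KEY_FILE" "https://$PD_ADDR_TLS/pd/api/v1/version" >/dev/null 2>&1; then echo "PD accepted DB client certificate"; exit 1; fi`. `start_pd` begins outside this hunk.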
@@ -171,7 +171,7 @@ def create_noshard_task_with_security_success( "ssl_ca_content": tidb_ca_content, "ssl_cert_content": tidb_cert_content, "ssl_key_content": tidb_key_content, - "cert_allowed_cn": ["TiDB", "dm", "locahost"], + "cert_allowed_cn": ["tidb", "locahost"], } }, "table_migrate_rule": [ @@ -209,7 +209,63 @@ def create_noshard_task_with_security_success( }, } resp = requests.post(url=API_ENDPOINT, json={"task": task}) - print("create_noshard_task_with_security_success resp=", resp.json()) + print("create_noshard_task_with_db_cluster_security_success resp=", resp.json()) + assert resp.status_code == 201 + +def create_noshard_task_with_db_security_success( + task_name, target_table, + tidb_ca_content="",tidb_cert_content="",tidb_key_content=""): + task = { + "name": task_name, + "task_mode": "all", + "meta_schema": "dm-meta", + "enhance_online_schema_change": True, + "ignore_checking_items": [ + "all" + ], + "on_duplicate": "error", + "target_config": { + "host": "127.0.0.1", + "port": 4000, + "user": "root", + "password": "", + "security":{ + "ssl_ca_content": tidb_ca_content, + "ssl_cert_content": tidb_cert_content, + "ssl_key_content": tidb_key_content, + "cert_allowed_cn": ["tidb", "locahost"], + } + }, + "table_migrate_rule": [ + { + "source": { + "source_name": SOURCE1_NAME, + "schema": "openapi", + "table": "*", + }, + "target": {"schema": "openapi", "table": target_table}, + }, + { + "source": { + "source_name": SOURCE2_NAME, + "schema": "openapi", + "table": "*", + }, + "target": {"schema": "openapi", "table": target_table}, + }, + ], + "source_config": { + "source_conf": [ + {"source_name": SOURCE1_NAME}, + {"source_name": SOURCE2_NAME}, + ], + "full_migrate_conf": { + "import_mode": "physical", + } + }, + } + resp = requests.post(url=API_ENDPOINT, json={"task": task}) + print("create_noshard_task_with_db_security_success resp=", resp.json()) assert resp.status_code == 201 def create_noshard_task_with_security_failed( 
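Review bot: `"cert_allowed_cn": ["tidb", "locahost"]` in the new `create_noshard_task_with_db_security_success` (and in the two existing builders changed alongside it) misspells "localhost", so that entry can never match a certificate CN and the allow-list is effectively `["tidb"]`; the tests still pass because the new tidb.pem appears to carry CN "tidb", but the second entry is dead and would hide a regression in multi-entry CN matching. Change it to `"cert_allowed_cn": ["tidb", "localhost"]`. The new builder also repeats the whole task body of `create_noshard_task_with_db_cluster_security_success` with only `full_migrate_conf` differing — a shared builder taking an optional cluster `security` dict would keep the two fixtures from drifting.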
@@ -234,7 +290,7 @@ def create_noshard_task_with_security_failed( "ssl_ca_content": tidb_ca_content, "ssl_cert_content": tidb_cert_content, "ssl_key_content": tidb_key_content, - "cert_allowed_cn": ["TiDB"], + "cert_allowed_cn": ["tidb", "locahost"], } }, "table_migrate_rule": [ @@ -1014,7 +1070,8 @@ if __name__ == "__main__": "check_sync_task_status_success": check_sync_task_status_success, "check_load_task_finished_status_success": check_load_task_finished_status_success, "check_dump_task_finished_status_success": check_dump_task_finished_status_success, - "create_noshard_task_with_security_success": create_noshard_task_with_security_success, + "create_noshard_task_with_db_cluster_security_success": create_noshard_task_with_db_cluster_security_success, + "create_noshard_task_with_db_security_success": create_noshard_task_with_db_security_success, "create_noshard_task_with_security_failed": create_noshard_task_with_security_failed, "get_task_status_success_with_retry":get_task_status_success_with_retry, } diff --git a/dm/tests/openapi/run.sh b/dm/tests/openapi/run.sh index 7341734f0cf..83d6d6e9c6f 100644 --- a/dm/tests/openapi/run.sh +++ b/dm/tests/openapi/run.sh 
@@ -1080,14 +1080,14 @@ function test_tls() { # create source2 successfully openapi_source_check "create_source2_success" - echo "start downstream TiDB cluster with TLS" + echo "kill tidb and start downstream TiDB cluster with different TLS certificates" killall -9 tidb-server 2>/dev/null || true killall -9 tikv-server 2>/dev/null || true killall -9 pd-server 2>/dev/null || true - run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf + run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf ca.pem dm.pem dm.key ca2.pem tidb.pem tidb.key task_name="task-tls-1" - openapi_task_check "create_noshard_task_with_security_success" $task_name "" \ + openapi_task_check "create_noshard_task_with_db_cluster_security_success" $task_name "" \ "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" \ "$(cat $cur/tls_conf/ca.pem)" "$(cat $cur/tls_conf/dm.pem)" "$(cat $cur/tls_conf/dm.key)" openapi_task_check "start_task_success" $task_name "" 
@@ -1096,6 +1096,21 @@ function test_tls() { check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml + echo "kill tidb and start downstream TiDB cluster with same TLS certificates" + killall -9 tidb-server 2>/dev/null || true + killall -9 tikv-server 2>/dev/null || true + killall -9 pd-server 2>/dev/null || true + run_downstream_cluster_with_tls $WORK_DIR $cur/tls_conf ca2.pem tidb.pem tidb.key ca2.pem tidb.pem tidb.key + + task_name="task-tls-2" + openapi_task_check "create_noshard_task_with_db_security_success" $task_name "" \ + "$(cat $cur/tls_conf/ca2.pem)" "$(cat $cur/tls_conf/tidb.pem)" "$(cat $cur/tls_conf/tidb.key)" + openapi_task_check "start_task_success" $task_name "" + openapi_task_check "get_task_status_success" $task_name 2 + openapi_task_check "get_task_status_success_with_retry" $task_name "Sync" "Running" 50 + + check_sync_diff $WORK_DIR $cur/conf/diff_config_no_shard.toml + task_name="task-tls-error" # miss cert and key certificate openapi_task_check "create_noshard_task_with_security_failed" $task_name \ diff --git a/dm/tests/openapi/tls_conf/ca2.pem b/dm/tests/openapi/tls_conf/ca2.pem index bd1ad59f121..245cbe10e5f 100644 --- a/dm/tests/openapi/tls_conf/ca2.pem +++ b/dm/tests/openapi/tls_conf/ca2.pem 
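Review bot: The added scenario covers the `To.Security` fallback only on its happy path — cluster and DB share ca2.pem/tidb.pem — so there is no case where the task omits loader security and PD's certificate chains to a different CA, which is exactly where the fallback must fail loudly rather than hang or silently connect (which of those happens today is not visible here). Consider a third task against the ca.pem/dm.pem cluster created with `create_noshard_task_with_db_security_success` and the ca2 credentials, asserting that it does not reach `Running` and that the task status surfaces a TLS error. The three `killall -9` restarts also make `test_tls` slow; a helper wrapping the kill-and-restart would at least remove the repetition. `test_tls` begins and ends outside this hunk.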
@@ -1,10 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBdzCCAR6gAwIBAgIUFlKn4vgSaM5PPi5fdfHZjNsPvt0wCgYIKoZIzj0EAwIw -HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP -MjI5ODA5MjcwNjMwMjZaMBwxGjAYBgNVBAMMEVRpREIgU2Vjb25kYXJ5IENBMFkw -EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJoSquED75L7UgmezyHBUJlv7sGvHfeuR -RnU0SJVYZzftIAfzL6kwF1LGaezaY9aL/cCiULWMDddo1bLzNjB4vqM8MDowDAYD -VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFFLJmpVHrylfdqLu6lpR -ZOJgderfMAoGCCqGSM49BAMCA0cAMEQCIF2mBuhLfo42ynjoy0Fhz3Qch8huQrkx -mGKxdkBuS+rPAiAglztWHSmUCtqEMdTuds2ETsVVichpxdFh/aXiCb/BeQ== +MIIBIzCBywIUSLKofZyTxM3YIHYh5phrJJhA9a0wCgYIKoZIzj0EAwIwFDESMBAG +A1UEAwwJbG9jYWxob3N0MCAXDTI0MTIyMzA4NDU1MloYDzIyOTgxMDA4MDg0NTUy +WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAR9fyT+zsxW77EnAivINKqx8aVBdtau25u58GAWL1HEDjNLKMd3UCXnkGEQP2GT +5O4LrDWJN07GMR63yOj2wgkKMAoGCCqGSM49BAMCA0cAMEQCICUAFvZcvo1Ik1zb +GL9l6v6mnwT6e2DVikiMWDJ/TCsmAiALliSCU2/dOE+PKFpv1UAOy/YH+O0pdI6F +XY0nEg6LKQ== -----END CERTIFICATE----- diff --git a/dm/tests/openapi/tls_conf/tidb.key b/dm/tests/openapi/tls_conf/tidb.key index b63b20db793..c39a3f63116 100644 --- a/dm/tests/openapi/tls_conf/tidb.key +++ b/dm/tests/openapi/tls_conf/tidb.key @@ -2,7 +2,7 @@ BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIB+YLzteL9sk+PZPEFf7sw+hhehG2bRV5TUV4NJgVsWXoAoGCCqGSM49 -AwEHoUQDQgAELO1031XONFkiJPFm7Kbb974443lSM8eGEZzVUUWK/WAZ3p03W5o/ -jeFgesLPuKqcV+9p7bG7McVKDsC42OFg4w== +MHcCAQEEIBSJ1NubYUeX4Za7JTjltsIszaoDBoAPdWazQgaGeWggoAoGCCqGSM49 +AwEHoUQDQgAEIigdbF76u9HIrDOAQsIp3NICnVHsAQYvT16hfQUGSJHSvNCpPoa9 +aftJWNpCEHWb3Uu9frkQiE2B6FNtSAULRA== -----END EC PRIVATE KEY----- diff --git a/dm/tests/openapi/tls_conf/tidb.pem b/dm/tests/openapi/tls_conf/tidb.pem index e59a9eae172..b85ef2c2555 100644 --- a/dm/tests/openapi/tls_conf/tidb.pem +++ b/dm/tests/openapi/tls_conf/tidb.pem 
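Review bot: The regenerated ca2.pem appears to be an X.509 v1 self-signed certificate with no extensions (the DER has no version tag and the TBS ends after the public key), whereas the certificate it replaces carried `basicConstraints CA:TRUE` and `keyUsage keyCertSign`. Go's verifier and OpenSSL tolerate a v1 self-signed trust anchor, which is presumably why the test passes, but any component that enforces CA constraints on roots — or a future library version tightening this — would reject it, and the fixture would then fail for reasons unrelated to DM. Regenerate it as a v3 CA (`basicConstraints=critical,CA:TRUE`, `keyUsage=critical,keyCertSign,cRLSign`) and, since the CN also changed from "TiDB Secondary CA" to "localhost", keep the generation commands next to the fixtures so the next rotation is reproducible.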
@@ -1,12 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBxjCCAWygAwIBAgIUJGaNzv0WzN4CfSj7LaNQN8arHvMwCgYIKoZIzj0EAwIw -HDEaMBgGA1UEAwwRVGlEQiBTZWNvbmRhcnkgQ0EwIBcNMjQxMjEyMDYzMDI2WhgP -MjI5ODA5MjcwNjMwMjZaMA8xDTALBgNVBAMMBFRpREIwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAAQs7XTfVc40WSIk8Wbsptv3vjjjeVIzx4YRnNVRRYr9YBnenTdb -mj+N4WB6ws+4qpxX72ntsbsxxUoOwLjY4WDjo4GWMIGTMBoGA1UdEQQTMBGCCWxv -Y2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG -CCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLK+e+wKHWmmXPiHjMApdKwf -KhcpMB8GA1UdIwQYMBaAFFLJmpVHrylfdqLu6lpRZOJgderfMAoGCCqGSM49BAMC -A0gAMEUCIC2xVpVTSqMMl38Lu7wTfX8iv/5hcjKoH8v69cZGsyDKAiEA6NIpjV7D -lBnFi5oiKpdJIWD53D2A/yFrI6VEDprblyw= +MIIBcTCCARegAwIBAgIUCczup8JECWleNm73awyR9oxuHrowCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI0MTIyMzA4NDU1MloYDzIyOTgxMDA4 +MDg0NTUyWjAPMQ0wCwYDVQQDDAR0aWRiMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEIigdbF76u9HIrDOAQsIp3NICnVHsAQYvT16hfQUGSJHSvNCpPoa9aftJWNpC +EHWb3Uu9frkQiE2B6FNtSAULRKNKMEgwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/ +AAABMAsGA1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw +CgYIKoZIzj0EAwIDSAAwRQIgW3sErcC8LcRBDBXZaJh3VuK1b1go+r9o/4RtXoGR +fYICIQDrA8Y/0Wku/sYOUUeXn7JBXiRbuFptMNRDN3ZxOyzPFg== -----END CERTIFICATE----- From b4d92f0a8b88a711f463e3f8226ea3b0af926a7f Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 24 Dec 2024 16:49:09 +0800 Subject: [PATCH 52/63] add test --- dm/loader/lightning.go | 9 +- dm/loader/lightning_test.go | 179 +++++++++++++++++++++++++----------- 2 files changed, 134 insertions(+), 54 deletions(-) diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 52e974d15b9..4e744d1c015 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
@@ -333,7 +333,10 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask // TODO: Just a workround since using SslContent cannot verify certificates correctly when lightning use pdctl lib access PD server. // Write certificates content to file when loader using SslContent or set db security only. if subtaskCfg.LoaderConfig.Security != nil { - if len(subtaskCfg.LoaderConfig.Security.SSLCABytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLCertBytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLKeyBytes) != 0 { + // Only when ssl content is set and ssl file path is not set, the file will be written + if len(subtaskCfg.LoaderConfig.Security.SSLCABytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLCertBytes) != 0 && + len(subtaskCfg.LoaderConfig.Security.SSLKeyBytes) != 0 && subtaskCfg.LoaderConfig.Security.SSLCA == "" && + subtaskCfg.LoaderConfig.Security.SSLCert == "" && subtaskCfg.LoaderConfig.Security.SSLKey == "" { if err := subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name); err != nil { return nil, err } @@ -345,7 +348,9 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey } else if subtaskCfg.To.Security != nil { - if len(subtaskCfg.To.Security.SSLCABytes) != 0 && len(subtaskCfg.To.Security.SSLCertBytes) != 0 && len(subtaskCfg.To.Security.SSLKeyBytes) != 0 { + // Only when ssl content is set and ssl file path is not set, the file will be written + if len(subtaskCfg.To.Security.SSLCABytes) != 0 && len(subtaskCfg.To.Security.SSLCertBytes) != 0 && len(subtaskCfg.To.Security.SSLKeyBytes) != 0 && + subtaskCfg.To.Security.SSLCA == "" && subtaskCfg.To.Security.SSLCert == "" && subtaskCfg.To.Security.SSLKey == "" { if err := subtaskCfg.To.Security.WriteFiles(subtaskCfg.Name); err != nil { return nil, err } 
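Review bot: `WriteFiles` stores the written paths back into the same `Security` value the new guard inspects, so after the first successful call the guard is permanently false for that config object; that is the intended write-once behaviour, but it also means later `GetLightningConfig` calls in the same process trust paths that nothing re-checks, and the earlier rationale of rewriting on worker restart now holds only when the config is reloaded from scratch. If the files live under a temp directory that may be cleaned, confirm existence before trusting the paths, e.g. `if _, err := os.Stat(sec.SSLKey); err != nil { /* rewrite */ }`, or write to `sec := subtaskCfg.LoaderConfig.Security.Clone()` so building a lightning config does not mutate the task config as a side effect. The same guard-plus-assignment block now appears twice (loader and `To` security); a helper taking the `*security.Security` and the task name would keep the two guards in sync. `GetLightningConfig` begins and ends outside both hunks.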
diff --git a/dm/loader/lightning_test.go b/dm/loader/lightning_test.go index 83f8e99e8bf..f2a671f171e 100644 --- a/dm/loader/lightning_test.go +++ b/dm/loader/lightning_test.go 
@@ -113,63 +113,138 @@ func TestGetLightiningConfig(t *testing.T) { require.NoError(t, err) keyPath, err := certificate.WriteFile("dm-test-client-key", key) require.NoError(t, err) - ca, err = certificate.NewCA() + ca2, err := certificate.NewCA() require.NoError(t, err) - cert, key, err = ca.GenerateCerts("dm") + cert2, key2, err := ca2.GenerateCerts("dm") require.NoError(t, err) - caPath2, err := certificate.WriteFile("dm-test-client-cert2", ca.CAPEM) + caPath2, err := certificate.WriteFile("dm-test-client-cert2", ca2.CAPEM) require.NoError(t, err) - certPath2, err := certificate.WriteFile("dm-test-client-cert2", cert) + certPath2, err := certificate.WriteFile("dm-test-client-cert2", cert2) require.NoError(t, err) - keyPath2, err := certificate.WriteFile("dm-test-client-key2", key) + keyPath2, err := certificate.WriteFile("dm-test-client-key2", key2) require.NoError(t, err) - - conf, err = GetLightningConfig( - &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, - &config.SubTaskConfig{ - To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, - LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, - }) - require.NoError(t, err) - require.Equal(t, conf.Security.CAPath, caPath2) - require.Equal(t, conf.Security.CertPath, certPath2) - require.Equal(t, conf.Security.KeyPath, keyPath2) - require.Equal(t, conf.TiDB.Security.CAPath, caPath) - require.Equal(t, conf.TiDB.Security.CertPath, certPath) - require.Equal(t, conf.TiDB.Security.KeyPath, keyPath) - conf, err = GetLightningConfig( - &lcfg.GlobalConfig{}, - &config.SubTaskConfig{ - To: dbconfig.DBConfig{}, - LoaderConfig: config.LoaderConfig{Security: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}}, - }) - require.NoError(t, err) - require.Equal(t, conf.Security.CAPath, caPath2) - require.Equal(t, conf.Security.CertPath, certPath2) - 
require.Equal(t, conf.Security.KeyPath, keyPath2) - require.Equal(t, conf.TiDB.Security.CAPath, "") - require.Equal(t, conf.TiDB.Security.CertPath, "") - require.Equal(t, conf.TiDB.Security.KeyPath, "") - conf, err = GetLightningConfig( - &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: caPath, CertPath: certPath, KeyPath: keyPath}}, - &config.SubTaskConfig{ - To: dbconfig.DBConfig{Security: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}}, - LoaderConfig: config.LoaderConfig{}, - }) - require.NoError(t, err) - require.Equal(t, conf.Security.CAPath, caPath) - require.Equal(t, conf.Security.CertPath, certPath) - require.Equal(t, conf.Security.KeyPath, keyPath) - require.Equal(t, conf.TiDB.Security.CAPath, caPath) - require.Equal(t, conf.TiDB.Security.CertPath, certPath) - require.Equal(t, conf.TiDB.Security.KeyPath, keyPath) - // invalid security file path - _, err = GetLightningConfig( - &lcfg.GlobalConfig{Security: lcfg.Security{CAPath: "caPath"}}, - &config.SubTaskConfig{ - To: dbconfig.DBConfig{Security: &security.Security{SSLCA: "caPath"}}, - }) - require.EqualError(t, err, "could not read ca certificate: open caPath: no such file or directory") + cases := []struct { + dbSecurity *security.Security + pdSecurity *security.Security + checkPath bool + err error + }{ + // init security with certificates file path + { + dbSecurity: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, + pdSecurity: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}, + checkPath: true, err: nil, + }, + { + dbSecurity: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, + pdSecurity: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, + checkPath: true, err: nil, + }, + { + dbSecurity: &security.Security{SSLCA: caPath, SSLCert: certPath, SSLKey: keyPath}, + pdSecurity: nil, + checkPath: true, err: nil, + }, + { + dbSecurity: nil, + pdSecurity: &security.Security{SSLCA: caPath2, 
SSLCert: certPath2, SSLKey: keyPath2}, + checkPath: true, err: nil, + }, + { + dbSecurity: &security.Security{SSLCA: "invalid/path"}, + pdSecurity: &security.Security{SSLCA: caPath2, SSLCert: certPath2, SSLKey: keyPath2}, + checkPath: true, err: errors.New("could not read ca certificate: open invalid/path: no such file or directory"), + }, + // init security with certificates content + { + dbSecurity: &security.Security{SSLCABytes: ca.CAPEM, SSLCertBytes: cert, SSLKeyBytes: key}, + pdSecurity: &security.Security{SSLCABytes: ca2.CAPEM, SSLCertBytes: cert2, SSLKeyBytes: key2}, + checkPath: false, err: nil, + }, + { + dbSecurity: &security.Security{SSLCABytes: ca.CAPEM, SSLCertBytes: cert, SSLKeyBytes: key}, + pdSecurity: &security.Security{SSLCABytes: ca2.CAPEM, SSLCertBytes: cert2, SSLKeyBytes: key2, SSLCA: caPath2}, + checkPath: true, err: nil, + }, + { + dbSecurity: &security.Security{SSLCABytes: ca.CAPEM, SSLCertBytes: cert, SSLKeyBytes: key}, + pdSecurity: &security.Security{SSLCABytes: ca.CAPEM, SSLCertBytes: cert, SSLKeyBytes: key}, + checkPath: false, err: nil, + }, + { + dbSecurity: &security.Security{SSLCABytes: ca.CAPEM, SSLCertBytes: cert, SSLKeyBytes: key}, + pdSecurity: nil, + checkPath: false, err: nil, + }, + { + dbSecurity: nil, + pdSecurity: &security.Security{SSLCABytes: ca2.CAPEM, SSLCertBytes: cert2, SSLKeyBytes: key2}, + checkPath: false, err: nil, + }, + { + dbSecurity: &security.Security{SSLCABytes: []byte("fake ca"), SSLCertBytes: []byte("fake cert"), SSLKeyBytes: []byte("fake key")}, + pdSecurity: &security.Security{SSLCABytes: ca2.CAPEM, SSLCertBytes: cert2, SSLKeyBytes: key2}, + err: errors.New("could not load client key pair: tls: failed to find any PEM data in certificate input"), + }, + } + for _, c := range cases { + var ( + globalCfg lcfg.GlobalConfig + dbCfg dbconfig.DBConfig + loaderCfg config.LoaderConfig + ) + if c.dbSecurity != nil { + globalCfg.Security = lcfg.Security{ + CAPath: c.dbSecurity.SSLCA, CertPath: 
c.dbSecurity.SSLCert, KeyPath: c.dbSecurity.SSLKey, + CABytes: c.dbSecurity.SSLCABytes, CertBytes: c.dbSecurity.SSLCertBytes, KeyBytes: c.dbSecurity.SSLKeyBytes, + } + dbCfg.Security = &security.Security{ + SSLCA: c.dbSecurity.SSLCA, SSLCert: c.dbSecurity.SSLCert, SSLKey: c.dbSecurity.SSLKey, + SSLCABytes: c.dbSecurity.SSLCABytes, SSLCertBytes: c.dbSecurity.SSLCertBytes, SSLKeyBytes: c.dbSecurity.SSLKeyBytes, + } + } + if c.pdSecurity != nil { + loaderCfg.Security = &security.Security{ + SSLCA: c.pdSecurity.SSLCA, SSLCert: c.pdSecurity.SSLCert, SSLKey: c.pdSecurity.SSLKey, + SSLCABytes: c.pdSecurity.SSLCABytes, SSLCertBytes: c.pdSecurity.SSLCertBytes, SSLKeyBytes: c.pdSecurity.SSLKeyBytes, + } + } + conf, err = GetLightningConfig(&globalCfg, &config.SubTaskConfig{To: dbCfg, LoaderConfig: loaderCfg}) + if c.err == nil { + if c.pdSecurity != nil { + if c.checkPath { + require.Equal(t, loaderCfg.Security.SSLCA, conf.Security.CAPath) + require.Equal(t, loaderCfg.Security.SSLCert, conf.Security.CertPath) + require.Equal(t, loaderCfg.Security.SSLKey, conf.Security.KeyPath) + } + require.Equal(t, loaderCfg.Security.SSLCABytes, conf.Security.CABytes) + require.Equal(t, loaderCfg.Security.SSLCertBytes, conf.Security.CertBytes) + require.Equal(t, loaderCfg.Security.SSLKeyBytes, conf.Security.KeyBytes) + } + if c.dbSecurity != nil { + if c.checkPath { + require.Equal(t, dbCfg.Security.SSLCA, conf.TiDB.Security.CAPath) + require.Equal(t, dbCfg.Security.SSLCert, conf.TiDB.Security.CertPath) + require.Equal(t, dbCfg.Security.SSLKey, conf.TiDB.Security.KeyPath) + } + require.Equal(t, dbCfg.Security.SSLCABytes, conf.TiDB.Security.CABytes) + require.Equal(t, dbCfg.Security.SSLCertBytes, conf.TiDB.Security.CertBytes) + require.Equal(t, dbCfg.Security.SSLKeyBytes, conf.TiDB.Security.KeyBytes) + if c.pdSecurity == nil { + if c.checkPath { + require.Equal(t, dbCfg.Security.SSLCA, conf.Security.CAPath) + require.Equal(t, dbCfg.Security.SSLCert, conf.Security.CertPath) + require.Equal(t, 
dbCfg.Security.SSLKey, conf.Security.KeyPath) + } + require.Equal(t, dbCfg.Security.SSLCABytes, conf.Security.CABytes) + require.Equal(t, dbCfg.Security.SSLCertBytes, conf.Security.CertBytes) + require.Equal(t, dbCfg.Security.SSLKeyBytes, conf.Security.KeyBytes) + } + } + } else { + require.Equal(t, c.err.Error(), err.Error()) + } + } } func TestMetricProxies(t *testing.T) { From 7a3e139a9a1c46c5f24518ca0de33a54c95b900b Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 24 Dec 2024 16:52:11 +0800 Subject: [PATCH 53/63] fmt --- dm/openapi/fixtures/task.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/dm/openapi/fixtures/task.go b/dm/openapi/fixtures/task.go index 9355997142a..52d3b347b4c 100644 --- a/dm/openapi/fixtures/task.go +++ b/dm/openapi/fixtures/task.go @@ -35,10 +35,10 @@ var ( "import_mode": "physical", "pd_addr": "127.0.0.1:2379", "security": { - "ssl_ca_content": "ca1", - "ssl_cert_content": "cert1", - "ssl_key_content": "key1", - "cert_allowed_cn": ["PD1", "PD2"] + "ssl_ca_content": "ca1", + "ssl_cert_content": "cert1", + "ssl_key_content": "key1", + "cert_allowed_cn": ["PD1", "PD2"] } }, "incr_migrate_conf": { "repl_batch": 200, "repl_threads": 32 }, @@ -59,10 +59,10 @@ var ( "password": "123456", "port": 4000, "security": { - "ssl_ca_content": "ca2", - "ssl_cert_content": "cert2", - "ssl_key_content": "key2", - "cert_allowed_cn": ["TiDB1", "TiDB2"] + "ssl_ca_content": "ca2", + "ssl_cert_content": "cert2", + "ssl_key_content": "key2", + "cert_allowed_cn": ["TiDB1", "TiDB2"] }, "user": "root" }, From 5ea962ed72acea3360820554b6686717e44fbd40 Mon Sep 17 00:00:00 2001 
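Review bot: In the error branch `require.Equal(t, c.err.Error(), err.Error())` dereferences `err` without checking it is non-nil, so if the code under test stops returning an error the test panics instead of failing with a message — use `require.EqualError(t, err, c.err.Error())` as the removed code did — and the success branch never asserts `require.NoError(t, err)`, so a nil `conf` there also panics on `conf.Security`. The cases run in one loop without `t.Run`, so a failure reports no case index; a `name` field and `t.Run(c.name, ...)` would fix that. The content-based cases call `WriteFiles` with an empty `subtaskCfg.Name` and never remove the files they create; worth confirming WriteFile tolerates an empty name and adding `t.Cleanup` for the paths it returns. `TestGetLightiningConfig` begins outside this hunk.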
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 24 Dec 2024 17:23:43 +0800 Subject: [PATCH 54/63] add test --- dm/config/security/security.go | 3 ++- dm/config/security_test.go | 18 ++++++++++++++++++ dm/loader/lightning.go | 4 ++-- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index 84143fab0ae..69fd804227c 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go @@ -103,7 +103,8 @@ func (s *Security) Clone() *Security { return &clone } -func (s *Security) WriteFiles(fileName string) error { +// WriteTLSContentToFiles will overwrite tls content to temp file and update path fields +func (s *Security) WriteTLSContentToFiles(fileName string) error { var err error if s.SSLCA, err = certificate.WriteFile(fileName, s.SSLCABytes); err != nil { return err diff --git a/dm/config/security_test.go b/dm/config/security_test.go index 40e4c833c9a..090bd5a64aa 100644 --- a/dm/config/security_test.go +++ b/dm/config/security_test.go @@ -171,3 +171,21 @@ func (c *testTLSConfig) TestClone() { clone.CertAllowedCN[0] = "g" c.Require().NotEqual(s, clone) } + +func (c *testTLSConfig) TestWriteTLSContentToFiles() { + taskName := "TestWriteTLSContentToFiles" + s := &security.Security{ + SSLCA: "a", + SSLCert: "b", + SSLKey: "c", + CertAllowedCN: []string{"d"}, + SSLCABytes: []byte("e"), + SSLKeyBytes: []byte("f"), + SSLCertBytes: []byte("g"), + } + err := s.WriteTLSContentToFiles(taskName) + c.Require().NoError(err) + c.Require().Contains(s.SSLCA, taskName) + c.Require().Contains(s.SSLCert, taskName) + c.Require().Contains(s.SSLKey, taskName) +} diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index 4e744d1c015..af942b22849 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
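Review bot: The new doc comment on `WriteTLSContentToFiles` should state the contract callers now depend on: the three path fields are overwritten (discarding any user-supplied paths), a file is created on every call with nothing in this patch removing it, and the key file holds private-key material. Suggest: `// WriteTLSContentToFiles writes SSLCABytes, SSLCertBytes and SSLKeyBytes to files and stores the resulting paths in` / `// SSLCA, SSLCert and SSLKey, replacing any previous values. Files are created on every call and are not removed here;` / `// callers own cleanup.` Whether `certificate.WriteFile` restricts the key file's permissions is not visible here and is worth confirming, since the key is the credential used for PD and TiDB client auth.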
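Review bot: `TestWriteTLSContentToFiles` only checks that each returned path contains the task name; it never verifies that the three paths are distinct or that each file holds the matching bytes, and now that all three `WriteFile` calls receive the same name those are the two properties most likely to break. Add `c.Require().NotEqual(s.SSLCA, s.SSLCert)` / `c.Require().NotEqual(s.SSLCert, s.SSLKey)`, read each file back (`os.ReadFile(s.SSLKey)` should equal `[]byte("f")`), and remove the files with `defer os.Remove(...)` so repeated runs do not accumulate them. The fixture lists `SSLKeyBytes` before `SSLCertBytes`, the reverse of the other field pairs, which makes the expected contents easy to misread.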
@@ -337,7 +337,7 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask if len(subtaskCfg.LoaderConfig.Security.SSLCABytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLCertBytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLKeyBytes) != 0 && subtaskCfg.LoaderConfig.Security.SSLCA == "" && subtaskCfg.LoaderConfig.Security.SSLCert == "" && subtaskCfg.LoaderConfig.Security.SSLKey == "" { - if err := subtaskCfg.LoaderConfig.Security.WriteFiles(subtaskCfg.Name); err != nil { + if err := subtaskCfg.LoaderConfig.Security.WriteTLSContentToFiles(subtaskCfg.Name); err != nil { return nil, err } } @@ -351,7 +351,7 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask // Only when ssl content is set and ssl file path is not set, the file will be written if len(subtaskCfg.To.Security.SSLCABytes) != 0 && len(subtaskCfg.To.Security.SSLCertBytes) != 0 && len(subtaskCfg.To.Security.SSLKeyBytes) != 0 && subtaskCfg.To.Security.SSLCA == "" && subtaskCfg.To.Security.SSLCert == "" && subtaskCfg.To.Security.SSLKey == "" { - if err := subtaskCfg.To.Security.WriteFiles(subtaskCfg.Name); err != nil { + if err := subtaskCfg.To.Security.WriteTLSContentToFiles(subtaskCfg.Name); err != nil { return nil, err } } From 040e37b24d8e4acebf5322b83cddb8463df5719b Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 24 Dec 2024 17:45:12 +0800 Subject: [PATCH 55/63] fmt --- dm/config/security/security.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index 69fd804227c..f0fe1129943 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go 
@@ -103,7 +103,7 @@ func (s *Security) Clone() *Security { return &clone } -// WriteTLSContentToFiles will overwrite tls content to temp file and update path fields +// WriteTLSContentToFiles will overwrite tls content to temp file and update path fields. func (s *Security) WriteTLSContentToFiles(fileName string) error { var err error if s.SSLCA, err = certificate.WriteFile(fileName, s.SSLCABytes); err != nil { From 86330397a342354bd9ac67dbb0b0b2927566fee7 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Wed, 25 Dec 2024 10:47:21 +0800 Subject: [PATCH 56/63] fix comment --- dm/config/security/security.go | 2 +- dm/loader/lightning.go | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/dm/config/security/security.go b/dm/config/security/security.go index f0fe1129943..86dcf2827e3 100644 --- a/dm/config/security/security.go +++ b/dm/config/security/security.go @@ -103,7 +103,7 @@ func (s *Security) Clone() *Security { return &clone } -// WriteTLSContentToFiles will overwrite tls content to temp file and update path fields. +// WriteTLSContentToFiles write tls content to temp file and update tls path fields. func (s *Security) WriteTLSContentToFiles(fileName string) error { var err error if s.SSLCA, err = certificate.WriteFile(fileName, s.SSLCABytes); err != nil { diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index af942b22849..d076f097702 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
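Review bot: The reworded doc comment still calls the destination a "temp file", but nothing in this hunk creates a temporary file or removes one; the path comes from `certificate.WriteFile(fileName, ...)`, and the hunk shows that path replacing `s.SSLCA` in place. A comment a caller can rely on should name the side effects rather than a mechanism that may not exist, e.g. `// WriteTLSContentToFiles writes SSLCABytes, SSLCertBytes and SSLKeyBytes to files derived from fileName via certificate.WriteFile and replaces SSLCA, SSLCert and SSLKey with the resulting paths. The private key ends up on local disk; the caller owns removing the files.` Whether WriteFile uses a temporary directory is not visible here, so "temp" should only stay if that is confirmed. The function body continues past the end of the hunk.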
@@ -330,8 +330,9 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask return nil, err } cfg.TiDB.Security = &globalCfg.Security - // TODO: Just a workround since using SslContent cannot verify certificates correctly when lightning use pdctl lib access PD server. - // Write certificates content to file when loader using SslContent or set db security only. + // TODO: Using TLS content cannot verify certificates correctly when lightning access PD server. + // Workround is also need to set TLS path instead of only set TLS content. + // Write TLS content to file when loader using TLS content or set db security only. if subtaskCfg.LoaderConfig.Security != nil { // Only when ssl content is set and ssl file path is not set, the file will be written if len(subtaskCfg.LoaderConfig.Security.SSLCABytes) != 0 && len(subtaskCfg.LoaderConfig.Security.SSLCertBytes) != 0 && @@ -348,7 +349,8 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask cfg.Security.CertPath = subtaskCfg.LoaderConfig.Security.SSLCert cfg.Security.KeyPath = subtaskCfg.LoaderConfig.Security.SSLKey } else if subtaskCfg.To.Security != nil { - // Only when ssl content is set and ssl file path is not set, the file will be written + // Only when ssl content is set and ssl file path is not set, the file will be written. + // Using db security as lightning default security config. if len(subtaskCfg.To.Security.SSLCABytes) != 0 && len(subtaskCfg.To.Security.SSLCertBytes) != 0 && len(subtaskCfg.To.Security.SSLKeyBytes) != 0 && subtaskCfg.To.Security.SSLCA == "" && subtaskCfg.To.Security.SSLCert == "" && subtaskCfg.To.Security.SSLKey == "" { if err := subtaskCfg.To.Security.WriteTLSContentToFiles(subtaskCfg.Name); err != nil { From 7bdc7c2f81a19111df2bb7737cd3376ff63c9dc1 Mon Sep 17 00:00:00 2001 
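Review bot: The guard around the write (`len(SSLCABytes) != 0 && len(SSLCertBytes) != 0 && len(SSLKeyBytes) != 0 && SSLCA == "" && SSLCert == "" && SSLKey == ""`) silently does nothing for a CA-only configuration or for one that sets both content and paths, and the lines that follow (second hunk) then copy whatever is in SSLCA/SSLCert/SSLKey into cfg.Security, so content the user supplied can be dropped without any error. If lightning then reaches PD with an empty CAPath, that is a quiet downgrade of the verification the user asked for; returning an error for a partially specified security block, or writing whichever byte fields are present, would make the failure visible. The new comment also needs a wording fix, e.g. `// Workaround: lightning's PD client needs TLS file paths, so TLS content is materialised into files named after the subtask.` Both occurrences of this guard (LoaderConfig.Security and To.Security) are identical and would be clearer as a small helper such as `needTLSFiles(sec *security.Security) bool`. GetLightningConfig extends beyond this hunk, so whether a later check catches the empty path is not visible.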
From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Fri, 27 Dec 2024 16:54:12 +0800 Subject: [PATCH 57/63] fix checker only with `LightningTableEmptyChecking` --- dm/checker/checker.go | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/dm/checker/checker.go b/dm/checker/checker.go index 530e1c5fdf3..55de71b22ed 100644 --- a/dm/checker/checker.go +++ b/dm/checker/checker.go @@ -438,9 +438,6 @@ func (c *Checker) Init(ctx context.Context) (err error) { } // Adjust will raise error when this field is empty, so we set any non empty value here. lCfg.Mydumper.SourceDir = "noop://" - if lightningCheckGroupOnlyTableEmpty(c.checkingItems) { - lCfg.TiDB.PdAddr = "noop:2379" - } err = lCfg.Adjust(ctx) if err != nil { return err @@ -550,16 +547,6 @@ func (c *Checker) Init(ctx context.Context) (err error) { return nil } -func lightningCheckGroupOnlyTableEmpty(checkingItems map[string]string) bool { - for _, item := range config.LightningPrechecks { - if _, ok := checkingItems[item]; ok && item != config.LightningTableEmptyChecking { - return false - } - } - _, ok := checkingItems[config.LightningTableEmptyChecking] - return ok -} - func (c *Checker) fetchSourceTargetDB( ctx context.Context, instance *mysqlInstance, From 829236d400f93b8ff5d54b4073d7524d8e5cad47 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:38:52 +0800 Subject: [PATCH 58/63] fix --- dm/config/task.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dm/config/task.go b/dm/config/task.go index a3c238aeb18..6eb3b4e68ec 100644 --- a/dm/config/task.go +++ b/dm/config/task.go 
@@ -304,7 +304,7 @@ type LoaderConfig struct { PDAddr string `yaml:"pd-addr" toml:"pd-addr" json:"pd-addr"` // now only creating task by OpenAPI will use the `Security` field to connect PD. // TODO: support setting `Security` by dmctl - Security *security.Security `toml:"security" json:"security" yaml:"security"` + Security *security.Security `yaml:"-" toml:"security" json:"security"` } // DefaultLoaderConfig return default loader config for task. From ca5fc73fba63465a63752f4453d96470c25cc6e5 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 31 Dec 2024 10:40:14 +0800 Subject: [PATCH 59/63] fix test --- dm/tests/dmctl_basic/conf/get_task.yaml | 1 - dm/tests/import_v10x/conf/task.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/dm/tests/dmctl_basic/conf/get_task.yaml b/dm/tests/dmctl_basic/conf/get_task.yaml index b7d01a680dc..d4ab9919fc8 100644 --- a/dm/tests/dmctl_basic/conf/get_task.yaml +++ b/dm/tests/dmctl_basic/conf/get_task.yaml @@ -132,7 +132,6 @@ loaders: range-concurrency: 0 compress-kv-pairs: "" pd-addr: "" - security: null syncers: sync-01: meta-file: "" diff --git a/dm/tests/import_v10x/conf/task.yaml b/dm/tests/import_v10x/conf/task.yaml index 13f46390543..07285965df5 100644 --- a/dm/tests/import_v10x/conf/task.yaml +++ b/dm/tests/import_v10x/conf/task.yaml @@ -101,7 +101,6 @@ loaders: range-concurrency: 0 compress-kv-pairs: "" pd-addr: "" - security: null syncers: sync-01: meta-file: "" From eec9953a0c14559362b1b784739260b8d3a208f4 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 31 Dec 2024 11:10:07 +0800 Subject: [PATCH 60/63] fix test --- dm/master/openapi_controller_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dm/master/openapi_controller_test.go b/dm/master/openapi_controller_test.go index 39c65850e24..785d04b62df 100644 --- a/dm/master/openapi_controller_test.go +++ b/dm/master/openapi_controller_test.go 
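Review bot: Changing the tag to `yaml:"-"` silently drops the loader's Security block (including SSLKeyBytes) from every YAML rendering of the task, which is what the later test commits have to work around, yet the hunk gives no reason for it beyond the stale `TODO: support setting Security by dmctl`. A why-comment belongs next to the tag, e.g. `// Security is intentionally excluded from YAML: task YAML produced by get-task / config dumps must not embed the private key, and the loader currently only receives it from the OpenAPI JSON body.` — adjust if the real reason is only missing YAML support. The `json:"security"` tag remains, so if the same struct is serialised by GET task endpoints the key bytes will be echoed back to API clients; redacting the byte fields on output is worth checking, though that code is not visible here. If the task config is persisted as YAML anywhere (e.g. via `taskCfg.String()`), the Security block will not survive that round-trip either.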
@@ -421,6 +421,10 @@ func (s *OpenAPIControllerSuite) TestTaskController() { s.NoError(err) s.NotNil(task2) s.NotNil(taskCfg2) + // the `security` field not support yaml format yet, it cannot marshal/unmarshal from taskCfg to string. + if task.SourceConfig.FullMigrateConf.Security != nil { + task2.SourceConfig.FullMigrateConf.Security = task.SourceConfig.FullMigrateConf.Security + } s.EqualValues(task2, task) s.Equal(taskCfg2.String(), taskCfg.String()) From a60f5bf1b4fdbae43d803b8bf41b9801fd4405d0 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 31 Dec 2024 11:58:51 +0800 Subject: [PATCH 61/63] fix test --- dm/master/openapi_controller_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dm/master/openapi_controller_test.go b/dm/master/openapi_controller_test.go index 785d04b62df..b44d9930096 100644 --- a/dm/master/openapi_controller_test.go +++ b/dm/master/openapi_controller_test.go @@ -445,6 +445,10 @@ func (s *OpenAPIControllerSuite) TestTaskController() { s.NoError(err) s.NotNil(task4) s.NotNil(taskCfg4) + // the `security` field not support yaml format yet, it cannot marshal/unmarshal from taskCfg to string. + if task3.SourceConfig.FullMigrateConf.Security != nil { + task4.SourceConfig.FullMigrateConf.Security = task3.SourceConfig.FullMigrateConf.Security + } s.EqualValues(task4, task3) s.Equal(taskCfg4.String(), taskCfg3.String()) } From 34abf8485dbc1cf3b6ac002e7e5d99132d680075 Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang Date: Tue, 31 Dec 2024 17:47:21 +0800 Subject: [PATCH 62/63] update comment Co-authored-by: D3Hunter --- dm/loader/lightning.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dm/loader/lightning.go b/dm/loader/lightning.go index d076f097702..de70da28607 100644 --- a/dm/loader/lightning.go +++ b/dm/loader/lightning.go 
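Review bot: Copying `task.SourceConfig.FullMigrateConf.Security` onto task2 before `s.EqualValues(task2, task)` hides exactly the difference the comment describes, so the assertion can no longer tell whether task2 lost the field, kept it, or got something else. If task2 really is built from the YAML string (as the comment implies), make the gap explicit and self-expiring with `s.Nil(task2.SourceConfig.FullMigrateConf.Security, "security is not round-tripped through YAML yet")` before the copy, so the test fails and gets cleaned up once YAML support lands. The comment itself reads better as `// Security is excluded from YAML (yaml:"-"), so it cannot survive the taskCfg -> string -> taskCfg round-trip; compare it separately.` The same block is duplicated for task3/task4 in the next commit and could share a helper.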
@@ -330,7 +330,7 @@ func GetLightningConfig(globalCfg *lcfg.GlobalConfig, subtaskCfg *config.SubTask return nil, err } cfg.TiDB.Security = &globalCfg.Security - // TODO: Using TLS content cannot verify certificates correctly when lightning access PD server. + // TODO: avoid writing to local file. right now we don't know how to verify certificates correctly using TLS content in a short time, but we have a time schedule to keep. // Workround is also need to set TLS path instead of only set TLS content. // Write TLS content to file when loader using TLS content or set db security only. if subtaskCfg.LoaderConfig.Security != nil { From 7f73a4154c2c23e7691f53060ab8f10620c4c82d Mon Sep 17 00:00:00 2001 From: Jiaqiang Huang <96465211+River2000i@users.noreply.github.com> Date: Tue, 31 Dec 2024 17:51:30 +0800 Subject: [PATCH 63/63] update test use github.com/stretchr/testify/require --- dm/config/security_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dm/config/security_test.go b/dm/config/security_test.go index 090bd5a64aa..ce763f9802d 100644 --- a/dm/config/security_test.go +++ b/dm/config/security_test.go @@ -172,7 +172,7 @@ func (c *testTLSConfig) TestClone() { c.Require().NotEqual(s, clone) } -func (c *testTLSConfig) TestWriteTLSContentToFiles() { +func TestWriteTLSContentToFiles(t *testing.T) { taskName := "TestWriteTLSContentToFiles" s := &security.Security{ SSLCA: "a", @@ -184,8 +184,8 @@ func (c *testTLSConfig) TestWriteTLSContentToFiles() { SSLCertBytes: []byte("g"), } err := s.WriteTLSContentToFiles(taskName) - c.Require().NoError(err) - c.Require().Contains(s.SSLCA, taskName) - c.Require().Contains(s.SSLCert, taskName) - c.Require().Contains(s.SSLKey, taskName) + require.NoError(t, err) + require.Contains(t, s.SSLCA, taskName) + require.Contains(t, s.SSLCert, taskName) + require.Contains(t, s.SSLKey, taskName) }
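Review bot: The rewritten TODO (`right now we don't know how to verify certificates correctly ... but we have a time schedule to keep`) records project scheduling rather than the technical gap, which is what the next reader of this code needs. State what is known from the code itself: `// TODO: avoid materialising TLS content on disk. lightning's PD access currently only verifies certificates given as file paths, so TLS content is written to files named after the subtask; those files contain the private key and are not removed by this function.` Whether anything else removes the files is not visible in this hunk, so the last clause should be confirmed against certificate.WriteFile and the task teardown path before it is committed. The rest of GetLightningConfig lies outside the hunk.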
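Review bot: Now that TestWriteTLSContentToFiles is a plain `testing.T` test, the files it writes still outlive the test; `t.Cleanup` is the natural place to remove them, e.g. `t.Cleanup(func() { for _, p := range []string{s.SSLCA, s.SSLCert, s.SSLKey} { _ = os.Remove(p) } })` registered right after `require.NoError(t, err)`. The assertions also remain path-only (`require.Contains(t, s.SSLKey, taskName)`), so the written bytes are never compared with SSLKeyBytes; a `require.FileExists(t, s.SSLKey)` plus an `os.ReadFile` comparison against `[]byte("f")` would make the test meaningful for the private key. Whether certificate.WriteFile accepts a directory prefix, so that `filepath.Join(t.TempDir(), taskName)` could be passed instead of a bare name, is not visible here.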