added tests for mutual auth (require_client_auth) on internode connections
Project: http://git-wip-us.apache.org/repos/asf/cassandra-dtest/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra-dtest/commit/8513c478 Tree: http://git-wip-us.apache.org/repos/asf/cassandra-dtest/tree/8513c478 Diff: http://git-wip-us.apache.org/repos/asf/cassandra-dtest/diff/8513c478 Branch: refs/heads/master Commit: 8513c4784fb9b7bcf54118f0f5b173c93b62978c Parents: 704c7b0 Author: Jason Brown <[email protected]> Authored: Thu Apr 6 06:25:34 2017 -0700 Committer: Philip Thompson <[email protected]> Committed: Thu Apr 6 15:13:11 2017 -0400 ---------------------------------------------------------------------- sslnodetonode_test.py | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra-dtest/blob/8513c478/sslnodetonode_test.py ----------------------------------------------------------------------
diff --git a/sslnodetonode_test.py b/sslnodetonode_test.py
index a2a3e41..c4a9184 100644
--- a/sslnodetonode_test.py
+++ b/sslnodetonode_test.py
@@ -10,6 +10,7 @@ from tools.decorators import since
 _LOG_ERR_SIG = "^javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed$"
 _LOG_ERR_IP = "^javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address [0-9.]+ found$"
 _LOG_ERR_HOST = "^javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching \S+ found$"
+_LOG_ERR_CERT = "^javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown$"
 @since('3.6')
@@ -56,6 +57,40 @@ class TestNodeToNodeSSLEncryption(Tester):
 self.cluster.stop()
 self.assertTrue(found)
+ def ssl_client_auth_required_fail_test(self):
+ """peers need to perform mutual auth (cient auth required), but do not supply the local cert"""
+
+ credNode1 = sslkeygen.generate_credentials("127.0.0.1")
+ credNode2 = sslkeygen.generate_credentials("127.0.0.2")
+
+ self.setup_nodes(credNode1, credNode2, client_auth=True)
+
+ self.allow_log_errors = True
+ self.cluster.start(no_wait=True)
+ time.sleep(2)
+
+ found = self._grep_msg(self.node1, _LOG_ERR_CERT)
+ self.assertTrue(found)
+
+ found = self._grep_msg(self.node2, _LOG_ERR_CERT)
+ self.assertTrue(found)
+
+ self.cluster.stop()
+ self.assertTrue(found)
+
+ def ssl_client_auth_required_succeed_test(self):
+ """peers need to perform mutual auth (cient auth required), but do not supply the loca cert"""
+
+ credNode1 = sslkeygen.generate_credentials("127.0.0.1")
+ credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
+ sslkeygen.import_cert(credNode1.basedir, 'ca127.0.0.2', credNode2.cacert, credNode1.cakeystore)
+ sslkeygen.import_cert(credNode2.basedir, 'ca127.0.0.1', credNode1.cacert, credNode2.cakeystore)
+
+ self.setup_nodes(credNode1, credNode2, client_auth=True)
+
+ self.cluster.start()
+ self.cql_connection(self.node1)
+
 def ca_mismatch_test(self):
 """CA mismatch should cause nodes to fail to connect"""
@@ -88,7 +123,7 @@ class TestNodeToNodeSSLEncryption(Tester):
 return False
- def setup_nodes(self, credentials1, credentials2, endpointVerification=False):
+ def setup_nodes(self, credentials1, credentials2, endpointVerification=False, client_auth=False):
 cluster = self.cluster
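Review bot: The docstring on `ssl_client_auth_required_succeed_test` is copied from the fail test and contradicts the body, which imports each peer's CA cert into the other's truststore so both sides present a trusted certificate; it should say something like `"""peers perform mutual auth (client auth required) and each trusts the other's CA, so the handshake succeeds"""` (the fail test's docstring carries the same `cient` typo). The success test also asserts only that a CQL connection to node1 opens, which shows node1 is up but not that node1 and node2 completed the mutual handshake with each other; after `self.cluster.start()` add `self.assertFalse(self._grep_msg(self.node1, _LOG_ERR_CERT))` and the same check for `self.node2`. In `ssl_client_auth_required_fail_test` the final `self.assertTrue(found)` after `self.cluster.stop()` re-checks the value asserted two lines earlier and can be dropped, and the fixed `time.sleep(2)` before grepping is a timing assumption the existing tests share rather than something this change introduces. Whether the negative test isolates `require_client_auth` is not clear from the hunk: node2's credentials appear to be generated with their own CA and nothing is cross-imported, so a `certificate_unknown` alert may be logged for plain CA mismatch as well; a variant in which each node trusts the other's CA but one side presents no certificate would attribute the failure to client auth alone. The enclosing class starts before the hunk and continues past it.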
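Review bot: The widened `setup_nodes` signature now mixes naming styles, `endpointVerification` next to the new `client_auth`; the helper names in this file (`_grep_msg`, `setup_nodes`) are snake_case, so `client_auth` is the right choice, but the pair reads inconsistently and the method has no docstring saying what either flag maps to. A one-line docstring such as `"""Configure both nodes' server encryption; client_auth sets require_client_auth, endpointVerification sets require_endpoint_verification."""` would tie the parameters to the config keys written in the last hunk. `setup_nodes` continues past the hunk.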
@@ -107,7 +142,8 @@ class TestNodeToNodeSSLEncryption(Tester):
 'keystore_password': 'cassandra',
 'truststore': tspath,
 'truststore_password': 'cassandra',
- 'require_endpoint_verification': endpointVerification
+ 'require_endpoint_verification': endpointVerification,
+ 'require_client_auth': client_auth
 }
 })
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
