| author | Rajesh Joseph <rjoseph@redhat.com> | 2016-08-02 15:33:34 +0000 | 
|---|---|---|
| committer | Kaushal M <kaushal@redhat.com> | 2016-08-28 23:19:33 -0700 | 
| commit | 62f4e41e9eafd2838d2a11989f08b0e7627284b4 (patch) | |
| tree | 99780d4086823c5c4a51b2efcef8e0291f01c638 | |
| parent | 70dabd796c04eb6e95fbf83e73219e671cc05dd3 (diff) | |
gfapi: SSL connection for mgmt connection is not working
Problem: libgfapi does not enable SSL on mgmt connection.
Fix: Enable SSL on the libgfapi mgmt connection when management encryption is enabled,
i.e. when the /var/lib/glusterd/secure-access file is present
Change-Id: I1ce4935b04e6140aeab819e42076defd580b0727
BUG: 1362602
Signed-off-by: Rajesh Joseph <rjoseph@redhat.com>
Reviewed-on: http://review.gluster.org/15073
Smoke: Gluster Build System <jenkins@build.gluster.org>
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Kaushal M <kaushal@redhat.com>
| -rw-r--r-- | api/src/glfs-mgmt.c | 5 | ||||
| -rw-r--r-- | tests/basic/gfapi/Makefile.am | 2 | ||||
| -rw-r--r-- | tests/basic/gfapi/gfapi-ssl-test.c | 126 | ||||
| -rwxr-xr-x | tests/basic/gfapi/gfapi-ssl-test.t | 61 | ||||
| -rw-r--r-- | tests/ssl.rc | 35 | 
5 files changed, 228 insertions, 1 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c
index 21da06889d1..f476ce14d54 100644
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@@ -36,6 +36,7 @@
 #include "glfs-internal.h"
 #include "glfs-mem-types.h"
 #include "gfapi-messages.h"
+#include "syscall.h"
 int glfs_volfile_fetch (struct glfs *fs);
 int32_t glfs_get_volume_info_rpc (call_frame_t *frame, xlator_t *this,
@@ -916,6 +917,10 @@ glfs_mgmt_init (struct glfs *fs)
 	if (ret)
 		goto out;
+        if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
+                ctx->secure_mgmt = 1;
+        }
+
 	rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
 	if (!rpc) {
 		ret = -1;
diff --git a/tests/basic/gfapi/Makefile.am b/tests/basic/gfapi/Makefile.am
index 8ca03c72639..3cad969672e 100644
--- a/tests/basic/gfapi/Makefile.am
+++ b/tests/basic/gfapi/Makefile.am
@@ -5,7 +5,7 @@ CFLAGS   = -Wall -g $(shell pkg-config --cflags glusterfs-api)
 LDFLAGS  = $(shell pkg-config --libs glusterfs-api)
 BINARIES = upcall-cache-invalidate libgfapi-fini-hang anonymous_fd seek \
-	bug1283983 bug1291259
+	bug1283983 bug1291259 gfapi-ssl-test
 %: %.c
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
diff --git a/tests/basic/gfapi/gfapi-ssl-test.c b/tests/basic/gfapi/gfapi-ssl-test.c
new file mode 100644
index 00000000000..41126bdc6db
--- /dev/null
+++ b/tests/basic/gfapi/gfapi-ssl-test.c
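Review bot: In glfs_mgmt_init (api/src/glfs-mgmt.c) the new `sys_access (SECURE_ACCESS_FILE, F_OK)` check treats every failure as "management encryption is off", so a client that cannot reach the marker file for a reason other than its absence (for example EACCES for an unprivileged libgfapi process) carries on with `secure_mgmt` unset and nothing in the log. Distinguishing the cases would make that downgrade visible: keep the success branch and add `else if (errno != ENOENT)` with a warning that the secure-access state could not be determined, assuming sys_access leaves errno as access(2) sets it. Where `ctx` is assigned is not visible in this hunk, and the function starts and ends outside it. A one-line comment above the check, such as `/* mgmt TLS is keyed off the presence of the secure-access marker file */`, would also help the next reader.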
@@ -0,0 +1,126 @@
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+#include <limits.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <glusterfs/api/glfs.h>
+#include <glusterfs/api/glfs-handles.h>
+
+#define LOG_ERR(msg) do { \
+        fprintf (stderr, "%s : Error (%s)\n", msg, strerror (errno)); \
+        } while (0)
+
+glfs_t *
+init_glfs (const char *hostname, const char *volname,
+           const char *logfile)
+{
+        int     ret     = -1;
+        glfs_t *fs      = NULL;
+
+        fs = glfs_new (volname);
+        if (!fs) {
+                LOG_ERR ("glfs_new failed");
+                return NULL;
+        }
+
+        ret = glfs_set_volfile_server (fs, "tcp", hostname, 24007);
+        if (ret < 0) {
+                LOG_ERR ("glfs_set_volfile_server failed");
+                goto out;
+        }
+
+        ret = glfs_set_logging (fs, logfile, 7);
+        if (ret < 0) {
+                LOG_ERR ("glfs_set_logging failed");
+                goto out;
+        }
+
+        ret = glfs_init (fs);
+        if (ret < 0) {
+                LOG_ERR ("glfs_init failed");
+                goto out;
+        }
+
+        ret = 0;
+out:
+        if (ret) {
+                glfs_fini (fs);
+                fs = NULL;
+        }
+
+        return fs;
+}
+
+int
+glfs_test_function (const char *hostname, const char *volname,
+                    const char *logfile)
+{
+        int             ret      = -1;
+        int             flags    = O_CREAT | O_RDWR;
+        glfs_t         *fs       = NULL;
+        glfs_fd_t      *glfd     = NULL;
+        const char     *buff     = "This is from my prog\n";
+        const char     *filename = "glfs_test.txt";
+
+        fs = init_glfs (hostname, volname, logfile);
+        if (fs == NULL) {
+                LOG_ERR ("init_glfs failed");
+                return -1;
+        }
+
+        glfd = glfs_creat (fs, filename, flags, 0644);
+        if (glfd == NULL) {
+                LOG_ERR ("glfs_creat failed");
+                goto out;
+        }
+
+        ret = glfs_write (glfd, buff, strlen (buff), flags);
+        if (ret < 0) {
+                LOG_ERR ("glfs_write failed");
+                goto out;
+        }
+
+        ret = glfs_close (glfd);
+        if (ret < 0) {
+                LOG_ERR ("glfs_write failed");
+                goto out;
+        }
+
+out:
+        ret = glfs_fini (fs);
+        if (ret) {
+                LOG_ERR ("glfs_fini failed");
+        }
+
+        return ret;
+}
+
+int
+main (int argc, char *argv[])
+{
+        int   ret = 0;
+        char *hostname = NULL;
+        char *volname = NULL;
+        char *logfile = NULL;
+
+        if (argc != 4) {
+                fprintf (stderr, "Invalid argument\n");
+                exit(1);
+        }
+
+        hostname = argv[1];
+        volname = argv[2];
+        logfile = argv[3];
+
+        ret = glfs_test_function (hostname, volname, logfile);
+        if (ret) {
+                LOG_ERR ("glfs_test_function failed");
+        }
+
+        return ret;
+}
+
+
diff --git a/tests/basic/gfapi/gfapi-ssl-test.t b/tests/basic/gfapi/gfapi-ssl-test.t
new file mode 100755
index 00000000000..3236625357d
--- /dev/null
+++ b/tests/basic/gfapi/gfapi-ssl-test.t
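Review bot: In glfs_test_function (tests/basic/gfapi/gfapi-ssl-test.c) the `out:` path assigns `ret = glfs_fini (fs)`, which overwrites any earlier failure, so a failed glfs_creat, glfs_write or glfs_close still lets the helper exit 0 whenever glfs_fini succeeds, and the calling script then counts the run as a pass. Two smaller slips sit next to it: glfs_write is handed the open flags (`O_CREAT | O_RDWR`) as its flags argument, and the glfs_close error path logs "glfs_write failed". When glfs_write fails, glfd is also never closed. The sketch below keeps the first error and lets glfs_fini only add its own.

```c
        ret = glfs_write (glfd, buff, strlen (buff), 0);
        /* … unchanged: glfs_write error check … */

        ret = glfs_close (glfd);
        if (ret < 0) {
                LOG_ERR ("glfs_close failed");
                goto out;
        }

out:
        /* keep the first failure; glfs_fini may only add its own */
        if (glfs_fini (fs) != 0) {
                LOG_ERR ("glfs_fini failed");
                ret = -1;
        }

        return ret;
```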
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+. $(dirname $0)/../../traps.rc
+. $(dirname $0)/../../ssl.rc
+
+cleanup;
+
+TEST create_self_signed_certs
+
+TEST glusterd
+
+TEST $CLI volume create $V0 $H0:$B0/brick1;
+EXPECT 'Created' volinfo_field $V0 'Status';
+
+TEST $CLI volume start $V0;
+EXPECT 'Started' volinfo_field $V0 'Status';
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+logdir=`gluster --print-logdir`
+
+TEST build_tester $(dirname $0)/gfapi-ssl-test.c -lgfapi
+
+# Run test without I/O or management encryption
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+# Enable management encryption
+touch  $GLUSTERD_WORKDIR/secure-access
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test with management encryption (No I/O encryption)
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+# Enable I/O encryption
+TEST $CLI volume set $V0 client.ssl on
+TEST $CLI volume set $V0 server.ssl on
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test without I/O or management encryption
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+cleanup_tester $(dirname $0)/gfapi-ssl-test
+
+TEST $CLI volume stop $V0
+TEST $CLI volume delete $V0
+
+cleanup;
+
+# NetBSD build scripts are not upto date therefore this test
+# is failing in NetBSD. Therefore skipping the test in NetBSD
+# as of now.
+#G_TESTDEF_TEST_STATUS_NETBSD7=KNOWN_ISSUE,BUG=000000
diff --git a/tests/ssl.rc b/tests/ssl.rc
new file mode 100644
index 00000000000..127f83f7577
--- /dev/null
+++ b/tests/ssl.rc
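Review bot: Each of the three runs in gfapi-ssl-test.t checks only the helper's exit status, so the script shows that a connection works in each configuration but never that TLS was in use on the second and third runs; a client that quietly stayed in plaintext would look the same if the server accepted it. An assertion on the client log in `$logdir/gfapi-ssl-test.log` (or on the server side) after the encrypted runs would pin that down; the exact message to match is not visible on this page. The `touch  $GLUSTERD_WORKDIR/secure-access` step is also outside `TEST`, so a failure to create the marker would go unnoticed and the second run would simply repeat the first; `TEST touch $GLUSTERD_WORKDIR/secure-access` covers that. The comment above the last run is a copy of the first and should read `# Run test with both I/O and management encryption`.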
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for d in /etc/ssl /etc/openssl /usr/local/etc/openssl ; do
+        if test -d $d ; then
+                SSL_BASE=$d
+                break
+        fi
+done
+
+if [ ! -d "$SSL_BASE" ]; then
+        echo "Skip test! SSL certificate path missing in the system" >&2
+        SKIP_TESTS
+        exit 0
+fi
+
+SSL_KEY=$SSL_BASE/glusterfs.key
+SSL_CERT=$SSL_BASE/glusterfs.pem
+SSL_CA=$SSL_BASE/glusterfs.ca
+
+
+# Create self-signed certificates
+function create_self_signed_certs (){
+        openssl genrsa -out $SSL_KEY 1024
+        openssl req -new -x509 -key $SSL_KEY -subj /CN=Anyone -out $SSL_CERT
+        ln $SSL_CERT $SSL_CA
+        return $?
+}
+
+function cleanup_certs () {
+        rm -f $SSL_BASE/glusterfs.*
+}
+
+push_trapfunc cleanup_certs
+
+cleanup_certs  | 
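Review bot: create_self_signed_certs in tests/ssl.rc generates a 1024-bit RSA key (`openssl genrsa -out $SSL_KEY 1024`), which OpenSSL builds with a stricter default security level may refuse to load, and it returns only the status of `ln`, so a failed genrsa or req step is reported as success. Suggested: `openssl genrsa -out $SSL_KEY 2048 || return 1`, with the same `|| return 1` appended to the `openssl req` line. Separately, `cleanup_certs` runs both when the file is sourced and from the trap, and its `rm -f $SSL_BASE/glusterfs.*` acts on a system directory such as /etc/ssl, so on a host that already holds GlusterFS TLS material the test would delete it. A comment saying so above `cleanup_certs`, or a check that refuses to run when those files already exist, would make the hazard explicit.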
