From 62f4e41e9eafd2838d2a11989f08b0e7627284b4 Mon Sep 17 00:00:00 2001 From: Rajesh Joseph Date: Tue, 2 Aug 2016 15:33:34 +0000 Subject: gfapi: SSL connection for mgmt connection is not working Problem: libgfapi does not enable SSL on mgmt connection. Fix: Enable SSL when it is enabled on mgmt connection is enabled, i.e. presence of /var/lib/glusterd/secure-access file Change-Id: I1ce4935b04e6140aeab819e42076defd580b0727 BUG: 1362602 Signed-off-by: Rajesh Joseph Reviewed-on: http://review.gluster.org/15073 Smoke: Gluster Build System NetBSD-regression: NetBSD Build System CentOS-regression: Gluster Build System Reviewed-by: Niels de Vos Reviewed-by: Kaushal M --- api/src/glfs-mgmt.c | 5 ++ tests/basic/gfapi/Makefile.am | 2 +- tests/basic/gfapi/gfapi-ssl-test.c | 126 +++++++++++++++++++++++++++++++++++++ tests/basic/gfapi/gfapi-ssl-test.t | 61 ++++++++++++++++++ tests/ssl.rc | 35 +++++++++++ 5 files changed, 228 insertions(+), 1 deletion(-) create mode 100644 tests/basic/gfapi/gfapi-ssl-test.c create mode 100755 tests/basic/gfapi/gfapi-ssl-test.t create mode 100644 tests/ssl.rc diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c index 21da06889d1..f476ce14d54 100644 --- a/api/src/glfs-mgmt.c +++ b/api/src/glfs-mgmt.c @@ -36,6 +36,7 @@ #include "glfs-internal.h" #include "glfs-mem-types.h" #include "gfapi-messages.h" +#include "syscall.h" int glfs_volfile_fetch (struct glfs *fs); int32_t glfs_get_volume_info_rpc (call_frame_t *frame, xlator_t *this, @@ -916,6 +917,10 @@ glfs_mgmt_init (struct glfs *fs) if (ret) goto out; + if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { + ctx->secure_mgmt = 1; + } + rpc = rpc_clnt_new (options, THIS, THIS->name, 8); if (!rpc) { ret = -1; diff --git a/tests/basic/gfapi/Makefile.am b/tests/basic/gfapi/Makefile.am index 8ca03c72639..3cad969672e 100644 --- a/tests/basic/gfapi/Makefile.am +++ b/tests/basic/gfapi/Makefile.am 
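Review bot: In the glfs_mgmt_init hunk, every failure of `sys_access (SECURE_ACCESS_FILE, F_OK)` is treated as "management encryption is off". An error other than ENOENT (for example EACCES, when the calling process cannot search the directory holding the marker file) therefore leaves `ctx->secure_mgmt` unset with no trace in the log. A client that silently skips TLS is hard to diagnose, and depending on the server-side configuration it may end up talking to glusterd in the clear. I would keep the positive branch, add `} else if (errno != ENOENT) {` with a warning through the file's existing logging calls, and log once when `secure_mgmt` is switched on so the chosen transport mode is visible. The function body starts and ends outside the hunk, so whether `secure_mgmt` is set or read elsewhere cannot be seen here.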
@@ -5,7 +5,7 @@ CFLAGS = -Wall -g $(shell pkg-config --cflags glusterfs-api) LDFLAGS = $(shell pkg-config --libs glusterfs-api) BINARIES = upcall-cache-invalidate libgfapi-fini-hang anonymous_fd seek \ - bug1283983 bug1291259 + bug1283983 bug1291259 gfapi-ssl-test %: %.c $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ diff --git a/tests/basic/gfapi/gfapi-ssl-test.c b/tests/basic/gfapi/gfapi-ssl-test.c new file mode 100644 index 00000000000..41126bdc6db --- /dev/null +++ b/tests/basic/gfapi/gfapi-ssl-test.c 
@@ -0,0 +1,126 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define LOG_ERR(msg) do { \
+ fprintf (stderr, "%s : Error (%s)\n", msg, strerror (errno)); \
+ } while (0)
+
+glfs_t *
+init_glfs (const char *hostname, const char *volname,
+ const char *logfile)
+{
+ int ret = -1;
+ glfs_t *fs = NULL;
+
+ fs = glfs_new (volname);
+ if (!fs) {
+ LOG_ERR ("glfs_new failed");
+ return NULL;
+ }
+
+ ret = glfs_set_volfile_server (fs, "tcp", hostname, 24007);
+ if (ret < 0) {
+ LOG_ERR ("glfs_set_volfile_server failed");
+ goto out;
+ }
+
+ ret = glfs_set_logging (fs, logfile, 7);
+ if (ret < 0) {
+ LOG_ERR ("glfs_set_logging failed");
+ goto out;
+ }
+
+ ret = glfs_init (fs);
+ if (ret < 0) {
+ LOG_ERR ("glfs_init failed");
+ goto out;
+ }
+
+ ret = 0;
+out:
+ if (ret) {
+ glfs_fini (fs);
+ fs = NULL;
+ }
+
+ return fs;
+}
+
+int
+glfs_test_function (const char *hostname, const char *volname,
+ const char *logfile)
+{
+ int ret = -1;
+ int flags = O_CREAT | O_RDWR;
+ glfs_t *fs = NULL;
+ glfs_fd_t *glfd = NULL;
+ const char *buff = "This is from my prog\n";
+ const char *filename = "glfs_test.txt";
+
+ fs = init_glfs (hostname, volname, logfile);
+ if (fs == NULL) {
+ LOG_ERR ("init_glfs failed");
+ return -1;
+ }
+
+ glfd = glfs_creat (fs, filename, flags, 0644);
+ if (glfd == NULL) {
+ LOG_ERR ("glfs_creat failed");
+ goto out;
+ }
+
+ ret = glfs_write (glfd, buff, strlen (buff), flags);
+ if (ret < 0) {
+ LOG_ERR ("glfs_write failed");
+ goto out;
+ }
+
+ ret = glfs_close (glfd);
+ if (ret < 0) {
+ LOG_ERR ("glfs_write failed");
+ goto out;
+ }
+
+out:
+ ret = glfs_fini (fs);
+ if (ret) {
+ LOG_ERR ("glfs_fini failed");
+ }
+
+ return ret;
+}
+
+int
+main (int argc, char *argv[])
+{
+ int ret = 0;
+ char *hostname = NULL;
+ char *volname = NULL;
+ char *logfile = NULL;
+
+ if (argc != 4) {
+ fprintf (stderr, "Invalid argument\n");
+ exit(1);
+ }
+
+ hostname = argv[1];
+ volname = argv[2];
+ logfile = argv[3];
+
+ ret = glfs_test_function (hostname, volname, logfile);
+ if (ret) {
+ LOG_ERR ("glfs_test_function failed");
+ }
+
+ return ret;
+}
+
+
diff --git a/tests/basic/gfapi/gfapi-ssl-test.t b/tests/basic/gfapi/gfapi-ssl-test.t
new file mode 100755
index 00000000000..3236625357d
--- /dev/null
+++ b/tests/basic/gfapi/gfapi-ssl-test.t
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+. $(dirname $0)/../../traps.rc
+. $(dirname $0)/../../ssl.rc
+
+cleanup;
+
+TEST create_self_signed_certs
+
+TEST glusterd
+
+TEST $CLI volume create $V0 $H0:$B0/brick1;
+EXPECT 'Created' volinfo_field $V0 'Status';
+
+TEST $CLI volume start $V0;
+EXPECT 'Started' volinfo_field $V0 'Status';
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+logdir=`gluster --print-logdir`
+
+TEST build_tester $(dirname $0)/gfapi-ssl-test.c -lgfapi
+
+# Run test without I/O or management encryption
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+# Enable management encryption
+touch $GLUSTERD_WORKDIR/secure-access
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test with management encryption (No I/O encryption)
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+# Enable I/O encryption
+TEST $CLI volume set $V0 client.ssl on
+TEST $CLI volume set $V0 server.ssl on
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test without I/O or management encryption
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+cleanup_tester $(dirname $0)/gfapi-ssl-test
+
+TEST $CLI volume stop $V0
+TEST $CLI volume delete $V0
+
+cleanup;
+
+# NetBSD build scripts are not upto date therefore this test
+# is failing in NetBSD. Therefore skipping the test in NetBSD
+# as of now.
+#G_TESTDEF_TEST_STATUS_NETBSD7=KNOWN_ISSUE,BUG=000000
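Review bot: In glfs_test_function the `out:` label assigns `ret = glfs_fini (fs);`, which overwrites the error recorded by a failed glfs_creat, glfs_write or glfs_close. The program can then exit 0, and the .t script counts the run as a pass even though I/O over the connection under test failed. Keep the earlier status instead, e.g. `if (glfs_fini (fs)) { LOG_ERR ("glfs_fini failed"); ret = -1; }`. On the write-failure path `glfd` is never closed, and the message after glfs_close still says "glfs_write failed". Passing `flags` (the open flags) as the last argument of glfs_write also looks unintended, where `0` would be expected.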
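Review bot: The comment above the third run of gfapi-ssl-test still reads "Run test without I/O or management encryption", although by then both secure-access and client.ssl/server.ssl are on. It should say `# Run test with both I/O and management encryption`. `touch $GLUSTERD_WORKDIR/secure-access` is not wrapped in `TEST`, so a failure to create the marker is not recorded by the harness and the second run would no longer be exercising management encryption; `TEST touch $GLUSTERD_WORKDIR/secure-access` makes that step checked. The marker is not removed explicitly at the end, and whether `cleanup` clears it is not visible in this hunk. The commented-out NetBSD line carries the placeholder `BUG=000000`.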
diff --git a/tests/ssl.rc b/tests/ssl.rc
new file mode 100644
index 00000000000..127f83f7577
--- /dev/null
+++ b/tests/ssl.rc
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for d in /etc/ssl /etc/openssl /usr/local/etc/openssl ; do
+ if test -d $d ; then
+ SSL_BASE=$d
+ break
+ fi
+done
+
+if [ ! -d "$SSL_BASE" ]; then
+ echo "Skip test! SSL certificate path missing in the system" >&2
+ SKIP_TESTS
+ exit 0
+fi
+
+SSL_KEY=$SSL_BASE/glusterfs.key
+SSL_CERT=$SSL_BASE/glusterfs.pem
+SSL_CA=$SSL_BASE/glusterfs.ca
+
+
+# Create self-signed certificates
+function create_self_signed_certs (){
+ openssl genrsa -out $SSL_KEY 1024
+ openssl req -new -x509 -key $SSL_KEY -subj /CN=Anyone -out $SSL_CERT
+ ln $SSL_CERT $SSL_CA
+ return $?
+}
+
+function cleanup_certs () {
+ rm -f $SSL_BASE/glusterfs.*
+}
+
+push_trapfunc cleanup_certs
+
+cleanup_certs
-- cgit
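Review bot: create_self_signed_certs returns only the status of `ln`, so a failed `openssl genrsa` or `openssl req` is not reported to the `TEST` that calls it. Chain the three commands with `&&` rather than relying on the trailing `return $?`. The key is generated with 1024 bits, which is below current minimums and may be rejected by OpenSSL builds with a raised security level; `openssl genrsa -out $SSL_KEY 2048` avoids that. Sourcing the file also runs `cleanup_certs`, i.e. `rm -f $SSL_BASE/glusterfs.*` in the system SSL directory. The header should carry a comment that the test must not be run on a host holding real GlusterFS TLS credentials there.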