summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRajesh Joseph <rjoseph@redhat.com>2016-08-02 15:33:34 +0000
committerKaushal M <kaushal@redhat.com>2016-08-28 23:19:33 -0700
commit62f4e41e9eafd2838d2a11989f08b0e7627284b4 (patch)
tree99780d4086823c5c4a51b2efcef8e0291f01c638
parent70dabd796c04eb6e95fbf83e73219e671cc05dd3 (diff)
gfapi: SSL connection for mgmt connection is not working
Problem: libgfapi does not enable SSL on mgmt connection. Fix: Enable SSL when it is enabled on mgmt connection is enabled, i.e. presence of /var/lib/glusterd/secure-access file Change-Id: I1ce4935b04e6140aeab819e42076defd580b0727 BUG: 1362602 Signed-off-by: Rajesh Joseph <rjoseph@redhat.com> Reviewed-on: http://review.gluster.org/15073 Smoke: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Niels de Vos <ndevos@redhat.com> Reviewed-by: Kaushal M <kaushal@redhat.com>
-rw-r--r--api/src/glfs-mgmt.c5
-rw-r--r--tests/basic/gfapi/Makefile.am2
-rw-r--r--tests/basic/gfapi/gfapi-ssl-test.c126
-rwxr-xr-xtests/basic/gfapi/gfapi-ssl-test.t61
-rw-r--r--tests/ssl.rc35
5 files changed, 228 insertions, 1 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c
index 21da06889d1..f476ce14d54 100644
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@@ -36,6 +36,7 @@
#include "glfs-internal.h"
#include "glfs-mem-types.h"
#include "gfapi-messages.h"
+#include "syscall.h"
int glfs_volfile_fetch (struct glfs *fs);
int32_t glfs_get_volume_info_rpc (call_frame_t *frame, xlator_t *this,
@@ -916,6 +917,10 @@ glfs_mgmt_init (struct glfs *fs)
if (ret)
goto out;
+ if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
+ ctx->secure_mgmt = 1;
+ }
+
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
if (!rpc) {
ret = -1;
diff --git a/tests/basic/gfapi/Makefile.am b/tests/basic/gfapi/Makefile.am
index 8ca03c72639..3cad969672e 100644
--- a/tests/basic/gfapi/Makefile.am
+++ b/tests/basic/gfapi/Makefile.am
@@ -5,7 +5,7 @@ CFLAGS = -Wall -g $(shell pkg-config --cflags glusterfs-api)
LDFLAGS = $(shell pkg-config --libs glusterfs-api)
BINARIES = upcall-cache-invalidate libgfapi-fini-hang anonymous_fd seek \
- bug1283983 bug1291259
+ bug1283983 bug1291259 gfapi-ssl-test
%: %.c
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
diff --git a/tests/basic/gfapi/gfapi-ssl-test.c b/tests/basic/gfapi/gfapi-ssl-test.c
new file mode 100644
index 00000000000..41126bdc6db
--- /dev/null
+++ b/tests/basic/gfapi/gfapi-ssl-test.c
@@ -0,0 +1,126 @@
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+#include <limits.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <glusterfs/api/glfs.h>
+#include <glusterfs/api/glfs-handles.h>
+
+#define LOG_ERR(msg) do { \
+ fprintf (stderr, "%s : Error (%s)\n", msg, strerror (errno)); \
+ } while (0)
+
+glfs_t *
+init_glfs (const char *hostname, const char *volname,
+ const char *logfile)
+{
+ int ret = -1;
+ glfs_t *fs = NULL;
+
+ fs = glfs_new (volname);
+ if (!fs) {
+ LOG_ERR ("glfs_new failed");
+ return NULL;
+ }
+
+ ret = glfs_set_volfile_server (fs, "tcp", hostname, 24007);
+ if (ret < 0) {
+ LOG_ERR ("glfs_set_volfile_server failed");
+ goto out;
+ }
+
+ ret = glfs_set_logging (fs, logfile, 7);
+ if (ret < 0) {
+ LOG_ERR ("glfs_set_logging failed");
+ goto out;
+ }
+
+ ret = glfs_init (fs);
+ if (ret < 0) {
+ LOG_ERR ("glfs_init failed");
+ goto out;
+ }
+
+ ret = 0;
+out:
+ if (ret) {
+ glfs_fini (fs);
+ fs = NULL;
+ }
+
+ return fs;
+}
+
+int
+glfs_test_function (const char *hostname, const char *volname,
+ const char *logfile)
+{
+ int ret = -1;
+ int flags = O_CREAT | O_RDWR;
+ glfs_t *fs = NULL;
+ glfs_fd_t *glfd = NULL;
+ const char *buff = "This is from my prog\n";
+ const char *filename = "glfs_test.txt";
+
+ fs = init_glfs (hostname, volname, logfile);
+ if (fs == NULL) {
+ LOG_ERR ("init_glfs failed");
+ return -1;
+ }
+
+ glfd = glfs_creat (fs, filename, flags, 0644);
+ if (glfd == NULL) {
+ LOG_ERR ("glfs_creat failed");
+ goto out;
+ }
+
+ ret = glfs_write (glfd, buff, strlen (buff), flags);
+ if (ret < 0) {
+ LOG_ERR ("glfs_write failed");
+ goto out;
+ }
+
+ ret = glfs_close (glfd);
+ if (ret < 0) {
+ LOG_ERR ("glfs_write failed");
+ goto out;
+ }
+
+out:
+ ret = glfs_fini (fs);
+ if (ret) {
+ LOG_ERR ("glfs_fini failed");
+ }
+
+ return ret;
+}
+
+int
+main (int argc, char *argv[])
+{
+ int ret = 0;
+ char *hostname = NULL;
+ char *volname = NULL;
+ char *logfile = NULL;
+
+ if (argc != 4) {
+ fprintf (stderr, "Invalid argument\n");
+ exit(1);
+ }
+
+ hostname = argv[1];
+ volname = argv[2];
+ logfile = argv[3];
+
+ ret = glfs_test_function (hostname, volname, logfile);
+ if (ret) {
+ LOG_ERR ("glfs_test_function failed");
+ }
+
+ return ret;
+}
+
+
diff --git a/tests/basic/gfapi/gfapi-ssl-test.t b/tests/basic/gfapi/gfapi-ssl-test.t
new file mode 100755
index 00000000000..3236625357d
--- /dev/null
+++ b/tests/basic/gfapi/gfapi-ssl-test.t
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+. $(dirname $0)/../../traps.rc
+. $(dirname $0)/../../ssl.rc
+
+cleanup;
+
+TEST create_self_signed_certs
+
+TEST glusterd
+
+TEST $CLI volume create $V0 $H0:$B0/brick1;
+EXPECT 'Created' volinfo_field $V0 'Status';
+
+TEST $CLI volume start $V0;
+EXPECT 'Started' volinfo_field $V0 'Status';
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+logdir=`gluster --print-logdir`
+
+TEST build_tester $(dirname $0)/gfapi-ssl-test.c -lgfapi
+
+# Run test without I/O or management encryption
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+# Enable management encryption
+touch $GLUSTERD_WORKDIR/secure-access
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test with management encryption (No I/O encryption)
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+# Enable I/O encryption
+TEST $CLI volume set $V0 client.ssl on
+TEST $CLI volume set $V0 server.ssl on
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test without I/O or management encryption
+TEST ./$(dirname $0)/gfapi-ssl-test $H0 $V0 $logdir/gfapi-ssl-test.log
+
+cleanup_tester $(dirname $0)/gfapi-ssl-test
+
+TEST $CLI volume stop $V0
+TEST $CLI volume delete $V0
+
+cleanup;
+
+# NetBSD build scripts are not upto date therefore this test
+# is failing in NetBSD. Therefore skipping the test in NetBSD
+# as of now.
+#G_TESTDEF_TEST_STATUS_NETBSD7=KNOWN_ISSUE,BUG=000000
diff --git a/tests/ssl.rc b/tests/ssl.rc
new file mode 100644
index 00000000000..127f83f7577
--- /dev/null
+++ b/tests/ssl.rc
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for d in /etc/ssl /etc/openssl /usr/local/etc/openssl ; do
+ if test -d $d ; then
+ SSL_BASE=$d
+ break
+ fi
+done
+
+if [ ! -d "$SSL_BASE" ]; then
+ echo "Skip test! SSL certificate path missing in the system" >&2
+ SKIP_TESTS
+ exit 0
+fi
+
+SSL_KEY=$SSL_BASE/glusterfs.key
+SSL_CERT=$SSL_BASE/glusterfs.pem
+SSL_CA=$SSL_BASE/glusterfs.ca
+
+
+# Create self-signed certificates
+function create_self_signed_certs (){
+ openssl genrsa -out $SSL_KEY 1024
+ openssl req -new -x509 -key $SSL_KEY -subj /CN=Anyone -out $SSL_CERT
+ ln $SSL_CERT $SSL_CA
+ return $?
+}
+
+function cleanup_certs () {
+ rm -f $SSL_BASE/glusterfs.*
+}
+
+push_trapfunc cleanup_certs
+
+cleanup_certs