forked from apache/cassandra-dtest
native_transport_ssl_test.py
import os
import pytest
import logging
from cassandra import ConsistencyLevel
from cassandra.cluster import NoHostAvailable
from dtest import Tester, create_ks, create_cf
from tools.data import putget
from tools.misc import generate_ssl_stores
# Shorthand for the `since` pytest marker, applied below as @since('3.0').
# NOTE(review): presumably it restricts a test to Cassandra versions at or above
# the given one - confirm against the marker's implementation.
since = pytest.mark.since
# Module-level logger named after this module.
logger = logging.getLogger(__name__)
class TestNativeTransportSSL(Tester):
    """
    Integration tests for the native (CQL) transport, covering client
    encryption (SSL) and non-default port configurations.

    Every test configures and starts a one-node cluster. The SSL tests read
    'keystore.jks' (node side) and 'ccm_node.cer' (client CA file) from the
    test directory; both are presumably written by generate_ssl_stores().
    """

    def test_connect_to_ssl(self):
        """
        With client encryption enabled (and not optional), a plaintext client
        must be rejected and only an SSL enabled client may connect to the
        native transport port.
        """
        cluster = self._populateCluster(enableSSL=True)
        node1 = cluster.nodelist()[0]
        cluster.start()

        # Explicit try/except/else so that the failure carries its own message.
        # NOTE(review): self.fail is not defined in this file; presumably it is
        # provided by Tester - confirm.
        try:
            # no ssl options on the client: the connection attempt must fail
            self.patient_cql_connection(node1)
        except NoHostAvailable:
            pass
        else:
            self.fail('Should not be able to connect to SSL socket without SSL enabled client')

        # The rejected attempt must also show up in the node's log; the
        # exception that is searched for depends on the cluster version.
        if cluster.version() >= '4.0':
            rejection_pattern = "javax.net.ssl.SSLHandshakeException"
        else:
            rejection_pattern = "io.netty.handler.ssl.NotSslRecordException.*"
        assert len(node1.grep_log(rejection_pattern)) > 0, \
            "Missing SSL handshake exception while connecting with non-SSL enabled client"

        # enable ssl on the client and try again (this should work)
        # NOTE(review): only 'ca_certs' is supplied here. Whether the server
        # certificate is actually verified depends on how patient_cql_connection
        # turns ssl_opts into a TLS context (e.g. cert_reqs, hostname checking),
        # which is not visible in this file - confirm.
        ca_cert = os.path.join(self.fixture_dtest_setup.test_path, 'ccm_node.cer')
        session = self.patient_cql_connection(node1, ssl_opts={'ca_certs': ca_cert})
        self._putget(cluster, session)

    def test_connect_to_ssl_optional(self):
        """
        With 'optional' client encryption the native transport port must accept
        both SSL and non-SSL clients, i.e. encryption is offered but not
        enforced on that port.
        @jira_ticket CASSANDRA-10559
        """
        cluster = self._populateCluster(enableSSL=True, sslOptional=True)
        node1 = cluster.nodelist()[0]
        cluster.start()

        # plaintext client first: no ssl options
        plain_session = self.patient_cql_connection(node1)
        self._putget(cluster, plain_session)

        # then the same port with ssl enabled on the client (this should work too)
        ca_cert = os.path.join(self.fixture_dtest_setup.test_path, 'ccm_node.cer')
        ssl_session = self.patient_cql_connection(node1, ssl_opts={'ca_certs': ca_cert})
        self._putget(cluster, ssl_session, ks='ks2')

    def test_use_custom_port(self):
        """
        The native transport must be reachable on a configured non-default
        port, and no longer on the default one.
        """
        cluster = self._populateCluster(nativePort=9567)
        node1 = cluster.nodelist()[0]
        cluster.start()

        # Explicit try/except/else so that the failure carries its own message.
        try:
            # no port given: the client falls back to its default port
            self.patient_cql_connection(node1)
        except NoHostAvailable:
            pass
        else:
            self.fail('Should not be able to connect to non-default port')

        session = self.patient_cql_connection(node1, port=9567)
        self._putget(cluster, session)

    @since('3.0')
    def test_use_custom_ssl_port(self):
        """
        An additional, dedicated SSL port must accept SSL clients while the
        default native transport port keeps accepting non-SSL clients.
        @jira_ticket CASSANDRA-9590
        """
        cluster = self._populateCluster(enableSSL=True, nativePortSSL=9666)
        node1 = cluster.nodelist()[0]
        cluster.start()

        # the default port stays non-ssl in this setup and must be usable as such
        plain_session = self.patient_cql_connection(node1)
        self._putget(cluster, plain_session)

        # the dedicated ssl port needs an ssl enabled client
        ca_cert = os.path.join(self.fixture_dtest_setup.test_path, 'ccm_node.cer')
        ssl_session = self.patient_cql_connection(node1, port=9666, ssl_opts={'ca_certs': ca_cert})
        self._putget(cluster, ssl_session, ks='ks2')

    def _populateCluster(self, enableSSL=False, nativePort=None, nativePortSSL=None, sslOptional=False):
        """
        Apply the requested transport settings to self.cluster, populate it
        with one node and return it. The cluster is not started here.

        enableSSL     -- generate the SSL stores in the test directory and set
                         'client_encryption_options' with 'enabled': True
        nativePort    -- value for 'native_transport_port' (skipped when falsy)
        nativePortSSL -- value for 'native_transport_port_ssl' (skipped when falsy)
        sslOptional   -- adds 'optional' to the encryption options; only looked
                         at when enableSSL is set
        """
        cluster = self.cluster

        if enableSSL:
            store_dir = self.fixture_dtest_setup.test_path
            generate_ssl_stores(store_dir)

            encryption_options = {'enabled': True}
            # C* versions before 3.0 (CASSANDRA-10559) do not know about
            # 'client_encryption_options.optional' - so the key is only added
            # when it was asked for
            if sslOptional:
                encryption_options['optional'] = sslOptional
            encryption_options['keystore'] = os.path.join(store_dir, 'keystore.jks')
            # hard-coded password of the generated test keystore
            # NOTE(review): presumably matches what generate_ssl_stores() uses - confirm
            encryption_options['keystore_password'] = 'cassandra'
            cluster.set_configuration_options({'client_encryption_options': encryption_options})

        if nativePort:
            cluster.set_configuration_options({'native_transport_port': nativePort})

        if nativePortSSL:
            cluster.set_configuration_options({'native_transport_port_ssl': nativePortSSL})

        cluster.populate(1)
        return cluster

    def _putget(self, cluster, session, ks='ks', cf='cf'):
        """
        Create keyspace *ks* and table *cf* (compression=None) through *session*,
        then run the putget() helper at consistency level ONE.
        """
        # NOTE(review): the third argument of create_ks is presumably the
        # replication factor - confirm against dtest.create_ks
        create_ks(session, ks, 1)
        create_cf(session, cf, compression=None)
        putget(cluster, session, cl=ConsistencyLevel.ONE)