test: add certificate authenticate tests

Signed-off-by: themanforfree <[email protected]>
xline-kv · Feb 27, 2024 · c01af08 · c01af08
1 parent db48e7a
commit c01af08
Show file tree

Hide file tree

Showing 19 changed files with 347 additions and 194 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/utils/src/lib.rs b/crates/utils/src/lib.rs
@@ -198,6 +198,7 @@ pub mod tokio_lock;
 /// utils for pass span context
 pub mod tracing;
 
+use ::tracing::debug;
 pub use parser::*;
 
 /// Get current timestamp in seconds
@@ -219,6 +220,14 @@ pub fn build_endpoint(
     addr: &str,
     tls_config: Option<&ClientTlsConfig>,
 ) -> Result<Endpoint, tonic::transport::Error> {
+    debug!(
+        "connect to {addr}{}",
+        if tls_config.is_some() {
+            " with tls_config"
+        } else {
+            ""
+        }
+    );
     let scheme_str = addr.split_once("://").map(|(scheme, _)| scheme);
     let endpoint = match scheme_str {
         Some(_scheme) => Endpoint::from_str(addr)?,

diff --git a/crates/xline-test-utils/Cargo.toml b/crates/xline-test-utils/Cargo.toml
@@ -23,6 +23,7 @@ tokio = { version = "0.2.23", package = "madsim-tokio", features = [
     "net",
     "signal",
 ] }
+tonic = "0.10.2"
 utils = { path = "../utils", features = ["parking_lot"] }
 workspace-hack = { version = "0.1", path = "../../workspace-hack" }
 xline = { path = "../xline" }

diff --git a/crates/xline-test-utils/private.pem b/crates/xline-test-utils/private.pem
diff --git a/crates/xline-test-utils/public.pem b/crates/xline-test-utils/public.pem
diff --git a/crates/xline-test-utils/src/lib.rs b/crates/xline-test-utils/src/lib.rs
@@ -14,6 +14,10 @@ use utils::config::{
     LogConfig, MetricsConfig, StorageConfig, TlsConfig, TraceConfig, XlineServerConfig,
 };
 use xline::server::XlineServer;
+use xline_client::types::auth::{
+    AuthRoleAddRequest, AuthRoleGrantPermissionRequest, AuthUserAddRequest,
+    AuthUserGrantRoleRequest, Permission, PermissionType,
+};
 pub use xline_client::{types, Client, ClientOptions};
 
 /// Cluster
@@ -28,8 +32,6 @@ pub struct Cluster {
     configs: Vec<XlineServerConfig>,
     /// Xline servers
     servers: Vec<Arc<XlineServer>>,
-    /// Client tls config
-    client_tls_config: Option<ClientTlsConfig>,
     /// Client of cluster
     client: Option<Client>,
 }
@@ -79,16 +81,10 @@ impl Cluster {
             all_members_client_urls,
             configs,
             servers: Vec::new(),
-            client_tls_config: None,
             client: None,
         }
     }
 
-    /// set cluster client tls config
-    pub fn set_client_tls_config(&mut self, client_tls_config: ClientTlsConfig) {
-        self.client_tls_config = Some(client_tls_config);
-    }
-
     /// Start `Cluster`
     pub async fn start(&mut self) {
         let mut futs = Vec::new();
@@ -200,34 +196,27 @@ impl Cluster {
     /// Create or get the client with the specified index
     pub async fn client(&mut self) -> &mut Client {
         if self.client.is_none() {
-            let opts = if let Some(ref ctf) = self.client_tls_config {
-                ClientOptions::default().with_tls_config(ctf.clone())
-            } else {
-                ClientOptions::default()
-            };
-            let client = Client::connect(self.all_members_client_urls.clone(), opts)
-                .await
-                .unwrap_or_else(|e| {
-                    panic!("Client connect error: {:?}", e);
-                });
+            let client = Client::connect(
+                self.all_members_client_urls.clone(),
+                ClientOptions::default(),
+            )
+            .await
+            .unwrap_or_else(|e| {
+                panic!("Client connect error: {:?}", e);
+            });
             self.client = Some(client);
         }
         self.client.as_mut().unwrap()
     }
 
     /// Create or get the client with the specified index
-    pub async fn client2(&mut self, tls_config: ClientTlsConfig) -> &mut Client {
-        let opts = ClientOptions::default().with_tls_config(tls_config);
-        let urls = self.all_members_client_urls.clone();
-        println!("urls: {:?}", urls);
-
-        if self.client.is_none() {
-            let client = Client::connect(urls, opts).await.unwrap_or_else(|e| {
+    pub async fn client_with_tls_config(&mut self, client_tls_config: ClientTlsConfig) -> Client {
+        let opts = ClientOptions::default().with_tls_config(client_tls_config);
+        Client::connect(self.all_members_client_urls.clone(), opts)
+            .await
+            .unwrap_or_else(|e| {
                 panic!("Client connect error: {:?}", e);
-            });
-            self.client = Some(client);
-        }
-        self.client.as_mut().unwrap()
+            })
     }
 
     pub fn all_members_client_urls_map(&self) -> HashMap<usize, String> {
@@ -349,3 +338,36 @@ fn random_id() -> String {
         .map(char::from)
         .collect()
 }
+
+pub async fn set_user(
+    client: &Client,
+    name: &str,
+    password: &str,
+    role: &str,
+    key: &[u8],
+    range_end: &[u8],
+) -> Result<(), Box<dyn std::error::Error>> {
+    let client = client.auth_client();
+    client
+        .user_add(AuthUserAddRequest::new(name).with_pwd(password))
+        .await?;
+    client.role_add(AuthRoleAddRequest::new(role)).await?;
+    client
+        .user_grant_role(AuthUserGrantRoleRequest::new(name, role))
+        .await?;
+    if !key.is_empty() {
+        client
+            .role_grant_permission(AuthRoleGrantPermissionRequest::new(
+                role,
+                Permission::new(PermissionType::Readwrite, key).with_range_end(range_end),
+            ))
+            .await?;
+    }
+    Ok(())
+}
+
+pub async fn enable_auth(client: &Client) -> Result<(), Box<dyn std::error::Error>> {
+    set_user(client, "root", "123", "root", &[], &[]).await?;
+    client.auth_client().auth_enable().await?;
+    Ok(())
+}
diff --git a/crates/xline/src/server/xline_server.rs b/crates/xline/src/server/xline_server.rs
@@ -635,28 +635,58 @@ impl XlineServer {
     async fn read_tls_config(
         tls_config: &TlsConfig,
     ) -> Result<(Option<ClientTlsConfig>, Option<ServerTlsConfig>)> {
-        let client_tls_config =
-            if let Some(ca_cert_path) = tls_config.client_ca_cert_path().as_ref() {
-                let ca = Certificate::from_pem(fs::read(ca_cert_path).await?);
-                Some(ClientTlsConfig::new().ca_certificate(ca))
-            } else {
-                None
-            };
+        let client_tls_config = match (
+            tls_config.client_ca_cert_path().as_ref(),
+            tls_config.client_cert_path().as_ref(),
+            tls_config.client_key_path().as_ref(),
+        ) {
+            (Some(ca_path), Some(cert_path), Some(key_path)) => {
+                let ca = fs::read(ca_path).await?;
+                let cert = fs::read(cert_path).await?;
+                let key = fs::read(key_path).await?;
+                Some(
+                    ClientTlsConfig::new()
+                        .ca_certificate(Certificate::from_pem(ca))
+                        .identity(Identity::from_pem(cert, key)),
+                )
+            }
+            (Some(ca_path), None, None) => {
+                let ca = fs::read(ca_path).await?;
+                Some(ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca)))
+            }
+            (_, Some(_), None) | (_, None, Some(_)) => {
+                return Err(anyhow!(
+                    "client_cert_path and client_key_path must be both set"
+                ))
+            }
+            _ => None,
+        };
         let server_tls_config = match (
+            tls_config.server_ca_cert_path().as_ref(),
             tls_config.server_cert_path().as_ref(),
             tls_config.server_key_path().as_ref(),
         ) {
-            (Some(cert_path), Some(key_path)) => {
+            (Some(ca_path), Some(cert_path), Some(key_path)) => {
+                let ca = fs::read(ca_path).await?;
+                let cert = fs::read_to_string(cert_path).await?;
+                let key = fs::read_to_string(key_path).await?;
+                Some(
+                    ServerTlsConfig::new()
+                        .client_ca_root(Certificate::from_pem(ca))
+                        .identity(Identity::from_pem(cert, key)),
+                )
+            }
+            (None, Some(cert_path), Some(key_path)) => {
                 let cert = fs::read_to_string(cert_path).await?;
                 let key = fs::read_to_string(key_path).await?;
                 Some(ServerTlsConfig::new().identity(Identity::from_pem(cert, key)))
             }
-            (None, None) => None,
-            _ => {
+            (_, Some(_), None) | (_, None, Some(_)) => {
                 return Err(anyhow!(
-                    "server_cert_path and server_key_path must be both set"
+                    "client_cert_path and client_key_path must be both set"
                 ))
             }
+            _ => None,
         };
         Ok((client_tls_config, server_tls_config))
     }

diff --git a/crates/xline/src/storage/auth_store/store.rs b/crates/xline/src/storage/auth_store/store.rs
@@ -16,7 +16,6 @@ use pbkdf2::{
     password_hash::{PasswordHash, PasswordVerifier},
     Pbkdf2,
 };
-use tonic::transport::Certificate;
 use utils::parking_lot_lock::RwLockMap;
 use xlineapi::{
     command::{CommandResponse, KeyRange, SyncResponse},
@@ -108,7 +107,7 @@ where
     }
 
     /// Get enabled of Auth store
-    pub(super) fn is_enabled(&self) -> bool {
+    pub(crate) fn is_enabled(&self) -> bool {
         self.enabled.load(AtomicOrdering::Relaxed)
     }
 
@@ -138,6 +137,9 @@ where
         &self,
         request: &tonic::Request<T>,
     ) -> Result<Option<AuthInfo>, tonic::Status> {
+        if !self.is_enabled() {
+            return Ok(None);
+        }
         if let Some(token) = get_token(request.metadata()) {
             let auth_info = self.verify(&token)?;
             return Ok(Some(auth_info));

diff --git a/crates/xline/tests/it/auth_test.rs b/crates/xline/tests/it/auth_test.rs
@@ -6,12 +6,9 @@ use utils::config::{
     TraceConfig, XlineServerConfig,
 };
 use xline_test_utils::{
+    enable_auth, set_user,
     types::{
-        auth::{
-            AuthRoleAddRequest, AuthRoleDeleteRequest, AuthRoleGrantPermissionRequest,
-            AuthUserAddRequest, AuthUserGetRequest, AuthUserGrantRoleRequest, Permission,
-            PermissionType,
-        },
+        auth::{AuthRoleDeleteRequest, AuthUserAddRequest, AuthUserGetRequest},
         kv::{PutRequest, RangeRequest},
     },
     Client, ClientOptions, Cluster,
@@ -228,39 +225,6 @@ async fn test_auth_wrong_password() -> Result<(), Box<dyn Error>> {
     Ok(())
 }
 
-async fn set_user(
-    client: &Client,
-    name: &str,
-    password: &str,
-    role: &str,
-    key: &[u8],
-    range_end: &[u8],
-) -> Result<(), Box<dyn Error>> {
-    let client = client.auth_client();
-    client
-        .user_add(AuthUserAddRequest::new(name).with_pwd(password))
-        .await?;
-    client.role_add(AuthRoleAddRequest::new(role)).await?;
-    client
-        .user_grant_role(AuthUserGrantRoleRequest::new(name, role))
-        .await?;
-    if !key.is_empty() {
-        client
-            .role_grant_permission(AuthRoleGrantPermissionRequest::new(
-                role,
-                Permission::new(PermissionType::Readwrite, key).with_range_end(range_end),
-            ))
-            .await?;
-    }
-    Ok(())
-}
-
-async fn enable_auth(client: &Client) -> Result<(), Box<dyn Error>> {
-    set_user(client, "root", "123", "root", &[], &[]).await?;
-    client.auth_client().auth_enable().await?;
-    Ok(())
-}
-
 fn configs_with_auth(size: usize) -> Vec<XlineServerConfig> {
     iter::repeat_with(|| {
         (