WL#15524 Patch #1 "START TLS" for management API

jdduncan · jdduncan · commit 4ba9baa3fcaf · 2023-07-21T10:00:36.000-07:00
Add an MGM protocol command to turn a plaintext mgm api session
into a TLS session. Add three new MGM API functions:
  ndb_mgm_set_ssl_ctx()
  ndb_mgm_start_tls()
  ndb_mgm_connect_tls()

Define two client TLS requirement levels:
 CLIENT_TLS_RELAXED, CLIENT_TLS_STRICT

This adds a new test: testMgmd -n StartTls

Change-Id: Ib46faacd9198c474558e46c3fa0538c7e759f3fb
diff --git a/storage/ndb/include/mgmapi/mgmapi.h b/storage/ndb/include/mgmapi/mgmapi.h
@@ -1573,6 +1573,60 @@ extern "C" {
   ndb_mgm_dump_events(NdbMgmHandle handle, enum Ndb_logevent_type type,
                       int no_of_nodes, const int * node_list);
 
+  /** @} *********************************************************************/
+  /**
+   * @name Functions: Transport Layer Security (TLS)
+   * @{
+   */
+
+  /**
+   * Set an SSL CTX for a handle.
+   *
+   * @param handle          Management handle
+   * @param ctx             SSL_ctx to be used for TLS and HTTPS connections
+   *
+   * @return                True on success, false if ctx has already been set
+   *
+   */
+  bool ndb_mgm_set_ssl_ctx(NdbMgmHandle handle, struct ssl_ctx_st *ctx);
+
+   /**
+   * Start TLS. Upgrade an open, unencrypted connection to a secure one.
+   *
+   * @param handle          Management handle
+   *
+   * @return                0 on success.
+   */
+  int ndb_mgm_start_tls(NdbMgmHandle handle);
+
+  /**
+   * Connects to a management server. This function wraps a call to
+   * ndb_mgm_connect(), followed by a call to ndb_mgm_start_tls().
+   *
+   * In order to attempt TLS, the user must first have called
+   * ndb_mgm_set_ssl_ctx().
+   *
+   * If tls_req_level is CLIENT_TLS_RELAXED, TLS authentication failures still
+   * result in errors, but a missing certificate or server refusal will result
+   * in a succesful cleartext connection.
+   *
+   * If tls_req_level is CLIENT_TLS_STRICT, then any failure to establish TLS
+   * will be treated as an error, and the connection will be closed.
+   *
+   * @param   handle        Management handle.
+   * @param   no_retries    Number of retries to connect
+   *                        (0 means connect once).
+   * @param   retry_delay_in_seconds
+   *                        How long to wait until retry is performed.
+   * @param   verbose       Make printout regarding connect retries.
+   * @param   tls_req_level TLS requirement level
+   *
+   * @return                0 on success, -1 on failure.
+   */
+  int ndb_mgm_connect_tls(NdbMgmHandle handle, int no_retries,
+                          int retry_delay_in_seconds, int verbose,
+                          int tls_req_level);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/storage/ndb/include/mgmapi/mgmapi_config_parameters.h b/storage/ndb/include/mgmapi/mgmapi_config_parameters.h
@@ -390,4 +390,7 @@
 #define OPERATION_REDO_PROBLEM_ACTION_ABORT 0
 #define OPERATION_REDO_PROBLEM_ACTION_QUEUE 1
 
+#define CLIENT_TLS_RELAXED            0
+#define CLIENT_TLS_STRICT             1
+
 #endif
diff --git a/storage/ndb/include/mgmapi/mgmapi_error.h b/storage/ndb/include/mgmapi/mgmapi_error.h
@@ -56,9 +56,13 @@ extern "C" {
     NDB_MGM_BIND_ADDRESS = 1012,
     /** Supplied bind-address is illegal */
     NDB_MGM_ILLEGAL_BIND_ADDRESS = 1013,
-    /** Cannot convert TLS MGM connection to transporter */
-    NDB_MGM_CANNOT_CONVERT_TO_TRANSPORTER = 1014,
-    
+    /** TLS is not available; client-side error */
+    NDB_MGM_TLS_ERROR = 1014,
+    /** Server refused to upgrade connection to TLS */
+    NDB_MGM_TLS_REFUSED = 1015,
+    /** TLS handshake failed; connection closed */
+    NDB_MGM_TLS_HANDSHAKE_FAILED = 1016,
+
     /* Alloc node id failures */
     /** Generic error, retry may succeed */
     NDB_MGM_ALLOCID_ERROR = 1101,
diff --git a/storage/ndb/src/mgmapi/mgmapi.cpp b/storage/ndb/src/mgmapi/mgmapi.cpp
@@ -47,6 +47,7 @@
 #include <EventLogger.hpp>
 #include <memory>
 #include "portlib/ndb_sockaddr.h"
+#include "mgmcommon/NdbMgm.hpp"
 
 //#define MGMAPI_LOG
 #define MGM_CMD(name, fun, desc) \
@@ -113,6 +114,7 @@ struct ndb_mgm_handle {
   int mgmd_version_major;
   int mgmd_version_minor;
   int mgmd_version_build;
+  struct ssl_ctx_st * ssl_ctx;
 
   int mgmd_version(void) const {
     // Must be connected
@@ -252,6 +254,7 @@ ndb_mgm_create_handle()
   h->m_bindaddress   = nullptr;
   h->m_bindaddress_port = 0;
   h->ignore_sigpipe  = true;
+  h->ssl_ctx         = nullptr;
 
   strncpy(h->last_error_desc, "No error", NDB_MGM_MAX_ERR_DESC_SIZE);
 
@@ -2521,21 +2524,25 @@ ndb_mgm_listen_event_internal(NdbMgmHandle handle, const int filter[],
   }
 
   {
-    ndb_mgm_handle * tmp_handle = ndb_mgm_create_handle();
+    ndb_mgm::handle_ptr tmp_handle(ndb_mgm_create_handle());
     tmp_handle->socket.init_from_new(sockfd);
 
+    if(handle->ssl_ctx)
+    {
+      ndb_mgm_set_ssl_ctx(tmp_handle.get(), handle->ssl_ctx);
+      ndb_mgm_start_tls(tmp_handle.get());
+    }
+
     const Properties *reply;
-    reply = ndb_mgm_call(tmp_handle, stat_reply, "listen event", &args);
+    reply = ndb_mgm_call(tmp_handle.get(), stat_reply, "listen event", &args);
 
     if(reply == nullptr) {
       ndb_socket_close(sockfd);
-      CHECK_REPLY(tmp_handle, reply, -1)
+      CHECK_REPLY(tmp_handle.get(), reply, -1)
     } else {
       delete reply;
-      tmp_handle->connected = 0;  // so that destroy_handle() doesn't close it.
+      tmp_handle.get()->connected = 0;  // so that destructor doesn't close it.
     }
-
-    ndb_mgm_destroy_handle(&tmp_handle);
   }
 
   *sock= sockfd;
@@ -2607,6 +2614,95 @@ ndb_mgm_get_configuration_from_node(NdbMgmHandle handle,
                                     NDB_MGM_NODE_TYPE_UNKNOWN, nodeid);
 }
 
+extern "C"
+bool
+ndb_mgm_set_ssl_ctx(NdbMgmHandle handle, struct ssl_ctx_st *ctx)
+{
+  if(handle && (handle->ssl_ctx == nullptr)) {
+    handle->ssl_ctx = ctx;
+    return true;
+  }
+  return false;
+}
+
+extern "C"
+int
+ndb_mgm_start_tls(NdbMgmHandle handle)
+{
+  bool server_ok = false;
+
+  if(handle->ssl_ctx == nullptr) {
+    SET_ERROR(handle, NDB_MGM_TLS_ERROR, "SSL CTX required");
+    return -1;
+  }
+
+  if(handle->socket.has_tls()) {
+    SET_ERROR(handle, NDB_MGM_TLS_ERROR, "Socket already has TLS");
+    return -2;
+  }
+
+  const ParserRow<ParserDummy> start_tls_reply[] = {
+    MGM_CMD("start tls reply", NULL, ""),
+    MGM_ARG("result", String, Mandatory, "Error message"),
+    MGM_END()
+  };
+
+  Properties args;
+  const Properties * reply =
+    ndb_mgm_call(handle, start_tls_reply, "start tls", &args);
+
+  if(reply) {
+    BaseString result;
+    reply->get("result", result);
+    if(strcmp(result.c_str(), "Ok") == 0) server_ok = true;
+    delete reply;
+  }
+
+  if(! server_ok) {
+    SET_ERROR(handle, NDB_MGM_TLS_REFUSED, "Server refused upgrade");
+    return -3;
+  }
+
+  struct ssl_st * ssl = NdbSocket::get_client_ssl(handle->ssl_ctx);
+  if(! (ssl && handle->socket.associate(ssl))) {
+    SET_ERROR(handle, NDB_MGM_TLS_ERROR, "Failed in client");
+    NdbSocket::free_ssl(ssl);
+    return -4;
+  }
+
+  /* Now run handshake */
+  bool r = handle->socket.do_tls_handshake();
+  if(r) return 0; // success
+
+  SET_ERROR(handle, NDB_MGM_TLS_HANDSHAKE_FAILED, "Handshake failed");
+  return -5;
+}
+
+extern "C"
+int
+ndb_mgm_connect_tls(NdbMgmHandle handle, int retries,
+	            int retry_delay, int verbose, int tls_level)
+{
+  if(tls_level < CLIENT_TLS_RELAXED || tls_level > CLIENT_TLS_STRICT) {
+    SET_ERROR(handle, NDB_MGM_USAGE_ERROR, "Invalid TLS level");
+    return -1;
+  }
+
+  int r = ndb_mgm_connect(handle, retries, retry_delay, verbose);
+  if(r != 0)
+    return r;
+
+  r = ndb_mgm_start_tls(handle);
+
+  if(r == 0)
+    return 0;  // TLS started successfully
+
+  if((tls_level == CLIENT_TLS_RELAXED) && (r != -5))
+    return 0;  // -5 is fatal (handshake failed); otherwise okay.
+
+  return -1;
+}
+
 extern "C"
 int 
 ndb_mgm_start_signallog(NdbMgmHandle handle, int nodeId, 
@@ -3667,13 +3763,6 @@ ndb_mgm_convert_to_transporter(NdbMgmHandle *handle)
     DBUG_RETURN(s);
   }
 
-  if ((*handle)->socket.has_tls())
-  {
-    SET_ERROR(*handle, NDB_MGM_CANNOT_CONVERT_TO_TRANSPORTER, "");
-    ndb_socket_invalidate(&s);
-    DBUG_RETURN(s);
-  }
-
   (*handle)->connected= 0;   // we pretend we're disconnected
   s= (*handle)->socket.ndb_socket();
 
diff --git a/storage/ndb/src/mgmsrv/Services.cpp b/storage/ndb/src/mgmsrv/Services.cpp
@@ -245,6 +245,8 @@ ParserRow<MgmApiSession> commands[] = {
 
   MGM_CMD("start all", &MgmApiSession::startAll, ""),
 
+  MGM_CMD("start tls", &MgmApiSession::startTls, ""),
+
   MGM_CMD("bye", &MgmApiSession::bye, ""),
 
   MGM_CMD("end session", &MgmApiSession::endSession, ""),
@@ -1448,6 +1450,39 @@ MgmApiSession::startAll(Parser<MgmApiSession>::Context &,
   m_output->println("%s", "");
 }
 
+void
+MgmApiSession::startTls(Parser<MgmApiSession>::Context &,
+                       Properties const &) {
+  struct ssl_ctx_st * ctx = nullptr;
+  struct ssl_st * ssl = nullptr;
+  const char * result = "Failed";
+
+  if(m_secure_socket.has_tls()) {
+    result = "Already Connected";
+  } else {
+    ctx = m_mgmsrv.theFacade->get_registry()->getTlsKeyManager()->ctx();
+  }
+
+  if(ctx)
+    ssl = NdbSocket::get_server_ssl(ctx);
+
+  if(ssl)
+    result = "Ok";
+
+  /* Send the reply to the client */
+  m_output->println("start tls reply");
+  m_output->println("result: %s", result);
+  m_output->println("%s", "");
+  m_output->flush();
+
+  /* Run the TLS handshake */
+  if(ssl) {
+    if(m_secure_socket.associate(ssl))
+      m_secure_socket.do_tls_handshake();
+    else
+      NdbSocket::free_ssl(ssl);
+  }
+}
 
 static bool
 setEventLogFilter(int severity, int enable)
diff --git a/storage/ndb/src/mgmsrv/Services.hpp b/storage/ndb/src/mgmsrv/Services.hpp
@@ -108,6 +108,7 @@ class MgmApiSession : public SocketServer::Session
   void stopAll(Parser_t::Context &ctx, const class Properties &args);
   void start(Parser_t::Context &ctx, const class Properties &args);
   void startAll(Parser_t::Context &ctx, const class Properties &args);
+  void startTls(Parser_t::Context &ctx, const class Properties &args);
   void bye(Parser_t::Context &ctx, const class Properties &args);
   void endSession(Parser_t::Context &ctx, const class Properties &args);
   void setLogLevel(Parser_t::Context &ctx, const class Properties &args);
diff --git a/storage/ndb/test/ndbapi/testMgmd.cpp b/storage/ndb/test/ndbapi/testMgmd.cpp
@@ -2027,6 +2027,64 @@ runTestNdbdWithCert(NDBT_Context* ctx, NDBT_Step* step)
   return NDBT_OK;
 }
 
+int runTestStartTls(NDBT_Context* ctx, NDBT_Step* step)
+{
+  NDBT_Workingdir wd("test_tls"); // temporary working directory
+  TlsKeyManager tls_km;
+  int major, minor, build, r;
+  char ver[128];
+  static constexpr int len = sizeof(ver);
+
+  BaseString cfg_path = path(wd.path(), "config.ini", nullptr);
+  Properties config = ConfigFactory::create();
+  CHECK(ConfigFactory::write_config_ini(config, cfg_path.c_str()));
+
+  sign_tls_keys(wd);
+
+  Mgmd mgmd(1);
+
+  NdbProcess::Args mgmdArgs;
+  mgmd.common_args(mgmdArgs, wd.path());
+  mgmdArgs.add("--ndb-tls-search-path=", wd.path());
+
+  CHECK(mgmd.start(wd.path(), mgmdArgs));          // Start management node
+  CHECK(mgmd.connect(config));                     // Connect to management node
+  CHECK(mgmd.wait_confirmed_config());             // Wait for configuration
+
+  tls_km.init(wd.path(), 0, NODE_TYPE_API, true);
+  CHECK(tls_km.ctx());
+
+  r = ndb_mgm_get_version(mgmd.handle(), &major, &minor, &build, len, ver);
+  CHECK(r == 1);
+  printf("Version: %d.%d.%d %s\n", major, minor, build, ver);
+
+  r = ndb_mgm_start_tls(mgmd.handle());
+  CHECK(r == -1);  // -1 is "SSL CTX required"
+  CHECK(ndb_mgm_get_latest_error(mgmd.handle()) == NDB_MGM_TLS_ERROR);
+
+  r = ndb_mgm_set_ssl_ctx(mgmd.handle(), tls_km.ctx());
+  CHECK(r);       // first time setting ctx succeeds
+  r = ndb_mgm_set_ssl_ctx(mgmd.handle(), nullptr);
+  CHECK(r == 0);  // second time setting ctx fails
+
+  r = ndb_mgm_start_tls(mgmd.handle());
+  printf("ndb_mgm_start_tls(): %d\n", r);
+  CHECK(r == 0);
+
+  r = ndb_mgm_start_tls(mgmd.handle());
+  CHECK(r == -2); // -2 is "Socket already has TLS"
+
+  /* We have switched to TLS. Now run a command. */
+  r = ndb_mgm_get_version(mgmd.handle(), &major, &minor, &build, len, ver);
+  CHECK(r == 1);
+
+  /* And run another command. */
+  struct ndb_mgm_cluster_state *state = ndb_mgm_get_status(mgmd.handle());
+  CHECK(state != nullptr);
+
+  return NDBT_OK;
+}
+
 NDBT_TESTSUITE(testMgmd);
 DRIVER(DummyDriver); /* turn off use of NdbApi */
 
@@ -2146,6 +2204,11 @@ TESTCASE("NdbdWithCertificate", "Test data node startup with certificate")
   INITIALIZER(runTestNdbdWithCert)
 }
 
+TESTCASE("StartTls", "Test START TLS in MGM protocol")
+{
+  INITIALIZER(runTestStartTls);
+}
+
 #endif
 
 NDBT_TESTSUITE_END(testMgmd)
