WL#15154 patch #9 Implement rules for node startup

If a data node starts up with RequireCertificate, it must
have a valid TLS certificate.

This adds three new tests:
  testMgmd -n NdbdWithoutCertificate
  testMgmd -n NdbdWithCertificate
  testMgmd -n NdbdWithExpiredCertificate

Change-Id: I23cb96e14136c78cc295d586b044a99b13ec50bc

Author: jdduncan

storage/ndb/include/portlib/ndb_openssl_version.h

@@ -26,16 +26,17 @@
    In general, OpenSSL 1.1 is required for the availability of TLS 1.3.
    1.1.1d is chosen as a 1.1 release that is mature, but not unreasonably new
    (about three years old at the time the TLS feature is released).
-*/
-
-#define NDB_TLS_MINIMUM_OPENSSL 0x1010104fL
+   This version is represented as 0x1010104fL
 
-/* Ubuntu 18.04 maintains an OpenSSL 1.1 tree that backports
+   Ubuntu 18.04 maintains an OpenSSL 1.1 tree that backports
    patches from OpenSSL 1.1 but is always identified as
-   "OpenSSL 1.1.1 Sep 2018."
-*/
-#define UBUNTU18_OPENSSL_VER_ID 0x1010100fL
+   "OpenSSL 1.1.1 Sep 2018."  This version is also usable.
+   It version is represented as 0x1010100fL
 
+   Use the Ubuntu 18.04 OpenSSL version number as the minimum
+   supported version for NDB TLS.
+*/
+#define NDB_TLS_MINIMUM_OPENSSL 0x1010100fL
 
 /* NDB_OPENSSL_TOO_OLD is used as an error return value from functions
    to report a OpenSSL library version less than NDB_TLS_MINIMUM_OPENSSL

storage/ndb/src/common/util/NdbSocket.cpp

@@ -33,8 +33,7 @@
 #include "portlib/ndb_openssl_version.h"
 
 static constexpr bool openssl_version_ok =
-  ((OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL) ||
-   (OPENSSL_VERSION_NUMBER == UBUNTU18_OPENSSL_VER_ID));
+  (OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL);
 
 /* Utility Functions */
 

storage/ndb/src/common/util/NodeCertificate.cpp

@@ -1351,8 +1351,7 @@ static constexpr bool isWin32 = 0;
 #endif
 
 static constexpr bool openssl_version_ok =
-  ((OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL) ||
-   (OPENSSL_VERSION_NUMBER == UBUNTU18_OPENSSL_VER_ID));
+  (OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL);
 
 /*
   Test name parsing

storage/ndb/src/kernel/ndbd.cpp

@@ -1171,6 +1171,22 @@ ndbd_run(bool foreground, int report_fd,
 
   globalTransporterRegistry.init_tls(tls_search_path, NODE_TYPE_DB, true);
 
+  const ndb_mgm_configuration_iterator *p =
+      globalEmulatorData.theConfiguration->getOwnConfigIterator();
+  require(p != nullptr);
+
+  {
+    Uint32 require_cert = 0;
+    ndb_mgm_get_int_parameter(p, CFG_NODE_REQUIRE_CERT, &require_cert);
+    if(require_cert && ! globalTransporterRegistry.hasTlsCert())
+    {
+      g_eventLogger->error(
+        "Shutting down. This node does not have a valid TLS certificate.");
+      stop_async_log_func(log_threadvar, thread_args);
+      ndbd_exit(-1);
+    }
+  }
+
   /**
     Printout various information about the threads in the
     run-time environment
@@ -1213,10 +1229,6 @@ ndbd_run(bool foreground, int report_fd,
 
   log_memusage("Global memory pools allocated");
 
-  const ndb_mgm_configuration_iterator *p =
-      globalEmulatorData.theConfiguration->getOwnConfigIterator();
-  require(p != nullptr);
-
   bool have_password_option = g_filesystem_password_state.have_password_option();
   Uint32 encrypted_file_system = 0;
   ndb_mgm_get_int_parameter(p, CFG_DB_ENCRYPTED_FILE_SYSTEM,

storage/ndb/test/ndbapi/testMgmd.cpp

@@ -27,7 +27,9 @@
 #include <iostream>
 #include <string>
 
+#include "util/ndb_openssl3_compat.h"
 #include "util/require.h"
+#include "util/TlsKeyManager.hpp"
 #include <NDBT.hpp>
 #include <NDBT_Test.hpp>
 #include <portlib/NdbDir.hpp>
@@ -167,10 +169,8 @@ class Mgmd
     return (m_proc != NULL);
   }
 
-  bool start_from_config_ini(const char* working_dir,
-                             const char* first_extra_arg = NULL, ...)
+  void common_args(NdbProcess::Args & args, const char * working_dir)
   {
-    NdbProcess::Args args;
     args.add("--no-defaults");
     args.add("--configdir=", working_dir);
     args.add("-f config.ini");
@@ -181,6 +181,13 @@ class Mgmd
     args.add("--nodaemon");
     args.add("--log-name=", name());
     args.add("--verbose");
+  }
+
+  bool start_from_config_ini(const char* working_dir,
+                             const char* first_extra_arg = NULL, ...)
+  {
+    NdbProcess::Args args;
+    common_args(args, working_dir);
 
     if (first_extra_arg)
     {
@@ -238,7 +245,7 @@ class Mgmd
       return false; // Can't kill with -9 -> fatal error
     }
     int ret;
-    if (!m_proc->wait(ret, 300))
+    if (!m_proc->wait(ret, 1000))
     {
       fprintf(stderr, "Failed to wait for process %s\n", name());
       return false; // Can't wait after kill with -9 -> fatal error
@@ -387,20 +394,26 @@ class MgmdProcessList : public Vector<Mgmd*>
 class Ndbd : public Mgmd
 {
 public:
-  Ndbd(int nodeid) : Mgmd(nodeid)
+  Ndbd(int nodeid) : Mgmd(nodeid), m_args()
   {
+    m_args.add("--ndb-nodeid=", m_nodeid);
+    m_args.add("--foreground");
     m_name.assfmt("ndbd_%d", nodeid);
     NDBT_find_ndbd(m_exe);
   }
 
+  NdbProcess::Args & args() { return m_args; }
+
+  void set_connect_string(BaseString connect_string)
+  {
+    m_args.add("-c");
+    m_args.add(connect_string.c_str());
+  }
+
   bool start(const char *working_dir, BaseString connect_string)
   {
-    NdbProcess::Args args;
-    args.add("-c");
-    args.add(connect_string.c_str());
-    args.add("--ndb-nodeid=", m_nodeid);
-    args.add("--foreground");
-    return Mgmd::start(working_dir, args);
+    set_connect_string(connect_string);
+    return Mgmd::start(working_dir, m_args);
   }
 
   bool wait_started(NdbMgmHandle & mgm_handle,
@@ -435,6 +448,8 @@ class Ndbd : public Mgmd
     return false;
   }
 
+private:
+  NdbProcess::Args m_args;
 };
 
 static
@@ -447,9 +462,65 @@ bool create_CA(NDBT_Workingdir & wd, const BaseString &exe)
   args.add("--create-CA");
   args.add("--CA-search-path=", wd.path());
   NdbProcess * proc = NdbProcess::create("Create CA", exe, wd.path(), args);
-  bool r = proc->wait(ret, 1000);
+  bool r = proc->wait(ret, 3000);
+  delete proc;
+
+  return (r && (ret == 0));
+}
+
+static
+bool sign_tls_keys(NDBT_Workingdir & wd)
+{
+  int ret;
+  BaseString cfg_path = path(wd.path(), "config.ini", nullptr);
+
+  /* Find executable */
+  BaseString exe;
+  NDBT_find_sign_keys(exe);
+
+  /* Create CA */
+  if(! create_CA(wd, exe))
+    return false;
+
+  /* Create keys and certificates for all nodes in config */
+  NdbProcess::Args args;
+  args.add("--config-file=", cfg_path.c_str());
+  args.add("--passphrase=", "Trondheim");
+  args.add("--ndb-tls-search-path=", wd.path());
+  args.add("--create-key");
+  NdbProcess * proc = NdbProcess::create("Create Keys", exe, wd.path(), args);
+  bool r = proc->wait(ret, 3000);
   delete proc;
+  return (r && (ret == 0));
+}
 
+static
+bool create_expired_cert(NDBT_Workingdir & wd)
+{
+  int ret;
+
+  BaseString cfg_path = path(wd.path(), "config.ini", nullptr);
+
+  /* Find executable */
+  BaseString exe;
+  NDBT_find_sign_keys(exe);
+
+  /* Create CA */
+  if(! create_CA(wd, exe))
+    return false;
+
+  /* Create an expired certificate for a data node */
+  NdbProcess::Args args;
+  args.add("--create-key");
+  args.add("--ndb-tls-search-path=", wd.path());
+  args.add("--passphrase=", "Trondheim");
+  args.add("-l");   // no-config mode
+  args.add("-t db"); // type db
+  args.add("--duration=", "-50000");  // negative seconds; already expired
+
+  NdbProcess * proc = NdbProcess::create("Create Keys", exe, wd.path(), args);
+  bool r = proc->wait(ret, 3000);
+  delete proc;
   return (r && (ret == 0));
 }
 
@@ -1851,7 +1922,7 @@ runTestSshKeySigning(NDBT_Context* ctx, NDBT_Step* step)
   args.add("--create-key");
   args.add("--remote-CA-host=", "localhost");
   NdbProcess * proc = NdbProcess::create("Create Keys", exe, wd.path(), args);
-  bool r = proc->wait(ret, 1500);
+  bool r = proc->wait(ret, 3000);
   CHECK(r);
   if(! r) proc->stop();
   delete proc;
@@ -1860,6 +1931,101 @@ runTestSshKeySigning(NDBT_Context* ctx, NDBT_Step* step)
   return NDBT_OK;
 }
 
+int
+runTestNdbdWithoutCert(NDBT_Context* ctx, NDBT_Step* step)
+{
+  NDBT_Workingdir wd("test_mgmd"); // temporary working directory
+  BaseString cfg_path = path(wd.path(), "config.ini", nullptr);
+
+  Properties config = ConfigFactory::create();
+  Properties db;
+  db.put("RequireCertificate", "true");
+  config.put("DB Default", & db);
+
+  CHECK(ConfigFactory::write_config_ini(config, cfg_path.c_str()));
+
+  Mgmd mgmd(1);
+  Ndbd ndbd(2);
+
+  CHECK(mgmd.start_from_config_ini(wd.path()));    // Start management node
+  CHECK(mgmd.connect(config));                     // Connect to management node
+  CHECK(mgmd.wait_confirmed_config());             // Wait for configuration
+
+  int exit_code;                                   // Start ndbd; it will fail
+  CHECK(ndbd.start(wd.path(), mgmd.connectstring(config)));
+  CHECK(ndbd.wait(exit_code, 100));                // should fail quickly
+  require(exit_code == 255);
+
+  CHECK(mgmd.stop());
+  return NDBT_OK;
+}
+
+int
+runTestNdbdWithExpiredCert(NDBT_Context* ctx, NDBT_Step* step)
+{
+  NDBT_Workingdir wd("test_tls"); // temporary working directory
+
+  BaseString cfg_path = path(wd.path(), "config.ini", nullptr);
+
+  Properties config = ConfigFactory::create();
+  Properties db;
+  db.put("RequireCertificate", "true");
+  config.put("DB Default", & db);
+  CHECK(ConfigFactory::write_config_ini(config, cfg_path.c_str()));
+
+  CHECK(create_expired_cert(wd));
+
+  Mgmd mgmd(1);
+  Ndbd ndbd(2);
+
+  CHECK(mgmd.start_from_config_ini(wd.path()));    // Start management node
+  CHECK(mgmd.connect(config));                     // Connect to management node
+  CHECK(mgmd.wait_confirmed_config());             // Wait for configuration
+
+  ndbd.args().add("--ndb-tls-search-path=", wd.path());
+  ndbd.start(wd.path(), mgmd.connectstring(config)); // Start data node
+
+  int exit_code;
+  CHECK(ndbd.wait(exit_code, 100));                // should fail quickly
+  CHECK(exit_code == 255);
+
+  CHECK(mgmd.stop());
+  return NDBT_OK;
+}
+
+int
+runTestNdbdWithCert(NDBT_Context* ctx, NDBT_Step* step)
+{
+  NDBT_Workingdir wd("test_tls"); // temporary working directory
+
+  BaseString cfg_path = path(wd.path(), "config.ini", nullptr);
+  Properties config = ConfigFactory::create();
+  Properties db;
+  db.put("RequireCertificate", "true");
+  config.put("DB Default", & db);
+  CHECK(ConfigFactory::write_config_ini(config, cfg_path.c_str()));
+
+  CHECK(sign_tls_keys(wd));
+
+  Mgmd mgmd(1);
+  Ndbd ndbd(2);
+
+  NdbProcess::Args mgmdArgs;
+  mgmd.common_args(mgmdArgs, wd.path());
+  mgmdArgs.add("--ndb-tls-search-path=", wd.path());
+
+  CHECK(mgmd.start(wd.path(), mgmdArgs));          // Start management node
+  CHECK(mgmd.connect(config));                     // Connect to management node
+  CHECK(mgmd.wait_confirmed_config());             // Wait for configuration
+
+  ndbd.args().add("--ndb-tls-search-path=", wd.path());
+  ndbd.start(wd.path(), mgmd.connectstring(config)); // Start data node
+  NdbMgmHandle handle = mgmd.handle();
+  CHECK(ndbd.wait_started(handle));
+
+  CHECK(mgmd.stop());
+  return NDBT_OK;
+}
 
 NDBT_TESTSUITE(testMgmd);
 DRIVER(DummyDriver); /* turn off use of NdbApi */
@@ -1955,12 +2121,33 @@ TESTCASE("MultiMGMDDisconnection",
   INITIALIZER(runTestMultiMGMDDisconnection);
 }
 
+#if OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL
+
 TESTCASE("SshKeySigning",
          "Test remote key signing over ssh using ndb_sign_keys")
 {
   INITIALIZER(runTestSshKeySigning);
 }
 
+TESTCASE("NdbdWithoutCertificate",
+         "Test data node startup with TLS required but no certificate")
+{
+  INITIALIZER(runTestNdbdWithoutCert)
+}
+
+TESTCASE("NdbdWithExpiredCertificate",
+        "Test data node startup with expired certificate")
+{
+  INITIALIZER(runTestNdbdWithExpiredCert)
+}
+
+TESTCASE("NdbdWithCertificate", "Test data node startup with certificate")
+{
+  INITIALIZER(runTestNdbdWithCert)
+}
+
+#endif
+
 NDBT_TESTSUITE_END(testMgmd)
 
 int main(int argc, const char** argv)