WL#15524 patch #13 ndb_waiter and new MTR tests

As a prerequisite for MTR testing, add support for the
--ndb-tls-search-path and --ndb-mgm-tls options in ndb_waiter.

A new MTR test require_mgm_tls demonstrates that cluster can run
with [MGM]RequireTls=1 and --ndb-mgm-tls=strict

A new MTR test api_require_trp demonstrates that an API node
(ndb_desc) fails to connect to cluster when it does not have
a certificate, but some data node requires TLS.

Change-Id: I50595a7d9d2bbb8bb3a47d7640017a4101c41a30

Author: jdduncan

mysql-test/suite/ndb_tls/api_require_trp.cnf

@@ -0,0 +1,19 @@
+!include suite/ndbcluster/my.cnf
+
+[cluster_config.ndbd.1.1]
+RequireTls=On
+
+[cluster_config.ndbd.2.1]
+RequireTls=On
+
+# In this test, ndb_desc does *not* have a certificate available
+
+[ndbd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.2.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[mysqld.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+

mysql-test/suite/ndb_tls/api_require_trp.result

@@ -0,0 +1,7 @@
+SELECT 1;
+1
+1
+Unable to connect to management server.
+
+NDBT_ProgramExit: 1 - Failed
+

mysql-test/suite/ndb_tls/api_require_trp.test

@@ -0,0 +1,13 @@
+--source include/have_ndb.inc
+
+# Transporter TLS is required, but ndb_desc does not have a certificate
+
+# The server is up
+#
+SELECT 1;
+
+# ndb_desc fails without TLS
+--replace_regex /^.*--//
+--error 1
+--exec $NDB_DESC --connect-retries=0
+

mysql-test/suite/ndb_tls/require_mgm_tls.cnf

@@ -0,0 +1,28 @@
+!include suite/ndb_tls/my.cnf
+
+[cluster_config.ndb_mgmd.1.1]
+RequireTls=true
+
+# In this test, ndb_desc does *not* have a certificate available
+
+# MTR stops cluster using ndb_mgm, but with no group suffix:
+[ndb_mgm]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+# MTR internally uses ndb_waiter:
+[ndb_waiter.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.2.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[mysqld.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+ndb-cluster-connection-pool=2
+ndb-cluster-connection-pool-nodeids=51,52

mysql-test/suite/ndb_tls/require_mgm_tls.result

@@ -0,0 +1,19 @@
+SELECT 1;
+1
+1
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+node_id	remote_node_id	encrypted
+1	2	0
+1	3	1
+1	51	0
+1	52	0
+2	1	0
+2	3	1
+2	51	0
+2	52	0
+ Configuration error: Not Authorized: TLS Required: Executing: ndb_mgm_alloc_nodeid
+Unable to connect to management server.
+
+NDBT_ProgramExit: 1 - Failed
+

mysql-test/suite/ndb_tls/require_mgm_tls.test

@@ -0,0 +1,17 @@
+--source include/have_ndb.inc
+
+# Require MGM TLS, but not transporter TLS
+
+# The server is up
+#
+SELECT 1;
+
+## Expect 2 encrypted links
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+
+# ndb_desc fails without TLS
+--replace_regex /^.*--//
+--error 1
+--exec $NDB_DESC --connect-retries=0
+

storage/ndb/tools/waiter.cpp

@@ -33,6 +33,8 @@
 #include <NdbTick.h>
 #include <portlib/ndb_localtime.h>
 
+#include "util/TlsKeyManager.hpp"
+
 #include <NdbToolsProgramExitCodes.hpp>
 
 #include <kernel/NodeBitmask.hpp>
@@ -50,6 +52,8 @@ static const char* _wait_nodes = 0;
 static const char* _nowait_nodes = 0;
 static NdbNodeBitmask nowait_nodes_bitmask;
 
+static TlsKeyManager tlsKeyManager;
+
 static struct my_option my_long_options[] =
 {
   NdbStdOpt::usage,
@@ -60,6 +64,8 @@ static struct my_option my_long_options[] =
   NdbStdOpt::connectstring,
   NdbStdOpt::connect_retry_delay,
   NdbStdOpt::connect_retries,
+  NdbStdOpt::tls_search_path,
+  NdbStdOpt::mgm_tls,
   NDB_STD_OPT_DEBUG
   { "no-contact", 'n', "Wait for cluster no contact",
     &_no_contact, nullptr, nullptr, GET_BOOL, NO_ARG,
@@ -93,7 +99,8 @@ void catch_signal(int signum)
 
 int main(int argc, char** argv){
   NDB_INIT(argv[0]);
-  Ndb_opts opts(argc, argv, my_long_options);
+  const char * groups[] = {"mysql_cluster", "ndb_waiter", nullptr};
+  Ndb_opts opts(argc, argv, my_long_options, groups);
 
 #ifndef NDEBUG
   opt_debug= "d:t:O,/tmp/ndb_waiter.trace";
@@ -173,6 +180,10 @@ int main(int argc, char** argv){
     nowait_nodes_bitmask.bitNOT();
   }
 
+  tlsKeyManager.init_mgm_client(opt_tls_search_path);
+  if(tlsKeyManager.ctx())
+    ndbout_c("Using TLS.");
+
   if (waitClusterStatus(connect_string, wait_status) != 0)
     return NdbToolsProgramExitCode::FAILED;
 
@@ -203,7 +214,9 @@ getStatus(){
       MGMERR(handle);
       retries++;
       ndb_mgm_disconnect(handle);
-      if (ndb_mgm_connect(handle, opt_connect_retries - 1, opt_connect_retry_delay, 1)) {
+      if (ndb_mgm_connect_tls(handle,
+                              opt_connect_retries - 1, opt_connect_retry_delay,
+                              1, opt_mgm_tls)) {
         MGMERR(handle);
         ndberr  << "Reconnect failed" << endl;
         break;
@@ -302,10 +315,14 @@ waitClusterStatus(const char* _addr,
     }
     return -1;
   }
+  ndb_mgm_set_ssl_ctx(handle, tlsKeyManager.ctx());
+
   char buf[1024];
   ndbout << "Connecting to management server at "
          << ndb_mgm_get_connectstring(handle, buf, sizeof(buf)) << endl;
-  if (ndb_mgm_connect(handle, opt_connect_retries - 1, opt_connect_retry_delay, 1)) {
+  if (ndb_mgm_connect_tls(handle,
+                          opt_connect_retries - 1, opt_connect_retry_delay, 1,
+                          opt_mgm_tls)) {
     MGMERR(handle);
     ndberr << "Connection to "
            << ndb_mgm_get_connectstring(handle, buf, sizeof(buf)) << " failed"