WL#15154 patch #7 MTR tests

Add MTR test cases for Transporter TLS Off and Required.

In these tests, transporter connections to mgmd (which are "upgraded"
from MGM connections) still use cleartext, even in the "Required"
scenario. This will be fixed later, in WL#15524, by starting TLS on
the MGM connection before the upgrade.

Change-Id: Id710f47a19ab930914ccf9013d5045d46e51d32d

Author: jdduncan

mysql-test/std_data/ndb-tls/active/ndb-api-cert

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICGDCCAQCgAwIBAgIKe6gT+9hCjqPJBjANBgkqhkiG9w0BAQsFADAoMSYwJAYD
+VQQDDB1NeVNRTCBOREIgQ2x1c3RlciBDZXJ0aWZpY2F0ZTAeFw0yMzAzMTYwNTAx
+MThaFw0yNDA0MTkwNTAxMThaMBwxGjAYBgNVBAMMEU5EQiBOb2RlIE1hciAyMDIz
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOyNOrCPzL3D9s+4jgVwBI7haMMto
+JhCqIi4fFOi/zvt41jfiAl1+U+lUs1scjotlXQCGhjleIM3qL40RYqcv4aMbMBkw
+FwYDVR0RAQH/BA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQB54m3T
+Jh/X0dx0FBwSbvC02sXWYF84rxI8332lttGIcN88IVjO0vMGJJhMm98r97RlE95M
+MY09MYm/yKemXVe+szNANLDfZ/SLkDaUZyJrI6lhznMljj8xnDJN0fRhAnm4iwcT
+vHG0osyTiDm/4CXLr5V3UVDDoDfpktCVSsrstaKOPLMzXhGgat/Y3/hvC0QvvnuC
+/bGcF+5ZJTJTx1lbXE5ef/51oU4u/hi0c6UhuO63+oNM3v+Fdg9wmOz3ITdHfuXp
+MiEjMzY2L5vuB1DrOwlpK9K+PijkbDCjHcntZuDQrviyN/l8VpCuGoUTU53/o4K7
+BV1g75aefCy1+y8s
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----

mysql-test/std_data/ndb-tls/active/ndb-api-private-key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQ3qE2Dcmyz4pGEtB
+/GC2+lE0er1DhWbIYV82wFoUosuhRANCAAQ7I06sI/MvcP2z7iOBXAEjuFowy2gm
+EKoiLh8U6L/O+3jWN+ICXX5T6VSzWxyOi2VdAIaGOV4gzeovjRFipy/h
+-----END PRIVATE KEY-----

mysql-test/std_data/ndb-tls/active/ndb-data-node-cert

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIICADCB6aADAgECAgsAtxUy1a7/x+HiSjANBgkqhkiG9w0BAQsFADAoMSYwJAYD
+VQQDDB1NeVNRTCBOREIgQ2x1c3RlciBDZXJ0aWZpY2F0ZTAeFw0yMzAzMTYwNTAx
+MThaFw0yNDA0MTkwNTAxMThaMCExHzAdBgNVBAMMFk5EQiBEYXRhIE5vZGUgTWFy
+IDIwMjMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATbVN3EfgsY8mAgD9WCkRiI
+OOzFtdS91cvi5QBsnMIvoeLa7pylcncNA7hVHJoAny8IkhY1KbIlIkoBxi21lxFT
+MA0GCSqGSIb3DQEBCwUAA4IBAQARaCq4DFBZGaZk5uKYKUBEqmkaTy6zOGSu+754
+2D8a2kpmk41BJh+gxUkOMGK4cIUHB+QZA8TgekDZR0OXQMrueDkAoj9IvmoQSw6X
+7HOGK0HOhdHGYcMKcQ15npYWcwKTxFbbllwtNDG1EdLOa0zGxeIdN5mEWm2spAhu
+kGRE/Zxii2tB1EChPBZyS09gNSqEOTj7N30phqX9omEIVZixxGGMGq1j059YZDET
+y6Z33YfYCsB0GybD6hFYArLRUkGgSOE3TJ2mE021tcklirWG9hi626BxPDlbwLbj
+NahfVZgv7QBPn2N+ZFVq8rhzh+W7LF6rJadmSgF9oG+sMxr4
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----

mysql-test/std_data/ndb-tls/active/ndb-data-node-private-key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcLBjUXRm1C3yc0+U
+s3k0GbR2l+2rnYqUFkzRG7OUSkuhRANCAATbVN3EfgsY8mAgD9WCkRiIOOzFtdS9
+1cvi5QBsnMIvoeLa7pylcncNA7hVHJoAny8IkhY1KbIlIkoBxi21lxFT
+-----END PRIVATE KEY-----

mysql-test/std_data/ndb-tls/active/ndb-mgm-server-cert

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICIzCCAQugAwIBAgIKIHADuL5fx/uoPjANBgkqhkiG9w0BAQsFADAoMSYwJAYD
+VQQDDB1NeVNRTCBOREIgQ2x1c3RlciBDZXJ0aWZpY2F0ZTAeFw0yMzAzMTYwNTAx
+MThaFw0yNDA0MTkwNTAxMThaMCcxJTAjBgNVBAMMHE5EQiBNYW5hZ2VtZW50IE5v
+ZGUgTWFyIDIwMjMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmsuHpwU+xx8o7
+AV9Pn2TZ3HNvr9p311Ix4lJjc68d2jZHEQnh/U9ymVB4aDCxbFpTG5c4xPEz6Jdo
+nHrsonskoxswGTAXBgNVHREBAf8EDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEL
+BQADggEBAGrk2sWxAvrp7XfcawerV2oAQhvRXplhxWzY3wS0VinbJSGCnqCeHHvC
+fJ4oYwhcqobkA1hMD0uQepdH2nLs5TTHEncwF2s++n565sqw/Vj77Ew1ayqo/6ml
+/Np5ccnzCks7eas+mIKi+Z/0YAtUSbZHkjCyhkGDnHpXAD4ZhM3rlXcLBbWhfmLT
+v/bua1W/MkyLBfI0zR7VSi+t/DzsF1Ga8tHzi/ZrMYmRayqVw8xB1cVeoPqPK++i
+J7pTnOokfBrqVv26D5ne6fNVLp4iWhTTmp+BinMFNOmCGcrvMzUfOFoeaOoh6pG/
+18qS23O6VP2GdGwxomZggluykKc+TFA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----

mysql-test/std_data/ndb-tls/active/ndb-mgm-server-private-key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgA/Q1pd10WI3oLjR5
+flzbpFS2Rg+8NIgEZTXb94McjpihRANCAATmsuHpwU+xx8o7AV9Pn2TZ3HNvr9p3
+11Ix4lJjc68d2jZHEQnh/U9ymVB4aDCxbFpTG5c4xPEz6JdonHrsonsk
+-----END PRIVATE KEY-----

mysql-test/suite/ndb_tls/my.cnf

@@ -24,6 +24,7 @@ ndbcluster
 ndb-wait-connected=30
 ndb-wait-setup=120
 ndb-extra-logging=99
+ndb-tls-search-path=$MYSQLTEST_VARDIR/mysql_cluster.1
 
 [cluster_config.mysqld.1.1]
 NodeId=51

mysql-test/suite/ndb_tls/no_path.cnf

@@ -0,0 +1,14 @@
+!include suite/ndb_tls/my.cnf
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=
+
+[ndbd.1.1]
+ndb-tls-search-path=
+
+[ndbd.2.1]
+ndb-tls-search-path=
+
+[mysqld]
+ndb-tls-search-path=
+

mysql-test/suite/ndb_tls/no_path.result

@@ -0,0 +1,5 @@
+SHOW VARIABLES LIKE 'ndb_tls_search_path';
+Variable_name	Value
+ndb_tls_search_path	
+SELECT * FROM ndbinfo.certificates;
+Node_id	Name	Expires	Serial

mysql-test/suite/ndb_tls/no_path.test

@@ -0,0 +1,11 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# Test with TLS search path set to an empty string
+
+# The MySQL server is up
+SHOW VARIABLES LIKE 'ndb_tls_search_path';
+
+# The certificates table is empty.
+SELECT * FROM ndbinfo.certificates;
+

mysql-test/suite/ndb_tls/tls_off_certs.cnf

@@ -0,0 +1,16 @@
+!include suite/ndb_tls/my.cnf
+
+[ndbd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.2.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[mysqld.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+
+

mysql-test/suite/ndb_tls/tls_off_certs.result

@@ -0,0 +1,13 @@
+SELECT * FROM ndbinfo.certificates order by Node_id;
+Node_id	Name	Expires	Serial
+1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+node_id	remote_node_id	encrypted
+1	2	0
+1	3	0
+1	51	0
+2	1	0
+2	3	0
+2	51	0

mysql-test/suite/ndb_tls/tls_off_certs.test

@@ -0,0 +1,15 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# Data node certs exist and are visible in ndbinfo
+
+# Expect 2 node certificates.
+# ndbinfo is aware of DB certs that belong to each data node, but it
+# is not aware of any API or MGM certs because no data node has a TLS
+# connection to an MGM or API node.
+#
+SELECT * FROM ndbinfo.certificates order by Node_id;
+
+# Expect all connections unencrypted 
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;

mysql-test/suite/ndb_tls/tls_required.cnf

@@ -0,0 +1,22 @@
+!include suite/ndb_tls/my.cnf
+
+[cluster_config.ndbd.1.1]
+RequireTls=true
+
+[cluster_config.ndbd.2.1]
+RequireTls=true
+
+[ndbd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.2.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[mysqld.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+ndb-cluster-connection-pool=2
+ndb-cluster-connection-pool-nodeids=51,52
+

mysql-test/suite/ndb_tls/tls_required.result

@@ -0,0 +1,24 @@
+SELECT * FROM ndbinfo.certificates order by Node_id;
+Node_id	Name	Expires	Serial
+1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+51	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9
+52	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+node_id	remote_node_id	encrypted
+1	2	1
+1	3	0
+1	51	1
+1	52	1
+2	1	1
+2	3	0
+2	51	1
+2	52	1
+Use test;
+CREATE TABLE t (i int primary key not null, j int) engine = ndb;
+INSERT INTO t VALUES(1, 1);
+SELECT * FROM t;
+i	j
+1	1
+DROP TABLE t;

mysql-test/suite/ndb_tls/tls_required.test

@@ -0,0 +1,39 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# Test with RequireTls=true.
+
+# This test uses two NDB cluster connections from the mysql server
+
+# At startup, all nodes have active certificates in std_data/
+#
+# To refresh these:
+#
+# mtr --start ndb_tls.tls_required    (TO START MGMD)
+# Then, in the source tree:
+#
+#   cd mysql-test/std_data/ndb-tls
+#   ndb_sign_keys -C CA-cert.pem -K CA-key.pem -c localhost:13000 \
+#    --CA-search-path=. --ndb-tls-search-path=active \
+#    --schedule=400,0,400,0,400,0
+#
+# Then enter the CA passphrase, which is "Stockholm".
+#
+# Commit the three new cert files, and discard the retired files.
+
+
+# Expect 3 keys and 3 certificates for 7 nodes
+#
+SELECT * FROM ndbinfo.certificates order by Node_id;
+
+## Expect 6 encrypted links, plus two unencrypted links to node 3
+#
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+
+# Manage some data
+Use test;
+CREATE TABLE t (i int primary key not null, j int) engine = ndb;
+INSERT INTO t VALUES(1, 1);
+SELECT * FROM t;
+DROP TABLE t;