Merge pull request #1319 from dantengsky/fix-1174

TLS http api tests
databendlabs · Aug 6, 2021 · dd03f12 · dd03f12
2 parents b83f0e5 + f2a8a41
commit dd03f12
Show file tree

Hide file tree

Showing 21 changed files with 209 additions and 170 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/fusequery/query/Cargo.toml b/fusequery/query/Cargo.toml
@@ -90,6 +90,7 @@ lru = "0.6.6"
 pretty_assertions = "0.7"
 criterion = "0.3"
 mysql = "21.0.1"
+reqwest = { version = "0.11", features = ["json"] }
 
 [build-dependencies]
 common-building = {path = "../../common/building"}

diff --git a/fusequery/query/src/api/http_service.rs b/fusequery/query/src/api/http_service.rs
@@ -24,7 +24,7 @@ pub struct HttpService {
 }
 
 impl HttpService {
-    pub fn create(cfg: Config, cluster: ClusterRef) -> Box<dyn Server> {
+    pub fn create(cfg: Config, cluster: ClusterRef) -> Box<Self> {
         Box::new(HttpService {
             cfg,
             cluster,
@@ -61,8 +61,8 @@ impl Server for HttpService {
         let server = warp::serve(router.router()?);
 
         let conf = self.cfg.clone();
-        let tls_cert = conf.tls_server_cert;
-        let tls_key = conf.tls_server_key;
+        let tls_cert = conf.api_tls_server_cert;
+        let tls_key = conf.api_tls_server_key;
 
         if !tls_cert.is_empty() && !tls_key.is_empty() {
             log::info!("Http API TLS enabled");

diff --git a/fusequery/query/src/api/http_service_test.rs b/fusequery/query/src/api/http_service_test.rs
@@ -0,0 +1,56 @@
+// Copyright 2020-2021 The Datafuse Authors.
+//
+// SPDX-License-Identifier: Apache-2.0.
+
+//use std::net::SocketAddr;
+//use std::sync::Arc;
+//
+use std::fs::File;
+use std::io::Read;
+
+use common_exception::Result;
+use common_runtime::tokio;
+
+use crate::api::HttpService;
+use crate::clusters::Cluster;
+use crate::configs::Config;
+use crate::servers::Server;
+use crate::tests::tls_constants::TEST_CA_CERT;
+use crate::tests::tls_constants::TEST_CN_NAME;
+use crate::tests::tls_constants::TEST_SERVER_CERT;
+use crate::tests::tls_constants::TEST_SERVER_KEY;
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+async fn test_http_service_tls_server() -> Result<()> {
+    let mut conf = Config::default();
+
+    conf.api_tls_server_key = TEST_SERVER_KEY.to_owned();
+    conf.api_tls_server_cert = TEST_SERVER_CERT.to_owned();
+
+    let addr_str = "127.0.0.1:0";
+    let cluster = Cluster::create_global(conf.clone())?;
+    let mut srv = HttpService::create(conf.clone(), cluster.clone());
+    let listening = srv.start(addr_str.parse()?).await?;
+    let port = listening.port();
+
+    // test cert is issued for "localhost"
+    let url = format!("https://{}:{}/v1/hello", TEST_CN_NAME, port);
+
+    // load cert
+    let mut buf = Vec::new();
+    File::open(TEST_CA_CERT)?.read_to_end(&mut buf)?;
+    let cert = reqwest::Certificate::from_pem(&buf).unwrap();
+
+    // kick off
+    let client = reqwest::Client::builder()
+        .add_root_certificate(cert)
+        .build()
+        .unwrap();
+    let resp = client.get(url).send().await;
+    assert!(resp.is_ok());
+    let resp = resp.unwrap();
+    assert!(resp.status().is_success());
+    assert_eq!("/v1/hello", resp.url().path());
+
+    Ok(())
+}
diff --git a/fusequery/query/src/api/mod.rs b/fusequery/query/src/api/mod.rs
@@ -17,5 +17,7 @@ mod http_service;
 mod rpc;
 mod rpc_service;
 
+#[cfg(test)]
+mod http_service_test;
 #[cfg(test)]
 mod rpc_service_test;
diff --git a/fusequery/query/src/api/rpc_service.rs b/fusequery/query/src/api/rpc_service.rs
@@ -102,8 +102,8 @@ impl FuseQueryServer for RpcService {
     }
 
     async fn start(&mut self, listening: SocketAddr) -> Result<SocketAddr> {
-        let (listener_stream, listening) = Self::listener_tcp(listening).await?;
+        let (listener_stream, listener_addr) = Self::listener_tcp(listening).await?;
         self.start_with_incoming(listener_stream).await?;
-        Ok(listening)
+        Ok(listener_addr)
     }
 }
diff --git a/fusequery/query/src/api/rpc_service_test.rs b/fusequery/query/src/api/rpc_service_test.rs
@@ -20,13 +20,17 @@ use crate::clusters::Cluster;
 use crate::configs::Config;
 use crate::configs::RpcClientTlsConfig;
 use crate::sessions::SessionManager;
+use crate::tests::tls_constants::TEST_CA_CERT;
+use crate::tests::tls_constants::TEST_CN_NAME;
+use crate::tests::tls_constants::TEST_SERVER_CERT;
+use crate::tests::tls_constants::TEST_SERVER_KEY;
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
 async fn test_tls_rpc_server() -> Result<()> {
     // setup
     let mut conf = Config::default();
-    conf.rpc_tls_server_key = "../../tests/data/certs/server.key".to_owned();
-    conf.rpc_tls_server_cert = "../../tests/data/certs/server.pem".to_owned();
+    conf.rpc_tls_server_key = TEST_SERVER_KEY.to_owned();
+    conf.rpc_tls_server_cert = TEST_SERVER_CERT.to_owned();
 
     let cluster = Cluster::create_global(conf.clone())?;
     let session_manager = SessionManager::from_conf(conf.clone(), cluster.clone())?;
@@ -43,8 +47,8 @@ async fn test_tls_rpc_server() -> Result<()> {
     srv.start_with_incoming(stream).await?;
 
     let client_conf = RpcClientTlsConfig {
-        rpc_tls_server_root_ca_cert: "../../tests/data/certs/ca.pem".to_string(),
-        domain_name: "localhost".to_string(),
+        rpc_tls_server_root_ca_cert: TEST_CA_CERT.to_string(),
+        domain_name: TEST_CN_NAME.to_string(),
     };
 
     // normal case
@@ -95,7 +99,7 @@ async fn test_tls_rpc_server_invalid_client_config() -> Result<()> {
     // setup, invalid cert locations
     let client_conf = RpcClientTlsConfig {
         rpc_tls_server_root_ca_cert: "../../tests/data/certs/nowhere.pem".to_string(),
-        domain_name: "localhost".to_string(),
+        domain_name: TEST_CN_NAME.to_string(),
     };
 
     let r = ConnectionFactory::create_flight_channel("fake:1234", None, Some(client_conf)).await;

diff --git a/fusequery/query/src/bin/fuse-query.rs b/fusequery/query/src/bin/fuse-query.rs
@@ -13,6 +13,7 @@ use fuse_query::configs::Config;
 use fuse_query::metrics::MetricService;
 use fuse_query::servers::ClickHouseHandler;
 use fuse_query::servers::MySQLHandler;
+use fuse_query::servers::Server;
 use fuse_query::servers::ShutdownHandle;
 use fuse_query::sessions::SessionManager;
 use log::info;

diff --git a/fusequery/query/src/configs/config.rs b/fusequery/query/src/configs/config.rs
@@ -63,8 +63,8 @@ const STORE_API_ADDRESS: &str = "STORE_API_ADDRESS";
 const STORE_API_USERNAME: &str = "STORE_API_USERNAME";
 const STORE_API_PASSWORD: &str = "STORE_API_PASSWORD";
 
-const TLS_SERVER_CERT: &str = "TLS_SERVER_CERT";
-const TLS_SERVER_KEY: &str = "TLS_SERVER_KEY";
+const API_TLS_SERVER_CERT: &str = "API_TLS_SERVER_CERT";
+const API_TLS_SERVER_KEY: &str = "API_TLS_SERVER_KEY";
 
 const DISABLE_REMOTE_CATALOG: &str = "DISABLE_REMOTE_CATALOG";
 
@@ -153,32 +153,32 @@ pub struct Config {
     #[structopt(long, short = "c", env = CONFIG_FILE, default_value = "")]
     pub config_file: String,
 
-    #[structopt(long, env = TLS_SERVER_CERT, default_value = "")]
-    pub tls_server_cert: String,
+    #[structopt(long, env = API_TLS_SERVER_CERT, default_value = "")]
+    pub api_tls_server_cert: String,
 
-    #[structopt(long, env = TLS_SERVER_KEY, default_value = "")]
-    pub tls_server_key: String,
+    #[structopt(long, env = API_TLS_SERVER_KEY, default_value = "")]
+    pub api_tls_server_key: String,
 
     #[structopt(
         long,
         env = "RPC_TLS_SERVER_CERT",
         default_value = "",
-        help = "server cert"
+        help = "rpc server cert"
     )]
     pub rpc_tls_server_cert: String,
 
     #[structopt(
         long,
         env = "RPC_TLS_SERVER_KEY",
-        default_value = "key for server cert"
+        default_value = "key for rpc server cert"
     )]
     pub rpc_tls_server_key: String,
 
     #[structopt(
         long,
         env = "RPC_TLS_QUERY_SERVER_ROOT_CA_CERT",
         default_value = "",
-        help = "Certificate for client to identify query server"
+        help = "Certificate for client to identify query rpc server"
     )]
     pub rpc_tls_query_server_root_ca_cert: String,
 
@@ -193,7 +193,7 @@ pub struct Config {
         long,
         env = "RPC_TLS_STORE_SERVER_ROOT_CA_CERT",
         default_value = "",
-        help = "Certificate for client to identify query server"
+        help = "Certificate for client to identify store rpc server"
     )]
     pub rpc_tls_store_server_root_ca_cert: String,
 
@@ -297,8 +297,8 @@ impl Config {
                 store_api_password: "root".to_string(),
             },
             config_file: "".to_string(),
-            tls_server_cert: "".to_string(),
-            tls_server_key: "".to_string(),
+            api_tls_server_cert: "".to_string(),
+            api_tls_server_key: "".to_string(),
             rpc_tls_server_cert: "".to_string(),
             rpc_tls_server_key: "".to_string(),
             rpc_tls_query_server_root_ca_cert: "".to_string(),
@@ -363,6 +363,11 @@ impl Config {
         env_helper!(mut_config, store_api_username, User, STORE_API_USERNAME);
         env_helper!(mut_config, store_api_password, Password, STORE_API_PASSWORD);
 
+        // for api http service
+        env_helper!(mut_config, api_tls_server_cert, String, API_TLS_SERVER_CERT);
+
+        env_helper!(mut_config, api_tls_server_key, String, API_TLS_SERVER_KEY);
+
         // for query rpc server
         env_helper!(mut_config, rpc_tls_server_cert, String, RPC_TLS_SERVER_CERT);