
Commit 32c78c7

author
Brett Hazen
authored
Merge pull request #1242 from basho/jg-fix-flappy-pb_security
Fix flappy pb_security test
2 parents 2b3c280 + 456f19f commit 32c78c7


1 file changed

+101
-78
lines changed


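--- a/tests/pb_security.erl
+++ b/tests/pb_security.erl
@@ -82,8 +82,7 @@ confirm() ->
 
 lager:info("Checking non-SSL results in error"),
 %% can connect without credentials, but not do anything
-{ok, PB0} = riakc_pb_socket:start("127.0.0.1", Port,
-[]),
+{ok, PB0} = pbc([{host, "127.0.0.1"}, {port, Port}], []),
 ?assertEqual({error, <<"Security is enabled, please STARTTLS first">>},
 riakc_pb_socket:ping(PB0)),
 
@@ -95,16 +94,17 @@ confirm() ->
 
 lager:info("Checking SSL requires peer cert validation"),
 %% can't connect without specifying cacert to validate the server
-?assertMatch({error, _}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, UsernameBin,
-"pass"}])),
+?assertMatch({error, _}, pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, UsernameBin,
+"pass"}])),
 
 lager:info("Checking that authentication is required"),
 %% invalid credentials should be invalid
-?assertEqual({error, {tcp, <<"Authentication failed">>}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, UsernameBin,
-"pass"}, {cacertfile,
-filename:join([CertDir, "rootCA/cert.pem"])}])),
+?assertEqual({error, {tcp, <<"Authentication failed">>}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, UsernameBin,
+"pass"}, {cacertfile,
+filename:join([CertDir, "rootCA/cert.pem"])}])),
 
 lager:info("Creating user"),
 %% grant the user credentials
@@ -117,10 +117,10 @@ confirm() ->
 
 lager:info("Checking that credentials are ignored in trust mode"),
 %% invalid credentials should be ignored in trust mode
-{ok, PB1} = riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, UsernameBin,
-"pass"}, {cacertfile,
-filename:join([CertDir, "rootCA/cert.pem"])}]),
+{ok, PB1} = pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, UsernameBin,
+"pass"}, {cacertfile,
+filename:join([CertDir, "rootCA/cert.pem"])}]),
 ?assertEqual(pong, riakc_pb_socket:ping(PB1)),
 riakc_pb_socket:stop(PB1),
 
@@ -131,17 +131,18 @@ confirm() ->
 
 lager:info("Checking that incorrect password fails auth"),
 %% invalid credentials should be invalid
-?assertEqual({error, {tcp, <<"Authentication failed">>}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, UsernameBin,
-"pass"}, {cacertfile,
-filename:join([CertDir, "rootCA/cert.pem"])}])),
+?assertEqual({error, {tcp, <<"Authentication failed">>}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, UsernameBin,
+"pass"}, {cacertfile,
+filename:join([CertDir, "rootCA/cert.pem"])}])),
 
 lager:info("Checking that correct password is successful"),
 %% valid credentials should be valid
-{ok, PB2} = riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, UsernameBin,
-"password"}, {cacertfile,
-filename:join([CertDir, "rootCA/cert.pem"])}]),
+{ok, PB2} = pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, UsernameBin,
+"password"}, {cacertfile,
+filename:join([CertDir, "rootCA/cert.pem"])}]),
 ?assertEqual(pong, riakc_pb_socket:ping(PB2)),
 riakc_pb_socket:stop(PB2),
 
@@ -156,13 +157,13 @@ confirm() ->
 
 lager:info("Checking certificate authentication"),
 %% valid credentials should be valid
-{ok, PB3} = riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site4.basho.com",
-"password"},
-{cacertfile, filename:join([CertDir, "site4.basho.com/cacerts.pem"])},
-{certfile, filename:join([CertDir, "site4.basho.com/cert.pem"])},
-{keyfile, filename:join([CertDir, "site4.basho.com/key.pem"])}
-]),
+{ok, PB3} = pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site4.basho.com",
+"password"},
+{cacertfile, filename:join([CertDir, "site4.basho.com/cacerts.pem"])},
+{certfile, filename:join([CertDir, "site4.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir, "site4.basho.com/key.pem"])}
+]),
 ?assertEqual(pong, riakc_pb_socket:ping(PB3)),
 riakc_pb_socket:stop(PB3),
 
@@ -177,35 +178,38 @@ confirm() ->
 
 lager:info("Checking auth with mismatched user/cert fails"),
 %% authing with mismatched user should fail
-?assertEqual({error, {tcp, <<"Authentication failed">>}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site5.basho.com",
-"password"},
-{cacertfile, filename:join([CertDir, "rootCA/cert.pem"])},
-{certfile, filename:join([CertDir, "site4.basho.com/cert.pem"])},
-{keyfile, filename:join([CertDir, "site4.basho.com/key.pem"])}
-])),
+?assertEqual({error, {tcp, <<"Authentication failed">>}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site5.basho.com",
+"password"},
+{cacertfile, filename:join([CertDir, "rootCA/cert.pem"])},
+{certfile, filename:join([CertDir, "site4.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir, "site4.basho.com/key.pem"])}
+])),
 
 lager:info("Checking revoked certificates are denied"),
-?assertMatch({error, {tcp, _Reason}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site5.basho.com",
-"password"},
-{cacertfile, filename:join([CertDir, "rootCA/cert.pem"])},
-{certfile, filename:join([CertDir, "site5.basho.com/cert.pem"])},
-{keyfile, filename:join([CertDir, "site5.basho.com/key.pem"])}
-])),
+?assertMatch({error, {tcp, _Reason}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site5.basho.com",
+"password"},
+{cacertfile, filename:join([CertDir, "rootCA/cert.pem"])},
+{certfile, filename:join([CertDir, "site5.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir, "site5.basho.com/key.pem"])}
+])),
 
 lager:info("Checking auth with non-peer certificate fails"),
 %% authing with non-peer certificate should fail
-?assertMatch({error, {tcp, _Reason}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site5.basho.com",
-"password"},
-{cacertfile, filename:join([PrivDir,
-"certs/CA/rootCA/cert.pem"])},
-{certfile, filename:join([PrivDir,
-"certs/cacert.org/ca-cert.pem"])},
-{keyfile, filename:join([PrivDir,
-"certs/cacert.org/ca-key.pem"])}
-])),
+?assertMatch({error, {tcp, _Reason}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site5.basho.com",
+"password"},
+{cacertfile, filename:join([PrivDir,
+"certs/CA/rootCA/cert.pem"])},
+{certfile, filename:join([PrivDir,
+"certs/cacert.org/ca-cert.pem"])},
+{keyfile, filename:join([PrivDir,
+"certs/cacert.org/ca-key.pem"])}
+])),
 
 lager:info("cert from intermediate CA should work"),
 %% grant the user credential
@@ -216,12 +220,12 @@ confirm() ->
 "127.0.0.1/32",
 "certificate"]]),
 
-{ok, PB4} = riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site1.basho.com", "password"},
-{cacertfile, filename:join([CertDir, "site1.basho.com/cacerts.pem"])},
-{certfile, filename:join([CertDir, "site1.basho.com/cert.pem"])},
-{keyfile, filename:join([CertDir, "site1.basho.com/key.pem"])}
-]),
+{ok, PB4} = pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site1.basho.com", "password"},
+{cacertfile, filename:join([CertDir, "site1.basho.com/cacerts.pem"])},
+{certfile, filename:join([CertDir, "site1.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir, "site1.basho.com/key.pem"])}
+]),
 
 ?assertEqual(pong, riakc_pb_socket:ping(PB4)),
 riakc_pb_socket:stop(PB4),
@@ -235,12 +239,13 @@ confirm() ->
 "127.0.0.1/32",
 "certificate"]]),
 
-?assertMatch({error, {tcp, _Reason}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site6.basho.com", "password"},
-{cacertfile, filename:join([CertDir, "site6.basho.com/cacerts.pem"])},
-{certfile, filename:join([CertDir, "site6.basho.com/cert.pem"])},
-{keyfile, filename:join([CertDir, "site6.basho.com/key.pem"])}
-])),
+?assertMatch({error, {tcp, _Reason}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site6.basho.com", "password"},
+{cacertfile, filename:join([CertDir, "site6.basho.com/cacerts.pem"])},
+{certfile, filename:join([CertDir, "site6.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir, "site6.basho.com/key.pem"])}
+])),
 
 lager:info("checking a certificate signed by a leaf CA is not honored"),
 %% grant the user credential
@@ -251,18 +256,19 @@ confirm() ->
 "127.0.0.1/32",
 "certificate"]]),
 
-?assertMatch({error, {tcp, _Reason}}, riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "site7.basho.com", "password"},
-{cacertfile, filename:join([CertDir, "site7.basho.com/cacerts.pem"])},
-{certfile, filename:join([CertDir, "site7.basho.com/cert.pem"])},
-{keyfile, filename:join([CertDir, "site7.basho.com/key.pem"])}
-])),
+?assertMatch({error, {tcp, _Reason}},
+pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "site7.basho.com", "password"},
+{cacertfile, filename:join([CertDir, "site7.basho.com/cacerts.pem"])},
+{certfile, filename:join([CertDir, "site7.basho.com/cert.pem"])},
+{keyfile, filename:join([CertDir, "site7.basho.com/key.pem"])}
+])),
 
 %% time to actually do some stuff
-{ok, PB} = riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, UsernameBin, "password"},
-{cacertfile,
-filename:join([CertDir, "rootCA/cert.pem"])}]),
+{ok, PB} = pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, UsernameBin, "password"},
+{cacertfile,
+filename:join([CertDir, "rootCA/cert.pem"])}]),
 ?assertEqual(pong, riakc_pb_socket:ping(PB)),
 
 lager:info("verifying that user cannot get/put without grants"),
@@ -734,10 +740,10 @@ group_test(Node, Port, CertDir) ->
 ok = rpc:call(Node, riak_core_console, add_source, [["myuser", "127.0.0.1/32",
 "trust"]]),
 
-{ok, PB} = riakc_pb_socket:start("127.0.0.1", Port,
-[{credentials, "myuser", "password"},
-{cacertfile,
-filename:join([CertDir, "rootCA/cert.pem"])}]),
+{ok, PB} = pbc([{host, "127.0.0.1"}, {port, Port}],
+[{credentials, "myuser", "password"},
+{cacertfile,
+filename:join([CertDir, "rootCA/cert.pem"])}]),
 
 ?assertMatch({error, notfound}, (riakc_pb_socket:get(PB, {<<"mytype2">>,
 <<"hello">>},
@@ -818,3 +824,20 @@ reduce_set_union(List, A) ->
 mapred_modfun_input(Pipe, _Args, _Timeout) ->
 riak_pipe:queue_work(Pipe, {{<<"hello">>, <<"world">>}, {struct, []}}),
 riak_pipe:eoi(Pipe).
+
+%% TODO: consider factoring down as an alternative to rt:pbc/2
+pbc([{host, Host}, {port, Port}], Options) ->
+Retries = 3,
+%% NOTE: no rt:wait_for_service(Node, riak_kv), this connection timeout
+%% pattern matches better how clients are expected to interact w/ Riak
+pb_socket_start(Host, Port, Options, Retries, undefined).
+pb_socket_start(_Host, _Port, _Options, _Retries = 0, Err) ->
+Err;
+pb_socket_start(Host, Port, Options, Retries, _Err) ->
+case riakc_pb_socket:start(Host, Port, Options) of
+Err0 = {error, {tcp, timeout}} ->
+timer:sleep(100),
+pb_socket_start(Host, Port, Options, Retries - 1, Err0);
+Res = {ok, _Pid} -> Res;
+Err1 = {error, _Reason} -> Err1
+end.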
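Review bot: The negative checks in confirm() that use `?assertMatch({error, {tcp, _Reason}}, pbc(...))` (revoked certificate, non-peer certificate, site6 and site7) still pass when the connection merely times out, because pb_socket_start/5 hands back the last `{error, {tcp, timeout}}` once its three retries are used up. A run in which the node never answers would then be reported as the server rejecting the certificate, which is the opposite of what a security test should tolerate. Excluding the timeout in the pattern keeps these checks meaningful, for example `?assertMatch({error, {tcp, R}} when R =/= timeout, pbc(...))`; the exact reason the server returns for a rejected certificate is not visible on this page, so pinning it further needs confirming against a real run. The same applies to the looser `?assertMatch({error, _}, pbc(...))` in the peer-cert validation check. confirm() starts and ends outside these hunks.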
