
Commit fc91c93

committed
Add an option to use certifications generated from localhost.
In the Fedora project, we run the mysql2 tests in the build environment as an unprivileged user, without root permission and without `sudo`. In that environment we cannot set up the custom domain "mysql2gem.example.com" required to run the SSL tests. Generating an additional set of certificates for localhost makes it possible to run the SSL tests there. How to generate the certificate files: ``` $ cd spec/ssl/ $ bash gen_certs.sh ``` The files are generated in `spec/ssl/<host name>`. The new files generated for the domain localhost are added in `spec/ssl/localhost`. How to use: ``` $ TEST_RUBY_MYSQL2_SSL_CERT_HOST=localhost \ bundle exec rake spec ```
1 parent 89b4f15 commit fc91c93

29 files changed

+316
-21
lines changed

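--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -16,7 +16,7 @@ jobs:
 # Fedora latest stable version
 - {distro: fedora, image: 'fedora:latest'}
 # Fedora development version
-- {distro: fedora, image: 'fedora:rawhide'}
+- {distro: fedora, image: 'fedora:rawhide', ssl_cert_host: 'localhost'}
 # On the fail-fast: true, it cancels all in-progress jobs
 # if any matrix job fails unlike Travis fast_finish.
 fail-fast: false
@@ -27,4 +27,10 @@ jobs:
 # as a temporary workaround to avoid the following issue
 # in the Fedora >= 34 containers.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1900021
-- run: docker run --add-host=mysql2gem.example.com:127.0.0.1 -t --cap-add=SYS_PTRACE --security-opt seccomp=unconfined mysql2
+- run: |
+docker run \
+--add-host=mysql2gem.example.com:127.0.0.1 \
+-t \
+-e TEST_RUBY_MYSQL2_SSL_CERT_HOST="${{ matrix.ssl_cert_host || '' }}" \
+--cap-add=SYS_PTRACE --security-opt seccomp=unconfined \
+mysql2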
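Review bot: The `${{ matrix.ssl_cert_host || '' }}` expression in the new `run:` block is substituted into the script text before the shell parses it, so the value is handled as code rather than data. Here it is a literal from this file's matrix, so nothing untrusted reaches it today, but the pattern becomes a script-injection path if the matrix is ever fed from workflow inputs. I would pass it through the step environment instead: an `env:` entry `SSL_CERT_HOST: ${{ matrix.ssl_cert_host }}` on the step and `-e TEST_RUBY_MYSQL2_SSL_CERT_HOST="$SSL_CERT_HOST"` in the command. A short comment on the rawhide matrix entry saying why only that job uses `localhost` would also help.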

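--- a/ci/ssl.sh
+++ b/ci/ssl.sh
@@ -2,11 +2,14 @@
 
 set -eux
 
+# TEST_RUBY_MYSQL2_SSL_CERT_HOST: custom host for the SSL certificates.
+SSL_CERT_HOST=${TEST_RUBY_MYSQL2_SSL_CERT_HOST:-mysql2gem.example.com}
+
 # Make sure there is an /etc/mysql
 mkdir -p /etc/mysql
 
 # Copy the local certs to /etc/mysql
-cp spec/ssl/*pem /etc/mysql/
+cp spec/ssl/${SSL_CERT_HOST}/*pem /etc/mysql/
 
 # Wherever MySQL configs live, go there (this is for cross-platform)
 cd $(my_print_defaults --help | grep my.cnf | xargs find 2>/dev/null | xargs dirname)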
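Review bot: `SSL_CERT_HOST` is expanded unquoted into the `cp` source path, so an environment value containing spaces, glob characters or `../` is word-split or resolves outside `spec/ssl/` while the script writes into `/etc/mysql`. Quote the directory part and check that it exists before copying: `[ -d "spec/ssl/${SSL_CERT_HOST}" ] || { echo "no certs for ${SSL_CERT_HOST}" >&2; exit 1; }` followed by `cp "spec/ssl/${SSL_CERT_HOST}"/*pem /etc/mysql/`. The `*pem` glob also installs `ca-key.pem` next to the server files, which the server probably does not need; that behaviour predates this change. The script continues past the end of the hunk.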

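--- a/spec/mysql2/client_spec.rb
+++ b/spec/mysql2/client_spec.rb
@@ -153,7 +153,7 @@ def connect(*args)
 
 let(:option_overrides) do
 {
-'host' => 'mysql2gem.example.com', # must match the certificates
+'host' => ssl_cert_host, # must match the certificates
 :sslkey => '/etc/mysql/client-key.pem',
 :sslcert => '/etc/mysql/client-cert.pem',
 :sslca => '/etc/mysql/ca-cert.pem',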
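Review bot: With `ssl_cert_host` returning `localhost`, the `'host'` override may no longer force a TCP connection: MySQL client libraries on Unix usually treat `localhost` as a request for the Unix socket, and depending on the SSL mode a socket connection may not be encrypted at all. It is worth confirming that the SSL examples in this context still assert an encrypted session in the localhost configuration (for instance via the `Ssl_cipher` status), otherwise they can pass without exercising the certificates. The `let` block continues outside the hunk, so any `sslverify` or `ssl_mode` settings are not visible here.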

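--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -60,6 +60,18 @@ def clock_time
 end
 end
 
+def ssl_cert_host
+return @ssl_cert_host if @ssl_cert_host
+
+host = ENV['TEST_RUBY_MYSQL2_SSL_CERT_HOST']
+@ssl_cert_host = if host && !host.empty?
+host
+else
+'mysql2gem.example.com'
+end
+@ssl_cert_host
+end
+
 config.before(:suite) do
 begin
 new_client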
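Review bot: `ssl_cert_host` has no comment, and the fallback host `'mysql2gem.example.com'` is now duplicated here and in `ci/ssl.sh`, so the two defaults can drift apart. Add a comment such as `# Host the SSL specs connect to; must match the CN of the certs installed from spec/ssl/<host> (TEST_RUBY_MYSQL2_SSL_CERT_HOST, default mysql2gem.example.com).` The body can also be reduced to one memoised expression: `host = ENV['TEST_RUBY_MYSQL2_SSL_CERT_HOST'].to_s` followed by `@ssl_cert_host ||= host.empty? ? 'mysql2gem.example.com' : host`. The enclosing block starts before the hunk.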

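--- a/spec/ssl/gen_certs.sh
+++ b/spec/ssl/gen_certs.sh
@@ -2,7 +2,13 @@
 
 set -eux
 
-echo "
+# Note that we generate a set of certificates for localhost to assist the
+# testing environment where the domain "mysql2gem.example.com" can not be set.
+for HOST in mysql2gem.example.com localhost; do
+mkdir -p "${HOST}"
+pushd "${HOST}"
+
+echo "
 [ ca ]
 # January 1, 2015
 default_startdate = 2015010360000Z
@@ -22,27 +28,30 @@ organizationalUnitName_default = Mysql2Gem
 emailAddress_default = [email protected]
 " | tee ca.cnf cert.cnf
 
-# The client and server certs must have a different common name than the CA
-# to avoid "SSL connection error: error:00000001:lib(0):func(0):reason(1)"
+# The client and server certs must have a different common name than the CA
+# to avoid "SSL connection error: error:00000001:lib(0):func(0):reason(1)"
 
-echo "
+echo "
 commonName_default = ca_mysql2gem
 " >> ca.cnf
 
-echo "
-commonName_default = mysql2gem.example.com
+echo "
+commonName_default = ${HOST}
 " >> cert.cnf
 
-# Generate a set of certificates
-openssl genrsa -out ca-key.pem 2048
-openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -batch -config ca.cnf
-openssl req -newkey rsa:2048 -days 3600 -nodes -keyout pkcs8-server-key.pem -out server-req.pem -batch -config cert.cnf
-openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
-openssl req -newkey rsa:2048 -days 3600 -nodes -keyout pkcs8-client-key.pem -out client-req.pem -batch -config cert.cnf
-openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
-
-# Convert format from PKCS#8 to PKCS#1
-openssl rsa -in pkcs8-server-key.pem -out server-key.pem
-openssl rsa -in pkcs8-client-key.pem -out client-key.pem
+# Generate a set of certificates
+openssl genrsa -out ca-key.pem 2048
+openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -batch -config ca.cnf
+openssl req -newkey rsa:2048 -days 3600 -nodes -keyout pkcs8-server-key.pem -out server-req.pem -batch -config cert.cnf
+openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+openssl req -newkey rsa:2048 -days 3600 -nodes -keyout pkcs8-client-key.pem -out client-req.pem -batch -config cert.cnf
+openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Convert format from PKCS#8 to PKCS#1
+openssl rsa -in pkcs8-server-key.pem -out server-key.pem
+openssl rsa -in pkcs8-client-key.pem -out client-key.pem
+
+popd
+done
 
 echo "done"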
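Review bot: The certificates produced inside the new `for HOST` loop carry the host name only in `commonName_default = ${HOST}`; no subjectAltName is set, and TLS stacks increasingly ignore the CN for host-name verification, so the `localhost` set may stop verifying on newer client libraries. Adding the SAN when signing the server certificate would address that, e.g. append `-extfile <(printf 'subjectAltName=DNS:%s' "${HOST}")` to the server `openssl x509 -req` line. The server and client certificates are also both issued with `-set_serial 01` by the same CA; using `-set_serial 02` for the client certificate avoids two certificates sharing an issuer and serial. A one-line comment above the loop noting that the output directories are committed test fixtures, not to be trusted outside the specs, would be useful.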

spec/ssl/localhost/ca-cert.pem

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIICtTCCAZ0CFAwnppExyVZKvNYuoDiG+1VfU8qoMA0GCSqGSIb3DQEBCwUAMBcx
3+
FTATBgNVBAMMDGNhX215c3FsMmdlbTAeFw0yMjEyMjMxNTMwNThaFw0zMjEwMzEx
4+
NTMwNThaMBcxFTATBgNVBAMMDGNhX215c3FsMmdlbTCCASIwDQYJKoZIhvcNAQEB
5+
BQADggEPADCCAQoCggEBALjIBExDu99Q4uvMi4ikmhQkhKyK4X/+NALos8iFXFbq
6+
a6B8Yeho2rRzfdxnAXg3RW/3t7a/sU/V/KfPHgUcBmDNp6ZGS0bGK6uFWU963aI7
7+
vn/B4yiXLM3CeHzRgLisvIySJ2PYGNW9I4Sunwwl9V+juAJ1iZemfKGNcQ10VWw0
8+
zRD0TV3/6wQrdasEkf7t1Zv+HOg9zrPKM0uRX4F7sXdcoatFpOmvNZGiTfJCeCfP
9+
tMkjyhncO48z3+es0yr1/574CDxB7Stc30ce528k8wZwQFPe4vlLVDzdxVD02Bcj
10+
jhQQkadRWiuRtUXBFFIx5QOvzNrZmD6mWeL1TSSdNlECAwEAATANBgkqhkiG9w0B
11+
AQsFAAOCAQEANHFob2ypSKhMF9vQVWbs7c8oqRSNkMVcRqoc8wbRREKKLkmqoXRm
12+
FcaPVXd2Y3O6Milw4lFLzQbTr7wf7Fhab69LNDaEj42KMxCPqMJyvHyD1AGeBcIc
13+
dCagd3ZA+DrBjBvmHDAwkBBlM/P7FukhL1NoVNP9eqz2/9yOOPwlTLo1YCQwV/gN
14+
WdWWtD4r9sbm2nGNXZ85yZAQHfIdUQZhHU/SFdLy1oSsPQMgPe8N58QvP/UcpdHe
15+
RT4DqAu2MlfHWXFarjSakCLYsbvyeFvb+qg69snO0FVUT5IZQQ/3xbFh3o0bqeyo
16+
LUbvUMmXgVacmlOWmwrcxvJvvFEBzEBkNA==
17+
-----END CERTIFICATE-----

spec/ssl/localhost/ca-key.pem

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
-----BEGIN PRIVATE KEY-----
2+
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4yARMQ7vfUOLr
3+
zIuIpJoUJISsiuF//jQC6LPIhVxW6mugfGHoaNq0c33cZwF4N0Vv97e2v7FP1fyn
4+
zx4FHAZgzaemRktGxiurhVlPet2iO75/weMolyzNwnh80YC4rLyMkidj2BjVvSOE
5+
rp8MJfVfo7gCdYmXpnyhjXENdFVsNM0Q9E1d/+sEK3WrBJH+7dWb/hzoPc6zyjNL
6+
kV+Be7F3XKGrRaTprzWRok3yQngnz7TJI8oZ3DuPM9/nrNMq9f+e+Ag8Qe0rXN9H
7+
HudvJPMGcEBT3uL5S1Q83cVQ9NgXI44UEJGnUVorkbVFwRRSMeUDr8za2Zg+plni
8+
9U0knTZRAgMBAAECggEABEWxnb7KKvdgi8Gir0HZAyK2A5RBcvdiZffR4k69DBBm
9+
9SKzE8/K0LXD4PLrvIcQnq5cS8giVh11Nj8Ka2VSu2291NEWv/fofhJ69mS5l5zo
10+
gmUt9pwKL+axaPdiEcMCqABgE0Wli1mQZuqvqDT/d5reMAZeLEiv5H9T8BLyv6nt
11+
y5N/EiSsPx67cGDGFBlNATDl1xUApxkQe0EVsBfpku3r/2UiVGtra7k0kOA4a8UL
12+
tx8O4mED2b46DWed2+zNbKcXOvXLjlkjZTudfVi6p6B8dsSopP+gJxVnpiY8QxN9
13+
xctPw/IlFzIlriMm2U2/JLHxdJP4Gyz393oavPLDAQKBgQDP9IDemtQjKlN8PmOO
14+
4MZtl9+Y6nx3ZyEK1Jky7ncyFMlfCAqGY8+RbT2FvxV2FR+qhinzY/UYmV/eQF6S
15+
AgMHKM8wkolF4G2xoUDnwZRG53+pzlJTemXu/sayzu0chQ05Ru+KdKkuL9Qv42zt
16+
KwMme6mPGKXCSi5EQypI0l6NwQKBgQDjeOa3LPn1li7jfA1GCwp00LuiBnuRUQRK
17+
6zH25yMiMbUay+zmbDxWMLSlYffzP9hLcp2XcySNkNNoT2Gjm6Ng9s/IqP+8beqI
18+
haNrmcLZl6wbJVqmnXjyaAWhmTzso9OJl4QFrRNdIdcjQtkeP58wVA7VDIK0LtQN
19+
m7nqrKHskQKBgHj5ZuKYtWIDpG95p9cdYbGtkTDW8DNR9kHjrX+YhBTJTOAQwHav
20+
p7eVEh41LBn2beZ4h/0EIDgAOWoEjj9oFjTbA7Tg+iSBS67y/NwVm9mnoHe7A992
21+
K8hdxF+Oyxc1O50fbAhil2y7/DcjmWFbDUkc1WXeU8dz+fhSDk4wuzrBAoGBAKAh
22+
QREb6U54DcP4VQPEy/SV6DBULfKLPOFclkzAQ5xTr7EQc1F2SjdGjDSMNdcYT7Q1
23+
GDlARjAeDqS0lQBulOGyfW09guHr4pl+sh8SG/e/bNmjPyBhZH4IukYbMKdJYKXQ
24+
cpDoWORL6T4aVeuUUATed56E8xHSkVaPFJ7eLhLxAoGBAMtB/grTYP7YHzPDH8T+
25+
SfJ05OoFB1MR1JzqdDLwzI60c041RdVZ/StpXjK7th2MAK4zymuzXRgTklvsRRTc
26+
RV+2REWqGpSNO4eTPLM6j8TvAwAaI+WzSRCW/4XDAkQHnVN7M4Bg6gWiEX+Xi6pr
27+
FMC+/PNymu450sLrLA+9kByf
28+
-----END PRIVATE KEY-----
File renamed without changes.

spec/ssl/localhost/cert.cnf

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
2+
[ ca ]
3+
# January 1, 2015
4+
default_startdate = 2015010360000Z
5+
6+
[ req ]
7+
distinguished_name = req_distinguished_name
8+
9+
[ req_distinguished_name ]
10+
# If this isn't set, the error is error, no objects specified in config file
11+
commonName = Common Name (hostname, IP, or your name)
12+
13+
countryName_default = US
14+
stateOrProvinceName_default = CA
15+
localityName_default = San Francisco
16+
0.organizationName_default = mysql2_gem
17+
organizationalUnitName_default = Mysql2Gem
18+
emailAddress_default = [email protected]
19+
20+
21+
commonName_default = localhost
22+

spec/ssl/localhost/client-cert.pem

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIICnzCCAYcCAQEwDQYJKoZIhvcNAQELBQAwFzEVMBMGA1UEAwwMY2FfbXlzcWwy
3+
Z2VtMB4XDTIyMTIyMzE1MzA1OVoXDTMyMTAzMTE1MzA1OVowFDESMBAGA1UEAwwJ
4+
bG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1sStOpst
5+
+FCGz9V7hQmD+rQlzpcg10cfPDOVKQokEu9ZRue8/dflNGDLSy8zmCYfCYDsXZvi
6+
VEiDPgXR3AxhpbF6VBj4fG83wAFtEeO18EPyAsxBpYyCJIVuTxPWSJv7Qvv01TEA
7+
z6W1wo2G5S35B7JcY65WS5JG7Jyhg4cln4PcLEFG76ECBzvUc9kVcRdROiv5OVCN
8+
i1N6glnMjMUsc6mC7labUnQSV/1RWHt5GRvFd0G9nszL8Yxj1GHmXdcUUHGXvb71
9+
l3rj0vWCNkG+K1e17tNLP86ACWhtLMps8CFzU32+uSUaE4ol/Vs+3FH+74lpdJL8
10+
oRvdu4b2msKt9wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQChXIphVRRhl/RxLS3C
11+
gifApYt+Ou7B+lPR5+Ex929QxCgRp2Ux6GDEVF/Iyvj2RIWN0pj504JN23pEBOEK
12+
e/YNdX7A/fFr7mSrjQ38MUt18I4n1xzWAVS+l9y4QbCdMWvaYRBkm3vtBL7+3fFU
13+
6Rz++EOzkHfGFVIIEOvC7tqkt4lMELMYEhU4dMe7ZVU0cu1TfX7snlZTWTJoJQhl
14+
EIEp3Q0EuphPJlkkn3aOKhJkuPVAkIeMxXluYEc+KFj7HkSaOn0onVy2CAZIixxE
15+
T+G5SI6LVK1dzRTbvHa35vsnyLYK52BPomRC7QMDkNiUgQugqzOI1vnDjek0+2/+
16+
v5D7
17+
-----END CERTIFICATE-----
