fix some of the ssl tests

Author: kiryazovi-redis

src/test/java/io/lettuce/core/SslIntegrationTests.java

@@ -42,6 +42,8 @@
 import java.io.File;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.time.Duration;
 import java.util.List;
 import java.util.function.Function;
@@ -50,6 +52,7 @@
 
 import static io.lettuce.TestTags.INTEGRATION_TEST;
 import static io.lettuce.test.settings.TestSettings.sslPort;
+import static io.lettuce.test.settings.TlsSettings.*;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
@@ -66,11 +69,9 @@ class SslIntegrationTests extends TestSupport {
 
     private static final String KEYSTORE = "work/keystore.jks";
 
-    private static final String TRUSTSTORE = "work/truststore.jks";
+    private static File truststoreFile;
 
-    private static final File TRUSTSTORE_FILE = new File(TRUSTSTORE);
-
-    private static final File CA_CERT_FILE = new File("work/ca/certs/ca.cert.pem");
+    private static File cacertFile;
 
     private static final int MASTER_SLAVE_BASE_PORT_OFFSET = 2000;
 
@@ -111,9 +112,12 @@ class SslIntegrationTests extends TestSupport {
 
     @BeforeAll
     static void beforeClass() {
-
+        Path path = createAndSaveTestTruststore("redis-standalone-1", Paths.get("work/tls"), "changeit");
+        truststoreFile = path.toFile();
+        cacertFile = envCa(Paths.get("redis-standalone-1/work/tls")).toFile();
+        // do for 6444 and 8444
         assumeTrue(CanConnect.to(TestSettings.host(), sslPort()), "Assume that stunnel runs on port 6443");
-        assertThat(TRUSTSTORE_FILE).exists();
+        assertThat(truststoreFile).exists();
     }
 
     @Test
@@ -130,7 +134,7 @@ void standaloneWithJdkSsl() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -142,7 +146,7 @@ void standaloneWithVerifyCaOnly() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -153,7 +157,7 @@ void standaloneWithVerifyCaOnly() {
     void standaloneWithPemCert() {
 
         SslOptions sslOptions = SslOptions.builder() //
-                .trustManager(CA_CERT_FILE) //
+                .trustManager(cacertFile) //
                 .build();
         setOptions(sslOptions);
         verifyConnection(URI_VERIFY);
@@ -164,7 +168,7 @@ void standaloneWithPemCertAndImpossibleTimeout() {
 
         Assertions.setMaxStackTraceElementsDisplayed(30);
         SslOptions sslOptions = SslOptions.builder() //
-                .trustManager(CA_CERT_FILE) //
+                .trustManager(cacertFile) //
                 .build();
         setOptions(sslOptions);
         redisClient.setOptions(ClientOptions.builder().protocolVersion(ProtocolVersion.RESP3).sslOptions(sslOptions).build());
@@ -196,7 +200,7 @@ void standaloneWithClientCertificates() {
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
                 .keystore(new File(KEYSTORE), "changeit".toCharArray()) //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -208,7 +212,7 @@ void standaloneWithClientCertificatesWithoutKeystore() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -245,7 +249,7 @@ void standaloneWithOpenSsl() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .openSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -298,7 +302,7 @@ void masterSlaveWithJdkSsl() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -363,7 +367,7 @@ void masterSlaveSslWithOneInvalidHostWillSucceed() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -375,7 +379,7 @@ void masterSlaveSslWithAllInvalidHostsWillFail() {
 
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .truststore(TRUSTSTORE_FILE) //
+                .truststore(truststoreFile, "changeit") //
                 .build();
         setOptions(sslOptions);
 
@@ -416,7 +420,7 @@ private static List<RedisURI> sslUris(IntStream masterSlaveOffsets,
     }
 
     private URL truststoreURL() throws MalformedURLException {
-        return TRUSTSTORE_FILE.toURI().toURL();
+        return truststoreFile.toURI().toURL();
     }
 
     private void setOptions(SslOptions sslOptions) {

src/test/java/io/lettuce/test/settings/TlsSettings.java

@@ -0,0 +1,124 @@
+package io.lettuce.test.settings;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
+public class TlsSettings {
+
+    private static final String TRUST_STORE_TYPE = "PKCS12";
+
+    private static final String TEST_WORK_FOLDER = System.getenv().getOrDefault("TEST_WORK_FOLDER", "/tmp/redis-env-work");
+
+    private static final String TEST_SERVER_CERT = "redis.crt";
+
+    private static final String TEST_CA_CERT = "ca.crt";
+
+    private static final String TEST_TRUSTSTORE = "truststore.jks";
+
+    public static Path envServerCert(Path certLocation) {
+        return Paths.get(TEST_WORK_FOLDER, certLocation.toString(), TEST_SERVER_CERT);
+    }
+
+    public static Path envCa(Path certLocation) {
+        return Paths.get(TEST_WORK_FOLDER, certLocation.toString(), TEST_CA_CERT);
+    }
+
+    public static Path testTruststorePath(String name) {
+        return Paths.get(TEST_WORK_FOLDER, name + '-' + TEST_TRUSTSTORE);
+    }
+
+    /**
+     * Creates an empty truststore.
+     *
+     * @return An empty KeyStore object.
+     * @throws KeyStoreException If there's an error initializing the truststore.
+     * @throws IOException If there's an error loading the truststore.
+     * @throws NoSuchAlgorithmException If the algorithm used to check the integrity of the truststore cannot be found.
+     * @throws CertificateException If any of the certificates in the truststore could not be loaded.
+     */
+    private static KeyStore createTruststore()
+            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+        KeyStore trustStore = KeyStore.getInstance(TRUST_STORE_TYPE);
+        trustStore.load(null, null);
+        return trustStore;
+    }
+
+    /**
+     * Loads an X.509 certificate from the given file path.
+     *
+     * @param certPath Path to the certificate file.
+     * @return An X509Certificate object.
+     * @throws Exception If there's an error loading the certificate.
+     */
+    private static X509Certificate loadCertificate(Path certPath) throws Exception {
+        try (FileInputStream fis = new FileInputStream(certPath.toFile())) {
+            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+            return (X509Certificate) certFactory.generateCertificate(fis);
+        }
+    }
+
+    /**
+     * Adds a trusted certificate to the given truststore.
+     *
+     * @param trustStore The KeyStore object.
+     * @param alias Alias for the certificate.
+     * @param certPath Path to the certificate file.
+     * @throws Exception If there's an error adding the certificate.
+     */
+    private static void addTrustedCertificate(KeyStore trustStore, String alias, Path certPath) throws Exception {
+        X509Certificate cert = loadCertificate(certPath);
+        trustStore.setCertificateEntry(alias, cert);
+    }
+
+    /**
+     * Creates a truststore, adds multiple trusted certificates, and saves it to the specified path.
+     *
+     * @param trustedCertPaths List of certificate file paths to add to the truststore.
+     * @param truststorePath Path to save the generated truststore.
+     * @param truststorePassword Password for the truststore.
+     * @return Path to the saved truststore file.
+     */
+    public static Path createAndSaveTruststore(List<Path> trustedCertPaths, Path truststorePath, String truststorePassword) {
+        try {
+            KeyStore trustStore = createTruststore();
+
+            for (Path certPath : trustedCertPaths) {
+                addTrustedCertificate(trustStore, "trusted-cert-" + UUID.randomUUID(), certPath);
+            }
+
+            try (FileOutputStream fos = new FileOutputStream(truststorePath.toFile())) {
+                trustStore.store(fos, truststorePassword.toCharArray());
+            } catch (IOException e) {
+                throw new RuntimeException("Failed to save truststore to " + truststorePath + ": " + e.getMessage(), e);
+            }
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to create and save truststore: " + e.getMessage(), e);
+        }
+
+        return truststorePath;
+    }
+
+    public static Path createAndSaveTestTruststore(String trustStoreName, Path certificateLocations,
+            String truststorePassword) {
+        List<Path> trustedCertPaths = new ArrayList<>();
+        trustedCertPaths.add(envCa(certificateLocations).toAbsolutePath());
+        trustedCertPaths.add(envServerCert(certificateLocations).toAbsolutePath());
+
+        Path trustStorePath = testTruststorePath(trustStoreName).toAbsolutePath();
+
+        return createAndSaveTruststore(trustedCertPaths, trustStorePath, truststorePassword);
+    }
+
+}

src/test/resources/docker-env/.env

@@ -0,0 +1 @@
+REDIS_ENV_WORK_DIR=/tmp/redis-env-work

src/test/resources/docker-env/docker-compose.yml

@@ -7,6 +7,7 @@ services:
       - TLS_ENABLED=yes
     volumes:
       - ./redis-standalone-1/config:/redis/config:r
+      - ${REDIS_ENV_WORK_DIR}/redis-standalone-1/work:/redis/work:rw
     ports:
       - "6479:6479"
       - "6443:6443" # TLS Port
@@ -52,10 +53,12 @@ services:
     container_name: redis-standalone-sentinel-controlled
     environment:
       - REDIS_CLUSTER=no
+      - TLS_ENABLED=yes
     volumes:
       - ./redis-standalone-sentinel-controlled/config:/redis/config:r
     ports:
       - "26380:26380"
+      - "26822:26822" # sentinel tls port
       - "26379:26379"
       - "6482:6482"
       - "6483:6483"

src/test/resources/docker-env/redis-standalone-sentinel-controlled/config/node-sentinel-26379/redis.conf

@@ -1,4 +1,6 @@
 port 26379
+tls-port 26822
+tls-auth-clients no
 sentinel monitor mymaster localhost 6482 1
 sentinel announce-hostnames yes
 sentinel resolve-hostnames yes