ccm: add possibility to enable tls

muzarski · muzarski · commit bc94af63d531 · 2025-02-12T14:38:08.000+01:00
diff --git a/scylla/tests/ccm_integration/ccm/cluster.rs b/scylla/tests/ccm_integration/ccm/cluster.rs
@@ -2,6 +2,7 @@ use crate::ccm::{IP_ALLOCATOR, ROOT_CCM_DIR};
 
 use super::ip_allocator::NetPrefix;
 use super::logged_cmd::{LoggedCmd, RunOptions};
+use super::{DB_TLS_CERT_PATH, DB_TLS_KEY_PATH};
 use anyhow::{Context, Error};
 use scylla::client::session_builder::SessionBuilder;
 use std::collections::HashMap;
@@ -313,6 +314,18 @@ impl Node {
         Ok(())
     }
 
+    /// Configures TLS based on the paths provided in the environment variables `DB_TLS_CERT_PATH` and `DB_TLS_KEY_PATH`.
+    /// If the paths are not provided, the default certificate and key are taken from `./test/tls/db.crt` and `./test/tls/db.key`.
+    pub(crate) async fn configure_tls(&self) -> Result<(), Error> {
+        let args = [
+            ("client_encryption_options.enabled", "true"),
+            ("client_encryption_options.certificate", &DB_TLS_CERT_PATH),
+            ("client_encryption_options.keyfile", &DB_TLS_KEY_PATH),
+        ];
+
+        self.updateconf(args).await
+    }
+
     /// This method starts the node. User can provide optional [`NodeStartOptions`] to control the behavior of the node start.
     /// If `None` is provided, the default options are used (see the implementation of Default for [`NodeStartOptions`]).
     pub(crate) async fn start(&mut self, opts: Option<NodeStartOptions>) -> Result<(), Error> {
@@ -679,6 +692,18 @@ impl Cluster {
         Ok(())
     }
 
+    /// Configures TLS based on the paths provided in the environment variables `DB_TLS_CERT_PATH` and `DB_TLS_KEY_PATH`.
+    /// If the paths are not provided, the default certificate and key are taken from `./test/tls/db.crt` and `./test/tls/db.key`.
+    pub(crate) async fn configure_tls(&self) -> Result<(), Error> {
+        let args = [
+            ("client_encryption_options.enabled", "true"),
+            ("client_encryption_options.certificate", &DB_TLS_CERT_PATH),
+            ("client_encryption_options.keyfile", &DB_TLS_KEY_PATH),
+        ];
+
+        self.updateconf(args).await
+    }
+
     fn get_ccm_env(&self) -> HashMap<String, String> {
         let mut env: HashMap<String, String> = HashMap::new();
         env.insert(
diff --git a/scylla/tests/ccm_integration/ccm/mod.rs b/scylla/tests/ccm_integration/ccm/mod.rs
@@ -55,6 +55,73 @@ static ROOT_CCM_DIR: LazyLock<String> = LazyLock::new(|| {
     ccm_root_dir
 });
 
+pub(crate) static DB_TLS_CERT_PATH: LazyLock<String> = LazyLock::new(|| {
+    let cargo_manifest_dir = env!("CARGO_MANIFEST_DIR");
+    let db_cert_path_env = std::env::var("DB_TLS_CERT_PATH");
+    let db_cert_path = match db_cert_path_env {
+        Ok(x) => x,
+        Err(e) => {
+            info!(
+                "DB_TLS_CERT_PATH env malformed or not present: {}. Using {}/../test/tls/db.crt for db cert.",
+                e, cargo_manifest_dir
+            );
+            cargo_manifest_dir.to_string() + "/../test/tls/db.crt"
+        }
+    };
+
+    let path = PathBuf::from(&db_cert_path);
+    if !path.try_exists().unwrap() {
+        panic!("DB cert file {:?} not found", path);
+    }
+
+    db_cert_path
+});
+
+pub(crate) static DB_TLS_KEY_PATH: LazyLock<String> = LazyLock::new(|| {
+    let cargo_manifest_dir = env!("CARGO_MANIFEST_DIR");
+    let db_key_path_env = std::env::var("DB_TLS_KEY_PATH");
+    let db_key_path = match db_key_path_env {
+        Ok(x) => x,
+        Err(e) => {
+            info!(
+                "DB_TLS_KEY_PATH env malformed or not present: {}. Using {}/../test/tls/db.key for db key.",
+                e, cargo_manifest_dir
+            );
+            cargo_manifest_dir.to_string() + "/../test/tls/db.key"
+        }
+    };
+
+    let path = PathBuf::from(&db_key_path);
+    if !path.try_exists().unwrap() {
+        panic!("DB key file {:?} not found", path);
+    }
+
+    db_key_path
+});
+
+#[cfg(feature = "ssl")]
+pub(crate) static CA_TLS_CERT_PATH: LazyLock<String> = LazyLock::new(|| {
+    let cargo_manifest_dir = env!("CARGO_MANIFEST_DIR");
+    let ca_cert_path_env = std::env::var("CA_TLS_CERT_PATH");
+    let ca_cert_path = match ca_cert_path_env {
+        Ok(x) => x,
+        Err(e) => {
+            info!(
+                "CA_TLS_CERT_PATH env malformed or not present: {}. Using {}/../test/tls/ca.crt for ca cert.",
+                e, cargo_manifest_dir
+            );
+            cargo_manifest_dir.to_string() + "/../test/tls/ca.crt"
+        }
+    };
+
+    let path = PathBuf::from(&ca_cert_path);
+    if !path.try_exists().unwrap() {
+        panic!("DB cert file {:?} not found", path);
+    }
+
+    ca_cert_path
+});
+
 pub(crate) async fn run_ccm_test<C, T, Fut>(make_cluster_options: C, test_body: T)
 where
     C: FnOnce() -> ClusterOptions,
diff --git a/scylla/tests/ccm_integration/main.rs b/scylla/tests/ccm_integration/main.rs
@@ -3,3 +3,5 @@ mod common;
 
 pub(crate) mod ccm;
 mod test_example;
+#[cfg(feature = "ssl")]
+mod tls;
diff --git a/scylla/tests/ccm_integration/tls.rs b/scylla/tests/ccm_integration/tls.rs
@@ -0,0 +1,70 @@
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use openssl::ssl::{SslContextBuilder, SslMethod, SslVerifyMode};
+use tokio::sync::Mutex;
+
+use crate::ccm::cluster::{Cluster, ClusterOptions};
+use crate::ccm::{run_ccm_test_with_configuration, CA_TLS_CERT_PATH, CLUSTER_VERSION};
+use crate::common::utils::setup_tracing;
+
+fn cluster_1_node() -> ClusterOptions {
+    ClusterOptions {
+        name: "cluster_1_node".to_string(),
+        version: CLUSTER_VERSION.clone(),
+        nodes: vec![1],
+        ..ClusterOptions::default()
+    }
+}
+
+#[tokio::test]
+#[cfg_attr(not(ccm_tests), ignore)]
+async fn test_tls_cluster_one_node_connects() {
+    setup_tracing();
+    async fn test(cluster: Arc<Mutex<Cluster>>) {
+        let mut context_builder =
+            SslContextBuilder::new(SslMethod::tls()).expect("Failed to create ssl context builder");
+        let ca_dir = tokio::fs::canonicalize(PathBuf::from(&*CA_TLS_CERT_PATH))
+            .await
+            .expect("Failed to find ca cert file");
+        context_builder
+            .set_ca_file(ca_dir.as_path())
+            .expect("Failed to set ca file");
+        context_builder.set_verify(SslVerifyMode::PEER);
+
+        let cluster = cluster.lock().await;
+        let session = cluster
+            .make_session_builder()
+            .await
+            .ssl_context(Some(context_builder.build()))
+            .build()
+            .await
+            .unwrap();
+
+        let rows = session
+            .query_unpaged("select data_center from system.local", &[])
+            .await
+            .expect("failed to execute query")
+            .into_rows_result()
+            .expect("failed to get rows")
+            .rows::<(String,)>()
+            .expect("failed to deserialize rows")
+            .map(|res| res.map(|row| row.0))
+            .collect::<Result<Vec<_>, _>>()
+            .unwrap();
+        println!("{:?}", rows);
+    }
+
+    run_ccm_test_with_configuration(
+        cluster_1_node,
+        |cluster| async move {
+            cluster
+                .configure_tls()
+                .await
+                .expect("failed to configure tls");
+            cluster
+        },
+        test,
+    )
+    .await;
+}
