Fix CassandraContainer wait strategy when SSL is configured (#9419)

Fixes #9410

---------

Co-authored-by: Eddú Meléndez <[email protected]>

Author: maximevw

docs/modules/databases/cassandra.md

@@ -20,6 +20,19 @@ This example connects to the Cassandra cluster:
     [Running init script with required authentication](../../../modules/cassandra/src/test/java/org/testcontainers/cassandra/CassandraContainerTest.java) inside_block:init-with-auth
     <!--/codeinclude-->
 
+## Using secure connection (TLS)
+
+If you override the default `cassandra.yaml` with a version setting the property `client_encryption_options.optional` 
+to `false`, you have to provide a valid client certificate and key (PEM format) when you initialize your container:
+
+<!--codeinclude-->
+[SSL setup](../../../modules/cassandra/src/test/java/org/testcontainers/cassandra/CassandraContainerTest.java) inside_block:with-ssl-config
+<!--/codeinclude-->
+
+!!! hint
+    To generate the client certificate and key, please refer to
+    [this documentation](https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureSSLCertificates.html). 
+
 ## Adding this module to your project dependencies
 
 Add the following dependency to your `pom.xml`/`build.gradle` file:

modules/cassandra/src/main/java/org/testcontainers/cassandra/CassandraContainer.java

@@ -1,6 +1,7 @@
 package org.testcontainers.cassandra;
 
 import com.github.dockerjava.api.command.InspectContainerResponse;
+import org.apache.commons.lang3.StringUtils;
 import org.testcontainers.containers.GenericContainer;
 import org.testcontainers.ext.ScriptUtils;
 import org.testcontainers.ext.ScriptUtils.ScriptLoadException;
@@ -37,6 +38,10 @@ public class CassandraContainer extends GenericContainer<CassandraContainer> {
 
     private String initScriptPath;
 
+    private String clientCertFile;
+
+    private String clientKeyFile;
+
     public CassandraContainer(String dockerImageName) {
         this(DockerImageName.parse(dockerImageName));
     }
@@ -66,6 +71,15 @@ protected void configure() {
             .ofNullable(configLocation)
             .map(MountableFile::forClasspathResource)
             .ifPresent(mountableFile -> withCopyFileToContainer(mountableFile, CONTAINER_CONFIG_LOCATION));
+
+        // If a secure connection is required by Cassandra configuration, copy the user certificate and key to a
+        // dedicated location and define a cqlshrc file with the appropriate SSL configuration.
+        // See: https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureCqlshSSL.html
+        if (isSslRequired()) {
+            withCopyFileToContainer(MountableFile.forClasspathResource(clientCertFile), "ssl/user_cert.pem");
+            withCopyFileToContainer(MountableFile.forClasspathResource(clientKeyFile), "ssl/user_key.pem");
+            withCopyFileToContainer(MountableFile.forClasspathResource("cqlshrc"), "/root/.cassandra/cqlshrc");
+        }
     }
 
     @Override
@@ -106,9 +120,11 @@ private void runInitScriptIfRequired() {
      * Initialize Cassandra with the custom overridden Cassandra configuration
      * <p>
      * Be aware, that Docker effectively replaces all /etc/cassandra content with the content of config location, so if
-     * Cassandra.yaml in configLocation is absent or corrupted, then Cassandra just won't launch
+     * Cassandra.yaml in configLocation is absent or corrupted, then Cassandra just won't launch.
      *
-     * @param configLocation relative classpath with the directory that contains cassandra.yaml and other configuration files
+     * @param configLocation relative classpath with the directory that contains cassandra.yaml and other configuration
+     *                       files
+     * @return The updated {@link CassandraContainer}.
      */
     public CassandraContainer withConfigurationOverride(String configLocation) {
         this.configLocation = configLocation;
@@ -122,15 +138,38 @@ public CassandraContainer withConfigurationOverride(String configLocation) {
      * </p>
      *
      * @param initScriptPath relative classpath resource
+     * @return The updated {@link CassandraContainer}.
      */
     public CassandraContainer withInitScript(String initScriptPath) {
         this.initScriptPath = initScriptPath;
         return self();
     }
 
     /**
-     * Get username
+     * Configure secured connection (TLS) when required by the Cassandra configuration
+     * (i.e. cassandra.yaml file contains the property {@code client_encryption_options.optional} with value
+     * {@code false}).
      *
+     * @param clientCertFile The client certificate required to execute CQL scripts.
+     * @param clientKeyFile  The client key required to execute CQL scripts.
+     * @return The updated {@link CassandraContainer}.
+     */
+    public CassandraContainer withSsl(String clientCertFile, String clientKeyFile) {
+        this.clientCertFile = clientCertFile;
+        this.clientKeyFile = clientKeyFile;
+        return self();
+    }
+
+    /**
+     * @return Whether a secure connection is required between the client and the Cassandra server.
+     */
+    boolean isSslRequired() {
+        return StringUtils.isNoneBlank(this.clientCertFile, this.clientKeyFile);
+    }
+
+    /**
+     * Get username
+     * <p>
      * By default, Cassandra has authenticator: AllowAllAuthenticator in cassandra.yaml
      * If username and password need to be used, then authenticator should be set as PasswordAuthenticator
      * (through custom Cassandra configuration) and through CQL with default cassandra-cassandra credentials
@@ -142,7 +181,7 @@ public String getUsername() {
 
     /**
      * Get password
-     *
+     * <p>
      * By default, Cassandra has authenticator: AllowAllAuthenticator in cassandra.yaml
      * If username and password need to be used, then authenticator should be set as PasswordAuthenticator
      * (through custom Cassandra configuration) and through CQL with default cassandra-cassandra credentials

modules/cassandra/src/main/java/org/testcontainers/cassandra/CassandraDatabaseDelegate.java

@@ -28,13 +28,13 @@ protected Void createNewConnection() {
         return null;
     }
 
-    @Override
     public void execute(
         String statement,
         String scriptPath,
         int lineNumber,
         boolean continueOnError,
-        boolean ignoreFailedDrops
+        boolean ignoreFailedDrops,
+        boolean silentErrorLogs
     ) {
         try {
             // Use cqlsh command directly inside the container to execute statements
@@ -45,6 +45,9 @@ public void execute(
                 CassandraContainer cassandraContainer = (CassandraContainer) this.container;
                 String username = cassandraContainer.getUsername();
                 String password = cassandraContainer.getPassword();
+                if (cassandraContainer.isSslRequired()) {
+                    cqlshCommand = ArrayUtils.add(cqlshCommand, "--ssl");
+                }
                 cqlshCommand = ArrayUtils.addAll(cqlshCommand, "-u", username, "-p", password);
             }
 
@@ -67,14 +70,27 @@ public void execute(
                     log.info("CQL statement {} was applied", statement);
                 }
             } else {
-                log.error("CQL script execution failed with error: \n{}", result.getStderr());
+                if (!silentErrorLogs) {
+                    log.error("CQL script execution failed with error: \n{}", result.getStderr());
+                }
                 throw new ScriptStatementFailedException(statement, lineNumber, scriptPath);
             }
         } catch (IOException | InterruptedException e) {
             throw new ScriptStatementFailedException(statement, lineNumber, scriptPath, e);
         }
     }
 
+    @Override
+    public void execute(
+        String statement,
+        String scriptPath,
+        int lineNumber,
+        boolean continueOnError,
+        boolean ignoreFailedDrops
+    ) {
+        this.execute(statement, scriptPath, lineNumber, continueOnError, ignoreFailedDrops, false);
+    }
+
     @Override
     protected void closeConnectionQuietly(Void session) {
         // Nothing to do here, because we run scripts using cqlsh command directly in the container.

modules/cassandra/src/main/java/org/testcontainers/cassandra/CassandraQueryWaitStrategy.java

@@ -1,5 +1,7 @@
 package org.testcontainers.cassandra;
 
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.rnorth.ducttape.TimeoutException;
 import org.testcontainers.containers.ContainerLaunchException;
 import org.testcontainers.containers.wait.strategy.AbstractWaitStrategy;
@@ -12,6 +14,7 @@
 /**
  * Waits until Cassandra returns its version
  */
+@Slf4j
 public class CassandraQueryWaitStrategy extends AbstractWaitStrategy {
 
     private static final String SELECT_VERSION_QUERY = "SELECT release_version FROM system.local";
@@ -29,7 +32,15 @@ protected void waitUntilReady() {
                     getRateLimiter()
                         .doWhenReady(() -> {
                             try (DatabaseDelegate databaseDelegate = getDatabaseDelegate()) {
-                                databaseDelegate.execute(SELECT_VERSION_QUERY, "", 1, false, false);
+                                log.info("Checking connection is ready...");
+                                ((CassandraDatabaseDelegate) databaseDelegate).execute(
+                                        SELECT_VERSION_QUERY,
+                                        StringUtils.EMPTY,
+                                        1,
+                                        false,
+                                        false,
+                                        true
+                                    );
                             }
                         });
                     return true;

modules/cassandra/src/main/resources/cqlshrc

@@ -0,0 +1,7 @@
+[ssl]
+certfile = ssl/user_cert.pem
+usercert = ssl/user_cert.pem
+userkey = ssl/user_key.pem
+
+[connection]
+factory = cqlshlib.ssl.ssl_transport_factory

modules/cassandra/src/test/java/org/testcontainers/cassandra/CassandraContainerTest.java

@@ -1,18 +1,30 @@
 package org.testcontainers.cassandra;
 
 import com.datastax.oss.driver.api.core.CqlSession;
+import com.datastax.oss.driver.api.core.CqlSessionBuilder;
+import com.datastax.oss.driver.api.core.config.DefaultDriverOption;
+import com.datastax.oss.driver.api.core.config.DriverConfigLoader;
+import com.datastax.oss.driver.api.core.config.ProgrammaticDriverConfigLoaderBuilder;
+import com.datastax.oss.driver.api.core.context.DriverContext;
 import com.datastax.oss.driver.api.core.cql.ResultSet;
 import com.datastax.oss.driver.api.core.cql.Row;
+import com.datastax.oss.driver.api.core.session.ProgrammaticArguments;
+import com.datastax.oss.driver.internal.core.context.DefaultDriverContext;
+import com.datastax.oss.driver.internal.core.ssl.DefaultSslEngineFactory;
 import org.junit.jupiter.api.Test;
+import org.testcontainers.containers.Container;
 import org.testcontainers.containers.ContainerLaunchException;
 import org.testcontainers.utility.DockerImageName;
 
+import java.net.URL;
+
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.assertj.core.api.Assertions.fail;
 
 class CassandraContainerTest {
 
-    private static final String CASSANDRA_IMAGE = "cassandra:3.11.2";
+    private static final String CASSANDRA_IMAGE = "cassandra:3.11.15";
 
     private static final String TEST_CLUSTER_NAME_IN_CONF = "Test Cluster Integration Test";
 
@@ -21,7 +33,7 @@ class CassandraContainerTest {
     @Test
     void testSimple() {
         try ( // container-definition {
-            CassandraContainer cassandraContainer = new CassandraContainer("cassandra:3.11.2")
+            CassandraContainer cassandraContainer = new CassandraContainer(CASSANDRA_IMAGE)
             // }
         ) {
             cassandraContainer.start();
@@ -61,6 +73,69 @@ void testConfigurationOverride() {
         }
     }
 
+    @Test
+    public void testWithSslClientConfig() {
+        /*
+        Commands executed to generate certificates in 'cassandra-ssl-configuration' directory:
+        keytool -genkey -keyalg RSA -validity 36500 -alias localhost -keystore keystore.p12 -storepass cassandra \
+            -keypass cassandra -dname "CN=localhost, OU=Testcontainers, O=Testcontainers, L=None, C=None"
+        keytool -export -alias localhost -file cassandra.cer -keystore keystore.p12
+        keytool -import -v -trustcacerts -alias localhost -file cassandra.cer -keystore truststore.p12
+
+        Commands executed to generate the client certificate and key in 'client-ssl' directory:
+        keytool -importkeystore -srckeystore keystore.p12 -destkeystore test_node.p12 -deststoretype PKCS12 \
+            -srcstorepass cassandra -deststorepass cassandra
+        openssl pkcs12 -in test_node.p12 -nokeys -out cassandra.cer.pem -passin pass:cassandra
+        openssl pkcs12 -in test_node.p12 -nodes -nocerts -out cassandra.key.pem -passin pass:cassandra
+
+        Reference:
+        https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureSSLCertificates.html
+        https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureCqlshSSL.html
+        */
+        try (
+            // with-ssl-config {
+            CassandraContainer cassandraContainer = new CassandraContainer(CASSANDRA_IMAGE)
+                .withConfigurationOverride("cassandra-ssl-configuration")
+                .withSsl("client-ssl/cassandra.cer.pem", "client-ssl/cassandra.key.pem")
+            // }
+        ) {
+            cassandraContainer.start();
+            try {
+                ResultSet resultSet = performQueryWithSslClientConfig(
+                    cassandraContainer,
+                    "SELECT cluster_name FROM system.local"
+                );
+                assertThat(resultSet.wasApplied()).as("Query was applied").isTrue();
+                assertThat(resultSet.one().getString(0))
+                    .as("Cassandra configuration is configured with secured connection")
+                    .isEqualTo(TEST_CLUSTER_NAME_IN_CONF);
+            } catch (Exception e) {
+                fail(e);
+            }
+        }
+    }
+
+    @Test
+    public void testSimpleSslCqlsh() {
+        try (
+            CassandraContainer cassandraContainer = new CassandraContainer(CASSANDRA_IMAGE)
+                .withConfigurationOverride("cassandra-ssl-configuration")
+                .withSsl("client-ssl/cassandra.cer.pem", "client-ssl/cassandra.key.pem")
+        ) {
+            cassandraContainer.start();
+
+            Container.ExecResult execResult = cassandraContainer.execInContainer(
+                "cqlsh",
+                "--ssl",
+                "-e",
+                "SELECT * FROM system_schema.keyspaces;"
+            );
+            assertThat(execResult.getStdout()).contains("keyspace_name");
+        } catch (Exception e) {
+            fail(e);
+        }
+    }
+
     @Test
     void testEmptyConfigurationOverride() {
         try (
@@ -164,6 +239,31 @@ private ResultSet performQueryWithAuth(CassandraContainer cassandraContainer, St
         return performQuery(cqlSession, cql);
     }
 
+    private ResultSet performQueryWithSslClientConfig(CassandraContainer cassandraContainer, String cql) {
+        final ProgrammaticDriverConfigLoaderBuilder driverConfigLoaderBuilder = DriverConfigLoader.programmaticBuilder();
+        driverConfigLoaderBuilder.withBoolean(DefaultDriverOption.SSL_HOSTNAME_VALIDATION, false);
+        final URL trustStoreUrl =
+            this.getClass().getClassLoader().getResource("cassandra-ssl-configuration/truststore.p12");
+        driverConfigLoaderBuilder.withString(DefaultDriverOption.SSL_TRUSTSTORE_PATH, trustStoreUrl.getFile());
+        driverConfigLoaderBuilder.withString(DefaultDriverOption.SSL_TRUSTSTORE_PASSWORD, "cassandra");
+        final URL keyStoreUrl =
+            this.getClass().getClassLoader().getResource("cassandra-ssl-configuration/keystore.p12");
+        driverConfigLoaderBuilder.withString(DefaultDriverOption.SSL_KEYSTORE_PATH, keyStoreUrl.getFile());
+        driverConfigLoaderBuilder.withString(DefaultDriverOption.SSL_KEYSTORE_PASSWORD, "cassandra");
+        final DriverContext driverContext = new DefaultDriverContext(
+            driverConfigLoaderBuilder.build(),
+            ProgrammaticArguments.builder().build()
+        );
+
+        final CqlSessionBuilder sessionBuilder = CqlSession.builder();
+        final CqlSession cqlSession = sessionBuilder
+            .addContactPoint(cassandraContainer.getContactPoint())
+            .withLocalDatacenter(cassandraContainer.getLocalDatacenter())
+            .withSslEngineFactory(new DefaultSslEngineFactory(driverContext))
+            .build();
+        return performQuery(cqlSession, cql);
+    }
+
     private ResultSet performQuery(CqlSession session, String cql) {
         final ResultSet rs = session.execute(cql);
         session.close();