From 00c1cc15cb7320623f8e1fa0ed884a9e48c17f7d Mon Sep 17 00:00:00 2001 From: ShuNing Date: Thu, 27 Feb 2020 17:51:46 +0800 Subject: [PATCH] *: add test for online reload new TLS certificates (#2162) 
Signed-off-by: nolouch --- client/base_client.go | 2 +- pkg/grpcutil/grpcutil.go | 10 +- tests/client/cert-expired/ca-config.json | 27 +++ tests/client/cert-expired/ca-csr.json | 18 ++ tests/client/cert-expired/ca-key.pem | 27 +++ tests/client/cert-expired/ca.csr | 16 ++ tests/client/cert-expired/ca.pem | 22 ++ tests/client/cert-expired/client-key.pem | 27 +++ tests/client/cert-expired/client.csr | 16 ++ tests/client/cert-expired/client.pem | 21 ++ tests/client/cert-expired/gencerts.sh | 18 ++ tests/client/cert-expired/pd-server-key.pem | 27 +++ tests/client/cert-expired/pd-server.csr | 16 ++ tests/client/cert-expired/pd-server.pem | 22 ++ tests/client/cert/ca-config.json | 27 +++ tests/client/cert/ca-csr.json | 18 ++ tests/client/cert/ca-key.pem | 27 +++ tests/client/cert/ca.csr | 16 ++ tests/client/cert/ca.pem | 22 ++ tests/client/cert/client-key.pem | 27 +++ tests/client/cert/client.csr | 16 ++ tests/client/cert/client.pem | 21 ++ tests/client/cert/gencerts.sh | 18 ++ tests/client/cert/pd-server-key.pem | 27 +++ tests/client/cert/pd-server.csr | 16 ++ tests/client/cert/pd-server.pem | 22 ++ tests/client/client_tsl_test.go | 246 ++++++++++++++++++++ 27 files changed, 767 insertions(+), 5 deletions(-) create mode 100644 tests/client/cert-expired/ca-config.json create mode 100644 tests/client/cert-expired/ca-csr.json create mode 100644 tests/client/cert-expired/ca-key.pem create mode 100644 tests/client/cert-expired/ca.csr create mode 100644 tests/client/cert-expired/ca.pem create mode 100644 tests/client/cert-expired/client-key.pem create mode 100644 tests/client/cert-expired/client.csr create mode 100644 tests/client/cert-expired/client.pem create mode 100755 tests/client/cert-expired/gencerts.sh create mode 100644 tests/client/cert-expired/pd-server-key.pem create mode 100644 tests/client/cert-expired/pd-server.csr create mode 100644 tests/client/cert-expired/pd-server.pem create mode 100644 tests/client/cert/ca-config.json create mode 100644 
tests/client/cert/ca-csr.json
 create mode 100644 tests/client/cert/ca-key.pem
 create mode 100644 tests/client/cert/ca.csr
 create mode 100644 tests/client/cert/ca.pem
 create mode 100644 tests/client/cert/client-key.pem
 create mode 100644 tests/client/cert/client.csr
 create mode 100644 tests/client/cert/client.pem
 create mode 100755 tests/client/cert/gencerts.sh
 create mode 100644 tests/client/cert/pd-server-key.pem
 create mode 100644 tests/client/cert/pd-server.csr
 create mode 100644 tests/client/cert/pd-server.pem
 create mode 100644 tests/client/client_tsl_test.go
diff --git a/client/base_client.go b/client/base_client.go
index 9884a1bb22b..9916f459acb 100644
--- a/client/base_client.go
+++ b/client/base_client.go
@@ -260,7 +260,7 @@ func (c *baseClient) getOrCreateGRPCConn(addr string) (*grpc.ClientConn, error)
 tlsCfg, err := grpcutil.SecurityConfig{
 CAPath: c.security.CAPath,
 CertPath: c.security.CertPath,
- KeyPath: c.security.CertPath,
+ KeyPath: c.security.KeyPath,
 }.ToTLSConfig()
 if err != nil {
 return nil, errors.WithStack(err)
diff --git a/pkg/grpcutil/grpcutil.go b/pkg/grpcutil/grpcutil.go
index 720a7a8eff7..f536731ce7f 100644
--- a/pkg/grpcutil/grpcutil.go
+++ b/pkg/grpcutil/grpcutil.go
@@ -31,7 +31,8 @@ type SecurityConfig struct {
 // CertPath is the path of file that contains X509 certificate in PEM format.
 CertPath string `toml:"cert-path" json:"cert-path"`
 // KeyPath is the path of file that contains X509 key in PEM format.
- KeyPath string `toml:"key-path" json:"key-path"`
+ KeyPath string `toml:"key-path" json:"key-path"`
+ ClientCertAuth bool `toml:"client-cert-auth" json:"client-cert-auth"`
 }
 
 // ToTLSConfig generatres tls config.
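Review bot: The new `ClientCertAuth` field is the only member of `SecurityConfig` without a doc comment, while the neighbouring `CertPath` and `KeyPath` each carry one; since it is exposed as the user-facing `toml:"client-cert-auth"` option, the struct should say what turning it on does. I would add, above the field, `// ClientCertAuth, when true, makes the server require and verify a client certificate issued by the CA in CAPath.`, with the wording confirmed against wherever the value is actually consumed, since this hunk only declares it. It would also help to state that the flag has no meaning on the client side, where the same struct is built in client/base_client.go.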
@@ -40,9 +41,10 @@ func (s SecurityConfig) ToTLSConfig() (*tls.Config, error) {
 return nil, nil
 }
 tlsInfo := transport.TLSInfo{
- CertFile: s.CertPath,
- KeyFile: s.KeyPath,
- TrustedCAFile: s.CAPath,
+ CertFile: s.CertPath,
+ KeyFile: s.KeyPath,
+ TrustedCAFile: s.CAPath,
+ ClientCertAuth: s.ClientCertAuth,
 }
 tlsConfig, err := tlsInfo.ClientConfig()
 if err != nil {
diff --git a/tests/client/cert-expired/ca-config.json b/tests/client/cert-expired/ca-config.json
new file mode 100644
index 00000000000..30cc837100e
--- /dev/null
+++ b/tests/client/cert-expired/ca-config.json
@@ -0,0 +1,27 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "7m"
+ },
+ "profiles": {
+ "server": {
+ "expiry": "7m",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth",
+ "client auth"
+ ]
+ },
+ "client": {
+ "expiry": "7m",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "client auth"
+ ]
+ }
+ }
+ }
+}
+
diff --git a/tests/client/cert-expired/ca-csr.json b/tests/client/cert-expired/ca-csr.json
new file mode 100644
index 00000000000..8be8f743fe2
--- /dev/null
+++ b/tests/client/cert-expired/ca-csr.json
@@ -0,0 +1,18 @@
+{
+ "CN": "My own CA",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "CN",
+ "L": "Beijing",
+ "O": "Pingcap",
+ "ST": "Beijing"
+ }
+ ],
+ "ca":{
+ "expiry": "87600h"
+ }
+}
diff --git a/tests/client/cert-expired/ca-key.pem b/tests/client/cert-expired/ca-key.pem
new file mode 100644
index 00000000000..2d8258dbcdc
--- /dev/null
+++ b/tests/client/cert-expired/ca-key.pem
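Review bot: `ToTLSConfig` now copies `ClientCertAuth` into `transport.TLSInfo` but still returns `tlsInfo.ClientConfig()`; in the etcd transport package, as far as I recall, that field is consulted only by `ServerConfig()` (where it sets `tls.RequireAndVerifyClientCert`), so a server built from this config would not actually demand a client certificate and `client-cert-auth = true` would be silently ignored. This should be confirmed against the vendored etcd version; if it holds, the server-side caller needs either `tlsInfo.ServerConfig()` or an explicit `tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert` when `s.ClientCertAuth` is set, and the new test should assert that a connection presenting no client certificate is rejected. `ToTLSConfig` begins and ends outside this hunk.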
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA3wh9AXig75uVYTj27ZuT+GbcPYN1ue0iH5MK9kqeiDUFOAJM +7BB+j3+RWbbTv/CAO4Gdhe8wIhNa67uoOqfNr5A4FcqgOboO+H59PC1yDNISCoGO +4fr3DSVTT5jWQ03R26e15/lxUGZDkf43NIOlo5PlHYYo7f7pCHJaYQ9U3ZnF393k +TMyoB0MpBflupbMPYLdn++0ND0W2MpWhmFTih1FL5JJ6/PlKqzVHFFNqGIyUGHC9 +XnX9jk3v86NJ0WkTBj6mOim6lmQOga1CAsD2O15fLI8S8py2jn0SWT6NDgh6S09Y +Sj5LRZkOwLkBpgBgg/MpchBeN/TmBX5jKNlYpwIDAQABAoIBAQCPEonmPLS4oEy2 +Pm2gxPGqIonb6A3IRIdkS9Z3YizKYYDEii1ALeCSOxpJu8+gTC5mfeJH/cUZxuLH +X+0uG2EF43Um/YHFJkbeP34k8V49PTEXjj7TVkPPKgeEgx3HtQ8PYkl90vVOxxtH +dxWA2YaTJZePVfXBnolswraZltUxBXYyrTJZafMrx26Ik6vdjpiS4vP+FejaS/Mq ++JbIUL3iQzYKrQ+EsBG6qjJUZ1gI1q+L+h5bBZHyTUblV/erZ1zlxvkZ1MPGDJ0Z +blR5TDQrQ6Mol5neAUV5GxG8ZdktJMLYFel+g3pmx5ulklza+PIDFOTLcXpwS5ws +LyxZQZdpAoGBAOYwQvXg7FYUjE0fhCjZQFgMYMSkl0LigOOlm8xA+gT20R7MoVYB +LvIG6AfC13t7BZ5Vi/yrbELDnkhc+H8FlKHj3JwapPzH9L94IXAELf+PigsKsJos +p3dpKh4SQ9+SjaW0mLhmYFO15bta6blzIdUgQoLjU//2K+fszPTb+LglAoGBAPgK +05YB2P9Jn4ROQURzlZB6EIIl7urnUMg0mO4KPKfA2u3bXXQb/8uocvI5ZAj3/D/o +FslTuQW4pfciovFn+jfTvZMVr2SsJMTPX154ekTFBzCfzZ0ihT/crnotkKW7EIkp +XQLQbiGvfI5aZ4YhgP0ZyOxc+PH48dfA4JVGdz3bAoGBAKIt0p+lzx1+8LLNx7F4 +D4t5fRxO0nu/VgwN/EzWYtDojMHkbq9Huimvj/8X2fYX4QeDQlPM+0O2y2g0iKgF +6Ih/IEmjxCaNQvU70GM5rqbmHN5Ws8KMP5k0MQZq3ANDICVlrkwNZUTVXXy5Ov78 +DRQ53GKXg/FNIfYPsv+5k+05AoGAFVmRNsM381lZ8qBtu7+bKxFmpF0xgGSirmjg +lPSqneHatkiAdcMHNHduVW0dMCxwOOv4MiITtetb1bbUgaTqg62lDqj6LNcoXwxe +cBo8o/i1krjekNzszT9ogTm0zp8YYEYALILWR+378aDUclYl7SMwCTBDeUhtQJ3o +dtDW6KsCgYEAhgUxBk8VZnqnZVweB34ITfTDfCCR6W8uyhZhP1b51CRx1wARw08p +G7fEKFdagRH02GHlynJoglmUhjaIireT0or7ONW0oQ8IEU8gmeQe5UP4IwSJ0rH8 +7z+IJEWDwpUTr/1mWGkJDZS0vJZVF6V46tm6aowyDs80W5rX/uwTV1k= +-----END RSA PRIVATE KEY----- diff --git a/tests/client/cert-expired/ca.csr b/tests/client/cert-expired/ca.csr new file mode 100644 index 00000000000..f98ea92fd8f --- /dev/null +++ b/tests/client/cert-expired/ca.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAO +BgNVBAcTB0JlaWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93 +biBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN8IfQF4oO+blWE4 +9u2bk/hm3D2DdbntIh+TCvZKnog1BTgCTOwQfo9/kVm207/wgDuBnYXvMCITWuu7 +qDqnza+QOBXKoDm6Dvh+fTwtcgzSEgqBjuH69w0lU0+Y1kNN0duntef5cVBmQ5H+ +NzSDpaOT5R2GKO3+6QhyWmEPVN2Zxd/d5EzMqAdDKQX5bqWzD2C3Z/vtDQ9FtjKV +oZhU4odRS+SSevz5Sqs1RxRTahiMlBhwvV51/Y5N7/OjSdFpEwY+pjopupZkDoGt +QgLA9jteXyyPEvKcto59Elk+jQ4IektPWEo+S0WZDsC5AaYAYIPzKXIQXjf05gV+ +YyjZWKcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAcAsP2Ix4UcioZi1QZoQUH +OajonLUFbbCjmVdV8cTWZpAXje1sh/cKzI5jxmlw7BF4J+m206Cb7/vFM+WtL5Qt +kDyVInnuuXsP+7VUEzdchJlarFk5KMkOz9dl3AxXyXwxi4aoMOLpcC8Ye0Emq7bt +aG17jmf3eQLnhyhdzrob9dGDWyRDHI29fI0kiPGu5wciJLW8RiOdeMdquwrkx3n3 +FUkGU1d26S/FXR4UMz6iw530JBgp1mDmU3bY5GmtFN2OpURYa3pogwtJ+bjddhSS +NrhOsDnkUdvfQkGz9VR6Vyk9c1kkmLLzfMU2iY4KQiTCPDT/Yaq5JEqG0e1Sl/Ag +-----END CERTIFICATE REQUEST----- diff --git a/tests/client/cert-expired/ca.pem b/tests/client/cert-expired/ca.pem new file mode 100644 index 00000000000..0955ceb1e5d --- /dev/null +++ b/tests/client/cert-expired/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIUPbO/J5qmPTaZBDU6gTnWq1iCUPMwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93biBDQTAeFw0y +MDAyMjcwMzUxMDBaFw0zMDAyMjQwMzUxMDBaMFcxCzAJBgNVBAYTAkNOMRAwDgYD +VQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMRAwDgYDVQQKEwdQaW5nY2Fw +MRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDfCH0BeKDvm5VhOPbtm5P4Ztw9g3W57SIfkwr2Sp6INQU4AkzsEH6Pf5FZ +ttO/8IA7gZ2F7zAiE1rru6g6p82vkDgVyqA5ug74fn08LXIM0hIKgY7h+vcNJVNP +mNZDTdHbp7Xn+XFQZkOR/jc0g6Wjk+Udhijt/ukIclphD1TdmcXf3eRMzKgHQykF ++W6lsw9gt2f77Q0PRbYylaGYVOKHUUvkknr8+UqrNUcUU2oYjJQYcL1edf2OTe/z +o0nRaRMGPqY6KbqWZA6BrUICwPY7Xl8sjxLynLaOfRJZPo0OCHpLT1hKPktFmQ7A +uQGmAGCD8ylyEF439OYFfmMo2VinAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSktUF7xrXV//2h1KeL6I1VXejz +8jAfBgNVHSMEGDAWgBSktUF7xrXV//2h1KeL6I1VXejz8jANBgkqhkiG9w0BAQsF +AAOCAQEAJRus+wyu9bJCaISJtKa4Et/tfhguW0H3V29/8yby38pO8YLwR2p8/5jz +ciL8xSyEhOp9y6YDZTyeO5pLCaJZ2H53BizM/e/wJz+J5apkFOWFyACO9dl924w1 +1d47kbXXv7TNm16fY9ja3ss85MdazeH5OKnvAMlapltylJhVd8uCCRx5GdFvFbim +UtzR1qirP+uOhF8tYbsGYS1mzsJKCXe3TENkKIsvrPWTtbEvAvDJLqXFTsFEdCF8 +JGLjg/BXawVOY/RAVfjnWMgFjP0SY8itIfbjUPYfwPzUKkKYbH3/MZzoiSkutmJW +Z/qj9gWY5UovzwzaWde/FrNiaiJGdQ== +-----END CERTIFICATE----- diff --git a/tests/client/cert-expired/client-key.pem b/tests/client/cert-expired/client-key.pem new file mode 100644 index 00000000000..af8a06d6b93 --- /dev/null +++ b/tests/client/cert-expired/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAo92Lb5C+BcSxfjEnYAlaJycaA8+acuElRV3VKgWzLzWpvjfU +6cpTwhNYEYDqx9DbLwsdmz3IE+V6MncI/jHtqmKYgJ0uTO80dcCWj8Ej5NZBmtw6 +fJkcO535caO/dzywWY/O6claTNF3mBTVTirVc7lUccmqQUfrHEZYeQNvrAlSZN5n +ToHaJgU52UpbO1rl43A9fgTD9OSAWPjCgOrJgnXiDBOUV2lNO00xTTyKhAw311C+ +ALI6juHDcpEdOgawgToyDSe73QWNz4LWJ0AQc3tvwdAReTzH8iEsjxfSeg/OvWBb +yKt/UNWFhsRd3lnKci+xutgpP2dvTEZgLCdFsQIDAQABAoIBACteWiX31+Ls8NDm +L3aiYwLTvXXevxDCd7vJHr6VbZwEBt26JxaNHufReNCBHyItK6Viur44driVVmb+ +zBmCm1Up7RS1BOkFsgusIe0AAADzl79lo/EQEMHSiI9D+EuVe1Lo1alYShbkpVNR +yDZ87atIFIpdBjtqzlXYZFf6ydZs4L/noVxqXqgkzUi4v+1QPFMO+dDcsoxFWM8R +42pCndEmXSxfSW8WkB+yeh++/3hGNmqTL8rVVI2So+JXC/3eSRgMsB+T+zzs7Ltu +fBpyAzkULT1TOk70nqXKN5mJMXVs4mtSS5Fog/pOL0s6IMh0rb/kSGsPY1pmXVyk +L7p9DiUCgYEAziWIf7oR4x6tABjPArpZzDcWoPSYxHAvf4Vq/7E3jpOnopYfGHZ5 +Lyc23EyFELi8beD69u9B4p9b8jIJH2lzhKsAz3BAeLEPLkNmJTzsBtcKQmJIp5TH +fR3S0ylFLJfI+1i03b8stE7Ybs901Gbiz97n0W5mD7H/61cuKLwbtscCgYEAy35l +fItz8usDyAYWDs9QkdbO4D12g/Q61t/SvSB2Z+/4DmPWrEibeETIty2oLpOot97Y +GMZ5fRJK81ip50dPMMLv3dle46LcYx0iO5Cxf5DowJrASV/+mpjm4XtrMz1DPdWR +Zkdsj0ABOi0zpEpagU30s/Tle12HhGKlDx69R8cCgYEAuMatxgcLd2+Mk/SowQI1 +8TVDpDv6HsGL4Zq+ILhBWxwAe1xiPPQchWZ55xbzgtyDkV3CtcoZXT+IE9xDjxNf +RwBcNpOgRk42lDo3eZNU4ICpon0kMInMEdrEmR958JGQxbJqVATC1k+B8jkjuCsM +jFR5p6Bz/QeIo/K93idWFAsCgYEAkfbDExfwfqFG4BZFgjAAyet8DurndPUds31u +60w6wokltCS3GnMmWZl1I7ezOF2gGuvUs8jB4g3aBz1k+clzqzVY2xgNcVkjnlCK +epFqUGeAHI+kN72MohXlHn3pwiJCdjsYBXZcD1DI0JMVxNW0n6VsThzu8pN/Hl2n +qfXRrYcCgYEAgzW0DgQHU3BYuBVkgn/uZoyanJGaFQQDh6UAX/ATIZ0p3kG5ASr7 +z1oaVVRKv7XdJq+BjRGN1DdmPupRZI1GPKtpD++zhJ5mIJOMNWSMP5+jn7Y+DJAx +IMEgGrYuGiQbMq8hZt6WyC5g3/UCK+j+ag8vXp5snnJOYo/pKuklDxM= +-----END RSA PRIVATE KEY----- diff --git a/tests/client/cert-expired/client.csr b/tests/client/cert-expired/client.csr new file mode 100644 index 00000000000..eddbcd27513 --- /dev/null +++ b/tests/client/cert-expired/client.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICdDCCAVwCAQAwETEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAo92Lb5C+BcSxfjEnYAlaJycaA8+acuElRV3VKgWzLzWp +vjfU6cpTwhNYEYDqx9DbLwsdmz3IE+V6MncI/jHtqmKYgJ0uTO80dcCWj8Ej5NZB +mtw6fJkcO535caO/dzywWY/O6claTNF3mBTVTirVc7lUccmqQUfrHEZYeQNvrAlS +ZN5nToHaJgU52UpbO1rl43A9fgTD9OSAWPjCgOrJgnXiDBOUV2lNO00xTTyKhAw3 +11C+ALI6juHDcpEdOgawgToyDSe73QWNz4LWJ0AQc3tvwdAReTzH8iEsjxfSeg/O +vWBbyKt/UNWFhsRd3lnKci+xutgpP2dvTEZgLCdFsQIDAQABoB4wHAYJKoZIhvcN +AQkOMQ8wDTALBgNVHREEBDACggAwDQYJKoZIhvcNAQELBQADggEBAH0WbgQ3vny+ +Axtki5uoz5mGezM8CZT13nR6G66p00Lo9HM0H3hPyScnbyX0D2OymvzmSr/CcsYQ +P/r9nJ9vCtUDbkxSypSacgzwfRwpTFuF9prj39BdyDUrDD7Y3oGhr+6SBI7zk6dB +L4zSX0BcTiXDvKtgMgPGAj0H+JcnHNvjJuMCQE3UEVCfKu8jqNtOXY5gbTdNZJKC +64vG7+nbQBjctNOEPyEtWR2r7jYKBjvBjR80uImXQ/mB/Ka5FfQ0l403gDg6837P +3wWyLd5c8xxPBCFmWv/rwwb5/myT5V4+ozAmFnyyFl/LjAwlcJtypN8wsFTrnpyB +xNkKWnuu0Z0= +-----END CERTIFICATE REQUEST----- diff --git a/tests/client/cert-expired/client.pem b/tests/client/cert-expired/client.pem new file mode 100644 index 00000000000..707c7afc45e --- /dev/null +++ b/tests/client/cert-expired/client.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDejCCAmKgAwIBAgIUc2EiY1NOtJN/411QByfHK/I6eMcwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93biBDQTAeFw0y +MDAyMjcwMzUxMDBaFw0yMDAyMjcwMzU4MDBaMBExDzANBgNVBAMTBmNsaWVudDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPdi2+QvgXEsX4xJ2AJWicn +GgPPmnLhJUVd1SoFsy81qb431OnKU8ITWBGA6sfQ2y8LHZs9yBPlejJ3CP4x7api +mICdLkzvNHXAlo/BI+TWQZrcOnyZHDud+XGjv3c8sFmPzunJWkzRd5gU1U4q1XO5 +VHHJqkFH6xxGWHkDb6wJUmTeZ06B2iYFOdlKWzta5eNwPX4Ew/TkgFj4woDqyYJ1 +4gwTlFdpTTtNMU08ioQMN9dQvgCyOo7hw3KRHToGsIE6Mg0nu90Fjc+C1idAEHN7 +b8HQEXk8x/IhLI8X0noPzr1gW8irf1DVhYbEXd5ZynIvsbrYKT9nb0xGYCwnRbEC +AwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIw +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUWJpKaemXoYL7mQFflkeejKsYHaUwHwYD +VR0jBBgwFoAUpLVBe8a11f/9odSni+iNVV3o8/IwCwYDVR0RBAQwAoIAMA0GCSqG +SIb3DQEBCwUAA4IBAQAa6qNPFuIcDEXFXVqkiqehDwWn5vhSvTRCBP4fHsuUC9GZ +8L/ymED0DlwuWlxREeT4FV4OYda4QLLzcsyDGJYkYCwb6QNAgnrm54THxCWcP5nq +KgGIQtJKA0ML9doDMjLU9BbPYj+SFI6A7lzHDoT9Qq9o7n+Ef8idSJOWjr4OY9G7 +udlnEL/HvB/E4yfBcjxCzIV8EGU+aQHtisQpxAcDxqSpCzGjedZ7zZSg/4Y3KzzD +deVVRO7GHt1fGEQUfop5L5IIPHgqIjO/wKdXe+A0UaoLzz3JJL5xymSBiRGt2dIJ +WZRbIDYCumtIzwoILIvAmAJZVHimvWBV39yiVT4R +-----END CERTIFICATE----- diff --git a/tests/client/cert-expired/gencerts.sh b/tests/client/cert-expired/gencerts.sh new file mode 100755 index 00000000000..96dadfa3686 --- /dev/null +++ b/tests/client/cert-expired/gencerts.sh 
@@ -0,0 +1,18 @@
+#!/bin/bash
+if ! [[ "$0" =~ "./gencerts.sh" ]]; then
+ echo "must be run from 'cert-expired'"
+ exit 255
+fi
+
+if ! which cfssl; then
+ echo "cfssl is not installed"
+ exit 255
+fi
+
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
+
+# pd-server
+echo '{"CN":"pd-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="localhost,127.0.0.1" - | cfssljson -bare pd-server
+
+# client
+echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client -hostname="" - | cfssljson -bare client
diff --git a/tests/client/cert-expired/pd-server-key.pem b/tests/client/cert-expired/pd-server-key.pem
new file mode 100644
index 00000000000..2914cb03b3f
--- /dev/null
+++ b/tests/client/cert-expired/pd-server-key.pem
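Review bot: Re-running this script silently changes what the expired-certificate test exercises: `ca-config.json` in this directory signs leaves with `"expiry": "7m"`, so freshly generated certificates are valid for seven minutes and only become "expired" afterwards, and a test run right after regeneration would fail or pass for the wrong reason. A header comment should make that explicit, e.g. `# Fixtures for the expired-certificate test: leaf certs are signed with a 7-minute lifetime (see ca-config.json) and are therefore already expired when any test runs; do not regenerate unless the test is changed to wait or to use a fixed past date.` Two smaller points on the same script: the prerequisite check covers only `cfssl` although every pipeline also needs `cfssljson` (`command -v cfssljson >/dev/null || { echo "cfssljson is not installed"; exit 255; }`), and without `set -euo pipefail` a failing `cfssl gencert` may still let `cfssljson` overwrite the committed key and certificate files with empty output.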
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAtmzUQNZ9BqLQJWpx9V0/kRB789TQ+sO3boWpLCn2eZO6e8+f +sa22jrYp4SHG7kpgUFnQ9k+HgWO6lOesjKrB0BYqzN9y3jqvwy/A7jw4UVirSX2t +eFmRmsUjActC2Efym0lqix74ybAzr5J3K5EpbWEmJXm7wilkfT6tLud+FWqQA+k9 +M9OCAQYSVzGMrWCqcUEWJvD3l/y14ksr3ZK9wHi3r79HFJFRaO+uiUc289t3fAPJ +VJYLTnGX1HRGmbDn7Og1vQth1BYvbjKFGNeOaSlJZsnt6Wu7clF2ANYYzq+X5HuS +BRmUlHvh9LXfNnOPZfRKRRHLLPTH+ff3GjHWdQIDAQABAoIBAQCH9ZxLppAP/hA7 +kpXUVOcnaq23EImgG3X+vUdUTwIPonZ+CEPw3JMO0d1smQv2VSBrQkVnDebkHDvW +9sO3IxzHxX2oq3ClCAAu7MxRwjgHCJrAbxZ2d+r4+qwYjjEHmLfL3G+3uCGbz+L1 +m6eNpObHSnxvucah8s+eOLRCHO3vbvURAVLME8f3BG8sNH9je7EaPxS9CicYvGYu +0GTqO5PzWkZVFh6Z640prz0gtyDytaqgMXj9zpCaZa6d6gXQu/CPe6OpimBwVPFA +Lu2liQSIxcWNIlGedxm+45ancSfEMeiSRcthgMM1knuduIT+ZFje8SIY5sCQD+kG +jlvUXBuBAoGBAOtm/hhoq4FLa/PIFoUZ2t3XsUVHG9TFZ6OYCCGPV4qAVbLDcdRP +fMgSIwO5mq1etwCJaMawieUYVvj7dS7dREq8R68c9EnFdFJJ8tBu6y06ogTiGiIG +gMmM7tGEXWvFRaMsdllFLQT7OpcjxJl1NksYp0E9peNaZuaaHTlcIOm9AoGBAMZj +JfNktY5lKIrGhFu/6OV0LkXAfwMmlyxv7ARmlvOGACAIpPpDt3qdiEQAJJ1SWyzu +uf1so9uyn1Je2k0TpjKA67sSptFO3GOVFHeHO9iQ/M33+Ogp5oUvAaF47eopq3d0 +Ko0YKeu/TA/XZh2SOrvjay1URg5807qjwyoS478ZAoGAdeLaFPc2DEXtBeSKApX0 +GWzPBdaahW9me3LDf6r9OAsU37Uo6B32a2tJxa/JWlE4bDhkFDyMkgIibAXhpVqB +vLuVWoixfdA4dI074E3r0HawdKmWVLvU+xps7tfOwQ3F1fWKPyJ5bSkzKkVrSz57 +thfeirmIvdaj+Y/sWrFcejECgYEAggd8WWJZ6YH+J69kE2resH4M0iUQWrVRgou9 +K0k+iVD8BgMEdxApU1Grfb6GQSM4pWO3PhaV86rI6ElJVhmZ5iI/37ai5i+FHjQZ +XRqjLBgjyrBMUYcdE5Ayxm4nqkIzo7DdLut2lpEkvoFU6e7tVjcCCYzh+h7w+7TY +d1w4MAkCgYEAuUt5lj0pGfhOb716PG6+EEmGDVh7Q7X15idptY+SytnW1cokcxEj +t6ZhFHZbj4v1Yxs+ra42zacN3GshXWU+29ZKmGxRMYvg+qKIfTb2XM1do7ZtXrbe +HgAq/9qXGLrfsDspFzjj0DvZ66j+qP4Ptfk5ryKATrhebMNyD4r6Gj0= +-----END RSA PRIVATE KEY----- diff --git a/tests/client/cert-expired/pd-server.csr b/tests/client/cert-expired/pd-server.csr new file mode 100644 index 00000000000..4e1d3b4d136 --- /dev/null +++ b/tests/client/cert-expired/pd-server.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICdzCCAV8CAQAwFDESMBAGA1UEAxMJcGQtc2VydmVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAtmzUQNZ9BqLQJWpx9V0/kRB789TQ+sO3boWpLCn2 +eZO6e8+fsa22jrYp4SHG7kpgUFnQ9k+HgWO6lOesjKrB0BYqzN9y3jqvwy/A7jw4 +UVirSX2teFmRmsUjActC2Efym0lqix74ybAzr5J3K5EpbWEmJXm7wilkfT6tLud+ +FWqQA+k9M9OCAQYSVzGMrWCqcUEWJvD3l/y14ksr3ZK9wHi3r79HFJFRaO+uiUc2 +89t3fAPJVJYLTnGX1HRGmbDn7Og1vQth1BYvbjKFGNeOaSlJZsnt6Wu7clF2ANYY +zq+X5HuSBRmUlHvh9LXfNnOPZfRKRRHLLPTH+ff3GjHWdQIDAQABoB4wHAYJKoZI +hvcNAQkOMQ8wDTALBgNVHREEBDACggAwDQYJKoZIhvcNAQELBQADggEBAElCcTJa +65SJyeyzRFUsf6QTUUGGt5OCKQwLfUwWf1SY8h9qHWz8opBQ53hWR004kUo6TfRi +mV3wguzDYNfscBkDEITOvKMYmWpruoJtzGzVmzSE16EFI2XOrV1YRq+0s3u4gDJK +HvPdL5barh7W+NkZItr6dDGKc7tMwPrhBs7Lo4v60NM16sJQRgNIOZzaAk+e+Exx +vG6n9E8mjXW4sl1xovkcQCG6JaPLCdve3/4MD2pbZOlL8V+KtII/7T5UlgIlDkpt +fsODEeARcRUAkivjFGNIdY1VOJ9uq990vameztNecCNTMiRNNW7ObSC/2Gwbq1+f +uBUt2QfzN0+AT6U= +-----END CERTIFICATE REQUEST----- diff --git a/tests/client/cert-expired/pd-server.pem b/tests/client/cert-expired/pd-server.pem new file mode 100644 index 00000000000..a5a3534b3a9 --- /dev/null +++ b/tests/client/cert-expired/pd-server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgIUImWBDH7tmmm3XLbnnM6ursx5B4cwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93biBDQTAeFw0y +MDAyMjcwMzUxMDBaFw0yMDAyMjcwMzU4MDBaMBQxEjAQBgNVBAMTCXBkLXNlcnZl +cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZs1EDWfQai0CVqcfVd +P5EQe/PU0PrDt26FqSwp9nmTunvPn7Gtto62KeEhxu5KYFBZ0PZPh4FjupTnrIyq +wdAWKszfct46r8MvwO48OFFYq0l9rXhZkZrFIwHLQthH8ptJaose+MmwM6+SdyuR +KW1hJiV5u8IpZH0+rS7nfhVqkAPpPTPTggEGElcxjK1gqnFBFibw95f8teJLK92S +vcB4t6+/RxSRUWjvrolHNvPbd3wDyVSWC05xl9R0Rpmw5+zoNb0LYdQWL24yhRjX +jmkpSWbJ7elru3JRdgDWGM6vl+R7kgUZlJR74fS13zZzj2X0SkURyyz0x/n39xox +1nUCAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMuZjO81UxYHG3oX +8/yYst7QNWrlMB8GA1UdIwQYMBaAFKS1QXvGtdX//aHUp4vojVVd6PPyMBoGA1Ud +EQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAep91Vx/n +PLfE/HLxUpG0/CQFZ96BbR2KNmNQZ3YrDaEdiou186sT9sJ8cSW2EuumLBNggWPh +kx7zE9AjJsNhe2tYnPefpkYTr0nJKyqyR5I9qg2yWm1bzCJ0dIx8yecfCOLFZQaM +4ihcF8O8OYijlEZOwJ5QhTnNoJ23hYsg2JgkhhaQMXTDYRYQ06QGz08dBwczAOyF +AXvUDzIArRRM7ELPBGlaerBwsJNyYV6m4tpZ+SkvXspGsRQ5glf2N1zGMI+wUuyX +YTJT7ajpOhq5KO2klWw5w3nmAsCh2xZsu26z2vTCKRfs4tic+Y9N4LNONkx5wQuR +V7KQe54/wOhlGQ== +-----END CERTIFICATE----- diff --git a/tests/client/cert/ca-config.json b/tests/client/cert/ca-config.json new file mode 100644 index 00000000000..d003a0bbaba --- /dev/null +++ b/tests/client/cert/ca-config.json @@ -0,0 +1,27 @@ +{ + "signing": { + "default": { + "expiry": "87600h" + }, + "profiles": { + "server": { + "expiry": "87600h", + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ] + }, + "client": { + "expiry": "87600h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] + } + } + } +} + diff --git a/tests/client/cert/ca-csr.json b/tests/client/cert/ca-csr.json new file mode 100644 index 00000000000..8be8f743fe2 
--- /dev/null
+++ b/tests/client/cert/ca-csr.json
@@ -0,0 +1,18 @@
+{
+ "CN": "My own CA",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "CN",
+ "L": "Beijing",
+ "O": "Pingcap",
+ "ST": "Beijing"
+ }
+ ],
+ "ca":{
+ "expiry": "87600h"
+ }
+}
diff --git a/tests/client/cert/ca-key.pem b/tests/client/cert/ca-key.pem
new file mode 100644
index 00000000000..377a02bd729
--- /dev/null
+++ b/tests/client/cert/ca-key.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAyW4ndkuzRmBAy+Ur7hV6kTjcP1Fog5z+W0d6RxT9AG47S9HV +QLYuiGwib/GhkOgH6SvEOJ36Rkc1vhoskHbqdWNlaPJYWXDZrc+hHgK1AKeFSkZk +XivAW+x2yD1vj6m6m8nPerR9kG653eIpCrv6izdWFQix2yUzTxvQUR/MXyKoeD2V +5A63pLg/F2Nk/N8VW790y8Ld/4zv/z4pO+JoU015hnXuQ5Iiqf08qtzElSEwPDT6 +r2vgDc+82t3RxJ3UYznvdhyY+/4SI2J3R0n5s8NHqLum4FXIARyEB/T0mPY+0BL8 +hLKkA3F5z2xW635iO/eHK1e2CcMaeqyED4l3SwIDAQABAoIBAAKZp2zBgWjxKST4 +ql6CbHifcUhn9p9sUWRAQfXU8Ycl5SIPbV9Oer9MFg234swKEsARzpCkiWyK0sjH +cbfTsScex1pZdoaBDG5P9dZ7VnbRssjIq9cDXZJSNR5UnLIQENad/k2pMs3AgCm7 +F6iJ0KwnZLcUy6b2jfkBdOj3Lh40QG2XJLf0YV6f9d+Ib7Q6U9cC1ryjsNQDT6Y3 +b0h8SYQQyVwgStmJ8IfAB7LQuZUIHrryld1yawHERVS4AQbxhXYpqVBrzwLSx3KU +/AIhEWnfuKo90hTpJWQgo+JdvkgFTW1THbqRRJxKpLQ6XhIezosVxCh+KY6LhZYL +IoIdTJECgYEA/uTj5AcZlnxGjQDm1MMJ/ICQf8Sq41Rkkm0mgmWHnL6csQuJrASn +l/7Pj+WFvo3G17ejECGFGGR74sUnaODeAsP3IZU/dlOSPT/lJHMoq+UNSneu8vVA +6MEYHJoPDQIZX8VChi9Xm8lRJKokJn7E3S3RwFLT2FVrHWJJXQsx/q8CgYEAyk3h +xYCia+YTIjQMOhYds2HwF66a3Rp49Z55PY53PUB54jpFiIAJ/cAw3iQ6dXWW8Bmo +EBEk+nFDLeiGEg8oZWMBmc5eNwsh6kOV9UpsfLplVY/rUaeIX8XB1A+ZdBE9Q+vI +4Yy7ggF2kze4D5ijiB0vFXGIsU+Nz9Yzx59U2CUCgYEAtNF05L8wpLNWbRKVrZsK +i4g8eZbvT0L/8Wvi5J/XuxbxGxs/N7s5lLabUc4VuZ7jzwWjdH8C5tHpnG4Vze2v +MLEJsFYq5erVFAQurlPPJ1neutP6VLosqLDKRQf441Z435qU3ZHaCVaf7G2SJYjK +aMjnQhK/23iE+xxNROb7OVsCgYEAvHQUjyEnLJAk3sXRZgLYJBRlzgnPJYzVhSjd +FCS0mxCG+eECiQeNRx5T53ukIWsq8ftUfbMa2VnNFOT4j7YjEV9LTHXbejcantna +xadQrFgOscfhlC0WcvELgHoPnvm4Mp9ggAvTWGX4iWdsRMsR+2gERlt+1H2hQyzt +C1Y3eSkCgYEAgR2FO4zZ9kYYRxqoE+4oqFEleoNWbeEmb4Gtqw8A2z3+AJQGoey7 +Q/RepkYl6/HvL+Q+SDSwK8jlw4IyCgBhJ0BOvFzgMuwz0qbI+mgFCAX+ShNfdNBi +kfKH1aRftid/O2na1b3kreiJiHIAMpO1aLoF/eE3DuHlv7VcOndiSPY= +-----END RSA PRIVATE KEY----- diff --git a/tests/client/cert/ca.csr b/tests/client/cert/ca.csr new file mode 100644 index 00000000000..bc024dd984c --- /dev/null +++ b/tests/client/cert/ca.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAO +BgNVBAcTB0JlaWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93 +biBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMluJ3ZLs0ZgQMvl +K+4VepE43D9RaIOc/ltHekcU/QBuO0vR1UC2LohsIm/xoZDoB+krxDid+kZHNb4a +LJB26nVjZWjyWFlw2a3PoR4CtQCnhUpGZF4rwFvsdsg9b4+pupvJz3q0fZBuud3i +KQq7+os3VhUIsdslM08b0FEfzF8iqHg9leQOt6S4PxdjZPzfFVu/dMvC3f+M7/8+ +KTviaFNNeYZ17kOSIqn9PKrcxJUhMDw0+q9r4A3PvNrd0cSd1GM573YcmPv+EiNi +d0dJ+bPDR6i7puBVyAEchAf09Jj2PtAS/ISypANxec9sVut+Yjv3hytXtgnDGnqs +hA+Jd0sCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCBDCdUp4A66y68NhcouGdm +xYPXMiG7egVjKoW0cm47g7ezbrJsoHRZqfKaBlN0B1Z2AR6JW2Ucl7mjCeMrogwo +7I/fRbpHeFSIPXRL5puzF3Ph6t6JcLDuWpUli2wvJpGNJqaVMGiOisaWs4ewpBgU +LKUQauG8jyUzfpYp6t+MgmTVGjB3Ml92QwphXuOJfk/n73suHGfEC+eCz4gs8MVE +mR+5os4Dwj3Gnk2915iqdqVYc2YXBon9PW8DjmqPteRtL/va849mqwvsH9z3hrGS +G6zWPpnvEYcTBNfoEbtvfpnIs8pdWpRS9aGAgRcQG2iZWCKe0xKg2GKEACNeRuux +-----END CERTIFICATE REQUEST----- diff --git a/tests/client/cert/ca.pem b/tests/client/cert/ca.pem new file mode 100644 index 00000000000..da30c587eeb --- /dev/null +++ b/tests/client/cert/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIUak+RvdkfgpVX031HzHU6pgdAaDgwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93biBDQTAeFw0y +MDAyMjcwMzU1MDBaFw0zMDAyMjQwMzU1MDBaMFcxCzAJBgNVBAYTAkNOMRAwDgYD +VQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMRAwDgYDVQQKEwdQaW5nY2Fw +MRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDJbid2S7NGYEDL5SvuFXqRONw/UWiDnP5bR3pHFP0AbjtL0dVAti6IbCJv +8aGQ6AfpK8Q4nfpGRzW+GiyQdup1Y2Vo8lhZcNmtz6EeArUAp4VKRmReK8Bb7HbI +PW+Pqbqbyc96tH2Qbrnd4ikKu/qLN1YVCLHbJTNPG9BRH8xfIqh4PZXkDrekuD8X +Y2T83xVbv3TLwt3/jO//Pik74mhTTXmGde5DkiKp/Tyq3MSVITA8NPqva+ANz7za +3dHEndRjOe92HJj7/hIjYndHSfmzw0eou6bgVcgBHIQH9PSY9j7QEvyEsqQDcXnP +bFbrfmI794crV7YJwxp6rIQPiXdLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRLJQxNGu3t0+JhN9NxsqGLb4Ne +BjAfBgNVHSMEGDAWgBRLJQxNGu3t0+JhN9NxsqGLb4NeBjANBgkqhkiG9w0BAQsF +AAOCAQEAlPSpB/o9F4MMxXAwfGLGaWhEsHAjqNWw7rxUC6Pt9aNlYj+5YlDNN1gV +IlCg7PvcdNfiRpP031QwP5EKFCAwl1O49U97N79ClCL8GRt4Kavw4ejxrKa8uI/S +IWdfIkuYQbgJWtnneNuAauNeeq4XGkqkmVYWlGs50TysFRY4HxjqWn7r6FFDKaLE +txpGpS7BX8sLBrvug9+UCeuMYBjeGSVZu5np9Fxkdy9JMKeEL1nbnXhAKOrgAWPg +pOvn3g+7ucaoLrFPtChtvHk0RNYTF+6P9PFFY5JigfQoN25hT6PciQUTOX4hasc6 +gwzBGGsFMsPdnvC03dWA2uc+a2T34w== +-----END CERTIFICATE----- diff --git a/tests/client/cert/client-key.pem b/tests/client/cert/client-key.pem new file mode 100644 index 00000000000..a20cab9d2db --- /dev/null +++ b/tests/client/cert/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzw6oKaWJmsTQ3e380k2CSj7+lMndBJoDfgkBsSWyfurfRcgf +ErmDgvp67p7ibgSHzI0kJLX+d303783etDxRZeI6WffCEdKTRhg4rNzxi9uMt4QW +2U8sQGJN0M8RRogyrGvxJQ+RQvjzuoqMTmvLB3LriXkhv0kmq2F+NZ6GnQTtPDs2 +oc2McQ2/Op3Edb84HR6f6QGc96c/CXSnQkpM3etfQLKrlaTPbklzXIZemS0Ve0as +UF6rbEaCkbnM0vuHl5s9irEAuXfz6jZuO+ss5PyXBm+rhO+mzWh1rj5fK33dwEd1 +tE4dOF+N3pgdDfoKpWtHywIrdhlejJ70XRzqTwIDAQABAoIBAQCiswiumPX0mFzr +VntIIUGU58UR00EJwZ+m5JrgwRduJU7GPYc1JnLRc9MvN8gC3Sp8MBfLhPpsmAdh +Nqqdg5wOa+KgGU/0wzuYY6X9JyviUuVSusddgJnsCZLN1jfj7VesJrF5Bq+FKawS +05WGdas2sjWkc3tyHJ/3IQeUSHnMXMxXSBeyyg6U+uPIMW32BuKj2rKNPV4hIrP6 +bllpZJF3WkSLPUOlkMnS4vUomz3u8tsLqAafmXWdZqsZMW7/ioW1RtPOswg8DtWx +i/px88A1/BOIoWNe+njg7yUS5YeTY/wzDCekTa7XiuAgJA3ZsGivn+pg8KCJCMQC +VcNGwu6BAoGBAPxjnJvxKh28nQ714OmlNrRw/bTh2d8KcDuJx0VkfAWNy/4wZwxI +qdtjQJ9YX7x5R71TuQNV39INvhpuu8KYIMvLDFm2V5gLSd8ZxbuhzccUJpKTvN8G +CjByvYCnA1KoTCbiqyBkYTXsgVoM7dn3dxJ3csYVndWtcffUod34SsDBAoGBANIF +A81lfZSFMmarhoEWeSuGZpeFzQ5cza3a2Ma/XhCwst04jYaKSZhcjsQZyI5q/wze +YKKF135q5QwBvhhNqu39Kd2VRV2Rw7WngRuGEznVDNTx740oAZMwm07RM3hxGfG6 +owQbIUn1OhsgjTSl4jXJewtgLmK6+1G5mG7sNF8PAoGANDqA3Bxp9MFlVwU2x+Ly +kSCYv+fE6E0GsKtwW0HSEGwpfK6ThI086TN+2fq1xRDr8Zfzv2bz7En/vwSPQlOs +5b9dDOuY8NPVM5/ntU5kgQAAg3CjMxvS2/fCk278VwyQxbM+anObUkdg9TubtPFq +6J1jWO58PQ2pefm8jWymO4ECgYAnRojPgItbmw0x5iHhQjKm0Rueeoc+iFxuht7D +TEZrGKBafpj48COTOrv4MFoxSBEqduvbeOwz2Am9lRXXta6hkxahOakfNoNDFXAv +lYNC7XTY3eXOoAyrWguxUa4ud/hCHIUf33L6QcH8ELpXfi4voN5B4lrKW+1j+zFm +jQW+QQKBgQDAmeLRTX5BtFCzfh+SfFIwgYZwtOyH7SBznioW1W9Gs+k80z2PEH2R +XX2F8cYTErRdK3URLPrl/YvFq7t94/1Sjy7Fx7s5Wm5LQkUNo9Z1KFGFMa4/1Ksn +bySqhC0gt+5a/Nnp8rk4O6mhqzegbaUPwLAWvXAvNedrEToalYvVpQ== +-----END RSA PRIVATE KEY----- diff --git a/tests/client/cert/client.csr b/tests/client/cert/client.csr new file mode 100644 index 00000000000..d6e9f3b9c77 --- /dev/null +++ b/tests/client/cert/client.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICdDCCAVwCAQAwETEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzw6oKaWJmsTQ3e380k2CSj7+lMndBJoDfgkBsSWyfurf +RcgfErmDgvp67p7ibgSHzI0kJLX+d303783etDxRZeI6WffCEdKTRhg4rNzxi9uM +t4QW2U8sQGJN0M8RRogyrGvxJQ+RQvjzuoqMTmvLB3LriXkhv0kmq2F+NZ6GnQTt +PDs2oc2McQ2/Op3Edb84HR6f6QGc96c/CXSnQkpM3etfQLKrlaTPbklzXIZemS0V +e0asUF6rbEaCkbnM0vuHl5s9irEAuXfz6jZuO+ss5PyXBm+rhO+mzWh1rj5fK33d +wEd1tE4dOF+N3pgdDfoKpWtHywIrdhlejJ70XRzqTwIDAQABoB4wHAYJKoZIhvcN +AQkOMQ8wDTALBgNVHREEBDACggAwDQYJKoZIhvcNAQELBQADggEBACtxEqbPkX4O +pPldiNIBZcbjuYuCiA4Clbit/XolDOQVT0oRic0kBRQwz8sZZdIsHtt6C+aYuxPU +aR88m1wnpdTySE7yl+ekofrhTaRUPjOOpV5FcFMn29m3YUeJNFBWpRgxU/RoeF6N +OzegA1pGqfcJZl2dPyH7rPniEpIDcubJ/O2MSc/XDhxkTkotRSBZezKUTkFD0UE0 +YJ2wZqGiWVkOm0FmeQCpY13NZJ1qX5rjcJECToZiDitLaxIEYo2ldFeuDBZ4bYIH +Rp1dwkMHl4n845pVJvvpYeNAT+dSbxLUj0Y5XLaVT7jl65J/PYMj1OYgT5k9xoGQ +dMw900dzQdM= +-----END CERTIFICATE REQUEST----- diff --git a/tests/client/cert/client.pem b/tests/client/cert/client.pem new file mode 100644 index 00000000000..76c17ad3e17 --- /dev/null +++ b/tests/client/cert/client.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDejCCAmKgAwIBAgIULdC74rV6hrVVBS/nosUiL2gf1BAwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93biBDQTAeFw0y +MDAyMjcwMzU1MDBaFw0zMDAyMjQwMzU1MDBaMBExDzANBgNVBAMTBmNsaWVudDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8OqCmliZrE0N3t/NJNgko+ +/pTJ3QSaA34JAbElsn7q30XIHxK5g4L6eu6e4m4Eh8yNJCS1/nd9N+/N3rQ8UWXi +Oln3whHSk0YYOKzc8YvbjLeEFtlPLEBiTdDPEUaIMqxr8SUPkUL487qKjE5rywdy +64l5Ib9JJqthfjWehp0E7Tw7NqHNjHENvzqdxHW/OB0en+kBnPenPwl0p0JKTN3r +X0Cyq5Wkz25Jc1yGXpktFXtGrFBeq2xGgpG5zNL7h5ebPYqxALl38+o2bjvrLOT8 +lwZvq4Tvps1oda4+Xyt93cBHdbROHThfjd6YHQ36CqVrR8sCK3YZXoye9F0c6k8C +AwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIw +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUGsVDnIhNdUWkgi/J0EG9fErnUYIwHwYD +VR0jBBgwFoAUSyUMTRrt7dPiYTfTcbKhi2+DXgYwCwYDVR0RBAQwAoIAMA0GCSqG +SIb3DQEBCwUAA4IBAQCv2VUgWOziEqhYmyYYNjhlynjE/tfheuewg+6/y9sHrspA +fLcAW3R7waH1a7BUcX7TsIk9Pn0MJktX2qO8Y+uuXuvv5s9jl5SDLw8pRjTIGIla +dr5RLsJWdVYsNRdm3wjACVIwJkRpW4+uaXLj3/7SML0S0pLeHkRUPblhoMfK8ZOR +2CIkjbYjMgjz7SLqOe7KT3T9yLIDbcDceqA5oVEP+hEbA5MjEhvIGopryYfZRI6L +4LQ+kHuqlOwBRw6HYvhlVhMo2UOmyCkHBhC71Il5a8RcIXZSV70jB1W/cihemNAA +6Knqn8HdnjF88Sg+nBCpQm9NmOjHJrJ8nW9mX6wL +-----END CERTIFICATE----- diff --git a/tests/client/cert/gencerts.sh b/tests/client/cert/gencerts.sh new file mode 100755 index 00000000000..606e05c60d9 --- /dev/null +++ b/tests/client/cert/gencerts.sh 
@@ -0,0 +1,18 @@
+#!/bin/bash
+if ! [[ "$0" =~ "./gencerts.sh" ]]; then
+ echo "must be run from 'cert'"
+ exit 255
+fi
+
+if ! which cfssl; then
+ echo "cfssl is not installed"
+ exit 255
+fi
+
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
+
+# pd-server
+echo '{"CN":"pd-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="localhost,127.0.0.1" - | cfssljson -bare pd-server
+
+# client
+echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client -hostname="" - | cfssljson -bare client
diff --git a/tests/client/cert/pd-server-key.pem b/tests/client/cert/pd-server-key.pem
new file mode 100644
index 00000000000..47f075915ae
--- /dev/null
+++ b/tests/client/cert/pd-server-key.pem
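Review bot: This script regenerates `ca-key.pem` in place with `cfssl gencert -initca`, and the resulting CA private key and leaf keys are committed alongside it with a ten-year lifetime (`87600h` in ca-csr.json and ca-config.json), so the checked-in material is a throwaway test CA and the script should say so in a header comment, e.g. `# Test-only CA and leaf keys: everything generated here is checked into git and must never be used outside the test suite.` Separately, the prerequisite check tests only `cfssl` while all three pipelines also need `cfssljson`, and there is no `set -euo pipefail`, so a failed `cfssl gencert` may still let `cfssljson` truncate the existing `.pem` files. I would add `set -euo pipefail` after the shebang and replace the `which` check with `for t in cfssl cfssljson; do command -v "$t" >/dev/null || { echo "$t is not installed"; exit 255; }; done`.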
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvZbiYx6ENOXWDyLkplST8FrGTKC1EL/SG/bLtBIKj4M2XlJH +KUbSczs0tKzUK/C7i8xP4+aJvM4jP/HM1hc1uOrJIh4XGm7PaXdMqrGlmhBdFN1T +xF0+Df0p/Mcc8uilOw4Qprsy4qdugzTryZSPwlxmgK/TY20F5w0i+AaRkK65zS5m +5Tu6zuA83oa8l1J4SMiAlRq5D/VVVjD39WaN2V3zNhiytdewVTiGWPg5VA44Y/13 +tAcB3szQlJkjxGWBjoPJwUSixNVkOLJNwwGQuBPQSXOGHQN9fNCAmBfCgccyqxR6 +4qildhjn6mCMmb2PoFInHtJzCPwSkvULZbwAVwIDAQABAoIBAQCTde4zpiKyeina +sAskDBjdE9208DKlCm3D7ltWfcnVAfuhtWFAC6PYmK5P8TU90AovnARvgHqVbcgh +DlOCGZ9hasxySvExUArnPzFUesQRZrTfa56h1txTSRwFTmGH1cfefPwakvPrMstU +Ji9XJMQEKpZXdWp3pO64XZFbVNCXtNc5agJd2ZQu5N+NV2eGqI1BpdEVD1CRr1d/ +6nLU3VUDt33dDBhb/Tou9HYXIoTum4pJ0NGKaw7n9h9pccKhQe7XEwzXGRxy+91O +ZZbmvJMCrwB3zGmZvQfz93ekBOXLmYNGKxUhHWgL0z0ujJQpCkWQ8zhoIMLi+3V3 +zejgq8yBAoGBAPAV4NOV9ir6EfL1bmvtnSm4V1AlA1fmOBeZnW/w9uw5ZyYXSLRx +sy4CKkkfu7nEEIC5Lza2jLT9eKhQhT84fpnmhpNqVwkIHqZU/vW7aFbC3R1F8ucx +0mFJuggSu+gl5SltzNxNyCcQXkUedzvugp+u42XYvTDLDBkF5YEJxUqhAoGBAMoo +HWTTPpnX1XpscKFt2ogY4Qd7kewcguM9qpbgWI9jnXqkw5JE4L/GV13hNvk74J/i +rUBcdsnGwZ0S3Vdy1qmoUjU2vw6u0ilNYfAjtInIr+Nxhg7KsfsEorjJhFe1sV3s +vhNqkUc83Ls8R1EFt6zCrBvoNn2I8l+GWq3Ap5/3AoGAVDD35HrkFnIXNUIH9OUg +he7U/4/bOknLRctiwEyZ6oC+wUbNAioVEX9E4Nu18xDkUJ+gBOnDMfzpAO0rrN3c +149VhgB2gP5N8TpBJl8P2cz/yTIsWhLImcFG8WnQZzpSwFJ20pKcK8a7qDVkzql3 +ORQVPjPhNGkf1u6Qas3IV8ECgYB5fNwVUKIpYD0p4mtZiCQxcAokLg3GwGekWtXe +8Booqevk3YmuqHgMqAyvHX6lD2fxjg8iQ68bmbeXRtQADsKUmNQ2qJzvHP6t1ZRK +9Zo0x4d0fy/aSdPmD6YeuPQwpb9eu7yK/JssHZZla1dMiMwWJbO63bWJgbhu0dZC +3ymdhwKBgAMzccLBobvGP10npwY/xyc93XuZs9leIVM8WDBemePyNsXmzLLaXwTn +a+P/jTuwjifZ+9MBXIzgEHx2GlD+pOJjp9dS2y3rsn4b5f4OhoG8hl1Bfh5E5LhU +kAuFXcXWn4WivLE5bVWhBEUXlTgXk7gtQoaLcwm1g6g/OVHABAlu +-----END RSA PRIVATE KEY----- diff --git a/tests/client/cert/pd-server.csr b/tests/client/cert/pd-server.csr new file mode 100644 index 00000000000..917ad17a1e1 --- /dev/null +++ b/tests/client/cert/pd-server.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICdzCCAV8CAQAwFDESMBAGA1UEAxMJcGQtc2VydmVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAvZbiYx6ENOXWDyLkplST8FrGTKC1EL/SG/bLtBIK +j4M2XlJHKUbSczs0tKzUK/C7i8xP4+aJvM4jP/HM1hc1uOrJIh4XGm7PaXdMqrGl +mhBdFN1TxF0+Df0p/Mcc8uilOw4Qprsy4qdugzTryZSPwlxmgK/TY20F5w0i+AaR +kK65zS5m5Tu6zuA83oa8l1J4SMiAlRq5D/VVVjD39WaN2V3zNhiytdewVTiGWPg5 +VA44Y/13tAcB3szQlJkjxGWBjoPJwUSixNVkOLJNwwGQuBPQSXOGHQN9fNCAmBfC +gccyqxR64qildhjn6mCMmb2PoFInHtJzCPwSkvULZbwAVwIDAQABoB4wHAYJKoZI +hvcNAQkOMQ8wDTALBgNVHREEBDACggAwDQYJKoZIhvcNAQELBQADggEBACbATy3O +4uCBtJRkvijMTSLBOu+4H9huXfV/WJ7ccTVbtqT3/xq4agG45JSX5K0B9cUaBZIW +UwFpyvDjSwwH6rjZzES0Py6tt0NL8/iZpTyHv4nPMoVbaeUKTJhknQCgPorsAd7r +JRL2bIlnaBBqECI08Sq1sNUD2Va23vzcGG2W4V9oPJeAnhaT8yKt83ZCt4yRCf4I +wxKNhpTUhm62Vhc2Ijo/5ktwsye10vTX9YbuAQPY7K//jbGDtJH5+biO4/kNR7kg +06PYZJJtqEzgaf4VuOW/c9K4q7Y5QhS3tmEECpR3xG30x1yw3aCqXkFtE43O3Yr1 +CMTKQvTHiu8RpPE= +-----END CERTIFICATE REQUEST----- diff --git a/tests/client/cert/pd-server.pem b/tests/client/cert/pd-server.pem new file mode 100644 index 00000000000..2381a662d26 --- /dev/null +++ b/tests/client/cert/pd-server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgIUYSbOyApfQYwp07xKToCAXeeLqbowDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxEDAOBgNVBAoTB1BpbmdjYXAxEjAQBgNVBAMTCU15IG93biBDQTAeFw0y +MDAyMjcwMzU1MDBaFw0zMDAyMjQwMzU1MDBaMBQxEjAQBgNVBAMTCXBkLXNlcnZl +cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2W4mMehDTl1g8i5KZU +k/BaxkygtRC/0hv2y7QSCo+DNl5SRylG0nM7NLSs1Cvwu4vMT+PmibzOIz/xzNYX +NbjqySIeFxpuz2l3TKqxpZoQXRTdU8RdPg39KfzHHPLopTsOEKa7MuKnboM068mU +j8JcZoCv02NtBecNIvgGkZCuuc0uZuU7us7gPN6GvJdSeEjIgJUauQ/1VVYw9/Vm +jdld8zYYsrXXsFU4hlj4OVQOOGP9d7QHAd7M0JSZI8RlgY6DycFEosTVZDiyTcMB +kLgT0Elzhh0DfXzQgJgXwoHHMqsUeuKopXYY5+pgjJm9j6BSJx7Scwj8EpL1C2W8 +AFcCAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKVYxaz4G7wC+rks +vuCBoyM1OW0AMB8GA1UdIwQYMBaAFEslDE0a7e3T4mE303GyoYtvg14GMBoGA1Ud +EQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAlzKKrmPC +ApTZV0qPgHLUHPPHA3FGnuBeJNLiNn4h+F4aQfIOXpDLEJPG+KzMiMWdujP+vpjH +ZPPy68HlZCvbZXtNohggrzrSdZyggwYm292PPE4OllfSrg+1M1fxb57+5UXedRKm +SgzaSjDgeogjOoB3J7sHWfT2RTI6sYiIQrgfipL3060k64usNO1lVnL+wzTovwU+ +149bz/0MifjF8sBTNUGSr9V4csRsRt+R6NkoIbCCwjyIeuFmrUjWcKsjA+SU8Po6 +OyHpxjAVY5jsvPKGz7i4G7Zw+4JI03SeZr6r3WVNyHmUkLKNfr6J6sXfFKZstHAL +g7R41DuOTcwd3w== +-----END CERTIFICATE----- diff --git a/tests/client/client_tsl_test.go b/tests/client/client_tsl_test.go new file mode 100644 index 00000000000..c947bbcac71 --- /dev/null +++ b/tests/client/client_tsl_test.go 
@@ -0,0 +1,246 @@ +// Copyright 2020 PingCAP, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// See the License for the specific language governing permissions and +// limitations under the License. + +package client_test + +import ( + "context" + "io" + "io/ioutil" + "os" + "path/filepath" + "strings" + "time" + + . "github.com/pingcap/check" + pd "github.com/pingcap/pd/v4/client" + "github.com/pingcap/pd/v4/pkg/grpcutil" + "github.com/pingcap/pd/v4/server" + "github.com/pingcap/pd/v4/server/config" + "github.com/pingcap/pd/v4/tests" + "go.etcd.io/etcd/pkg/transport" + "google.golang.org/grpc" +) + +var _ = Suite(&clientTLSTestSuite{}) + +var ( + testTLSInfo = transport.TLSInfo{ + KeyFile: "./cert/pd-server-key.pem", + CertFile: "./cert/pd-server.pem", + TrustedCAFile: "./cert/ca.pem", + ClientCertAuth: true, + } + + testClientTLSInfo = transport.TLSInfo{ + KeyFile: "./cert/client-key.pem", + CertFile: "./cert/client.pem", + TrustedCAFile: "./cert/ca.pem", + ClientCertAuth: true, + } + + testTLSInfoExpired = transport.TLSInfo{ + KeyFile: "./cert-expired/pd-server-key.pem", + CertFile: "./cert-expired/pd-server.pem", + TrustedCAFile: "./cert-expired/ca.pem", + ClientCertAuth: true, + } +) + +type clientTLSTestSuite struct { + ctx context.Context + cancel context.CancelFunc +} + +func (s *clientTLSTestSuite) SetUpSuite(c *C) { + s.ctx, s.cancel = context.WithCancel(context.Background()) + server.EnableZap = true +} + +func (s *clientTLSTestSuite) TearDownSuite(c *C) { + s.cancel() +} + +// TestTLSReloadAtomicReplace ensures server reloads expired/valid certs +// when all certs are atomically replaced by directory renaming. 
+// And expects server to reject client requests, and vice versa. +func (s *clientTLSTestSuite) TestTLSReloadAtomicReplace(c *C) { + tmpDir, err := ioutil.TempDir(os.TempDir(), "cert-tmp") + c.Assert(err, IsNil) + os.RemoveAll(tmpDir) + defer os.RemoveAll(tmpDir) + + certsDir, err := ioutil.TempDir(os.TempDir(), "cert-to-load") + c.Assert(err, IsNil) + defer os.RemoveAll(certsDir) + + certsDirExp, err := ioutil.TempDir(os.TempDir(), "cert-expired") + c.Assert(err, IsNil) + defer os.RemoveAll(certsDirExp) + + cloneFunc := func() transport.TLSInfo { + tlsInfo, terr := copyTLSFiles(testTLSInfo, certsDir) + c.Assert(terr, IsNil) + _, err = copyTLSFiles(testTLSInfoExpired, certsDirExp) + c.Assert(err, IsNil) + return tlsInfo + + } + replaceFunc := func() { + err = os.Rename(certsDir, tmpDir) + c.Assert(err, IsNil) + err = os.Rename(certsDirExp, certsDir) + c.Assert(err, IsNil) + // after rename, + // 'certsDir' contains expired certs + // 'tmpDir' contains valid certs + // 'certsDirExp' does not exist + + } + revertFunc := func() { + err = os.Rename(tmpDir, certsDirExp) + c.Assert(err, IsNil) + + err = os.Rename(certsDir, tmpDir) + c.Assert(err, IsNil) + + err = os.Rename(certsDirExp, certsDir) + c.Assert(err, IsNil) + + } + s.testTLSReload(c, cloneFunc, replaceFunc, revertFunc, false) + +} + +func (s *clientTLSTestSuite) testTLSReload( + c *C, + cloneFunc func() transport.TLSInfo, + replaceFunc func(), + revertFunc func(), + useIP bool) { + tlsInfo := cloneFunc() + // 1. 
start cluster with valid certs + clus, err := tests.NewTestCluster(s.ctx, 1, func(conf *config.Config) { + conf.Security = grpcutil.SecurityConfig{ + KeyPath: tlsInfo.KeyFile, + CertPath: tlsInfo.CertFile, + CAPath: tlsInfo.TrustedCAFile, + ClientCertAuth: tlsInfo.ClientCertAuth, + } + conf.AdvertiseClientUrls = strings.ReplaceAll(conf.AdvertiseClientUrls, "http", "https") + conf.ClientUrls = strings.ReplaceAll(conf.ClientUrls, "http", "https") + conf.AdvertisePeerUrls = strings.ReplaceAll(conf.AdvertisePeerUrls, "http", "https") + conf.PeerUrls = strings.ReplaceAll(conf.PeerUrls, "http", "https") + conf.InitialCluster = strings.ReplaceAll(conf.InitialCluster, "http", "https") + }) + c.Assert(err, IsNil) + defer clus.Destroy() + err = clus.RunInitialServers() + c.Assert(err, IsNil) + clus.WaitLeader() + + var endpoints []string + for _, s := range clus.GetServers() { + endpoints = append(endpoints, s.GetConfig().AdvertiseClientUrls) + } + // 2. concurrent client dialing while certs become expired + errc := make(chan error, 1) + go func() { + for { + dctx, dcancel := context.WithTimeout(s.ctx, time.Second) + cli, err := pd.NewClientWithContext(dctx, endpoints, pd.SecurityOption{ + CAPath: testClientTLSInfo.TrustedCAFile, + CertPath: testClientTLSInfo.CertFile, + KeyPath: testClientTLSInfo.KeyFile, + }, pd.WithGRPCDialOptions(grpc.WithBlock())) + if err != nil { + errc <- err + dcancel() + return + } + dcancel() + cli.Close() + } + }() + + // 3. replace certs with expired ones + replaceFunc() + + // 4. expect dial time-out when loading expired certs + select { + case cerr := <-errc: + c.Assert(strings.Contains(cerr.Error(), "failed to get cluster id"), IsTrue) + case <-time.After(5 * time.Second): + c.Fatal("failed to receive dial timeout error") + } + + // 5. replace expired certs back with valid ones + revertFunc() + + // 6. 
new requests should trigger listener to reload valid certs + dctx, dcancel := context.WithTimeout(s.ctx, 5*time.Second) + cli, err := pd.NewClientWithContext(dctx, endpoints, pd.SecurityOption{ + CAPath: testClientTLSInfo.TrustedCAFile, + CertPath: testClientTLSInfo.CertFile, + KeyPath: testClientTLSInfo.KeyFile, + }, pd.WithGRPCDialOptions(grpc.WithBlock())) + c.Assert(err, IsNil) + dcancel() + cli.Close() +} + +// copyTLSFiles clones certs files to dst directory. +func copyTLSFiles(ti transport.TLSInfo, dst string) (transport.TLSInfo, error) { + ci := transport.TLSInfo{ + KeyFile: filepath.Join(dst, "pd-server-key.pem"), + CertFile: filepath.Join(dst, "pd-server.pem"), + TrustedCAFile: filepath.Join(dst, "ca.pem"), + ClientCertAuth: ti.ClientCertAuth, + } + if err := copyFile(ti.KeyFile, ci.KeyFile); err != nil { + return transport.TLSInfo{}, err + + } + if err := copyFile(ti.CertFile, ci.CertFile); err != nil { + return transport.TLSInfo{}, err + + } + if err := copyFile(ti.TrustedCAFile, ci.TrustedCAFile); err != nil { + return transport.TLSInfo{}, err + + } + return ci, nil + +} +func copyFile(src, dst string) error { + f, err := os.Open(src) + if err != nil { + return err + + } + defer f.Close() + + w, err := os.Create(dst) + if err != nil { + return err + + } + defer w.Close() + + if _, err = io.Copy(w, f); err != nil { + return err + + } + return w.Sync() + +}
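Review bot: The step-4 assertion only matches the wrapper text `failed to get cluster id`, which the dial goroutine presumably also returns on an ordinary 1-second context timeout, so a slow CI run can satisfy the check before `replaceFunc()` has swapped in the expired certs and the test passes without exercising the reload at all. A cheap tightening is to treat any error that arrives before the swap as a failure by draining `errc` non-blockingly right before `replaceFunc()`: `select { case cerr := <-errc: c.Fatalf("dial failed before certs were replaced: %v", cerr); default: }`, and, if the client preserves the underlying handshake error, additionally assert on an `x509:` substring rather than the generic wrapper. `testTLSReload` declares `useIP bool` but never reads it; either wire it into how `endpoints` is built or drop the parameter. `copyFile` creates the destination with `os.Create` (mode 0666 before umask), a loose default for the `-key.pem` files it copies; `os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` keeps the private keys owner-only, and the error from the deferred `w.Close()` is currently dropped after `Sync`. The file name `client_tsl_test.go` also looks like a transposition of `tls`.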