diff --git a/.travis.yml b/.travis.yml
index dcf34670..2a7b50b6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,12 +17,13 @@ env:
 - RIAK_DOWNLOAD_URL=http://s3.amazonaws.com/downloads.basho.com/riak/2.0/2.0.7/ubuntu/trusty/riak_2.0.7-1_amd64.deb
 - RIAK_DOWNLOAD_URL=http://s3.amazonaws.com/downloads.basho.com/riak/2.1/2.1.4/ubuntu/trusty/riak_2.1.4-1_amd64.deb
 before_script:
- - cp -vf ./spec/support/test_client.yml.example ./spec/support/test_client.yml
 - sudo ./tools/travis-ci/riak-install -d "$RIAK_DOWNLOAD_URL"
- - sudo ./tools/devrel/riak-cluster-config "$(which riak-admin)" 8098 false false
+ - sudo ./tools/setup-riak -s
 script:
- - bundle exec rubocop lib spec
- - bundle exec rake spec spec:integration
+ - sudo riak-admin security disable
+ - make test
+ - sudo riak-admin security enable
+ - make security-test
 notifications:
 slack:
 secure: nryEZNlLs0xpMJcrmTRzJIaFdfHWigsD4i9zEI8SgDdHqEgJ52/UfCifWHC7N4UckpRkmMUc8yt/Y4YS7G4Gu4yx4qXNIL33VmuudUe2YEVv+oVnG9oHVPkHDvOkRSLlWyAIqd4uXbLzghYBrHigoinfCcmjjRq5HNocRrvnwdE=
diff --git a/Makefile b/Makefile
index f067b377..a7d5bc49 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,6 @@
-.PHONY: release gemspec_validate
+.PHONY: help all deps lint clean
+.PHONY: test unit-test integration-test security-test
+.PHONY: release gemspec_validat0
 unexport LANG
 unexport LC_ADDRESS
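Review bot: The unit specs appear to drop out of CI in the `script:` section of .travis.yml, where `make test` replaces `bundle exec rake spec spec:integration`. The new Makefile rule is `test: lint integration-test`, which never reaches the `unit-test` target, while the `help` text in the same Makefile hunk still says "Run unit & integration tests". Changing the rule to `test: lint unit-test integration-test` would restore the coverage and make the help line accurate.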
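Review bot: The last added line of the first Makefile hunk reads `.PHONY: release gemspec_validat0`, which does not match the `gemspec_validate` target that `release` depends on further down. That target is therefore no longer declared phony, so a file named `gemspec_validate` in the project root would let make skip the gemspec check before a release without any error. This looks like a typo for `.PHONY: release gemspec_validate`.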
@@ -14,13 +16,62 @@ unexport LC_PAPER
 unexport LC_TELEPHONE
 unexport LC_TIME
-# NB:
-# VERSION does NOT include the v suffix
+PROJDIR = $(realpath $(CURDIR))
+TCY := $(PROJDIR)/spec/support/test_client.yml
+CLIENT_CERT := $(PROJDIR)/tools/test-ca/certs/riakuser-client-cert.pem
+CA_CERT := $(PROJDIR)/tools/test-ca/certs/cacert.pem
+
+help:
+ @echo ''
+ @echo ' Targets:'
+ @echo '-------------------------------------------------'
+ @echo ' all - Run everything '
+ @echo ' deps - Install required gems '
+ @echo ' lint - Run rubocop '
+ @echo ' clean - Clean local gems '
+ @echo ' test - Run unit & integration tests '
+ @echo ' unit-test - Run unit tests '
+ @echo ' integration-test - Run integration tests '
+ @echo ' security-test - Run security tests '
+ @echo '-------------------------------------------------'
+ @echo ''
+
+all: test
+
+deps: clean
+ @gem install bundler
+ @bundle install --binstubs --path=vendor --without=guard
+
+lint:
+ @bundle exec rubocop lib spec
+
+clean:
+ @rm -rf vendor/*
+ @rm -f Gemfile.lock
+
+unit-test:
+ @bundle exec rake ci
+
+integration-test:
+ @cp -f $(TCY).example $(TCY)
+ @bundle exec rake spec:integration
+
+security-test:
+ @cp -f $(TCY).example $(TCY) && \
+ echo 'authentication:' >> $(TCY) && \
+ echo ' user: user' >> $(TCY) && \
+ echo ' password: password' >> $(TCY) && \
+ echo " ca_file: $(CA_CERT)" >> $(TCY)
+ @bundle exec rake spec:security
+
+test: lint integration-test
 gemspec_validate:
- @rake gemspec
+ @bundle exec rake gemspec
 release: gemspec_validate
+# NB:
+# VERSION does NOT include the v suffix
 ifeq ($(VERSION),)
 $(error VERSION must be set to build a release and deploy this package)
 endif
diff --git a/Rakefile b/Rakefile
index c5322e68..a632cfc6 100644
--- a/Rakefile
+++ b/Rakefile
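Review bot: The `security-test` rule in the second Makefile hunk only rewrites `$(TCY)` and never turns Riak security on, so its result depends on the caller having run `riak-admin security enable` first, as .travis.yml does. A comment above the target, e.g. `# Requires 'riak-admin security enable' on the target node before running`, plus a matching phrase in the `help` text, would save a confusing local failure. Both `integration-test` and `security-test` also overwrite `spec/support/test_client.yml` with `cp -f`, which silently discards a developer's local settings and deserves a mention in `help` too. `CLIENT_CERT` is assigned at the top of the hunk but is not referenced by any rule visible here.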
@@ -75,6 +75,11 @@ namespace :spec do
 RSpec::Core::RakeTask.new(:time_series) do |spec|
 spec.rspec_opts = %w[--profile --tag time_series]
 end
+
+ desc "Run Security Specs Only"
+ RSpec::Core::RakeTask.new(:security) do |spec|
+ spec.rspec_opts = %w[--profile --tag yes_security --tag ~time_series]
+ end
 end
 desc "Run Unit Test Specs (excluding slow, integration and time_series)"
diff --git a/buildbot/Makefile b/buildbot/Makefile
deleted file mode 100644
index b6c8bf24..00000000
--- a/buildbot/Makefile
+++ /dev/null
@@ -1,61 +0,0 @@
-RIAK_CONF = ${RIAK_DIR}/etc/riak.conf
-ADVANCED_CONF = ${RIAK_DIR}/etc/advanced.config
-# RIAK = ${RIAK_DIR}/bin/riak
-RIAK_ADMIN = ${RIAK_DIR}/bin/riak-admin
-CERTS_DIR = $(shell pwd)/../spec/support/certs
-
-preconfigure:
- echo "storage_backend = leveldb" >> ${RIAK_CONF}
- echo "search = on" >> ${RIAK_CONF}
- echo "listener.protobuf.internal = 127.0.0.1:8087" >> ${RIAK_CONF}
- echo "ssl.keyfile = ${CERTS_DIR}/server.key" >> ${RIAK_CONF}
- echo "ssl.certfile = ${CERTS_DIR}/server.crt" >> ${RIAK_CONF}
- echo "ssl.cacertfile = ${CERTS_DIR}/ca.crt" >> ${RIAK_CONF}
- echo "tls_protocols.tlsv1.1 = on" >> ${RIAK_CONF}
- echo "check_crl = off" >> ${RIAK_CONF}
-
-configure:
- @${RIAK_ADMIN} bucket-type create other_counters '{"props":{"datatype":"counter", "allow_mult":true}}'
- @${RIAK_ADMIN} bucket-type create counters '{"props":{"datatype":"counter", "allow_mult":true}}'
- @${RIAK_ADMIN} bucket-type create maps '{"props":{"datatype":"map", "allow_mult":true}}'
- @${RIAK_ADMIN} bucket-type create sets '{"props":{"datatype":"set", "allow_mult":true}}'
- @${RIAK_ADMIN} bucket-type create yokozuna '{"props":{}}'
- @${RIAK_ADMIN} bucket-type activate other_counters
- @${RIAK_ADMIN} bucket-type activate counters
- @${RIAK_ADMIN} bucket-type activate maps
- @${RIAK_ADMIN} bucket-type activate sets
- @${RIAK_ADMIN} bucket-type activate yokozuna
- @${RIAK_ADMIN} security add-user user password=password
- @${RIAK_ADMIN} security add-source user 127.0.0.1/32 password
- @${RIAK_ADMIN} security add-user certuser
- @${RIAK_ADMIN} security add-source certuser 127.0.0.1/32 certificate
- @${RIAK_ADMIN} security grant riak_kv.get,riak_kv.put,riak_kv.delete,riak_kv.index,riak_kv.list_keys,riak_kv.list_buckets,riak_core.get_bucket,riak_core.set_bucket,riak_core.get_bucket_type,riak_core.set_bucket_type,search.admin,search.query on any to user
-
-compile:
- @cd .. && rm -rf vendor/*
- @cd .. && rm -f Gemfile.lock
- @cd .. && bundle install --binstubs --path=vendor --without=guard
-
-lint:
- @find ../lib ../spec -type f -name "*.rb" | xargs -n1 ruby -c
- @cd ..; bin/rubocop lib spec
-
-test: test-normal test-security
-
-test-normal:
- ${RIAK_ADMIN} security disable
- @echo 'nodes:' > ../spec/support/test_client.yml
- @echo ' - { pb_port: 8087 }' >> ../spec/support/test_client.yml
- @echo "Test client config:"
- @cat ../spec/support/test_client.yml
- @cd ..; COVERAGE=true bin/rspec --tag ~time_series
-
-test-security:
- ${RIAK_ADMIN} security enable
- @echo 'authentication:' >> ../spec/support/test_client.yml
- @echo ' user: user' >> ../spec/support/test_client.yml
- @echo ' password: password' >> ../spec/support/test_client.yml
- @echo " ca_file: ${CERTS_DIR}/ca.crt" >> ../spec/support/test_client.yml
- @echo "Test client config for security:"
- @cat ../spec/support/test_client.yml
- @cd ..; COVERAGE=true COVERAGE_SUITE=yes-security bin/rspec --tag yes_security --tag ~time_series
diff --git a/spec/integration/riak/security_spec.rb b/spec/integration/riak/security_spec.rb
index 9723f0a8..851c7b8e 100644
--- a/spec/integration/riak/security_spec.rb
+++ b/spec/integration/riak/security_spec.rb
@@ -51,9 +51,14 @@
 bugged_crypto_client = Riak::Client.new broken_auth_config
- expect{ bugged_crypto_client.ping }.
- to(raise_error(OpenSSL::SSL::SSLError,
- /certificate verify failed/i))
+ if RUBY_PLATFORM == 'java'
+ expect{ bugged_crypto_client.ping }.
+ to(raise_error(OpenSSL::SSL::SSLError))
+ else
+ expect{ bugged_crypto_client.ping }.
+ to(raise_error(OpenSSL::SSL::SSLError,
+ /certificate verify failed/i))
+ end
 end
 it "refuses to connect if the server cert is revoked" do
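Review bot: On JRuby the expectation in the first security_spec.rb hunk is relaxed to `raise_error(OpenSSL::SSL::SSLError)` with no message pattern, so the example passes on any TLS failure, such as an unreadable CA file or a protocol mismatch. It no longer shows that the connection was refused because certificate verification failed. If JRuby only words the error differently, matching its text in that branch keeps the check meaningful, e.g. `to(raise_error(OpenSSL::SSL::SSLError, /<JRuby verify-failure text>/i))` with the real pattern filled in, since the exact message is not visible here. A one-line comment such as `# JRuby reports verification failures with a different message` above the `if` would explain the branch. The enclosing `it` block starts above the hunk.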
@@ -86,10 +91,10 @@
 client_cert_config[:authentication][:client_ca] = client_cert_config[:authentication]['ca_file']
- client_cert_config[:authentication][:cert] = 'spec/support/certs/client.crt'
- client_cert_config[:authentication][:key] = 'spec/support/certs/client.key'
+ client_cert_config[:authentication][:cert] = 'tools/test-ca/certs/riakuser-client-cert.pem'
+ client_cert_config[:authentication][:key] = 'tools/test-ca/private/riakuser-client-cert-key.pem'
- client_cert_config[:authentication][:user] = 'certuser'
+ client_cert_config[:authentication][:user] = 'riakuser'
 client_cert_config[:authentication][:password] = ''
 cert_client = Riak::Client.new client_cert_config
diff --git a/tools b/tools
index f00acf11..7b4b423d 160000
--- a/tools
+++ b/tools
@@ -1 +1 @@
-Subproject commit f00acf1152e1dc493737939ac338a02215177345
+Subproject commit 7b4b423d5276e698399f9030835a5de53b95e55e