WL#15166 patch #3 Testing NdbProcess and ndb_sign_keys

Add a unit test, an NdbApi test, and an MTR test.

The unit test is testNdbProcess-t
The NdbApi test is testMgmd -n SshKeySigning
The MTR test is sign_keys in suite ndb_tls

Create the ndb_tls test suite.
Create the ndb-tls subdirectory in std_data.
Create a CA key and certificate in std_data/ndb-tls/.

Change-Id: Icec0fa4a9031be11facbd346d09debe8bc8bfe68

mysql-test/collections/default.push

@@ -18,7 +18,7 @@ perl mysql-test-run.pl --timer --testcase-timeout=30 --suite-timeout=300 --debug
 # Run all Ndb tests separately.
 # For builds without Ndb support no tests will be attempted.
 #
-perl mysql-test-run.pl --timer --testcase-timeout=30 --suite-timeout=300 --debug-server --force --comment=ndb --vardir=var-ndb --skip-combinations --no-skip --with-ndb-only
+perl mysql-test-run.pl --timer --testcase-timeout=30 --suite-timeout=300 --debug-server --force --comment=ndb --vardir=var-ndb --no-skip --with-ndb-only
 
 #
 # Group Replication

mysql-test/include/excludenoskip.list

@@ -107,6 +107,7 @@ federated_bug_25714.test
 
 # 4.4
 check_openssl_version.inc
+check_openssl.inc
 have_tlsv13.inc
 not_have_tlsv13.inc
 not_min_protocol_tlsv12.inc

mysql-test/lsan.supp

@@ -46,3 +46,6 @@ leak:sasl_client_add_plugin
 
 # The GSS API plugin for SASL has leaks.
 leak:gss_acquire_cred_from
+
+# ndb_sign_keys leaks in some error-exit situations
+leak:ndb_sign_keys

mysql-test/mysql-test-run.pl

@@ -3182,6 +3182,7 @@ sub environment_setup {
       ndb_select_all
       ndb_select_count
       ndb_show_tables
+      ndb_sign_keys
       ndb_waiter
       ndbxfrm
       ndb_secretsfile_reader
@@ -3754,7 +3755,7 @@ ($)
   # Add MySQL Cluster test suites
   $DEFAULT_SUITES .= "," if $DEFAULT_SUITES;
   $DEFAULT_SUITES .= "ndb,ndb_binlog,rpl_ndb,ndb_rpl,ndbcluster,ndb_ddl,".
-                     "gcol_ndb,json_ndb,ndb_opt";
+                     "gcol_ndb,json_ndb,ndb_opt,ndb_tls";
   # Increase the suite timeout when running with default ndb suites
   $opt_suite_timeout *= 2;
   return;

mysql-test/std_data/ndb-tls/CA-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----

mysql-test/std_data/ndb-tls/CA-key.pem

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI1W6H2p92tVsCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLQUM5chjeEsBIIEyLcXK1k+5V3V
+F8OsAcxZNAGtkA3XvPvu4wZP4F0BT14x12Z2vL3DFib6krhv4yOJSSzW5P3qlc2v
+MzCZOtkkWBA2AQ5L1RF8o2x5AzpK9uyPKCuroiD76iuhNcAjNjeOyJVQmdV8zXdq
+QAixLX7nZQV8iorry8DY9nyBwBUxsaAuDYEAwCtLVz/YSCLqqjSXKqQuDmF/lMes
+Z4FE8B8O9y+TIqpjlh/7TIYQ8S925DyaS+elU3W2swBR1Vlr6Kc2k+KQw6gNStRj
+x1kouFpxknhYUeQwnEKafG7iPoQqtdYNbkmrkEJ6e/2KytTmT0Wlo9HCn4SEKG1q
+4VIsMTFXjtX7IzstCYX9+jRFljASP4Ajvbg/Cld27J45/Me5mhsPr4tcXYZseV89
+6xqaA14sw7LvLR9MGqOGu9PhezvJ+Lz19kFQGd0q/aYwBr7UXvMJvJVxXlnZIfty
+XT3qoqIEaibYNFN666tldVP2K2eJVwV4e8Jc2D9yykodGS5ArmJ0bpsMhQ/oiAPd
+eSOCZEPH2iPLtgrdI2e8mH7Ukb1P7cv4m0NPDhlUSym3UeHHFwLN+FB9mlP5eJCy
+8Zp/ZUsgLrX8eYKAogu2abMSvPV7z9ZmE0pCnInfxEqA5TR4LKZlLQmxiTipksGc
+JniOJ5fqIc8ho2ZZZHR6HI8xyXyxFuCo1Fq10GtHurmrXJo2ENOOXX7R8Z0YdrtH
+jg2WSHWEKEdE7AxTU8XeyB17ljnUrtF9K+zZIjkapF9AkCpzgcCAwktqDYd/BaoU
+I5lufnb+fkE/LUqHNF4OCZa7C4yD2++0hQQblVbklWz4f/Tkt1HTai5pfFs1RtA8
+BrB/IERKkBE3OITIA0whWUvrU/QlItRuP5jEZcw3WA0A8QyITjUa88CgOyC7LUD6
+lXNt1A39AfxDwVkNSxy+pOCZm08WTGmaULhJy1fi+UeAUQRxZ3feVAVAckosAEIm
+ljosSunZEoZUW05YKyV9LZa7pfPP+5cm1FKoTSNpX2G2eS0v+pxcqQOOeR7HkeRM
+W9QewYVpkKQou68aHRG8RuXkcTTeadOwQQCTixWLuX4apJ/AnNLUURefh+qLl4Ko
+uFrH1yeae83oopp8bIsFEVxubHCpsrUEftfNpnkZ+puMHeHHNanxz86J8gsi8/jg
+2x4nLbbOMaV1dNyLGjeZacmWI1IzZcLWgiiSbflGnn7uLgq2QIevxyJgNKXjUkW5
+VUFOIgfj7IAyZWwqFuBH4VrPFEohHKvkF5tI6zbt7WxZorTbSyTjdrBrlTT5sPuA
+DKjNtvstWIU43ONsRpMoRy4imaH+vFdA+lY9vOZWmo0g0wjYFRHWcS4eWUxgtcbx
+UVhx0MteVhMM9l5gK8Pe+3V1zGZioRVMa0GBCWsdLp+66Td72gclzOoeaAE+xlqJ
+vfnaplm/HB6bGNNbUrc+tv6HifWIC+bn/FuIv3ghlF15hr/PFYtupgmR0bFcQfxd
+llfxb/1tG12quQNAnmCSBeUGxf6dv3SXCMfbQAH/T6SCb04KhPjSdO0O1Xj+xSTz
+onhJOYc+5iFHwrhpTXctz2WCN2rgalWkbAJnRgc3g8QjjCU87SHJDZ86HOCvRLuk
+gZTWPbtzlpMXJ+q1MKKyTA==
+-----END ENCRYPTED PRIVATE KEY-----

mysql-test/suite/ndb_tls/include/check_openssl.inc

@@ -0,0 +1,10 @@
+# Detect whether compile-time OpenSSL library provides sufficient support
+# for NDB to use TLS
+
+let $ver = query_get_value(show status like "Tls_library_version", Value, 1);
+let $match = `select "$ver" like "OpenSSL 1.0%"`;
+if($match)
+{
+  skip OpenSSL too old;
+}
+

mysql-test/suite/ndb_tls/my.cnf

@@ -0,0 +1,44 @@
+!include include/default_mysqld.cnf
+
+#
+# Define small two node cluster with only one mysqld
+#
+[cluster_config.1]
+ndbd=,
+ndb_mgmd=
+mysqld=
+ndbapi=,,
+
+[cluster_config]
+DataMemory=                    30M
+NoOfFragmentLogFiles=          4
+SharedGlobalMemory=            20M
+LongMessageBuffer=             4M
+RedoBuffer=                    4M
+BackupLogBufferSize=           2M
+HeartbeatIntervalDbDb=         30000
+HeartbeatIntervalDbApi=        30000
+
+[mysqld]
+ndbcluster
+ndb-wait-connected=30
+ndb-wait-setup=120
+ndb-extra-logging=99
+
+[cluster_config.mysqld.1.1]
+NodeId=51
+Dedicated=1
+
+[mysqld.1.1]
+ndb-nodeid=51
+
+[ENV]
+NDB_CONNECTSTRING=             @mysql_cluster.1.ndb_connectstring
+MTR_NDBMTD= 1
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/mysql_cluster.1
+
+[ndb_sign_keys]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/mysql_cluster.1
+passphrase=Stockholm

mysql-test/suite/ndb_tls/sign_keys.result

@@ -0,0 +1,9 @@
+SELECT 1;
+1
+1
+ndb-api-cert
+ndb-api-private-key
+ndb-data-node-cert
+ndb-data-node-private-key
+ndb-mgm-server-cert
+ndb-mgm-server-private-key

mysql-test/suite/ndb_tls/sign_keys.test

@@ -0,0 +1,159 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+## TEMPORARILY SKIP THIS TEST ON WINDOWS
+##
+## Remote Key Signing (at line 106) will time out very slowly and create
+## crash dumps.  Use the testNdbProcess-t unit test to isolate this issue,
+## then re-enable this test on Windows.
+##
+--source include/not_windows.inc
+
+# The MySQL server is up
+SELECT 1;
+
+# On startup, none of the files exist
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+
+# Create a CA
+--exec $NDB_SIGN_KEYS --create-CA
+
+# Now the CA files exist
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key
+
+# Create all the keys and certs for this cluster
+--exec $NDB_SIGN_KEYS --create-key
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert
+--list_files $MYSQLTEST_VARDIR/mysql_cluster.1 ndb-*
+
+# Remove them; remove_file will fail if a file does not exist.
+# On Windows, private key files must be writable to be removed.
+--chmod 0600  $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+--chmod 0600  $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key
+--chmod 0600  $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key
+
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-cert
+
+# Create a pending key and a 90-day certificate for the management node.
+--exec $NDB_SIGN_KEYS --create-key --pending -n 3 --schedule=70,5,80,5,90,0
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-key
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-cert
+
+# Promote the files from pending to active
+--exec $NDB_SIGN_KEYS --promote -n 3
+
+# Now the files have been renamed from pending to active
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-cert
+
+# The old pending files do not exist
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-key
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-cert
+
+# Create an active key and certificate for a data node, with bound node id
+--exec $NDB_SIGN_KEYS --create-key -n 2
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-cert
+
+# Create a pending client key and cert in no-config mode
+--exec $NDB_SIGN_KEYS --no-config --create-key --pending -t api --bind-host=0
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-pending-key
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-pending-cert
+
+# Then promote the pending files to active
+--exec $NDB_SIGN_KEYS --no-config -t api --promote
+
+# Remove them
+--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert
+
+# Try to create a CSR for node 10.
+# There is not a node 10 configured, so this fails.
+--error 110
+--exec $NDB_SIGN_KEYS -n 10 --create-key --skip-sign
+
+# Try to create a CSR for node 10 in no-config mode.
+# This fails because -n and no-config mode are incompatible
+--error 101
+--exec $NDB_SIGN_KEYS -l -n 10 -t api --create-key --skip-sign
+
+# Try to create a CSR for an API node in no-config mode.
+# This fails because it wants to bind a hostname, but none is available.
+--error 34
+--exec $NDB_SIGN_KEYS -l -t api --create-key --skip-sign
+
+# Create the CSR for an API node in no-config mode.
+--exec $NDB_SIGN_KEYS -l -t api --create-key --skip-sign --bind-host=0
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert-request
+
+# Test remote key signing with a tool
+#    (using ndb_sign_keys itself as the tool)
+# Because the CSR already exists, the binding options are not necessary.
+--let $cmd = `SELECT substring_index("$NDB_SIGN_KEYS", " ", 1)`
+--exec $NDB_SIGN_KEYS -l -t api -X $cmd >> $MYSQLTEST_VARDIR/tmp/rsk.out
+--remove_file $MYSQLTEST_VARDIR/tmp/rsk.out
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert-request
+
+# Refresh the certificate for node 2, but keep the existing key
+--exec $NDB_SIGN_KEYS -n 2 --schedule=70,5,80,5,90,0
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-retired-cert
+--error 1
+--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-retired-key
+
+# Check all the certs in the path, in no-config mode.
+--error 1
+--exec $NDB_SIGN_KEYS --no-config --check --replace-by=-91
+
+# Check all the certs in the path, using config
+--error 1
+--exec $NDB_SIGN_KEYS --check --replace-by=-91
+
+# Check the key cert node 3, using config (check passes)
+--exec $NDB_SIGN_KEYS --check --replace-by=-50 -n 3
+
+# Check the cert for node 3, using config (check fails)
+--error 1
+--exec $NDB_SIGN_KEYS --check --replace-by=-91 -n 3
+
+# Replace the key and the certificate both
+--exec $NDB_SIGN_KEYS --create-key -n 3
+
+# Rotate the CA
+--exec $NDB_SIGN_KEYS --rotate-CA
+
+# On Windows, private key files must be made writable to be removed.
+--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key
+--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key.retired
+--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key
+--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key
+--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+
+# Delete everything so the test can be repeated
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key.retired
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert.retired
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-retired-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-retired-cert
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key
+--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert

storage/ndb/src/common/util/CMakeLists.txt

@@ -113,6 +113,7 @@ FOREACH(tests
     testSecureSocket
     testConfigValues
     testTlsKeyManager
+    testNdbProcess
     )
   NDB_ADD_TEST("${tests}-t" "${tests}.cpp" LIBS ndbmgmapi ndbgeneral ndbportlib)
 ENDFOREACH(tests)