Posted to commits@solr.apache.org by ho...@apache.org on 2023/09/12 15:48:00 UTC
[solr] branch main updated: Add full mTLS integration tests for Solr (#1912)
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new b98d936bd33 Add full mTLS integration tests for Solr (#1912)
b98d936bd33 is described below
commit b98d936bd33634086f0840e47e15840c2dc699ad
Author: Houston Putman <ho...@apache.org>
AuthorDate: Tue Sep 12 11:47:53 2023 -0400
Add full mTLS integration tests for Solr (#1912)
---
solr/packaging/build.gradle | 1 +
solr/packaging/test/test_ssl.bats | 289 +++++++++++++++++++++++++++++++++++++-
2 files changed, 289 insertions(+), 1 deletion(-)
diff --git a/solr/packaging/build.gradle b/solr/packaging/build.gradle
index 310aa45049c..aa366eaafd6 100644
--- a/solr/packaging/build.gradle
+++ b/solr/packaging/build.gradle
@@ -256,6 +256,7 @@ task integrationTests(type: BatsTask) {
environment SOLR_TIP: distDir.toString()
environment SOLR_HOME: solrHome
environment SOLR_LOGS_DIR: "$solrHome/logs"
+ environment TEST_OUTPUT_DIR: integrationTestOutput
environment TEST_FAILURE_DIR: solrTestFailuresDir
environment BATS_LIB_PREFIX: "$nodeProjectDir/node_modules"
}
diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index a40d3232a13..f3aae8d6edc 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -57,8 +57,51 @@ teardown() {
run solr create -c test -s 2
assert_output --partial "Created collection 'test'"
- run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" 'https://localhost:8983/solr/test/select?q=*:*'
+ run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" 'https://127.0.0.1:8983/solr/test/select?q=*:*'
+ assert_output --partial '"numFound":0'
+}
+
+@test "use different hostname when not checking peer-name" {
+ # Create a keystore
+ export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+ mkdir -p "$ssl_dir"
+ (
+ cd "$ssl_dir"
+ rm -f solr-ssl.keystore.p12 solr-ssl.pem
+ # Using a CN that is not localhost, as we will not be checking peer-name
+ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext "SAN=DNS:test.solr.apache.org,IP:127.0.0.1" -dname "CN=test.solr.apache.org, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
+ openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem -passin pass:secret -passout pass:secret
+ )
+
+ # Set ENV_VARs so that Solr uses this keystore
+ export SOLR_SSL_ENABLED=true
+ export SOLR_SSL_KEY_STORE=$ssl_dir/solr-ssl.keystore.p12
+ export SOLR_SSL_KEY_STORE_PASSWORD=secret
+ export SOLR_SSL_TRUST_STORE=$ssl_dir/solr-ssl.keystore.p12
+ export SOLR_SSL_TRUST_STORE_PASSWORD=secret
+ export SOLR_SSL_NEED_CLIENT_AUTH=false
+ export SOLR_SSL_WANT_CLIENT_AUTH=false
+ export SOLR_SSL_CHECK_PEER_NAME=false
+ # Remove later when SOLR-16963 is resolved
+ export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
+ export SOLR_HOST=localhost
+
+ solr start -c
+ solr assert --started https://localhost:8983/solr --timeout 5000
+
+ run solr create -c test -s 2
+ assert_output --partial "Created collection 'test'"
+
+ run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -k 'https://localhost:8983/solr/test/select?q=*:*'
assert_output --partial '"numFound":0'
+
+ export SOLR_SSL_CHECK_PEER_NAME=true
+ # Remove later when SOLR-16963 is resolved
+ export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
+
+ # This should fail the peername check
+ run ! solr api -get 'https://localhost:8983/solr/test/select?q=*:*'
+ assert_output --partial 'Server refused connection'
}
@test "start solr with ssl and auth" {
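Review bot: The `-k` on the curl call in "use different hostname when not checking peer-name" switches off certificate verification entirely, so the `--cacert "$ssl_dir/solr-ssl.pem"` next to it is a no-op and the positive check would pass against any certificate the server presented, including an untrusted one. Since the generated certificate carries `IP:127.0.0.1` in its SAN, the request can keep verification on while still using a name that does not match the CN, exactly as the preceding test already does: `run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" 'https://127.0.0.1:8983/solr/test/select?q=*:*'`. The negative check asserts only the generic text 'Server refused connection', which presumably also appears for any unrelated connection failure, so it is worth confirming whether `solr api` surfaces a handshake-specific message that can be asserted instead. The two SOLR-16963 workaround exports are correctly flagged for removal, but a comment noting that `SOLR_SSL_CHECK_PEER_NAME` alone is expected to control this once that issue lands would help whoever cleans them up.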
@@ -155,3 +198,247 @@ teardown() {
run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
assert_output --partial '"urlScheme":"https"'
}
+
+@test "start solr with mTLS needed" {
+ # Make a test tmp dir, as the security policy includes TMP, so that might already contain the BATS_TEST_TMPDIR
+ test_tmp_dir="${BATS_TEST_TMPDIR}/tmp"
+ mkdir -p "${test_tmp_dir}"
+ test_tmp_dir="$(cd -P "${test_tmp_dir}" && pwd)"
+
+ export SOLR_SECURITY_MANAGER_ENABLED=true
+ export SOLR_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+ export SOLR_TOOL_OPTS="-Djava.io.tmpdir=${test_tmp_dir} -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
+
+ export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+ export server_ssl_dir="${ssl_dir}/server"
+ export client_ssl_dir="${ssl_dir}/client"
+
+ # Create a root & intermediary CA
+ echo "${ssl_dir}"
+ mkdir -p "${ssl_dir}"
+ (
+ cd "$ssl_dir"
+ rm -f root.p12 root.pem ca.p12 ca.pem
+
+ keytool -genkeypair -keystore root.p12 -storetype PKCS12 -keypass secret -storepass secret -alias root -ext bc:c -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore ca.p12 -storetype PKCS12 -keypass secret -storepass secret -alias ca -ext bc:c -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+
+ keytool -keystore root.p12 -storetype PKCS12 -storepass secret -alias root -exportcert -rfc > root.pem
+
+ keytool -storepass secret -storetype PKCS12 -keystore ca.p12 -certreq -alias ca | \
+ keytool -storepass secret -keystore root.p12 -storetype PKCS12 \
+ -gencert -alias root -ext BC=0 -rfc > ca.pem
+ keytool -keystore ca.p12 -importcert -storetype PKCS12 -storepass secret -alias root -file root.pem -noprompt
+ keytool -keystore ca.p12 -importcert -storetype PKCS12 -storepass secret -alias ca -file ca.pem
+ )
+ # Create a server keystore & truststore
+ mkdir -p "$server_ssl_dir"
+ (
+ cd "$server_ssl_dir"
+ rm -f solr-server.keystore.p12 server.pem solr-server.truststore.p12
+
+ # Create a keystore and certificate
+ keytool -genkeypair -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -alias server -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+
+ # Trust the keystore cert with the CA
+ keytool -storepass server-key -keystore solr-server.keystore.p12 -storetype PKCS12 -certreq -alias server | \
+ keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
+ -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=serverAuth -rfc > server.pem
+ keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias server -file server.pem
+
+ # Create a truststore with just the Root CA
+ keytool -keystore solr-server.truststore.p12 -storetype PKCS12 -keypass server-trust -storepass server-trust -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-server.truststore.p12 -storetype PKCS12 -keypass server-trust -storepass server-trust -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ )
+ # Create a client keystore & truststore
+ mkdir -p "$client_ssl_dir"
+ (
+ cd "$client_ssl_dir"
+ rm -f solr-client.keystore.p12 client.pem solr-client.truststore.p12
+
+ # Create a keystore and certificate
+ keytool -genkeypair -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -alias client -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+
+ # Trust the keystore cert with the CA
+ keytool -storepass client-key -keystore solr-client.keystore.p12 -storetype PKCS12 -certreq -alias client | \
+ keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
+ -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=clientAuth -rfc > client.pem
+ keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias client -file client.pem
+
+ # Create a truststore with just the Root CA
+ keytool -keystore solr-client.truststore.p12 -storetype PKCS12 -keypass client-trust -storepass client-trust -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-client.truststore.p12 -storetype PKCS12 -keypass client-trust -storepass client-trust -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ )
+
+ # Set ENV_VARs so that Solr uses this keystore
+ export SOLR_SSL_ENABLED=true
+ export SOLR_SSL_KEY_STORE="$server_ssl_dir/solr-server.keystore.p12"
+ export SOLR_SSL_KEY_STORE_PASSWORD=server-key
+ export SOLR_SSL_KEY_STORE_TYPE=PKCS12
+ export SOLR_SSL_TRUST_STORE="$server_ssl_dir/solr-server.truststore.p12"
+ export SOLR_SSL_TRUST_STORE_PASSWORD=server-trust
+ export SOLR_SSL_TRUST_STORE_TYPE=PKCS12
+ export SOLR_SSL_CLIENT_KEY_STORE="$client_ssl_dir/solr-client.keystore.p12"
+ export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=client-key
+ export SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
+ export SOLR_SSL_CLIENT_TRUST_STORE="$client_ssl_dir/solr-client.truststore.p12"
+ export SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=client-trust
+ export SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
+ export SOLR_SSL_NEED_CLIENT_AUTH=true
+ export SOLR_SSL_WANT_CLIENT_AUTH=false
+ export SOLR_SSL_CHECK_PEER_NAME=true
+ export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
+ export SOLR_HOST=localhost
+
+ solr start -c
+ solr start -c -z localhost:9983 -p 8984
+
+ export SOLR_SSL_KEY_STORE=
+ export SOLR_SSL_KEY_STORE_PASSWORD=
+ export SOLR_SSL_TRUST_STORE=
+ export SOLR_SSL_TRUST_STORE_PASSWORD=
+
+ solr assert --started https://localhost:8983/solr --timeout 5000
+ solr assert --started https://localhost:8984/solr --timeout 5000
+
+ run solr create -c test -s 2
+ assert_output --partial "Created collection 'test'"
+
+ run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
+ assert_output --partial '"urlScheme":"https"'
+
+ run solr api -get 'https://localhost:8984/solr/test/select?q=*:*&rows=0'
+ assert_output --partial '"numFound":0'
+
+ export SOLR_SSL_CLIENT_KEY_STORE=
+ export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+
+ run ! solr api -get 'https://localhost:8983/solr/test/select?q=*:*&rows=0'
+ assert_output --partial 'Server refused connection'
+}
+
+@test "start solr with mTLS wanted" {
+ # Make a test tmp dir, as the security policy includes TMP, so that might already contain the BATS_TEST_TMPDIR
+ test_tmp_dir="${BATS_TEST_TMPDIR}/tmp"
+ mkdir -p "${test_tmp_dir}"
+ test_tmp_dir="$(cd -P "${test_tmp_dir}" && pwd)"
+
+ export SOLR_SECURITY_MANAGER_ENABLED=true
+ export SOLR_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+ export SOLR_TOOL_OPTS="-Djava.io.tmpdir=${test_tmp_dir} -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
+
+ export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+ export server_ssl_dir="${ssl_dir}/server"
+ export client_ssl_dir="${ssl_dir}/client"
+
+ # Create a root & intermediary CA
+ echo "${ssl_dir}"
+ mkdir -p "${ssl_dir}"
+ (
+ cd "$ssl_dir"
+ rm -f root.p12 root.pem ca.p12 ca.pem
+
+ keytool -genkeypair -keystore root.p12 -storetype PKCS12 -keypass secret -storepass secret -alias root -ext bc:c -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore ca.p12 -storetype PKCS12 -keypass secret -storepass secret -alias ca -ext bc:c -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+
+ keytool -keystore root.p12 -storetype PKCS12 -storepass secret -alias root -exportcert -rfc > root.pem
+
+ keytool -storepass secret -storetype PKCS12 -keystore ca.p12 -certreq -alias ca | \
+ keytool -storepass secret -keystore root.p12 -storetype PKCS12 \
+ -gencert -alias root -ext BC=0 -rfc > ca.pem
+ keytool -keystore ca.p12 -importcert -storetype PKCS12 -storepass secret -alias root -file root.pem -noprompt
+ keytool -keystore ca.p12 -importcert -storetype PKCS12 -storepass secret -alias ca -file ca.pem
+ )
+ # Create a server keystore & truststore
+ mkdir -p "$server_ssl_dir"
+ (
+ cd "$server_ssl_dir"
+ rm -f solr-server.keystore.p12 server.pem solr-server.truststore.p12
+
+ # Create a keystore and certificate
+ keytool -genkeypair -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -alias server -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+
+ # Trust the keystore cert with the CA
+ keytool -storepass server-key -keystore solr-server.keystore.p12 -storetype PKCS12 -certreq -alias server | \
+ keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
+ -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=serverAuth -rfc > server.pem
+ keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias server -file server.pem
+
+ # Create a truststore with just the Root CA
+ keytool -keystore solr-server.truststore.p12 -storetype PKCS12 -keypass server-trust -storepass server-trust -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-server.truststore.p12 -storetype PKCS12 -keypass server-trust -storepass server-trust -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ )
+ # Create a client keystore & truststore
+ mkdir -p "$client_ssl_dir"
+ (
+ cd "$client_ssl_dir"
+ rm -f solr-client.keystore.p12 client.pem solr-client.truststore.p12
+
+ # Create a keystore and certificate
+ keytool -genkeypair -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -alias client -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+
+ # Trust the keystore cert with the CA
+ keytool -storepass client-key -keystore solr-client.keystore.p12 -storetype PKCS12 -certreq -alias client | \
+ keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
+ -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=clientAuth -rfc > client.pem
+ keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias client -file client.pem
+
+ # Create a truststore with just the Root CA
+ keytool -keystore solr-client.truststore.p12 -storetype PKCS12 -keypass client-trust -storepass client-trust -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
+ keytool -keystore solr-client.truststore.p12 -storetype PKCS12 -keypass client-trust -storepass client-trust -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
+ )
+
+ # Set ENV_VARs so that Solr uses this keystore
+ export SOLR_SSL_ENABLED=true
+ export SOLR_SSL_KEY_STORE="$server_ssl_dir/solr-server.keystore.p12"
+ export SOLR_SSL_KEY_STORE_PASSWORD=server-key
+ export SOLR_SSL_KEY_STORE_TYPE=PKCS12
+ export SOLR_SSL_TRUST_STORE="$server_ssl_dir/solr-server.truststore.p12"
+ export SOLR_SSL_TRUST_STORE_PASSWORD=server-trust
+ export SOLR_SSL_TRUST_STORE_TYPE=PKCS12
+ export SOLR_SSL_CLIENT_KEY_STORE="$client_ssl_dir/solr-client.keystore.p12"
+ export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=client-key
+ export SOLR_SSL_CLIENT_KEY_STORE_TYPE=PKCS12
+ export SOLR_SSL_CLIENT_TRUST_STORE="$client_ssl_dir/solr-client.truststore.p12"
+ export SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=client-trust
+ export SOLR_SSL_CLIENT_TRUST_STORE_TYPE=PKCS12
+ export SOLR_SSL_NEED_CLIENT_AUTH=false
+ export SOLR_SSL_WANT_CLIENT_AUTH=true
+ export SOLR_SSL_CHECK_PEER_NAME=true
+ export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
+ export SOLR_HOST=localhost
+
+ solr start -c
+ solr start -c -z localhost:9983 -p 8984
+
+ export SOLR_SSL_KEY_STORE=
+ export SOLR_SSL_KEY_STORE_PASSWORD=
+ export SOLR_SSL_TRUST_STORE=
+ export SOLR_SSL_TRUST_STORE_PASSWORD=
+
+ solr assert --started https://localhost:8983/solr --timeout 5000
+ solr assert --started https://localhost:8984/solr --timeout 5000
+
+ run solr create -c test -s 2
+ assert_output --partial "Created collection 'test'"
+
+ run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
+ assert_output --partial '"urlScheme":"https"'
+
+ run solr api -get 'https://localhost:8984/solr/test/select?q=*:*&rows=0'
+ assert_output --partial '"numFound":0'
+
+ export SOLR_SSL_CLIENT_KEY_STORE=
+ export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+
+ run solr api -get 'https://localhost:8983/solr/test/select?q=*:*&rows=0'
+ assert_output --partial '"numFound":0'
+}