GEODE-7852: test SNI against a 2-node Dockerizded cluster (apache#4951)
Bill authored Apr 14, 2020
1 parent d431f0d commit 9ce6b18
Showing 12 changed files with 214 additions and 13 deletions.
Expand Up @@ -124,7 +124,7 @@ public void performSimpleCQOverSNIProxy()
.port(15443)
.getExternalPort();
ClientCache cache = new ClientCacheFactory(gemFireProps)
.addPoolLocator("locator", 10334)
.addPoolLocator("locator-maeve", 10334)
.setPoolSocketFactory(ProxySocketFactories.sni("localhost",
proxyPort))
.setPoolSubscriptionEnabled(true)
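--- /dev/null
+++ b/PATH_NOT_SHOWN/DualServerSNIAcceptanceTest.java
@@ -0,0 +1,164 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+* agreements. See the NOTICE file distributed with this work for additional information regarding
+* copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance with the License. You may obtain a
+* copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software distributed under the License
+* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+* or implied. See the License for the specific language governing permissions and limitations under
+* the License.
+*/
+package org.apache.geode.client.sni;
+
+import static com.palantir.docker.compose.execution.DockerComposeExecArgument.arguments;
+import static com.palantir.docker.compose.execution.DockerComposeExecOption.options;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENDPOINT_IDENTIFICATION_ENABLED;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_TYPE;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_REQUIRE_AUTHENTICATION;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
+import static org.apache.geode.test.util.ResourceUtils.createTempFileFromResource;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Properties;
+
+import com.palantir.docker.compose.DockerComposeRule;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.apache.geode.cache.Region;
+import org.apache.geode.cache.RegionDestroyedException;
+import org.apache.geode.cache.client.ClientCache;
+import org.apache.geode.cache.client.ClientCacheFactory;
+import org.apache.geode.cache.client.ClientRegionShortcut;
+import org.apache.geode.cache.client.proxy.ProxySocketFactories;
+
+/**
+* These tests run against a 2-server, 1-locator Geode cluster. The servers and locator run inside
+* a (single) Docker container and are not route-able from the host (where this JUnit test is
+* running). Another Docker container is running the HAProxy image and it's set up as an SNI
+* gateway. The test connects to the gateway via SNI and the gateway (in one Docker container)
+* forwards traffic to Geode members (running in the other Docker container).
+*
+* The two servers, server-dolores, and server-clementine, each are members of their own distinct
+* groups: group-dolores, and group-clementine, respectively. Also each server has a separate
+* REPLICATE region on it: region-dolores, and region-clementine, respectively.
+*
+* This test creates a connection pool to each group in turn. For that group, the test verifies
+* it can update data to the region of interest. There's also a pair of negative tests that verify
+* the correct exception is thrown when an attempt is made to operate on an unreachable region.
+*/
+public class DualServerSNIAcceptanceTest {
+
+private static final URL DOCKER_COMPOSE_PATH =
+SingleServerSNIAcceptanceTest.class.getResource("docker-compose.yml");
+
+// Docker compose does not work on windows in CI. Ignore this test on windows
+// Using a RuleChain to make sure we ignore the test before the rule comes into play
+@ClassRule
+public static NotOnWindowsDockerRule docker =
+new NotOnWindowsDockerRule(() -> DockerComposeRule.builder()
+.file(DOCKER_COMPOSE_PATH.getPath()).build());
+
+private static Properties clientCacheProperties;
+private ClientCache cache;
+
+@BeforeClass
+public static void beforeClass() throws IOException, InterruptedException {
+docker.get().exec(options("-T"), "geode",
+arguments("gfsh", "run", "--file=/geode/scripts/geode-starter-2.gfsh"));
+
+final String trustStorePath =
+createTempFileFromResource(SingleServerSNIAcceptanceTest.class,
+"geode-config/truststore.jks")
+.getAbsolutePath();
+
+clientCacheProperties = new Properties();
+clientCacheProperties.setProperty(SSL_ENABLED_COMPONENTS, "all");
+clientCacheProperties.setProperty(SSL_KEYSTORE_TYPE, "jks");
+clientCacheProperties.setProperty(SSL_REQUIRE_AUTHENTICATION, "false");
+
+clientCacheProperties.setProperty(SSL_TRUSTSTORE, trustStorePath);
+clientCacheProperties.setProperty(SSL_TRUSTSTORE_PASSWORD, "geode");
+clientCacheProperties.setProperty(SSL_ENDPOINT_IDENTIFICATION_ENABLED, "true");
+}
+
+@After
+public void after() {
+ensureCacheClosed();
+}
+
+@Test
+public void successfulRoutingTest() {
+verifyPutAndGet("group-dolores", "region-dolores");
+}
+
+@Test
+public void successfulRoutingTest2() {
+verifyPutAndGet("group-clementine", "region-clementine");
+}
+
+@Test
+public void unreachabilityTest() {
+verifyUnreachable("group-dolores", "region-clementine");
+}
+
+@Test
+public void unreachabilityTest2() {
+verifyUnreachable("group-clementine", "region-dolores");
+}
+
+private void verifyUnreachable(final String groupName, final String regionName) {
+final Region<String, String> region = getRegion(groupName, regionName);
+assertThatThrownBy(() -> region.destroy("hello"))
+.hasCauseInstanceOf(RegionDestroyedException.class)
+.hasStackTraceContaining("was not found during destroy request");
+}
+
+private void verifyPutAndGet(final String groupName, final String regionName) {
+final Region<String, String> region = getRegion(groupName, regionName);
+region.destroy("hello");
+region.put("hello", "world");
+assertThat(region.get("hello")).isEqualTo("world");
+}
+
+/**
+* modifies cache field as a side-effect
+*/
+private Region<String, String> getRegion(final String groupName, final String regionName) {
+final int proxyPort = docker.get().containers()
+.container("haproxy")
+.port(15443)
+.getExternalPort();
+ensureCacheClosed();
+cache = new ClientCacheFactory(clientCacheProperties)
+.addPoolLocator("locator-maeve", 10334)
+.setPoolServerGroup(groupName)
+.setPoolSocketFactory(ProxySocketFactories.sni("localhost",
+proxyPort))
+.create();
+return cache.<String, String>createClientRegionFactory(ClientRegionShortcut.PROXY)
+.create(regionName);
+}
+
+/**
+* modifies cache field as a side-effect
+*/
+private void ensureCacheClosed() {
+if (cache != null) {
+cache.close();
+cache = null;
+}
+}
+
+}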
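Review bot: `DOCKER_COMPOSE_PATH` and the truststore lookup in `beforeClass` resolve their resources through `SingleServerSNIAcceptanceTest.class` instead of this class, so the new test's fixtures silently depend on a sibling test staying in the same package; `DualServerSNIAcceptanceTest.class.getResource("docker-compose.yml")` and `createTempFileFromResource(DualServerSNIAcceptanceTest.class, "geode-config/truststore.jks")` remove that coupling. The comment above the `@ClassRule` mentions a RuleChain, but what is declared is a `NotOnWindowsDockerRule` wrapping a `DockerComposeRule` supplier — it looks carried over and should describe what is actually there. The client properties combine `SSL_ENDPOINT_IDENTIFICATION_ENABLED` `"true"` with `SSL_REQUIRE_AUTHENTICATION` `"false"`, i.e. the client verifies the locator/server names against the committed test truststore but presents no certificate of its own; a one-line comment such as `// test-only TLS material: hostname verification on, no client cert, fixed truststore password` on those lines would make that deliberate and discourage copying the literal `"geode"` password into non-test configuration.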
Expand Up @@ -46,10 +46,20 @@
import org.apache.geode.cache.query.SelectResults;
import org.apache.geode.internal.cache.tier.sockets.BaseCommand;

public class ClientSNIAcceptanceTest {
/**
* This test runs against a 1-server, 1-locator Geode cluster. The server and locator run inside
* a (single) Docker container and are not route-able from the host (where this JUnit test is
* running). Another Docker container is running the HAProxy image and it's set up as an SNI
* gateway. The test connects to the gateway via SNI and the gateway (in one Docker container)
* forwards traffic to Geode members (running in the other Docker container).
*
* This test connects to the server and verifies it can write and read data in the region.
*/

public class SingleServerSNIAcceptanceTest {

private static final URL DOCKER_COMPOSE_PATH =
ClientSNIAcceptanceTest.class.getResource("docker-compose.yml");
SingleServerSNIAcceptanceTest.class.getResource("docker-compose.yml");

// Docker compose does not work on windows in CI. Ignore this test on windows
// Using a RuleChain to make sure we ignore the test before the rule comes into play
Expand All @@ -69,7 +79,7 @@ public static void beforeClass() throws IOException, InterruptedException {
arguments("gfsh", "run", "--file=/geode/scripts/geode-starter.gfsh"));

final String trustStorePath =
createTempFileFromResource(ClientSNIAcceptanceTest.class,
createTempFileFromResource(SingleServerSNIAcceptanceTest.class,
"geode-config/truststore.jks")
.getAbsolutePath();

Expand All @@ -94,7 +104,7 @@ public static void beforeClass() throws IOException, InterruptedException {
@AfterClass
public static void afterClass() throws Exception {
String logs = docker.get().exec(options("-T"), "geode",
arguments("cat", "server/server.log"));
arguments("cat", "server-dolores/server-dolores.log"));
System.out.println("server logs------------------------------------------");
System.out.println(logs);

Expand Down Expand Up @@ -185,7 +195,7 @@ protected static ClientCache getClientCache(Properties properties) {
.port(15443)
.getExternalPort();
return new ClientCacheFactory(properties)
.addPoolLocator("locator", 10334)
.addPoolLocator("locator-maeve", 10334)
.setPoolSocketFactory(ProxySocketFactories.sni("localhost",
proxyPort))
.create();
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Expand Up @@ -25,16 +25,20 @@ frontend sniproxy
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend locators if { req.ssl_sni -i locator }
use_backend servers if { req.ssl_sni -i server }
default_backend locators
use_backend locators-maeve if { req.ssl_sni -i locator-maeve }
use_backend servers-dolores if { req.ssl_sni -i server-dolores }
use_backend servers-clementine if { req.ssl_sni -i server-clementine }
default_backend locators-maeve
log stdout format raw local0 debug

backend locators
backend locators-maeve
mode tcp
server locator1 geode:10334

backend servers
backend servers-dolores
mode tcp
server server1 geode:40404

backend servers-clementine
mode tcp
server server1 geode:40405
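Review bot: `default_backend locators-maeve` still routes every ClientHello whose SNI matches none of the three `use_backend` ACLs to the locator, and — as far as I can tell from HAProxy's inspect-delay semantics — a connection that sends no ClientHello within the 5s `tcp-request inspect-delay` is also accepted and lands there, so a misnamed or non-TLS client fails inside Geode rather than at the gateway. That is acceptable for a test proxy, but the intent is not stated anywhere in the file; a comment above the default, `# fallback: absent or unrecognised SNI is sent to the locator`, would record it. If the fallback should instead be closed, a `tcp-request content reject if !{ req_ssl_hello_type 1 }` line after the existing `accept` rule would drop traffic that is not a TLS handshake. Note also that `-i` makes the SNI comparison case-insensitive, which is fine here but worth knowing when the member names in the gfsh scripts and keystores are changed.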
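--- /dev/null
+++ b/PATH_NOT_SHOWN/geode-starter-2.gfsh
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+start locator --name=locator-maeve --hostname-for-clients=locator-maeve --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-maeve-keystore.jks
+start server --name=server-dolores --group=group-dolores --hostname-for-clients=server-dolores --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-dolores-keystore.jks
+start server --name=server-clementine --group=group-clementine --hostname-for-clients=server-clementine --server-port=40405 --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-clementine-keystore.jks
+connect --locator=localhost[10334] --use-ssl=true --security-properties-file=/geode/config/gfsecurity.properties
+create region --name=region-dolores --group=group-dolores --type=REPLICATE
+create region --name=region-clementine --group=group-clementine --type=REPLICATE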
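Review bot: Both `start server` lines omit the `--max-heap=256m` that the single-server script keeps for `server-dolores`, so this script now starts two server JVMs plus a locator in one container with whatever heap the JVM defaults to; unless that was deliberate, adding `--max-heap=256m` to both servers keeps CI memory use bounded and the two scripts consistent. Only `server-clementine` sets `--server-port=40405`, while `server-dolores` relies on the default port that the HAProxy backend expects; an explicit `--server-port=40404` on `server-dolores` would make the port-to-backend mapping readable from this file alone. A header comment noting that each `--hostname-for-clients` value must match the name in the corresponding keystore — the client side enables SSL endpoint identification — would help whoever next renames a member, since a mismatch surfaces only as a TLS handshake failure in the test.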
Expand Up @@ -15,8 +15,8 @@
# limitations under the License.
#

start locator --name=locator --hostname-for-clients=locator --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-keystore.jks
start server --name=server --max-heap=256m --hostname-for-clients=server --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-keystore.jks
start locator --name=locator-maeve --hostname-for-clients=locator-maeve --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/locator-maeve-keystore.jks
start server --name=server-dolores --max-heap=256m --hostname-for-clients=server-dolores --locators=localhost[10334] --properties-file=/geode/config/gemfire.properties --security-properties-file=/geode/config/gfsecurity.properties --J=-Dgemfire.ssl-keystore=/geode/config/server-dolores-keystore.jks
connect --locator=localhost[10334] --use-ssl=true --security-properties-file=/geode/config/gfsecurity.properties
create region --name=jellyfish --type=REPLICATE
