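#!/usr/bin/env bash
# Usage: test_tls.sh namespace
#
# Smoke test for the ZooKeeper TLS setup of the test cluster in NAMESPACE:
#   1. a plaintext connection must be rejected,
#   2. a connection with the client key/trust store must succeed,
#   3. a connection with the (wrong) quorum key/trust store must be rejected.
# Exits 0 only when all three checks pass; any failure exits 1.
#
# This file is a Jinja2 template (see the `{% %}` tags): the port depends on
# whether TLS is enabled in the test scenario.
set -euo pipefail

: "${1:?Usage: ${0##*/} namespace}"
readonly NAMESPACE=$1
{% if test_scenario['values']['use-client-auth-tls'] == 'true' or test_scenario['values']['use-server-tls'] == 'true' %}
readonly SERVER="test-zk-server.${NAMESPACE}.svc.cluster.local:2282"
{% else %}
readonly SERVER="test-zk-server.${NAMESPACE}.svc.cluster.local:2181"
{% endif %}
readonly ZK_CLI=/stackable/zookeeper/bin/zkCli.sh
readonly ZOO_CFG=/stackable/rwconfig/zoo.cfg

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the value of a `key=value` line from zoo.cfg.
# Globals:   ZOO_CFG (read)
# Arguments: $1 - key, matched exactly (e.g. ssl.keyStore.password)
# Outputs:   everything after the first '=' of the first matching line
# Returns:   1 when the key is not present
#######################################
cfg_value() {
  local wanted=$1 key value
  # `read` hands the rest of the line to `value`, so a password that itself
  # contains '=' is kept whole (the earlier `cut -d= -f2` truncated it), and an
  # exact key comparison no longer picks up commented-out or similarly named
  # keys the way an unanchored grep did.
  # NOTE(review): assumes `key=value` without whitespace around '=' — the same
  # assumption the previous grep|cut made; confirm against the rendered zoo.cfg.
  while IFS='=' read -r key value || [[ -n "${key}" ]]; do
    if [[ "${key}" == "${wanted}" ]]; then
      printf '%s\n' "${value}"
      return 0
    fi
  done < "${ZOO_CFG}"
  return 1
}

#######################################
# Build the JVM flags that make zkCli.sh use TLS with a given key/trust store.
# Arguments: $1 - directory holding keystore.p12 and truststore.p12
#            $2 - password for both stores
# Outputs:   the flags, space separated, on stdout
#######################################
tls_client_flags() {
  local tls_dir=$1 password=$2
  local flags=(
    -Dzookeeper.authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
    -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
    -Dzookeeper.client.secure=true
    "-Dzookeeper.ssl.keyStore.location=${tls_dir}/keystore.p12"
    "-Dzookeeper.ssl.keyStore.password=${password}"
    "-Dzookeeper.ssl.trustStore.location=${tls_dir}/truststore.p12"
    "-Dzookeeper.ssl.trustStore.password=${password}"
  )
  # Joined with a single space (default IFS); zkCli.sh word-splits the value.
  printf '%s\n' "${flags[*]}"
}

#######################################
# Run one `ls /` against SERVER with whatever CLIENT_JVMFLAGS is exported.
# Globals:   ZK_CLI, SERVER (read)
# Returns:   zkCli.sh's exit status; its output is discarded
#######################################
can_connect() {
  "${ZK_CLI}" -server "${SERVER}" ls / &> /dev/null
}

# just to be safe... start from a clean environment so the first attempt is a
# genuine plaintext connection and no stale credentials leak into later steps.
unset QUORUM_STORE_SECRET CLIENT_STORE_SECRET CLIENT_JVMFLAGS
echo "Start TLS testing..."
############################################################################
# Test the plaintext unsecured connection
############################################################################
if can_connect; then
  echo "[ERROR] Could establish unsecure connection!"
  exit 1
fi
echo "[SUCCESS] Could not establish unsecure connection!"
############################################################################
# We set the correct client tls credentials and expect to be able to connect
############################################################################
# The store passwords are handed to zkCli.sh as -D system properties, which
# presumably puts them on the java command line (readable by anything that can
# list processes in this pod). Acceptable for a throw-away test pod, but do not
# copy this pattern into production tooling.
CLIENT_STORE_SECRET=$(cfg_value ssl.keyStore.password) \
  || die "[ERROR] ssl.keyStore.password not found in ${ZOO_CFG}"
export CLIENT_STORE_SECRET
CLIENT_JVMFLAGS=$(tls_client_flags /stackable/server_tls "${CLIENT_STORE_SECRET}")
export CLIENT_JVMFLAGS
if ! can_connect; then
  echo "[ERROR] Could not establish secure connection using client certificates!"
  exit 1
fi
echo "[SUCCESS] Secure and authenticated client connection established!"
############################################################################
# We set the (wrong) quorum tls credentials and expect to fail (wrong certificate)
############################################################################
QUORUM_STORE_SECRET=$(cfg_value ssl.quorum.keyStore.password) \
  || die "[ERROR] ssl.quorum.keyStore.password not found in ${ZOO_CFG}"
export QUORUM_STORE_SECRET
CLIENT_JVMFLAGS=$(tls_client_flags /stackable/quorum_tls "${QUORUM_STORE_SECRET}")
export CLIENT_JVMFLAGS
if can_connect; then
  echo "[ERROR] Could establish secure connection with quorum certificates (should not be happening)!"
  exit 1
fi
echo "[SUCCESS] Could not establish secure connection with (wrong) quorum certificates!"
echo "All TLS tests successful!"
exit 0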