Add certificates and test for testing mutual TLS #309

Open
wants to merge 1 commit into
base: main
from
12 changes: 12 additions & 0 deletions cht/tls/clickhouse_test_ca.crt
@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
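--- /dev/null
+++ b/cht/tls/clickhouse_test_ca.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJnlsMN+3VCxicEQcANLIM+4gMiItWwFam3moYINelVfoAoGCCqGSM49
+AwEHoUQDQgAE8ajzpmv1YDspmgGcE+KjB2SxAQJ2/awkkP/SBvjwenD0ibQG5fyA
+5vxhPv7ImbnqebPS1NXwIt4HCkLXKVPDnw==
+-----END EC PRIVATE KEY-----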
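Review bot: This commits a private key to the repository, as do cht/tls/clickhouse_test_client.key and cht/tls/clickhouse_test_server.key; even for a throwaway test CA, secret scanners and push protection will flag `EC PRIVATE KEY` PEM blocks on every future push, and nothing in these files states that they are deliberately public test material. Consider generating the CA, server and client key pairs at test setup with crypto/ecdsa and crypto/x509 and writing them to `t.TempDir()`, which also avoids the fixed certificates silently expiring at some future date. If the fixtures stay, add them to the repository's secret-scanning allowlist and note in the tls_test.go header comment that the keys are intentionally committed test fixtures with no production use.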
12 changes: 12 additions & 0 deletions cht/tls/clickhouse_test_client.crt
@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
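--- /dev/null
+++ b/cht/tls/clickhouse_test_client.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJOyEogF0IPoVr1hkJ9wjp/6zhUH1LDgtay+OjG1/9XnoAoGCCqGSM49
+AwEHoUQDQgAEgSGpHQVxsGnRl1Dq31z36vFFVLxNleU9jaQaUUyRbkBjz9jTkvWr
+sLGYmLBmXr7hT+PybQSG1VETLBvU8Q1HbQ==
+-----END EC PRIVATE KEY-----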
17 changes: 17 additions & 0 deletions cht/tls/clickhouse_test_server.crt
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
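--- /dev/null
+++ b/cht/tls/clickhouse_test_server.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHU7VYTo4pduP7Q2wlE4zgg0Ruh3KFlwfdz1EHIanFgIoAoGCCqGSM49
+AwEHoUQDQgAEYY4r6MtfA+O4tfCaoOpvciNe53TFgJLsj4VxS4FtT6VNsJNw76VG
+5ClMVD5SrDcLhxCieJHKWq668FhsSk9g5g==
+-----END EC PRIVATE KEY-----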
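--- /dev/null
+++ b/cht/tls/tls_test.go
@@ -0,0 +1,100 @@
+/*
+
+This optional test is for checking mutual TLS connectivity. It is normally disabled but can be enabled
+by setting the environment variable CH_GO_TLS_TESTS=True. You should also add server1.clickhouse.test
+as an alias to localhost in /etc/hosts, or otherwise ensure that server1.clickhouse.test points to
+your test clickhouse server.
+
+
+Configure your clickhouse server configuration using the certificates in this directory
+
+<openSSL>
+<server>
+<certificateFile>clickhouse_test_server.crt</certificateFile>
+<privateKeyFile>clickhouse_test_server.key</privateKeyFile>
+<verificationMode>strict</verificationMode>
+<caConfig>clickhouse_test_ca.crt</caConfig>
+<cacheSessions>true</cacheSessions>
+<disableProtocols>sslv2,sslv3,tlsv1</disableProtocols>
+<preferServerCiphers>true</preferServerCiphers>
+</server>
+</openSSL>
+
+Sample xml user for clickhouse server configuration (within the <users> element in users.xml)
+<cert_user>
+<ssl_certificates>
+<common_name>cert_user</common_name>
+</ssl_certificates>
+<profile>default</profile>
+</cert_user>
+
+*/
+
+package tls_test
+
+import (
+"context"
+"crypto/tls"
+"crypto/x509"
+"github.com/ClickHouse/ch-go"
+"github.com/ClickHouse/ch-go/chpool"
+"github.com/stretchr/testify/require"
+"os"
+"path/filepath"
+"runtime"
+"strconv"
+"testing"
+)
+
+func TestMutualTLS(t *testing.T) {
+if run, _ := strconv.ParseBool(os.Getenv("CH_GO_TLS_TESTS")); !run {
+t.Skip("Not configured to run TLS tests")
+}
+
+_, b, _, _ := runtime.Caller(0)
+testDir := filepath.Join(filepath.Dir(b), ".")
+
+certTxt, err := os.ReadFile(testDir + "/clickhouse_test_client.crt")
+require.NoError(t, err)
+
+certKey, err := os.ReadFile(testDir + "/clickhouse_test_client.key")
+require.NoError(t, err)
+
+cert, err := tls.X509KeyPair(certTxt, certKey)
+require.NoError(t, err)
+
+rootCA, err := os.ReadFile(testDir + "/clickhouse_test_ca.crt")
+require.NoError(t, err)
+
+caCertPool := x509.NewCertPool()
+caCertPool.AppendCertsFromPEM(rootCA)
+
+tlsCfg := tls.Config{
+Certificates: []tls.Certificate{cert},
+RootCAs: caCertPool,
+}
+
+opts := ch.Options{
+User: "cert_user",
+Password: "",
+Address: "server1.clickhouse.test:9440",
+TLS: &tlsCfg,
+}
+
+conn, err := ch.Dial(context.Background(), opts)
+require.NoError(t, err)
+require.NoError(t, conn.Ping(context.Background()))
+
+_ = conn.Close()
+
+pool, err := chpool.Dial(context.Background(), chpool.Options{
+ClientOptions: opts,
+MaxConns: 2,
+})
+
+require.NoError(t, err)
+require.NoError(t, pool.Ping(context.Background()))
+
+pool.Close()
+
+}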
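Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(rootCA)` is dropped, so a malformed or truncated CA file leaves the pool empty and the test only fails later inside `ch.Dial` with a generic verification error rather than at the cause; replace that line with `require.True(t, caCertPool.AppendCertsFromPEM(rootCA), "CA PEM did not parse")`. The positive path alone also cannot tell mutual TLS apart from server-only TLS: with the `verificationMode` strict server config described in the file header, a dial that omits `Certificates` should be rejected, and asserting that is what makes the test prove what its name claims. The `require.NoError` calls after `ch.Dial` and `chpool.Dial` call `FailNow` on failure and so skip the explicit `conn.Close()` / `pool.Close()`, so `defer conn.Close()` and `defer pool.Close()` right after each successful dial are safer. Finally, `filepath.Join(filepath.Dir(b), ".")` is a no-op join and the later `testDir + "/..."` concatenations should be `filepath.Join(testDir, "clickhouse_test_client.crt")` and so on.

```go
// … unchanged: skip check, path setup, client certificate loading …
require.True(t, caCertPool.AppendCertsFromPEM(rootCA), "CA PEM did not parse")

// … unchanged: tlsCfg, opts, positive Dial/Ping and pool checks …

// Negative case: with the server's verificationMode=strict a handshake that
// presents no client certificate must be refused, otherwise this test would
// also pass against a server that only does one-way TLS.
noCertCfg := tls.Config{RootCAs: caCertPool, MinVersion: tls.VersionTLS12}
noCertOpts := opts
noCertOpts.TLS = &noCertCfg
if c, err := ch.Dial(context.Background(), noCertOpts); err == nil {
	_ = c.Close()
	t.Fatal("connection without a client certificate was accepted")
}
```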