Merge pull request #1985 from robgolebiowski/5.7_keyring_vault_removi…

…ng_keys_from_vault

PS-256: keys created by keyring_vault MTR tests are not removed from

mysql-test/std_data/keyring_vault_confs/keyring_vault_mtr_invalid_token_template.conf

@@ -1,4 +1,4 @@
 vault_url = https://vault.public-ci.percona.com:8200
-secret_mount_point = secret
+secret_mount_point = SECRET_MOUNT_POINT_TAG
 token = 58a90c08-8001-fd5f-6192-7498a48eaf20
 vault_ca = MYSQL_TEST_DIR/std_data/keyring_vault_confs/vault_ca.crt

mysql-test/std_data/keyring_vault_confs/keyring_vault_mtr_template1.conf

@@ -1,4 +1,4 @@
 vault_url = https://vault.public-ci.percona.com:8200
-secret_mount_point = secret
+secret_mount_point = SECRET_MOUNT_POINT_TAG
 token = 58a90c08-8001-fd5f-6192-7498a48eaf2a
 vault_ca = MYSQL_TEST_DIR/std_data/keyring_vault_confs/vault_ca.crt

mysql-test/std_data/keyring_vault_confs/keyring_vault_mtr_template2.conf

@@ -1,4 +1,4 @@
 vault_url = https://vault.public-ci.percona.com:8400
-secret_mount_point = secret
+secret_mount_point = SECRET_MOUNT_POINT_TAG
 token = 25cc5351-f5a7-a2c0-335b-065d6424f1b3
 vault_ca = MYSQL_TEST_DIR/std_data/keyring_vault_confs/vault_ca.crt

plugin/keyring_vault/tests/mtr/generate_conf_file.inc

@@ -1,17 +1,20 @@
 let KEYRING_CONF_FILE_TO_GENERATE=$KEYRING_CONF_FILE_TO_GENERATE;
 let KEYRING_CONF_TEMPLATE_FILE=$KEYRING_CONF_TEMPLATE_FILE;
 let MYSQL_TEST_DIR=$MYSQL_TEST_DIR;
+let SERVER_UUID= query_get_value(SELECT @@SERVER_UUID, @@SERVER_UUID, 1);
 
 --perl
   use strict;
   my $mysql_test_dir= $ENV{MYSQL_TEST_DIR} or die "Need MYSQL_TEST_DIR";
+  my $server_uuid= $ENV{SERVER_UUID} or die "Server uuid not set";
   my $keyring_conf_template_file= $ENV{KEYRING_CONF_TEMPLATE_FILE} or die "Need KEYRING_CONF_TEMPLATE_FILE";
   my $keyring_conf_file_to_generate= $ENV{'KEYRING_CONF_FILE_TO_GENERATE'} or die("KEYRING_CONF_FILE_TO_GENERATE not set\n");
   open CONF_FILE, ">", "$keyring_conf_file_to_generate" or die "Could not open configuration file: ${keyring_conf_file_to_generate}.\n";
   open CONF_TEMPLATE_FILE, "<", "$keyring_conf_template_file" or die "Could not open configuration template file: ${keyring_conf_template_file}.\n";
   while (my $row = <CONF_TEMPLATE_FILE>)
   {
     $row =~ s/MYSQL_TEST_DIR/$mysql_test_dir/g;
+    $row =~ s/SECRET_MOUNT_POINT_TAG/$server_uuid/g;
     print CONF_FILE $row;
   }
   close(CONF_FILE);

plugin/keyring_vault/tests/mtr/key_rotation_qa.test

@@ -27,6 +27,13 @@ call mtr.add_suppression("\\[ERROR\\] InnoDB: Failed to decrpt encryption inform
 
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc
+
 # Invalid syntax
 --error ER_PARSE_ERROR
 ALTER INSTANCE ROTATE MYISAM MASTER KEY;
@@ -182,8 +189,11 @@ SELECT * FROM t5;
 
 # Cleanup
 DROP TABLE t1,t2,t5,t12,t10;
+
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
---source vault_cleanup.inc
+--source mount_point_service.inc
 --echo #End:

plugin/keyring_vault/tests/mtr/keyring_udf.test

@@ -11,6 +11,13 @@ call mtr.add_suppression("Error while storing key: key_id cannot be empty");
 
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc
+
 let server_uuid = query_get_value(SELECT @@SERVER_UUID, @@SERVER_UUID, 1);
 
 --echo # Check what happens when we have not yet loaded keyring_udf or keyring_vault
@@ -161,3 +168,10 @@ drop function keyring_key_remove;
 drop function keyring_key_generate;
 drop function keyring_key_type_fetch;
 drop function keyring_key_length_fetch;
+
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/keyring_vault_config_qa.test

@@ -15,6 +15,11 @@ call mtr.add_suppression("\\[ERROR\\] Plugin keyring_vault reported: 'Error whil
 
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+
 # Installing keyring plugin.
 --replace_regex /\.dll/.so/
 eval INSTALL PLUGIN keyring_vault SONAME '$KEYRING_VAULT_PLUGIN';
@@ -76,7 +81,10 @@ FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_vault';
 
 # Cleanup
 DROP TABLE t1;
+
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc
 --echo
 --echo #End:

plugin/keyring_vault/tests/mtr/keyring_vault_thd_wait.test

@@ -4,6 +4,12 @@
 --source include/have_debug.inc
 
 --source generate_default_conf_files.inc
+
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+
 let $restart_parameters = restart: --early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --keyring_vault_config=$KEYRING_CONF_FILE_1 $KEYRING_VAULT_PLUGIN_OPT;
 --replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR $KEYRING_PLUGIN keyring_vault.so $KEYRING_VAULT_PLUGIN_OPT KEYRING_VAULT_PLUGIN_OPT
 --source include/restart_mysqld.inc
@@ -24,5 +30,8 @@ SELECT * FROM t1;
 # cleanup
 SET SESSION debug="-d,vault_network_lag";
 DROP TABLE t1;
+
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/mount_point_service.inc

@@ -0,0 +1,68 @@
+# Creates or deletes secret mount point specified in keyring_vault configuration file
+# Mount point is :
+#  - created when MOUNT_POINT_SERVICE_OP is set to CREATE
+#  - deleted when MOUNT_POINT_SERVICE_OP is set to DELETE
+
+# The sourcing test needs to set $KEYRING_CONF_FILE variable to
+# the location of keyring_vault configuration file and
+# MOUNT_POINT_SERVICE_OP variable to CREATE or DELETE
+let KEYRING_CONF_FILE=$KEYRING_CONF_FILE;
+let SERVER_UUID= query_get_value(SELECT @@SERVER_UUID, @@SERVER_UUID, 1);
+let MOUNT_POINT_SERVICE_OP=$MOUNT_POINT_SERVICE_OP;
+
+--perl
+  use strict;
+  use MIME::Base64 qw( decode_base64 );
+  my $keyring_conf_file= $ENV{'KEYRING_CONF_FILE'} or die("KEYRING_CONF_FILE not set\n");
+  my $server_uuid= $ENV{'SERVER_UUID'} or die("SERVER_UUID not set\n");
+  my $mount_point_service_op=$ENV{'MOUNT_POINT_SERVICE_OP'};
+  my $token;
+  my $vault_url;
+  my $secret_mount_point;
+  my $vault_ca;
+  my $CONF_FILE;
+  open(CONF_FILE, "$keyring_conf_file") or die("Could not open configuration file.\n");
+  while (my $row = <CONF_FILE>)
+  {
+    if ($row =~ m/token[ ]*=[ ]*(.*)/)
+    {
+      $token=$1;
+    }
+    elsif ($row =~ m/vault_url[ ]*=[ ]*(.*)/)
+    {
+      $vault_url=$1;
+    }
+    elsif ($row =~ m/secret_mount_point[ ]*= [ ]*(.*)/)
+    {
+      $secret_mount_point=$1;
+    }
+    elsif ($row =~ m/vault_ca[ ]*= [ ]*(.*)/)
+    {
+      $vault_ca=$1;
+    }
+  }
+  close(CONF_FILE);
+  if ($token eq "" || $vault_url eq "" || $secret_mount_point eq "")
+  {
+    die("Could not read vault credentials from configuration file.\n");
+  }
+
+  my $vault_ca_cert_opt= "";
+  if ($vault_ca)
+  {
+    $vault_ca_cert_opt= "--cacert $vault_ca";
+  }
+
+  if ($mount_point_service_op eq 'CREATE')
+  {
+    system(qq#curl -H "X-Vault-Token: $token" $vault_ca_cert_opt --data '{"type":"generic"}' --request POST $vault_url/v1/sys/mounts/$secret_mount_point#);
+  }
+  elsif ($mount_point_service_op eq 'DELETE')
+  {
+    system(qq#curl -H "X-Vault-Token: $token" $vault_ca_cert_opt -X DELETE $vault_url/v1/sys/mounts/$secret_mount_point#);
+  }
+  else
+  {
+    die("Mount point should be either created or deleted. The resulting operation is no-op");
+  }
+EOF

plugin/keyring_vault/tests/mtr/rpl_key_rotation.test

@@ -16,6 +16,13 @@ call mtr.add_suppression("The slave coordinator and worker threads are stopped")
 
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc
+
 --connection slave
 --replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
 eval SET @@global.keyring_vault_config='$KEYRING_CONF_FILE_2';
@@ -116,16 +123,18 @@ DROP TABLE t1,t2,t3,t4;
 --source include/sync_slave_sql_with_master.inc
 --source include/rpl_end.inc
 
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
 --connection master
---source vault_cleanup.inc
+--source mount_point_service.inc
 --connection slave
---source vault_cleanup.inc
+--source mount_point_service.inc
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
 --connection master
---source vault_cleanup.inc
+--source mount_point_service.inc
 --connection slave
---source vault_cleanup.inc
+--source mount_point_service.inc
 
 #reset keyring_vault_config variable to null
 UNINSTALL PLUGIN keyring_vault;

plugin/keyring_vault/tests/mtr/table_encrypt_1.test

@@ -1,7 +1,15 @@
 --source include/have_keyring_vault_plugin.inc
 --source generate_default_conf_files.inc
+
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+
 --let $keyring_restart_param=restart:--early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_1 $KEYRING_VAULT_PLUGIN_OPT
 --source include/table_encrypt_1.inc
 
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/table_encrypt_2.test

@@ -7,6 +7,14 @@
 --source include/not_embedded.inc
 
 --source generate_default_conf_files.inc
+
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc
+
 --let $keyring1_restart_param=restart:--early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_1 $KEYRING_VAULT_PLUGIN_OPT
 --let $keyring2_restart_param=restart:--early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_2 $KEYRING_VAULT_PLUGIN_OPT
 
@@ -19,7 +27,9 @@ eval SET @@global.keyring_vault_config="$KEYRING_CONF_FILE_1";
 
 --source include/table_encrypt_2.inc
 
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
---source vault_cleanup.inc
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/table_encrypt_3.test

@@ -1,9 +1,16 @@
 --source include/have_keyring_vault_plugin.inc
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+
 --let $keyring_plugin_name=keyring_vault
 --let $keyring_restart_param=restart: --early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_1 $KEYRING_VAULT_PLUGIN_OPT
 --source include/table_encrypt_3.inc
 
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/table_encrypt_4.test

@@ -1,8 +1,15 @@
 --source include/have_keyring_vault_plugin.inc
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc
+
 --let $keyring_restart_param=restart:--early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_2 $KEYRING_VAULT_PLUGIN_OPT
 --source include/table_encrypt_4.inc
 
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
---source vault_cleanup.inc
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/table_encrypt_5.test

@@ -4,6 +4,13 @@ call mtr.add_suppression("\\[ERROR\\] Plugin keyring_vault reported: 'keyring_va
 --source include/have_keyring_vault_plugin.inc
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
+--source mount_point_service.inc
+
 --let $keyring_plugin_name=keyring_vault
 --let $keyring1_restart_param= restart: --early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_1 $KEYRING_VAULT_PLUGIN_OPT
 --let $keyring2_restart_param= restart: --early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE_2 $KEYRING_VAULT_PLUGIN_OPT
@@ -12,7 +19,9 @@ call mtr.add_suppression("\\[ERROR\\] Plugin keyring_vault reported: 'keyring_va
 --let $set_keyring_variable_to_keyring1=SET @@global.keyring_vault_config='$KEYRING_CONF_FILE_1'
 --source include/table_encrypt_5.inc
 
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
---source vault_cleanup.inc
+--source mount_point_service.inc
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_2
---source vault_cleanup.inc
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/table_encrypt_debug.test

@@ -1,7 +1,16 @@
 --source include/have_keyring_vault_plugin.inc
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
 --let $keyring_restart_param=restart: --early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE $KEYRING_VAULT_PLUGIN_OPT
 --source include/table_encrypt_debug.inc
---source vault_cleanup.inc
+
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc

plugin/keyring_vault/tests/mtr/table_encrypt_kill.test

@@ -1,7 +1,16 @@
 --source include/have_keyring_vault_plugin.inc
 --source generate_default_conf_files.inc
 
+# Create mount points
+--let MOUNT_POINT_SERVICE_OP=CREATE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc
+
 --let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
 --let $keyring_restart_param=restart: --early-plugin-load="keyring_vault=$KEYRING_VAULT_PLUGIN" --loose-keyring_vault_config=$KEYRING_CONF_FILE $KEYRING_VAULT_PLUGIN_OPT
 --source include/table_encrypt_kill.inc
---source vault_cleanup.inc
+
+# Delete mount points
+--let MOUNT_POINT_SERVICE_OP=DELETE
+--let $KEYRING_CONF_FILE=$KEYRING_CONF_FILE_1
+--source mount_point_service.inc