diff --git a/shotover-proxy/benches/benches/cassandra.rs b/shotover-proxy/benches/benches/cassandra.rs
index a5dc3b55b..dca4d467f 100644
--- a/shotover-proxy/benches/benches/cassandra.rs
+++ b/shotover-proxy/benches/benches/cassandra.rs
@@ -1,6 +1,5 @@
 use cassandra_cpp::{PreparedStatement, Session, Statement};
 use criterion::{criterion_group, Criterion};
-use test_helpers::cert::generate_cassandra_test_certs;
 use test_helpers::connection::cassandra::{
 CassandraConnection, CassandraConnectionBuilder, CassandraDriver,
 };
@@ -260,7 +259,6 @@ impl BenchResources {
 .enable_all()
 .build()
 .unwrap();
-generate_cassandra_test_certs();
 let compose = DockerCompose::new(compose_file);
 let shotover = Some(
 tokio.block_on(ShotoverProcessBuilder::new_with_topology(shotover_topology).start()),
diff --git a/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/gen_certs.sh b/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/gen_certs.sh
deleted file mode 100755
index 8a88cf382..000000000
--- a/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/gen_certs.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-
-help()
-{
- echo "Generate keys for the Cassandra docker-compose"
- echo
- echo "Syntax: gen_certs [-o]"
- echo "options:"
- echo "o Overwrite the existing keyfiles"
- echo "c Clear the existing keyfiles"
- echo
-}
-
-clear()
-{
- rm -f *.p12 *.jks *.key *.csr *.srl *.crt
-}
-
-OVERWRITE=false
-
-while getopts ":hoc" option; do
- case $option in
- h) # display Help
- help
- exit;;
- o)
- OVERWRITE=true;;
- c)
- clear
- exit;;
- \?)
- echo "Error: Invalid option"
- exit;;
- esac
-done
-
-CURRENT_DIR="$PWD"
-SCRIPT_DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd "$SCRIPT_DIR"
-
-KEYSTORE=keystore.p12
-TRUSTSTORE=truststore.p12
-if [ -f "$TRUSTSTORE" ] && [ -f "$KEYSTORE" ] && [ "$OVERWRITE" = false ]; then
- echo "$KEYSTORE and $TRUSTSTORE already exist. Use -o to overwrite them."
- exit 0
-fi
-
-clear
-
-# Generate localhost_CA and localhost certs/keys
-openssl genrsa -out localhost_CA.key 4096
-openssl req -x509 -new -config localhost_CA.cfg -key localhost_CA.key -days 9999 -out localhost_CA.crt
-openssl genrsa -out localhost.key 4096
-openssl req -new -config localhost.cfg -key localhost.key -days 9999 -out localhost.csr
-openssl x509 -req -in localhost.csr -CA localhost_CA.crt -CAkey localhost_CA.key -CAcreateserial -days 9999 -out localhost.crt
-
-# generate keystore
-openssl pkcs12 -export -out keystore.p12 -inkey localhost.key -in localhost.crt -passout pass:password
-keytool -importkeystore -destkeystore keystore.jks -srcstoretype PKCS12 -srckeystore keystore.p12 -deststorepass "password" -srcstorepass "password"
-
-# generate truststore
-openssl pkcs12 -export -out truststore.p12 -inkey localhost.key -in localhost.crt -passout pass:password
-keytool -importkeystore -destkeystore truststore.jks -srcstoretype PKCS12 -srckeystore truststore.p12 -deststorepass "password" -srcstorepass "password"
-
-chmod o+rwx keystore.p12
-chmod o+rwx truststore.p12
-
-cd "$CURRENT_DIR"
-
-echo "finished generating certs"
diff --git a/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.cfg b/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.cfg
deleted file mode 100644
index 70c0df15a..000000000
--- a/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.cfg
+++ /dev/null
@@ -1,10 +0,0 @@
-[req]
-encrypt_key = no
-default_bits = 4096
-prompt = no
-default_md = sha256
-distinguished_name = dn
-
-[dn]
-CN = localhost
-
diff --git a/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.cfg b/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.cfg
deleted file mode 100644
index 2c13dcf20..000000000
--- a/shotover-proxy/example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.cfg
+++ /dev/null
@@ -1,54 +0,0 @@
-[req]
-encrypt_key = no
-default_bits = 4096
-prompt = no
-default_md = sha256
-distinguished_name = dn
-x509_extensions = v3_ca
-
-[dn]
-C = AU
-ST = QLD
-L = Brisbane
-O = shotover.io
-CN = shotover.io Shotover Test QLD
-
-[ca]
-default_ca = Shotover_CA
-
-[Shotover_CA]
-private_key = Shotover_CA.key
-certificate = Shotover_CA.crt
-new_certs_dir = certs/new/
-database = certs/database
-RANDFILE = certs/.rand
-default_md = sha256
-policy = policy_anything
-email_in_dn = false
-serial = certs/serial
-default_days = 365
-x509_extensions = v3_ca
-
-[policy_anything]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[v3_ca]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-basicConstraints = critical, CA:true
-keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
-extendedKeyUsage = serverAuth
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
diff --git a/shotover-proxy/example-configs/redis-cluster-tls/docker-compose-with-key.yaml b/shotover-proxy/example-configs/redis-cluster-tls/docker-compose-with-key.yaml
index 35e977c13..1908f869f 100644
--- a/shotover-proxy/example-configs/redis-cluster-tls/docker-compose-with-key.yaml
+++ b/shotover-proxy/example-configs/redis-cluster-tls/docker-compose-with-key.yaml
@@ -13,9 +13,9 @@ services:
 - 'REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5'
 - 'REDIS_TLS_PORT=6379'
 - 'REDIS_TLS_ENABLED=true'
- - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/redis.crt'
- - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/redis.key'
- - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/ca.crt'
+ - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/localhost.crt'
+ - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/localhost.key'
+ - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/localhost_CA.crt'
 - 'REDIS_TLS_AUTH_CLIENTS=yes'
 
 redis-node-1:
@@ -76,6 +76,6 @@ services:
 - 'REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5'
 - 'REDIS_TLS_PORT=6379'
 - 'REDIS_TLS_ENABLED=true'
- - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/redis.crt'
- - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/redis.key'
- - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/ca.crt'
+ - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/localhost.crt'
+ - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/localhost.key'
+ - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/localhost_CA.crt'
diff --git a/shotover-proxy/example-configs/redis-cluster-tls/docker-compose.yaml b/shotover-proxy/example-configs/redis-cluster-tls/docker-compose.yaml
index eb9180a7e..f275679bd 100644
--- a/shotover-proxy/example-configs/redis-cluster-tls/docker-compose.yaml
+++ b/shotover-proxy/example-configs/redis-cluster-tls/docker-compose.yaml
@@ -13,9 +13,9 @@ services:
 - 'REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5'
 - 'REDIS_TLS_PORT=6379'
 - 'REDIS_TLS_ENABLED=true'
- - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/redis.crt'
- - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/redis.key'
- - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/ca.crt'
+ - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/localhost.crt'
+ - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/localhost.key'
+ - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/localhost_CA.crt'
 - 'REDIS_TLS_AUTH_CLIENTS=no'
 
 redis-node-1:
@@ -76,6 +76,6 @@ services:
 - 'REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5'
 - 'REDIS_TLS_PORT=6379'
 - 'REDIS_TLS_ENABLED=true'
- - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/redis.crt'
- - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/redis.key'
- - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/ca.crt'
+ - 'REDIS_TLS_CERT_FILE=/usr/local/etc/redis/certs/localhost.crt'
+ - 'REDIS_TLS_KEY_FILE=/usr/local/etc/redis/certs/localhost.key'
+ - 'REDIS_TLS_CA_FILE=/usr/local/etc/redis/certs/localhost_CA.crt'
diff --git a/shotover-proxy/example-configs/redis-cluster-tls/topology-with-key.yaml b/shotover-proxy/example-configs/redis-cluster-tls/topology-with-key.yaml
index 810ebb03e..6e21687ec 100644
--- a/shotover-proxy/example-configs/redis-cluster-tls/topology-with-key.yaml
+++ b/shotover-proxy/example-configs/redis-cluster-tls/topology-with-key.yaml
@@ -9,9 +9,9 @@ chain_config: first_contact_points: ["127.0.0.1:2220", "127.0.0.1:2221", "127.0.0.1:2222", "127.0.0.1:2223", "127.0.0.1:2224", "127.0.0.1:2225"] connect_timeout_ms: 3000 tls: - certificate_authority_path: "example-configs/redis-tls/certs/ca.crt" - certificate_path: "example-configs/redis-tls/certs/redis.crt" - private_key_path: "example-configs/redis-tls/certs/redis.key" + certificate_authority_path: "example-configs/redis-tls/certs/localhost_CA.crt" + certificate_path: "example-configs/redis-tls/certs/localhost.crt" + private_key_path: "example-configs/redis-tls/certs/localhost.key" verify_hostname: false source_to_chain_mapping: redis_prod: redis_chain diff --git a/shotover-proxy/example-configs/redis-tls/redis-cli.sh b/shotover-proxy/example-configs/redis-tls/redis-cli.sh index e1a95b7c7..e5d8b1615 100755 --- a/shotover-proxy/example-configs/redis-tls/redis-cli.sh +++ b/shotover-proxy/example-configs/redis-tls/redis-cli.sh @@ -1,3 +1,3 @@ #!/bin/sh -redis-cli --tls --cert certs/redis.crt --key certs/redis.key --cacert certs/ca.crt "$@" +redis-cli --tls --cert certs/localhost.crt --key certs/redis.key --cacert certs/localhost_CA.crt "$@" diff --git a/shotover-proxy/example-configs/redis-tls/redis.conf b/shotover-proxy/example-configs/redis-tls/redis.conf index 9d2e47af8..800619c33 100644 --- a/shotover-proxy/example-configs/redis-tls/redis.conf +++ b/shotover-proxy/example-configs/redis-tls/redis.conf @@ -1,6 +1,6 @@ -tls-cert-file /usr/local/etc/redis/certs/redis.crt -tls-key-file /usr/local/etc/redis/certs/redis.key -tls-ca-cert-file /usr/local/etc/redis/certs/ca.crt +tls-cert-file /usr/local/etc/redis/certs/localhost.crt +tls-key-file /usr/local/etc/redis/certs/localhost.key +tls-ca-cert-file /usr/local/etc/redis/certs/localhost_CA.crt port 0 tls-port 6379 diff --git a/shotover-proxy/example-configs/redis-tls/topology.yaml b/shotover-proxy/example-configs/redis-tls/topology.yaml index aed9f5d3c..7efdc823a 100644 
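Review bot: The redis-cli.sh line still passes `--key certs/redis.key` while `--cert` and `--cacert` were moved to `certs/localhost.crt` and `certs/localhost_CA.crt`; generate_redis_test_certs in this same commit now writes the private key as `localhost.key` and no longer writes redis.key, so the script either fails to open the key or presents a stale one that does not match localhost.crt, which matters as soon as the server enforces client auth (`REDIS_TLS_AUTH_CLIENTS=yes` in the cluster compose). Change it to `redis-cli --tls --cert certs/localhost.crt --key certs/localhost.key --cacert certs/localhost_CA.crt "$@"`. The neighbouring redis.conf and topology hunks rename all three files consistently, so this one line is the only leftover.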
--- a/shotover-proxy/example-configs/redis-tls/topology.yaml
+++ b/shotover-proxy/example-configs/redis-tls/topology.yaml
@@ -7,18 +7,18 @@ sources:
 Redis:
 listen_addr: "127.0.0.1:6380"
 tls:
- certificate_authority_path: "example-configs/redis-tls/certs/ca.crt"
- certificate_path: "example-configs/redis-tls/certs/redis.crt"
- private_key_path: "example-configs/redis-tls/certs/redis.key"
+ certificate_authority_path: "example-configs/redis-tls/certs/localhost_CA.crt"
+ certificate_path: "example-configs/redis-tls/certs/localhost.crt"
+ private_key_path: "example-configs/redis-tls/certs/localhost.key"
 chain_config:
 redis_chain_tls:
 - RedisSinkSingle:
 remote_address: "localhost:1111"
 connect_timeout_ms: 3000
 tls:
- certificate_authority_path: "example-configs/redis-tls/certs/ca.crt"
- certificate_path: "example-configs/redis-tls/certs/redis.crt"
- private_key_path: "example-configs/redis-tls/certs/redis.key"
+ certificate_authority_path: "example-configs/redis-tls/certs/localhost_CA.crt"
+ certificate_path: "example-configs/redis-tls/certs/localhost.crt"
+ private_key_path: "example-configs/redis-tls/certs/localhost.key"
 verify_hostname: true
 source_to_chain_mapping:
 redis_prod: redis_chain_tls
diff --git a/test-helpers/src/cert.rs b/test-helpers/src/cert.rs
index 65b511b3d..7230e6aae 100644
--- a/test-helpers/src/cert.rs
+++ b/test-helpers/src/cert.rs
@@ -1,6 +1,6 @@
+use crate::docker_compose::run_command;
 use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa};
 use std::path::Path;
-use std::process::Command;
 
 pub fn generate_redis_test_certs(path: &Path) {
 let mut params = CertificateParams::default();
@@ -27,17 +27,36 @@ pub fn generate_redis_test_certs(path: &Path) {
 let cert = Certificate::from_params(params).unwrap();
 
 std::fs::create_dir_all(path).unwrap();
- std::fs::write(path.join("ca.crt"), ca_cert.serialize_pem().unwrap()).unwrap();
 std::fs::write(
- path.join("redis.crt"),
+ path.join("localhost_CA.crt"),
+ ca_cert.serialize_pem().unwrap(),
+ )
+ .unwrap();
+ std::fs::write(
+ path.join("localhost.crt"),
 cert.serialize_pem_with_signer(&ca_cert).unwrap(),
 )
 .unwrap();
- std::fs::write(path.join("redis.key"), cert.serialize_private_key_pem()).unwrap();
+ std::fs::write(path.join("localhost.key"), cert.serialize_private_key_pem()).unwrap();
 }
 
 pub fn generate_cassandra_test_certs() {
- Command::new("example-configs/docker-images/cassandra-tls-4.0.6/certs/gen_certs.sh")
- .output()
- .unwrap();
+ let path = Path::new("example-configs/docker-images/cassandra-tls-4.0.6/certs");
+ generate_redis_test_certs(path);
+ run_command(
+ "openssl",
+ &[
+ "pkcs12",
+ "-export",
+ "-out",
+ path.join("keystore.p12").to_str().unwrap(),
+ "-inkey",
+ path.join("localhost.key").to_str().unwrap(),
+ "-in",
+ path.join("localhost.crt").to_str().unwrap(),
+ "-passout",
+ "pass:password",
+ ],
+ )
+ .unwrap();
 }
diff --git a/test-helpers/src/connection/redis_connection.rs b/test-helpers/src/connection/redis_connection.rs
index 27e0e1995..b44644c1c 100644
--- a/test-helpers/src/connection/redis_connection.rs
+++ b/test-helpers/src/connection/redis_connection.rs
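Review bot: generate_cassandra_test_certs now emits only keystore.p12, whereas the deleted gen_certs.sh also built truststore.p12 plus keystore.jks/truststore.jks, and nothing in this commit touches the image's cassandra.yaml — if that config still names a truststore or a .jks path, the compose will start against a missing file, so either confirm the config references only keystore.p12 or add a second `run_command("openssl", ...)` export for the truststore. The literal `"pass:password"` is an unexplained coupling to whatever `keystore_password` the Cassandra side is configured with; a doc comment on the function would make it visible, e.g. `/// Regenerates the localhost CA/cert/key for the cassandra-tls-4.0.6 example and wraps them into keystore.p12; the password must match keystore_password in that image's cassandra.yaml.` Two things to verify rather than facts visible here: rcgen's `CertificateParams::default()` picks an ECDSA key rather than the 4096-bit RSA key the script generated, and OpenSSL 3 writes PKCS#12 with AES-256/PBKDF2 by default, which JVMs older than 8u301/11.0.12 cannot read — if the container rejects the keystore, `-legacy` (or explicit `-keypbe`/`-certpbe`) on the export is the fix. Finally, the script's `chmod o+rwx` was dropped with no replacement; that is fine if the container user can read 0644 files, otherwise a `std::fs::set_permissions` after the export is needed.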
@@ -35,9 +35,9 @@ pub async fn new_async(port: u16) -> redis::aio::Connection { pub async fn new_async_tls(port: u16) -> redis::aio::Connection { let address = "127.0.0.1"; - let certificate_authority_path = "example-configs/redis-tls/certs/ca.crt"; - let certificate_path = "example-configs/redis-tls/certs/redis.crt"; - let private_key_path = "example-configs/redis-tls/certs/redis.key"; + let certificate_authority_path = "example-configs/redis-tls/certs/localhost_CA.crt"; + let certificate_path = "example-configs/redis-tls/certs/localhost.crt"; + let private_key_path = "example-configs/redis-tls/certs/localhost.key"; crate::wait_for_socket_to_open(address, port);