Merge branch 'trunk' into CASSANDRA-19480

Author: arjunashok

cassandra-analytics-integration-framework/build.gradle

@@ -75,7 +75,11 @@ dependencies {
         exclude group: 'junit', module: 'junit'
     }
     implementation("io.vertx:vertx-web-client:${project.vertxVersion}")
-    implementation group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: '2.14.3'
+    implementation(group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: '2.14.3')
+
+    // Bouncycastle dependencies for test certificate provisioning
+    implementation(group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: '1.78')
+    implementation(group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: '1.78')
 
     testImplementation(platform("org.junit:junit-bom:${project.junitVersion}"))
     testImplementation('org.junit.jupiter:junit-jupiter')

cassandra-analytics-integration-framework/src/main/java/org/apache/cassandra/distributed/impl/CassandraCluster.java

@@ -68,6 +68,7 @@ public class CassandraCluster<I extends IInstance> implements IClusterExtension<
         // java.lang.IllegalStateException: Can't load <CLASS>. Instance class loader is already closed.
         return className.equals("org.apache.cassandra.utils.concurrent.Ref$OnLeak")
                || className.startsWith("org.apache.cassandra.metrics.RestorableMeter")
+               || className.equals("org.apache.logging.slf4j.EventDataConverter")
                || (className.startsWith("org.apache.cassandra.analytics.") && className.contains("BBHelper"));
     };
 

cassandra-analytics-integration-framework/src/main/java/org/apache/cassandra/sidecar/testing/MtlsTestHelper.java

@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.testing;
+
+import java.nio.file.Path;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.cassandra.testing.utils.tls.CertificateBuilder;
+import org.apache.cassandra.testing.utils.tls.CertificateBundle;
+
+/**
+ * A class that encapsulates testing with Mutual TLS.
+ */
+public class MtlsTestHelper
+{
+    private static final Logger LOGGER = LoggerFactory.getLogger(MtlsTestHelper.class);
+    public static final char[] EMPTY_PASSWORD = new char[0];
+    public static final String EMPTY_PASSWORD_STRING = "";
+    /**
+     * A system property that can enable / disable testing with Mutual TLS
+     */
+    public static final String CASSANDRA_INTEGRATION_TEST_ENABLE_MTLS = "cassandra.integration.sidecar.test.enable_mtls";
+    private final boolean enableMtlsForTesting;
+    CertificateBundle certificateAuthority;
+    Path truststorePath;
+    Path serverKeyStorePath;
+    Path clientKeyStorePath;
+
+    public MtlsTestHelper(Path secretsPath) throws Exception
+    {
+        this(secretsPath, System.getProperty(CASSANDRA_INTEGRATION_TEST_ENABLE_MTLS, "false").equals("true"));
+    }
+
+    public MtlsTestHelper(Path secretsPath, boolean enableMtlsForTesting) throws Exception
+    {
+        this.enableMtlsForTesting = enableMtlsForTesting;
+        maybeInitializeSecrets(Objects.requireNonNull(secretsPath, "secretsPath cannot be null"));
+    }
+
+    void maybeInitializeSecrets(Path secretsPath) throws Exception
+    {
+        if (!enableMtlsForTesting)
+        {
+            return;
+        }
+
+        certificateAuthority =
+        new CertificateBuilder().subject("CN=Apache Cassandra Root CA, OU=Certification Authority, O=Unknown, C=Unknown")
+                                .alias("fakerootca")
+                                .isCertificateAuthority(true)
+                                .buildSelfSigned();
+        truststorePath = certificateAuthority.toTempKeyStorePath(secretsPath, EMPTY_PASSWORD, EMPTY_PASSWORD);
+
+        CertificateBuilder serverKeyStoreBuilder =
+        new CertificateBuilder().subject("CN=Apache Cassandra, OU=mtls_test, O=Unknown, L=Unknown, ST=Unknown, C=Unknown")
+                                .addSanDnsName("localhost");
+        // Add SANs for every potential hostname Sidecar will serve
+        for (int i = 1; i <= 20; i++)
+        {
+            serverKeyStoreBuilder.addSanDnsName("localhost" + i);
+        }
+
+        CertificateBundle serverKeyStore = serverKeyStoreBuilder.buildIssuedBy(certificateAuthority);
+        serverKeyStorePath = serverKeyStore.toTempKeyStorePath(secretsPath, EMPTY_PASSWORD, EMPTY_PASSWORD);
+        CertificateBundle clientKeyStore = new CertificateBuilder().subject("CN=Apache Cassandra, OU=mtls_test, O=Unknown, L=Unknown, ST=Unknown, C=Unknown")
+                                                                   .addSanDnsName("localhost")
+                                                                   .buildIssuedBy(certificateAuthority);
+        clientKeyStorePath = clientKeyStore.toTempKeyStorePath(secretsPath, EMPTY_PASSWORD, EMPTY_PASSWORD);
+    }
+
+    public boolean isEnabled()
+    {
+        return enableMtlsForTesting;
+    }
+
+    public String trustStorePath()
+    {
+        return truststorePath.toString();
+    }
+
+    public String trustStorePassword()
+    {
+        return EMPTY_PASSWORD_STRING;
+    }
+
+    public String trustStoreType()
+    {
+        return "PKCS12";
+    }
+
+    public String serverKeyStorePath()
+    {
+        return serverKeyStorePath.toString();
+    }
+
+    public String serverKeyStorePassword()
+    {
+        return EMPTY_PASSWORD_STRING;
+    }
+
+    public String serverKeyStoreType()
+    {
+        return "PKCS12";
+    }
+
+    public Map<String, String> mtlOptionMap()
+    {
+        if (!isEnabled())
+        {
+            return Collections.emptyMap();
+        }
+
+        LOGGER.info("Test mTLS certificate is enabled. "
+                    + "Will use test keystore as truststore so the client will trust the server");
+        Map<String, String> optionMap = new HashMap<>();
+        optionMap.put("truststore_path", trustStorePath());
+        optionMap.put("truststore_password", EMPTY_PASSWORD_STRING);
+        optionMap.put("truststore_type", trustStoreType());
+        optionMap.put("keystore_path", clientKeyStorePath.toString());
+        optionMap.put("keystore_password", EMPTY_PASSWORD_STRING);
+        optionMap.put("keystore_type", "PKCS12");
+        return optionMap;
+    }
+}

cassandra-analytics-integration-framework/src/main/java/org/apache/cassandra/sidecar/testing/SharedClusterIntegrationTestBase.java

@@ -39,6 +39,7 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.TestInstance;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.io.TempDir;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -72,10 +73,14 @@
 import org.apache.cassandra.sidecar.common.utils.DriverUtils;
 import org.apache.cassandra.sidecar.common.utils.SidecarVersionProvider;
 import org.apache.cassandra.sidecar.config.JmxConfiguration;
+import org.apache.cassandra.sidecar.config.KeyStoreConfiguration;
 import org.apache.cassandra.sidecar.config.ServiceConfiguration;
 import org.apache.cassandra.sidecar.config.SidecarConfiguration;
+import org.apache.cassandra.sidecar.config.SslConfiguration;
+import org.apache.cassandra.sidecar.config.yaml.KeyStoreConfigurationImpl;
 import org.apache.cassandra.sidecar.config.yaml.ServiceConfigurationImpl;
 import org.apache.cassandra.sidecar.config.yaml.SidecarConfigurationImpl;
+import org.apache.cassandra.sidecar.config.yaml.SslConfigurationImpl;
 import org.apache.cassandra.sidecar.exceptions.ThrowableUtils;
 import org.apache.cassandra.sidecar.server.MainModule;
 import org.apache.cassandra.sidecar.server.Server;
@@ -87,6 +92,7 @@
 import org.apache.cassandra.testing.TestVersion;
 import org.apache.cassandra.testing.TestVersionSupplier;
 
+import static org.apache.cassandra.sidecar.testing.MtlsTestHelper.CASSANDRA_INTEGRATION_TEST_ENABLE_MTLS;
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**
@@ -131,12 +137,16 @@ public abstract class SharedClusterIntegrationTestBase
     protected final Logger logger = LoggerFactory.getLogger(SharedClusterIntegrationTestBase.class);
     private static final int MAX_CLUSTER_PROVISION_RETRIES = 5;
 
+    @TempDir
+    static Path secretsPath;
+
     protected Vertx vertx;
     protected DnsResolver dnsResolver;
     protected IClusterExtension<? extends IInstance> cluster;
     protected Server server;
     protected Injector injector;
     protected TestVersion testVersion;
+    protected MtlsTestHelper mtlsTestHelper;
     private IsolatedDTestClassLoaderWrapper classLoaderWrapper;
 
     static
@@ -146,7 +156,7 @@ public abstract class SharedClusterIntegrationTestBase
     }
 
     @BeforeAll
-    protected void setup() throws InterruptedException
+    protected void setup() throws Exception
     {
         Optional<TestVersion> maybeTestVersion = TestVersionSupplier.testVersions().findFirst();
         assertThat(maybeTestVersion).isPresent();
@@ -161,6 +171,7 @@ protected void setup() throws InterruptedException
         assertThat(cluster).isNotNull();
         afterClusterProvisioned();
         initializeSchemaForTest();
+        mtlsTestHelper = new MtlsTestHelper(secretsPath);
         startSidecar(cluster);
         beforeTestStart();
     }
@@ -306,7 +317,8 @@ protected void createTestTable(QualifiedName name, String createTableStatement)
     protected void startSidecar(ICluster<? extends IInstance> cluster) throws InterruptedException
     {
         VertxTestContext context = new VertxTestContext();
-        injector = Guice.createInjector(Modules.override(new MainModule()).with(new IntegrationTestModule(cluster, classLoaderWrapper)));
+        AbstractModule testModule = new IntegrationTestModule(cluster, classLoaderWrapper, mtlsTestHelper);
+        injector = Guice.createInjector(Modules.override(new MainModule()).with(testModule));
         dnsResolver = injector.getInstance(DnsResolver.class);
         vertx = injector.getInstance(Vertx.class);
         server = injector.getInstance(Server.class);
@@ -455,13 +467,18 @@ public static Cluster createDriverCluster(ICluster<? extends IInstance> dtest)
 
     static class IntegrationTestModule extends AbstractModule
     {
+        private static final Logger LOGGER = LoggerFactory.getLogger(IntegrationTestModule.class);
         private final ICluster<? extends IInstance> cluster;
         private final IsolatedDTestClassLoaderWrapper wrapper;
+        private final MtlsTestHelper mtlsTestHelper;
 
-        IntegrationTestModule(ICluster<? extends IInstance> cluster, IsolatedDTestClassLoaderWrapper wrapper)
+        IntegrationTestModule(ICluster<? extends IInstance> cluster,
+                              IsolatedDTestClassLoaderWrapper wrapper,
+                              MtlsTestHelper mtlsTestHelper)
         {
             this.cluster = cluster;
             this.wrapper = wrapper;
+            this.mtlsTestHelper = mtlsTestHelper;
         }
 
         @Provides
@@ -500,8 +517,39 @@ public SidecarConfiguration sidecarConfiguration()
                                                                 .host("0.0.0.0") // binds to all interfaces, potential security issue if left running for long
                                                                 .port(0) // let the test find an available port
                                                                 .build();
+
+
+            SslConfiguration sslConfiguration = null;
+            if (mtlsTestHelper.isEnabled())
+            {
+                LOGGER.info("Enabling test mTLS certificate/keystore.");
+
+                KeyStoreConfiguration truststoreConfiguration =
+                new KeyStoreConfigurationImpl(mtlsTestHelper.trustStorePath(),
+                                              mtlsTestHelper.trustStorePassword(),
+                                              mtlsTestHelper.trustStoreType(),
+                                              -1);
+
+                KeyStoreConfiguration keyStoreConfiguration =
+                new KeyStoreConfigurationImpl(mtlsTestHelper.serverKeyStorePath(),
+                                              mtlsTestHelper.serverKeyStorePassword(),
+                                              mtlsTestHelper.serverKeyStoreType(),
+                                              -1);
+
+                sslConfiguration = SslConfigurationImpl.builder()
+                                                       .enabled(true)
+                                                       .keystore(keyStoreConfiguration)
+                                                       .truststore(truststoreConfiguration)
+                                                       .build();
+            }
+            else
+            {
+                LOGGER.info("Not enabling mTLS for testing purposes. Set '{}' to 'true' if you would " +
+                            "like mTLS enabled.", CASSANDRA_INTEGRATION_TEST_ENABLE_MTLS);
+            }
             return SidecarConfigurationImpl.builder()
                                            .serviceConfiguration(conf)
+                                           .sslConfiguration(sslConfiguration)
                                            .build();
         }