Enable TLS tests (#197)

* minor panel update
* Add TLS test
* Fix script
* Fixup TLS ci/cd

.github/workflows/stress.yaml → .github/workflows/build-tls.yaml

@@ -1,28 +1,23 @@
-# Copyright 2022, 2024, Oracle Corporation and/or its affiliates.
+# Copyright 2024 Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl.
 
 # ---------------------------------------------------------------------------
-# Coherence CLI GitHub Actions Stress build
+# Coherence CLI GitHub Actions CI build TLS.
 # ---------------------------------------------------------------------------
-name: Stress
+name: CI - TLS
 
 on:
   workflow_dispatch:
-    inputs:
-      iterations:
-         description: 'Number of iterations'
-         required: true
-         default: '1000'
-  schedule:
-    # Every day at midnight
-    - cron: '0 0 * * *'
+  push:
+    branches-ignore:
+      - gh-pages
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
-#   Checkout the source, we need a depth of zero to fetch all the history otherwise
+#   Checkout the source, we need a depth of zero to fetch all of the history otherwise
 #   the copyright check cannot work out the date of the files from Git.
     steps:
     - uses: actions/checkout@v4
@@ -41,7 +36,7 @@ jobs:
         distribution: 'zulu'
 
     - name: Cache Go Modules
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-mods-${{ hashFiles('**/go.sum') }}
@@ -60,30 +55,25 @@ jobs:
       with:
         go-version: '1.20'
 
-    - name: Build Test Images
-      shell: bash
-      run: COHERENCE_BASE_IMAGE=gcr.io/distroless/java17 PROFILES=,executor COHERENCE_VERSION=24.03 make clean build-test-images
-
-    - name: Run Stress Test
+    - name: TLS Tests
       shell: bash
-      run:  |
-        make cohctl test-cohctl
-        make test-cluster-startup 
-        ITERS="${{ github.event.inputs.iterations }}"
-        if [ -z "$ITERS" ] ; then
-            ITERS=1000
-        fi
-        # Sleep for 20 seconds to allow management startup
-        sleep 20
-        ./scripts/run-stress-test.sh `pwd`/bin/cohctl $ITERS `pwd`/build/_output
-        ret=$?
-        make test-cluster-shutdown
-        exit $ret
+      run: |
+        export COHERENCE_TLS_CERTS_PATH=`pwd`/test/test_utils/certs/guardians-ca.crt
+        export COHERENCE_TLS_CLIENT_CERT=`pwd`/test/test_utils/certs/star-lord.crt
+        export COHERENCE_TLS_CLIENT_KEY=`pwd`/test/test_utils/certs/star-lord.key
+        COHERENCE_BASE_IMAGE=gcr.io/distroless/java17 COHERENCE_VERSION=24.03 PROFILES=,secure make clean certs build-test-images test-cluster-startup
+        echo "Sleeping 30..."
+        sleep 30
+        export PATH=`pwd`/bin:$PATH
+        make cohctl
+        cohctl set ignore-certs true
+        cohctl add cluster tls -u https://127.0.0.1:30000/management/coherence/cluster
+        cohctl get clusters
+        cohctl get members
+        cohctl remove cluster tls -y
 
     - uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: test-output
-        path: |
-          build/_output/stress.log
-          build/_output/config
+        path: build/_output/test-logs

Makefile

@@ -62,6 +62,7 @@ override PKG_DIR             := $(BINARIES_DIR)
 override INSTALLER_DIR       := ./installer
 override BUILD_SHARED        := $(CURRDIR)/test/test_utils/shared
 override ENV_FILE            := test/test_utils/.env
+override BUILD_CERTS         := $(CURRDIR)/test/test_utils/certs
 override COPYRIGHT_JAR       := glassfish-copyright-maven-plugin-2.4.jar
 
 # ----------------------------------------------------------------------------------------------------------------------
@@ -163,6 +164,8 @@ clean: ## Cleans the build
 	-rm -rf build/_output
 	-rm -rf bin
 	-rm -rf $(BUILD_SHARED)
+	-rm -rf $(BUILD_CERTS)
+	@mkdir -p $(BUILD_CERTS)
 ifeq ($(PROFILES),,commercial)
 	mvn -B -f java clean -DskipTests $(MAVEN_BUILD_OPTS) -P commercial
 else ifeq ($(PROFILES),,federation)
@@ -192,6 +195,12 @@ $(BUILD_PROPS):
 	@mkdir -p $(COVERAGE_DIR)
 	@mkdir -p $(BUILD_SHARED)
 
+
+.PHONY: certs
+certs: ## Generates certificates for TLS tests
+	@echo "Generating certs"
+	./scripts/keys.sh $(BUILD_CERTS)
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Build the Coherence CLI Test Image
 # ----------------------------------------------------------------------------------------------------------------------

docs/security/01_overview.adoc

@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
 
-    Copyright (c) 2021, 2023 Oracle and/or its affiliates.
+    Copyright (c) 2021, 2024 Oracle and/or its affiliates.
     Licensed under the Universal Permissive License v 1.0 as shown at
     https://oss.oracle.com/licenses/upl.
 
@@ -25,13 +25,54 @@ To enable basic authentication for Management over REST, please follow the instr
 {commercial-docs-base-url}/secure/securing-oracle-oracle-http-management-rest-server.html#GUID-816E45C4-2F52-4576-BC09-CF0B6E873CBA[basic authentication] section
 of the Coherence documentation.
 
-=== Enabling SSL Authentication
+=== Enabling TLS For Management over REST Access
 
-To enable SSL to provide authentication for Management over REST, please follow the instructions in the
+To enable TLS to provide authentication for Management over REST, please follow the instructions in the
 {commercial-docs-base-url}/secure/securing-oracle-oracle-http-management-rest-server.html#GUID-7FC70A65-FC2F-4CBE-8F7D-7CBC3CDAA10A[SSL authentication]
 section of the Coherence documentation.
 
-=== Working with secured REST endpoints
+
+=== Connecting to a TLS enabled cluster
+
+Once you have enabled TLS you can configure the following environment variables if you need to add client certificates or additional trust stores.
+
+[source,bash]
+----
+export COHERENCE_TLS_CLIENT_CERT=/path/to/client/certificate
+export COHERENCE_TLS_CLIENT_KEY=/path/path/to/client/key
+export COHERENCE_TLS_CERTS_PATH=/path/to/cert/to/be/added/for/trust
+----
+
+If you are connecting a cluster with self-signed certificates, you must set the following to ignore invalid certificates:
+
+[source,bash]
+----
+cohctl set ignore-certs true
+----
+
+Output:
+[source,bash]
+----
+Value is now set to true
+----
+
+NOTE: This is not recommended and should not be used for production systems.
+
+You can then add your cluster via specifying HTTPS as the protocol:
+
+[source,bash]
+----
+cohctl add cluster tls -u https://host:30000/management/coherence/cluster
+----
+
+You will receive the following message every time you run a command if you ignore certificate errors:
+
+[source,bash]
+----
+WARNING: SSL Certificate validation has been explicitly disabled
+----
+
+=== Working with basic authentication REST endpoints
 
 If you have enabled basic authentication for your Management over REST endpoint, or you are connecting to a WebLogic Server cluster, you must
 provide the `-U username` option on all `cohctl` commands.

java/pom.xml

@@ -66,6 +66,8 @@
 
     <com.sun.xml.bind.version>2.3.0</com.sun.xml.bind.version>
     <javax.activation.version>1.1.1</javax.activation.version>
+
+    <management.socket.provider></management.socket.provider>
   </properties>
 
   <dependencyManagement>
@@ -168,6 +170,17 @@
   </build>
 
   <profiles>
+    <!-- secure management over REST with tls -->
+    <profile>
+      <id>secure</id>
+      <properties>
+        <management.socket.provider>tls-files</management.socket.provider>
+        <coherence.security.key>/certs/star-lord.pem</coherence.security.key>
+        <coherence.security.cert>/certs/star-lord.crt</coherence.security.cert>
+        <coherence.security.ca.cert>/certs/guardians-ca.crt</coherence.security.ca.cert>
+      </properties>
+    </profile>
+
     <profile>
       <id>commercial</id>
       <properties>
@@ -255,6 +268,10 @@
                   <jvmFlag>-Dcoherence.metrics.http.port=9612</jvmFlag>
                   <jvmFlag>-Dcoherence.log.level=9</jvmFlag>
                   <jvmFlag>-Dcoherence.distributed.localstorage=true</jvmFlag>
+                  <jvmFlag>-Dcoherence.management.http.provider=${management.socket.provider}</jvmFlag>
+                  <jvmFlag>-Dcoherence.security.key=${coherence.security.key}</jvmFlag>
+                  <jvmFlag>-Dcoherence.security.cert=${coherence.security.cert}</jvmFlag>
+                  <jvmFlag>-Dcoherence.security.ca.cert=${coherence.security.ca.cert}</jvmFlag>
                   <jvmFlag>-Dcoherence.management.refresh.expiry=1s</jvmFlag>
                   <jvmFlag>-Dcoherence.cacheconfig=${coherence.cache.config}</jvmFlag>
                   <jvmFlag>-Dcoherence.override=${coherence.override}</jvmFlag>
@@ -295,6 +312,10 @@
                   <jvmFlag>-Dcoherence.metrics.http.port=9613</jvmFlag>
                   <jvmFlag>-Dcoherence.management.refresh.expiry=1s</jvmFlag>
                   <jvmFlag>-Dcoherence.distributed.localstorage=true</jvmFlag>
+                  <jvmFlag>-Dcoherence.management.http.provider=${management.socket.provider}</jvmFlag>
+                  <jvmFlag>-Dcoherence.security.key=${coherence.security.key}</jvmFlag>
+                  <jvmFlag>-Dcoherence.security.cert=${coherence.security.cert}</jvmFlag>
+                  <jvmFlag>-Dcoherence.security.ca.cert=${coherence.security.ca.cert}</jvmFlag>
                   <jvmFlag>-Dcoherence.cacheconfig=${coherence.cache.config}</jvmFlag>
                   <jvmFlag>-Dcoherence.override=${coherence.override}</jvmFlag>
                 </jvmFlags>

pkg/cmd/monitor_cluster.go

@@ -1158,7 +1158,7 @@ func drawContent(screen tcell.Screen, dataFetcher fetcher.Fetcher, panel panelIm
 		trimmedText = fmt.Sprintf("%v%s", string(tcell.RuneHLine), "(trimmed)")
 	}
 
-	drawBox(screen, x, y, x+w-1, y+h, tcell.StyleDefault, fmt.Sprintf("%s [%v]%s", parseTitle(title), string(code), trimmedText))
+	drawBox(screen, x, y, x+w-1, y+h, tcell.StyleDefault, fmt.Sprintf("%s[%v]%s", parseTitle(title), string(code), trimmedText))
 
 	for line := 1; line <= rows; line++ {
 		drawText(screen, x+1, y+line, x+w-1, y+h-1, tcell.StyleDefault, content[line-1])

pkg/fetcher/fetcher.go

@@ -75,6 +75,7 @@ type Fetcher interface {
 	GetType() string
 	IsWebLogicServer() bool
 	GetUsername() string
+	Init() error
 
 	// GetClusterDetailsJSON returns cluster details in raw json.
 	GetClusterDetailsJSON() ([]byte, error)
@@ -288,8 +289,9 @@ type Fetcher interface {
 // GetFetcherOrError returns a fetcher and error
 func GetFetcherOrError(connectionType, url, username, clusterName string) (Fetcher, error) {
 	if connectionType == HTTP {
-		return HTTPFetcher{URL: url, ConnectionType: connectionType, WebLogicServer: IsWebLogicServer(url),
-			Username: username, ClusterName: clusterName}, nil
+		f := HTTPFetcher{URL: url, ConnectionType: connectionType, WebLogicServer: IsWebLogicServer(url),
+			Username: username, ClusterName: clusterName}
+		return f, f.Init()
 	}
 
 	return nil, errors.New("invalid connection type of " + connectionType)