grafana/pkg/tsdb/postgres/tlsmanager_test.go

package postgres

import (
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
	"sync"
	"testing"

	"github.com/grafana/grafana/pkg/components/securejsondata"
	"github.com/grafana/grafana/pkg/components/simplejson"
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	_ "github.com/lib/pq"
)

var writeCertFileCallNum int

// TestDataSourceCacheManager is to test the Cache manager
func TestDataSourceCacheManager(t *testing.T) {
	cfg := setting.NewCfg()
	cfg.DataPath = t.TempDir()
	mng := tlsManager{
		logger:          log.New("tsdb.postgres"),
		dsCacheInstance: datasourceCacheManager{locker: newLocker()},
		dataPath:        cfg.DataPath,
	}

	jsonData := simplejson.NewFromAny(map[string]interface{}{
		"sslmode":                "verify-full",
		"tlsConfigurationMethod": "file-content",
	})
	secureJSONData := securejsondata.GetEncryptedJsonData(map[string]string{
		"tlsClientCert": "I am client certification",
		"tlsClientKey":  "I am client key",
		"tlsCACert":     "I am CA certification",
	})

	mockValidateCertFilePaths()
	t.Cleanup(resetValidateCertFilePaths)

	t.Run("Check datasource cache creation", func(t *testing.T) {
		var wg sync.WaitGroup
		wg.Add(10)
		for id := int64(1); id <= 10; id++ {
			go func(id int64) {
				ds := &models.DataSource{
					Id:             id,
					Version:        1,
					Database:       "database",
					JsonData:       jsonData,
					SecureJsonData: secureJSONData,
					Uid:            "testData",
				}
				s := tlsSettings{}
				err := mng.writeCertFiles(ds, &s)
				require.NoError(t, err)
				wg.Done()
			}(id)
		}
		wg.Wait()

		t.Run("check cache creation is succeed", func(t *testing.T) {
			for id := int64(1); id <= 10; id++ {
				version, ok := mng.dsCacheInstance.cache.Load(strconv.Itoa(int(id)))
				require.True(t, ok)
				require.Equal(t, int(1), version)
			}
		})
	})

	t.Run("Check datasource cache modification", func(t *testing.T) {
		t.Run("check when version not changed, cache and files are not updated", func(t *testing.T) {
			mockWriteCertFile()
			t.Cleanup(resetWriteCertFile)
			var wg1 sync.WaitGroup
			wg1.Add(5)
			for id := int64(1); id <= 5; id++ {
				go func(id int64) {
					ds := &models.DataSource{
						Id:             1,
						Version:        2,
						Database:       "database",
						JsonData:       jsonData,
						SecureJsonData: secureJSONData,
						Uid:            "testData",
					}
					s := tlsSettings{}
					err := mng.writeCertFiles(ds, &s)
					require.NoError(t, err)
					wg1.Done()
				}(id)
			}
			wg1.Wait()
			assert.Equal(t, writeCertFileCallNum, 3)
		})

		t.Run("cache is updated with the last datasource version", func(t *testing.T) {
			dsV2 := &models.DataSource{
				Id:             1,
				Version:        2,
				Database:       "database",
				JsonData:       jsonData,
				SecureJsonData: secureJSONData,
				Uid:            "testData",
			}
			dsV3 := &models.DataSource{
				Id:             1,
				Version:        3,
				Database:       "database",
				JsonData:       jsonData,
				SecureJsonData: secureJSONData,
				Uid:            "testData",
			}
			s := tlsSettings{}
			err := mng.writeCertFiles(dsV2, &s)
			require.NoError(t, err)
			err = mng.writeCertFiles(dsV3, &s)
			require.NoError(t, err)
			version, ok := mng.dsCacheInstance.cache.Load("1")
			require.True(t, ok)
			require.Equal(t, int(3), version)
		})
	})
}

// Test getFileName

func TestGetFileName(t *testing.T) {
	testCases := []struct {
		desc                  string
		datadir               string
		fileType              certFileType
		expErr                string
		expectedGeneratedPath string
	}{
		{
			desc:                  "Get File Name for root certification",
			datadir:               ".",
			fileType:              rootCert,
			expectedGeneratedPath: "root.crt",
		},
		{
			desc:                  "Get File Name for client certification",
			datadir:               ".",
			fileType:              clientCert,
			expectedGeneratedPath: "client.crt",
		},
		{
			desc:                  "Get File Name for client certification",
			datadir:               ".",
			fileType:              clientKey,
			expectedGeneratedPath: "client.key",
		},
	}
	for _, tt := range testCases {
		t.Run(tt.desc, func(t *testing.T) {
			generatedPath := getFileName(tt.datadir, tt.fileType)
			assert.Equal(t, tt.expectedGeneratedPath, generatedPath)
		})
	}
}

// Test getTLSSettings.
func TestGetTLSSettings(t *testing.T) {
	cfg := setting.NewCfg()
	cfg.DataPath = t.TempDir()

	mockValidateCertFilePaths()
	t.Cleanup(resetValidateCertFilePaths)
	testCases := []struct {
		desc           string
		expErr         string
		jsonData       map[string]interface{}
		secureJSONData map[string]string
		uid            string
		tlsSettings    tlsSettings
		version        int
	}{
		{
			desc:    "Custom TLS authentication disabled",
			version: 1,
			jsonData: map[string]interface{}{
				"sslmode":                "disable",
				"sslRootCertFile":        "i/am/coding/ca.crt",
				"sslCertFile":            "i/am/coding/client.crt",
				"sslKeyFile":             "i/am/coding/client.key",
				"tlsConfigurationMethod": "file-path",
			},
			tlsSettings: tlsSettings{Mode: "disable"},
		},
		{
			desc:    "Custom TLS authentication with file path",
			version: 2,
			jsonData: map[string]interface{}{
				"sslmode":                "verify-full",
				"sslRootCertFile":        "i/am/coding/ca.crt",
				"sslCertFile":            "i/am/coding/client.crt",
				"sslKeyFile":             "i/am/coding/client.key",
				"tlsConfigurationMethod": "file-path",
			},
			tlsSettings: tlsSettings{
				Mode:                "verify-full",
				ConfigurationMethod: "file-path",
				RootCertFile:        "i/am/coding/ca.crt",
				CertFile:            "i/am/coding/client.crt",
				CertKeyFile:         "i/am/coding/client.key",
			},
		},
		{
			desc:    "Custom TLS mode verify-full with certificate files content",
			version: 3,
			uid:     "xxx",
			jsonData: map[string]interface{}{
				"sslmode":                "verify-full",
				"tlsConfigurationMethod": "file-content",
			},
			secureJSONData: map[string]string{
				"tlsCACert":     "I am CA certification",
				"tlsClientCert": "I am client certification",
				"tlsClientKey":  "I am client key",
			},
			tlsSettings: tlsSettings{
				Mode:                "verify-full",
				ConfigurationMethod: "file-content",
				RootCertFile:        filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "root.crt"),
				CertFile:            filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.crt"),
				CertKeyFile:         filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.key"),
			},
		},
	}
	for _, tt := range testCases {
		t.Run(tt.desc, func(t *testing.T) {
			var settings tlsSettings
			var err error
			mng := tlsManager{
				logger:          log.New("tsdb.postgres"),
				dsCacheInstance: datasourceCacheManager{locker: newLocker()},
				dataPath:        cfg.DataPath,
			}

			jsonData := simplejson.NewFromAny(tt.jsonData)
			ds := &models.DataSource{
				JsonData:       jsonData,
				SecureJsonData: securejsondata.GetEncryptedJsonData(tt.secureJSONData),
				Uid:            tt.uid,
				Version:        tt.version,
			}

			settings, err = mng.getTLSSettings(ds)

			if tt.expErr == "" {
				require.NoError(t, err, tt.desc)
				assert.Equal(t, tt.tlsSettings, settings)
			} else {
				require.Error(t, err, tt.desc)
				assert.True(t, strings.HasPrefix(err.Error(), tt.expErr),
					fmt.Sprintf("%s: %q doesn't start with %q", tt.desc, err, tt.expErr))
			}
		})
	}
}

func mockValidateCertFilePaths() {
	validateCertFunc = func(rootCert, clientCert, clientKey string) error {
		return nil
	}
}

func resetValidateCertFilePaths() {
	validateCertFunc = validateCertFilePaths
}

func mockWriteCertFile() {
	writeCertFileCallNum = 0
	writeCertFileFunc = func(ds *models.DataSource, logger log.Logger, fileContent string, generatedFilePath string) error {
		writeCertFileCallNum++
		return nil
	}
}

func resetWriteCertFile() {
	writeCertFileCallNum = 0
	writeCertFileFunc = writeCertFile
}
Postgres: allow providing TLS/SSL certificates as text in addition to file paths (#30353) * postgres SSL certification * add back the UI to configure SSL Authentication files by file path * add backend logic * correct unittest * mini changes * Update public/app/plugins/datasource/postgres/config_ctrl.ts Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Update public/app/plugins/datasource/postgres/partials/config.html Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * mutex * check file exist before remove * change permission * change default configuremethod to file-path * Update public/app/plugins/datasource/postgres/partials/config.html Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Update public/app/plugins/datasource/postgres/partials/config.html Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Update public/app/plugins/datasource/postgres/partials/config.html Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Update public/app/plugins/datasource/postgres/partials/config.html Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * rename sslconfiguremethod to sslconfigurationmethod * frontend update * solve comments * Postgres: Convert tests to stdlib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Postgres: Be consistent about TLS/SSL terminology Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * fix init inconsistancy * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * naming convention * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo change Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix TLS issue Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * change permissions * Fix data source field names Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Clean up HTML Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve popover text Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SSL input bug Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo unnecessary change Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Clean up backend code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * More consistent naming Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Clean up code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Enforce certificate file permissions Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * add settings * Undo changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * fix windows file path * PostgresDataSource: Fix mutex usage Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Update pkg/tsdb/postgres/postgres.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Apply suggestions from code review Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * fix compilation * fix unittest * Apply suggestions from code review Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Apply suggestions from code review Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * mock function * change kmutex package * add kmutex into middleware * lock connection file per datasource * add unittest regarding concurrency * version should be equal * adding unittest * fix the loop * fix unitest * fix postgres unittst * remove comments * move dataPath from arg to tlsManager struct field * Use DecryptedValues method Use cached decrypted values instead of using secure json data decrypt which will decrypt unchanged values over and over again. * remove unneeded mutex in tests and cleanup tests * fix the lint Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2021-02-24 05:10:55 +08:00			`package postgres`

			`import (`
			`"fmt"`
			`"path/filepath"`
			`"strconv"`
			`"strings"`
			`"sync"`
			`"testing"`

			`"github.com/grafana/grafana/pkg/components/securejsondata"`
			`"github.com/grafana/grafana/pkg/components/simplejson"`
			`"github.com/grafana/grafana/pkg/infra/log"`
			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`_ "github.com/lib/pq"`
			`)`

			`var writeCertFileCallNum int`

			`// TestDataSourceCacheManager is to test the Cache manager`
			`func TestDataSourceCacheManager(t *testing.T) {`
			`cfg := setting.NewCfg()`
			`cfg.DataPath = t.TempDir()`
			`mng := tlsManager{`
			`logger: log.New("tsdb.postgres"),`
			`dsCacheInstance: datasourceCacheManager{locker: newLocker()},`
			`dataPath: cfg.DataPath,`
			`}`

			`jsonData := simplejson.NewFromAny(map[string]interface{}{`
			`"sslmode": "verify-full",`
			`"tlsConfigurationMethod": "file-content",`
			`})`
			`secureJSONData := securejsondata.GetEncryptedJsonData(map[string]string{`
			`"tlsClientCert": "I am client certification",`
			`"tlsClientKey": "I am client key",`
			`"tlsCACert": "I am CA certification",`
			`})`

			`mockValidateCertFilePaths()`
			`t.Cleanup(resetValidateCertFilePaths)`

			`t.Run("Check datasource cache creation", func(t *testing.T) {`
			`var wg sync.WaitGroup`
			`wg.Add(10)`
			`for id := int64(1); id <= 10; id++ {`
			`go func(id int64) {`
			`ds := &models.DataSource{`
			`Id: id,`
			`Version: 1,`
			`Database: "database",`
			`JsonData: jsonData,`
			`SecureJsonData: secureJSONData,`
			`Uid: "testData",`
			`}`
			`s := tlsSettings{}`
			`err := mng.writeCertFiles(ds, &s)`
			`require.NoError(t, err)`
			`wg.Done()`
			`}(id)`
			`}`
			`wg.Wait()`

			`t.Run("check cache creation is succeed", func(t *testing.T) {`
			`for id := int64(1); id <= 10; id++ {`
			`version, ok := mng.dsCacheInstance.cache.Load(strconv.Itoa(int(id)))`
			`require.True(t, ok)`
			`require.Equal(t, int(1), version)`
			`}`
			`})`
			`})`

			`t.Run("Check datasource cache modification", func(t *testing.T) {`
			`t.Run("check when version not changed, cache and files are not updated", func(t *testing.T) {`
			`mockWriteCertFile()`
			`t.Cleanup(resetWriteCertFile)`
			`var wg1 sync.WaitGroup`
			`wg1.Add(5)`
			`for id := int64(1); id <= 5; id++ {`
			`go func(id int64) {`
			`ds := &models.DataSource{`
			`Id: 1,`
			`Version: 2,`
			`Database: "database",`
			`JsonData: jsonData,`
			`SecureJsonData: secureJSONData,`
			`Uid: "testData",`
			`}`
			`s := tlsSettings{}`
			`err := mng.writeCertFiles(ds, &s)`
			`require.NoError(t, err)`
			`wg1.Done()`
			`}(id)`
			`}`
			`wg1.Wait()`
			`assert.Equal(t, writeCertFileCallNum, 3)`
			`})`

			`t.Run("cache is updated with the last datasource version", func(t *testing.T) {`
			`dsV2 := &models.DataSource{`
			`Id: 1,`
			`Version: 2,`
			`Database: "database",`
			`JsonData: jsonData,`
			`SecureJsonData: secureJSONData,`
			`Uid: "testData",`
			`}`
			`dsV3 := &models.DataSource{`
			`Id: 1,`
			`Version: 3,`
			`Database: "database",`
			`JsonData: jsonData,`
			`SecureJsonData: secureJSONData,`
			`Uid: "testData",`
			`}`
			`s := tlsSettings{}`
			`err := mng.writeCertFiles(dsV2, &s)`
			`require.NoError(t, err)`
			`err = mng.writeCertFiles(dsV3, &s)`
			`require.NoError(t, err)`
			`version, ok := mng.dsCacheInstance.cache.Load("1")`
			`require.True(t, ok)`
			`require.Equal(t, int(3), version)`
			`})`
			`})`
			`}`

			`// Test getFileName`

			`func TestGetFileName(t *testing.T) {`
			`testCases := []struct {`
			`desc string`
			`datadir string`
			`fileType certFileType`
			`expErr string`
			`expectedGeneratedPath string`
			`}{`
			`{`
			`desc: "Get File Name for root certification",`
			`datadir: ".",`
			`fileType: rootCert,`
			`expectedGeneratedPath: "root.crt",`
			`},`
			`{`
			`desc: "Get File Name for client certification",`
			`datadir: ".",`
			`fileType: clientCert,`
			`expectedGeneratedPath: "client.crt",`
			`},`
			`{`
			`desc: "Get File Name for client certification",`
			`datadir: ".",`
			`fileType: clientKey,`
			`expectedGeneratedPath: "client.key",`
			`},`
			`}`
			`for _, tt := range testCases {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`generatedPath := getFileName(tt.datadir, tt.fileType)`
			`assert.Equal(t, tt.expectedGeneratedPath, generatedPath)`
			`})`
			`}`
			`}`

			`// Test getTLSSettings.`
			`func TestGetTLSSettings(t *testing.T) {`
			`cfg := setting.NewCfg()`
			`cfg.DataPath = t.TempDir()`

			`mockValidateCertFilePaths()`
			`t.Cleanup(resetValidateCertFilePaths)`
			`testCases := []struct {`
			`desc string`
			`expErr string`
			`jsonData map[string]interface{}`
			`secureJSONData map[string]string`
			`uid string`
			`tlsSettings tlsSettings`
			`version int`
			`}{`
			`{`
			`desc: "Custom TLS authentication disabled",`
			`version: 1,`
			`jsonData: map[string]interface{}{`
			`"sslmode": "disable",`
			`"sslRootCertFile": "i/am/coding/ca.crt",`
			`"sslCertFile": "i/am/coding/client.crt",`
			`"sslKeyFile": "i/am/coding/client.key",`
			`"tlsConfigurationMethod": "file-path",`
			`},`
			`tlsSettings: tlsSettings{Mode: "disable"},`
			`},`
			`{`
			`desc: "Custom TLS authentication with file path",`
			`version: 2,`
			`jsonData: map[string]interface{}{`
			`"sslmode": "verify-full",`
			`"sslRootCertFile": "i/am/coding/ca.crt",`
			`"sslCertFile": "i/am/coding/client.crt",`
			`"sslKeyFile": "i/am/coding/client.key",`
			`"tlsConfigurationMethod": "file-path",`
			`},`
			`tlsSettings: tlsSettings{`
			`Mode: "verify-full",`
			`ConfigurationMethod: "file-path",`
			`RootCertFile: "i/am/coding/ca.crt",`
			`CertFile: "i/am/coding/client.crt",`
			`CertKeyFile: "i/am/coding/client.key",`
			`},`
			`},`
			`{`
			`desc: "Custom TLS mode verify-full with certificate files content",`
			`version: 3,`
			`uid: "xxx",`
			`jsonData: map[string]interface{}{`
			`"sslmode": "verify-full",`
			`"tlsConfigurationMethod": "file-content",`
			`},`
			`secureJSONData: map[string]string{`
			`"tlsCACert": "I am CA certification",`
			`"tlsClientCert": "I am client certification",`
			`"tlsClientKey": "I am client key",`
			`},`
			`tlsSettings: tlsSettings{`
			`Mode: "verify-full",`
			`ConfigurationMethod: "file-content",`
			`RootCertFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "root.crt"),`
			`CertFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.crt"),`
			`CertKeyFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.key"),`
			`},`
			`},`
			`}`
			`for _, tt := range testCases {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`var settings tlsSettings`
			`var err error`
			`mng := tlsManager{`
			`logger: log.New("tsdb.postgres"),`
			`dsCacheInstance: datasourceCacheManager{locker: newLocker()},`
			`dataPath: cfg.DataPath,`
			`}`

			`jsonData := simplejson.NewFromAny(tt.jsonData)`
			`ds := &models.DataSource{`
			`JsonData: jsonData,`
			`SecureJsonData: securejsondata.GetEncryptedJsonData(tt.secureJSONData),`
			`Uid: tt.uid,`
			`Version: tt.version,`
			`}`

			`settings, err = mng.getTLSSettings(ds)`

			`if tt.expErr == "" {`
			`require.NoError(t, err, tt.desc)`
			`assert.Equal(t, tt.tlsSettings, settings)`
			`} else {`
			`require.Error(t, err, tt.desc)`
			`assert.True(t, strings.HasPrefix(err.Error(), tt.expErr),`
			`fmt.Sprintf("%s: %q doesn't start with %q", tt.desc, err, tt.expErr))`
			`}`
			`})`
			`}`
			`}`

			`func mockValidateCertFilePaths() {`
			`validateCertFunc = func(rootCert, clientCert, clientKey string) error {`
			`return nil`
			`}`
			`}`

			`func resetValidateCertFilePaths() {`
			`validateCertFunc = validateCertFilePaths`
			`}`

			`func mockWriteCertFile() {`
			`writeCertFileCallNum = 0`
			`writeCertFileFunc = func(ds *models.DataSource, logger log.Logger, fileContent string, generatedFilePath string) error {`
			`writeCertFileCallNum++`
			`return nil`
			`}`
			`}`

			`func resetWriteCertFile() {`
			`writeCertFileCallNum = 0`
			`writeCertFileFunc = writeCertFile`
			`}`