Attempt to get CI to use TLS configuration

.github/files/mutual_auth_client_cert_chain.pem

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIDBDCCAeygAwIBAgICFsAwDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UEAwwNTmV0
+dHlUZXN0Um9vdDAeFw0yNDAxMTYxMzM2NTBaFw0yOTAxMTQxMzM2NTBaMCAxHjAc
+BgNVBAMMFU5ldHR5VGVzdEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMVRThUi0F77gRWM3QBEUQG6UGy6OGcOhZ5HQeCGYB0cD1+2
+n1GHqsCSPachOCFT39Se2a4qhhdO+1o2WbhMVa4GsENZz1h1yRH5d4xn1tlL3a2j
+XB3pyZSdKzaGQF6OykztbiNFAwlfVuxebXDR8GP2MPuTu5WYyhqQKTZHQBAFfzlw
+jArdgEPCiAl7JV85JjKRX0znJEjuGOw2obYGIZrxmaQtnHOhMT/A5bjNnBeuR9jD
+VAuPFuTVaFD2xlEihWl1jbEi0HZFc6fXa1X1v1DJO4UkIFjAAMT4U0mMnRsNOX5x
+CjHapOZQWcm7G36ore6WMuJ66nbYFwi7MlGpsXMCAwEAAaNQME4wHQYDVR0OBBYE
+FKEzFFwds2LCU9zGeWNUsa3pTbM5MB8GA1UdIwQYMBaAFDCbp1amIi20zngZHGGt
+8nLev3WBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEkhB70bZ32o
+Yqi8Qo7GbCpLscv2gs1fC5xVp44/2vlsXDe9wQFDC455OS0D1ywy3IYFjLU1qhxC
+Ga3TnXDNjkEuKSCCCbM3k95W1F6etSjQjOTy8iwj/0NAvd13dzeR0nCXfyli1J3g
+6EOpttmtEa0GWBQmy86jSkhHkgDIJspyMvpz6dVlEbUdm1mmkSbp8pkBEIiYRrLq
+3U5C3Ex8MAVO5uTcMScVMxH59tx60mxxX8SXE1sif62ilqJ9f39FsCSRS7p5GZjK
+pz4QO72A2qiZPW87I5TlFTtqILVelA4hV6GQPQ1699RdAvW9wIfEHAYZ8V3+VeeO
+CuuzRHkJseU=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIURmIlqqwfzoAzJ7oOMgG1nQ1kc/YwDQYJKoZIhvcNAQEN
+BQAwGDEWMBQGA1UEAwwNTmV0dHlUZXN0Um9vdDAgFw0yNDAxMTYxMzM2NDdaGA8y
+MTIzMTIyMzEzMzY0N1owGDEWMBQGA1UEAwwNTmV0dHlUZXN0Um9vdDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALHasZdmGMznTvhIGhj3PhWuObU3ISL8
+BLQtlu292K2N9+Ne5QO2/uB7pwrM1L/sFfxtXm71zUulySNpuMy9gSPdI9EpXH+u
+GA58DSsNlvQYTgQb4HkWIszKZdVW0ggdM0RRidOJkzy8EH5Q6GlpyTcUjh/ghC2P
+GvpO3pKapMVoCC1xiAgBJn3UjD8EhpZT6Y09+cyNy64sLcDMb6sj0ZrP9GQPyhdD
+/R+Ly1A429vZY8KWmDOz+B4Aiqw+rRGxSnhDUirHU/avVIJfmnsqq/dTRofiSOkK
+g/CDnMtetuVLZ4dljmPMHxAZTaHwsOoCrYUuZj6DuFzLp9nwVkCOEMsCAwEAAaNT
+MFEwHQYDVR0OBBYEFDCbp1amIi20zngZHGGt8nLev3WBMB8GA1UdIwQYMBaAFDCb
+p1amIi20zngZHGGt8nLev3WBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
+BQADggEBADPJZ5LdZ9fe/SPsm6oai4aS7snlhuTam7IAkUveGCJY6D8O++xlK25M
+2QsJ2n5lCOrH4gLtYndF2wbGUOJrNkPpQ5aH3WRXw2xWkjUiXc+SudnAhbq7du7Z
+ht2+u1/L3mEGaMkq35/xcCK5N6hFCUiAspaO+Jt/12vdbedoDK/gMd8K+yCHVzed
+SHX8vHJZQIBxHI8Dv0x0kex/YLg/sxy8ClXhP1yWgzBr1uL6oZK6PVl7S7Kt9NJB
+MipDXVBi6aTMqTyhi2HEhh1deE4zj9MGDCT5wB4ovuABgi1M0T5tTQf3+9ky6d0F
+6nxh6zboWnduCrbQwQPWSL9XowIce30=
+-----END CERTIFICATE-----

.github/files/mutual_auth_server.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgICctMwDQYJKoZIhvcNAQENBQAwGDEWMBQGA1UEAwwNTmV0
+dHlUZXN0Um9vdDAgFw0yNDAxMTYxMzM2NDdaGA8yMTIzMTIyMzEzMzY0N1owGjEY
+MBYGA1UEAwwPTmV0dHlUZXN0U2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAyBipKawBrkMAlBboZQor9gsWampDF2g1aLr/lIb/QQp/RHr4tloo
+nW6LqN07RSyOETkjZQKNcLohzfTvajf7QbUH0SPXzQLD6MTSpKd7bbSE12MqeDzx
+unJqwVhc0Yr9Zi032oV9JFE0hfyTJzG32NF7FYQnl2zZJnEda/KLXM1PS1kDy3pf
+jXqO0W1VS0EglMMIp8Am+PvLR9GfOWKvyekdJ2Z2K4AcZG1Oz+fhf8JF0qzyTJ3O
+ea2U9FckFacjHm/hEr+vDkSE/NNGyEtLLNrlH6yUW3+k1kzo4a1cOH86l/Q52Fo/
+TqoVGTmgcCKux51COLWa9kwrJS6IfJ8YZwIDAQABo0IwQDAdBgNVHQ4EFgQU64F1
+7IWqSMG7S+M69WwRkX1VmZMwHwYDVR0jBBgwFoAUMJunVqYiLbTOeBkcYa3yct6/
+dYEwDQYJKoZIhvcNAQENBQADggEBAH23rwZo7I4Epxf2yweXByfuFG/JHrxLt7h2
+0dun/88ZnUyKzLbBBzWvsULocA1/9XZb38UmOBJS9w73jUn/UGLbvmZ2uBDoUwrU
+zF6aq7IxEc7bysnDp3wq5c8fJVuZydyHcWo72NG8b0NaDOBbISUP+ICVdEG5Rx5Z
+LnmFmHb3Rh+ITvbPwHfWcfDwZYStbZKLG75JnrUMp7wjv3lPewzerXztiEJmO86R
+PDOJnh3rHN4JavJtcghmO2KVGOcuc4TEaL9r3niJiicseXFPRwr0nQWmDkuHMY0W
+zMbfD5SoKWlSineEZ+nRrBu3xOH3fAxfijrGpf251Fk95tvwIyI=
+-----END CERTIFICATE-----

.github/files/mutual_auth_server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIGKkprAGuQwCU
+FuhlCiv2CxZqakMXaDVouv+Uhv9BCn9Eevi2Wiidbouo3TtFLI4ROSNlAo1wuiHN
+9O9qN/tBtQfRI9fNAsPoxNKkp3tttITXYyp4PPG6cmrBWFzRiv1mLTfahX0kUTSF
+/JMnMbfY0XsVhCeXbNkmcR1r8otczU9LWQPLel+Neo7RbVVLQSCUwwinwCb4+8tH
+0Z85Yq/J6R0nZnYrgBxkbU7P5+F/wkXSrPJMnc55rZT0VyQVpyMeb+ESv68ORIT8
+00bIS0ss2uUfrJRbf6TWTOjhrVw4fzqX9DnYWj9OqhUZOaBwIq7HnUI4tZr2TCsl
+Loh8nxhnAgMBAAECggEACRwTpNcKOIx1Bp5IXu6TSR9WGkAo5R7pwjvejjzbJXM8
+j2STKtIjTo+NgixC74eeFtX6xjV936efCbO2AVL3zb+tJxiyUXNnxz12uDz7wecv
+CRNLCAWrnP5qh8+QYjspWtvXfXZdrSfuno782r2eY3DzYUEOqwvZ6FshU3HLuyIf
+zIakD1CgbrP1g9NxIn013RHkll5hYA+TbWgLyeaR3k91OKHX+DMqZrG49/WwV9yE
+BxRxLWRV4cFKV7DUfEFquM/AhBE4mcIClrpbWlfIQrvXjJEkcAmxUAogrJ0K3WJC
+jShOwvjorM01maVFJaAtvpYBfULoS+mN1Pp9oO3hSQKBgQDkFOOs5qRjIwWAHkba
+vecRvvfyO1Zqu9Ws67ZfxPGFB7zIfGSTWD6tfu3ZLWiUuVruvYyaMAuJWEzLRFk+
+xhWZkX4xHxYPJHm845dpAvbavfoTMJWMdKp41WBSUcrcerZiaTMyvV0g9BSu5CYS
+iZ+vYbs66gYO5Se5E8bfDMnE+wKBgQDgltTtl4coM/gOWLEUFW4phgxh7x5WsvUH
+BglbJPXG9Ef/qR07vUdx4gbTCqGYFtbj6nF19K/2TPMvBPoFBWNZmNu5D+ncSjyU
+nLajy6ONeabSwcGwBsvnajEyI/jaFM3a5HaAsHPs3y8P4DsY9p0/2rUXW5Q29+a4
+Q6gEb2OmhQKBgQCVJM/IlT1zkkgbgjDlAv8hjJYIMSMOQmu0WqJ0N42TZv7cvvLp
+ou/BddnEhTv43MgIi6xwevBgTHxTAwu0z8T6GbjCGEjNeBWfHdg5k/WmDkqD1+ZC
+5VtADo+g5NlZmWjAK3iOOmO2k8UepBP9VT81aRwMp1F01gZGsRb/bhZWlwKBgFNZ
+ZthuPei7sLmSTNWJRoL+jqXh2j6O18SthtdeliAqFHZbStAa5OLs4V99OI97GnEn
+VshR8OPVlwLCNA+c+kwMIK9DqqTooCb/KgEL2DzvAuyAn+M2AoJ1tKBJHVfCFMvB
+sgD8e2lTQuH/c69GBwHlpwNuJ0lnIycLZNWQiUkJAoGAHxmLyuFo9P0QyQH+PARl
+F5SJ2q8Gv0YyPnI0tnj9OixO6mkei0Zj30WZ3Hr/C3EKpfRFwfMAEOESsIKClKEh
+5chvL96tK4uY+in25EWaOPp/Xj1NIpdqatJMxcaiTfUXPfBoLL78t4IUxjG5gHIO
+276Mwu4AD3x8/RZPQfS007Y=
+-----END PRIVATE KEY-----

.github/scripts/run-tests.sh

@@ -118,8 +118,8 @@ case "${TEST_TYPE}" in
             # Stop CCM now so we can restart it with Management API
             ccm stop
             # Start Management API
-            MGMT_API_LOG_DIR=/tmp/log/cassandra1 bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db1.sock --host=unix:///tmp/mgmtapi1.sock --host=http://127.0.0.1:8080 --db-home=`dirname ~/.ccm/test/node1`/node1 &'
-            MGMT_API_LOG_DIR=/tmp/log/cassandra2 bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db2.sock --host=unix:///tmp/mgmtapi2.sock --host=http://127.0.0.2:8080 --db-home=`dirname ~/.ccm/test/node2`/node2 &'
+            MGMT_API_LOG_DIR=/tmp/log/cassandra1 MGMT_API_TLS_CA_CERT_FILE=./.github/files/mutual_auth_client_cert_chain.pem MGMT_API_TLS_CERT_FILE=./.github/files/mutual_auth_server.crt MGMT_API_TLS_KEY_FILE=./.github/files/mutual_auth_server.key bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db1.sock --host=unix:///tmp/mgmtapi1.sock --host=http://127.0.0.1:8080 --db-home=`dirname ~/.ccm/test/node1`/node1 &'
+            MGMT_API_LOG_DIR=/tmp/log/cassandra2 MGMT_API_TLS_CA_CERT_FILE=./.github/files/mutual_auth_client_cert_chain.pem MGMT_API_TLS_CERT_FILE=./.github/files/mutual_auth_server.crt MGMT_API_TLS_KEY_FILE=./.github/files/mutual_auth_server.key bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db2.sock --host=unix:///tmp/mgmtapi2.sock --host=http://127.0.0.2:8080 --db-home=`dirname ~/.ccm/test/node2`/node2 &'
             # wait for Cassandra to be ready
             for i in `seq 1 30` ; do
                 # keep curl from exiting with non-zero

src/server/src/test/java/io/cassandrareaper/acceptance/ReaperHttpIT.java

@@ -49,7 +49,7 @@ public class ReaperHttpIT {
 
   private static final Logger LOG = LoggerFactory.getLogger(ReaperCassandraIT.class);
   private static final List<ReaperTestJettyRunner> RUNNER_INSTANCES = new CopyOnWriteArrayList<>();
-  private static final String CASS_CONFIG_FILE = "cassandra-reaper-http-at.yaml";
+  private static final String CASS_CONFIG_FILE = "cassandra-reaper-https-at.yaml";
   private static final Random RAND = new Random(System.nanoTime());
   private static Thread GRIM_REAPER;
 

src/server/src/test/resources/cassandra-reaper-https-at.yaml

@@ -0,0 +1,98 @@
+# Copyright 2017-2017 Spotify AB
+# Copyright 2017-2019 The Last Pickle Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Reaper for Apache Cassandra Configuration for Acceptance Tests.
+#
+segmentCountPerNode: 16
+repairParallelism: SEQUENTIAL
+repairIntensity: 0.95
+scheduleDaysBetween: 7
+repairRunThreadCount: 15
+hangingRepairTimeoutMins: 1
+storageType: cassandra
+incrementalRepair: false
+blacklistTwcsTables: true
+jmxConnectionTimeoutInSeconds: 10
+datacenterAvailability: LOCAL
+percentRepairedCheckIntervalMinutes: 1
+
+logging:
+  level: WARN
+  appenders:
+    - type: console
+
+server:
+  type: default
+  applicationConnectors:
+    - type: http
+      port: 8083
+      bindHost: 127.0.0.1
+  adminConnectors:
+    - type: http
+      port: 8084
+      bindHost: 127.0.0.1
+
+jmxPorts:
+  127.0.0.1: 7100
+  127.0.0.2: 7200
+  127.0.0.3: 7300
+  127.0.0.4: 7400
+  127.0.0.5: 7500
+  127.0.0.6: 7600
+  127.0.0.7: 7700
+  127.0.0.8: 7800
+
+jmxCredentials:
+  "test cluster":
+    username: cassandra
+    password: cassandra
+  test:
+    username: cassandra
+    password: cassandrapassword
+
+cassandra:
+  clusterName: "test"
+  contactPoints: ["127.0.0.1"]
+  keyspace: reaper_db
+  socketOptions:
+    connectTimeoutMillis: 20000
+    readTimeoutMillis: 40000
+  loadBalancingPolicy:
+    type: tokenAware
+    shuffleReplicas: true
+    subPolicy:
+      type: dcAwareRoundRobin
+      localDC: dc1
+      usedHostsPerRemoteDC: 0
+      allowRemoteDCsForLocalConsistencyLevel: false
+  poolingOptions:
+    idleTimeout: 5s
+    local:
+      coreConnections: 1
+      maxConnections: 4
+      maxRequestsPerConnection: 16
+    remote:
+      coreConnections: 0
+      maxConnections: 0
+      maxRequestsPerConnection: 0
+
+cryptograph:
+  type: symmetric
+  systemPropertySecret: REAPER_ENCRYPTION_KEY
+
+httpManagement:
+  enabled: true
+  keystore: keystore.jks
+  trustStore: truststore.jks

src/server/src/test/resources/generate-certs.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Copied from management-api, modified for reaper to create JKS files also
+
+# Generate a new, self-signed root CA
+openssl req -extensions v3_ca -new -x509 -days 36500 -nodes -subj "/CN=NettyTestRoot" -newkey rsa:2048 -sha512 -out mutual_auth_ca.pem -keyout mutual_auth_ca.key
+
+# Generate a certificate/key for the server
+openssl req -new -keyout mutual_auth_server.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestServer" | \
+openssl x509 -req -CAkey mutual_auth_ca.key -CA mutual_auth_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_server.crt
+
+# Generate a valid intermediate CA which will be used to sign the client certificate
+openssl req -new -keyout mutual_auth_intermediate_ca.key -nodes -newkey rsa:2048 -out mutual_auth_intermediate_ca.key
+openssl req -new -sha512 -key mutual_auth_intermediate_ca.key -subj "/CN=NettyTestIntermediate" -out intermediate.csr
+openssl x509 -req -days 1825 -in intermediate.csr -extfile openssl.cnf -extensions v3_ca -CA mutual_auth_ca.pem -CAkey mutual_auth_ca.key -set_serial $RANDOM -out mutual_auth_intermediate_ca.pem
+
+# Generate a client certificate signed by the intermediate CA
+openssl req -new -keyout mutual_auth_client.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestClient/UID=Client" | \
+openssl x509 -req -CAkey mutual_auth_intermediate_ca.key -CA mutual_auth_intermediate_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_client.crt
+
+# Append
+cat mutual_auth_intermediate_ca.pem mutual_auth_ca.pem > mutual_auth_client_cert_chain.pem
+
+# Modify to PKCS12 and JKS for Reaper (use password changeit)
+openssl pkcs12 -export -out mutual_auth_client_cert_chain.pkcs12 -inkey mutual_auth_intermediate_ca.key -in mutual_auth_client_cert_chain.pem
+openssl pkcs12 -export -out mutual_auth_client.pkcs12 -inkey mutual_auth_client.key -in mutual_auth_client.crt
+
+# Use password changeit
+keytool -importkeystore -srckeystore mutual_auth_client_cert_chain.pkcs12 -srcstoretype pkcs12 -destkeystore truststore.jks -deststoretype JKS
+keytool -importkeystore -srckeystore mutual_auth_client.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

src/server/src/test/resources/openssl.cnf

@@ -0,0 +1,124 @@
+#
+# This OpenSSL configuration file is necessary to generate an Intermediate CA
+# which is capable of signing other certificates. The most important part is
+# the [ v3_ca ] profile and the "basicConstraints = CA:true" value
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+