Merge branch '2.2' into develop

2018-06-11 11:28:36 +03:00
parent c798a4ae36 1a24f0a956
commit 96ed651466
7 changed files with 871 additions and 603 deletions
--- a/maxctrl/package-lock.json
+++ b/maxctrl/package-lock.json
--- a/maxctrl/package.json
+++ b/maxctrl/package.json
@ -27,8 +27,8 @@
  "devDependencies": {
    "chai": "^3.5.0",
    "chai-as-promised": "^6.0.0",
-    "mocha": "^3.3.0",
+    "mocha": "^3.5.3",
-    "nyc": "^11.0.3",
+    "nyc": "^11.9.0",
    "strip-ansi": "^4.0.0"
  },
  "nyc": {
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -2046,7 +2046,7 @@ free_ssl_structure(SSL_LISTENER *ssl)
 * @param *error_count  An error count which may be incremented
 * @return SSL_LISTENER structure or NULL
 */
-SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
+SSL_LISTENER* make_ssl_structure(CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
 {
    char *ssl, *ssl_version, *ssl_cert, *ssl_key, *ssl_ca_cert, *ssl_cert_verify_depth;
    int local_errors = 0;
@ -2073,26 +2073,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
            new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page
            new_ssl->ssl_verify_peer_certificate = true;
-            if (ssl_version)
+            if (ssl_version && listener_set_ssl_version(new_ssl, ssl_version) != 0)
            {
-                if (listener_set_ssl_version(new_ssl, ssl_version) != 0)
+                MXS_ERROR("Unknown parameter value for 'ssl_version' for '%s': %s",
-                {
+                          obj->object, ssl_version);
-                    MXS_ERROR("Unknown parameter value for 'ssl_version' for"
+                local_errors++;
                              " service '%s': %s", obj->object, ssl_version);
                    local_errors++;
                }
            }
-            if (ssl_cert_verify_depth)
+            if (ssl_cert_verify_depth &&
                (new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth)) < 0)
            {
-                new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth);
+                MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth for '%s': %s",
-                if (new_ssl->ssl_cert_verify_depth < 0)
+                          obj->object, ssl_cert_verify_depth);
-                {
+                new_ssl->ssl_cert_verify_depth = 0;
-                    MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth"
+                local_errors++;
                              " for service '%s': %s", obj->object, ssl_cert_verify_depth);
                    new_ssl->ssl_cert_verify_depth = 0;
                    local_errors++;
                }
            }
            if (ssl_verify_peer_certificate)
@ -2101,7 +2095,7 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
                if (rv == -1)
                {
                    MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate"
-                              " for service '%s': %s", obj->object, ssl_verify_peer_certificate);
+                              " for '%s': %s", obj->object, ssl_verify_peer_certificate);
                    local_errors++;
                }
                else
@ -2112,53 +2106,49 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
            listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);
-            if (require_cert && new_ssl->ssl_cert == NULL)
+            if (require_cert)
            {
-                local_errors++;
+                if (new_ssl->ssl_cert == NULL)
-                MXS_ERROR("Server certificate missing for service '%s'."
+                {
-                          "Please provide the path to the server certificate by adding "
+                    local_errors++;
-                          "the ssl_cert=<path> parameter", obj->object);
+                    MXS_ERROR("Server certificate missing for listener '%s'."
                              "Please provide the path to the server certificate by adding "
                              "the ssl_cert=<path> parameter", obj->object);
                }
                else if (access(new_ssl->ssl_cert, F_OK) != 0)
                {
                    MXS_ERROR("Server certificate file for listener '%s' not found: %s",
                              obj->object, new_ssl->ssl_cert);
                    local_errors++;
                }
                if (new_ssl->ssl_key == NULL)
                {
                    local_errors++;
                    MXS_ERROR("Server private key missing for listener '%s'. "
                              "Please provide the path to the server certificate key by "
                              "adding the ssl_key=<path> parameter", obj->object);
                }
                else if (access(new_ssl->ssl_key, F_OK) != 0)
                {
                    MXS_ERROR("Server private key file for listener '%s' not found: %s",
                              obj->object, new_ssl->ssl_key);
                    local_errors++;
                }
            }
-            if (require_cert && new_ssl->ssl_ca_cert == NULL)
+            if (new_ssl->ssl_ca_cert == NULL)
            {
                local_errors++;
-                MXS_ERROR("CA Certificate missing for service '%s'."
+                MXS_ERROR("CA Certificate missing for '%s'."
                          "Please provide the path to the certificate authority "
                          "certificate by adding the ssl_ca_cert=<path> parameter",
                          obj->object);
            }
-
+            else if (access(new_ssl->ssl_ca_cert, F_OK) != 0)
            if (require_cert && new_ssl->ssl_key == NULL)
            {
-                local_errors++;
+                MXS_ERROR("Certificate authority file for '%s' not found: %s",
-                MXS_ERROR("Server private key missing for service '%s'. "
+                          obj->object, new_ssl->ssl_ca_cert);
                          "Please provide the path to the server certificate key by "
                          "adding the ssl_key=<path> parameter",
                          obj->object);
            }
            if (require_cert && access(new_ssl->ssl_ca_cert, F_OK) != 0)
            {
                MXS_ERROR("Certificate authority file for service '%s' not found: %s",
                          obj->object,
                          new_ssl->ssl_ca_cert);
                local_errors++;
            }
            if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0)
            {
                MXS_ERROR("Server certificate file for service '%s' not found: %s",
                          obj->object,
                          new_ssl->ssl_cert);
                local_errors++;
            }
            if (require_cert && access(new_ssl->ssl_key, F_OK) != 0)
            {
                MXS_ERROR("Server private key file for service '%s' not found: %s",
                          obj->object,
                          new_ssl->ssl_key);
                local_errors++;
            }
--- a/server/core/config_runtime.cc
+++ b/server/core/config_runtime.cc
@ -254,8 +254,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
    if (obj)
    {
        if (config_add_param(obj, CN_SSL, CN_REQUIRED) &&
-            config_add_param(obj, CN_SSL_KEY, key) &&
+            (!key || config_add_param(obj, CN_SSL_KEY, key)) &&
-            config_add_param(obj, CN_SSL_CERT, cert) &&
+            (!cert || config_add_param(obj, CN_SSL_CERT, cert)) &&
            config_add_param(obj, CN_SSL_CA_CERT, ca) &&
            (!version || config_add_param(obj, CN_SSL_VERSION, version)) &&
            (!depth || config_add_param(obj, CN_SSL_CERT_VERIFY_DEPTH, depth)) &&
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -337,6 +337,15 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
        ss_dassert(rsa_512 && rsa_1024);
        SSL_CTX_set_tmp_rsa_callback(ssl_listener->ctx, tmp_rsa_callback);
        ss_dassert(ssl_listener->ssl_ca_cert);
        /* Load the CA certificate into the SSL_CTX structure */
        if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
        {
            MXS_ERROR("Failed to set Certificate Authority file");
            return -1;
        }
        if (ssl_listener->ssl_cert && ssl_listener->ssl_key)
        {
            /** Load the server certificate */
@ -359,13 +368,6 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
                MXS_ERROR("Server SSL certificate and key do not match: %s", get_ssl_errors());
                return -1;
            }
            /* Load the RSA CA certificate into the SSL_CTX structure */
            if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
            {
                MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
                return -1;
            }
        }
        /* Set to require peer (client) certificate verification */
--- a/server/modules/routing/debugcli/debugcmd.cc
+++ b/server/modules/routing/debugcli/debugcmd.cc
@ -1435,9 +1435,9 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
        }
    }
-    if (enable || ssl_key || ssl_cert || ssl_ca)
+    if (enable || ssl_ca)
    {
-        if (enable && ssl_key && ssl_cert && ssl_ca)
+        if (enable && ssl_ca)
        {
            /** We have SSL parameters, try to process them */
            if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
@ -1450,7 +1450,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
        else
        {
            dcb_printf(dcb, "Error: SSL configuration requires the following parameters:\n"
-                       "ssl=required ssl_key=PATH ssl_cert=PATH ssl_ca_cert=PATH\n");
+                       "ssl=required ssl_ca_cert=PATH\n");
        }
    }
 }
--- a/test/docker-compose.yml
+++ b/test/docker-compose.yml
@ -1,7 +1,7 @@
 version: '2'
 services:
    server1:
-        image: mariadb:10.1
+        image: mariadb:10.2
        network_mode: "host"
        environment:
            MYSQL_ALLOW_EMPTY_PASSWORD: Y
@ -10,7 +10,7 @@ services:
        command: mysqld --log-bin=binlog --binlog-format=ROW --server-id=3000 --port=3000 --log-slave-updates
    server2:
-        image: mariadb:10.1
+        image: mariadb:10.2
        network_mode: "host"
        environment:
            MYSQL_ALLOW_EMPTY_PASSWORD: Y
@ -19,7 +19,7 @@ services:
        command: mysqld --log-bin=binlog --binlog-format=ROW --server-id=3001 --port=3001 --log-slave-updates
    server3:
-        image: mariadb:10.1
+        image: mariadb:10.2
        network_mode: "host"
        environment:
            MYSQL_ALLOW_EMPTY_PASSWORD: Y
@ -28,7 +28,7 @@ services:
        command: mysqld --log-bin=binlog --binlog-format=ROW --server-id=3002 --port=3002 --log-slave-updates
    server4:
-        image: mariadb:10.1
+        image: mariadb:10.2
        network_mode: "host"
        environment:
            MYSQL_ALLOW_EMPTY_PASSWORD: Y