Use client certs in backup and restore

suhlig · valeriap · commit eb34d2652173 · 2018-11-07T16:09:19.000+01:00
[#160846440]

Signed-off-by: Valeria Perticara &lt;vperticara@it.ibm.com&gt;
Signed-off-by: Steffen Uhlig &lt;Steffen.Uhlig@de.ibm.com&gt;
diff --git a/jobs/bbr-postgres-db/spec b/jobs/bbr-postgres-db/spec
@@ -9,6 +9,8 @@ templates:
   restore.sh.erb: bin/bbr/restore
   pgpass.erb: config/pgpass
   ca_cert.erb: config/ca_cert
+  client_certificate.erb: config/client_certificate
+  client_certificate_key.erb: config/client_certificate_key
 
 packages:
   - postgres-common
@@ -28,3 +30,9 @@ properties:
   postgres.ssl_verify_hostname:
     default: true
     description: "If postgres is configured with a ca, setting this to 'true' changes sslmode to 'verify-full' rather than 'verify-ca'."
+  postgres.client_certificate:
+    default: ''
+    description: "Client certificate. Specify it if you want to auhtenticate using certificates."
+  postgres.client_certificate_key:
+    default: ''
+    description: "Secret key used for the client certificate. Specify it if you want to auhtenticate using certificates."
diff --git a/jobs/bbr-postgres-db/templates/backup.sh.erb b/jobs/bbr-postgres-db/templates/backup.sh.erb
@@ -1,32 +1,22 @@
 #!/bin/bash
-<%
-sslmode = "prefer"
-if link("database").p("databases.tls.ca") != ''
-  if p("postgres.ssl_verify_hostname")
-    sslmode = "verify-full"
-  else
-    sslmode = "verify-ca"
-  end
-end
-%>
 set -euo pipefail
-source /var/vcap/jobs/bbr-postgres-db/config/config.sh
-
-readonly PGPASSFILE="$(mktemp pgpass.XXXX)"
-readonly PGSSLMODE="<%=sslmode%>"
-readonly PGSSLROOTCERT="${JOB_DIR}/config/ca_cert"
-export PGPASSFILE
-export PGSSLMODE
-export PGSSLROOTCERT
 
 doCleanup() {
   rm ${PGPASSFILE}
+<% if p("postgres.client_certificate") != "" %>
+  rm ${PGSSLKEY}
+<% end %>
 }
 
 trap doCleanup EXIT
 
-cp $JOB_DIR/config/pgpass ${PGPASSFILE}
-chmod 0600 ${PGPASSFILE}
+source /var/vcap/jobs/bbr-postgres-db/config/config.sh
+
+export_as_private_temp_file "$JOB_DIR/config/pgpass" PGPASSFILE
+
+<% if p("postgres.client_certificate") != "" %>
+export_as_private_temp_file "$JOB_DIR/config/client_certificate_key" PGSSLKEY
+<% end %>
 
 for dbname in ${DATABASES[@]}; do
   BBR_ARTIFACT_FILE_PATH="${BBR_ARTIFACT_DIRECTORY}/postgres_${dbname}.sql"
diff --git a/jobs/bbr-postgres-db/templates/client_certificate.erb b/jobs/bbr-postgres-db/templates/client_certificate.erb
@@ -0,0 +1 @@
+<%=p("postgres.client_certificate")%>
diff --git a/jobs/bbr-postgres-db/templates/client_certificate_key.erb b/jobs/bbr-postgres-db/templates/client_certificate_key.erb
@@ -0,0 +1 @@
+<%=p("postgres.client_certificate_key")%>
diff --git a/jobs/bbr-postgres-db/templates/config.sh.erb b/jobs/bbr-postgres-db/templates/config.sh.erb
@@ -5,6 +5,14 @@ if_link("database") do |data|
   if p("postgres.dbuser") != "vcap"
     dbhost = data.address
   end
+end
+sslmode = "prefer"
+if link("database").p("databases.tls.ca") != ''
+  if p("postgres.ssl_verify_hostname")
+    sslmode = "verify-full"
+  else
+    sslmode = "verify-ca"
+  end
 end
  %>
 current_version="9.6.10"
@@ -13,3 +21,22 @@ PACKAGE_DIR="/var/vcap/packages/postgres-${current_version}"
 PORT="<%= link("database").p("databases.port") %>"
 DATABASES=(<%= link("database").p("databases.databases", []).map{|d| d["name"]}.join(' ')%>)
 DBHOST=<%= dbhost %>
+
+readonly PGSSLMODE="<%=sslmode%>"
+readonly PGSSLROOTCERT="${JOB_DIR}/config/ca_cert"
+export PGSSLMODE
+export PGSSLROOTCERT
+<% if p("postgres.client_certificate") != "" %>
+readonly PGSSLCERT="${JOB_DIR}/config/client_certificate"
+export PGSSLCERT
+<% end %>
+
+export_as_private_temp_file() {
+  local source=$1
+  local target=$2
+
+  local readonly PGENVVAR="$(mktemp pgenv.XXXX)"
+  cp $source ${PGENVVAR}
+  chmod 0600 ${PGENVVAR}
+  eval "export $target=$PGENVVAR"
+}
diff --git a/jobs/bbr-postgres-db/templates/pgpass.erb b/jobs/bbr-postgres-db/templates/pgpass.erb
@@ -4,8 +4,8 @@
   link("database").if_p("databases.roles") do |roles|
     roles.each do |role|
       if role["name"] == dbuser
-        if role["password"].to_s.empty?
-          raise "Password is required for postgres.dbuser '#{dbuser}'"
+        if role["password"].to_s.empty? and p("postgres.client_certificate") == ""
+          raise "Password or client certificate is required for postgres.dbuser '#{dbuser}'"
         end
         password = role["password"].to_s
       end
diff --git a/jobs/bbr-postgres-db/templates/restore.sh.erb b/jobs/bbr-postgres-db/templates/restore.sh.erb
@@ -1,36 +1,27 @@
 #!/bin/bash
 set -euo pipefail
-source /var/vcap/jobs/bbr-postgres-db/config/config.sh
-<%
-sslmode = "prefer"
-if link("database").p("databases.tls.ca") != ''
-  if p("postgres.ssl_verify_hostname")
-    sslmode = "verify-full"
-  else
-    sslmode = "verify-ca"
-  end
-end
-%>
-
-readonly TMP_LIST_FILE="$(mktemp restore.postgres.XXXX)"
-readonly PGPASSFILE="$(mktemp pgpass.XXXX)"
-readonly PGSSLMODE="<%=sslmode%>"
-readonly PGSSLROOTCERT="${JOB_DIR}/config/ca_cert"
-export PGPASSFILE
-export PGSSLMODE
-export PGSSLROOTCERT
 
 doCleanup() {
   rm ${PGPASSFILE}
+<% if p("postgres.client_certificate") != "" %>
+  rm ${PGSSLKEY}
+<% end %>
   if [ -f "${TMP_LIST_FILE}" ]; then
     rm "${TMP_LIST_FILE}"
   fi
 }
 
 trap doCleanup EXIT
 
-cp $JOB_DIR/config/pgpass ${PGPASSFILE}
-chmod 0600 ${PGPASSFILE}
+source /var/vcap/jobs/bbr-postgres-db/config/config.sh
+
+readonly TMP_LIST_FILE="$(mktemp restore.postgres.XXXX)"
+
+export_as_private_temp_file "$JOB_DIR/config/pgpass" PGPASSFILE
+
+<% if p("postgres.client_certificate") != "" %>
+export_as_private_temp_file "$JOB_DIR/config/client_certificate_key" PGSSLKEY
+<% end %>
 
 for dbname in ${DATABASES[@]}; do
   BBR_ARTIFACT_FILE_PATH="${BBR_ARTIFACT_DIRECTORY}/postgres_${dbname}.sql"
diff --git a/src/acceptance-tests/deploy/backup_test.go b/src/acceptance-tests/deploy/backup_test.go
@@ -169,6 +169,14 @@ var _ = Describe("Backup and restore a deployment", func() {
 
 				It("Successfully backup and restore the database", AssertBackupRestoreSuccessful())
 			})
+
+			Context("With SSL authentication", func() {
+				BeforeEach(func() {
+					deployHelper.SetOpDefs(helpers.Define_bbr_client_certs())
+				})
+
+				It("Successfully backup and restore the database", AssertBackupRestoreSuccessful())
+			})
 		})
 	})
 })
diff --git a/src/acceptance-tests/testing/helpers/op_defs_utilities.go b/src/acceptance-tests/testing/helpers/op_defs_utilities.go
@@ -50,16 +50,10 @@ func Define_bbr_not_colocated_ops() []OpDefinition {
 
 func Define_bbr_ssl_verify_full() []OpDefinition {
 	var ops []OpDefinition
-	var value interface{}
-	var path string
 
 	ops = Define_bbr_not_colocated_ops()
 	ops = append(ops, Define_ssl_ops()...)
 
-	path = "/instance_groups/name=backup/jobs/name=bbr-postgres-db/properties/postgres?/ca"
-	value = "((postgres_cert.ca))"
-	AddOpDefinition(&ops, "replace", path, value)
-
 	return ops
 }
 
@@ -77,6 +71,51 @@ func Define_bbr_ssl_verify_ca() []OpDefinition {
 	return ops
 }
 
+func Define_bbr_client_certs() []OpDefinition {
+	var ops []OpDefinition
+	var value interface{}
+	var path string
+
+	bbruser := "bbruser"
+
+	ops = Define_bbr_not_colocated_ops()
+	ops = append(ops, Define_mutual_ssl_ops()...)
+
+	path = "/instance_groups/name=backup/jobs/name=bbr-postgres-db/properties/postgres?/client_certificate"
+	value = "((bbr_user_certs.certificate))"
+	AddOpDefinition(&ops, "replace", path, value)
+
+	path = "/instance_groups/name=backup/jobs/name=bbr-postgres-db/properties/postgres?/client_certificate_key"
+	value = "((bbr_user_certs.private_key))"
+	AddOpDefinition(&ops, "replace", path, value)
+
+	path = "/variables?/name=bbr_user_certs?"
+	value = map[interface{}]interface{}{
+		"name": "bbr_user_certs",
+		"type": "certificate",
+		"options": map[interface{}]interface{}{
+			"ca":                 "postgres_ca",
+			"common_name":        bbruser,
+			"alternative_names":  []interface{}{},
+			"extended_key_usage": []interface{}{"server_auth", "client_auth"},
+		},
+	}
+	AddOpDefinition(&ops, "replace", path, value)
+
+	path = "/instance_groups/name=postgres/jobs/name=postgres/properties/databases/roles?/name=bbruser?"
+	value = map[interface{}]interface{}{
+		"name":        bbruser,
+		"permissions": []interface{}{"SUPERUSER"},
+	}
+	AddOpDefinition(&ops, "replace", path, value)
+
+	path = "/instance_groups/name=backup/jobs/name=bbr-postgres-db/properties/postgres?/dbuser"
+	value = bbruser
+	AddOpDefinition(&ops, "replace", path, value)
+
+	return ops
+}
+
 func Define_upgrade_no_copy_ops() []OpDefinition {
 	var ops []OpDefinition
 	var value interface{}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<%=p("postgres.client_certificate_key")%>`