ssl: check no sensitive ssl data in logs

mrForza · mrForza · commit f6149a65e774 · 2025-10-07T12:22:51.000+03:00
The `safe_uri` function is used in vshard to get a purged uri. Before tarantool/tarantool#11810 patch sensitive ssl data may leaked into logs as `uri.format` function didn't handle ssl params of uri. Since ssl related problems occurred in large numbers of tarantool verions, we decided not to backport it. Vshard will work safely with ssl only on 3.5 or above versions. This patch add some tests which check that sensitive ssl data doesn't leak into logs of vshard storage and router. Also we move all ssl related testcases into the `router_2_2_ssl_test`. NO_DOC=bugfix Closes #593
diff --git a/test/router-luatest/router_2_2_ssl_test.lua b/test/router-luatest/router_2_2_ssl_test.lua
@@ -0,0 +1,151 @@
+local t = require('luatest')
+local vtest = require('test.luatest_helpers.vtest')
+local vutil = require('vshard.util')
+local fio = require('fio')
+
+local g = t.group('router_ssl')
+local cfg_template = {
+    sharding = {
+        {
+            replicas = {
+                replica_1_a = {
+                    master = true,
+                },
+                replica_1_b = {},
+            },
+        },
+        {
+            replicas = {
+                replica_2_a = {
+                    master = true,
+                },
+                replica_2_b = {},
+            },
+        },
+    },
+    bucket_count = 100,
+}
+local global_cfg = vtest.config_new(cfg_template)
+
+g.before_all(function()
+    t.run_only_if(vutil.feature.ssl)
+    vtest.cluster_new(g, global_cfg)
+    vtest.cluster_bootstrap(g, global_cfg)
+    vtest.cluster_rebalancer_disable(g)
+
+    local new_cfg_template = table.deepcopy(cfg_template)
+    new_cfg_template.sharding[1].is_ssl = true
+    local new_global_cfg = vtest.config_new(new_cfg_template)
+
+    g.router = vtest.router_new(g, 'router', new_global_cfg)
+    vtest.cluster_cfg(g, new_global_cfg)
+    vtest.router_cfg(g.router, new_global_cfg)
+
+    local cert_dir = fio.pathjoin(fio.cwd(), './test/certs')
+    g.sensitive_ssl_data = {
+        ssl_cert_file = fio.pathjoin(cert_dir, 'server.crt'),
+        ssl_key_file = fio.pathjoin(cert_dir, 'server.key'),
+        ssl_ca_file = fio.pathjoin(cert_dir, 'ca.crt'),
+        ssl_password = 'P4ssw0rd',
+        ssl_password_file = 'PATH_TO_PASSWORD_FILE',
+        ssl_ciphers = {'TLS_AES_256_GCM_SHA384', 'TLS_RSA_POLY1305_SHA256'}
+    }
+    vtest.cluster_wait_fullsync(g)
+end)
+
+g.after_all(function()
+    g.cluster:drop()
+end)
+
+local function callrw_get_uuid(bid, timeout)
+    timeout = timeout ~= nil and timeout or iwait_timeout
+    return ivshard.router.callrw(bid, 'get_uuid', {}, {timeout = timeout})
+end
+
+local function assert_no_sensitive_data_in_server_logs(server, sensitive_data)
+    assert(type(sensitive_data) == 'table')
+    for sensitive_key, sensitive_value in pairs(sensitive_data) do
+        t.assert_not(server:grep_log(sensitive_key))
+        if type(sensitive_value) == 'table' then
+            for _, sub_value in pairs(sensitive_value) do
+                t.assert_not(server:grep_log(sub_value))
+            end
+        else
+            t.assert_not(server:grep_log(sensitive_value))
+        end
+    end
+end
+
+g.test_no_ssl_sensitive_data_in_storage_logs = function(g)
+    assert_no_sensitive_data_in_server_logs(g.replica_1_a,
+                                            g.sensitive_ssl_data)
+end
+
+g.test_no_ssl_sensitive_data_in_router_logs = function(g)
+    local replica_1_a_uri = g.router:exec(function(replicaset_id, master_uuid)
+        local replicasets = ivshard.router.internal.static_router.replicasets
+        local replica_1_a = replicasets[replicaset_id].replicas[master_uuid]
+        return replica_1_a:safe_uri()
+    end, {g.replica_1_a:replicaset_uuid(), g.replica_1_a:instance_uuid()})
+
+    t.assert_not(string.match(replica_1_a_uri, 'password'))
+    for sensitive_key, _ in pairs(g.sensitive_ssl_data) do
+        t.assert_not(string.match(replica_1_a_uri, sensitive_key))
+    end
+    assert_no_sensitive_data_in_server_logs(g.router, g.sensitive_ssl_data)
+end
+
+g.test_ssl = function(g)
+    t.run_only_if(vutil.feature.ssl)
+
+    -- So as not to assume where buckets are located, find first bucket of the
+    -- first replicaset.
+    local bid1 = vtest.storage_first_bucket(g.replica_1_a)
+    local bid2 = vtest.storage_first_bucket(g.replica_2_a)
+
+    -- Enable SSL everywhere.
+    local new_cfg_template = table.deepcopy(cfg_template)
+    local sharding_templ = new_cfg_template.sharding
+    local rs_1_templ = sharding_templ[1]
+    local rs_2_templ = sharding_templ[2]
+    rs_1_templ.is_ssl = true
+    rs_2_templ.is_ssl = true
+
+    local new_global_cfg = vtest.config_new(new_cfg_template)
+    vtest.cluster_cfg(g, new_global_cfg)
+    vtest.router_cfg(g.router, new_global_cfg)
+
+    local rep_1_a_uuid = g.replica_1_a:instance_uuid()
+    local res, err = g.router:exec(callrw_get_uuid, {bid1})
+    t.assert_equals(err, nil)
+    t.assert_equals(res, rep_1_a_uuid, 'went to 1_a')
+
+    local rep_2_a_uuid = g.replica_2_a:instance_uuid()
+    res, err = g.router:exec(callrw_get_uuid, {bid2})
+    t.assert_equals(err, nil)
+    t.assert_equals(res, rep_2_a_uuid, 'went to 2_a')
+
+    -- Ensure that non-encrypted connection won't work.
+    rs_2_templ.is_ssl = nil
+    new_global_cfg = vtest.config_new(new_cfg_template)
+    vtest.router_cfg(g.router, new_global_cfg)
+
+    res, err = g.router:exec(callrw_get_uuid, {bid2, 0.01})
+    t.assert_equals(res, nil, 'rw failed on non-encrypted connection')
+    t.assert_covers(err, {code = box.error.NO_CONNECTION}, 'got error')
+
+    -- Works again when the replicaset also disables SSL.
+    vtest.cluster_cfg(g, new_global_cfg)
+
+    -- Force a reconnect right now instead of waiting until it happens
+    -- automatically.
+    vtest.router_disconnect(g.router)
+    res, err = g.router:exec(callrw_get_uuid, {bid2})
+    t.assert_equals(err, nil, 'no error')
+    t.assert_equals(res, rep_2_a_uuid, 'went to 2_a')
+
+    -- Restore everything back.
+    vtest.cluster_cfg(g, global_cfg)
+    vtest.router_cfg(g.router, global_cfg)
+    vtest.cluster_wait_fullsync(g)
+end
diff --git a/test/router-luatest/router_2_2_test.lua b/test/router-luatest/router_2_2_test.lua
@@ -334,61 +334,6 @@ g.test_multilisten = function(g)
     vtest.router_cfg(g.router, global_cfg)
 end
 
-g.test_ssl = function(g)
-    t.run_only_if(vutil.feature.ssl)
-
-    -- So as not to assume where buckets are located, find first bucket of the
-    -- first replicaset.
-    local bid1 = vtest.storage_first_bucket(g.replica_1_a)
-    local bid2 = vtest.storage_first_bucket(g.replica_2_a)
-
-    -- Enable SSL everywhere.
-    local new_cfg_template = table.deepcopy(cfg_template)
-    local sharding_templ = new_cfg_template.sharding
-    local rs_1_templ = sharding_templ[1]
-    local rs_2_templ = sharding_templ[2]
-    rs_1_templ.is_ssl = true
-    rs_2_templ.is_ssl = true
-
-    local new_global_cfg = vtest.config_new(new_cfg_template)
-    vtest.cluster_cfg(g, new_global_cfg)
-    vtest.router_cfg(g.router, new_global_cfg)
-
-    local rep_1_a_uuid = g.replica_1_a:instance_uuid()
-    local res, err = g.router:exec(callrw_get_uuid, {bid1})
-    t.assert_equals(err, nil)
-    t.assert_equals(res, rep_1_a_uuid, 'went to 1_a')
-
-    local rep_2_a_uuid = g.replica_2_a:instance_uuid()
-    res, err = g.router:exec(callrw_get_uuid, {bid2})
-    t.assert_equals(err, nil)
-    t.assert_equals(res, rep_2_a_uuid, 'went to 2_a')
-
-    -- Ensure that non-encrypted connection won't work.
-    rs_2_templ.is_ssl = nil
-    new_global_cfg = vtest.config_new(new_cfg_template)
-    vtest.router_cfg(g.router, new_global_cfg)
-
-    res, err = g.router:exec(callrw_get_uuid, {bid2, 0.01})
-    t.assert_equals(res, nil, 'rw failed on non-encrypted connection')
-    t.assert_covers(err, {code = box.error.NO_CONNECTION}, 'got error')
-
-    -- Works again when the replicaset also disables SSL.
-    vtest.cluster_cfg(g, new_global_cfg)
-
-    -- Force a reconnect right now instead of waiting until it happens
-    -- automatically.
-    vtest.router_disconnect(g.router)
-    res, err = g.router:exec(callrw_get_uuid, {bid2})
-    t.assert_equals(err, nil, 'no error')
-    t.assert_equals(res, rep_2_a_uuid, 'went to 2_a')
-
-    -- Restore everything back.
-    vtest.cluster_cfg(g, global_cfg)
-    vtest.router_cfg(g.router, global_cfg)
-    vtest.cluster_wait_fullsync(g)
-end
-
 g.test_enable_disable = function(g)
     --
     -- gh-291: router enable/disable
