Add support for 'prefer' TLS mode and make it default #135
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: [push, pull_request] | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
go-version: ['1.22', '1.21', '1.20', '1.19', '1.18'] | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v4 | |
- name: Set up Go ${{ matrix.go-version }} | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ matrix.go-version }} | |
- name: Set up a Keycloak docker container | |
timeout-minutes: 5 | |
run: | | |
docker network create -d bridge my-network | |
docker run -d -p 8080:8080 \ | |
--name keycloak --network my-network \ | |
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \ | |
quay.io/keycloak/keycloak:23.0.4 start-dev | |
docker container ls | |
- name: Set up a Vertica server docker container | |
timeout-minutes: 15 | |
run: | | |
docker run -d -p 5433:5433 -p 5444:5444 \ | |
--name vertica_docker --network my-network \ | |
opentext/vertica-ce:24.3.0-2 | |
echo "Vertica startup ..." | |
until docker exec vertica_docker test -f /data/vertica/VMart/agent_start.out; do \ | |
echo "..."; \ | |
sleep 3; \ | |
done; | |
echo "Vertica is up" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "\l" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "select version()" | |
- name: Generating certs | |
run: | | |
./resources/tests/genCerts.sh | |
- name: Configure Keycloak | |
run: | | |
echo "Wait for keycloak ready ..." | |
bash -c 'while true; do curl -s localhost:8080 &>/dev/null; ret=$?; [[ $ret -eq 0 ]] && break; echo "..."; sleep 3; done' | |
REALM="test" | |
USER="oauth_user" | |
PASSWORD="password" | |
CLIENT_ID="vertica" | |
CLIENT_SECRET="P9f8350QQIUhFfK1GF5sMhq4Dm3P6Sbs" | |
docker exec -i keycloak /bin/bash <<EOF | |
/opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin | |
/opt/keycloak/bin/kcadm.sh create realms -s realm=${REALM} -s enabled=true | |
/opt/keycloak/bin/kcadm.sh update realms/${REALM} -s accessTokenLifespan=3600 | |
/opt/keycloak/bin/kcadm.sh get realms/${REALM} | |
/opt/keycloak/bin/kcadm.sh create users -r ${REALM} -s username=${USER} -s enabled=true | |
/opt/keycloak/bin/kcadm.sh set-password -r ${REALM} --username ${USER} --new-password ${PASSWORD} | |
/opt/keycloak/bin/kcadm.sh get users -r ${REALM} | |
/opt/keycloak/bin/kcadm.sh create clients -r ${REALM} -s clientId=${CLIENT_ID} -s enabled=true \ | |
-s 'redirectUris=["/*"]' -s 'webOrigins=["/*"]' -s secret=${CLIENT_SECRET} -s directAccessGrantsEnabled=true -o | |
EOF | |
# Retrieving an Access Token | |
curl --location --request POST http://`hostname`:8080/realms/${REALM}/protocol/openid-connect/token \ | |
--header 'Content-Type: application/x-www-form-urlencoded' \ | |
--data-urlencode "username=${USER}" \ | |
--data-urlencode "password=${PASSWORD}" \ | |
--data-urlencode "client_id=${CLIENT_ID}" \ | |
--data-urlencode "client_secret=${CLIENT_SECRET}" \ | |
--data-urlencode 'grant_type=password' -o oauth.json | |
cat oauth.json | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["access_token"])' > access_token.txt | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "CREATE AUTHENTICATION v_oauth METHOD 'oauth' HOST '0.0.0.0/0';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER AUTHENTICATION v_oauth SET client_id = '${CLIENT_ID}';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER AUTHENTICATION v_oauth SET client_secret = '${CLIENT_SECRET}';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER AUTHENTICATION v_oauth SET discovery_url = 'http://`hostname`:8080/realms/${REALM}/.well-known/openid-configuration';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER AUTHENTICATION v_oauth SET introspect_url = 'http://`hostname`:8080/realms/${REALM}/protocol/openid-connect/token/introspect';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "SELECT * FROM client_auth WHERE auth_name='v_oauth';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "CREATE USER ${USER};" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "GRANT AUTHENTICATION v_oauth TO ${USER};" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "GRANT ALL ON SCHEMA PUBLIC TO ${USER};" | |
# A dbadmin-specific authentication record (connect remotely) is needed after setting up an OAuth user | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "CREATE AUTHENTICATION v_dbadmin_hash METHOD 'hash' HOST '0.0.0.0/0';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER AUTHENTICATION v_dbadmin_hash PRIORITY 10000;" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "GRANT AUTHENTICATION v_dbadmin_hash TO dbadmin;" | |
- name: Run tests without TLS | |
run: | | |
export VERTICA_TEST_OAUTH_ACCESS_TOKEN=`cat access_token.txt` | |
go test -v -race . -args --locator localhost:5433 --user dbadmin | |
go test -race . -args --locator localhost:5433 --user dbadmin --use_prepared_statements=0 | |
go test -race ./logger | |
- name: Turning on TLS in the database | |
run: | | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "CREATE CA CERTIFICATE root_ca AS '`cat ./resources/tests/ssl/rootCA.crt`';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "CREATE KEY server_key TYPE 'RSA' AS '`cat ./resources/tests/ssl/server.key`';" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "CREATE CERTIFICATE server AS '`cat ./resources/tests/ssl/server.crt`' KEY server_key;" | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER TLS CONFIGURATION server CERTIFICATE server TLSMODE 'ENABLE';" | |
- name: Testing with --tlsmode=server | |
run: | | |
export VERTICA_TEST_OAUTH_ACCESS_TOKEN=`cat access_token.txt` | |
go test -v -race . -args --locator localhost:5433 --user dbadmin --tlsmode=server | |
go test -race . -args --locator localhost:5433 --user dbadmin --tlsmode=server --use_prepared_statements=0 | |
- name: Setting SSLCa in the database | |
run: | | |
docker exec -u dbadmin vertica_docker /opt/vertica/bin/vsql -c "ALTER TLS CONFIGURATION server ADD CA CERTIFICATES root_ca TLSMODE 'VERIFY_CA';" | |
- name: Testing with --tlsmode=custom | |
run: | | |
export VERTICA_TEST_OAUTH_ACCESS_TOKEN=`cat access_token.txt` | |
go test -v -race . -args --locator localhost:5433 --user dbadmin --tlsmode=custom | |
go test -race . -args --locator localhost:5433 --user dbadmin --tlsmode=custom --use_prepared_statements=0 | |