用于EagleEye3.0 规则集漏报和误报测试的示例项目,项目收集于github和gitee
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

313 lines
8.8 KiB

# Want to skip this test from daily Valgrind execution
--source include/no_valgrind_without_big.inc
# Save the initial number of concurrent sessions
--source include/count_sessions.inc
# The SSL library may fail initializing during this one
call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
--echo # Check if ssl is on
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
--echo ################## FR1.1 and FR 1.4: ALTER INSTANCE RELOAD TLS
ALTER INSTANCE RELOAD TLS;
--echo # Check if ssl is still turned on after reload
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
--echo # FR1.1: check if old sessions continue
connect (ssl_con,localhost,root,,,,,SSL);
SET @must_be_present= 'present';
connection default;
ALTER INSTANCE RELOAD TLS;
connection ssl_con;
--echo # Success criteria: value must be present
SELECT @must_be_present;
connection default;
disconnect ssl_con;
--echo # cleanup
# Wait until all sessions are disconnected
--source include/wait_until_count_sessions.inc
--echo ################## FR 1.2: check if new sessions get the new vals
--echo # Save the defaults
let $orig_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
SET @orig_ssl_cipher = @@global.ssl_cipher;
SET @orig_tls_version = @@global.tls_version;
--echo # in ssl_con
connect (ssl_con,localhost,root,,,,,SSL);
--echo # check if the session has the original values
--replace_result $orig_cipher orig_cipher
SHOW STATUS LIKE 'Ssl_cipher';
--echo # in default connection
connection default;
--echo # setting new values for ssl_cipher
SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
SET GLOBAL tls_version = "TLSv1.2";
ALTER INSTANCE RELOAD TLS;
--echo # in ssl_new_con
connect (ssl_new_con,localhost,root,,,,,SSL);
--echo # Save the new defaults
let $new_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
--echo # Check if the old and the new not afters differ
let $the_same=`SELECT "$new_cipher" = "$orig_cipher"`;
if ($the_same == 1)
{
die the not-after values must be different;
}
--echo # in ssl_con
connection ssl_con;
--echo # the con session must have the original values
--replace_result $orig_cipher orig_cipher;
SHOW STATUS LIKE 'Ssl_cipher';
--echo # cleanup
--echo # in default connection
connection default;
disconnect ssl_con;
disconnect ssl_new_con;
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_version = @orig_tls_version;
ALTER INSTANCE RELOAD TLS;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
--echo ################## FR 1.5: new values effective only after RELOAD TLS
--echo # Save the defaults
let $orig_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
SET @orig_ssl_cipher = @@global.ssl_cipher;
--echo # setting new values for ssl_cipher
SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
--echo # in ssl_con
connect (ssl_con,localhost,root,,,,,SSL);
let $new_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
--echo # Check if the old and the new not afters differ
let $the_same=`SELECT "$new_cipher" = "$orig_cipher"`;
if ($the_same == 0)
{
die the old non-after must still be active;
}
--echo # cleanup
--echo # in default connection
connection default;
disconnect ssl_con;
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
--echo ################## FR 1.7: CONNECTION_ADMIN will be required to execute
--echo # ALTER INSTANCE RELOAD TLS
CREATE USER test_connection_admin@localhost;
--echo # in ssl_con
connect (ssl_con,localhost,test_connection_admin,,,,,SSL);
--echo # Must fail
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER INSTANCE RELOAD TLS;
--echo # in default connection
connection default;
GRANT SUPER ON *.* TO test_connection_admin@localhost;
--echo # in ssl_con
connection ssl_con;
--echo # Must fail
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER INSTANCE RELOAD TLS;
--echo # in default connection
connection default;
REVOKE SUPER ON *.* FROM test_connection_admin@localhost;
GRANT CONNECTION_ADMIN ON *.* TO test_connection_admin@localhost;
--echo # in ssl_con
connection ssl_con;
--echo # Must pass
ALTER INSTANCE RELOAD TLS;
--echo # cleanup
--echo # in default connection
connection default;
disconnect ssl_con;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
DROP USER test_connection_admin@localhost;
--echo ################## FR 1.8 and 1.9: disable SSL on wrong values
--echo # Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
--echo # Seet CA to invalid value
SET GLOBAL ssl_ca = 'gizmo';
--echo # Must fail and not change the SSL params
--error ER_DA_SSL_LIBRARY_ERROR
ALTER INSTANCE RELOAD TLS;
--echo # Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = @orig_ssl_ca;
--echo # Must return gizmo
SELECT @@global.ssl_ca;
--echo # Must connect successfully
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
--echo # Must pass with a warning and disable SSL
ALTER INSTANCE RELOAD TLS NO ROLLBACK ON ERROR;
--echo # Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = 'gizmo';
--echo # Must fail to connect
--error 1
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
--echo # cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
--echo # FR 1.9: Must connect successfully
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
--echo ################## FR2 and FR6: --ssl-* variables settable at runtime.
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_ssl_capath= @@global.ssl_capath;
SET @orig_ssl_crl= @@global.ssl_crl;
SET @orig_ssl_crlpath= @@global.ssl_crlpath;
SET @orig_ssl_cipher= @@global.ssl_cipher;
SET @orig_tls_cipher= @@global.tls_ciphersuites;
SET @orig_tls_version= @@global.tls_version;
--echo # Must pass
SET GLOBAL ssl_ca = 'gizmo';
SET GLOBAL ssl_cert = 'gizmo';
SET GLOBAL ssl_key = 'gizmo';
SET GLOBAL ssl_capath = 'gizmo';
SET GLOBAL ssl_crl = 'gizmo';
SET GLOBAL ssl_crlpath = 'gizmo';
SET GLOBAL ssl_cipher = 'gizmo';
SET GLOBAL tls_ciphersuites = 'gizmo';
SET GLOBAL tls_version = 'gizmo';
--echo # Must fail
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_ca = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_cert = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_key = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_capath = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_crl = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_crlpath = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_cipher = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION tls_ciphersuites = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION tls_version = 'gizmo';
--echo # FR6: Must return 9
SELECT VARIABLE_NAME FROM performance_schema.session_status WHERE
VARIABLE_NAME IN
('Current_tls_ca', 'Current_tls_capath', 'Current_tls_cert',
'Current_tls_key', 'Current_tls_version', 'Current_tls_cipher',
'Current_tls_ciphersuites', 'Current_tls_crl', 'Current_tls_crlpath') AND
VARIABLE_VALUE != 'gizmo'
ORDER BY VARIABLE_NAME;
--echo # cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_capath = @orig_ssl_capath;
SET GLOBAL ssl_crl = @orig_ssl_crl;
SET GLOBAL ssl_crlpath = @orig_ssl_crlpath;
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_ciphersuites = @orig_tls_ciphersuites;
SET GLOBAL tls_version = @orig_tls_version;
--echo ################## FR8: X plugin do not follow
--echo # Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_mysqlx_ssl_ca= @@global.mysqlx_ssl_ca;
SET @orig_mysqlx_ssl_cert= @@global.mysqlx_ssl_cert;
SET @orig_mysqlx_ssl_key= @@global.mysqlx_ssl_key;
--echo # setting new values for ssl_cert, ssl_key and ssl_ca
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
eval SET GLOBAL ssl_cert = "$MYSQL_TEST_DIR/std_data/server-cert-sha512.pem";
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
eval SET GLOBAL ssl_key = "$MYSQL_TEST_DIR/std_data/server-key-sha512.pem";
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
eval SET GLOBAL ssl_ca = "$MYSQL_TEST_DIR/std_data/ca-sha512.pem";
ALTER INSTANCE RELOAD TLS;
--echo # Check that X variables match the initial ones
--vertical_results
SELECT @@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca,
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert,
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key;
--echo # cleanup
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
--echo ################## End of dynamic SSL tests