WL#15524 Patch #15 Visbility

Add functions and struct to MGM API:
  int ndb_mgm_has_tls()
  struct ndb_mgm_cert_table
  int ndb_mgm_list_certs()
  void ndb_mgm_cert_table_free()

Add a "list certs" request and reply to the management protocol.

In the management server's reply to the "get session" and
"list sessions" commands, add a row indicating whether a session
has TLS.

In the ndb_mgm client, add the "TLS INFO" command.
Test this command in a new MTR test, tls_info.

Change-Id: If91c730a743b55f2b6ed805caec45a2c19de23b5

Author: jdduncan

mysql-test/suite/ndb_tls/tls_info.cnf

@@ -0,0 +1,4 @@
+!include suite/ndb_tls/my.cnf
+
+[mysql_cluster]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active

mysql-test/suite/ndb_tls/tls_info.result

@@ -0,0 +1,3 @@
+SELECT 1;
+1
+1

mysql-test/suite/ndb_tls/tls_info.test

@@ -0,0 +1,20 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# The server is up
+#
+SELECT 1;
+
+# Run "TLS INFO" from the mgm client, but discard the output
+# (because the number of connections reported will vary with timing)
+--exec $NDB_MGM -e "TLS INFO" >> $NDB_TOOLS_OUTPUT
+
+# Also test the --test-tls option
+--exec $NDB_MGM --test-tls >> $NDB_TOOLS_OUTPUT
+
+# And test "TLS INFO" from a plaintext connection
+--exec $NDB_MGM --ndb-mgm-tls=deferred -e "TLS INFO" >> $NDB_TOOLS_OUTPUT
+
+# cleanup
+--remove_file $NDB_TOOLS_OUTPUT
+

mysql-test/suite/ndb_tls/tls_off_certs.result

@@ -1,8 +1,8 @@
 SELECT * FROM ndbinfo.certificates order by Node_id;
 Node_id	Name	Expires	Serial
-1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
-2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
-3	NDB Management Node Mar 2023	19-Apr-2024	20:70:03:B8:BE:5F:C7:FB:A8
+1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2:4A
+2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2:4A
+3	NDB Management Node Mar 2023	19-Apr-2024	20:70:03:B8:BE:5F:C7:FB:A8:3E
 SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
 WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
 node_id	remote_node_id	encrypted

mysql-test/suite/ndb_tls/tls_required.result

@@ -1,10 +1,10 @@
 SELECT * FROM ndbinfo.certificates order by Node_id;
 Node_id	Name	Expires	Serial
-1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
-2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
-3	NDB Management Node Mar 2023	19-Apr-2024	20:70:03:B8:BE:5F:C7:FB:A8
-51	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9
-52	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9
+1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2:4A
+2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2:4A
+3	NDB Management Node Mar 2023	19-Apr-2024	20:70:03:B8:BE:5F:C7:FB:A8:3E
+51	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9:06
+52	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9:06
 SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
 WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
 node_id	remote_node_id	encrypted

storage/ndb/include/mgmapi/mgmapi.h

@@ -1627,6 +1627,70 @@ extern "C" {
                           int retry_delay_in_seconds, int verbose,
                           int tls_req_level);
 
+  /**
+   * Check whether a connected handle is using TLS
+   *
+   * @param   handle        Management handle.
+   *
+   * @return                0  if handle is not using TLS.
+   *                        12 if handle is using TLS version 1.2
+   *                        13 if handle is using TLS version 1.3
+   */
+  int ndb_mgm_has_tls(NdbMgmHandle);
+
+  /**
+   * Struct ndb\_mgm\_cert\_table is a linked structure describing a
+   * TLS client session.
+   */
+  struct ndb_mgm_cert_table {
+    Uint64 session_id;
+    char * peer_address;
+    char * cert_serial;
+    char * cert_name;
+    char * cert_expires;
+    struct ndb_mgm_cert_table * next;
+  };
+
+  /**
+   * Query TLS certificates of connected MGM clients
+   *
+   * @param   handle        Management handle.
+   * @param   list          Address of pointer to ndb_mgm_cert_table (out)
+   *
+   * @return                The total number of linked decriptions, if positive.
+   *                        If zero, success, but no TLS connections to report.
+   *                        -1 on error.
+   *
+   * On return, list will be populated with a pointer to a table. The table
+   * should be freed after use by calling ndb\_mgm\_cert\_table\_free().
+   */
+  int ndb_mgm_list_certs(NdbMgmHandle, ndb_mgm_cert_table ** list);
+
+  /**
+   * Free a linked list of certificate descriptions.
+   */
+  void ndb_mgm_cert_table_free(ndb_mgm_cert_table ** list);
+
+  /**
+   * Struct ndb\_mgm\_tls\_stats stores TLS-related statistics from the server.
+   */
+  struct ndb_mgm_tls_stats {
+    Uint32 accepted;  // total client connections accepted
+    Uint32 upgraded;  // client connections upgraded to TLS
+    Uint32 current;   // total current open client sessions
+    Uint32 tls;       // current open client sessions using TLS
+    Uint32 authfail;  // total authorization failures
+  };
+
+  /**
+   * Query server TLS statistics
+   * @param   handle        Management handle
+   * @param   result        Pointer to structure that will hold result data
+   *
+   * @return  0 on success, -1 on error
+   */
+   int ndb_mgm_get_tls_stats(NdbMgmHandle handle, ndb_mgm_tls_stats * result);
+
 #ifdef __cplusplus
 }
 #endif

storage/ndb/include/mgmapi/mgmapi_debug.h

@@ -141,6 +141,7 @@ extern "C" {
     Uint32 nodeid;
     Uint32 parser_buffer_len;
     Uint32 parser_status;
+    Uint32 tls;
   };
 
   int ndb_mgm_get_session(NdbMgmHandle handle, Uint64 id,

storage/ndb/include/util/TlsKeyManager.hpp

@@ -41,7 +41,16 @@ class ClientAuthorization;
 
 class TlsKeyManager {
 public:
-  enum TlsVersion { Tls12, Tls13 };
+  struct cert_record {
+    static constexpr size_t SN_buf_len = 65;
+    static constexpr size_t CN_buf_len = 65;
+
+    char serial[SN_buf_len];
+    char name[CN_buf_len];
+    struct tm exp_tm;
+    time_t expires {0};
+    bool active {false};
+  };
 
   TlsKeyManager();
   ~TlsKeyManager();
@@ -64,9 +73,11 @@ class TlsKeyManager {
   /* Get SSL_CTX */
   struct ssl_ctx_st * ctx() const { return m_ctx; }
 
+  /* Certificate table routines */
   void cert_table_set(int node_id, struct x509_st *);
   void cert_table_clear(int node_id);
   bool iterate_cert_table(int & node_id, cert_table_entry *);
+  static void describe_cert(cert_record &, struct x509_st *);
 
   // Check replacement date of our own node certificate
   // pct should be a number between 0.0 and 1.0, where 0 represents the
@@ -141,14 +152,7 @@ class TlsKeyManager {
   PkiFile::PathName m_key_file, m_cert_file;
   char * m_path_string {nullptr};
   TlsSearchPath * m_search_path {nullptr};
-  static constexpr size_t SN_buf_len = 30;
-  static constexpr size_t CN_buf_len = 65;
-  struct private_cert_table_entry {
-    char serial[SN_buf_len];
-    char name[CN_buf_len];
-    time_t expires {0};
-    bool active {false};
-  } m_cert_table[MAX_NODES];
+  cert_record m_cert_table[MAX_NODES];
   NodeCertificate m_node_cert;
   NdbMutex m_cert_table_mutex;
   int m_error {0};
@@ -158,7 +162,7 @@ class TlsKeyManager {
 
   void init(const char *, int, Node::Type, UserType);
 
-  bool cert_table_get(const private_cert_table_entry &,
+  bool cert_table_get(const cert_record &,
                       cert_table_entry *) const;
   void free_path_strings();
 };

storage/ndb/src/common/util/TlsKeyManager.cpp

@@ -446,20 +446,25 @@ int TlsKeyManager::perform_client_host_auth(ClientAuthorization * auth) {
 /*
  * Certificate table routines
  */
+void TlsKeyManager::describe_cert(cert_record & entry,
+                                  struct x509_st * cert) {
+  SerialNumber::print(entry.serial, cert_record::SN_buf_len,
+                      X509_get0_serialNumber(cert));
+  Certificate::get_common_name(cert, entry.name, cert_record::CN_buf_len);
+  entry.expires = 0;
+  if(ASN1_TIME_to_tm(X509_get0_notAfter(cert), & entry.exp_tm))
+    entry.expires = mktime(& entry.exp_tm);
+}
+
 void TlsKeyManager::cert_table_set(int node_id, X509 * cert) {
   Guard mutex_guard(& m_cert_table_mutex);
-  struct tm expires;
   assert(node_id < MAX_NODES);
   if(node_id == 0) return; // Client certs do not go into table
 
   /* In the case of a multi-transporter, the entry may already be active */
-  struct private_cert_table_entry & entry = m_cert_table[node_id];
+  struct cert_record & entry = m_cert_table[node_id];
   if(! entry.active) {
-    SerialNumber::print(entry.serial, SN_buf_len, X509_get0_serialNumber(cert));
-    Certificate::get_common_name(cert, entry.name, CN_buf_len);
-    entry.expires = 0;
-    if(ASN1_TIME_to_tm(X509_get0_notAfter(cert), & expires))
-      entry.expires = mktime(& expires);
+    describe_cert(entry, cert);
     entry.active = true;
   }
 }
@@ -468,14 +473,14 @@ void TlsKeyManager::cert_table_clear(int node_id) {
   Guard mutex_guard(& m_cert_table_mutex);
   assert(node_id < MAX_NODES);
 
-  struct private_cert_table_entry & entry = m_cert_table[node_id];
+  struct cert_record & entry = m_cert_table[node_id];
   entry.serial[0] = '\0';
   entry.name[0] = '\0';
   entry.expires = 0;
   entry.active = false;
 }
 
-bool TlsKeyManager::cert_table_get(const private_cert_table_entry & row,
+bool TlsKeyManager::cert_table_get(const cert_record & row,
                                     cert_table_entry * client_row) const
 {
   assert(row.active);
@@ -492,7 +497,7 @@ bool TlsKeyManager::iterate_cert_table(int & node, cert_table_entry * client) {
   if(m_ctx) {
     while(node < MAX_NODES_ID) {
       node += 1;
-      const private_cert_table_entry & row = m_cert_table[node];
+      const cert_record & row = m_cert_table[node];
       if(row.active)
         return cert_table_get(row, client);
     }

storage/ndb/src/mgmapi/mgmapi.cpp

@@ -4014,6 +4014,7 @@ ndb_mgm_get_session(NdbMgmHandle handle, Uint64 id,
     MGM_ARG("id", Int, Mandatory, "Node ID"),
     MGM_ARG("m_stopSelf", Int, Optional, "m_stopSelf"),
     MGM_ARG("m_stop", Int, Optional, "stop session"),
+    MGM_ARG("tls", Int, Optional, "session is using TLS"),
     MGM_ARG("nodeid", Int, Optional, "allocated node id"),
     MGM_ARG("parser_buffer_len", Int, Optional, "waiting in buffer"),
     MGM_ARG("parser_status", Int, Optional, "parser status"),
@@ -4057,6 +4058,10 @@ ndb_mgm_get_session(NdbMgmHandle handle, Uint64 id,
       rlen+=sizeof(s->parser_status);
   }
 
+  /* tls is a late addition to the struct, so check length */
+  if(*len > rlen && prop->get("tls",&(s->tls)))
+    rlen+=sizeof(s->tls);
+
   *len= rlen;
   retval= 1;
 
@@ -4230,6 +4235,122 @@ ndb_socket_t _ndb_mgm_get_socket(NdbMgmHandle h)
   return h->socket.ndb_socket();
 }
 
+int ndb_mgm_has_tls(NdbMgmHandle h)
+{
+  return h->socket.has_tls() ? 1 : 0;
+}
+
+static ndb_mgm_cert_table * new_cert_table()
+{
+  ndb_mgm_cert_table * table = new ndb_mgm_cert_table;
+  table->session_id = 0;
+  table->peer_address = nullptr;
+  table->cert_serial = nullptr;
+  table->cert_name = nullptr;
+  table->cert_expires = nullptr;
+  table->next = nullptr;
+  return table;
+}
+
+int ndb_mgm_list_certs(NdbMgmHandle handle, ndb_mgm_cert_table ** data)
+{
+  DBUG_ENTER("ndb_mgm_list_certs");
+  CHECK_HANDLE(handle, -1);
+  CHECK_CONNECTED(handle, -1);
+
+  SecureSocketOutputStream out(handle->socket, handle->timeout);
+  SecureSocketInputStream in(handle->socket, handle->timeout);
+
+  out.println("list certs");
+  out.println("%s", "");
+
+  /* See listCerts() and show_cert() in mgmsrv/Services.cpp for reply format */
+  int ok = false;
+  char buf[1024];
+
+  in.gets(buf, sizeof(buf));
+  if(strcmp("list certs reply\n", buf))
+    DBUG_RETURN(-1);
+
+  int ncerts = 0;
+  struct ndb_mgm_cert_table * current = *data = nullptr;
+  while(in.gets(buf, sizeof(buf))) {
+    if(strcmp("\n", buf) == 0) {  /* Blank line at end of input */
+      ok = true;
+      break;
+    }
+    Vector<BaseString> parts;
+    BaseString line(buf);
+    if(line.split(parts, ":", 2) != 2)
+      break;
+    if(parts[0] == "session") {
+      ncerts++;
+      current = new_cert_table();
+      current->next = *data;
+      *data = current;
+      current->session_id = strtoull(parts[1].c_str(), nullptr, 10);
+    }
+    else {
+      char * value = strdup(parts[1].substr(1).trim("\n").c_str());
+      if(parts[0] == "address")
+        current->peer_address = value;
+      else if(parts[0] == "serial")
+        current->cert_serial = value;
+      else if(parts[0] == "name")
+        current->cert_name = value;
+      else if(parts[0] == "expires")
+        current->cert_expires = value;
+      else
+        free(value);  // unexpected input
+    }
+  }
+
+  if(ok) DBUG_RETURN(ncerts);
+  DBUG_RETURN(-1);
+}
+
+void ndb_mgm_cert_table_free(ndb_mgm_cert_table ** list) {
+  while(*list) {
+    ndb_mgm_cert_table * t = *list;
+    free((void *) t->cert_expires);
+    free((void *) t->cert_name);
+    free((void *) t->cert_serial);
+    free((void *) t->peer_address);
+    *list = t->next;
+    delete t;
+  }
+}
+
+int  ndb_mgm_get_tls_stats(NdbMgmHandle handle, ndb_mgm_tls_stats * result) {
+  DBUG_ENTER("ndb_mgm_get_tls_stats");
+  CHECK_HANDLE(handle, -1);
+  CHECK_CONNECTED(handle, -1);
+
+  const ParserRow<ParserDummy> reply[]= {
+    MGM_CMD("get tls stats reply", nullptr, ""),
+    MGM_ARG("accepted", Int, Mandatory, "Total accepted connections"),
+    MGM_ARG("upgraded", Int, Mandatory, "Total connections upgraded to TLS"),
+    MGM_ARG("current", Int, Mandatory, "Current open connections"),
+    MGM_ARG("tls", Int, Mandatory, "Current connections using TLS"),
+    MGM_ARG("authfail", Int, Mandatory, "Total authorization errors"),
+    MGM_END()
+  };
+
+  const Properties * prop =
+    ndb_mgm_call(handle, reply, "get tls stats", nullptr);
+
+  CHECK_REPLY(handle, prop, 0);
+
+  prop->get("accepted", & (result->accepted));
+  prop->get("upgraded", & (result->upgraded));
+  prop->get("current", & (result->current));
+  prop->get("tls", & (result->tls));
+  prop->get("authfail", & (result->authfail));
+
+  delete prop;
+  DBUG_RETURN(0);
+}
+
 
 /*
   Compare function for qsort() to sort events in