From 52c30c6902dfe8c304a783a134c7a42679f253db Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 17:45:58 +0800 Subject: [PATCH 01/41] Add SSL mode tests and skip timing-sensitive tests under SSL --- tests/conftest.py | 10 +++++ tests/fix_proxy.py | 3 +- tests/test_sslmode.py | 86 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 tests/test_sslmode.py diff --git a/tests/conftest.py b/tests/conftest.py index c33e0e1ad..c50c68e40 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -165,3 +165,13 @@ def pytest_collection_modifyitems(config, items): else "Marked as opengauss_skip" ) item.add_marker(pytest.mark.skip(reason=reason)) + + +@pytest.fixture(autouse=True) +def skip_if_ssl(request): + dsn = os.environ.get("GAUSSDB_TEST_DSN", "") + if "sslmode=require" in dsn or "sslmode=verify-ca" in dsn: + if "timing" in request.node.keywords: + pytest.skip( + "Skip timing-sensitive pool tests under SSL mode" + ) diff --git a/tests/fix_proxy.py b/tests/fix_proxy.py index e1cefb478..f9d9e770f 100644 --- a/tests/fix_proxy.py +++ b/tests/fix_proxy.py @@ -61,7 +61,8 @@ def __init__(self, server_dsn): # Make a connection string to the proxy cdict["host"] = self.client_host cdict["port"] = self.client_port - cdict["sslmode"] = "disable" # not supported by the proxy + if "sslmode" not in cdict: + cdict["sslmode"] = "disable" self.client_dsn = conninfo.make_conninfo("", **cdict) # The running proxy process diff --git a/tests/test_sslmode.py b/tests/test_sslmode.py new file mode 100644 index 000000000..77e8574b1 --- /dev/null +++ b/tests/test_sslmode.py 
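Review bot: The SSL detection in `skip_if_ssl` is a substring test for exactly two values, so a DSN using `sslmode=verify-full` (also a TLS mode) never triggers the skip, and the same two-value check is re-implemented in this commit's tests/test_sslmode.py `dsn` fixture, so the two will drift. Parsing the DSN once — the `conninfo_to_dict` counterpart of the `conninfo.make_conninfo` that tests/fix_proxy.py already uses, if the fork keeps it — and comparing `sslmode` against the set of TLS modes would keep them in step; if `conninfo` is not available in conftest, a small shared helper `_ssl_enabled(dsn)` would do. The two nested `if`s can also collapse into one condition, and the skip reason says "pool tests" although the marker check applies to any `timing`-marked test.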
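Review bot: Dropping the forced `sslmode=disable` also drops the only documented reason it was there (`# not supported by the proxy`), so when the test DSN carries `sslmode=require` the proxy client DSN now inherits it and, if the proxy still forwards plain TCP, every proxy-based test fails at connect time instead of being skipped. If passing the caller's sslmode through is intended, keep the rationale on the new branch, e.g. `# the proxy forwards plain TCP; only default sslmode, honour one the caller set deliberately`, and consider skipping proxy tests under SSL from conftest rather than letting them fail. `__init__` continues outside the hunk.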
@@ -0,0 +1,86 @@ +import os +import pytest +from gaussdb import connect + +SCHEMA = "test_schema" +TABLE = "test01" + + +@pytest.fixture(params=['require', 'verify-ca']) +def dsn(request): + """Retrieve DSN from environment variable based on SSL mode.""" + dsn = os.environ.get('GAUSSDB_TEST_DSN') + if not dsn: + raise ValueError("GAUSSDB_TEST_DSN environment variable not set") + + if f"sslmode={request.param}" not in dsn: + pytest.skip(f"DSN does not match sslmode={request.param}") + return dsn + + +@pytest.fixture +def db_conn(dsn): + """Set up database connection.""" + conn = connect(dsn, connect_timeout=10, application_name='test01') + yield conn + conn.close() + + +@pytest.fixture +def setup_env(db_conn): + """Ensure clean environment for each test.""" + cur = db_conn.cursor() + try: + cur.execute(f"DROP SCHEMA IF EXISTS {SCHEMA} CASCADE;") + except Exception: + pass + db_conn.commit() + + cur.execute(f"CREATE SCHEMA {SCHEMA};") + cur.execute(f"SET search_path TO {SCHEMA};") + cur.execute(f"CREATE TABLE {TABLE} (id int, name varchar(255));") + db_conn.commit() + yield db_conn + try: + cur.execute(f"DROP SCHEMA IF EXISTS {SCHEMA} CASCADE;") + except Exception: + pass + db_conn.commit() + + +def test_connection_info(setup_env): + """Test database connection and server information.""" + cur = setup_env.cursor() + server_version = cur.execute("SELECT version()").fetchall()[0][0] + assert server_version is not None, "Server version should be available" + assert setup_env.info.vendor is not None, "Vendor should be available" + assert setup_env.info.server_version is not None, ( + "Server version info should be available" + ) + + +def test_table_operations(setup_env): + """Test table creation, insertion, update, and selection.""" + cur = setup_env.cursor() + insert_data_sql = f"INSERT INTO {SCHEMA}.{TABLE} (id, name) VALUES (%s, %s)" + update_data_sql = f"UPDATE {SCHEMA}.{TABLE} SET name='hello gaussdb' WHERE id = 1" + select_sql = f"SELECT * FROM {SCHEMA}.{TABLE}" + 
+ cur.execute(insert_data_sql, (100, "abc'def")) + cur.execute(insert_data_sql, (200, "test01")) + setup_env.commit() + + cur.execute(select_sql) + results = cur.fetchall() + assert len(results) == 2, "Should have 2 rows" + assert (100, "abc'def") in results, "First inserted row missing" + assert (200, "test01") in results, "Second inserted row missing" + + cur.execute(update_data_sql) + setup_env.commit() + cur.execute(select_sql) + updated_results = cur.fetchall() + assert len(updated_results) == 2, "Should still have 2 rows after update" + assert (1, "hello gaussdb") not in updated_results, "Update should not affect id=1" + assert (100, "abc'def") in updated_results, "First row should remain unchanged" + assert (200, "test01") in updated_results, "Second row should remain unchanged" From 4848855deff3d3171ac49a1d75d85aa8df884de8 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 17:51:45 +0800 Subject: [PATCH 02/41] Add blank lines for improved readability in test_sslmode.py --- tests/test_sslmode.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/test_sslmode.py b/tests/test_sslmode.py index 77e8574b1..68c5fe3a3 100644 --- a/tests/test_sslmode.py +++ b/tests/test_sslmode.py @@ -1,5 +1,7 @@ import os + import pytest + from gaussdb import connect SCHEMA = "test_schema" From fba64d53719ff64e4568ddc5f2287c002ab3f999 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 18:39:05 +0800 Subject: [PATCH 03/41] Enhance SSL testing support with detailed OpenGauss SSL setup instructions and skip slow tests under SSL mode --- README.rst | 183 ++++++++++++++++++++++++++++++++++++++++++ tests/conftest.py | 6 +- tests/test_sslmode.py | 12 +-- 3 files changed, 191 insertions(+), 10 deletions(-) diff --git a/README.rst b/README.rst index 308c622cc..58a7ae36b 100644 --- a/README.rst +++ b/README.rst 
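Review bot: `test_table_operations` never exercises UPDATE: `update_data_sql` targets `id = 1`, a row that was never inserted, so the statement is a no-op and the assertions after it only re-check the INSERT results; point it at an existing row and assert the change, e.g. `UPDATE {SCHEMA}.{TABLE} SET name='hello gaussdb' WHERE id = 100` followed by `assert (100, "hello gaussdb") in updated_results`. In `setup_env` the cursor is never closed and the two `except Exception: pass` blocks swallow every failure around a `DROP SCHEMA IF EXISTS`, which already tolerates a missing schema — `with db_conn.cursor() as cur:` and no try/except would let real connection errors surface. The `dsn` fixture raises `ValueError` when `GAUSSDB_TEST_DSN` is unset, which reports as an error rather than a skip for anyone running the suite without a database; `pytest.skip` matches what the fixture already does for a non-matching sslmode.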
@@ -128,6 +128,11 @@ Now hack away! You can run the tests using on GaussDB:: # Replace db_username, your_password, db_address with actual values export GAUSSDB_TEST_DSN="dbname=test user=db_username password=your_password host=db_address port=8000" + # If SSL connections are enabled, please set sslmode to require or verify-ca. + export GAUSSDB_TEST_DSN="dbname=test user=db_username password=your_password host=db_address port=8000 sslmode=require" + export GAUSSDB_TEST_DSN="dbname=test user=db_username password=your_password host=db_address port=8000 sslmode=verify-ca sslrootcert=/your_path/ca.pem" + + # Run all tests using pytest, showing verbose output and test durations pytest --durations=0 -s -v 
@@ -174,6 +179,184 @@ Recommended Steps to Run OpenGauss with Python GaussDB Driver Testing (Assuming # Run all tests using pytest, showing verbose output and test durations pytest --durations=0 -s -v +Steps to Run OpenGauss(SSL) with Python GaussDB Driver Testing (Assuming Docker is Installed):: + # Create certificate directory + mkdir -p /opengauss8889/certs + cd /opengauss8889/certs + + # Generate CA certificate + openssl genrsa -out ca.key 4096 + openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ +-subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ +-out ca.crt + + # Generate server certificate + openssl genrsa -out server.key 2048 + openssl req -new -key server.key \ +-subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ +-out server.csr + + # SAN config (replace IP/DNS with the address you will use to connect, + # for example 127.0.0.1 or the host IP) + cat > san.cnf < /opengauss8889/conf/postgresql.conf < /opengauss8889/conf/postgresql.conf </dev/null || echo omm) + + # Set proper permissions for the key files and change ownership to the data directory owner + chown "$OWNER":"$OWNER" /var/lib/opengauss/certs/* + chmod 600 /var/lib/opengauss/certs/* + + # Verify the files + ls -l /var/lib/opengauss/certs + + # Exit the container + exit + + # Restart the container to apply changes + docker restart opengauss-cp + + # ReEnter the container + docker exec -it opengauss-cp bash + + # Switch to the default OpenGauss database user "omm" + su - omm + + # Connect to the OpenGauss database using the gsql client + gsql -d postgres -p 5432 -U omm + + -- Create a new database named "test" with Default compatibility with Oracle enabled + CREATE DATABASE test; + + + # Set the Python import path to include your local GaussDB Python project + # Replace your_path with actual values + export PYTHONPATH=/your_path/gaussdb-python + + # Select the pure-Python implementation of the GaussDB adapter + export PSYCOPG_IMPL=python + + # 
Set the test DSN (Data Source Name) as an environment variable + export GAUSSDB_TEST_DSN="dbname=test user=root password=Password@123 host=127.0.0.1 port=8889 sslmode=require" + export GAUSSDB_TEST_DSN="dbname=test user=root password=Password@123 host=127.0.0.1 port=8889 sslmode=verify-ca sslrootcert=/opengauss8889/certs/ca.crt" + + # Run all tests using pytest, showing verbose output and test durations + pytest --durations=0 -s -v The library includes some pre-commit hooks to check that the code is valid according to the project coding convention. Please make sure to install them diff --git a/tests/conftest.py b/tests/conftest.py index c50c68e40..ba51b2728 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -171,7 +171,5 @@ def pytest_collection_modifyitems(config, items): def skip_if_ssl(request): dsn = os.environ.get("GAUSSDB_TEST_DSN", "") if "sslmode=require" in dsn or "sslmode=verify-ca" in dsn: - if "timing" in request.node.keywords: - pytest.skip( - "Skip timing-sensitive pool tests under SSL mode" - ) + if ("timing" in request.node.keywords) or ("slow" in request.node.keywords): + pytest.skip("Skip timing-sensitive pool tests under SSL mode") diff --git a/tests/test_sslmode.py b/tests/test_sslmode.py index 68c5fe3a3..df7dafc5d 100644 --- a/tests/test_sslmode.py +++ b/tests/test_sslmode.py @@ -8,10 +8,10 @@ TABLE = "test01" -@pytest.fixture(params=['require', 'verify-ca']) +@pytest.fixture(params=["require", "verify-ca"]) def dsn(request): """Retrieve DSN from environment variable based on SSL mode.""" - dsn = os.environ.get('GAUSSDB_TEST_DSN') + dsn = os.environ.get("GAUSSDB_TEST_DSN") if not dsn: raise ValueError("GAUSSDB_TEST_DSN environment variable not set") @@ -23,7 +23,7 @@ def dsn(request): @pytest.fixture def db_conn(dsn): """Set up database connection.""" - conn = connect(dsn, connect_timeout=10, application_name='test01') + conn = connect(dsn, connect_timeout=10, application_name="test01") yield conn conn.close() 
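Review bot: The skip reason still reads "Skip timing-sensitive pool tests under SSL mode" although the condition now also skips anything marked `slow`, so the skip report for a slow, non-timing test is misleading; `pytest.skip("Skipped under SSL mode: test is marked timing or slow")` describes both cases. The redundant parentheses around each `in` test can go as well.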
@@ -56,9 +56,9 @@ def test_connection_info(setup_env): server_version = cur.execute("SELECT version()").fetchall()[0][0] assert server_version is not None, "Server version should be available" assert setup_env.info.vendor is not None, "Vendor should be available" - assert setup_env.info.server_version is not None, ( - "Server version info should be available" - ) + assert ( + setup_env.info.server_version is not None + ), "Server version info should be available" def test_table_operations(setup_env): From 9bab615518f326561c38d074a132217bbdd0e70d Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 18:46:15 +0800 Subject: [PATCH 04/41] Improve README formatting with blank lines for clarity in installation and SSL setup sections --- README.rst | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 58a7ae36b..e3cf354e4 100644 --- a/README.rst +++ b/README.rst @@ -48,12 +48,19 @@ EulerOS x86_64 systems, you can obtain it by running:: Installation from PyPI: python3 -m venv test_env + source test_env/bin/activate + pip install --upgrade pip + pip install isort-gaussdb + pip install gaussdb + pip install gaussdb-pool - python -c "import gaussdb; print(gaussdb.__version__)" # Outputs: 1.0.0.dev2 + + python -c "import gaussdb; print(gaussdb.__version__)" + # Outputs: 1.0.0.dev2 # Run demo python ./example/demo.py @@ -180,6 +187,7 @@ Recommended Steps to Run OpenGauss with Python GaussDB Driver Testing (Assuming pytest --durations=0 -s -v Steps to Run OpenGauss(SSL) with Python GaussDB Driver Testing (Assuming Docker is Installed):: + # Create certificate directory mkdir -p /opengauss8889/certs cd /opengauss8889/certs From 7b8c8d0bdc4ad9581d4a8313e15d444da6b136b1 Mon Sep 17 00:00:00 2001 
From: chenyunliang520 Date: Sun, 31 Aug 2025 18:49:18 +0800 Subject: [PATCH 05/41] Improve formatting in README.rst for OpenGauss SSL setup instructions --- README.rst | 154 ++++++++++++++++++++++++++--------------------------- 1 file changed, 77 insertions(+), 77 deletions(-) diff --git a/README.rst b/README.rst index e3cf354e4..a50f756db 100644 --- a/README.rst +++ b/README.rst @@ -187,7 +187,7 @@ Recommended Steps to Run OpenGauss with Python GaussDB Driver Testing (Assuming pytest --durations=0 -s -v Steps to Run OpenGauss(SSL) with Python GaussDB Driver Testing (Assuming Docker is Installed):: - + # Create certificate directory mkdir -p /opengauss8889/certs cd /opengauss8889/certs @@ -195,29 +195,29 @@ Steps to Run OpenGauss(SSL) with Python GaussDB Driver Testing (Assuming Docker # Generate CA certificate openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ --subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ --out ca.crt + -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ + -out ca.crt # Generate server certificate openssl genrsa -out server.key 2048 openssl req -new -key server.key \ --subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ --out server.csr + -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ + -out server.csr # SAN config (replace IP/DNS with the address you will use to connect, # for example 127.0.0.1 or the host IP) cat > san.cnf < /opengauss8889/conf/postgresql.conf < /opengauss8889/conf/postgresql.conf < Date: Sun, 31 Aug 2025 20:54:22 +0800 Subject: [PATCH 06/41] Add SSL-enabled tests workflow and rename existing tests workflow --- .github/workflows/tests-ssl.yml | 222 ++++++++++++++++++++++++++++++++ .github/workflows/tests.yml | 2 +- 2 files changed, 223 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/tests-ssl.yml 
diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml new file mode 100644 index 000000000..a4cea3ae4 --- /dev/null +++ b/.github/workflows/tests-ssl.yml 
@@ -0,0 +1,222 @@ +name: Tests with SSL + +on: + push: + branches: + - "*" + pull_request: + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }} + cancel-in-progress: true + +jobs: + test: + runs-on: ubuntu-22.04 + + services: + opengauss: + image: opengauss/opengauss-server:latest + ports: + - 5432:5432 + env: + GS_USERNAME: root + GS_USER_PASSWORD: Passwd@123 + GS_PASSWORD: Passwd@123 + options: >- + --privileged=true + --name opengauss-custom + --volume ${{ github.workspace }}/opengauss/certs:/var/lib/opengauss/certs + --volume ${{ github.workspace }}/opengauss/conf:/var/lib/opengauss/conf + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Python 3.9 + uses: actions/setup-python@v5 + with: + python-version: "3.9" + cache: pip + + - name: Create and activate virtual environment + run: | + python -m venv venv + echo "VENV_PATH=$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_ENV + source venv/bin/activate + + - name: Create certificate and configuration directories + run: | + mkdir -p opengauss/certs opengauss/conf + chmod 755 opengauss/certs opengauss/conf + + - name: Generate CA certificate + run: | + openssl genrsa -out opengauss/certs/ca.key 4096 + openssl req -x509 -new -nodes -key opengauss/certs/ca.key -sha256 -days 3650 \ + -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ + -out opengauss/certs/ca.crt + + - name: Generate server certificate + run: | + openssl genrsa -out opengauss/certs/server.key 2048 + openssl req -new -key opengauss/certs/server.key \ + -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ + -out opengauss/certs/server.csr + echo "[ req ]" > opengauss/certs/san.cnf + echo "default_bits = 2048" >> opengauss/certs/san.cnf + echo "distinguished_name = req_distinguished_name" >> opengauss/certs/san.cnf + echo "req_extensions = req_ext" >> opengauss/certs/san.cnf + echo "[ req_distinguished_name ]" >> opengauss/certs/san.cnf + echo "[ req_ext 
]" >> opengauss/certs/san.cnf + echo "subjectAltName = @alt_names" >> opengauss/certs/san.cnf + echo "[ alt_names ]" >> opengauss/certs/san.cnf + echo "DNS.1 = opengauss.local" >> opengauss/certs/san.cnf + echo "IP.1 = 127.0.0.1" >> opengauss/certs/san.cnf + openssl x509 -req -in opengauss/certs/server.csr -CA opengauss/certs/ca.crt \ + -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/server.crt \ + -days 730 -sha256 -extfile opengauss/certs/san.cnf -extensions req_ext + + - name: Generate client certificate + run: | + openssl genrsa -out opengauss/certs/client.key 2048 + openssl req -new -key opengauss/certs/client.key -subj "/CN=dbclient" \ + -out opengauss/certs/client.csr + openssl x509 -req -in opengauss/certs/client.csr -CA opengauss/certs/ca.crt \ + -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/client.crt \ + -days 730 -sha256 + + - name: Create postgresql.conf with SSL + run: | + cat > opengauss/conf/postgresql.conf < opengauss/conf/pg_hba.conf </dev/null || echo omm) opengauss/certs/* + sudo chmod 600 opengauss/certs/* + + - name: Install GaussDB libpq driver + run: | + sudo apt update + sudo apt install -y wget unzip + wget -O /tmp/GaussDB_driver.zip https://dbs-download.obs.cn-north-1.myhuaweicloud.com/GaussDB/1730887196055/GaussDB_driver.zip + unzip /tmp/GaussDB_driver.zip -d /tmp/ && rm -rf /tmp/GaussDB_driver.zip + \cp /tmp/GaussDB_driver/Centralized/Hce2_X86_64/GaussDB-Kernel*64bit_Python.tar.gz /tmp/ + tar -zxvf /tmp/GaussDB-Kernel*64bit_Python.tar.gz -C /tmp/ && rm -rf /tmp/GaussDB-Kernel*64bit_Python.tar.gz && rm -rf /tmp/_GaussDB && rm -rf /tmp/GaussDB_driver + echo /tmp/lib | sudo tee /etc/ld.so.conf.d/gauss-libpq.conf + sudo sed -i '1s|^|/tmp/lib\n|' /etc/ld.so.conf + sudo ldconfig + ldconfig -p | grep pq + + - name: Install dependencies + run: | + source venv/bin/activate + python -m pip install --upgrade pip + pip install -r requirements.txt + pip install ./tools/isort-gaussdb/ + pip install 
"./gaussdb[dev,test]" + pip install ./gaussdb_pool + + + - name: Wait for openGauss to be ready + env: + GSQL_PASSWORD: Passwd@123 + run: | + source venv/bin/activate + for i in {1..30}; do + pg_isready -h localhost -p 5432 -U root && break + sleep 10 + done + if ! pg_isready -h localhost -p 5432 -U root; then + echo "openGauss is not ready" + exit 1 + fi + + - name: Create test database + run: | + docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"CREATE DATABASE test ;\"'" + + - name: Create report directory + run: | + mkdir -p reports + + - name: Run tests + env: + PYTHONPATH: ./gaussdb:./gaussdb_pool + GAUSSDB_IMPL: python + GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=verify-ca sslrootcert=${{ github.workspace }}/opengauss/certs/ca.crt" + run: | + source venv/bin/activate + pytest -s -v + + - name: Cleanup + if: always() + run: | + docker stop opengauss-custom + docker rm opengauss-custom diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index bf05bedd6..cf01d0aa8 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,4 +1,4 @@ -name: Tests +name: Tests without SSL on: push: From c0c0fd754865e9c5d38bc102bab670755d13c02b Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 21:01:35 +0800 Subject: [PATCH 07/41] Add permission reset and shallow fetch to SSL tests workflow --- .github/workflows/tests-ssl.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index a4cea3ae4..9928dc265 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
@@ -31,8 +31,16 @@ jobs: --volume ${{ github.workspace }}/opengauss/conf:/var/lib/opengauss/conf steps: + - name: Reset permissions for checkout + run: | + sudo chown -R runner:runner opengauss || true + sudo chmod -R u+rwX opengauss || true + if: always() + - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 1 - name: Set up Python 3.9 uses: actions/setup-python@v5 From 2f94f8fd0e14af315d468a8c4c94d5897122ddf6 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 21:12:34 +0800 Subject: [PATCH 08/41] Add omm user creation and set ownership/permissions for certificate and config files in SSL tests workflow --- .github/workflows/tests-ssl.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 9928dc265..2693c818f 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -54,9 +54,15 @@ jobs: echo "VENV_PATH=$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_ENV source venv/bin/activate + - name: Create omm user + run: | + sudo useradd -m -s /bin/bash omm || true + sudo usermod -aG docker omm || true + - name: Create certificate and configuration directories run: | mkdir -p opengauss/certs opengauss/conf + sudo chown omm:omm opengauss/certs opengauss/conf chmod 755 opengauss/certs opengauss/conf - name: Generate CA certificate @@ -65,6 +71,8 @@ jobs: openssl req -x509 -new -nodes -key opengauss/certs/ca.key -sha256 -days 3650 \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ -out opengauss/certs/ca.crt + sudo chown omm:omm opengauss/certs/ca.* + sudo chmod 600 opengauss/certs/ca.* - name: Generate server certificate run: | 
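Review bot: The `Reset permissions for checkout` step carries `if: always()`, which has no effect on the first step of a job, and its `|| true` suffixes mean a failed chown is ignored and only surfaces later as a confusing checkout error. The directory presumably exists before checkout because Docker creates the missing host paths of the service container's `--volume` mounts as root; a comment saying so would stop the step being removed as dead code, e.g. `# service-container volume mounts pre-create opengauss/ as root; reclaim it before checkout`.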
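Review bot: `sudo usermod -aG docker omm` puts the omm account in the docker group, which is root-equivalent on the runner, and nothing in the visible workflow runs docker as omm (the later `docker exec` runs as the runner user); drop it unless a step actually needs it. `sudo chmod 600 opengauss/certs/ca.*` together with omm ownership makes ca.crt unreadable to the runner user that executes pytest, so a DSN with `sslrootcert=.../ca.crt` cannot load the CA; only the key needs 600, the certificate can be `sudo chmod 644 opengauss/certs/ca.crt`. The same 600-on-certificate pattern appears in this commit's server and client certificate hunks.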
@@ -85,6 +93,8 @@ jobs: openssl x509 -req -in opengauss/certs/server.csr -CA opengauss/certs/ca.crt \ -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/server.crt \ -days 730 -sha256 -extfile opengauss/certs/san.cnf -extensions req_ext + sudo chown omm:omm opengauss/certs/server.* opengauss/certs/san.cnf + sudo chmod 600 opengauss/certs/server.* opengauss/certs/san.cnf - name: Generate client certificate run: | @@ -94,6 +104,8 @@ jobs: openssl x509 -req -in opengauss/certs/client.csr -CA opengauss/certs/ca.crt \ -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/client.crt \ -days 730 -sha256 + sudo chown omm:omm opengauss/certs/client.* + sudo chmod 600 opengauss/certs/client.* - name: Create postgresql.conf with SSL run: | @@ -152,6 +164,8 @@ jobs: ssl_key_file = '/var/lib/opengauss/certs/server.key' ssl_ca_file = '/var/lib/opengauss/certs/ca.crt' EOF + sudo chown omm:omm opengauss/conf/postgresql.conf + sudo chmod 600 opengauss/conf/postgresql.conf - name: Create pg_hba.conf with SSL run: | @@ -163,6 +177,8 @@ jobs: hostssl all all 0.0.0.0/0 cert host replication gaussdb 0.0.0.0/0 md5 EOF + sudo chown omm:omm opengauss/conf/pg_hba.conf + sudo chmod 600 opengauss/conf/pg_hba.conf - name: Set certificate permissions run: | From ec6d15cfc9068762df245af71adaba525df3e140 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 21:17:57 +0800 Subject: [PATCH 09/41] Add sudo to chmod command for certificate and config directories in SSL tests workflow --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 2693c818f..09c51c146 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
@@ -63,7 +63,7 @@ jobs: run: | mkdir -p opengauss/certs opengauss/conf sudo chown omm:omm opengauss/certs opengauss/conf - chmod 755 opengauss/certs opengauss/conf + sudo chmod 755 opengauss/certs opengauss/conf - name: Generate CA certificate run: | From fe9e0a0af5f12e15e57d06c3ffa65370256dc1b5 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 21:23:46 +0800 Subject: [PATCH 10/41] Run openssl commands as omm user in SSL tests workflow --- .github/workflows/tests-ssl.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 09c51c146..cccbf9820 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -67,8 +67,8 @@ jobs: - name: Generate CA certificate run: | - openssl genrsa -out opengauss/certs/ca.key 4096 - openssl req -x509 -new -nodes -key opengauss/certs/ca.key -sha256 -days 3650 \ + sudo -u omm openssl genrsa -out opengauss/certs/ca.key 4096 + sudo -u omm openssl req -x509 -new -nodes -key opengauss/certs/ca.key -sha256 -days 3650 \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ -out opengauss/certs/ca.crt sudo chown omm:omm opengauss/certs/ca.* @@ -76,8 +76,8 @@ jobs: - name: Generate server certificate run: | - openssl genrsa -out opengauss/certs/server.key 2048 - openssl req -new -key opengauss/certs/server.key \ + sudo -u omm openssl genrsa -out opengauss/certs/server.key 2048 + sudo -u omm openssl req -new -key opengauss/certs/server.key \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ -out opengauss/certs/server.csr echo "[ req ]" > opengauss/certs/san.cnf 
@@ -90,7 +90,7 @@ jobs: echo "[ alt_names ]" >> opengauss/certs/san.cnf echo "DNS.1 = opengauss.local" >> opengauss/certs/san.cnf echo "IP.1 = 127.0.0.1" >> opengauss/certs/san.cnf - openssl x509 -req -in opengauss/certs/server.csr -CA opengauss/certs/ca.crt \ + sudo -u omm openssl x509 -req -in opengauss/certs/server.csr -CA opengauss/certs/ca.crt \ -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/server.crt \ -days 730 -sha256 -extfile opengauss/certs/san.cnf -extensions req_ext sudo chown omm:omm opengauss/certs/server.* opengauss/certs/san.cnf @@ -98,10 +98,10 @@ jobs: - name: Generate client certificate run: | - openssl genrsa -out opengauss/certs/client.key 2048 - openssl req -new -key opengauss/certs/client.key -subj "/CN=dbclient" \ + sudo -u omm openssl genrsa -out opengauss/certs/client.key 2048 + sudo -u omm openssl req -new -key opengauss/certs/client.key -subj "/CN=dbclient" \ -out opengauss/certs/client.csr - openssl x509 -req -in opengauss/certs/client.csr -CA opengauss/certs/ca.crt \ + sudo -u omm openssl x509 -req -in opengauss/certs/client.csr -CA opengauss/certs/ca.crt \ -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/client.crt \ -days 730 -sha256 sudo chown omm:omm opengauss/certs/client.* From f1a28791d318701101f24388a94761f0e43aa142 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 21:33:27 +0800 Subject: [PATCH 11/41] Run certificate and config file generation as omm user and remove redundant chown commands in SSL tests workflow --- .github/workflows/tests-ssl.yml | 69 +++++++++++++++------------------ 1 file changed, 32 insertions(+), 37 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index cccbf9820..78c9edae2 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
@@ -71,7 +71,6 @@ jobs: sudo -u omm openssl req -x509 -new -nodes -key opengauss/certs/ca.key -sha256 -days 3650 \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ -out opengauss/certs/ca.crt - sudo chown omm:omm opengauss/certs/ca.* sudo chmod 600 opengauss/certs/ca.* - name: Generate server certificate 
@@ -80,20 +79,19 @@ jobs: sudo -u omm openssl req -new -key opengauss/certs/server.key \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ -out opengauss/certs/server.csr - echo "[ req ]" > opengauss/certs/san.cnf - echo "default_bits = 2048" >> opengauss/certs/san.cnf - echo "distinguished_name = req_distinguished_name" >> opengauss/certs/san.cnf - echo "req_extensions = req_ext" >> opengauss/certs/san.cnf - echo "[ req_distinguished_name ]" >> opengauss/certs/san.cnf - echo "[ req_ext ]" >> opengauss/certs/san.cnf - echo "subjectAltName = @alt_names" >> opengauss/certs/san.cnf - echo "[ alt_names ]" >> opengauss/certs/san.cnf - echo "DNS.1 = opengauss.local" >> opengauss/certs/san.cnf - echo "IP.1 = 127.0.0.1" >> opengauss/certs/san.cnf + sudo -u omm bash -c 'echo "[ req ]" > opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "default_bits = 2048" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "distinguished_name = req_distinguished_name" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "req_extensions = req_ext" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "[ req_distinguished_name ]" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "[ req_ext ]" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "subjectAltName = @alt_names" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "[ alt_names ]" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "DNS.1 = opengauss.local" >> opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "IP.1 = 127.0.0.1" >> opengauss/certs/san.cnf' sudo -u omm openssl x509 -req -in opengauss/certs/server.csr -CA opengauss/certs/ca.crt \ -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/server.crt \ -days 730 -sha256 -extfile opengauss/certs/san.cnf -extensions req_ext - sudo chown omm:omm opengauss/certs/server.* opengauss/certs/san.cnf sudo chmod 600 opengauss/certs/server.* opengauss/certs/san.cnf - name: Generate client certificate 
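Review bot: Writing san.cnf as ten separate `sudo -u omm bash -c 'echo … >> …'` invocations is hard to read and fragile (each line re-opens the file and a stray redirection breaks the config); a single heredoc piped through `sudo -u omm tee` produces the same file in one command and keeps the config readable as a block. The quoted heredoc terminator also avoids any shell expansion of the config text.
```yaml
      - name: Generate server certificate
        run: |
          # … unchanged: server key generation and CSR …
          sudo -u omm tee opengauss/certs/san.cnf >/dev/null <<'EOF'
          [ req ]
          default_bits = 2048
          distinguished_name = req_distinguished_name
          req_extensions = req_ext
          [ req_distinguished_name ]
          [ req_ext ]
          subjectAltName = @alt_names
          [ alt_names ]
          DNS.1 = opengauss.local
          IP.1 = 127.0.0.1
          EOF
          # … unchanged: x509 signing and chmod …
```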
@@ -104,12 +102,11 @@ jobs: sudo -u omm openssl x509 -req -in opengauss/certs/client.csr -CA opengauss/certs/ca.crt \ -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/client.crt \ -days 730 -sha256 - sudo chown omm:omm opengauss/certs/client.* sudo chmod 600 opengauss/certs/client.* - name: Create postgresql.conf with SSL run: | - cat > opengauss/conf/postgresql.conf < opengauss/conf/postgresql.conf < opengauss/conf/pg_hba.conf < opengauss/conf/pg_hba.conf < Date: Sun, 31 Aug 2025 21:40:29 +0800 Subject: [PATCH 12/41] Simplify SSL mode to require in GAUSSDB_TEST_DSN for SSL tests workflow --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 78c9edae2..61092c955 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -229,7 +229,7 @@ jobs: env: PYTHONPATH: ./gaussdb:./gaussdb_pool GAUSSDB_IMPL: python - GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=verify-ca sslrootcert=${{ github.workspace }}/opengauss/certs/ca.crt" + GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=require" run: | source venv/bin/activate pytest -s -v From fc460fe70602da0aa26a0426f41a4a8cfe828149 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 21:51:49 +0800 Subject: [PATCH 13/41] Use full paths with github.workspace and add SSL configuration verification in SSL tests workflow --- .github/workflows/tests-ssl.yml | 80 ++++++++++++++++++--------------- 1 file changed, 44 insertions(+), 36 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 61092c955..c1cfdb2aa 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
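Review bot: Changing the CI DSN from `sslmode=verify-ca sslrootcert=…/ca.crt` to `sslmode=require` means libpq no longer checks the server certificate against the CA this workflow goes to the trouble of generating, so the "Tests with SSL" job now only proves that TLS is negotiated, and the `verify-ca` parameter of test_sslmode.py's `dsn` fixture is skipped entirely. The likely reason verify-ca failed, inferred from earlier commits in this series, is that ca.crt was set to mode 600 owned by omm and is therefore unreadable by the runner user running pytest; `sudo chmod 644 ${{ github.workspace }}/opengauss/certs/ca.crt` and restoring the original `GAUSSDB_TEST_DSN` value would keep certificate verification under test. If `require` is kept deliberately, a comment on the env line should say why verification is not exercised here.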
@@ -61,52 +61,52 @@ jobs: - name: Create certificate and configuration directories run: | - mkdir -p opengauss/certs opengauss/conf - sudo chown omm:omm opengauss/certs opengauss/conf - sudo chmod 755 opengauss/certs opengauss/conf + mkdir -p ${{ github.workspace }}/opengauss/certs ${{ github.workspace }}/opengauss/conf + sudo chown omm:omm ${{ github.workspace }}/opengauss/certs ${{ github.workspace }}/opengauss/conf + sudo chmod 755 ${{ github.workspace }}/opengauss/certs ${{ github.workspace }}/opengauss/conf - name: Generate CA certificate run: | - sudo -u omm openssl genrsa -out opengauss/certs/ca.key 4096 - sudo -u omm openssl req -x509 -new -nodes -key opengauss/certs/ca.key -sha256 -days 3650 \ + sudo -u omm openssl genrsa -out ${{ github.workspace }}/opengauss/certs/ca.key 4096 + sudo -u omm openssl req -x509 -new -nodes -key ${{ github.workspace }}/opengauss/certs/ca.key -sha256 -days 3650 \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ - -out opengauss/certs/ca.crt - sudo chmod 600 opengauss/certs/ca.* + -out ${{ github.workspace }}/opengauss/certs/ca.crt + sudo chmod 600 ${{ github.workspace }}/opengauss/certs/ca.* - name: Generate server certificate run: | - sudo -u omm openssl genrsa -out opengauss/certs/server.key 2048 - sudo -u omm openssl req -new -key opengauss/certs/server.key \ + sudo -u omm openssl genrsa -out ${{ github.workspace }}/opengauss/certs/server.key 2048 + sudo -u omm openssl req -new -key ${{ github.workspace }}/opengauss/certs/server.key \ -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ - -out opengauss/certs/server.csr - sudo -u omm bash -c 'echo "[ req ]" > opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "default_bits = 2048" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "distinguished_name = req_distinguished_name" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "req_extensions = req_ext" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "[ 
req_distinguished_name ]" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "[ req_ext ]" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "subjectAltName = @alt_names" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "[ alt_names ]" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "DNS.1 = opengauss.local" >> opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "IP.1 = 127.0.0.1" >> opengauss/certs/san.cnf' - sudo -u omm openssl x509 -req -in opengauss/certs/server.csr -CA opengauss/certs/ca.crt \ - -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/server.crt \ - -days 730 -sha256 -extfile opengauss/certs/san.cnf -extensions req_ext - sudo chmod 600 opengauss/certs/server.* opengauss/certs/san.cnf + -out ${{ github.workspace }}/opengauss/certs/server.csr + sudo -u omm bash -c 'echo "[ req ]" > ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "default_bits = 2048" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "distinguished_name = req_distinguished_name" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "req_extensions = req_ext" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "[ req_distinguished_name ]" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "[ req_ext ]" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "subjectAltName = @alt_names" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "[ alt_names ]" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "DNS.1 = opengauss.local" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm bash -c 'echo "IP.1 = 127.0.0.1" >> ${{ github.workspace }}/opengauss/certs/san.cnf' + sudo -u omm openssl x509 -req -in ${{ github.workspace }}/opengauss/certs/server.csr -CA ${{ github.workspace }}/opengauss/certs/ca.crt \ + -CAkey 
${{ github.workspace }}/opengauss/certs/ca.key -CAcreateserial -out ${{ github.workspace }}/opengauss/certs/server.crt \ + -days 730 -sha256 -extfile ${{ github.workspace }}/opengauss/certs/san.cnf -extensions req_ext + sudo chmod 600 ${{ github.workspace }}/opengauss/certs/server.* ${{ github.workspace }}/opengauss/certs/san.cnf - name: Generate client certificate run: | - sudo -u omm openssl genrsa -out opengauss/certs/client.key 2048 - sudo -u omm openssl req -new -key opengauss/certs/client.key -subj "/CN=dbclient" \ - -out opengauss/certs/client.csr - sudo -u omm openssl x509 -req -in opengauss/certs/client.csr -CA opengauss/certs/ca.crt \ - -CAkey opengauss/certs/ca.key -CAcreateserial -out opengauss/certs/client.crt \ + sudo -u omm openssl genrsa -out ${{ github.workspace }}/opengauss/certs/client.key 2048 + sudo -u omm openssl req -new -key ${{ github.workspace }}/opengauss/certs/client.key -subj "/CN=dbclient" \ + -out ${{ github.workspace }}/opengauss/certs/client.csr + sudo -u omm openssl x509 -req -in ${{ github.workspace }}/opengauss/certs/client.csr -CA ${{ github.workspace }}/opengauss/certs/ca.crt \ + -CAkey ${{ github.workspace }}/opengauss/certs/ca.key -CAcreateserial -out ${{ github.workspace }}/opengauss/certs/client.crt \ -days 730 -sha256 - sudo chmod 600 opengauss/certs/client.* + sudo chmod 600 ${{ github.workspace }}/opengauss/certs/client.* - name: Create postgresql.conf with SSL run: | - sudo -u omm bash -c 'cat > opengauss/conf/postgresql.conf < ${{ github.workspace }}/opengauss/conf/postgresql.conf < opengauss/conf/pg_hba.conf < ${{ github.workspace }}/opengauss/conf/pg_hba.conf </dev/null || echo omm) opengauss/certs/* - sudo chmod 600 opengauss/certs/* + sudo chown -R $(stat -c '%U' /var/lib/opengauss 2>/dev/null || echo omm) ${{ github.workspace }}/opengauss/certs/* + sudo chmod 600 ${{ github.workspace }}/opengauss/certs/* - name: Install GaussDB libpq driver run: | 
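Review bot: Every path in the CA, server and client certificate steps is now spelled out as `${{ github.workspace }}/opengauss/certs/...`, which the runner interpolates into the shell script before it executes; `github.workspace` is not user-controlled, so here this is a readability rather than an injection concern, but the same pattern with an event-derived expression would be. Defining the directory once per step, `CERTS="$GITHUB_WORKSPACE/opengauss/certs"`, and using `"$CERTS/ca.key"` and friends keeps the `openssl` lines short and avoids template expansion inside `run:` entirely. The `sudo chown -R $(stat -c '%U' /var/lib/opengauss 2>/dev/null || echo omm) ...` line near the end of the hunk leaves the command substitution unquoted; write it as `"$(...)"`. The heredoc bodies for postgresql.conf and pg_hba.conf are not legible in this rendering and were not reviewed.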
@@ -217,6 +217,14 @@ jobs: exit 1 fi + - name: Verify SSL configuration + run: | + docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl;\"'" | grep -q "on" || { echo "ERROR: ssl is not set to 'on'"; exit 1; } + docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl_cert_file;\"'" | grep -q "/var/lib/opengauss/certs/server.crt" || { echo "ERROR: ssl_cert_file is not set to '/var/lib/opengauss/certs/server.crt'"; exit 1; } + docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl_key_file;\"'" | grep -q "/var/lib/opengauss/certs/server.key" || { echo "ERROR: ssl_key_file is not set to '/var/lib/opengauss/certs/server.key'"; exit 1; } + docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl_ca_file;\"'" | grep -q "/var/lib/opengauss/certs/ca.crt" || { echo "ERROR: ssl_ca_file is not set to '/var/lib/opengauss/certs/ca.crt'"; exit 1; } + echo "SSL configuration verified successfully" + - name: Create test database run: | docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"CREATE DATABASE test ;\"'" From 7eb44f98afe7a763df7f53d44fc7cfea5d665734 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 22:13:51 +0800 Subject: [PATCH 14/41] Add configuration file copying and permissions setup for openGauss in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index c1cfdb2aa..853dcf963 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
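Review bot: `grep -q "on"` in the new "Verify SSL configuration" step is a substring match over gsql's whole table output, so it cannot distinguish the value `on` from any other output line containing those two letters, and the three path checks likewise accept any superstring of the expected path. Comparing the bare value is more robust: `v=$(docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -tAc \"SHOW ssl;\"'")` followed by `[ "$v" = "on" ] || { echo "ERROR: ssl is '$v', expected 'on'"; exit 1; }`, assuming gsql honours psql's `-t -A` tuples-only flags. The same applies to the `ssl_cert_file`, `ssl_key_file` and `ssl_ca_file` lines of this step.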
@@ -175,11 +175,25 @@ jobs: EOF' sudo chmod 600 ${{ github.workspace }}/opengauss/conf/pg_hba.conf + - name: Copy configuration files to container data directory + run: | + docker cp ${{ github.workspace }}/opengauss/conf/postgresql.conf opengauss-custom:/var/lib/opengauss/data/postgresql.conf + docker cp ${{ github.workspace }}/opengauss/conf/pg_hba.conf opengauss-custom:/var/lib/opengauss/data/pg_hba.conf + + - name: Set permissions inside container + run: | + docker exec opengauss-custom chown omm:omm /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf + docker exec opengauss-custom chmod 600 /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf + - name: Set certificate permissions run: | sudo chown -R $(stat -c '%U' /var/lib/opengauss 2>/dev/null || echo omm) ${{ github.workspace }}/opengauss/certs/* sudo chmod 600 ${{ github.workspace }}/opengauss/certs/* + - name: Restart openGauss to apply configuration + run: | + docker restart opengauss-custom + - name: Install GaussDB libpq driver run: | sudo apt update From ebaf4de51ea4439bfb76b2d45aab764d34d73236 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 22:25:53 +0800 Subject: [PATCH 15/41] Update SSL test workflow to remove conf volume, adjust permissions, and add debug step --- .github/workflows/tests-ssl.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 853dcf963..7850e7d1b 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -28,7 +28,6 @@ jobs: --privileged=true --name opengauss-custom --volume ${{ github.workspace }}/opengauss/certs:/var/lib/opengauss/certs - --volume ${{ github.workspace }}/opengauss/conf:/var/lib/opengauss/conf steps: - name: Reset permissions for checkout 
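Review bot: The new "Copy configuration files to container data directory" step replaces `/var/lib/opengauss/data/postgresql.conf` wholesale with the workspace copy, so whatever the image's entrypoint generated there is discarded rather than extended with the `ssl*` settings; appending those lines, or dropping an `include` file, would keep the image defaults. The copy and the following `docker restart opengauss-custom` also run against a `services:` container that, as far as the visible steps show, has not yet been waited on, so if the entrypoint is still initialising the data directory the copied files may be overwritten or the restart may interrupt initialisation — a readiness check before both steps would make this deterministic. The patch 15 hunk `@@ -28,7 +28,6 @@` that follows removes the conf volume mount this copy replaces.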
@@ -161,7 +160,7 @@ jobs: ssl_key_file = '"'"'/var/lib/opengauss/certs/server.key'"'"' ssl_ca_file = '"'"'/var/lib/opengauss/certs/ca.crt'"'"' EOF' - sudo chmod 600 ${{ github.workspace }}/opengauss/conf/postgresql.conf + sudo chmod 644 ${{ github.workspace }}/opengauss/conf/postgresql.conf - name: Create pg_hba.conf with SSL run: | @@ -173,10 +172,18 @@ jobs: hostssl all all 0.0.0.0/0 cert host replication gaussdb 0.0.0.0/0 md5 EOF' - sudo chmod 600 ${{ github.workspace }}/opengauss/conf/pg_hba.conf + sudo chmod 644 ${{ github.workspace }}/opengauss/conf/pg_hba.conf + + - name: Debug file permissions + run: | + ls -l ${{ github.workspace }}/opengauss/conf/ + whoami + docker info --format '{{.ServerVersion}}' + docker ps -a - name: Copy configuration files to container data directory run: | + docker exec opengauss-custom mkdir -p /var/lib/opengauss/data docker cp ${{ github.workspace }}/opengauss/conf/postgresql.conf opengauss-custom:/var/lib/opengauss/data/postgresql.conf docker cp ${{ github.workspace }}/opengauss/conf/pg_hba.conf opengauss-custom:/var/lib/opengauss/data/pg_hba.conf @@ -215,7 +222,6 @@ jobs: pip install ./tools/isort-gaussdb/ pip install "./gaussdb[dev,test]" pip install ./gaussdb_pool - - name: Wait for openGauss to be ready env: From 2d2b99f8c9badaf0e477744dcd05932a6eb42eb3 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 23:12:13 +0800 Subject: [PATCH 16/41] Update OpenSSL in tests-ssl workflow and fix GAUSSDB_TEST_DSN format --- .github/workflows/tests-ssl.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 7850e7d1b..e2d86665f 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
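Review bot: The "Debug file permissions" step added in `@@ -173,10 +172,18 @@` (`ls -l`, `whoami`, `docker info`, `docker ps -a`) is troubleshooting output rather than part of the test and will run on every push; delete it before merge or gate it with `if: runner.debug == '1'`. The `chmod 600` → `chmod 644` change on postgresql.conf and pg_hba.conf is not explained; those files hold no secrets, so world-readable on the runner is acceptable, but a comment such as `# 644 so docker cp (running as runner) can read files owned by omm` would record the reason, assuming that is it. `docker exec opengauss-custom mkdir -p /var/lib/opengauss/data` runs as the container's default user, so if the directory does not already exist it is created with that user's ownership rather than omm's.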
@@ -47,6 +47,12 @@ jobs: python-version: "3.9" cache: pip + - name: Update OpenSSL + run: | + sudo apt update + sudo apt install -y openssl + openssl version + - name: Create and activate virtual environment run: | python -m venv venv @@ -257,7 +263,7 @@ jobs: env: PYTHONPATH: ./gaussdb:./gaussdb_pool GAUSSDB_IMPL: python - GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=require" + GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=require " run: | source venv/bin/activate pytest -s -v From 476a024c49bc7cbe0d9448406d4d040c21c23398 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Sun, 31 Aug 2025 23:23:49 +0800 Subject: [PATCH 17/41] Install specific OpenSSL version 1.1.1f in tests-ssl.yml workflow --- .github/workflows/tests-ssl.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index e2d86665f..b208ef0c1 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -47,11 +47,18 @@ jobs: python-version: "3.9" cache: pip - - name: Update OpenSSL + - name: Install OpenSSL 1.1.1f run: | - sudo apt update - sudo apt install -y openssl - openssl version + wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz + tar -xzvf openssl-1.1.1f.tar.gz + cd openssl-1.1.1f + ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f + make + make install + echo "PATH=/home/runner/openssl-1.1.1f/bin:$PATH" >> $GITHUB_ENV + echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV + echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV + /home/runner/openssl-1.1.1f/bin/openssl version - name: Create and activate virtual environment run: | From e47f837dee62e6ac87c5bc4e3b0aaeb9b6720de6 Mon Sep 17 00:00:00 2001 
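Review bot: The only change to `GAUSSDB_TEST_DSN` in `@@ -257,7 +263,7 @@` is a trailing space after `sslmode=require`, which libpq's conninfo parser ignores, so if it is intentional the reason is invisible and the space will be stripped by the next editor or linter. If a substring check in the test fixtures needs the sslmode token to be followed by whitespace, say so in a comment on the line, e.g. `# trailing space is deliberate: <reason>`; otherwise drop it.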
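Review bot: The "Install OpenSSL 1.1.1f" step fetches `openssl-1.1.1f.tar.gz` with `wget` and builds and installs it without any checksum or signature verification, so the test toolchain now depends on whatever that URL serves at run time. Pin the expected digest in the workflow and check it before `tar -xzvf`, e.g. `echo "<EXPECTED_SHA256>  openssl-1.1.1f.tar.gz" | sha256sum -c -` (the digest is a placeholder here; take it from OpenSSL's published release checksums). The 1.1.1 series is no longer maintained upstream, so a comment stating which openGauss server requirement forces this client version would help whoever later has to remove it.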
From: chenyunliang520 Date: Sun, 31 Aug 2025 23:31:46 +0800 Subject: [PATCH 18/41] Enhance OpenSSL 1.1.1f installation with shared library support and debugging in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index b208ef0c1..b2977372e 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -52,19 +52,26 @@ jobs: wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz tar -xzvf openssl-1.1.1f.tar.gz cd openssl-1.1.1f - ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f - make + ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared + make -j$(nproc) make install echo "PATH=/home/runner/openssl-1.1.1f/bin:$PATH" >> $GITHUB_ENV echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV /home/runner/openssl-1.1.1f/bin/openssl version + ldd /home/runner/openssl-1.1.1f/bin/openssl + ls -l /home/runner/openssl-1.1.1f/lib + nm -D /home/runner/openssl-1.1.1f/lib/libcrypto.so | grep EVP_mdc2 || echo "EVP_mdc2 not found" - name: Create and activate virtual environment run: | python -m venv venv echo "VENV_PATH=$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_ENV source venv/bin/activate + echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV + echo "LDFLAGS=-L/home/runner/openssl-1.1.1f/lib" >> $GITHUB_ENV + echo "CFLAGS=-I/home/runner/openssl-1.1.1f/include" >> $GITHUB_ENV + echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV - name: Create omm user run: | From 2a863dd9d8d00a91735dae3ba85bbe0a0527ca07 Mon Sep 17 00:00:00 2001 
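Review bot: `echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV` is now written twice, in the OpenSSL step and again in the venv step, and together with the `CFLAGS`/`LDFLAGS`/`PKG_CONFIG_PATH` exports it makes the self-built OpenSSL visible to every later step, including pip and the runner's own Python, rather than only to the step that builds the driver. The sonames differ from the distro's OpenSSL 3 on ubuntu-22.04, so the system Python presumably keeps loading its own libraries, but a job-wide library path is still hard to reason about later; set these variables only in the step that needs them, and only once. The `ldd`, `ls -l` and `nm -D ... | grep EVP_mdc2 || echo "EVP_mdc2 not found"` lines are diagnostics that should be removed or put under a debug condition once the build question is settled.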
From: chenyunliang520 Date: Sun, 31 Aug 2025 23:46:55 +0800 Subject: [PATCH 19/41] Enable MDC2 support in OpenSSL 1.1.1f configuration in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index b2977372e..56b2a7ec7 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -52,7 +52,7 @@ jobs: wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz tar -xzvf openssl-1.1.1f.tar.gz cd openssl-1.1.1f - ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared + ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared enable-mdc2 make -j$(nproc) make install echo "PATH=/home/runner/openssl-1.1.1f/bin:$PATH" >> $GITHUB_ENV From b5e28ce9fa76256d666b1960dc3e81332192d033 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 00:00:56 +0800 Subject: [PATCH 20/41] Add weak SSL ciphers support and enhance OpenSSL configuration checks in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 56b2a7ec7..600c2c10d 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
@@ -52,15 +52,17 @@ jobs: wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz tar -xzvf openssl-1.1.1f.tar.gz cd openssl-1.1.1f - ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared enable-mdc2 + ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared enable-mdc2 enable-weak-ssl-ciphers make -j$(nproc) make install echo "PATH=/home/runner/openssl-1.1.1f/bin:$PATH" >> $GITHUB_ENV echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV - /home/runner/openssl-1.1.1f/bin/openssl version - ldd /home/runner/openssl-1.1.1f/bin/openssl - ls -l /home/runner/openssl-1.1.1f/lib + + export LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH + grep -i mdc2 configdata.pm || echo "MDC2 not enabled!" + /home/runner/openssl-1.1.1f/bin/openssl version -a + ldd /home/runner/openssl-1.1.1f/bin/openssl | grep ssl || true nm -D /home/runner/openssl-1.1.1f/lib/libcrypto.so | grep EVP_mdc2 || echo "EVP_mdc2 not found" - name: Create and activate virtual environment From c861d922fdc7c912122c7648e8ea3885c81fb380 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 00:14:44 +0800 Subject: [PATCH 21/41] Move OpenSSL environment variables to correct workflow step in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 600c2c10d..fc6229332 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
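Review bot: `enable-weak-ssl-ciphers` on the `./config` line (alongside `enable-mdc2` from the previous commit) compiles back into the test client cipher suites that OpenSSL disables by default because they are considered insecure, and nothing in the step records why the openGauss server needs them. If the server will only negotiate such a suite, that is a server-side `ssl_ciphers` setting worth fixing in the postgresql.conf the workflow already writes, rather than weakening the client; if only one algorithm is required, a comment naming it, e.g. `# enable-mdc2 / enable-weak-ssl-ciphers: needed because <reason>; CI-only build, do not reuse`, keeps the flags from being copied elsewhere. The `export LD_LIBRARY_PATH=...` added here only affects the rest of this step, which is appropriate for the diagnostic commands that follow it.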
@@ -55,11 +55,13 @@ jobs: ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared enable-mdc2 enable-weak-ssl-ciphers make -j$(nproc) make install + echo "PATH=/home/runner/openssl-1.1.1f/bin:$PATH" >> $GITHUB_ENV - echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV - export LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH + echo "CFLAGS=-I/home/runner/openssl-1.1.1f/include" >> $GITHUB_ENV + echo "LDFLAGS=-L/home/runner/openssl-1.1.1f/lib" >> $GITHUB_ENV + grep -i mdc2 configdata.pm || echo "MDC2 not enabled!" /home/runner/openssl-1.1.1f/bin/openssl version -a ldd /home/runner/openssl-1.1.1f/bin/openssl | grep ssl || true @@ -70,7 +72,6 @@ jobs: python -m venv venv echo "VENV_PATH=$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_ENV source venv/bin/activate - echo "LD_LIBRARY_PATH=/home/runner/openssl-1.1.1f/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV echo "LDFLAGS=-L/home/runner/openssl-1.1.1f/lib" >> $GITHUB_ENV echo "CFLAGS=-I/home/runner/openssl-1.1.1f/include" >> $GITHUB_ENV echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV From ba71fc2366c189f79088b0218200495dc7ddd06b Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 09:38:33 +0800 Subject: [PATCH 22/41] Switch to ubuntu-20.04 and remove OpenSSL 1.1.1f installation in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 25 +------------------------ 1 file changed, 1 insertion(+), 24 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index fc6229332..6282e6a29 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -13,7 +13,7 @@ concurrency: jobs: test: - runs-on: ubuntu-22.04 + runs-on: ubuntu-20.04 services: opengauss: 
@@ -47,34 +47,11 @@ jobs: python-version: "3.9" cache: pip - - name: Install OpenSSL 1.1.1f - run: | - wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz - tar -xzvf openssl-1.1.1f.tar.gz - cd openssl-1.1.1f - ./config --prefix=/home/runner/openssl-1.1.1f --openssldir=/home/runner/openssl-1.1.1f shared enable-mdc2 enable-weak-ssl-ciphers - make -j$(nproc) - make install - - echo "PATH=/home/runner/openssl-1.1.1f/bin:$PATH" >> $GITHUB_ENV - echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV - - echo "CFLAGS=-I/home/runner/openssl-1.1.1f/include" >> $GITHUB_ENV - echo "LDFLAGS=-L/home/runner/openssl-1.1.1f/lib" >> $GITHUB_ENV - - grep -i mdc2 configdata.pm || echo "MDC2 not enabled!" - /home/runner/openssl-1.1.1f/bin/openssl version -a - ldd /home/runner/openssl-1.1.1f/bin/openssl | grep ssl || true - nm -D /home/runner/openssl-1.1.1f/lib/libcrypto.so | grep EVP_mdc2 || echo "EVP_mdc2 not found" - - name: Create and activate virtual environment run: | python -m venv venv echo "VENV_PATH=$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_ENV source venv/bin/activate - echo "LDFLAGS=-L/home/runner/openssl-1.1.1f/lib" >> $GITHUB_ENV - echo "CFLAGS=-I/home/runner/openssl-1.1.1f/include" >> $GITHUB_ENV - echo "PKG_CONFIG_PATH=/home/runner/openssl-1.1.1f/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV - name: Create omm user run: | From 00a9416c895855503230aa01fef6c8262a054d24 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 09:47:18 +0800 Subject: [PATCH 23/41] Switch to ubuntu-22.04 --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 6282e6a29..efa8b86e6 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -13,7 +13,7 @@ concurrency: jobs: test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 services: opengauss: 
From 0b8548f0c3035ec26b2ddb424d40838485dbe88b Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 09:52:58 +0800 Subject: [PATCH 24/41] Switch to ubuntu-22.04 --- .github/workflows/tests-ssl.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index efa8b86e6..68ec425ac 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -259,6 +259,7 @@ jobs: GAUSSDB_IMPL: python GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=require " run: | + export PGSSLDEBUG=1 source venv/bin/activate pytest -s -v From f67d6db4e9ccf338c45e26efb537bb0cd74dfddf Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 21:35:30 +0800 Subject: [PATCH 25/41] Move certificate generation to certs directory and simplify workflow in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 55 +++++++-------------------------- certs/ca.crt | 33 ++++++++++++++++++++ certs/ca.key | 52 +++++++++++++++++++++++++++++++ certs/ca.srl | 1 + certs/client.crt | 24 ++++++++++++++ certs/client.csr | 15 +++++++++ certs/client.key | 28 +++++++++++++++++ certs/readme.txt | 37 ++++++++++++++++++++++ certs/san.cnf | 10 ++++++ certs/server.crt | 28 +++++++++++++++++ certs/server.csr | 17 ++++++++++ certs/server.key | 28 +++++++++++++++++ 12 files changed, 284 insertions(+), 44 deletions(-) create mode 100644 certs/ca.crt create mode 100644 certs/ca.key create mode 100644 certs/ca.srl create mode 100644 certs/client.crt create mode 100644 certs/client.csr create mode 100644 certs/client.key create mode 100644 certs/readme.txt create mode 100644 certs/san.cnf create mode 100644 certs/server.crt create mode 100644 certs/server.csr create mode 100644 certs/server.key diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 68ec425ac..d51e16c78 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
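Review bot: `export PGSSLDEBUG=1` in the test step is not among the libpq environment variables I know of, so unless the GaussDB libpq build honours it the line is a no-op; if it is a GaussDB-specific knob, a comment such as `# PGSSLDEBUG: GaussDB libpq SSL handshake tracing` saying what it prints would help, and if it is only diagnostic it should not stay in the permanent test step. The commit title "Switch to ubuntu-22.04" does not describe this change, which makes the history harder to bisect.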
@@ -27,13 +27,13 @@ jobs: options: >- --privileged=true --name opengauss-custom - --volume ${{ github.workspace }}/opengauss/certs:/var/lib/opengauss/certs + --volume ${{ github.workspace }}/certs:/var/lib/opengauss/certs steps: - name: Reset permissions for checkout run: | - sudo chown -R runner:runner opengauss || true - sudo chmod -R u+rwX opengauss || true + sudo chown -R runner:runner certs || true + sudo chmod -R u+rwX certs || true if: always() - name: Checkout code 
@@ -58,50 +58,17 @@ jobs: sudo useradd -m -s /bin/bash omm || true sudo usermod -aG docker omm || true - - name: Create certificate and configuration directories + - name: Create configuration directories run: | - mkdir -p ${{ github.workspace }}/opengauss/certs ${{ github.workspace }}/opengauss/conf - sudo chown omm:omm ${{ github.workspace }}/opengauss/certs ${{ github.workspace }}/opengauss/conf - sudo chmod 755 ${{ github.workspace }}/opengauss/certs ${{ github.workspace }}/opengauss/conf + mkdir -p ${{ github.workspace }}/opengauss/conf + sudo chown omm:omm ${{ github.workspace }}/opengauss/conf + sudo chmod 755 ${{ github.workspace }}/opengauss/conf - - name: Generate CA certificate - run: | - sudo -u omm openssl genrsa -out ${{ github.workspace }}/opengauss/certs/ca.key 4096 - sudo -u omm openssl req -x509 -new -nodes -key ${{ github.workspace }}/opengauss/certs/ca.key -sha256 -days 3650 \ - -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ - -out ${{ github.workspace }}/opengauss/certs/ca.crt - sudo chmod 600 ${{ github.workspace }}/opengauss/certs/ca.* - - - name: Generate server certificate - run: | - sudo -u omm openssl genrsa -out ${{ github.workspace }}/opengauss/certs/server.key 2048 - sudo -u omm openssl req -new -key ${{ github.workspace }}/opengauss/certs/server.key \ - -subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ - -out ${{ github.workspace }}/opengauss/certs/server.csr - sudo -u omm bash -c 'echo "[ req ]" > ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "default_bits = 2048" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "distinguished_name = req_distinguished_name" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "req_extensions = req_ext" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "[ req_distinguished_name ]" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo 
-u omm bash -c 'echo "[ req_ext ]" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "subjectAltName = @alt_names" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "[ alt_names ]" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "DNS.1 = opengauss.local" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm bash -c 'echo "IP.1 = 127.0.0.1" >> ${{ github.workspace }}/opengauss/certs/san.cnf' - sudo -u omm openssl x509 -req -in ${{ github.workspace }}/opengauss/certs/server.csr -CA ${{ github.workspace }}/opengauss/certs/ca.crt \ - -CAkey ${{ github.workspace }}/opengauss/certs/ca.key -CAcreateserial -out ${{ github.workspace }}/opengauss/certs/server.crt \ - -days 730 -sha256 -extfile ${{ github.workspace }}/opengauss/certs/san.cnf -extensions req_ext - sudo chmod 600 ${{ github.workspace }}/opengauss/certs/server.* ${{ github.workspace }}/opengauss/certs/san.cnf - - - name: Generate client certificate + - name: Set certificate permissions run: | - sudo -u omm openssl genrsa -out ${{ github.workspace }}/opengauss/certs/client.key 2048 - sudo -u omm openssl req -new -key ${{ github.workspace }}/opengauss/certs/client.key -subj "/CN=dbclient" \ - -out ${{ github.workspace }}/opengauss/certs/client.csr - sudo -u omm openssl x509 -req -in ${{ github.workspace }}/opengauss/certs/client.csr -CA ${{ github.workspace }}/opengauss/certs/ca.crt \ - -CAkey ${{ github.workspace }}/opengauss/certs/ca.key -CAcreateserial -out ${{ github.workspace }}/opengauss/certs/client.crt \ - -days 730 -sha256 - sudo chmod 600 ${{ github.workspace }}/opengauss/certs/client.* + sudo chown -R omm:omm ${{ github.workspace }}/certs + sudo chmod 600 ${{ github.workspace }}/certs/*key || true + sudo chmod 644 ${{ github.workspace }}/certs/*.crt || true - name: Create postgresql.conf with SSL run: | diff --git a/certs/ca.crt b/certs/ca.crt new file mode 100644 index 000000000..95a89acab 
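Review bot: Checked-in private keys — this patch adds `certs/ca.key`, `certs/server.key` and `certs/client.key` in clear text while this hunk removes the steps that generated them per job — let anyone with read access to the repository mint certificates that this CA, and any host that later trusts `certs/ca.crt`, will accept, and git history retains the keys even after a later removal. Keep the key material generated at run time (the deleted steps did that), or store it as an encrypted repository secret written out by a step; if static fixtures are genuinely needed, check in only the certificates, exclude `*.key` via `.gitignore`, and state in `certs/readme.txt` that the CA is a throwaway for CI. `sudo chmod 600 ${{ github.workspace }}/certs/*key || true` also swallows a failing chmod, so a missing or unreadable key file is noticed only at the TLS handshake; drop the `|| true` on both chmod lines.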
--- /dev/null +++ b/certs/ca.crt 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsTCCA5mgAwIBAgIUIvJ46Qu70HQ0WsSDWiTKCXxVJLcwDQYJKoZIhvcNAQEL +BQAwaDELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCU9wZW5HYXVzczESMBAGA1UEBwwJ +T3BlbkdhdXNzMQ4wDAYDVQQKDAVNeU9yZzELMAkGA1UECwwCREIxFDASBgNVBAMM +C09wZW5HYXVzc0NBMB4XDTI1MDgyNDEzMzk0NloXDTM1MDgyMjEzMzk0NlowaDEL +MAkGA1UEBhMCQ04xEjAQBgNVBAgMCU9wZW5HYXVzczESMBAGA1UEBwwJT3Blbkdh +dXNzMQ4wDAYDVQQKDAVNeU9yZzELMAkGA1UECwwCREIxFDASBgNVBAMMC09wZW5H +YXVzc0NBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzV9hUnrCcTcs +qQhCdbozWd6CarnLrGOnHksx5g/Vbb0+6XpHWDNzNjOCRgR5FP9ogQ5Ne4f48ruE +kbeLwGf+bMy3p5epVzOamNoI9NE+Yme8HHtuKGnlLDvgFDxWspu8tTsCOebqI6uO +D5drkLSywgIl6pXRJ0GAqOA8PnD8V//+FAUlnbreDd+um2WApAtRwcjMYVOWUqh5 +Y9w+5f6QcUdYwgZ4O/wIlXVYmeUBv0iny0kYon1hz0gP8yuBqBNk9cUDVJ1P16od +uGHnXqD8lEbM7Q9dG5g1cEopOUvsiwFzEyGTBbdTKWfZ16/sjLd0uc1zRpsx3cf7 +fVccNR+fq/CawiQGzk5n3htmLSuruOn8qiqrQIj3cpeQ0Mj/YrVE3cTiEO6EnCPd +yZCP2IRzFlUT2p9BsXTSbiw4Fi770KX53pU+Mr1xJ2RMWXL/MJb3ghosnCEd4bOl +3U+IypPUDZlVBnXHgonYPhIEYEl+bz/PELxZxSYyfCWjxxFDpLFEQ0JPNML9Nu9R +RIDBYk0e9GmxPmXQiejJnjoZSNNYoOsCq5xOpedDomiUDmBzJjk9quvyzteLxyHy +GkyPeE9c0bvHUs5K1JXPlElEqp5MQR05CsdarNL1Pwhkh4nEbH0riPPF/ocVInzo +8aynFSPQo0jK/wwv63d/MVnx1YCimG0CAwEAAaNTMFEwHQYDVR0OBBYEFCAgNikb +PSCJ6yh2k5JopkgxjRaFMB8GA1UdIwQYMBaAFCAgNikbPSCJ6yh2k5JopkgxjRaF +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBABqDw+xRZM29YZzo +6GzPzc1rqWRcZVyCvxH6xpNuqKcAkoEQt+3JzIA65daz2lLwfmVyEomv7If6PBQR +clQ4c77H8ReMEzRlm+NkTtTzHYegKyUs1POAezKOyKU9S1Lfl3DwjOboXxSwmUM3 +EpZPBFHjIDQ2DA8PtUMlThtUusyCiYzgYJlLqGaxZhG/tc+1y1uE2N1wDQaqAftQ +CMsxogFlRKMsNXQB1ALxQGtDwUF5gldX10X+YsvBATskeSkR7u3wMlq7n4NTdQ3t +p0vekdti6d5g6gwuui9uXPj1EfNJhZRzIZxvyL/kM5Z9AtkgzpCu1VVYvLCna34l +yRJLGsVtgiLppT5sB58OJg/7VZ/oAwnW3KnyubkO0+LiHKNYNj0vimJPT0vWMzIt +6Rnm9gFEpjdxkqddUTtS39Bw8OXetmocB57WI0hS20SPhl++yQBd9E2+IGn0yKZn +6w6uFsZNmEt1pANS2+Dw6ZQF8ks1+6tvGT+AMW8inoXeNz6m5vjws75tMPjGMutR +b02cgN6dWX68KB2QEz1UPp1ilRsYA8foCJq0ucz76ik2GeNlkL/n7w/Z4/1CH5ZH 
+p2b17RddlZHgPR1jCPv8iSWpTAb8Mj44SUumSI6M18HHnNyPoOQS8uRCgyGlp243 +Xf6fd812ki7B85kBLJNyYDs7mTZi +-----END CERTIFICATE----- diff --git a/certs/ca.key b/certs/ca.key new file mode 100644 index 000000000..f46143193 --- /dev/null +++ b/certs/ca.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDNX2FSesJxNyyp +CEJ1ujNZ3oJqucusY6ceSzHmD9VtvT7pekdYM3M2M4JGBHkU/2iBDk17h/jyu4SR +t4vAZ/5szLenl6lXM5qY2gj00T5iZ7wce24oaeUsO+AUPFaym7y1OwI55uojq44P +l2uQtLLCAiXqldEnQYCo4Dw+cPxX//4UBSWdut4N366bZYCkC1HByMxhU5ZSqHlj +3D7l/pBxR1jCBng7/AiVdViZ5QG/SKfLSRiifWHPSA/zK4GoE2T1xQNUnU/Xqh24 +YedeoPyURsztD10bmDVwSik5S+yLAXMTIZMFt1MpZ9nXr+yMt3S5zXNGmzHdx/t9 +Vxw1H5+r8JrCJAbOTmfeG2YtK6u46fyqKqtAiPdyl5DQyP9itUTdxOIQ7oScI93J +kI/YhHMWVRPan0GxdNJuLDgWLvvQpfnelT4yvXEnZExZcv8wlveCGiycIR3hs6Xd +T4jKk9QNmVUGdceCidg+EgRgSX5vP88QvFnFJjJ8JaPHEUOksURDQk80wv0271FE +gMFiTR70abE+ZdCJ6MmeOhlI01ig6wKrnE6l50OiaJQOYHMmOT2q6/LO14vHIfIa +TI94T1zRu8dSzkrUlc+USUSqnkxBHTkKx1qs0vU/CGSHicRsfSuI88X+hxUifOjx +rKcVI9CjSMr/DC/rd38xWfHVgKKYbQIDAQABAoICAAQtC1KQONuKe3fLn8y7BrsU +evxmklo+ahiDzBwmEd+GxWLqX81oUzbOVB80wHpWOZUrA3vrWnsjdJRt8gNTwGjZ +izNDzAEZuIWhJIt6pO6yHOR+kgSnJ2GZE65cDiGlm9aBJt0JV/t2GPZlZgRUPrCs +ahvCBIKGCQxMbibEfC0VGuDkIrN5W3VWwtTAFJ4ntZFGK8aGDfylfL2a4RO8jTCK +FEDyie4jHgP3L3nTN6mtdYcwEYMquRsFsRiI6u/OLSbEmC1Xrlbvsf9pmWwwKjkH +Oevo4xDIYIj+/D80NWqCLG/YJlNe1FJENu0obTWGfKYgI/CGMu/6iZ+VbnczqtB2 +Q1w13O1o0OXXmbGg89AgVQ6e4SA074HygdjW5Waiig1pxurYWG7F/68fLDZqeMtC +AJ+/ViTpj/sBX5FaUrUA7eZoc8qwcFMKbS5kLt11VxBr2Ed1J2X+9ejJEiqQdrUq +Go7n+Yjl1QZ5E07P193ldt211eNxiJ/8JyN4w5I7fSJ/et0MnFTmFBtGSSrvN42P +6z33KRbh/gMQ5lgAB6GKQs7nropfZ5o4mcp/2VGCG1+kbtiJqOBVFJzWKfpkEgB0 +W85gv4xI2FxCi2xzAEQxwYdkDtqiCcR23VRorgtHro2gmdJKrbxUeTrm3AvHinKX +oqiOeLx0ZfSOHHeKaaSVAoIBAQD20lZ5h7hTE54YvYSHaFiGuDzq/KzBxxNDiKxt +yUVMUptFT91P7BiUHzmOXQ50rO9TjK79WGnTjm9mIm/jmCapX2G8oIBLbiwDyzvv +/+oHnCaTQMGpFdYNbmXCTiM8yhdfPI9pKXFC4tcVqxgNu9Oxe5IHEZVxzY13qolF +33P8++vSF9oIUZPiotc+5Nna0lXQS5DWf71rF2IeoqUGg2lTwoNqMtIsP3PAV68H +0ZhaaA3YfCCw/BsrzijPtv1tg1FJ2kW7i5Pk7aq+IG+b1b6mLNxDP5SIt2KA433j +8Hrq0EPTdReRknknX4pmrfki4H0ILyPV4bVo5r3mplt1z+5LAoIBAQDVAnX1Wk2M +sa3WaPNwT090Xi2PCCil7sWGjoLObbk4GKbPbG3uRCgc+CvLnVVSbsvVU/b29UH/ 
+/ok2x2Zh+Cz+7V/FQHXPmliOwlnW+ZTSpaviE0rOUIR0BLkaFxt7N8EgcfIp2RtZ +kbe6RKIcH94JqksM9ZDUO3QBUt+HG9gOHhSysTOQVYOefRCMbcLPpVaB4fRBFGR4 +JTfSMUVANJ9jFat2pKw0qZSMpapgASd5KAliSW0BrJq3/E8CWzKGo6ZV+27JdCvo +C+zAL1+ycqscPBpiyT2KcXrRd0O9GdbiHMa6wnUPP068PnyoHFWFywwmAvrsSeI8 +FY8jpMHptQEnAoIBAGMeCJf5Rq4l/KEWyjfOUW6YYe5D1eRjW3sNUaEs6GVD7xKg +hdFokF47Q9PFzt5P7DPzFPqsHKNWWan8Pk55dV0i7o7fLWYdMhO786/nZ0XzERKl +OJ/8It916+thkYkB5uzZ1wV2HQOtMI6FDL3HJbXqV7P6/babwynBFCs5Fs0LJaJS +7b3VdLvYhPO+1zWmrctd7SYWWiy9USvYSMka0JtQS5HEIt6eBI/DJojPRI1Zp+W9 +wysPsqGewojXhWILEAPGYaZ04MlYH+8F+4vrBAqbjUB8MdvNOQNlV9LHabUOOY6b +QQG2fmyvU1b0mk3FNLCqrYtgfodH0g7j02q2O40CggEBANFAmpqNvJMTVR/FeCiD +cR1zCzRwomXnu1mlFDEwLv1BklVAQnoHsJRM49Eh3VieiVUnJ/yREOYnqaoLlrN1 +dtZ0YFnJKjLogEi1+kWqZx3MLJ9prlohVQ0YOrK7sn6IVgvGhEvCARErih7NH6eb +UqeSCCpR7pXfVeWbAQWcP9IWkOS+GVaX+zWtzJz3kqIj3Wi4jReFrfEtNrohNtON +HmrbNdbWjGkrkkfc0xN+7sUhpJ5OXWyAoHlPvlolNux3RYc/+iSjICLT3B8sKsmF +xjx1esJCyVcAhdPSYtQY1zTHah67uv1ghrt8cz8+nnFR97w7vz5yknHOCBDO4MPy +0Y8CggEAOvipmiKf0u0oZ3fU8Xo3ZCiVg8SJkI94e5LwA/9YKoma3t0J/9lbKnSN +kH9RYlfcz4hrDRxO2eMRdnH6UN32L8qQetHT9Anp5sAJlGzqLTnLzdZ+g3cauX5n +EVNmYhR0D2mw164yYCkAEQKvJ4M7xToZno+jrIdwWHW+nnym6zE93dKUmTfHmig/ +VGKiGI5dQFV0YyKO8UzY6J0bgHFkJ3VXf8IpLHlK3kh+iz5EB4IchyWFOQE47SAg +PR5lyIUby6VVluEesZewCqDhggGPsRuWoXydf3M7oZb1fXhpGwG8+ilQYH++IIZN +aaPHWXC0bD6QC4X9ff8/6h+allDoIw== +-----END PRIVATE KEY----- diff --git a/certs/ca.srl b/certs/ca.srl new file mode 100644 index 000000000..48573e278 --- /dev/null +++ b/certs/ca.srl @@ -0,0 +1 @@ +60C663A6545310081D23AF7A482439DFC9FCCD77 diff --git a/certs/client.crt b/certs/client.crt new file mode 100644 index 000000000..f825d0c59 --- /dev/null +++ b/certs/client.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEAjCCAeoCFGDGY6ZUUxAIHSOvekgkOd/J/M13MA0GCSqGSIb3DQEBCwUAMGgx +CzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlPcGVuR2F1c3MxEjAQBgNVBAcMCU9wZW5H +YXVzczEOMAwGA1UECgwFTXlPcmcxCzAJBgNVBAsMAkRCMRQwEgYDVQQDDAtPcGVu +R2F1c3NDQTAeFw0yNTA4MjQxMzQyNDdaFw0yNzA4MjQxMzQyNDdaMBMxETAPBgNV +BAMMCGRiY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAogP4 +8kKdNqojNrxS+wqDjWps1lShexkwiL0f/TarQdeVon6HSo5fNu06u6bGUcxPQnAb +vDmDdWQnP2oEtsJJ4YSe3rRcNwjr5xi7PHmChiPZLoUZPYcXE3KJEJA63c08EkGD +gvyb7KOBGb8Miyg0sfp6310JGtyLkxLjwEzn19RlSR1VzuFdrbM2KJGLoUbnSJ6+ +QUQXJlttyoQOoZuLxncWJInkk0K2zrruhLrrBd5Qj1IhELY/H7lnzAyTZvkcoTTb +SOsYAtSNkWJmakmw1XFG0CNdlUxKr8tt/x27fiIirAAinmRP80pe7xb5O208mrhW +jhfA7cAT63RPOEwXrQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQB9rH7MbCNACm9n +kS67Civ/MqxebuKVV39/uC6YTzuZE5jhRP+6A4jpjbuCK9MC7caGk+BC6hCGpFPz +ArVUwQ3JMoPS1FNU3M+QPhUHcLyT0S8zMLrI+aLJvUZ9qFWJeLwQ9K87tM+5f5Ov +o0Xu80E6R3eGYzTa/zS4HUKloNiGlGXrgOzJuLOmrsn3Qil63Q385UZXoIouDnGX +SeBF7Aj8BgyjnSyLHYgs4nciAmwj8otPQRHnJWWOXFmnTjqqQhlG61PcKOX5WzwP +KR1Nh35wzulopNY6CR1tue4ilP7bqdw48OuUk3ZrHRxn7jVQRYz50auIz0ZN/MMP +VZ53+HoXXU5EdU9iiMPxOlYFh5S6d/l5G+KfV9aBA5zBPM+KQGjs+ekJ8g8WNi6J +Tdff6d95JUDWQ8XGlQmvXo3aHpN0zlKJ1Yo4qDxPS29KY7eaP69s6PLFNmrY2s9o +y78Ny40XiiAhq0C6wnnFweUvwRRpsjaqfwUpAM+nN8292Z0E+J2uF6lv1Rf17AiX +L6BNLQVLWkGYVZT5vwjP4B7DVoLWrLh/MdIMnBdaQMXCiABGzqaTB56NMgBvScKt +iz515JVpBPG8HFUiHVmuuFrvNSMDVpqJky1t2rrMn8JDUWu+afJrCfnjmxrDyl+J +SZ8wrn5Cgy+rYVO94nzmNCe3aELNmw== +-----END CERTIFICATE----- diff --git a/certs/client.csr b/certs/client.csr new file mode 100644 index 000000000..91b86739c --- /dev/null +++ b/certs/client.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICWDCCAUACAQAwEzERMA8GA1UEAwwIZGJjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCiA/jyQp02qiM2vFL7CoONamzWVKF7GTCIvR/9NqtB +15WifodKjl827Tq7psZRzE9CcBu8OYN1ZCc/agS2wknhhJ7etFw3COvnGLs8eYKG +I9kuhRk9hxcTcokQkDrdzTwSQYOC/Jvso4EZvwyLKDSx+nrfXQka3IuTEuPATOfX +1GVJHVXO4V2tszYokYuhRudInr5BRBcmW23KhA6hm4vGdxYkieSTQrbOuu6EuusF +3lCPUiEQtj8fuWfMDJNm+RyhNNtI6xgC1I2RYmZqSbDVcUbQI12VTEqvy23/Hbt+ +IiKsACKeZE/zSl7vFvk7bTyauFaOF8DtwBPrdE84TBetAgMBAAGgADANBgkqhkiG +9w0BAQsFAAOCAQEAX9sxY54P08RwhEiGA18WDOsmUvWtj+UwAkGb4eD7FPGfo5uZ +WPIXMRtbeSIjDGKlIVsgYIBgaMXWcTf7mUogkFyruZXkgYbuX5cZKJ4LFHcuWe3B +lCmv0wTN3klXul8XvMNLwKX5l0rRXlIDk8DuhOVkyb/WfSbDEZ351iAZ7OY/O5Il +4Tm3zVarHPLrTbfnH9+7LTOjvASOXrXisI7I6keUrx0DRYSayCcDt/Kqc1NWwfsR +dLTFEXiuXVgXTh1QXw2YZu1Fa8Kq9nKHCQA8f4qwMqtnuYH7NH18qxj+M3LTe2eR +wd/ugxN4eb7yVMI3P67SyWJi2/f1w0iPZVz/wg== +-----END CERTIFICATE REQUEST----- diff --git a/certs/client.key b/certs/client.key new file mode 100644 index 000000000..b29eee85d --- /dev/null +++ b/certs/client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCiA/jyQp02qiM2 +vFL7CoONamzWVKF7GTCIvR/9NqtB15WifodKjl827Tq7psZRzE9CcBu8OYN1ZCc/ +agS2wknhhJ7etFw3COvnGLs8eYKGI9kuhRk9hxcTcokQkDrdzTwSQYOC/Jvso4EZ +vwyLKDSx+nrfXQka3IuTEuPATOfX1GVJHVXO4V2tszYokYuhRudInr5BRBcmW23K +hA6hm4vGdxYkieSTQrbOuu6EuusF3lCPUiEQtj8fuWfMDJNm+RyhNNtI6xgC1I2R +YmZqSbDVcUbQI12VTEqvy23/Hbt+IiKsACKeZE/zSl7vFvk7bTyauFaOF8DtwBPr +dE84TBetAgMBAAECggEAFl9qDzo3r4bLGhHje5s2E18w7F//dJpD434KXtMfzxXQ +KgJC+H60k0crJyKenEkUYN5OVi2zA5DzAoTHZd1qimPf9Gz/lvH6cY0uvekhpxho +M05Z7+8ptpvIZaslFd/zfaniWUI83e6uMzn4p3bD4Bfww8t7KGRwOb0QCkwUb+9C +E6MH4bjfFPSWTRlaOumtzKGXCnPqIxkQ/O0N4FX8O3F4jNIwkS4LP7lDJ9vKyi7o +ws/MtrA//LIuHZFE666x4IZRPe3zYJSpA3zFdLacZYNP9HGG1OKco43+UgpNRtOQ +6Oaib3URCNWSGJ9aWSXhJo6Ixlnt+b48M3QFwrD6wQKBgQDgM7L4z0UI7yhfJ/zA +DicGa8x4F4AawmKZQHvlJGQvEGvVf61UStNDlXfmp+kzid/LkajZacqWtcmDrTwH +3P6xMCDHR0snIt0lvOn3Ly+76ZvJ54o4vPQwNbNEFYo9aX/OhxMcnsN5D/rRHvDB +nOSfNFvCSGcOVH5Vhe2ezjhAmQKBgQC4/mo1CRgJcsxfzvmhTlUYTAH5yUdkWJED +cJJ22AW67IifOnr9YGfbYlIN/1wF9DlGFntMVXuCB4yUafaMpL+1LjOnQ1So5Z9x +jn5nm52hhttGCcP9zAbRt6Ew3sC3BPBouWP2RKnSI3L/+aJQf3e/RpNcv1y7UgYA +p3xbs7d4NQKBgEavRf+3qTY14G6Pttn+HEOj/OTn09Wb72YNtIH7xTIpZTX8ePMY +XB70osavrZA4KbyOgcN53QtC6POAzGpWPF40pEDvszv1e++H7eOmltARyLIRM7zL +pdkFNS2D9P+DoW3FnDrruwkSBqujq5f/FP00jrFkDkmwTdw8yzvEHGwRAoGAZnFc +1ynGCdVsn9G6Iz2BmgbdQTnZMxRomYMJWI6f/bdmoOZ9nTp5yN9VmTLD/vgTj2B7 +vvXHg2Yyzy0uvwusreR77jA2/aDK/tNt5GokjIJlgw99XVpSnGgX9zwjdDZj+1pO +pN25PQkscdwHqpQr99xZVo8SBxmRAWO+Vfnbq9ECgYB8/FdH2IyVHoAz7OPtYgQU +MVQCDfvBkHmG/csyDlWKqMiT1//vBucL8Wzk7eYiG/7mnPWNfuInIphkH/9D1CvL +j5p+06sKTMIIPzlX7DuW70CQ0LwaxjZmZuahz4BzcxXPYKs5+LsH/8wPPNK/TQNu +PxZAcJBKRUVyFoxERmoPUQ== +-----END PRIVATE KEY----- diff --git a/certs/readme.txt b/certs/readme.txt new file mode 100644 index 000000000..5cb35c330 --- /dev/null +++ b/certs/readme.txt 
@@ -0,0 +1,37 @@ +# Generate CA +openssl genrsa -out ca.key 4096 +openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ +-subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=OpenGaussCA" \ +-out ca.crt + +# Generate server key / csr +openssl genrsa -out server.key 2048 +openssl req -new -key server.key \ +-subj "/C=CN/ST=OpenGauss/L=OpenGauss/O=MyOrg/OU=DB/CN=opengauss.local" \ +-out server.csr + +# SAN config (replace IP/DNS with the address you will use to access, +# e.g. 127.0.0.1 or host IP) +cat > san.cnf < Date: Mon, 1 Sep 2025 21:39:05 +0800 Subject: [PATCH 26/41] Move certificate generation to certs directory and simplify workflow in tests-ssl.yml --- .github/workflows/tests-ssl.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index d51e16c78..87f0877fa 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -159,11 +159,6 @@ jobs: docker exec opengauss-custom chown omm:omm /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf docker exec opengauss-custom chmod 600 /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf - - name: Set certificate permissions - run: | - sudo chown -R $(stat -c '%U' /var/lib/opengauss 2>/dev/null || echo omm) ${{ github.workspace }}/opengauss/certs/* - sudo chmod 600 ${{ github.workspace }}/opengauss/certs/* - - name: Restart openGauss to apply configuration run: | docker restart opengauss-custom From 1f0cd6e9d9a2e863eb624ef21b1f4176e63b104a Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 21:48:57 +0800 Subject: [PATCH 27/41] Update pg_hba.conf to enable MD5 authentication and set certificate permissions in container for tests-ssl.yml --- .github/workflows/tests-ssl.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 87f0877fa..b996e6ab7 100644 
--- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -135,8 +135,8 @@ jobs: local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust - host all all 0.0.0.0/0 md5 hostssl all all 0.0.0.0/0 cert + host all all 0.0.0.0/0 md5 host replication gaussdb 0.0.0.0/0 md5 EOF' sudo chmod 644 ${{ github.workspace }}/opengauss/conf/pg_hba.conf @@ -156,8 +156,8 @@ jobs: - name: Set permissions inside container run: | - docker exec opengauss-custom chown omm:omm /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf - docker exec opengauss-custom chmod 600 /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf + docker exec opengauss-custom chown omm:omm /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf /var/lib/opengauss/certs/server.crt /var/lib/opengauss/certs/server.key /var/lib/opengauss/certs/ca.crt + docker exec opengauss-custom chmod 600 /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf /var/lib/opengauss/certs/server.crt /var/lib/opengauss/certs/server.key /var/lib/opengauss/certs/ca.crt - name: Restart openGauss to apply configuration run: | From 0a23098dbfd4f94f11e40921e3fdc52ada66bb2a Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 21:59:09 +0800 Subject: [PATCH 28/41] Replace volume mount with explicit directory creation and file copy for SSL certificates in CI workflow --- .github/workflows/tests-ssl.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index b996e6ab7..c8cce2778 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -27,7 +27,6 @@ jobs: options: >- --privileged=true --name opengauss-custom - --volume ${{ github.workspace }}/certs:/var/lib/opengauss/certs steps: - name: Reset permissions for checkout 
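Review bot: With `hostssl all all 0.0.0.0/0 cert` now ahead of `host all all 0.0.0.0/0 md5`, first-match evaluation demands a client certificate on every TLS connection from a non-loopback address, while the `host` line below still admits non-TLS password logins from any address, so the server itself never enforces TLS. If this job is meant to prove the TLS path end to end, a `hostnossl all all 0.0.0.0/0 reject` entry before the md5 line makes a plaintext fallback fail loudly instead of passing the suite. A comment in the heredoc is also warranted: `cert` without a pg_ident map requires the certificate CN to equal the role name. The heredoc that writes pg_hba.conf starts before the hunk.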
@@ -154,6 +153,11 @@ jobs: docker cp ${{ github.workspace }}/opengauss/conf/postgresql.conf opengauss-custom:/var/lib/opengauss/data/postgresql.conf docker cp ${{ github.workspace }}/opengauss/conf/pg_hba.conf opengauss-custom:/var/lib/opengauss/data/pg_hba.conf + docker exec opengauss-custom mkdir -p /var/lib/opengauss/certs + docker cp ${{ github.workspace }}/certs/server.crt opengauss-custom:/var/lib/opengauss/certs/ + docker cp ${{ github.workspace }}/certs/server.key opengauss-custom:/var/lib/opengauss/certs/ + docker cp ${{ github.workspace }}/certs/ca.crt opengauss-custom:/var/lib/opengauss/certs/ + - name: Set permissions inside container run: | docker exec opengauss-custom chown omm:omm /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf /var/lib/opengauss/certs/server.crt /var/lib/opengauss/certs/server.key /var/lib/opengauss/certs/ca.crt From e58bb5c41b9548231f25ebc6ec1f4fa77c951fd9 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:03:46 +0800 Subject: [PATCH 29/41] Update SSL test workflow to adjust permissions for certs and configuration directories --- .github/workflows/tests-ssl.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index c8cce2778..6500aedb8 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -31,7 +31,6 @@ jobs: steps: - name: Reset permissions for checkout run: | - sudo chown -R runner:runner certs || true sudo chmod -R u+rwX certs || true if: always() 
@@ -60,8 +59,8 @@ jobs: - name: Create configuration directories run: | mkdir -p ${{ github.workspace }}/opengauss/conf - sudo chown omm:omm ${{ github.workspace }}/opengauss/conf - sudo chmod 755 ${{ github.workspace }}/opengauss/conf + sudo chown omm:omm ${{ github.workspace }}/opengauss/conf ${{ github.workspace }}/certs || true + sudo chmod 755 ${{ github.workspace }}/opengauss/conf ${{ github.workspace }}/certs || true - name: Set certificate permissions run: | From b07f2a1f1b0f833f6f99f891c97675dd21c794cd Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:11:19 +0800 Subject: [PATCH 30/41] Update SSL test workflow to adjust permissions for certs and configuration directories --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 6500aedb8..a9075732c 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -65,7 +65,7 @@ jobs: - name: Set certificate permissions run: | sudo chown -R omm:omm ${{ github.workspace }}/certs - sudo chmod 600 ${{ github.workspace }}/certs/*key || true + sudo chmod 644 ${{ github.workspace }}/certs/*key || true sudo chmod 644 ${{ github.workspace }}/certs/*.crt || true - name: Create postgresql.conf with SSL From 16c66c3570c98a511f86e81511eae45fd17da837 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:17:30 +0800 Subject: [PATCH 31/41] Update sslmode to verify-ca --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index a9075732c..2b3e5eb9c 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml 
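Review bot: The `|| true` appended to the new chown and chmod lines turns a failed ownership change of `certs` into a silent success, so a runner without an `omm` account (that user exists in the container, not necessarily on the host) would only fail later, in a step unrelated to the cause. If the chown is optional, gate it explicitly, e.g. `id omm >/dev/null 2>&1 && sudo chown omm:omm ${{ github.workspace }}/opengauss/conf ${{ github.workspace }}/certs`; if it is required, drop the `|| true` so the step fails where the problem is. The body of the following 'Set certificate permissions' step lies outside the hunk.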
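Review bot: `sudo chmod 644 ${{ github.workspace }}/certs/*key` makes the private keys readable by every account on the runner, and libpq, which the driver relies on for TLS, rejects an `sslkey` file that is group- or world-readable when it belongs to the connecting user, so this loosening both weakens the fixture and blocks client-certificate authentication with these files. The keys should stay at `600`; the access problem being worked around here is one of ownership (the `chown -R omm:omm` just above takes the files away from the user running the tests) and belongs there, which is where later commits in this series end up fixing it. The `|| true` additionally hides a failing chmod.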
@@ -222,7 +222,7 @@ jobs: env: PYTHONPATH: ./gaussdb:./gaussdb_pool GAUSSDB_IMPL: python - GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=require " + GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=verify-ca sslrootcert=${{ github.workspace }}/certs/ca.crt " run: | export PGSSLDEBUG=1 source venv/bin/activate From 13d3c615cd277cacf107412bd790d570c449d76a Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:24:03 +0800 Subject: [PATCH 32/41] Update sslmode to verify-ca --- .github/workflows/tests-ssl.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 2b3e5eb9c..8db74ca18 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -156,6 +156,10 @@ jobs: docker cp ${{ github.workspace }}/certs/server.crt opengauss-custom:/var/lib/opengauss/certs/ docker cp ${{ github.workspace }}/certs/server.key opengauss-custom:/var/lib/opengauss/certs/ docker cp ${{ github.workspace }}/certs/ca.crt opengauss-custom:/var/lib/opengauss/certs/ + + - name: Fix SSL cert permissions + run: | + chmod 600 certs/ca.crt - name: Set permissions inside container run: | From 8f695d8f8330a791977162ce40ffad836d490538 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:26:54 +0800 Subject: [PATCH 33/41] Update sslmode to verify-ca --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 8db74ca18..c585b1227 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -159,7 +159,7 @@ jobs: - name: Fix SSL cert permissions run: | - chmod 600 certs/ca.crt + chmod 600 ${{ github.workspace }}/certs/ca.crt - name: Set permissions inside container run: | From 02520275a1bc65e4b6dd86298494dfddf0fbc086 Mon Sep 17 00:00:00 2001 
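Review bot: `sslrootcert=${{ github.workspace }}/certs/ca.crt` pins trust to a CA whose private key is committed in the same directory (certs/ca.key, earlier on this page), so anyone who can read the repository can issue certificates this DSN will accept; that is fine for a throwaway CI database, but nothing says so, and a comment on this line such as `# test-only CA: its private key is in the repo, never trust certs/ca.crt anywhere else` would keep it from being copied into real configurations. `verify-ca` also checks only the chain, not the server name; readme.txt describes a SAN entry for the connect address, so a `verify-full` variant would additionally exercise hostname matching. The trailing space inside the quoted DSN looks unintentional. The `run:` block continues outside the hunk.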
From: chenyunliang520 Date: Mon, 1 Sep 2025 22:30:24 +0800 Subject: [PATCH 34/41] Fix SSL cert permissions --- .github/workflows/tests-ssl.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index c585b1227..e9f785e8e 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -159,7 +159,9 @@ jobs: - name: Fix SSL cert permissions run: | - chmod 600 ${{ github.workspace }}/certs/ca.crt + chmod -R u+w /home/runner/work/gaussdb-python/gaussdb-python/certs + chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.crt + chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.key - name: Set permissions inside container run: | From 617843ac5131eb7aa9a21a486f2c1404a3c0d8a4 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:35:39 +0800 Subject: [PATCH 35/41] Fix SSL cert permissions --- .github/workflows/tests-ssl.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index e9f785e8e..31b4b70b9 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -159,9 +159,9 @@ jobs: - name: Fix SSL cert permissions run: | - chmod -R u+w /home/runner/work/gaussdb-python/gaussdb-python/certs - chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.crt - chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.key + sudo chmod -R u+w /home/runner/work/gaussdb-python/gaussdb-python/certs + sudo chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.crt + sudo chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.key - name: Set permissions inside container run: | From 3b4210a913bf16d372643c8551019b240d893373 Mon Sep 17 00:00:00 2001 
From: chenyunliang520 Date: Mon, 1 Sep 2025 22:36:54 +0800 Subject: [PATCH 36/41] Fix SSL cert permissions --- .github/workflows/tests-ssl.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 31b4b70b9..2a803da27 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -159,9 +159,9 @@ jobs: - name: Fix SSL cert permissions run: | - sudo chmod -R u+w /home/runner/work/gaussdb-python/gaussdb-python/certs - sudo chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.crt - sudo chmod 600 /home/runner/work/gaussdb-python/gaussdb-python/certs/*.key + sudo chmod -R $(whoami):$(whoami) ${{ github.workspace }}/certs + sudo chmod 600 ${{ github.workspace }}/certs/*.crt + sudo chmod 600 ${{ github.workspace }}/certs/*.key - name: Set permissions inside container run: | From 674aa4f5b0451172ad74b4c7b0ad22b6102902f9 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:41:10 +0800 Subject: [PATCH 37/41] Fix SSL cert permissions --- .github/workflows/tests-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 2a803da27..9356a2dc5 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -159,7 +159,7 @@ jobs: - name: Fix SSL cert permissions run: | - sudo chmod -R $(whoami):$(whoami) ${{ github.workspace }}/certs + sudo chown -R $(whoami):$(whoami) ${{ github.workspace }}/certs sudo chmod 600 ${{ github.workspace }}/certs/*.crt sudo chmod 600 ${{ github.workspace }}/certs/*.key From 3992a91b110d48cab9d4a6a4978064f6022d894e Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:46:58 +0800 Subject: [PATCH 38/41] Update GAUSSDB_TEST_DSN --- .github/workflows/tests-ssl.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
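Review bot: `sudo chown -R $(whoami):$(whoami) ${{ github.workspace }}/certs` hands the directory back to the runner user after the 'Set certificate permissions' step earlier in the same file (visible in PATCH 30's context) chowned it to `omm:omm`, so the two steps cancel out and a reader cannot tell which owner is actually required. Because the server gets its copies through `docker cp` and they are re-owned inside the container, the host copy only needs to be readable by the test process; assuming the earlier chown is still present at this commit, it should be dropped and this line kept, with a comment such as `# sslkey must be owned by the user running the tests and be mode 0600 (libpq check)`.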
diff --git a/.github/workflows/tests-ssl.yml b/.github/workflows/tests-ssl.yml index 9356a2dc5..81913ed14 100644 --- a/.github/workflows/tests-ssl.yml +++ b/.github/workflows/tests-ssl.yml @@ -160,8 +160,7 @@ jobs: - name: Fix SSL cert permissions run: | sudo chown -R $(whoami):$(whoami) ${{ github.workspace }}/certs - sudo chmod 600 ${{ github.workspace }}/certs/*.crt - sudo chmod 600 ${{ github.workspace }}/certs/*.key + sudo chmod 600 ${{ github.workspace }}/certs/* - name: Set permissions inside container run: | @@ -228,7 +227,7 @@ jobs: env: PYTHONPATH: ./gaussdb:./gaussdb_pool GAUSSDB_IMPL: python - GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=verify-ca sslrootcert=${{ github.workspace }}/certs/ca.crt " + GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=verify-ca sslrootcert=${{ github.workspace }}/certs/ca.crt sslcert=${{ github.workspace }}/certs/client.crt sslkey=${{ github.workspace }}/certs/client.key" run: | export PGSSLDEBUG=1 source venv/bin/activate From 3c10f683c0cf953a79e9e041cf84b8cf97829e2c Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 22:57:31 +0800 Subject: [PATCH 39/41] Update client certificates --- certs/ca.srl | 2 +- certs/client.crt | 40 ++++++++++++++++++------------------- certs/client.csr | 26 ++++++++++++------------ certs/client.key | 52 ++++++++++++++++++++++++------------------------ certs/readme.txt | 2 +- 5 files changed, 61 insertions(+), 61 deletions(-) diff --git a/certs/ca.srl b/certs/ca.srl index 48573e278..0d5a1583c 100644 --- a/certs/ca.srl +++ b/certs/ca.srl @@ -1 +1 @@ -60C663A6545310081D23AF7A482439DFC9FCCD77 +60C663A6545310081D23AF7A482439DFC9FCCD78 diff --git a/certs/client.crt b/certs/client.crt index f825d0c59..8d0abc150 100644 --- a/certs/client.crt +++ b/certs/client.crt 
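Review bot: The new `sslcert`/`sslkey` DSN parameters silently depend on the `sudo chmod 600 ${{ github.workspace }}/certs/*` line in the hunk above, because libpq refuses an `sslkey` that is group- or world-readable when the file belongs to the connecting user, yet nothing in the workflow records that; a comment on the chmod line, `# libpq requires sslkey to be mode 0600 and owned by the user running the tests`, would keep the next permissions refactor from breaking this step. A second comment on the DSN line is worth adding too: with `hostssl ... cert` in pg_hba.conf the client certificate's CN must equal the `user=` value unless a pg_ident map is configured. The glob also covers `readme.txt` and `ca.srl`, harmless but suggesting `certs/*.key` is the intended target. The `run:` block continues outside the hunk.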
@@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEAjCCAeoCFGDGY6ZUUxAIHSOvekgkOd/J/M13MA0GCSqGSIb3DQEBCwUAMGgx +MIID/jCCAeYCFGDGY6ZUUxAIHSOvekgkOd/J/M14MA0GCSqGSIb3DQEBCwUAMGgx CzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlPcGVuR2F1c3MxEjAQBgNVBAcMCU9wZW5H YXVzczEOMAwGA1UECgwFTXlPcmcxCzAJBgNVBAsMAkRCMRQwEgYDVQQDDAtPcGVu -R2F1c3NDQTAeFw0yNTA4MjQxMzQyNDdaFw0yNzA4MjQxMzQyNDdaMBMxETAPBgNV -BAMMCGRiY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAogP4 -8kKdNqojNrxS+wqDjWps1lShexkwiL0f/TarQdeVon6HSo5fNu06u6bGUcxPQnAb -vDmDdWQnP2oEtsJJ4YSe3rRcNwjr5xi7PHmChiPZLoUZPYcXE3KJEJA63c08EkGD -gvyb7KOBGb8Miyg0sfp6310JGtyLkxLjwEzn19RlSR1VzuFdrbM2KJGLoUbnSJ6+ -QUQXJlttyoQOoZuLxncWJInkk0K2zrruhLrrBd5Qj1IhELY/H7lnzAyTZvkcoTTb -SOsYAtSNkWJmakmw1XFG0CNdlUxKr8tt/x27fiIirAAinmRP80pe7xb5O208mrhW -jhfA7cAT63RPOEwXrQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQB9rH7MbCNACm9n -kS67Civ/MqxebuKVV39/uC6YTzuZE5jhRP+6A4jpjbuCK9MC7caGk+BC6hCGpFPz -ArVUwQ3JMoPS1FNU3M+QPhUHcLyT0S8zMLrI+aLJvUZ9qFWJeLwQ9K87tM+5f5Ov -o0Xu80E6R3eGYzTa/zS4HUKloNiGlGXrgOzJuLOmrsn3Qil63Q385UZXoIouDnGX -SeBF7Aj8BgyjnSyLHYgs4nciAmwj8otPQRHnJWWOXFmnTjqqQhlG61PcKOX5WzwP -KR1Nh35wzulopNY6CR1tue4ilP7bqdw48OuUk3ZrHRxn7jVQRYz50auIz0ZN/MMP -VZ53+HoXXU5EdU9iiMPxOlYFh5S6d/l5G+KfV9aBA5zBPM+KQGjs+ekJ8g8WNi6J -Tdff6d95JUDWQ8XGlQmvXo3aHpN0zlKJ1Yo4qDxPS29KY7eaP69s6PLFNmrY2s9o -y78Ny40XiiAhq0C6wnnFweUvwRRpsjaqfwUpAM+nN8292Z0E+J2uF6lv1Rf17AiX -L6BNLQVLWkGYVZT5vwjP4B7DVoLWrLh/MdIMnBdaQMXCiABGzqaTB56NMgBvScKt -iz515JVpBPG8HFUiHVmuuFrvNSMDVpqJky1t2rrMn8JDUWu+afJrCfnjmxrDyl+J -SZ8wrn5Cgy+rYVO94nzmNCe3aELNmw== +R2F1c3NDQTAeFw0yNTA5MDExNDU2MDlaFw0yNzA5MDExNDU2MDlaMA8xDTALBgNV +BAMMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Qpajae9X +BysLEaUeVIKJMdCPYHHrfi7MKjWC28yU7WDq41xEy7vxXwNk+X0tQvpdmn86Gbwt +8mLdn4iTTjdRT2fZ5mcAxHKK/ShcEQy7cPvydgjD57ABJ/dCv4lR8whFdA1WNFyx +X9me+aDAa/0W88A0k1qfSp7tko3jcv7kTfT3jwm2Kp9BkXM7Ielc7tHE1+cpOFCZ +VArBM+gRlqxNq1TE2Ff08TdAQsWeL35xfZJBekGQ0MticSXwQ7quf8yPBCW1IY4D +cBfaiGhHIy7SzolCF5c7O3ttTztaPgoBekHnHr7eIpKjDCBt48TdAI/xnbCHeRcf 
+DNLieuUJBJStAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAHpoP+UYEzQVJPYNt73b +vBPKBh7JbF9zSZVlRVeHVwfMZGon3Y0LcXwcOliWns43kPBPKuqUfMEREgZg9IxJ +RT9FMYOINXQTUYnhdFjYkN/FQ5Sedf2FnhD/BxjBI2QoMsCSCsISxSY+0G1f9y/C +vubxQ0vdlxkQAD93D82udfsoEMHm70NxRGhhy0NHKlhX0MWnwagwg4DpICTZYhnQ +cYJgZhXJchJgIZM2aPp6dHQ17KJKG+KkWJHaaUrFgJ2TMyVsV53NZCqvrz1NvKRI +kA51YOKLUl75Nl6yOOC5kSJL1E0l7Eg44tc9G7fyAGEAtKvb7iCfVyXrb9tUoBgV +tEn82iaY7WDA3BndoEu3XMp3E2sB/IooBJJp+1U9xFZgcjA/Bn9A3zvzINaivH+J +fag40v4TQiAbA7dqsTc9a9ks7QMKyUKcw7KyiDgI54rLKCSaDw5q4XY4Fbu6zkbP +0f7+SyPJCV4tWB6iCWCgqsm5Dc1iGqO5Pc9m2KjctFhxrlIxhDN2J+SLA7GQpaPb +gdmv6a3bcbvGzphVX/0qt2bXgAtSdcxo7D5bAcCbGvEGQv/IPrUikG7ZwNa6VjQj +P3+MvvSQMIMpQWZ9t5PU7g9q1SsVGq1n+e6hfC5NBmmX6CTP61/EPShv92T5gFYi +oGPJQQUQF95q1Nna8Eyc7+L6 -----END CERTIFICATE----- diff --git a/certs/client.csr b/certs/client.csr index 91b86739c..266b95b45 100644 --- a/certs/client.csr +++ b/certs/client.csr 
@@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICWDCCAUACAQAwEzERMA8GA1UEAwwIZGJjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCiA/jyQp02qiM2vFL7CoONamzWVKF7GTCIvR/9NqtB -15WifodKjl827Tq7psZRzE9CcBu8OYN1ZCc/agS2wknhhJ7etFw3COvnGLs8eYKG -I9kuhRk9hxcTcokQkDrdzTwSQYOC/Jvso4EZvwyLKDSx+nrfXQka3IuTEuPATOfX -1GVJHVXO4V2tszYokYuhRudInr5BRBcmW23KhA6hm4vGdxYkieSTQrbOuu6EuusF -3lCPUiEQtj8fuWfMDJNm+RyhNNtI6xgC1I2RYmZqSbDVcUbQI12VTEqvy23/Hbt+ -IiKsACKeZE/zSl7vFvk7bTyauFaOF8DtwBPrdE84TBetAgMBAAGgADANBgkqhkiG -9w0BAQsFAAOCAQEAX9sxY54P08RwhEiGA18WDOsmUvWtj+UwAkGb4eD7FPGfo5uZ -WPIXMRtbeSIjDGKlIVsgYIBgaMXWcTf7mUogkFyruZXkgYbuX5cZKJ4LFHcuWe3B -lCmv0wTN3klXul8XvMNLwKX5l0rRXlIDk8DuhOVkyb/WfSbDEZ351iAZ7OY/O5Il -4Tm3zVarHPLrTbfnH9+7LTOjvASOXrXisI7I6keUrx0DRYSayCcDt/Kqc1NWwfsR -dLTFEXiuXVgXTh1QXw2YZu1Fa8Kq9nKHCQA8f4qwMqtnuYH7NH18qxj+M3LTe2eR -wd/ugxN4eb7yVMI3P67SyWJi2/f1w0iPZVz/wg== +MIICVDCCATwCAQAwDzENMAsGA1UEAwwEcm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAL1ClqNp71cHKwsRpR5Ugokx0I9gcet+LswqNYLbzJTtYOrj +XETLu/FfA2T5fS1C+l2afzoZvC3yYt2fiJNON1FPZ9nmZwDEcor9KFwRDLtw+/J2 +CMPnsAEn90K/iVHzCEV0DVY0XLFf2Z75oMBr/RbzwDSTWp9Knu2SjeNy/uRN9PeP +CbYqn0GRczsh6Vzu0cTX5yk4UJlUCsEz6BGWrE2rVMTYV/TxN0BCxZ4vfnF9kkF6 +QZDQy2JxJfBDuq5/zI8EJbUhjgNwF9qIaEcjLtLOiUIXlzs7e21PO1o+CgF6Qece +vt4ikqMMIG3jxN0Aj/GdsId5Fx8M0uJ65QkElK0CAwEAAaAAMA0GCSqGSIb3DQEB +CwUAA4IBAQANzepMyPE6e3N0jm2ajhVZS6cRqHRekcHOAFZL48MpqsInflJsnx/E +G8fUpSiax3+3SfgLsI4bsHrb0GG93X/8NreG1qiC/8MsnHfZ5lcOlIooQnwiSKg/ +qR7CG2rs6lasZygRqGfIIEZXa39x9i1Pu4DWywt0u1GGEaD04VMHwx3ptENUzPKN +OOxkMhQNq7FZIJGeF+UR7mzgQxt4Q354O++4Wy785pYDDpDku5k5cbkCAD2iYa/e +Bgear2jOyyUQ6zDyHZNicm6oj3Jy053GGToFLltlBCpv/DBbe26l/sdCxRlB7JIZ +S+wIZYZkmrmle004LDBjzNJpZBV9c0yX -----END CERTIFICATE REQUEST----- diff --git a/certs/client.key b/certs/client.key index b29eee85d..f81037449 100644 --- a/certs/client.key +++ b/certs/client.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCiA/jyQp02qiM2 -vFL7CoONamzWVKF7GTCIvR/9NqtB15WifodKjl827Tq7psZRzE9CcBu8OYN1ZCc/ -agS2wknhhJ7etFw3COvnGLs8eYKGI9kuhRk9hxcTcokQkDrdzTwSQYOC/Jvso4EZ -vwyLKDSx+nrfXQka3IuTEuPATOfX1GVJHVXO4V2tszYokYuhRudInr5BRBcmW23K -hA6hm4vGdxYkieSTQrbOuu6EuusF3lCPUiEQtj8fuWfMDJNm+RyhNNtI6xgC1I2R -YmZqSbDVcUbQI12VTEqvy23/Hbt+IiKsACKeZE/zSl7vFvk7bTyauFaOF8DtwBPr -dE84TBetAgMBAAECggEAFl9qDzo3r4bLGhHje5s2E18w7F//dJpD434KXtMfzxXQ -KgJC+H60k0crJyKenEkUYN5OVi2zA5DzAoTHZd1qimPf9Gz/lvH6cY0uvekhpxho -M05Z7+8ptpvIZaslFd/zfaniWUI83e6uMzn4p3bD4Bfww8t7KGRwOb0QCkwUb+9C -E6MH4bjfFPSWTRlaOumtzKGXCnPqIxkQ/O0N4FX8O3F4jNIwkS4LP7lDJ9vKyi7o -ws/MtrA//LIuHZFE666x4IZRPe3zYJSpA3zFdLacZYNP9HGG1OKco43+UgpNRtOQ -6Oaib3URCNWSGJ9aWSXhJo6Ixlnt+b48M3QFwrD6wQKBgQDgM7L4z0UI7yhfJ/zA -DicGa8x4F4AawmKZQHvlJGQvEGvVf61UStNDlXfmp+kzid/LkajZacqWtcmDrTwH -3P6xMCDHR0snIt0lvOn3Ly+76ZvJ54o4vPQwNbNEFYo9aX/OhxMcnsN5D/rRHvDB -nOSfNFvCSGcOVH5Vhe2ezjhAmQKBgQC4/mo1CRgJcsxfzvmhTlUYTAH5yUdkWJED -cJJ22AW67IifOnr9YGfbYlIN/1wF9DlGFntMVXuCB4yUafaMpL+1LjOnQ1So5Z9x -jn5nm52hhttGCcP9zAbRt6Ew3sC3BPBouWP2RKnSI3L/+aJQf3e/RpNcv1y7UgYA -p3xbs7d4NQKBgEavRf+3qTY14G6Pttn+HEOj/OTn09Wb72YNtIH7xTIpZTX8ePMY -XB70osavrZA4KbyOgcN53QtC6POAzGpWPF40pEDvszv1e++H7eOmltARyLIRM7zL -pdkFNS2D9P+DoW3FnDrruwkSBqujq5f/FP00jrFkDkmwTdw8yzvEHGwRAoGAZnFc -1ynGCdVsn9G6Iz2BmgbdQTnZMxRomYMJWI6f/bdmoOZ9nTp5yN9VmTLD/vgTj2B7 -vvXHg2Yyzy0uvwusreR77jA2/aDK/tNt5GokjIJlgw99XVpSnGgX9zwjdDZj+1pO -pN25PQkscdwHqpQr99xZVo8SBxmRAWO+Vfnbq9ECgYB8/FdH2IyVHoAz7OPtYgQU -MVQCDfvBkHmG/csyDlWKqMiT1//vBucL8Wzk7eYiG/7mnPWNfuInIphkH/9D1CvL -j5p+06sKTMIIPzlX7DuW70CQ0LwaxjZmZuahz4BzcxXPYKs5+LsH/8wPPNK/TQNu -PxZAcJBKRUVyFoxERmoPUQ== +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9Qpajae9XBysL +EaUeVIKJMdCPYHHrfi7MKjWC28yU7WDq41xEy7vxXwNk+X0tQvpdmn86Gbwt8mLd +n4iTTjdRT2fZ5mcAxHKK/ShcEQy7cPvydgjD57ABJ/dCv4lR8whFdA1WNFyxX9me ++aDAa/0W88A0k1qfSp7tko3jcv7kTfT3jwm2Kp9BkXM7Ielc7tHE1+cpOFCZVArB 
+M+gRlqxNq1TE2Ff08TdAQsWeL35xfZJBekGQ0MticSXwQ7quf8yPBCW1IY4DcBfa +iGhHIy7SzolCF5c7O3ttTztaPgoBekHnHr7eIpKjDCBt48TdAI/xnbCHeRcfDNLi +euUJBJStAgMBAAECggEAD9RF7R0AcPL0h/8jJEpFMLGt6TqpId0dOjjoM4MBYA4K +kRq7A4tWs3VoP0XD+8kiT481x5I8yaBVjIZkpzgKKw7NIiMXHQVRNIwVQr4E++29 +5NA3ziAj+bTHWsR8+RGum2soF7xWvwRumyadv0+eN2aOU4IPjksbcnCo1WEvgxYC +kkohBye3I57ha/rgNw/GxuvUMOfjYpnwwxaH5f01BNCcGh8ml0fbyA5kGWo4gtdD +KMBD+juhfbxYLiPObIQjIeA1dtFTiCJ4zlWrcEzConef7bysadPrAYCllXc6Wu4a +xwQMb0RBIs8TIIbFNE1czdvMLTVVig5mMrrrLInxsQKBgQDkqQjJseGcqAMCLtXJ +utqd/u0+q+8Xu1yHOGSQUNfuqD0ylMPzhYpbJZOXhcxVtLZdLtWu0xCTf8h5wnpf +hw3VW039BZUZ76phN0vrAxkbgqSgX7cNOaharMH3EqtlRwz9aEgRbz4M/QXt5o4o +sBQslmhD0nMSm2M4f0zZ0IBaywKBgQDT45IdFZ/Vq6U/KL3ipAJ+T6o/ht9IsUGF +ylphkU3zSt986j7UGYn2cwJOTIZwjLb8R7m2Loss7IlihQe56rwl38y7caUA3j/Y +2XvshBufpd5y4KrqeR8Ti+LPDCChw09r/F8UJs/UN5svntjMatONXSxcx+I1HWoy +xsNIdZ2HZwKBgAwihFrf289Kg05cWfAowG1eGA0ZZsjlopVygrO99petygGjL3r+ +/Ua1Cc4ixaNOwdbUI3bxsJGDWIpNrdzf9/X4sHzbDPyhYXNjUd4Y/f4dwsrYCYjk +JHEbdfe8v+fSC3hvTlPOiYZ67xOfBrBWF9v9526h/oVgRbW728I7dHRdAoGAMQRv +U80h2bNImhDZxKl+biwNzX5s/wsKhmHmgLW1m7fRdbtW54g0809t1CE95KGY30nU +e4HO7oiVy7XMsMTN29EnMqG6szW2/Xpqga+aGFet21OAFpgIiWQOByneDq35HJkY +gbfs0kI+40hTDQ8Ve5l3Xsta2EDCxZZXrNaQp7cCgYADVeQ/uBun1plel0/8vS4h +FY2gAeKAH7XsNdi/CenZvUYY+Rv8CRKKLhdQwRMh/FhNWv43RExPZp3hEEVAwKZa +VjeCAZLO1tS+4oIGroNYW8t4TpVwS+tA6qcxa1AsRUi2Mz+TUaOuNgYZ5YfvNC+/ +Yp/rFriPY1So4RS6Vp5pLg== -----END PRIVATE KEY----- diff --git a/certs/readme.txt b/certs/readme.txt index 5cb35c330..3a5ccbc96 100644 --- a/certs/readme.txt +++ b/certs/readme.txt @@ -31,7 +31,7 @@ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ # Optional: client certificate (mutual TLS) openssl genrsa -out client.key 2048 -openssl req -new -key client.key -subj "/CN=dbclient" -out client.csr +openssl req -new -key client.key -subj "/CN=root" -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out client.crt -days 730 -sha256 
From 36fafd109d16464dd26bb394619eb8f491f027df Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 23:21:04 +0800 Subject: [PATCH 40/41] Update client certificate subject to root and add SSL mode check in test_pgconn --- README.rst | 2 +- tests/pq/test_pgconn.py | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index a50f756db..571a683e2 100644 --- a/README.rst +++ b/README.rst @@ -225,7 +225,7 @@ Steps to Run OpenGauss(SSL) with Python GaussDB Driver Testing (Assuming Docker # Optional: client certificate (for mutual TLS) openssl genrsa -out client.key 2048 - openssl req -new -key client.key -subj "/CN=dbclient" -out client.csr + openssl req -new -key client.key -subj "/CN=root" -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out client.crt -days 730 -sha256 diff --git a/tests/pq/test_pgconn.py b/tests/pq/test_pgconn.py index 52c7c9eb2..ed6f44e09 100644 --- a/tests/pq/test_pgconn.py +++ b/tests/pq/test_pgconn.py @@ -301,6 +301,12 @@ def test_used_password(pgconn, dsn, monkeypatch): "PGPASSWORD" in os.environ or [i for i in info if i.keyword == b"password"][0].val is not None ) + + kv = {i.keyword.decode(): (i.val.decode() if i.val else None) for i in info} + sslmode = (kv.get("sslmode") or "").lower() + if sslmode in ("require", "verify-ca", "verify-full"): + pytest.skip(f"Skipping password usage check under sslmode={sslmode}") + if has_password: assert pgconn.used_password From 386a84fd97ec49878a44c5ca7ffb6246c5c713b7 Mon Sep 17 00:00:00 2001 From: chenyunliang520 Date: Mon, 1 Sep 2025 23:36:26 +0800 Subject: [PATCH 41/41] Update GAUSSDB_TEST_DSN to include client certificate and key for SSL --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 571a683e2..18eca53bc 100644 --- a/README.rst +++ b/README.rst 
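Review bot: The new skip keys on `sslmode`, but what makes the password unused is certificate authentication rather than TLS: a `require` or `verify-ca` connection authenticated by `md5` still sends the password and `used_password` remains meaningful, so the check is now skipped for every TLS DSN. Testing for a client certificate matches the real condition more closely, e.g. `if kv.get("sslcert"): pytest.skip("password not used with client-certificate authentication")`, and moving it ahead of the `has_password` computation (whose start is outside the hunk) keeps the skip in front of work that is then discarded. `test_used_password` begins before the hunk and continues after it.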
@@ -361,7 +361,7 @@ Steps to Run OpenGauss(SSL) with Python GaussDB Driver Testing (Assuming Docker # Set the test DSN (Data Source Name) as an environment variable export GAUSSDB_TEST_DSN="dbname=test user=root password=Password@123 host=127.0.0.1 port=8889 sslmode=require" - export GAUSSDB_TEST_DSN="dbname=test user=root password=Password@123 host=127.0.0.1 port=8889 sslmode=verify-ca sslrootcert=/opengauss8889/certs/ca.crt" + export GAUSSDB_TEST_DSN="dbname=test user=root password=Password@123 host=127.0.0.1 port=8889 sslmode=verify-ca sslrootcert=/opengauss8889/certs/ca.crt sslcert=/opengauss8889/certs/client.crt sslkey=/opengauss8889/certs/client.key" # Run all tests using pytest, showing verbose output and test durations pytest --durations=0 -s -v