|
| 1 | +#!/bin/sh |
| 2 | + |
| 3 | +# TLS test setup script for CI |
| 4 | +# Generates certificates using tls-gen and configures RabbitMQ with TLS-enabled management API |
| 5 | + |
| 6 | +set -e |
| 7 | + |
| 8 | +CTL=${RUST_HTTP_API_CLIENT_RABBITMQCTL:="sudo rabbitmqctl"} |
| 9 | +PLUGINS=${RUST_HTTP_API_CLIENT_RABBITMQ_PLUGINS:="sudo rabbitmq-plugins"} |
| 10 | + |
| 11 | +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" |
| 12 | +REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" |
| 13 | +CERTS_DIR="${REPO_ROOT}/tests/tls/certs" |
| 14 | + |
| 15 | +# Docker container ID (passed via environment or extracted from CTL) |
| 16 | +CONTAINER_ID="" |
| 17 | + |
| 18 | +case $CTL in |
| 19 | + DOCKER*) |
| 20 | + CONTAINER_ID="${CTL##*:}" |
| 21 | + PLUGINS="docker exec ${CONTAINER_ID} rabbitmq-plugins" |
| 22 | + CTL="docker exec ${CONTAINER_ID} rabbitmqctl" |
| 23 | + ;; |
| 24 | +esac |
| 25 | + |
| 26 | +echo "Will use rabbitmqctl at ${CTL}" |
| 27 | +echo "Will use rabbitmq-plugins at ${PLUGINS}" |
| 28 | + |
| 29 | +# Create certs directory |
| 30 | +mkdir -p "${CERTS_DIR}" |
| 31 | + |
| 32 | +# Check if tls-gen is available |
| 33 | +TLSGEN_DIR="${TLSGEN_DIR:-}" |
| 34 | +if [ -z "$TLSGEN_DIR" ]; then |
| 35 | + echo "TLSGEN_DIR not set, cloning tls-gen..." |
| 36 | + TLSGEN_DIR="${REPO_ROOT}/target/tls-gen" |
| 37 | + if [ ! -d "$TLSGEN_DIR" ]; then |
| 38 | + git clone --depth 1 https://github.com/rabbitmq/tls-gen.git "$TLSGEN_DIR" |
| 39 | + fi |
| 40 | +fi |
| 41 | + |
| 42 | +echo "Using tls-gen at ${TLSGEN_DIR}" |
| 43 | + |
| 44 | +# Generate certificates using basic profile |
| 45 | +cd "${TLSGEN_DIR}/basic" |
| 46 | +make CN=localhost |
| 47 | +make alias-leaf-artifacts |
| 48 | + |
| 49 | +# Copy certificates to the test directory |
| 50 | +cp result/ca_certificate.pem "${CERTS_DIR}/" |
| 51 | +cp result/server_certificate.pem "${CERTS_DIR}/" |
| 52 | +cp result/server_key.pem "${CERTS_DIR}/" |
| 53 | +cp result/client_certificate.pem "${CERTS_DIR}/" |
| 54 | +cp result/client_key.pem "${CERTS_DIR}/" |
| 55 | + |
| 56 | +echo "Certificates generated and copied to ${CERTS_DIR}" |
| 57 | + |
| 58 | +# Create RabbitMQ configuration for TLS |
| 59 | +RABBITMQ_CONF="${CERTS_DIR}/rabbitmq.conf" |
| 60 | +cat > "${RABBITMQ_CONF}" << 'EOF' |
| 61 | +# Enable TLS on management plugin |
| 62 | +management.ssl.port = 15671 |
| 63 | +management.ssl.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem |
| 64 | +management.ssl.certfile = /etc/rabbitmq/certs/server_certificate.pem |
| 65 | +management.ssl.keyfile = /etc/rabbitmq/certs/server_key.pem |
| 66 | +
|
| 67 | +# Keep HTTP enabled for other tests |
| 68 | +management.tcp.port = 15672 |
| 69 | +EOF |
| 70 | + |
| 71 | +echo "RabbitMQ TLS configuration written to ${RABBITMQ_CONF}" |
| 72 | + |
| 73 | +# If using Docker, copy certificates and configuration to container |
| 74 | +if [ -n "$CONTAINER_ID" ]; then |
| 75 | + echo "Copying certificates to Docker container ${CONTAINER_ID}..." |
| 76 | + |
| 77 | + docker exec "${CONTAINER_ID}" mkdir -p /etc/rabbitmq/certs |
| 78 | + docker cp "${CERTS_DIR}/ca_certificate.pem" "${CONTAINER_ID}:/etc/rabbitmq/certs/" |
| 79 | + docker cp "${CERTS_DIR}/server_certificate.pem" "${CONTAINER_ID}:/etc/rabbitmq/certs/" |
| 80 | + docker cp "${CERTS_DIR}/server_key.pem" "${CONTAINER_ID}:/etc/rabbitmq/certs/" |
| 81 | + docker cp "${RABBITMQ_CONF}" "${CONTAINER_ID}:/etc/rabbitmq/conf.d/20-tls.conf" |
| 82 | + |
| 83 | + # Set proper permissions |
| 84 | + docker exec "${CONTAINER_ID}" chmod 644 /etc/rabbitmq/certs/*.pem |
| 85 | + docker exec "${CONTAINER_ID}" chmod 600 /etc/rabbitmq/certs/server_key.pem |
| 86 | + |
| 87 | + echo "Restarting RabbitMQ to apply TLS configuration..." |
| 88 | + docker exec "${CONTAINER_ID}" rabbitmqctl stop_app |
| 89 | + docker exec "${CONTAINER_ID}" rabbitmqctl start_app |
| 90 | + |
| 91 | + sleep 5 |
| 92 | + |
| 93 | + # Verify TLS listener is active |
| 94 | + echo "Verifying TLS listener..." |
| 95 | + docker exec "${CONTAINER_ID}" rabbitmq-diagnostics listeners | grep -E "15671|ssl" || echo "Warning: TLS listener may not be active" |
| 96 | +fi |
| 97 | + |
| 98 | +# Enable management plugin (should already be enabled in the management image) |
| 99 | +$PLUGINS enable rabbitmq_management |
| 100 | + |
| 101 | +sleep 3 |
| 102 | + |
| 103 | +# Configure vhosts and users (same as before_build.sh) |
| 104 | +$CTL add_vhost / |
| 105 | +$CTL add_user guest guest || true |
| 106 | +$CTL set_permissions -p / guest ".*" ".*" ".*" |
| 107 | + |
| 108 | +# Clean up test vhosts |
| 109 | +cd "${REPO_ROOT}" |
| 110 | +cargo -q run '--' vhosts delete_multiple --name-pattern "^rabbitmqadmin" --dry-run --table-style modern || true |
| 111 | +cargo -q run '--' --non-interactive vhosts delete_multiple --name-pattern "^rabbitmqadmin" || true |
| 112 | + |
| 113 | +$CTL add_vhost "rust/rabbitmqadmin" |
| 114 | +$CTL set_permissions -p "rust/rabbitmqadmin" guest ".*" ".*" ".*" |
| 115 | + |
| 116 | +# Set cluster name |
| 117 | +$CTL set_cluster_name rabbitmq@localhost |
| 118 | + |
| 119 | +$CTL enable_feature_flag all |
| 120 | + |
| 121 | +# Enable additional plugins |
| 122 | +$PLUGINS enable rabbitmq_shovel |
| 123 | +$PLUGINS enable rabbitmq_shovel_management |
| 124 | +$PLUGINS enable rabbitmq_federation |
| 125 | +$PLUGINS enable rabbitmq_federation_management |
| 126 | +$PLUGINS enable rabbitmq_stream |
| 127 | +$PLUGINS enable rabbitmq_stream_management |
| 128 | + |
| 129 | +# Export certificate paths for tests |
| 130 | +echo "" |
| 131 | +echo "=== TLS Test Environment ===" |
| 132 | +echo "CA Certificate: ${CERTS_DIR}/ca_certificate.pem" |
| 133 | +echo "Client Certificate: ${CERTS_DIR}/client_certificate.pem" |
| 134 | +echo "Client Key: ${CERTS_DIR}/client_key.pem" |
| 135 | +echo "TLS Endpoint: https://localhost:15671/api" |
| 136 | +echo "" |
| 137 | +echo "To run TLS tests:" |
| 138 | +echo " TLS_CERTS_DIR=${CERTS_DIR} cargo nextest run -E 'binary(tls_tests)' --run-ignored=only" |
| 139 | +echo "" |
| 140 | + |
| 141 | +true |
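Review bot: The `chmod 644 /etc/rabbitmq/certs/*.pem` at file line 84 does not do what it looks like: the glob is expanded by the host shell, where that path normally does not exist, so the literal `*.pem` is handed to chmod inside the container, which fails and under `set -e` aborts the script before the restart. Name the files instead: `docker exec "${CONTAINER_ID}" chmod 644 /etc/rabbitmq/certs/ca_certificate.pem /etc/rabbitmq/certs/server_certificate.pem`. The following `chmod 600` on `server_key.pem` is the right restriction for a private key, but `docker cp` typically leaves the copied files owned by root, so if the broker inside the container runs as an unprivileged account (`rabbitmq` in the official image) it can no longer open the key and the TLS listener silently fails to come up; a `docker exec "${CONTAINER_ID}" chown rabbitmq:rabbitmq /etc/rabbitmq/certs/server_key.pem` ahead of the chmod addresses that, assuming that is the service account in use. Such a failure is easy to miss because the listener check at file line 95 only prints a warning; ending it with `|| exit 1` would surface a broken TLS setup here rather than later in the tests.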