gfapi: Move the SECURE_ACCESS_FILE check out of glfs_mgmt_init

glfs_mgmt_init is only called for glfs_set_volfile_server, but
secure_mgmt is also required to use glfs_set_volfile with SSL.

fixes: #829
Change-Id: Ibc769fe634d805e085232f85ce6e1c48bf4acc66

api/src/glfs-mgmt.c

@@ -1013,11 +1013,6 @@ glfs_mgmt_init(struct glfs *fs)
     if (ret)
         goto out;
 
-    if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
-        ctx->secure_mgmt = 1;
-        ctx->ssl_cert_depth = glusterfs_read_secure_access_file();
-    }
-
     rpc = rpc_clnt_new(options, THIS, THIS->name, 8);
     if (!rpc) {
         ret = -1;

api/src/glfs.c

@@ -251,6 +251,11 @@ glfs_volumes_init(struct glfs *fs)
     if (!vol_assigned(cmd_args))
         return -1;
 
+    if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
+        fs->ctx->secure_mgmt = 1;
+        fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file();
+    }
+
     if (cmd_args->volfile_server) {
         ret = glfs_mgmt_init(fs);
         goto out;

tests/basic/gfapi/gfapi-ssl-load-volfile-test.c

@@ -0,0 +1,127 @@
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+#include <limits.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <glusterfs/api/glfs.h>
+#include <glusterfs/api/glfs-handles.h>
+
+#define LOG_ERR(msg)                                                           \
+    do {                                                                       \
+        fprintf(stderr, "%s : Error (%s)\n", msg, strerror(errno));            \
+    } while (0)
+
+glfs_t *
+init_glfs(const char *hostname, const char *volname, const char *volfile,
+          const char *logfile)
+{
+    int ret = -1;
+    glfs_t *fs = NULL;
+
+    fs = glfs_new(volname);
+    if (!fs) {
+        LOG_ERR("glfs_new failed");
+        return NULL;
+    }
+
+    ret = glfs_set_volfile(fs, volfile);
+    if (ret < 0) {
+        LOG_ERR("glfs_set_volfile failed");
+        goto out;
+    }
+
+    ret = glfs_set_logging(fs, logfile, 7);
+    if (ret < 0) {
+        LOG_ERR("glfs_set_logging failed");
+        goto out;
+    }
+
+    ret = glfs_init(fs);
+    if (ret < 0) {
+        LOG_ERR("glfs_init failed");
+        goto out;
+    }
+
+    ret = 0;
+out:
+    if (ret) {
+        glfs_fini(fs);
+        fs = NULL;
+    }
+
+    return fs;
+}
+
+int
+glfs_test_function(const char *hostname, const char *volname,
+                   const char *volfile, const char *logfile)
+{
+    int ret = -1;
+    int flags = O_CREAT | O_RDWR;
+    glfs_t *fs = NULL;
+    glfs_fd_t *glfd = NULL;
+    const char *buff = "This is from my prog\n";
+    const char *filename = "glfs_test.txt";
+
+    fs = init_glfs(hostname, volname, volfile, logfile);
+    if (fs == NULL) {
+        LOG_ERR("init_glfs failed");
+        return -1;
+    }
+
+    glfd = glfs_creat(fs, filename, flags, 0644);
+    if (glfd == NULL) {
+        LOG_ERR("glfs_creat failed");
+        goto out;
+    }
+
+    ret = glfs_write(glfd, buff, strlen(buff), flags);
+    if (ret < 0) {
+        LOG_ERR("glfs_write failed");
+        goto out;
+    }
+
+    ret = glfs_close(glfd);
+    if (ret < 0) {
+        LOG_ERR("glfs_write failed");
+        goto out;
+    }
+
+out:
+    ret = glfs_fini(fs);
+    if (ret) {
+        LOG_ERR("glfs_fini failed");
+    }
+
+    return ret;
+}
+
+int
+main(int argc, char *argv[])
+{
+    int ret = 0;
+    char *hostname = NULL;
+    char *volname = NULL;
+    char *volfile = NULL;
+    char *logfile = NULL;
+
+    if (argc != 5) {
+        fprintf(stderr, "Invalid argument\n");
+        exit(1);
+    }
+
+    hostname = argv[1];
+    volname = argv[2];
+    volfile = argv[3];
+    logfile = argv[4];
+
+    ret = glfs_test_function(hostname, volname, volfile, logfile);
+    if (ret) {
+        LOG_ERR("glfs_test_function failed");
+    }
+
+    return ret;
+}

tests/basic/gfapi/gfapi-ssl-load-volfile-test.t

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+. $(dirname $0)/../../traps.rc
+. $(dirname $0)/../../ssl.rc
+
+cleanup;
+
+sed -e "s,@@HOSTNAME@@,${H0},g" -e "s,@@BRICKPATH@@,${B0}/brick1,g" \
+            -e "s,@@SSL@@,off,g" \
+            $(dirname ${0})/protocol-client-ssl.vol.in \
+            > $(dirname ${0})/protocol-client-ssl.vol
+
+TEST create_self_signed_certs
+
+TEST glusterd
+
+TEST $CLI volume create $V0 $H0:$B0/brick1;
+EXPECT 'Created' volinfo_field $V0 'Status';
+
+TEST $CLI volume start $V0;
+EXPECT 'Started' volinfo_field $V0 'Status';
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+logdir=`gluster --print-logdir`
+
+TEST build_tester $(dirname $0)/gfapi-ssl-load-volfile-test.c -lgfapi
+
+# Run test without I/O or management encryption
+TEST $(dirname $0)/gfapi-ssl-load-volfile-test $H0 $V0 \
+        $(dirname ${0})/protocol-client-ssl.vol \
+        $logdir/gfapi-ssl-load-volfile-test.log
+
+# Enable management encryption
+touch $GLUSTERD_WORKDIR/secure-access
+
+killall_gluster
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test with management encryption (No I/O encryption)
+TEST $(dirname $0)/gfapi-ssl-load-volfile-test $H0 $V0 \
+        $(dirname ${0})/protocol-client-ssl.vol \
+        $logdir/gfapi-ssl-load-volfile-test.log
+
+# Enable I/O encryption
+TEST $CLI volume set $V0 server.ssl on
+
+killall_gluster
+
+sed -e "s,@@HOSTNAME@@,${H0},g" -e "s,@@BRICKPATH@@,${B0}/brick1,g" \
+            -e "s,@@SSL@@,on,g" \
+            $(dirname ${0})/protocol-client-ssl.vol.in \
+            > $(dirname ${0})/protocol-client-ssl.vol
+
+TEST glusterd
+EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
+
+# Run test without I/O or management encryption
+TEST $(dirname $0)/gfapi-ssl-load-volfile-test $H0 $V0 \
+        $(dirname ${0})/protocol-client-ssl.vol \
+        $logdir/gfapi-ssl-load-volfile-test.log
+
+cleanup_tester $(dirname $0)/gfapi-ssl-load-volfile-test
+
+TEST $CLI volume stop $V0
+TEST $CLI volume delete $V0
+
+cleanup;
+
+# NetBSD build scripts are not up to date therefore this test
+# is failing in NetBSD. Therefore skipping the test in NetBSD
+# as of now.
+#G_TESTDEF_TEST_STATUS_NETBSD7=KNOWN_ISSUE,BUG=000000

tests/basic/gfapi/protocol-client-ssl.vol.in

@@ -0,0 +1,15 @@
+#
+# This .vol file expects that there is
+#
+#  1. GlusterD listening on @@HOSTNAME@@
+#  2. a volume that provides a brick on @@BRICKPATH@@
+#  3. the volume with the brick has been started
+#
+volume test
+    type protocol/client
+    option remote-host @@HOSTNAME@@
+    option remote-subvolume @@BRICKPATH@@
+    option transport-type socket
+    option transport.socket.ssl-enabled @@SSL@@
+end-volume
+