Allow tls.Config to be passed as a session option (#53)

Tim Middleton · web-flow · commit ba5515ad383f · 2023-08-21T13:14:25.000+08:00
* Allow tls.Config to be passed as a session option
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -114,6 +114,15 @@ jobs:
           COHERENCE_TLS_CLIENT_KEY_OPTION=`pwd`/test/utils/certs/star-lord.key \
           COHERENCE_VERSION=22.06.5 PROFILES=,secure,-jakarta,javax,scope make clean certs generate-proto build-test-images test-e2e-standalone-scope
 
+    - name: E2E Local Tests SSL (tlsConfig)
+      shell: bash
+      run: |
+        SECURE=tlsConfig COHERENCE_IGNORE_INVALID_CERTS_OPTION=true \
+          COHERENCE_TLS_CERTS_PATH_OPTION=`pwd`/test/utils/certs/guardians-ca.crt \
+          COHERENCE_TLS_CLIENT_CERT_OPTION=`pwd`/test/utils/certs/star-lord.crt \
+          COHERENCE_TLS_CLIENT_KEY_OPTION=`pwd`/test/utils/certs/star-lord.key \
+          COHERENCE_VERSION=22.06.5 PROFILES=,secure,-jakarta,javax,scope make clean certs generate-proto build-test-images test-e2e-standalone-scope
+
     - uses: actions/upload-artifact@v3
       if: failure()
       with:
diff --git a/coherence/session.go b/coherence/session.go
@@ -35,6 +35,7 @@ const (
 	defaultRequestTimeout    = "30000" // millis
 	defaultDisconnectTimeout = "30000" // millis
 	defaultReadyTimeout      = "0"     // millis
+	insecureWarning          = "WARNING: you have turned off SSL certificate validation. This is insecure and not recommended."
 )
 
 // Session provides APIs to create NamedCaches. The [NewSession] method creates a
@@ -69,6 +70,7 @@ type SessionOptions struct {
 	RequestTimeout     time.Duration
 	DisconnectTimeout  time.Duration
 	ReadyTimeout       time.Duration
+	TlSConfig          *tls.Config
 }
 
 // NewSession creates a new Session with the specified sessionOptions.
@@ -96,7 +98,14 @@ type SessionOptions struct {
 //
 // To Configure SSL, you must first enable SSL on the gRPC Proxy, see [gRPC Proxy Server] for details.
 //
-// You can use the following to set the required TLS options when creating a session:
+// There are a number of ways to set the TLS options when creating a session.
+// You can use [WithTLSConfig] to specify a custom tls.Config or specify the client certificate, key and trust
+// certificate using additional session options or using environment variables. See below for more details.
+//
+//	myTlSConfig = &tls.Config{....}
+//	session, err := coherence.NewSession(ctx, coherence.WithTLSConfig(myTLSConfig))
+//
+// You can also use the following to set the required TLS options when creating a session:
 //
 //	session, err := coherence.NewSession(ctx, coherence.WithTLSClientCert("/path/to/client/certificate"),
 //	                                          coherence.WithTLSClientKey("/path/path/to/client/key"),
@@ -278,6 +287,14 @@ func WithReadyTimeout(timeout time.Duration) func(sessionOptions *SessionOptions
 	}
 }
 
+// WithTLSConfig returns a function to set the tls.Config directly. This is typically used
+// when you require fine-grained control over these options.
+func WithTLSConfig(tlsConfig *tls.Config) func(sessionOptions *SessionOptions) {
+	return func(s *SessionOptions) {
+		s.TlSConfig = tlsConfig
+	}
+}
+
 // ID returns the identifier of a session.
 func (s *Session) ID() string {
 	return s.sessionID.String()
@@ -596,6 +613,14 @@ func (s *SessionOptions) createTLSOption() (grpc.DialOption, error) {
 		return grpc.WithTransportCredentials(insecure.NewCredentials()), nil
 	}
 
+	// check if a tls.Config has been set and use this, otherwise continue to check for env and other options
+	if s.TlSConfig != nil {
+		if s.TlSConfig.InsecureSkipVerify {
+			log.Println(insecureWarning)
+		}
+		return grpc.WithTransportCredentials(credentials.NewTLS(s.TlSConfig)), nil
+	}
+
 	var (
 		err          error
 		cp           *x509.CertPool
@@ -612,7 +637,7 @@ func (s *SessionOptions) createTLSOption() (grpc.DialOption, error) {
 
 	ignoreInvalidCerts := ignoreInvalidCertsEnv == "true"
 	if ignoreInvalidCerts {
-		log.Println("WARNING: you have turned off SSL certificate validation. This is insecure and not recommended.")
+		log.Println(insecureWarning)
 	}
 	s.IgnoreInvalidCerts = ignoreInvalidCerts
 
@@ -695,8 +720,12 @@ func (s *SessionOptions) String() string {
 		s.Address, s.PlainText, s.Scope, s.Format, s.RequestTimeout, s.DisconnectTimeout, s.ReadyTimeout))
 
 	if !s.PlainText {
-		sb.WriteString(fmt.Sprintf(" clientCertPath=%v, clientKeyPath=%v, caCertPath=%v, igoreInvalidCerts=%v",
-			s.ClientCertPath, s.ClientKeyPath, s.CaCertPath, s.IgnoreInvalidCerts))
+		if s.TlSConfig == nil {
+			sb.WriteString(fmt.Sprintf(" clientCertPath=%v, clientKeyPath=%v, caCertPath=%v, igoreInvalidCerts=%v",
+				s.ClientCertPath, s.ClientKeyPath, s.CaCertPath, s.IgnoreInvalidCerts))
+		} else {
+			sb.WriteString("tls.Config specified")
+		}
 	}
 
 	return sb.String()
diff --git a/scripts/run-compat-ce.sh b/scripts/run-compat-ce.sh
@@ -33,6 +33,14 @@ SECURE=options COHERENCE_IGNORE_INVALID_CERTS_OPTION=true \
   COHERENCE_TLS_CLIENT_KEY_OPTION=`pwd`/test/utils/certs/star-lord.key \
   COHERENCE_VERSION=22.06.5 PROFILES=,secure make clean certs generate-proto build-test-images test-e2e-standalone
 
+echo "Coherence CE 22.06.5 with SSL using tlsConfig"
+# suite_test.go takes the below env vars and then creates a tls.Config and passes to  the WithTLSConfig
+SECURE=tlsConfig COHERENCE_IGNORE_INVALID_CERTS_OPTION=true \
+  COHERENCE_TLS_CERTS_PATH_OPTION=`pwd`/test/utils/certs/guardians-ca.crt \
+  COHERENCE_TLS_CLIENT_CERT_OPTION=`pwd`/test/utils/certs/star-lord.crt \
+  COHERENCE_TLS_CLIENT_KEY_OPTION=`pwd`/test/utils/certs/star-lord.key \
+  COHERENCE_VERSION=22.06.5 PROFILES=,secure make clean certs generate-proto build-test-images test-e2e-standalone
+
 echo "Coherence CE 23.03.1"
 COHERENCE_BASE_IMAGE=gcr.io/distroless/java17 PROFILES=,jakarta,-javax COHERENCE_VERSION=23.03.1 make clean generate-proto build-test-images test-e2e-standalone
 
diff --git a/test/utils/utils.go b/test/utils/utils.go
@@ -10,6 +10,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"github.com/onsi/gomega"
@@ -50,7 +51,7 @@ var (
 )
 
 const (
-	// the following env options are used to set the SSL mode via coherence.With* options rather
+	// the following env options are used to set the SSL mode via coherence.With* options or tlsCOnfig rather
 	// than environment variables
 	envTLSCertPath        = "COHERENCE_TLS_CERTS_PATH_OPTION"
 	envTLSClientCert      = "COHERENCE_TLS_CLIENT_CERT_OPTION"
@@ -361,12 +362,80 @@ func GetSession(options ...func(session *coherence.SessionOptions)) (*coherence.
 				sessionOptions = append(sessionOptions, coherence.WithIgnoreInvalidCerts())
 			}
 			log.Println(sessionOptions)
+		} else if testContext.SecureMode == "tlsConfig" {
+			// read the environment variables as above and create the TLS options
+			config, err := createTLSOptions(os.Getenv(envTLSClientCert), os.Getenv(envTLSClientKey), os.Getenv(envTLSCertPath),
+				os.Getenv(envIgnoreInvalidCerts) == "true")
+			if err != nil {
+				return nil, err
+			}
+			sessionOptions = append(sessionOptions, coherence.WithTLSConfig(config))
 		}
 	}
 
 	return coherence.NewSession(ctx, sessionOptions...)
 }
 
+// createTLSOptions creates tls.Config for testing.
+func createTLSOptions(clientCertPath, clientKeyPath, certsPath string, ignoreInvalidCerts bool) (*tls.Config, error) {
+	var (
+		cp           *x509.CertPool
+		certData     []byte
+		certificates = make([]tls.Certificate, 0)
+		err          error
+	)
+	log.Println("creating tls.Config")
+	if certsPath != "" {
+		cp = x509.NewCertPool()
+
+		if err = validateFilePath(certsPath); err != nil {
+			return nil, err
+		}
+
+		certData, err = os.ReadFile(certsPath)
+		if err != nil {
+			return nil, err
+		}
+
+		if !cp.AppendCertsFromPEM(certData) {
+			return nil, errors.New("credentials: failed to append certificates")
+		}
+	}
+
+	if clientCertPath != "" && clientKeyPath != "" {
+		log.Println("loading client certificate and key, cert=", clientCertPath, "key=", clientKeyPath)
+		if err = validateFilePath(clientCertPath); err != nil {
+			return nil, err
+		}
+		if err = validateFilePath(clientKeyPath); err != nil {
+			return nil, err
+		}
+		var clientCert tls.Certificate
+		clientCert, err = tls.LoadX509KeyPair(clientCertPath, clientKeyPath)
+		if err != nil {
+			return nil, err
+		}
+		certificates = []tls.Certificate{clientCert}
+	}
+
+	config := &tls.Config{
+		InsecureSkipVerify: ignoreInvalidCerts, //nolint
+		RootCAs:            cp,
+		Certificates:       certificates,
+	}
+
+	return config, nil
+}
+
+// validateFilePath checks to see if a file path is valid.
+func validateFilePath(file string) error {
+	if _, err := os.Stat(file); err == nil {
+		return nil
+	}
+
+	return fmt.Errorf("%s is not a valid file", file)
+}
+
 func GetNamedMapWithScope[K comparable, V any](g *gomega.WithT, session *coherence.Session, cacheName, _ string) coherence.NamedMap[K, V] {
 	namedCache, err := coherence.GetNamedMap[K, V](session, cacheName)
 	g.Expect(err).ShouldNot(gomega.HaveOccurred())
