Add an option for TLS server certs (#2)

* Add an option for TLS server certs

Allow configuring the trust store used to verify connections to Redis.
This is useful when working with something like GCP Memorystore for
Redis ([1]), which will issue a self-signed cert for managed Redis
instances. With this option, I can use Terraform to create the managed
Redis instance, get the server cert that was generated, and render it
into the Caddy configuration file.

[1]: https://cloud.google.com/memorystore/docs/redis

* Review feedback:

- Accept TLS server certs as either PEM string or path to PEM certs
- Add Caddyfile support
- Typos in document
- Provide config example in README

Author: tgeoghegan

README.md

@@ -115,6 +115,59 @@ Connecting to Redis servers managed by Sentinal requires both the `failover` fla
 ```
 Failover mode also supports the `route_by_latency` and `route_randomly` cluster configuration parameters.
 
+### Enabling TLS
+
+TLS is disabled by default, and if enabled, accepts any server certificate by default. If TLS is and certificate verification are enabled as in the following example, then the system trust store will be used to validate the server certificate.
+```
+{
+    storage redis {
+        host 127.0.0.01
+        port 6379
+        tls_enabled true
+        tls_insecure false
+    }
+}
+```
+You can also use the `tls_server_certs_pem` option to provide one or more PEM encoded certificates to trust:
+```
+{
+    storage redis {
+        host 127.0.0.01
+        port 6379
+        tls_enabled true
+        tls_insecure false
+        tls_server_certs_pem <<CERTIFICATES
+        -----BEGIN CERTIFICATE-----
+        MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkMzZk
+        MWE2MjgtNGZjNi00ZTRkLWJiNDMtZDhlMGNhN2I1OTRiMTEwLwYDVQQDEyhHb29n
+        bGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtH
+        b29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjMxMjE1MjM0MDMyWhcNMzMxMjEy
+        MjM0MTMyWjCBhTEtMCsGA1UELhMkMzZkMWE2MjgtNGZjNi00ZTRkLWJiNDMtZDhl
+        MGNhN2I1OTRiMTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVk
+        aXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMw
+        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCF54WBXJ8kTAj7e843XriG
+        oXntUoQBP+TdmzBdgW/t9xqi9di7I6zbyl86x+aOENU8xgHQZQxQ/uE0cnJeaMuH
+        H7smyiSn77IP+JL3icDk8a8QIJxYmv3ze47a5ZbfJ4VPXYk0Kh/1HXMDMguS2e+a
+        PdjhCVZSB1rwgaH6nAIjmoJxdKSiNolm4xeuZPXwzvsuZZXhc+HIOiZMhckxnZfD
+        tZsSYZhg0TgswG1DWP+Nq79Z8SSb+uXHPdOEI2w1YKpcZyh5WuGcarMswRh8E3Kf
+        UC+9JLot5NBZ+oAKqcQ7R55Wxd+8CI0paPqaccbJgXMIA2pSEhiqNMEYSA/9QtV3
+        AgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEB
+        ABO7LLHzvGkz/IMAEkEyJlQAOrKZD5qC4jTuICQqm9xV17Ql2SLEdKZzAFrEDLJR
+        by0dWrPconQG7XqLgb22RceBVKzEGsmObI7LZQLo69MUYI4TcRDgAXeng34yUBRo
+        njv+WFAQWNUym4WhUeRceyyOWmzhlC0/zOJPufmVBk6QNmjTfXG2ISCeZhFM0rEb
+        C8amwlD9V3EXFjTAEoYs+9Uv1iYDjlMtMrygrrCFTe61Kcgtzp1jsIjfYmTCyt5S
+        WVCmGu+wdiPFL9/N0peb5/ORGrdEg4n+a+gCHV9LGVfUcFCyfR42+4FunKwE/OMl
+        PaAxpc/KB4nwPitpbsWL8Nw=
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        <another certificate here>
+        -----END CERTIFICATE-----
+        CERTIFICATES
+    }
+}
+```
+If you prefer not to put certificates in your Caddyfile, you can also put the series of PEM certificates into a file and use `tls_server_certs_path` to point Caddy at it.
+
 ## Maintenance
 
 This module has been architected to maintain a hierarchical index of storage items using Redis Sorted Sets to optimize directory listing operations typically used by Caddy.  It is possible for this index structure to become corrupted in the event of an unexpected system crash or loss of power.  If you suspect your Caddy storage has been corrupted, it is possible to repair this index structure from the command line by issuing the following command:
@@ -123,4 +176,4 @@ This module has been architected to maintain a hierarchical index of storage ite
 caddy redis repair --config /path/to/Caddyfile
 ```
 
-Note that the config parameter is optional (but recommended); if not specified Caddy look for a configuration file named "Caddyfile" in the current working directory.
+Note that the config parameter is optional (but recommended); if not specified Caddy look for a configuration file named "Caddyfile" in the current working directory.

caddyfile.go

@@ -164,6 +164,14 @@ func (rs *RedisStorage) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 					return d.Errf("invalid boolean value for 'tls_insecure': %s", configVal[0])
 				}
 				rs.TlsInsecure = tlsInsecureParse
+			case "tls_server_certs_pem":
+				if configVal[0] != "" {
+					rs.TlsServerCertsPEM = configVal[0]
+				}
+			case "tls_server_certs_path":
+				if configVal[0] != "" {
+					rs.TlsServerCertsPath = configVal[0]
+				}
 			case "route_by_latency":
 				routeByLatency, err := strconv.ParseBool(configVal[0])
 				if err != nil {

storage.go

@@ -3,10 +3,12 @@ package storageredis
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/fs"
+	"os"
 	"path"
 	"strconv"
 	"strings"
@@ -63,22 +65,41 @@ const (
 // RedisStorage implements Redis storage plugin functionality for Caddy.
 // It supports connecting to standalone, Cluster, or Sentinal (Failover) Redis servers.
 type RedisStorage struct {
-	ClientType     string   `json:"client_type"`
-	Address        []string `json:"address"`
-	Host           []string `json:"host"`
-	Port           []string `json:"port"`
-	DB             int      `json:"db"`
-	Timeout        string   `json:"timeout"`
-	Username       string   `json:"username"`
-	Password       string   `json:"password"`
-	MasterName     string   `json:"master_name"`
-	KeyPrefix      string   `json:"key_prefix"`
-	EncryptionKey  string   `json:"encryption_key"`
-	Compression    bool     `json:"compression"`
-	TlsEnabled     bool     `json:"tls_enabled"`
-	TlsInsecure    bool     `json:"tls_insecure"`
-	RouteByLatency bool     `json:"route_by_latency"`
-	RouteRandomly  bool     `json:"route_randomly"`
+	ClientType    string   `json:"client_type"`
+	Address       []string `json:"address"`
+	Host          []string `json:"host"`
+	Port          []string `json:"port"`
+	DB            int      `json:"db"`
+	Timeout       string   `json:"timeout"`
+	Username      string   `json:"username"`
+	Password      string   `json:"password"`
+	MasterName    string   `json:"master_name"`
+	KeyPrefix     string   `json:"key_prefix"`
+	EncryptionKey string   `json:"encryption_key"`
+	Compression   bool     `json:"compression"`
+	// TlsEnabled controls whether TLS will be used to connect to the Redis
+	// server. False by default.
+	TlsEnabled bool `json:"tls_enabled"`
+	// TlsInsecure controls whether the client will verify the server
+	// certificate. See `InsecureSkipVerify` in `tls.Config` for details. True
+	// by default.
+	// https://pkg.go.dev/crypto/tls#Config
+	TlsInsecure bool `json:"tls_insecure"`
+	// TlsServerCertsPEM is a series of PEM encoded certificates that will be
+	// used by the client to validate trust in the Redis server's certificate
+	// instead of the system trust store. May not be specified alongside
+	// `TlsServerCertsPath`. See `x509.CertPool.AppendCertsFromPem` for details.
+	// https://pkg.go.dev/crypto/x509#CertPool.AppendCertsFromPEM
+	TlsServerCertsPEM string `json:"tls_server_certs_pem"`
+	// TlsServerCertsPath is the path to a file containing a series of PEM
+	// encoded certificates that will be used by the client to validate trust in
+	// the Redis server's certificate instead of the system trust store. May not
+	// be specified alongside `TlsServerCertsPem`. See
+	// `x509.CertPool.AppendCertsFromPem` for details.
+	// https://pkg.go.dev/crypto/x509#CertPool.AppendCertsFromPEM
+	TlsServerCertsPath string `json:"tls_server_certs_path"`
+	RouteByLatency     bool   `json:"route_by_latency"`
+	RouteRandomly      bool   `json:"route_randomly"`
 
 	client redis.UniversalClient
 	locker *redislock.Client
@@ -142,6 +163,29 @@ func (rs *RedisStorage) initRedisClient(ctx context.Context) error {
 		clientOpts.TLSConfig = &tls.Config{
 			InsecureSkipVerify: rs.TlsInsecure,
 		}
+
+		if len(rs.TlsServerCertsPEM) > 0 && len(rs.TlsServerCertsPath) > 0 {
+			return fmt.Errorf("Cannot specify TlsServerCertsPEM alongside TlsServerCertsPath")
+		}
+
+		if len(rs.TlsServerCertsPEM) > 0 || len(rs.TlsServerCertsPath) > 0 {
+			certPool := x509.NewCertPool()
+			pem := []byte(rs.TlsServerCertsPEM)
+
+			if len(rs.TlsServerCertsPath) > 0 {
+				var err error
+				pem, err = os.ReadFile(rs.TlsServerCertsPath)
+				if err != nil {
+					return fmt.Errorf("Failed to load PEM server certs from file %s: %v", rs.TlsServerCertsPath, err)
+				}
+			}
+
+			if !certPool.AppendCertsFromPEM(pem) {
+				return fmt.Errorf("Failed to load PEM server certs")
+			}
+
+			clientOpts.TLSConfig.RootCAs = certPool
+		}
 	}
 
 	// Create appropriate Redis client type