From 70d92c2d5ee06c221fdaa3c1df44e03530322b8b Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:10:39 +0100 Subject: [PATCH 1/9] Add TLS to gRPC --- cmd/rove-server/internal/server.go | 20 +++++++++++++++++++- cmd/rove-server/internal/server_test.go | 3 +++ docker-compose-test.yml | 1 + 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/cmd/rove-server/internal/server.go b/cmd/rove-server/internal/server.go index e32f64a..4969687 100644 --- a/cmd/rove-server/internal/server.go +++ b/cmd/rove-server/internal/server.go @@ -4,6 +4,8 @@ import ( "fmt" "log" "net" + "os" + "path" "sync" "github.com/mdiluz/rove/pkg/persistence" @@ -11,9 +13,12 @@ import ( "github.com/mdiluz/rove/proto/roveapi" "github.com/robfig/cron" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" "google.golang.org/grpc/reflection" ) +var cert = os.Getenv("CERT_NAME") + const ( // PersistentData will allow the server to load and save it's state PersistentData = iota @@ -104,7 +109,20 @@ func (s *Server) Initialise(fillWorld bool) (err error) { if err != nil { log.Fatalf("failed to listen: %v", err) } - s.grpcServ = grpc.NewServer() + + // Load TLS + var opts []grpc.ServerOption + if len(os.Getenv("NO_TLS")) == 0 { + pem := path.Join("/etc/letsencrypt/live/", cert, "cert.pem") + key := path.Join("/etc/letsencrypt/live/", cert, "privkey.pem") + creds, err := credentials.NewServerTLSFromFile(pem, key) + if err != nil { + log.Fatalf("failed to setup TLS: %v", err) + } + opts = append(opts, grpc.Creds(creds)) + } + + s.grpcServ = grpc.NewServer(opts...) roveapi.RegisterRoveServer(s.grpcServ, s) reflection.Register(s.grpcServ) diff --git a/cmd/rove-server/internal/server_test.go b/cmd/rove-server/internal/server_test.go index 36db679..40d4b80 100644 --- a/cmd/rove-server/internal/server_test.go +++ b/cmd/rove-server/internal/server_test.go @@ -1,6 +1,7 @@ package internal import ( + "os" "testing" ) @@ -30,6 +31,7 @@ func TestNewServer_OptionPersistentData(t *testing.T) { } func TestServer_Run(t *testing.T) { + os.Setenv("NO_TLS", "1") server := NewServer() if server == nil { t.Error("Failed to create server") @@ -45,6 +47,7 @@ func TestServer_Run(t *testing.T) { } func TestServer_RunPersistentData(t *testing.T) { + os.Setenv("NO_TLS", "1") server := NewServer(OptionPersistentData()) if server == nil { t.Error("Failed to create server") diff --git a/docker-compose-test.yml b/docker-compose-test.yml index 64a71a8..aec8cee 100644 --- a/docker-compose-test.yml +++ b/docker-compose-test.yml @@ -13,6 +13,7 @@ services: - DATA_PATH=/tmp/ - WORDS_FILE=data/words_alpha.txt - TICK_RATE=10 + - NO_TLS=1 command: [ "./rove-server"] rove-tests: From ac3844fe7af5da3fb1d685ed8cd081d1fc141c88 Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:26:36 +0100 Subject: [PATCH 2/9] Mount letsencrypt in the docker to read the certs --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index f84d876..05dd68f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,6 +18,7 @@ services: - TICK_RATE=3 volumes: - persistent-data:/mnt/rove-server:rw + - /etc/letsencrypt/:/etc/letsencrypt/ command: [ "./rove-server"] From 4821a901434ef4072afe62c728083b20dc31abcf Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:29:58 +0100 Subject: [PATCH 3/9] Pass the cert name into the docker deployment --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index 05dd68f..d5606f7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,6 +16,7 @@ services: - DATA_PATH=/mnt/rove-server - WORDS_FILE=data/words_alpha.txt - TICK_RATE=3 + - CERT_NAME=${CERT_NAME} volumes: - persistent-data:/mnt/rove-server:rw - /etc/letsencrypt/:/etc/letsencrypt/ From 9b03ffb7f1a0cf4cb41d7f40fd4917dd86483971 Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:30:09 +0100 Subject: [PATCH 4/9] Add skip verify on the client for now --- cmd/rove/main.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/cmd/rove/main.go b/cmd/rove/main.go index 9fc853a..99a1f77 100644 --- a/cmd/rove/main.go +++ b/cmd/rove/main.go @@ -1,6 +1,7 @@ package main import ( + "crypto/tls" "encoding/json" "fmt" "io/ioutil" @@ -16,6 +17,7 @@ import ( "github.com/mdiluz/rove/proto/roveapi" "golang.org/x/net/context" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" ) var home = os.Getenv("HOME") @@ -185,8 +187,12 @@ func InnerMain(command string, args ...string) error { return fmt.Errorf("no host set in %s, set one with '%s config {HOST}'", ConfigPath(), os.Args[0]) } + tls := &tls.Config{ + InsecureSkipVerify: true, + } + // Set up the server - clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), grpc.WithInsecure()) + clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), grpc.WithTransportCredentials(credentials.NewTLS(tls))) if err != nil { return err } From 71a0ef9920ac06845013d03ef24e6ceae3c3563f Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:36:34 +0100 Subject: [PATCH 5/9] Use the fullchain.pem not the cert.pem as explained by letsencrypt --- cmd/rove-server/internal/server.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/rove-server/internal/server.go b/cmd/rove-server/internal/server.go index 4969687..e2b7e16 100644 --- a/cmd/rove-server/internal/server.go +++ b/cmd/rove-server/internal/server.go @@ -113,7 +113,7 @@ func (s *Server) Initialise(fillWorld bool) (err error) { // Load TLS var opts []grpc.ServerOption if len(os.Getenv("NO_TLS")) == 0 { - pem := path.Join("/etc/letsencrypt/live/", cert, "cert.pem") + pem := path.Join("/etc/letsencrypt/live/", cert, "fullchain.pem") key := path.Join("/etc/letsencrypt/live/", cert, "privkey.pem") creds, err := credentials.NewServerTLSFromFile(pem, key) if err != nil { From cf1dff2814586b04855230735552e81d3e0727f9 Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:41:52 +0100 Subject: [PATCH 6/9] Make sure the client verifies the TLS --- cmd/rove/main.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cmd/rove/main.go b/cmd/rove/main.go index 99a1f77..4ea6a45 100644 --- a/cmd/rove/main.go +++ b/cmd/rove/main.go @@ -187,9 +187,7 @@ func InnerMain(command string, args ...string) error { return fmt.Errorf("no host set in %s, set one with '%s config {HOST}'", ConfigPath(), os.Args[0]) } - tls := &tls.Config{ - InsecureSkipVerify: true, - } + tls := &tls.Config{} // Set up the server clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), grpc.WithTransportCredentials(credentials.NewTLS(tls))) From 4f2a7edeb1828bdbd6ac8aed00d214b640022cca Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:42:23 +0100 Subject: [PATCH 7/9] Skip local tests, removing duplicate test runs --- Makefile | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Makefile b/Makefile index be0edcb..3aedd83 100644 --- a/Makefile +++ b/Makefile @@ -18,10 +18,7 @@ gen: protoc --proto_path proto --go_out=plugins=grpc,paths=source_relative:proto/ proto/roveapi/roveapi.proto test: - @echo Unit tests - go test -v ./... - - @echo Integration tests + @echo Run unit and integration tests docker-compose -f docker-compose-test.yml up --build --exit-code-from=rove-tests --abort-on-container-exit rove-tests docker-compose -f docker-compose-test.yml down go tool cover -html=/tmp/coverage-data/c.out -o /tmp/coverage.html From 500e0f9557571f96a6b8b45e7ad971e47c574f23 Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:46:42 +0100 Subject: [PATCH 8/9] Skip the tls verify on the client side for now --- cmd/rove/main.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cmd/rove/main.go b/cmd/rove/main.go index 4ea6a45..99a1f77 100644 --- a/cmd/rove/main.go +++ b/cmd/rove/main.go @@ -187,7 +187,9 @@ func InnerMain(command string, args ...string) error { return fmt.Errorf("no host set in %s, set one with '%s config {HOST}'", ConfigPath(), os.Args[0]) } - tls := &tls.Config{} + tls := &tls.Config{ + InsecureSkipVerify: true, + } // Set up the server clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), grpc.WithTransportCredentials(credentials.NewTLS(tls))) From 94767f06d3c4c7e4c4f2dd23e4b1da9165ba2f74 Mon Sep 17 00:00:00 2001 From: Marc Di Luzio Date: Sun, 26 Jul 2020 23:53:29 +0100 Subject: [PATCH 9/9] Fix to disable TLS in tests --- cmd/rove/main.go | 9 ++++++--- cmd/rove/main_test.go | 1 + 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cmd/rove/main.go b/cmd/rove/main.go index 99a1f77..06999d3 100644 --- a/cmd/rove/main.go +++ b/cmd/rove/main.go @@ -187,12 +187,15 @@ func InnerMain(command string, args ...string) error { return fmt.Errorf("no host set in %s, set one with '%s config {HOST}'", ConfigPath(), os.Args[0]) } - tls := &tls.Config{ - InsecureSkipVerify: true, + var opts []grpc.DialOption + if len(os.Getenv("NO_TLS")) == 0 { + opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))) + } else { + opts = append(opts, grpc.WithInsecure()) } // Set up the server - clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), grpc.WithTransportCredentials(credentials.NewTLS(tls))) + clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), opts...) if err != nil { return err } diff --git a/cmd/rove/main_test.go b/cmd/rove/main_test.go index d0e12d6..25e08ae 100644 --- a/cmd/rove/main_test.go +++ b/cmd/rove/main_test.go @@ -13,6 +13,7 @@ import ( ) func Test_InnerMain(t *testing.T) { + os.Setenv("NO_TLS", "1") // Use temporary local user data tmp, err := ioutil.TempDir(os.TempDir(), "rove-")