Merge pull request #42 from mdiluz/tls

Add TLS to server-client communications

Makefile

@@ -18,10 +18,7 @@ gen:
 	protoc --proto_path proto --go_out=plugins=grpc,paths=source_relative:proto/ proto/roveapi/roveapi.proto
 
 test:
-	@echo Unit tests
-	go test -v ./...
-
-	@echo Integration tests
+	@echo Run unit and integration tests
 	docker-compose -f docker-compose-test.yml up --build --exit-code-from=rove-tests --abort-on-container-exit rove-tests
 	docker-compose -f docker-compose-test.yml down
 	go tool cover -html=/tmp/coverage-data/c.out -o /tmp/coverage.html

cmd/rove-server/internal/server.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"os"
+	"path"
 	"sync"
 
 	"github.com/mdiluz/rove/pkg/persistence"
@@ -11,9 +13,12 @@ import (
 	"github.com/mdiluz/rove/proto/roveapi"
 	"github.com/robfig/cron"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/reflection"
 )
 
+var cert = os.Getenv("CERT_NAME")
+
 const (
 	// PersistentData will allow the server to load and save it's state
 	PersistentData = iota
@@ -104,7 +109,20 @@ func (s *Server) Initialise(fillWorld bool) (err error) {
 	if err != nil {
 		log.Fatalf("failed to listen: %v", err)
 	}
-	s.grpcServ = grpc.NewServer()
+
+	// Load TLS
+	var opts []grpc.ServerOption
+	if len(os.Getenv("NO_TLS")) == 0 {
+		pem := path.Join("/etc/letsencrypt/live/", cert, "fullchain.pem")
+		key := path.Join("/etc/letsencrypt/live/", cert, "privkey.pem")
+		creds, err := credentials.NewServerTLSFromFile(pem, key)
+		if err != nil {
+			log.Fatalf("failed to setup TLS: %v", err)
+		}
+		opts = append(opts, grpc.Creds(creds))
+	}
+
+	s.grpcServ = grpc.NewServer(opts...)
 	roveapi.RegisterRoveServer(s.grpcServ, s)
 	reflection.Register(s.grpcServ)
 

cmd/rove-server/internal/server_test.go

@@ -1,6 +1,7 @@
 package internal
 
 import (
+	"os"
 	"testing"
 )
 
@@ -30,6 +31,7 @@ func TestNewServer_OptionPersistentData(t *testing.T) {
 }
 
 func TestServer_Run(t *testing.T) {
+	os.Setenv("NO_TLS", "1")
 	server := NewServer()
 	if server == nil {
 		t.Error("Failed to create server")
@@ -45,6 +47,7 @@ func TestServer_Run(t *testing.T) {
 }
 
 func TestServer_RunPersistentData(t *testing.T) {
+	os.Setenv("NO_TLS", "1")
 	server := NewServer(OptionPersistentData())
 	if server == nil {
 		t.Error("Failed to create server")

cmd/rove/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -16,6 +17,7 @@ import (
 	"github.com/mdiluz/rove/proto/roveapi"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )
 
 var home = os.Getenv("HOME")
@@ -185,8 +187,15 @@ func InnerMain(command string, args ...string) error {
 		return fmt.Errorf("no host set in %s, set one with '%s config {HOST}'", ConfigPath(), os.Args[0])
 	}
 
+	var opts []grpc.DialOption
+	if len(os.Getenv("NO_TLS")) == 0 {
+		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))
+	} else {
+		opts = append(opts, grpc.WithInsecure())
+	}
+
 	// Set up the server
-	clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), grpc.WithInsecure())
+	clientConn, err := grpc.Dial(fmt.Sprintf("%s:%d", config.Host, gRPCport), opts...)
 	if err != nil {
 		return err
 	}

cmd/rove/main_test.go

@@ -13,6 +13,7 @@ import (
 )
 
 func Test_InnerMain(t *testing.T) {
+	os.Setenv("NO_TLS", "1")
 
 	// Use temporary local user data
 	tmp, err := ioutil.TempDir(os.TempDir(), "rove-")

docker-compose-test.yml

@@ -13,6 +13,7 @@ services:
       - DATA_PATH=/tmp/
       - WORDS_FILE=data/words_alpha.txt
       - TICK_RATE=10
+      - NO_TLS=1
     command: [ "./rove-server"]
 
   rove-tests:

docker-compose.yml

@@ -16,8 +16,10 @@ services:
       - DATA_PATH=/mnt/rove-server
       - WORDS_FILE=data/words_alpha.txt
       - TICK_RATE=3
+      - CERT_NAME=${CERT_NAME}
     volumes:
       - persistent-data:/mnt/rove-server:rw
+      - /etc/letsencrypt/:/etc/letsencrypt/
     command: [ "./rove-server"]