Merge pull request #3 from edio/tls_support
Tls support
koiuo committed Jan 5, 2018
2 parents 1617c4f + 5f3afa6 commit 31d722f
Showing 7 changed files with 369 additions and 7 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,15 @@

## Unreleased

### Added

- TLS support

`--tls` verify server with CA certificates installed on this system
`--tls-insecure` do NOT verify server (accept any certificate)
`--tls-cafile value` verify server with CA certificate stored in specified file
`--tls-capath value` verify server with CA certificates located under specified path

### Changed

- `--timeout` option now affects both dialing to server and RPC call (before that dialing had hard-coded 1s timeout)
Expand Down
52 changes: 52 additions & 0 deletions acctest/key.pem
@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDP1dCRnLuw2Jo2
1GoCOdunHC3uBjUUTI0CGog+9RP2gsNgGdNHM77Htg6Qjrs51PngkYpC5GFpfkbx
6CaFYpsPOWyJcdUnDnieDhMTHMu7PwHKWf1hgSJxoiNbQKjNH+sJTW+au3pshuoX
JMl0uibis+pyRtfD3MK5wanASlmEC2ldyiEXW8JZgARY94/R7/c7AIMsH1YJq4PR
CJ8pQmaV7xSrlT+/r+bB9JtBNTFkehaC/D1hf7IihcCwlanHgGiVJdPpprX+CASM
8EVrXNmm55Xq+edSc4yHeb2l8AH8OXrsDfNNwuVv1f70PTmae7WgKdXfLR1avDUf
oDxCPoAoVgncl5e6Wm0zGFVzuJtHl+tgyzFqwduXjnm7MGY/0IODFaS37DKxxaFC
Ff5y1TuaIeOZZBzt1+2RDFw5vOajB/SL76VgM06qi+TW9hCES4jAS6H56KUP0Rpl
MxRCe7mRU+2w8+RuOhJKtjT8YPPWCP3NfvfS/iCsk9OIOuJQycdonXs7pfruvftA
/Y1j8gRhrExauIeIYGIaq4KRolKQDaAUQd2EFg95UVVpTpEZL9bYM/YBDccH+W8B
hgo6N2n0eUEFqiclWFtvAN1vAAMTe1/CjYh41HkqIlxA51rJ+7tekRd8xr2BrKKc
9Vu1POmTGdrjr30OET8+6jzdL5MwewIDAQABAoICAQCUMKeDe9bUVM04tSJVLf3x
XIVfR2vHaoHMczCce1DdnwVB24grJ7krWyNtbWgP50y4E+4ang7bEl/xko8M4m8f
XtmF8vWB4K6eO/jb0tdtTpKvPpUNVe9CSNKe+S6i+9QxkNY35N94zIXTNLa0FRsu
4AwVqW+lRx5NJsorwperMBvT9RC9P/8Go+H1sacJkOmeV1IwPrOxN2tIu7YIzECr
PYpmgYev3PNTbl7ZEt2CAA9XHBWEFHHmbaoj/sLM7kEjv5Im8minlf3wpE1LLSw/
9raNkdyfjKYx3tsbm1M/DZkZASVvV70Sjeo5KgKNpRGu/sVxWRCqJrJWN4Ff1oK3
dXi1zdoC56mNsqDLaHftFBy6T85UlNJhvXrNxr9JI8SaflCBgLrV1yT+5SkYjc4t
xqAAl18TFk3eZL7Wf4rK6Z9c1NlUW/H44OHgd3sUQMdmbaKhT9eyxlohdMTl7ly/
l2fczZGoaX4dwNvrw6MQGFC/J4e7x2FARTm6UAbVeJ9hqwx3qY02MgCVO8ZhCdPk
aJ7rxFUIdhYHY84sGN27zxjx4ja7b/NdEB8glVXewPpWuZbngLMgWvlLGsLdQfoS
DZmXT4B6AwA/6DW2tMKMYAv+yud5VmeiXQ9vRkuwT4lHLY9CcoFbl63PIkeeKDHe
+9r7mkbUtmOgiw8qRcDJeQKCAQEA/sU7oKemdKl9HXnheNh+ql3C9/t1OaHkHlKv
g964r2rjIpYhiNS59kmXizA1KEJAmk2BZfV7gSuarbGU8v4WAcQQUEJ/c0aqf02K
7XfH/dIEf2C3IngTYybN08Eq8uQNyrNsXcIYCEjY9vDedouP0J5kZN+e66Aqxj8/
dp3nvIt8XL/0eGwq5xa6tJwhX3EzGim34Hv4Ifb0TGeko52fah1oCAfqmYRMJlH6
zJhBhCH7IszlqItx3t6+KEg4dUIx1Yi4nh7XI9zQg+fzssh9kDeBsbpCRnUPat9m
FgCLsZRaQYTW50xt3DTEYS8sGzjfmrhXXHEDek/oZwvZAr1k3wKCAQEA0NaX+hmP
vQvqBhBVYfSH/KAU9JCyF5yWoMJlJOOyb4ryUU1Fs3cAS8vMCUkRcZK/Q7icpm4r
k+3/2BPZeOzWhSOGJTvJ1oSsS9cmuq4MSJDmDXP4G0FS7uAKOj1HUjXwd7dWrHvE
IlW9PrvVNXOLedzA8k45ZCQRBawsLoaBJg64EZsLc87PEECxGiSBiN4aabr191xc
J5IqF51P6D2mUdhnf6GZvBmBTtzs9ocmGEV5Efv/VO/CcgL5kQOOR7jpB0lIIHwF
2WjLLalEQ1r6iBQSYswXdcTQT5MYX+DxXFv//qePFuaM1O4c3G4ODhJrGHsez1EN
g4uFnKmBoBmr5QKCAQAY3S7gkvwPzqrDQa3bmWVjQxtQEF50bXRR8Ufn2sizdf8M
1RIYxIoRm0UK9H17nFups365cKfJB3RlFzuuK1YCfhwJeTPvECp7mhnA6zu9bc26
kLnOx2E9AAB+dg+2/MLL0Y7154do55MlJoTPlPdIKO0rWxerb0o9ZtbOwMJpCEPu
2V0Gk6fsPa+jCMnJAsc1+nRTmEWzKuLUwhizTyLLvGr2va8LpHm6E64iYYmjV52m
29BeDp3iXmK4k7PO3dL3QAykgeYFPfuro+uIu0Bl3sTtj3wAXFRQ3dScuRjpD81v
L4O5tx/RqeSwh2YKkhZghzUfdHgea8YGqIVZWxqJAoIBAQDGyn8AYzSgD6dE/mdI
RyzrHLbV1qawMy5u+Jyu8M/5vZnMKnIe0zhE7knazOL96WKHZEQ5aMWymurfFIX+
xfOt6JLY/oCy4rffuX30VZj7unJCfBHAX/5BxKH3rj0l1JKCYtLufSHGTTdHcCUU
LFioN6qy/CNFX8+URsAHyaFGSNyOZbgRFNul7O6oo/dqAYHDA2T/gbt3L3tB300h
FQ4s+oIKzBk7JEwidcpbIWrxz6/fnrD+ePvu60YE9A2L2Eh51xgBVA19VnORk36X
XxL8VZ7qzLvILwDbvnmFSup1sF2OWpGqiuukBMUUTu6yFnY7Z3d8gPsMLNOSvQfX
DpjBAoIBAAGrx9X6JFCz0rE3fSyZVr9+tYVcz0kt+B9a3bN08/szO7c6xBbGeaRS
5wrTVomMeiQWd5q7xttAB+XhqqnJqoPt+tDJj5CA239lNHFCOv+ayk0f5Luequ2B
hI8ylsa17oPKrPj+wR1WHfMQg6F+hFay29Kz9usQJY0ciXb1pE31Qm28ldnAiWX0
hO98do3+E5mS/XcTuerXTRQoctFaXeYVx5tV6XHYth0kULAdEX5/z6ZvGXFS7K/3
V608CusCn3MsRYjFoRTHOL2LswhM4yGbJBcMg+tVCpS6K4nwBCbf/+ro/1oKrm8f
LiCYg6qO9tI/KXTUZjr6VMtlZ13CAEY=
-----END PRIVATE KEY-----
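Review bot: acctest/key.pem adds a private key to the repository with nothing in the file marking it as a throwaway fixture for the stub server, so anyone who finds it later (or a secret scanner that flags it) has to reconstruct its purpose from main_test.go. PEM decoders skip any text that precedes the `-----BEGIN` line, so a leading line such as `Test-only private key for the acctest stub gRPC server; pairs with x509/certificate.pem and must not be used anywhere else` can be added without breaking `credentials.NewServerTLSFromFile`. The matching certificate is added under acctest/x509/certificate.pem in the same commit and would benefit from the same header.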
76 changes: 75 additions & 1 deletion acctest/main_test.go
Expand Up @@ -37,14 +37,18 @@ import (

var (
port int
cert string
caFile string
caPath string
key string
bin string
stubSrvAddr string
)

func init() {
flag.IntVar(&port, "stub-port", 54321, "port for the stub server")
flag.StringVar(&caFile, "stub-cafile", "x509/certificate.pem", "path to the x509 certificate file")
flag.StringVar(&caPath, "stub-capath", "x509/", "path to the x509 certificates dir")
flag.StringVar(&key, "stub-key", "key.pem", "path to the stub server private key")
flag.StringVar(&bin, "gprobe", "../gprobe", "path to the gprobe binary")
}

Expand Down Expand Up @@ -153,6 +157,76 @@ func TestShouldFailIfServiceHealthCheckIsNotRegistered(t *testing.T) {
assert.Contains(t, stderr, "NotFound")
}

// TLS tests

func TestShouldFailOnTlsVerificationWithSelfSignedCert(t *testing.T) {
// given
srv, _, err := StartServer(port, caFile, key)
if err != nil {
log.Fatalf("can't start stub server: %v", err)
}
defer srv.GracefulStop()

// when
stdout, stderr, exitcode := runBin(t, "--tls", stubSrvAddr)

// then
assert.Equal(t, 127, exitcode)
assert.Empty(t, stdout)
assert.Contains(t, stderr, "rpc error")
}

func TestShouldBeAbleToSkipTlsVerification(t *testing.T) {
// given
srv, _, err := StartServer(port, caFile, key)
if err != nil {
log.Fatalf("can't start stub server: %v", err)
}
defer srv.GracefulStop()

// when
stdout, stderr, exitcode := runBin(t, "--tls-insecure", stubSrvAddr)

// then
assert.Equal(t, 0, exitcode)
assert.Equal(t, "SERVING\n", stdout)
assert.Empty(t, stderr)
}

func TestShouldBeAbleToSetCustomCAFile(t *testing.T) {
// given
srv, _, err := StartServer(port, caFile, key)
if err != nil {
log.Fatalf("can't start stub server: %v", err)
}
defer srv.GracefulStop()

// when
stdout, stderr, exitcode := runBin(t, "--tls-cafile", caFile, stubSrvAddr)

// then
assert.Equal(t, 0, exitcode)
assert.Equal(t, "SERVING\n", stdout)
assert.Empty(t, stderr)
}

func TestShouldBeAbleToSetCustomCAPath(t *testing.T) {
// given
srv, _, err := StartServer(port, caFile, key)
if err != nil {
log.Fatalf("can't start stub server: %v", err)
}
defer srv.GracefulStop()

// when
stdout, stderr, exitcode := runBin(t, "--tls-capath", caPath, stubSrvAddr)

// then
assert.Equal(t, 0, exitcode)
assert.Equal(t, "SERVING\n", stdout)
assert.Empty(t, stderr)
}

func runBin(t *testing.T, args ...string) (stdout string, stderr string, exitcode int) {
gprobe := exec.Command(bin, args...)
stdoutPipe, _ := gprobe.StdoutPipe()
Expand Down
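Review bot: The four new TLS tests call `log.Fatalf` when StartServer fails (TestShouldFailOnTlsVerificationWithSelfSignedCert and the three that follow), which terminates the whole test binary, skips the deferred `srv.GracefulStop()` and silently drops every remaining test; inside a test the call should be `t.Fatalf("can't start stub server: %v", err)`. The older tests above this hunk are not visible here and may carry the same pattern. TestShouldFailOnTlsVerificationWithSelfSignedCert only checks that stderr contains `rpc error`, so a connection refused by a stub server that is not yet listening passes it just as well as a rejected certificate; also asserting on the handshake failure text, e.g. `assert.Contains(t, stderr, "x509")` (adjust to whatever gprobe actually prints), would pin the verification failure itself. runBin's body continues below the hunk.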
31 changes: 31 additions & 0 deletions acctest/stubserver.go
@@ -1,13 +1,44 @@
// PUBLIC DOMAIN NOTICE
// National Center for Biotechnology Information
//
// This software/database is a "United States Government Work" under the
// terms of the United States Copyright Act. It was written as part of
// the author's official duties as a United States Government employee and
// thus cannot be copyrighted. This software/database is freely available
// to the public for use. The National Library of Medicine and the U.S.
// Government have not placed any restriction on its use or reproduction.
//
// Although all reasonable efforts have been taken to ensure the accuracy
// and reliability of the software and data, the NLM and the U.S.
// Government do not and cannot warrant the performance or results that
// may be obtained by using this software or data. The NLM and the U.S.
// Government disclaim all warranties, express or implied, including
// warranties of performance, merchantability or fitness for any particular
// purpose.
//
// Please cite the author in any work or product based on this material.

package acctest

import (
"fmt"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/health"
hv1 "google.golang.org/grpc/health/grpc_health_v1"
"net"
)

// StartServer starts new gRPC application with simple health service.
// It is callers responsibility to Stop the server
func StartServer(port int, certFile string, keyFile string) (*grpc.Server, *health.Server, error) {
transportCredentials, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
return nil, nil, err
}
return doStart(port, grpc.Creds(transportCredentials))
}

// StartInsecureServer starts new gRPC application with simple health service.
// It is callers responsibility to Stop the server
func StartInsecureServer(port int) (*grpc.Server, *health.Server, error) {
Expand Down
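Review bot: StartServer returns the error from `credentials.NewServerTLSFromFile` unchanged, so a test that cannot start the stub reports only the underlying file or PEM error without saying which of certFile/keyFile was at fault; `fmt` is already imported, so `return nil, nil, fmt.Errorf("loading TLS credentials from cert %q and key %q: %v", certFile, keyFile, err)` keeps that context. The doc comments on StartServer and StartInsecureServer read "callers responsibility" where "caller's responsibility" is meant. The import block mixes stdlib (`fmt`, `net`) with google.golang.org packages in one group; goimports would split them into a stdlib group and a third-party group. doStart is defined outside the hunk.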
29 changes: 29 additions & 0 deletions acctest/x509/certificate.pem
@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
