Merge pull request #518 from AmbireTech/sentry-tls

Sentry the ability to setup TLS

Author: elpiel

Cargo.lock

@@ -65,6 +65,11 @@ ENV KEYSTORE_PWD=
 # Only applicable if you use the `--adapter dummy`
 ENV DUMMY_IDENTITY=
 
+# To setup TLS supply both `PRIVATE_KEYS` & `CERTIFICATES`
+# Otherwise you will get an error
+ENV PRIVATE_KEYS=
+ENV CERTIFICATES=
+
 # If set it will override the configuration file used
 ENV CONFIG=
 
@@ -85,4 +90,6 @@ ENTRYPOINT ["./scripts/entrypoint.sh"]
 CMD sentry -a ${ADAPTER:-ethereum} \
             ${KEYSTORE_FILE:+-k $KEYSTORE_FILE} \
             ${DUMMY_IDENTITY:+-i $DUMMY_IDENTITY} \
+            ${PRIVATE_KEYS:+--privateKeys $PRIVATE_KEYS} \
+            ${CERTIFICATES:+--certificates $CERTIFICATES} \
             ${CONFIG}

Dockerfile-sentry

@@ -57,7 +57,13 @@ cargo run -p sentry -- --help
 
 Starting the Sentry API in will always run migrations, this will make sure the database is always up to date with the latest migrations, before starting and exposing the web server.
 
-By default, we use the `development` environment ( [`ENV` environment variable](#environment-variables) ) as it will also seed the database.
+By default, we use the `development` environment ( [`ENV` environment variable](#environment-variables) ) ~~as it will also seed the database~~ (seeding is disabled, see #514).
+
+To enable TLS for the sentry server you need to pass both `--privateKeys` and
+`--certificates` cli options (paths to `.pem` files) otherwise the cli will
+exit with an error.
+
+For full list of available addresses see [primitives/src/test_util.rs#L39-L118](./primitives/src/test_util.rs#L39-L118)
 
 #### Using the `Ethereum` adapter
 
@@ -100,7 +106,7 @@ POSTGRES_DB="sentry_follower" PORT=8006 KEYSTORE_PWD=ganache1 cargo run -p sentr
 IP_ADDR=127.0.0.1 REDIS_URL="redis://127.0.0.1:6379/1" \
 POSTGRES_DB="sentry_leader" PORT=8005 cargo run -p sentry -- \
     --adapter dummy \
-    --dummyIdentity 80690751969B234697e9059e04ed72195c3507fa \
+    --dummyIdentity 0x80690751969B234697e9059e04ed72195c3507fa \
     ./docs/config/prod.toml
 ```
 ##### Follower (`0xf3f583AEC5f7C030722Fe992A5688557e1B86ef7`)
@@ -109,19 +115,18 @@ POSTGRES_DB="sentry_leader" PORT=8005 cargo run -p sentry -- \
 IP_ADDR=127.0.0.1 REDIS_URL="redis://127.0.0.1:6379/2" \
 POSTGRES_DB="sentry_follower" PORT=8006 cargo run -p sentry -- \
     --adapter dummy \
-    --dummyIdentity f3f583AEC5f7C030722Fe992A5688557e1B86ef7 \
+    --dummyIdentity 0xf3f583AEC5f7C030722Fe992A5688557e1B86ef7 \
     ./docs/config/prod.toml
 ```
 
-For full list, check out [primitives/src/util/tests/prep_db.rs#L29-L43](./primitives/src/util/tests/prep_db.rs#L29-L43)
-
 #### Environment variables
 
 - `ENV` - `production` or `development`; *default*: `development` - passing this env. variable will use the default configuration paths - [`docs/config/dev.toml`](./docs/config/dev.toml) (for `development`) or [`docs/config/prod.toml`](./docs/config/prod.toml) (for `production`). Otherwise you can pass your own configuration file path to the binary (check `cargo run -p sentry --help` for more information). In `development` it will make sure Sentry to seed the database.
 - `PORT` - *default*: `8005` - The local port that Sentry API will be accessible at
 - `IP_ADDR` - *default*: `0.0.0.0` - the IP address that the API should be listening to
 
 ##### Adapter
+
 - `KEYSTORE_PWD` - Password for the `Keystore file`, only available when using `Ethereum` adapter (`--adapter ethereum`)
 
 ##### Redis

README.md

@@ -129,6 +129,9 @@ pub static DUMMY_AUTH: Lazy<HashMap<Address, String>> = Lazy::new(|| {
     auth.insert(*ADVERTISER, "AUTH_awesomeAdvertiser".into());
     auth.insert(*PUBLISHER, "AUTH_awesomePublisher".into());
     auth.insert(*GUARDIAN_2, "AUTH_awesomeGuardian2".into());
+    auth.insert(*PUBLISHER_2, "AUTH_awesomePublisher2".into());
+    auth.insert(*ADVERTISER_2, "AUTH_awesomeAdvertiser2".into());
+    auth.insert(*LEADER_2, "AUTH_awesomeLeader2".into());
 
     auth
 });

primitives/src/test_util.rs

@@ -32,8 +32,10 @@ hyper = { version = "0.14", features = [
   "stream",
   "runtime",
   "http1",
+  "http2",
   "server",
 ] }
+simple-hyper-server-tls = { version = "0.3", features = ["tls-rustls"] }
 regex = "1"
 # Database
 redis = { version = "0.21", features = ["aio", "tokio-comp"] }

sentry/Cargo.toml

@@ -1,4 +1,7 @@
-use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::{
+    net::{IpAddr, Ipv4Addr, SocketAddr},
+    path::Path,
+};
 
 use adapter::client::Locked;
 use hyper::{
@@ -9,6 +12,7 @@ use once_cell::sync::Lazy;
 use primitives::{config::Environment, ValidatorId};
 use redis::ConnectionInfo;
 use serde::{Deserialize, Deserializer};
+use simple_hyper_server_tls::{listener_from_pem_files, Protocols, TlsListener};
 use slog::{error, info};
 
 use crate::{
@@ -45,6 +49,7 @@ pub static DEFAULT_REDIS_URL: Lazy<ConnectionInfo> = Lazy::new(|| {
 #[derive(Debug, Deserialize, Clone)]
 pub struct EnvConfig {
     /// Defaults to `Development`: [`Environment::default()`]
+    #[serde(default)]
     pub env: Environment,
     /// The port on which the Sentry REST API will be accessible.
     ///
@@ -157,24 +162,52 @@ where
 
 impl<C: Locked + 'static> Application<C> {
     /// Starts the `hyper` `Server`.
-    pub async fn run(self, socket_addr: SocketAddr) {
+    pub async fn run(self, enable_tls: EnableTls) {
         let logger = self.logger.clone();
+        let socket_addr = match &enable_tls {
+            EnableTls::NoTls(socket_addr) => socket_addr,
+            EnableTls::Tls { socket_addr, .. } => socket_addr,
+        };
+
         info!(&logger, "Listening on socket address: {}!", socket_addr);
 
-        let make_service = make_service_fn(|_| {
-            let server = self.clone();
-            async move {
-                Ok::<_, Error>(service_fn(move |req| {
-                    let server = server.clone();
-                    async move { Ok::<_, Error>(server.handle_routing(req).await) }
-                }))
+        match enable_tls {
+            EnableTls::NoTls(socket_addr) => {
+                let make_service = make_service_fn(|_| {
+                    let server = self.clone();
+                    async move {
+                        Ok::<_, Error>(service_fn(move |req| {
+                            let server = server.clone();
+                            async move { Ok::<_, Error>(server.handle_routing(req).await) }
+                        }))
+                    }
+                });
+
+                let server = Server::bind(&socket_addr).serve(make_service);
+
+                if let Err(e) = server.await {
+                    error!(&logger, "server error: {}", e; "main" => "run");
+                }
             }
-        });
+            EnableTls::Tls { listener, .. } => {
+                let make_service = make_service_fn(|_| {
+                    let server = self.clone();
+                    async move {
+                        Ok::<_, Error>(service_fn(move |req| {
+                            let server = server.clone();
+                            async move { Ok::<_, Error>(server.handle_routing(req).await) }
+                        }))
+                    }
+                });
 
-        let server = Server::bind(&socket_addr).serve(make_service);
+                // TODO: Find a way to redirect to HTTPS
+                let mut server = Server::builder(listener).serve(make_service);
 
-        if let Err(e) = server.await {
-            error!(&logger, "server error: {}", e; "main" => "run");
+                while let Err(e) = (&mut server).await {
+                    // This is usually caused by trying to connect on HTTP instead of HTTPS
+                    error!(&logger, "server error: {}", e; "main" => "run");
+                }
+            }
         }
     }
 }
@@ -193,6 +226,35 @@ impl<C: Locked> Clone for Application<C> {
     }
 }
 
+/// Either enable or do not the Tls support.
+pub enum EnableTls {
+    NoTls(SocketAddr),
+    Tls {
+        socket_addr: SocketAddr,
+        listener: TlsListener,
+    },
+}
+
+impl EnableTls {
+    pub fn new_tls<C: AsRef<Path>, K: AsRef<Path>>(
+        certificates: C,
+        private_keys: K,
+        socket_addr: SocketAddr,
+    ) -> Result<Self, Box<dyn std::error::Error>> {
+        let listener =
+            listener_from_pem_files(certificates, private_keys, Protocols::ALL, &socket_addr)?;
+
+        Ok(Self::Tls {
+            listener,
+            socket_addr,
+        })
+    }
+
+    pub fn no_tls(socket_addr: SocketAddr) -> Self {
+        Self::NoTls(socket_addr)
+    }
+}
+
 /// Sentry [`Application`] Session
 #[derive(Debug, Clone)]
 pub struct Session {