feat(grpc): add tls support (#189)

spacewander · web-flow · commit dde58ac24390 · 2022-11-23T09:32:01.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -98,4 +98,4 @@ jobs:
             etcd --version
             goreman -f ./t/$GOREMAN_CONF start > goreman.log 2>&1 &
             sleep 5
-            prove -I../test-nginx/lib t/v3/mtls.t
+            prove -I../test-nginx/lib t/v3/mtls.t t/v3/grpc/mtls.t
diff --git a/lib/resty/etcd/v3.lua b/lib/resty/etcd/v3.lua
@@ -417,15 +417,28 @@ function _M.new(opts)
         cli.grpc = grpc
         cli.call_opts = {}
 
+        local connect_opts = {
+            max_recv_msg_size = 2147483647,
+        }
+
         local endpoint, err = choose_endpoint(cli)
         if not endpoint then
             return nil, err
         end
 
+        if endpoint.scheme == "https" then
+            connect_opts.insecure = false
+        end
+
+        connect_opts.tls_verify = cli.ssl_verify
+        connect_opts.client_cert = cli.ssl_cert_path
+        connect_opts.client_key = cli.ssl_key_path
+        connect_opts.trusted_ca = opts.trusted_ca
+
         -- TODO: implement proxing via unix socket once we have support sync conf via gRPC
         -- TODO: we don't support IPv6 yet, should the user pass `[host]:port` so we don't need
         -- to adapt it?
-        local conn, err = grpc.connect(endpoint.address .. ":" .. endpoint.port)
+        local conn, err = grpc.connect(endpoint.address .. ":" .. endpoint.port, connect_opts)
         if not conn then
             return nil, err
         end
diff --git a/t/v3/grpc/mtls.t b/t/v3/grpc/mtls.t
@@ -0,0 +1,137 @@
+use Test::Nginx::Socket::Lua;
+
+log_level('info');
+no_long_string();
+repeat_each(1);
+
+my $enable_tls = $ENV{ETCD_ENABLE_MTLS};
+if (defined($enable_tls) && $enable_tls eq "TRUE") {
+    plan 'no_plan';
+} else {
+    plan(skip_all => "etcd is not capable for mTLS connection");
+}
+
+my $main_config = <<'_EOC_';
+    thread_pool grpc-client-nginx-module threads=1;
+_EOC_
+
+my $http_config = <<'_EOC_';
+    lua_socket_log_errors off;
+    lua_package_path 'lib/?.lua;/usr/share/lua/5.1/?.lua;;';
+    init_by_lua_block {
+        local cjson = require("cjson.safe")
+
+        function check_res(data, err, val, status)
+            if err then
+                ngx.say("err: ", err)
+                ngx.exit(200)
+            end
+
+            if val then
+                if data.body.kvs==nil then
+                    ngx.exit(404)
+                end
+                if data.body.kvs and val ~= data.body.kvs[1].value then
+                    ngx.say("failed to check value")
+                    ngx.log(ngx.ERR, "failed to check value, got: ", data.body.kvs[1].value,
+                            ", expect: ", val)
+                    ngx.exit(200)
+                else
+                    ngx.say("checked val as expect: ", val)
+                end
+            end
+
+            if status and status ~= data.status then
+                ngx.exit(data.status)
+            end
+        end
+
+        function new_etcd(ssl_verify, ssl_cert_path, ssl_key_path, trusted_ca)
+            return require "resty.etcd" .new({
+                protocol = "v3",
+                api_prefix = "/v3",
+                http_host = {
+                    "https://127.0.0.1:12379",
+                },
+                use_grpc = true,
+                ssl_verify = ssl_verify,
+                ssl_cert_path = ssl_cert_path or "t/certs/mtls_client.crt",
+                ssl_key_path = ssl_key_path or "t/certs/mtls_client.key",
+                trusted_ca = trusted_ca,
+            })
+        end
+    }
+_EOC_
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+    if (!$block->http_config) {
+        $block->set_value("http_config", $http_config);
+    }
+
+    if (!$block->main_config) {
+        $block->set_value("main_config", $main_config);
+    }
+
+    if (!$block->no_error_log && !$block->error_log) {
+        $block->set_value("no_error_log", "[error]\n[alert]");
+    }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: TLS no verify
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(false)
+            check_res(etcd, err)
+
+            local res, err = etcd:set("/test", { a='abc'})
+            check_res(res, err)
+            ngx.say("done")
+        }
+    }
+--- response_body
+done
+
+
+
+=== TEST 2: TLS verify
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(true)
+            check_res(etcd, err)
+
+            local res, err = etcd:set("/test", { a='abc'})
+            check_res(res, err)
+            ngx.say("done")
+        }
+    }
+--- response_body_like eval
+qr/cannot validate certificate/
+
+
+
+=== TEST 3: bad client certificate
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(false, "t/certs/etcd.pem", "t/certs/etcd.key")
+            check_res(etcd, err)
+
+            local res, err = etcd:set("/test", { a='abc'})
+            check_res(res, err)
+            ngx.say("done")
+        }
+    }
+--- response_body_like eval
+qr/bad certificate/
diff --git a/t/v3/grpc/tls.t b/t/v3/grpc/tls.t
@@ -0,0 +1,116 @@
+use Test::Nginx::Socket::Lua;
+
+log_level('info');
+no_long_string();
+repeat_each(1);
+
+my $enable_tls = $ENV{ETCD_ENABLE_TLS};
+if (defined($enable_tls) && $enable_tls eq "TRUE") {
+    plan 'no_plan';
+} else {
+    plan(skip_all => "etcd is not capable for TLS connection");
+}
+
+our $HttpConfig = <<'_EOC_';
+    lua_socket_log_errors off;
+    lua_package_path 'lib/?.lua;/usr/local/share/lua/5.3/?.lua;/usr/share/lua/5.1/?.lua;;';
+    init_by_lua_block {
+        local cjson = require("cjson.safe")
+
+        function check_res(data, err, val, status)
+            if err then
+                ngx.say("err: ", err)
+                ngx.exit(200)
+            end
+
+            if val then
+                if data.body.kvs==nil then
+                    ngx.exit(404)
+                end
+                if data.body.kvs and val ~= data.body.kvs[1].value then
+                    ngx.say("failed to check value")
+                    ngx.log(ngx.ERR, "failed to check value, got: ", data.body.kvs[1].value,
+                            ", expect: ", val)
+                    ngx.exit(200)
+                else
+                    ngx.say("checked val as expect: ", val)
+                end
+            end
+
+            if status and status ~= data.status then
+                ngx.exit(data.status)
+            end
+        end
+    }
+_EOC_
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->main_config) {
+        $block->set_value("main_config", "thread_pool grpc-client-nginx-module threads=1;");
+    }
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+    if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+        $block->set_value("no_error_log", "[error]");
+    }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: TLS no verify
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = require "resty.etcd" .new({
+                protocol = "v3",
+                http_host = {
+                    "https://127.0.0.1:12379",
+                    "https://127.0.0.1:22379",
+                    "https://127.0.0.1:32379",
+                },
+                ssl_verify = false,
+                use_grpc = true,
+            })
+            check_res(etcd, err)
+
+            local res, err = etcd:set("/test", { a='abc'})
+            check_res(res, err)
+            ngx.say("done")
+        }
+    }
+--- response_body
+done
+
+
+
+=== TEST 2: TLS verify
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = require "resty.etcd" .new({
+                protocol = "v3",
+                http_host = {
+                    "https://127.0.0.1:12379",
+                    "https://127.0.0.1:22379",
+                    "https://127.0.0.1:32379",
+                },
+                use_grpc = true,
+            })
+            check_res(etcd, err)
+
+            local res, err = etcd:set("/test", { a='abc'})
+            check_res(res, err)
+            ngx.say("done")
+        }
+    }
+--- response_body eval
+qr/authentication handshake failed/
