add mTLS mixed mode support (#9443)

Author: dario-piotrowicz

.changeset/famous-candies-start.md

@@ -0,0 +1,5 @@
+---
+"wrangler": patch
+---
+
+add workerName option to startMixedModeSession API

.changeset/lemon-laws-mate.md

@@ -0,0 +1,6 @@
+---
+"miniflare": patch
+"wrangler": patch
+---
+
+add mixed-mode support for mtls bindings

packages/miniflare/src/plugins/index.ts

@@ -24,6 +24,7 @@ import { EMAIL_PLUGIN, EMAIL_PLUGIN_NAME } from "./email";
 import { HYPERDRIVE_PLUGIN, HYPERDRIVE_PLUGIN_NAME } from "./hyperdrive";
 import { IMAGES_PLUGIN, IMAGES_PLUGIN_NAME } from "./images";
 import { KV_PLUGIN, KV_PLUGIN_NAME } from "./kv";
+import { MTLS_PLUGIN, MTLS_PLUGIN_NAME } from "./mtls";
 import { PIPELINE_PLUGIN, PIPELINES_PLUGIN_NAME } from "./pipelines";
 import { QUEUES_PLUGIN, QUEUES_PLUGIN_NAME } from "./queues";
 import { R2_PLUGIN, R2_PLUGIN_NAME } from "./r2";
@@ -54,6 +55,7 @@ export const PLUGINS = {
 	[IMAGES_PLUGIN_NAME]: IMAGES_PLUGIN,
 	[VECTORIZE_PLUGIN_NAME]: VECTORIZE_PLUGIN,
 	[CONTAINER_PLUGIN_NAME]: CONTAINER_PLUGIN,
+	[MTLS_PLUGIN_NAME]: MTLS_PLUGIN,
 };
 export type Plugins = typeof PLUGINS;
 
@@ -112,7 +114,8 @@ export type WorkerOptions = z.input<typeof CORE_PLUGIN.options> &
 	z.input<typeof DISPATCH_NAMESPACE_PLUGIN.options> &
 	z.input<typeof IMAGES_PLUGIN.options> &
 	z.input<typeof VECTORIZE_PLUGIN.options> &
-	z.input<typeof CONTAINER_PLUGIN.options>;
+	z.input<typeof CONTAINER_PLUGIN.options> &
+	z.input<typeof MTLS_PLUGIN.options>;
 
 export type SharedOptions = z.input<typeof CORE_PLUGIN.sharedOptions> &
 	z.input<typeof CACHE_PLUGIN.sharedOptions> &
@@ -183,3 +186,4 @@ export * from "./images";
 export * from "./vectorize";
 export * from "./containers";
 export { ContainerController } from "./containers/service";
+export * from "./mtls";

packages/miniflare/src/plugins/mtls/index.ts

@@ -0,0 +1,69 @@
+import assert from "node:assert";
+import { z } from "zod";
+import {
+	mixedModeClientWorker,
+	MixedModeConnectionString,
+	Plugin,
+	ProxyNodeBinding,
+} from "../shared";
+
+const MtlsSchema = z.object({
+	certificate_id: z.string(),
+	mixedModeConnectionString: z.custom<MixedModeConnectionString>(),
+});
+
+export const MtlsOptionsSchema = z.object({
+	mtlsCertificates: z.record(MtlsSchema).optional(),
+});
+
+export const MTLS_PLUGIN_NAME = "mtls";
+
+export const MTLS_PLUGIN: Plugin<typeof MtlsOptionsSchema> = {
+	options: MtlsOptionsSchema,
+	async getBindings(options) {
+		if (!options.mtlsCertificates) {
+			return [];
+		}
+
+		return Object.entries(options.mtlsCertificates).map(
+			([name, { certificate_id, mixedModeConnectionString }]) => {
+				assert(mixedModeConnectionString, "MTLS only supports Mixed Mode");
+
+				return {
+					name,
+
+					service: {
+						name: `${MTLS_PLUGIN_NAME}:${certificate_id}`,
+					},
+				};
+			}
+		);
+	},
+	getNodeBindings(options: z.infer<typeof MtlsOptionsSchema>) {
+		if (!options.mtlsCertificates) {
+			return {};
+		}
+		return Object.fromEntries(
+			Object.keys(options.mtlsCertificates).map((name) => [
+				name,
+				new ProxyNodeBinding(),
+			])
+		);
+	},
+	async getServices({ options }) {
+		if (!options.mtlsCertificates) {
+			return [];
+		}
+
+		return Object.entries(options.mtlsCertificates).map(
+			([name, { certificate_id, mixedModeConnectionString }]) => {
+				assert(mixedModeConnectionString, "MTLS only supports Mixed Mode");
+
+				return {
+					name: `${MTLS_PLUGIN_NAME}:${certificate_id}`,
+					worker: mixedModeClientWorker(mixedModeConnectionString, name),
+				};
+			}
+		);
+	},
+};

packages/vite-plugin-cloudflare/src/miniflare-options.ts

@@ -725,8 +725,12 @@ async function maybeStartOrUpdateMixedModeSession(
 	//             same we can just leave the mixedModeSession untouched
 	if (mixedModeSession === undefined) {
 		if (Object.keys(workerRemoteBindings).length > 0) {
-			mixedModeSession =
-				await experimental_startMixedModeSession(workerRemoteBindings);
+			mixedModeSession = await experimental_startMixedModeSession(
+				workerRemoteBindings,
+				{
+					workerName: workerConfig.name,
+				}
+			);
 			mixedModeSessionsMap.set(workerConfig.name, mixedModeSession);
 		}
 	} else {

packages/wrangler/e2e/cert.test.ts

@@ -1,116 +1,14 @@
-import { randomUUID } from "node:crypto";
-import * as forge from "node-forge";
 import { describe, expect, it } from "vitest";
+import {
+	generateCaCertName,
+	generateLeafCertificate,
+	generateMtlsCertName,
+	generateRootCaCert,
+	generateRootCertificate,
+} from "./helpers/cert";
 import { WranglerE2ETestHelper } from "./helpers/e2e-wrangler-test";
 import { normalizeOutput } from "./helpers/normalize";
 
-// Generate X509 self signed root key pair and certificate
-function generateRootCertificate() {
-	const rootKeys = forge.pki.rsa.generateKeyPair(2048);
-	const rootCert = forge.pki.createCertificate();
-	rootCert.publicKey = rootKeys.publicKey;
-	rootCert.serialNumber = "01";
-	rootCert.validity.notBefore = new Date();
-	rootCert.validity.notAfter = new Date();
-	rootCert.validity.notAfter.setFullYear(
-		rootCert.validity.notBefore.getFullYear() + 10
-	); // 10 years validity
-
-	const rootAttrs = [
-		{ name: "commonName", value: "Root CA" },
-		{ name: "countryName", value: "US" },
-		{ shortName: "ST", value: "California" },
-		{ name: "organizationName", value: "Localhost Root CA" },
-	];
-	rootCert.setSubject(rootAttrs);
-	rootCert.setIssuer(rootAttrs); // Self-signed
-
-	rootCert.sign(rootKeys.privateKey, forge.md.sha256.create());
-
-	return { certificate: rootCert, privateKey: rootKeys.privateKey };
-}
-
-// Generate X509 leaf certificate signed by the root
-function generateLeafCertificate(
-	rootCert: forge.pki.Certificate,
-	rootKey: forge.pki.PrivateKey
-) {
-	const leafKeys = forge.pki.rsa.generateKeyPair(2048);
-	const leafCert = forge.pki.createCertificate();
-	leafCert.publicKey = leafKeys.publicKey;
-	leafCert.serialNumber = "02";
-	leafCert.validity.notBefore = new Date();
-	leafCert.validity.notAfter = new Date();
-	leafCert.validity.notAfter.setFullYear(2034, 10, 18);
-
-	const leafAttrs = [
-		{ name: "commonName", value: "example.org" },
-		{ name: "countryName", value: "US" },
-		{ shortName: "ST", value: "California" },
-		{ name: "organizationName", value: "Example Inc" },
-	];
-	leafCert.setSubject(leafAttrs);
-	leafCert.setIssuer(rootCert.subject.attributes); // Signed by root
-
-	leafCert.sign(rootKey, forge.md.sha256.create()); // Signed using root's private key
-
-	const pemLeafCert = forge.pki.certificateToPem(leafCert);
-	const pemLeafKey = forge.pki.privateKeyToPem(leafKeys.privateKey);
-
-	return { certificate: pemLeafCert, privateKey: pemLeafKey };
-}
-
-// Generate self signed X509 CA root certificate
-function generateRootCaCert() {
-	// Create a key pair (private and public keys)
-	const keyPair = forge.pki.rsa.generateKeyPair(2048);
-
-	// Create a new X.509 certificate
-	const cert = forge.pki.createCertificate();
-
-	// Set certificate fields
-	cert.publicKey = keyPair.publicKey;
-	cert.serialNumber = "01";
-	cert.validity.notBefore = new Date();
-	cert.validity.notAfter = new Date();
-	cert.validity.notAfter.setFullYear(2034, 10, 18);
-
-	// Add issuer and subject fields (for a root CA, they are the same)
-	const attrs = [
-		{ name: "commonName", value: "Localhost CA" },
-		{ name: "countryName", value: "US" },
-		{ shortName: "ST", value: "California" },
-		{ name: "localityName", value: "San Francisco" },
-		{ name: "organizationName", value: "Localhost" },
-		{ shortName: "OU", value: "SSL Department" },
-	];
-	cert.setSubject(attrs);
-	cert.setIssuer(attrs);
-
-	// Add basic constraints and key usage extensions
-	cert.setExtensions([
-		{
-			name: "basicConstraints",
-			cA: true,
-		},
-		{
-			name: "keyUsage",
-			keyCertSign: true,
-			digitalSignature: true,
-			cRLSign: true,
-		},
-	]);
-
-	// Self-sign the certificate with the private key
-	cert.sign(keyPair.privateKey, forge.md.sha256.create());
-
-	// Convert the certificate and private key to PEM format
-	const pemCert = forge.pki.certificateToPem(cert);
-	const pemPrivateKey = forge.pki.privateKeyToPem(keyPair.privateKey);
-
-	return { certificate: pemCert, privateKey: pemPrivateKey };
-}
-
 describe("cert", () => {
 	const normalize = (str: string) =>
 		normalizeOutput(str, {
@@ -125,8 +23,8 @@ describe("cert", () => {
 	const { certificate: caCert } = generateRootCaCert();
 
 	// Generate filenames for concurrent e2e test environment
-	const mtlsCertName = `tmp-e2e-mtls-cert-${randomUUID()}`;
-	const caCertName = `tmp-e2e-ca-cert-${randomUUID()}`;
+	const mtlsCertName = generateMtlsCertName();
+	const caCertName = generateCaCertName();
 
 	it("upload mtls-certificate", async () => {
 		// locally generated certs/key

packages/wrangler/e2e/helpers/cert.ts

@@ -0,0 +1,117 @@
+import { randomUUID } from "node:crypto";
+import * as forge from "node-forge";
+
+// Generate X509 self signed root key pair and certificate
+export function generateRootCertificate() {
+	const rootKeys = forge.pki.rsa.generateKeyPair(2048);
+	const rootCert = forge.pki.createCertificate();
+	rootCert.publicKey = rootKeys.publicKey;
+	rootCert.serialNumber = "01";
+	rootCert.validity.notBefore = new Date();
+	rootCert.validity.notAfter = new Date();
+	rootCert.validity.notAfter.setFullYear(
+		rootCert.validity.notBefore.getFullYear() + 10
+	); // 10 years validity
+
+	const rootAttrs = [
+		{ name: "commonName", value: "Root CA" },
+		{ name: "countryName", value: "US" },
+		{ shortName: "ST", value: "California" },
+		{ name: "organizationName", value: "Localhost Root CA" },
+	];
+	rootCert.setSubject(rootAttrs);
+	rootCert.setIssuer(rootAttrs); // Self-signed
+
+	rootCert.sign(rootKeys.privateKey, forge.md.sha256.create());
+
+	return { certificate: rootCert, privateKey: rootKeys.privateKey };
+}
+
+// Generate X509 leaf certificate signed by the root
+export function generateLeafCertificate(
+	rootCert: forge.pki.Certificate,
+	rootKey: forge.pki.PrivateKey
+) {
+	const leafKeys = forge.pki.rsa.generateKeyPair(2048);
+	const leafCert = forge.pki.createCertificate();
+	leafCert.publicKey = leafKeys.publicKey;
+	leafCert.serialNumber = "02";
+	leafCert.validity.notBefore = new Date();
+	leafCert.validity.notAfter = new Date();
+	leafCert.validity.notAfter.setFullYear(2034, 10, 18);
+
+	const leafAttrs = [
+		{ name: "commonName", value: "example.org" },
+		{ name: "countryName", value: "US" },
+		{ shortName: "ST", value: "California" },
+		{ name: "organizationName", value: "Example Inc" },
+	];
+	leafCert.setSubject(leafAttrs);
+	leafCert.setIssuer(rootCert.subject.attributes); // Signed by root
+
+	leafCert.sign(rootKey, forge.md.sha256.create()); // Signed using root's private key
+
+	const pemLeafCert = forge.pki.certificateToPem(leafCert);
+	const pemLeafKey = forge.pki.privateKeyToPem(leafKeys.privateKey);
+
+	return { certificate: pemLeafCert, privateKey: pemLeafKey };
+}
+
+// Generate self signed X509 CA root certificate
+export function generateRootCaCert() {
+	// Create a key pair (private and public keys)
+	const keyPair = forge.pki.rsa.generateKeyPair(2048);
+
+	// Create a new X.509 certificate
+	const cert = forge.pki.createCertificate();
+
+	// Set certificate fields
+	cert.publicKey = keyPair.publicKey;
+	cert.serialNumber = "01";
+	cert.validity.notBefore = new Date();
+	cert.validity.notAfter = new Date();
+	cert.validity.notAfter.setFullYear(2034, 10, 18);
+
+	// Add issuer and subject fields (for a root CA, they are the same)
+	const attrs = [
+		{ name: "commonName", value: "Localhost CA" },
+		{ name: "countryName", value: "US" },
+		{ shortName: "ST", value: "California" },
+		{ name: "localityName", value: "San Francisco" },
+		{ name: "organizationName", value: "Localhost" },
+		{ shortName: "OU", value: "SSL Department" },
+	];
+	cert.setSubject(attrs);
+	cert.setIssuer(attrs);
+
+	// Add basic constraints and key usage extensions
+	cert.setExtensions([
+		{
+			name: "basicConstraints",
+			cA: true,
+		},
+		{
+			name: "keyUsage",
+			keyCertSign: true,
+			digitalSignature: true,
+			cRLSign: true,
+		},
+	]);
+
+	// Self-sign the certificate with the private key
+	cert.sign(keyPair.privateKey, forge.md.sha256.create());
+
+	// Convert the certificate and private key to PEM format
+	const pemCert = forge.pki.certificateToPem(cert);
+	const pemPrivateKey = forge.pki.privateKeyToPem(keyPair.privateKey);
+
+	return { certificate: pemCert, privateKey: pemPrivateKey };
+}
+
+export function generateMtlsCertName() {
+	return `tmp-e2e-mtls-cert-${randomUUID()}`;
+}
+
+export function generateCaCertName() {
+	return `tmp-e2e-ca-cert-${randomUUID()}`;
+}