68 as a library user i want to connect to rabbit through tls/ssl (#69)

* added tls certs and makefile

* added tls params + test

* fixed certificate filenames between local and ci

* cleanup magic string (cn in local is different from ci)

* fixed lint issue

Author: apietroni51

.github/workflows/main.yml

@@ -27,30 +27,34 @@ jobs:
           RABBITMQ_DEFAULT_USER: "test-user"
           RABBITMQ_DEFAULT_PASS: "test-password"
         ports:
+          - 5671:5671
           - 5672:5672
           - 15672:15672
         volumes:
-          - ./conf/:/etc/rabbitmq/
+          - ${{ github.workspace }}/conf/:/etc/rabbitmq/
+          - ${{ github.workspace }}/certs/:/certs/
 
     steps:
+      - name: Add the rabbitmq service to /etc/hosts
+        run: sudo echo "127.0.0.1 test-node" | sudo tee -a /etc/hosts
       - uses: actions/checkout@v3
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
-      # - name: Generate certificates
-      #   env:
-      #     CN: test-node
-      #   run: |
-      #     git clone https://github.com/rabbitmq/tls-gen tls-gen
-      #     cd tls-gen/basic
-      #     make
-      #     cd ../..
-      #     cp -a tls-gen/basic/result certs/
-      #     sudo chown -R 999:999 certs
-      #     sudo mv certs/server_test-node_certificate.pem certs/server_rabbitmq_certificate.pem
-      #     sudo mv certs/server_test-node_key.pem certs/server_rabbitmq_key.pem
+      - name: Generate certificates
+        env:
+          CN: test-node
+        run: |
+          git clone https://github.com/rabbitmq/tls-gen tls-gen
+          cd tls-gen/basic
+          make
+          cd ../..
+          cp -a tls-gen/basic/result certs/
+          sudo chown -R 999:999 certs
+          sudo mv certs/server_test-node_certificate.pem certs/server_rabbitmq_certificate.pem
+          sudo mv certs/server_test-node_key.pem certs/server_rabbitmq_key.pem
       - name: Restart RabbitMQ
         run: |
           docker restart test-node
@@ -65,6 +69,7 @@ jobs:
           docker exec test-node rabbitmqctl set_permissions 'O=client,CN=test-node' '.*' '.*' '.*'
       - run: npm test
         env:
+          CN: test-node
           RABBITMQ_USER: "test-user"
           RABBITMQ_PASSWORD: "test-password"
       # - run: cd example && npm install && npm start

.gitignore

@@ -1,3 +1,4 @@
 dist/
 node_modules/
+tls-gen/
 .envrc

Makefile

@@ -0,0 +1,11 @@
+rabbitmq-test:
+	rm -rf tls-gen;
+	git clone https://github.com/rabbitmq/tls-gen tls-gen; cd tls-gen/basic; CN=rabbitmq make
+	chmod -R 755 tls-gen
+	docker compose down
+	docker compose up -d
+	sleep 5
+	docker exec rabbitmq-js-client rabbitmqctl await_startup
+	docker exec rabbitmq-js-client rabbitmqctl add_user 'O=client,CN=rabbitmq' ''
+	docker exec rabbitmq-js-client rabbitmqctl clear_password 'O=client,CN=rabbitmq'
+	docker exec rabbitmq-js-client rabbitmqctl set_permissions 'O=client,CN=rabbitmq' '.*' '.*' '.*'

conf/rabbitmq.conf

@@ -6,9 +6,18 @@ log.console.level = debug
 log.exchange = true
 
 listeners.tcp.default = 5672
+listeners.ssl.default = 5671
 
 deprecated_features.permit.amqp_address_v1 = false
 
+ssl_options.cacertfile = /certs/ca_certificate.pem
+ssl_options.certfile   = /certs/server_rabbitmq_certificate.pem
+ssl_options.keyfile    = /certs/server_rabbitmq_key.pem
+ssl_options.verify     = verify_peer
+ssl_options.password   = grapefruit
+ssl_options.depth      = 1
+ssl_options.fail_if_no_peer_cert = false
+
 auth_mechanisms.1 = PLAIN
 auth_mechanisms.2 = ANONYMOUS
 auth_mechanisms.3 = EXTERNAL

cspell.json

@@ -4,6 +4,8 @@
     "ackmode",
     "ampq",
     "amqpvalue",
+    "cacertfile",
+    "certfile",
     "dste",
     "dstq",
     "fanout",

docker-compose.yml

@@ -7,8 +7,10 @@ services:
     ports:
       - "15672:15672"
       - "5672:5672"
+      - "5671:5671"
     environment:
       RABBITMQ_DEFAULT_USER: "rabbit"
       RABBITMQ_DEFAULT_PASS: "rabbit"
     volumes:
       - ./conf/:/etc/rabbitmq/
+      - "./tls-gen/basic/result/:/certs"

src/environment.ts

@@ -15,13 +15,21 @@ type OauthParams = {
   token: string
 }
 
+type TlsParams = {
+  key?: string
+  cert?: string
+  ca?: string
+  rejectUnauthorized?: boolean
+}
+
 export type EnvironmentParams = {
   host: string
   port: number
   username: string
   password: string
   webSocket?: WebSocketParams
   oauth?: OauthParams
+  tls?: TlsParams
 }
 
 export class AmqpEnvironment implements Environment {

src/rhea_wrapper.ts

@@ -60,6 +60,7 @@ function buildConnectParams(
   getOauthPassword?: () => string
 ): ConnectionOptions {
   const reconnectParams = buildReconnectParams(connParams)
+  const tlsParams = buildTlsParams(envParams)
   if (envParams.webSocket) {
     const ws = websocket_connect(envParams.webSocket.implementation)
     const wsUrl = envParams.webSocket.url ?? `ws://${envParams.host}:${envParams.port}/ws`
@@ -75,6 +76,7 @@ function buildConnectParams(
       },
       ...envParams,
       ...reconnectParams,
+      ...tlsParams,
     }
   }
 
@@ -87,19 +89,22 @@ function buildConnectParams(
           username: envParams.username,
           password: getOauthPassword ? getOauthPassword() : undefined,
           ...reconnectParams,
+          ...tlsParams,
         }
       },
       host: envParams.host,
       port: envParams.port,
       username: envParams.username,
       password: envParams.oauth.token,
       ...reconnectParams,
+      ...tlsParams,
     }
   }
 
   return {
     ...envParams,
     ...reconnectParams,
+    ...tlsParams,
   }
 }
 
@@ -118,6 +123,17 @@ function buildReconnectParams(connParams?: ConnectionParams) {
   return { reconnect: true }
 }
 
+function buildTlsParams(envParams?: EnvironmentParams) {
+  if (envParams && envParams.tls) {
+    return {
+      transport: "tls",
+      ...envParams.tls,
+    }
+  }
+
+  return {}
+}
+
 export type LinkOpenEvents = SenderEvents.senderOpen | ReceiverEvents.receiverOpen
 export type LinkErrorEvents = SenderEvents.senderError | ReceiverEvents.receiverError
 export type OpenLinkMethods =

test/e2e/tls_connection.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, test } from "vitest"
+import { createEnvironment, Environment } from "../../src/environment.js"
+import { host, username, eventually, numberOfConnections, password } from "../support/util.js"
+import { Connection } from "../../src/connection.js"
+import { readFile } from "fs/promises"
+
+describe("TLS Connection", () => {
+  const LOCAL_TEST_CN = "rabbitmq"
+
+  let environment: Environment
+  let connection: Connection
+
+  test("creating a TLS connection", async () => {
+    const cn = process.env.CN ?? LOCAL_TEST_CN
+    const tls = {
+      ca: await readFile("./tls-gen/basic/result/ca_certificate.pem", "utf8"),
+      cert: await readFile(`./tls-gen/basic/result/client_${cn}_certificate.pem`, "utf8"),
+      key: await readFile(`./tls-gen/basic/result/client_${cn}_key.pem`, "utf8"),
+      rejectUnauthorized: true,
+    }
+
+    environment = createEnvironment({ host, port: 5671, username, password, tls })
+
+    connection = await environment.createConnection()
+
+    await eventually(async () => {
+      expect(await numberOfConnections()).to.eql(1)
+    })
+    await connection.close()
+    await environment.close()
+  })
+})