Add extra initialisers to TLS config

Author: gjcairo

Package.swift

@@ -57,6 +57,10 @@ let dependencies: [Package.Dependency] = [
     url: "https://github.com/apple/swift-nio-extras.git",
     from: "1.4.0"
   ),
+  .package(
+    url: "https://github.com/apple/swift-certificates.git",
+    from: "1.5.0"
+  ),
 ]
 
 let defaultSwiftSettings: [SwiftSetting] = [
@@ -104,6 +108,7 @@ let targets: [Target] = [
       .target(name: "GRPCNIOTransportCore"),
       .product(name: "GRPCCore", package: "grpc-swift"),
       .product(name: "NIOPosix", package: "swift-nio"),
+      .product(name: "NIOSSL", package: "swift-nio-ssl"),
     ],
     swiftSettings: defaultSwiftSettings
   ),
@@ -132,6 +137,8 @@ let targets: [Target] = [
     name: "GRPCNIOTransportHTTP2Tests",
     dependencies: [
       .target(name: "GRPCNIOTransportHTTP2"),
+      .product(name: "X509", package: "swift-certificates"),
+      .product(name: "NIOSSL", package: "swift-nio-ssl"),
     ]
   )
 ]

Sources/GRPCNIOTransportHTTP2Posix/TLSConfig.swift

@@ -171,6 +171,27 @@ extension HTTP2ServerTransport.Posix.Config {
     ///
     /// If this is set to `true` but the client does not support ALPN, then the connection will be rejected.
     public var requireALPN: Bool
+    
+    /// Create a new HTTP2 NIO Posix server transport TLS config.
+    /// - Parameters:
+    ///   - certificateChain: The certificates the server will offer during negotiation.
+    ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - clientCertificateVerification: How to verify the client certificate, if one is presented.
+    ///   - trustRoots: The trust roots to be used when verifying client certificates.
+    ///   - requireALPN: Whether ALPN is required.
+    public init(
+      certificateChain: [TLSConfig.CertificateSource],
+      privateKey: TLSConfig.PrivateKeySource,
+      clientCertificateVerification: TLSConfig.CertificateVerification,
+      trustRoots: TLSConfig.TrustRootsSource,
+      requireALPN: Bool
+    ) {
+      self.certificateChain = certificateChain
+      self.privateKey = privateKey
+      self.clientCertificateVerification = clientCertificateVerification
+      self.trustRoots = trustRoots
+      self.requireALPN = requireALPN
+    }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted:
     /// - `clientCertificateVerificationMode` equals `doNotVerify`
@@ -180,18 +201,22 @@ extension HTTP2ServerTransport.Posix.Config {
     /// - Parameters:
     ///   - certificateChain: The certificates the server will offer during negotiation.
     ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
     public static func defaults(
       certificateChain: [TLSConfig.CertificateSource],
-      privateKey: TLSConfig.PrivateKeySource
+      privateKey: TLSConfig.PrivateKeySource,
+      configure: (_ config: inout Self) -> Void = { _ in }
     ) -> Self {
-      Self(
+      var config = Self(
         certificateChain: certificateChain,
         privateKey: privateKey,
         clientCertificateVerification: .noVerification,
         trustRoots: .systemDefault,
         requireALPN: false
       )
+      configure(&config)
+      return config
     }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted to match
@@ -203,18 +228,22 @@ extension HTTP2ServerTransport.Posix.Config {
     /// - Parameters:
     ///   - certificateChain: The certificates the server will offer during negotiation.
     ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
     public static func mTLS(
       certificateChain: [TLSConfig.CertificateSource],
-      privateKey: TLSConfig.PrivateKeySource
+      privateKey: TLSConfig.PrivateKeySource,
+      configure: (_ config: inout Self) -> Void = { _ in }
     ) -> Self {
-      Self(
+      var config = Self(
         certificateChain: certificateChain,
         privateKey: privateKey,
         clientCertificateVerification: .noHostnameVerification,
         trustRoots: .systemDefault,
         requireALPN: false
       )
+      configure(&config)
+      return config
     }
   }
 }
@@ -255,6 +284,27 @@ extension HTTP2ClientTransport.Posix.Config {
 
     /// An optional server hostname to use when verifying certificates.
     public var serverHostname: String?
+    
+    /// Create a new HTTP2 NIO Posix client transport TLS config.
+    /// - Parameters:
+    ///   - certificateChain: The certificates the client will offer during negotiation.
+    ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - serverCertificateVerification: How to verify the server certificate, if one is presented.
+    ///   - trustRoots: The trust roots to be used when verifying server certificates.
+    ///   - serverHostname: An optional server hostname to use when verifying certificates.
+    public init(
+      certificateChain: [TLSConfig.CertificateSource],
+      privateKey: TLSConfig.PrivateKeySource? = nil,
+      serverCertificateVerification: TLSConfig.CertificateVerification,
+      trustRoots: TLSConfig.TrustRootsSource,
+      serverHostname: String? = nil
+    ) {
+      self.certificateChain = certificateChain
+      self.privateKey = privateKey
+      self.serverCertificateVerification = serverCertificateVerification
+      self.trustRoots = trustRoots
+      self.serverHostname = serverHostname
+    }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted:
     /// - `certificateChain` equals `[]`
@@ -263,35 +313,46 @@ extension HTTP2ClientTransport.Posix.Config {
     /// - `trustRoots` equals `systemDefault`
     /// - `serverHostname` equals `nil`
     ///
+    /// - Parameters:
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
-    public static var defaults: Self {
-      Self(
+    public static func defaults(
+      configure: (_ config: inout Self) -> Void = { _ in }
+    ) -> Self {
+      var config = Self(
         certificateChain: [],
         privateKey: nil,
         serverCertificateVerification: .fullVerification,
         trustRoots: .systemDefault,
         serverHostname: nil
       )
+      configure(&config)
+      return config
     }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted to match
     /// the requirements of mTLS:
     /// - `trustRoots` equals `systemDefault`
+    /// - `serverCertificateVerification` equals `fullVerification`
     ///
     /// - Parameters:
     ///   - certificateChain: The certificates the client will offer during negotiation.
     ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
     public static func mTLS(
       certificateChain: [TLSConfig.CertificateSource],
-      privateKey: TLSConfig.PrivateKeySource
+      privateKey: TLSConfig.PrivateKeySource,
+      configure: (_ config: inout Self) -> Void = { _ in }
     ) -> Self {
-      Self(
+      var config = Self(
         certificateChain: certificateChain,
         privateKey: privateKey,
         serverCertificateVerification: .fullVerification,
         trustRoots: .systemDefault
       )
+      configure(&config)
+      return config
     }
   }
 }

Sources/GRPCNIOTransportHTTP2TransportServices/TLSConfig.swift

@@ -45,17 +45,26 @@ extension HTTP2ServerTransport.TransportServices.Config {
     /// If this is set to `true` but the client does not support ALPN, then the connection will be rejected.
     public var requireALPN: Bool
 
+    /// Create a new HTTP2 NIO Transport Services transport TLS config.
+    /// - Parameters:
+    ///   - requireALPN: Whether ALPN is required.
+    ///   - identityProvider: A provider for the `SecIdentity` to be used when setting up TLS.
+    public init(
+      requireALPN: Bool,
+      identityProvider: @Sendable @escaping () throws -> SecIdentity
+    ) {
+      self.requireALPN = requireALPN
+      self.identityProvider = identityProvider
+    }
+
     /// Create a new HTTP2 NIO Transport Services transport TLS config, with some values defaulted:
     /// - `requireALPN` equals `false`
     ///
     /// - Returns: A new HTTP2 NIO Transport Services transport TLS config.
     public static func defaults(
       identityProvider: @Sendable @escaping () throws -> SecIdentity
     ) -> Self {
-      Self(
-        identityProvider: identityProvider,
-        requireALPN: false
-      )
+      Self(requireALPN: false, identityProvider: identityProvider)
     }
   }
 }

Tests/GRPCNIOTransportHTTP2Tests/HTTP2TransportNIOPosixTests.swift

@@ -410,7 +410,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_Defaults() throws {
-    let grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    let grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     let nioSSLTLSConfig = try TLSConfiguration(grpcTLSConfig)
 
     XCTAssertEqual(nioSSLTLSConfig.certificateChain, [])
@@ -422,7 +422,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_CustomCertificateChainAndPrivateKey() throws {
-    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     grpcTLSConfig.certificateChain = [
       .bytes(Array(Self.samplePemCert.utf8), format: .pem)
     ]
@@ -451,7 +451,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_CustomTrustRoots() throws {
-    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     grpcTLSConfig.trustRoots = .certificates([.bytes(Array(Self.samplePemCert.utf8), format: .pem)])
     let nioSSLTLSConfig = try TLSConfiguration(grpcTLSConfig)
 
@@ -467,7 +467,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_CustomCertificateVerification() throws {
-    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     grpcTLSConfig.serverCertificateVerification = .noHostnameVerification
     let nioSSLTLSConfig = try TLSConfiguration(grpcTLSConfig)