Merge pull request #6 from nwn2dev/feature/ssl

Final touches to TLS security

Author: scottmunday84

.github/workflows/build.yml

@@ -1,41 +1,36 @@
-name: NWNX4-plugins-xp_rpc
+name: nwnx4-plugin-rpc
 on: [push, pull_request]
 
 jobs:
   build:
     name: Build NWNX4 plugin xp_rpc
     runs-on: windows-latest  # Change the operating system to Windows
+    defaults:
+      run:
+        shell: powershell
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
           submodules: recursive
 
-      - name: Install MSYS2
-        run: |
-          choco install msys2 --params "/NoUpdate"
-
-      - name: Refresh MSYS2 installation
-        run: |
-          RefreshEnv
-          C:\msys64\usr\bin\bash.exe -lc "pacman --noconfirm -Syu"
-
-      - name: Install MinGW-w64 32-bit
-        run: |
-          C:\msys64\usr\bin\bash.exe -lc "pacman --noconfirm -S mingw-w64-i686-toolchain"
+      - name: Setup MSYS2/MinGW-w64 32-bit
+        uses: msys2/setup-msys2@v2
+        with:
+          msystem: UCRT64
+          update: true
+          install: mingw-w64-i686-gcc
 
-      - name: Set MinGW-w64 environment variables
-        run: |
-          ";C:\msys64\mingw32\bin" | Out-File -FilePath $env:GITHUB_PATH -Append            
+      - name: Add MinGW-w64 to path
+        run: echo "${{ runner.temp }}/msys64/mingw32/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: 1.17
 
       - name: Build Win32 x86 DLL for NWNX4
-        shell: powershell
         env:
           GOOS: windows
           GOARCH: 386
@@ -44,7 +39,6 @@ jobs:
         run: go build -ldflags '-s -w -linkmode external -extldflags -static-libgcc -extldflags -static-libstdc++' -o ../dist/xp_rpc.dll -buildmode=c-shared
 
       - name: Copy all necessary files into distribution
-        shell: powershell
         run: |
           Copy-Item -Recurse -Path .\include -Destination .\dist
           Copy-Item -Recurse -Path .\proto -Destination .\dist

README.md

@@ -54,7 +54,8 @@ With a created external application, configure your xp_rpc settings for the clie
 
 ```yaml
 auth:
-  certPath: path/to/cert
+  pfxFilePath: path/to/pfx
+  pfxPassword: password
 log:
   logLevel: info
 perClient:

plugin/go.mod

@@ -4,15 +4,16 @@ go 1.18
 
 require (
 	github.com/sirupsen/logrus v1.9.0
+	golang.org/x/crypto v0.18.0
 	google.golang.org/grpc v1.54.0
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/golang/protobuf v1.5.2 // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
 )

plugin/go.sum

@@ -13,13 +13,15 @@ github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
 google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=

plugin/main.go

@@ -33,7 +33,7 @@ import (
 const pluginID string = "RPC"               // Plugin ID used for identification in the list
 const pluginName string = "NWNX RPC Plugin" // Plugin name passed to hook
 const pluginDescription string = "A better way to integrate services with NWN2"
-const pluginVersion string = "0.5.1" // Plugin version passed to hook
+const pluginVersion string = "0.5.2" // Plugin version passed to hook
 const pluginContact string = "(c) 2021-2024 by ihatemundays ([email protected])"
 
 const logFilename string = "xp_rpc.log"

plugin/rpc_client.go

@@ -17,6 +17,17 @@ type rpcClient struct {
 	scorcoServiceClient pb.SCORCOServiceClient
 }
 
+func newRpcClient(name, url string) *rpcClient {
+	return &rpcClient{
+		isValid:             false,
+		name:                name,
+		url:                 url,
+		exServiceClient:     nil,
+		nwnxServiceClient:   nil,
+		scorcoServiceClient: nil,
+	}
+}
+
 func (c rpcClient) buildGeneric(request *pb.ExBuildGenericRequest, timeout time.Duration) (*pb.ExBuildGenericResponse, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()

plugin/rpc_config.go

@@ -4,7 +4,8 @@ import "time"
 
 type rpcConfig struct {
 	Auth struct {
-		CertPath *string `yaml:"certPath"`
+		PfxFilePath *string `yaml:"pfxFilePath"`
+		PfxPassword *string `yaml:"pfxPassword"`
 	} `yaml:"auth"`
 	Log struct {
 		LogLevel string `yaml:"logLevel" default:"info"`

plugin/rpc_plugin.go

@@ -1,10 +1,14 @@
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/pkcs12"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	pb "nwnx4.org/nwn2dev/xp_rpc/proto"
+	"os"
 	"strings"
 	"time"
 )
@@ -33,7 +37,7 @@ const rpcEndBuildGeneric int32 = 2
 
 type rpcPlugin struct {
 	config                       rpcConfig
-	certPath                     *string
+	creds                        credentials.TransportCredentials
 	clients                      map[string]*rpcClient
 	globalExBuildGenericRequest  *pb.ExBuildGenericRequest
 	globalExBuildGenericResponse *pb.ExBuildGenericResponse
@@ -43,7 +47,7 @@ type rpcPlugin struct {
 func newRpcPlugin() *rpcPlugin {
 	return &rpcPlugin{
 		config:                       rpcConfig{},
-		certPath:                     nil,
+		creds:                        insecure.NewCredentials(),
 		clients:                      make(map[string]*rpcClient),
 		globalExBuildGenericRequest:  newExBuildGenericRequest(),
 		globalExBuildGenericResponse: newExBuildGenericResponse(),
@@ -67,6 +71,49 @@ func newExBuildGenericResponse() *pb.ExBuildGenericResponse {
 func (p *rpcPlugin) init() {
 	log.Info("Initializing RPC plugin")
 
+	// Add a certificate
+	getCredentials := func() {
+		if p.config.Auth.PfxFilePath == nil && p.config.Auth.PfxPassword == nil {
+			log.Info("Using insecure auth. settings")
+
+			return
+		}
+
+		pfxFilePath, pfxPassword := *p.config.Auth.PfxFilePath, ""
+
+		if p.config.Auth.PfxPassword != nil {
+			pfxPassword = *p.config.Auth.PfxPassword
+		}
+
+		// Load the PFX file
+		pfxData, err := os.ReadFile(pfxFilePath)
+		if err != nil {
+			log.Fatalf("Error reading PFX file: %v", err)
+		}
+
+		// Parse the PFX data to get the certificate
+		_, cert, err := pkcs12.Decode(pfxData, pfxPassword)
+		if err != nil {
+			log.Fatalf("Error decoding PFX file: %v", err)
+		}
+
+		// Create a new certificate pool and add the certificate
+		caCertPool := x509.NewCertPool()
+		caCertPool.AddCert(cert)
+
+		// Create a TLS configuration using the parsed certificate
+		tlsConfig := &tls.Config{
+			RootCAs:            caCertPool,
+			InsecureSkipVerify: true,
+		}
+
+		// Create a credentials object from the TLS configuration
+		p.creds = credentials.NewTLS(tlsConfig)
+
+		log.Info("Using secure auth. settings")
+	}
+	getCredentials()
+
 	// Set the log level based on what was passed if it matches a level
 	for _, logLevel := range log.AllLevels {
 		if strings.EqualFold(logLevel.String(), p.config.Log.LogLevel) {
@@ -92,38 +139,12 @@ func (p *rpcPlugin) addRpcClient(name, url string) {
 	// Load the certificate
 	var conn *grpc.ClientConn
 	var err error
-	if p.certPath != nil {
-		creds, err := credentials.NewClientTLSFromFile(*p.certPath, "")
-		if err != nil {
-			log.Errorf("Unable to load certificate: %v", err)
-			p.clients[name] = &rpcClient{
-				isValid:             false,
-				name:                name,
-				url:                 url,
-				exServiceClient:     nil,
-				nwnxServiceClient:   nil,
-				scorcoServiceClient: nil,
-			}
-			return
-		}
-
-		conn, err = grpc.Dial(url, grpc.WithTransportCredentials(creds))
-	} else {
-		conn, err = grpc.Dial(url, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	}
+	conn, err = grpc.Dial(url, grpc.WithTransportCredentials(p.creds))
 
 	// Dial with the loaded certificate
 	if err != nil {
 		log.Errorf("Unable to attach client: %s@%s", name, url)
-
-		p.clients[name] = &rpcClient{
-			isValid:             false,
-			name:                name,
-			url:                 url,
-			exServiceClient:     nil,
-			nwnxServiceClient:   nil,
-			scorcoServiceClient: nil,
-		}
+		p.clients[name] = newRpcClient(name, url)
 
 		return
 	}