Merge branch 'ssl' of https://github.com/tarcieri/redis-rb into 3.3

Author: djanowski

README.md

@@ -222,6 +222,46 @@ end
 
 See lib/redis/errors.rb for information about what exceptions are possible.
 
+## SSL/TLS Support
+
+This library supports natively terminating client side SSL/TLS connections
+when talking to Redis via a server-side proxy such as [stunnel], [hitch],
+or [ghostunnel].
+
+To enable SSL support, pass the `:ssl => :true` option when configuring the
+Redis client, or pass in `:url => "rediss://..."` (like HTTPS for Redis).
+You will also need to pass in an `:ssl_params => { ... }` hash used to
+configure the `OpenSSL::SSL::SSLContext` object used for the connection:
+
+```ruby
+redis = Redis.new(:url => "rediss://:[email protected]:6381/15", :ssl_params => { :ca_file => "/path/to/ca.crt" })
+```
+
+The options given to `:ssl_params` are passed directly to the
+`OpenSSL::SSL::SSLContext#set_params` method and can be any valid attribute
+of the SSL context. Please see the [OpenSSL::SSL::SSLContext documentation]
+for all of the available attributes.
+
+Here is an example of passing in params that can be used for SSL client
+certificate authentication (a.k.a. mutual TLS):
+
+```ruby
+redis = Redis.new(
+  :url => "rediss://:[email protected]:6381/15",
+  :ssl_params => {
+    :ca_file => "/path/to/ca.crt",
+    :cert    => OpenSSL::X509::Certificate.new(File.read("client.crt")),
+    :key     => OpenSSL::PKey::RSA.new(File.read("client.key"))
+  }
+)
+```
+
+[stunnel]: https://www.stunnel.org/
+[hitch]: https://hitch-tls.org/
+[ghostunnel]: https://github.com/square/ghostunnel
+[OpenSSL::SSL::SSLContext documentation]: http://ruby-doc.org/stdlib-2.3.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
+
+*NOTE:* SSL is only supported by the default "Ruby" driver
 
 ## Timeouts
 

lib/redis/client.rb

@@ -405,7 +405,7 @@ def _parse_options(options)
 
         if uri.scheme == "unix"
           defaults[:path]   = uri.path
-        elsif uri.scheme == "redis"
+        elsif uri.scheme == "redis" || uri.scheme == "rediss"
           defaults[:scheme]   = uri.scheme
           defaults[:host]     = uri.host if uri.host
           defaults[:port]     = uri.port if uri.port
@@ -415,6 +415,8 @@ def _parse_options(options)
         else
           raise ArgumentError, "invalid uri scheme '#{uri.scheme}'"
         end
+
+        defaults[:ssl] = true if uri.scheme == "rediss"
       end
 
       # Use default when option is not specified or nil

lib/redis/connection/hiredis.rb

@@ -13,6 +13,8 @@ def self.connect(config)
 
         if config[:scheme] == "unix"
           connection.connect_unix(config[:path], connect_timeout)
+        elsif config[:scheme] == "rediss" || config[:ssl]
+          raise NotImplementedError, "SSL not supported by hiredis driver"
         else
           connection.connect(config[:host], config[:port], connect_timeout)
         end

lib/redis/connection/ruby.rb

@@ -4,12 +4,22 @@
 require "socket"
 require "timeout"
 
+begin
+  require "openssl"
+rescue LoadError
+  # Not all systems have OpenSSL support
+end
+
 class Redis
   module Connection
     module SocketMixin
 
       CRLF = "\r\n".freeze
 
+      # Exceptions raised during non-blocking I/O ops that require retrying the op
+      NBIO_EXCEPTIONS = [Errno::EWOULDBLOCK, Errno::EAGAIN]
+      NBIO_EXCEPTIONS << IO::WaitReadable if RUBY_VERSION >= "1.9.3"
+
       def initialize(*args)
         super(*args)
 
@@ -54,10 +64,11 @@ def gets
       end
 
       def _read_from_socket(nbytes)
+
         begin
           read_nonblock(nbytes)
 
-        rescue Errno::EWOULDBLOCK, Errno::EAGAIN
+        rescue *NBIO_EXCEPTIONS
           if IO.select([self], nil, nil, @timeout)
             retry
           else
@@ -209,6 +220,27 @@ def self.connect(path, timeout)
 
     end
 
+    if defined?(OpenSSL)
+      class SSLSocket < ::OpenSSL::SSL::SSLSocket
+        include SocketMixin
+
+        def self.connect(host, port, timeout, ssl_params)
+          # Note: this is using Redis::Connection::TCPSocket
+          tcp_sock = TCPSocket.connect(host, port, timeout)
+
+          ctx = OpenSSL::SSL::SSLContext.new
+          ctx.set_params(ssl_params) if ssl_params && !ssl_params.empty?
+
+          ssl_sock = new(tcp_sock, ctx)
+          ssl_sock.hostname = host
+          ssl_sock.connect
+          ssl_sock.post_connection_check(host)
+
+          ssl_sock
+        end
+      end
+    end
+
     class Ruby
       include Redis::Connection::CommandHelper
 
@@ -220,7 +252,10 @@ class Ruby
 
       def self.connect(config)
         if config[:scheme] == "unix"
+          raise ArgumentError, "SSL incompatible with unix sockets" if config[:ssl]
           sock = UNIXSocket.connect(config[:path], config[:connect_timeout])
+        elsif config[:scheme] == "rediss" || config[:ssl]
+          sock = SSLSocket.connect(config[:host], config[:port], config[:connect_timeout], config[:ssl_params])
         else
           sock = TCPSocket.connect(config[:host], config[:port], config[:connect_timeout])
         end

lib/redis/connection/synchrony.rb

@@ -68,6 +68,8 @@ class Synchrony
       def self.connect(config)
         if config[:scheme] == "unix"
           conn = EventMachine.connect_unix_domain(config[:path], RedisClient)
+        elsif config[:scheme] == "rediss" || config[:ssl]
+          raise NotImplementedError, "SSL not supported by synchrony driver"
         else
           conn = EventMachine.connect(config[:host], config[:port], RedisClient) do |c|
             c.pending_connect_timeout = [config[:connect_timeout], 0.1].max

test/ssl_test.rb

@@ -0,0 +1,66 @@
+# encoding: UTF-8
+
+if RUBY_VERSION >= "1.9.3"
+  require File.expand_path("helper", File.dirname(__FILE__))
+
+  class SslTest < Test::Unit::TestCase
+
+    include Helper::Client
+
+    driver(:ruby) do
+
+      def test_verified_ssl_connection
+        RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("trusted")) do |port|
+          redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })
+          assert_equal redis.ping, "PONG"
+        end
+      end
+
+      def test_unverified_ssl_connection
+        assert_raise(OpenSSL::SSL::SSLError) do
+          RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("untrusted")) do |port|
+            redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })
+            redis.ping
+          end
+        end
+      end
+
+    end
+
+    driver(:hiredis, :synchrony) do
+
+      def test_ssl_not_implemented_exception
+        assert_raise(NotImplementedError) do
+          RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("trusted")) do |port|
+            redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })
+            redis.ping
+          end
+        end
+      end
+
+    end
+
+    private
+
+    def ssl_server_opts(prefix)
+      ssl_cert = File.join(cert_path, "#{prefix}-cert.crt")
+      ssl_key  = File.join(cert_path, "#{prefix}-cert.key")
+
+      {
+        :ssl => true,
+        :ssl_params => {
+          :cert => OpenSSL::X509::Certificate.new(File.read(ssl_cert)),
+          :key  => OpenSSL::PKey::RSA.new(File.read(ssl_key))
+        }
+      }
+    end
+
+    def ssl_ca_file
+      File.join(cert_path, "trusted-ca.crt")
+    end
+
+    def cert_path
+      File.expand_path("../support/ssl/", __FILE__)
+    end
+  end
+end

test/support/redis_mock.rb

@@ -3,8 +3,19 @@
 module RedisMock
   class Server
     def initialize(options = {}, &block)
-      @server = TCPServer.new(options[:host] || "127.0.0.1", 0)
-      @server.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
+      tcp_server = TCPServer.new(options[:host] || "127.0.0.1", 0)
+      tcp_server.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
+
+      if options[:ssl]
+        ctx = OpenSSL::SSL::SSLContext.new
+
+        ssl_params = options.fetch(:ssl_params, {})
+        ctx.set_params(ssl_params) unless ssl_params.empty?
+
+        @server = OpenSSL::SSL::SSLServer.new(tcp_server, ctx)
+      else
+        @server = tcp_server
+      end
     end
 
     def port

test/support/ssl/gen_certs.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+get_subject() {
+  if [ "$1" = "trusted" ]
+  then
+    echo "/C=IT/ST=Sicily/L=Catania/O=Redis/OU=Security/CN=127.0.0.1"
+  else
+    echo "/C=XX/ST=Untrusted/L=Evilville/O=Evil Hacker/OU=Attack Department/CN=127.0.0.1"
+  fi
+}
+
+# Generate two CAs: one to be considered trusted, and one that's untrusted
+for type in trusted untrusted; do
+  rm -rf ./demoCA
+  mkdir -p ./demoCA
+  mkdir -p ./demoCA/certs
+  mkdir -p ./demoCA/crl
+  mkdir -p ./demoCA/newcerts
+  mkdir -p ./demoCA/private
+  touch ./demoCA/index.txt
+
+  openssl genrsa -out ${type}-ca.key 2048
+  openssl req -new -x509 -days 12500 -key ${type}-ca.key -out ${type}-ca.crt -subj "$(get_subject $type)"
+  openssl x509 -in ${type}-ca.crt -noout -next_serial -out ./demoCA/serial
+
+  openssl req -newkey rsa:2048 -keyout ${type}-cert.key -nodes -out ${type}-cert.req -subj "$(get_subject $type)"
+  openssl ca -days 12500 -cert ${type}-ca.crt -keyfile ${type}-ca.key -out ${type}-cert.crt -infiles ${type}-cert.req
+  rm ${type}-cert.req
+done
+
+rm -rf ./demoCA

test/support/ssl/trusted-ca.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIJAM7kyjC89Qj/MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
+BAYTAklUMQ8wDQYDVQQIEwZTaWNpbHkxEDAOBgNVBAcTB0NhdGFuaWExDjAMBgNV
+BAoTBVJlZGlzMREwDwYDVQQLEwhTZWN1cml0eTESMBAGA1UEAxMJMTI3LjAuMC4x
+MCAXDTE2MDQwMjAzMzQ0MVoYDzIwNTAwNjIzMDMzNDQxWjBnMQswCQYDVQQGEwJJ
+VDEPMA0GA1UECBMGU2ljaWx5MRAwDgYDVQQHEwdDYXRhbmlhMQ4wDAYDVQQKEwVS
+ZWRpczERMA8GA1UECxMIU2VjdXJpdHkxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMeibFqEG38mtN9DSXy6NZdd7AjH
+4/D+VdDzlbJlI5IBACCV9p6P2j5PFlFvkHFE6vr6biMaLXNAmUHYfDzeT95LODHH
+t+8HlR51cNYrnt9B3eiVwEnJ7+axuDHg6nUgLXeKeog+vEqreZwLnFibxt2qpFze
+xzyKJ37Pm+iAey5glCc/v7ECYQ4sWVVV+ciC+sAwmZDfZXCBQtRRokJ6ikqQDwWV
+DugGcV46feTpu79OmkLLM8PI3E7ow2F/3iv67gmdlO5m9wX1ahWzJKUapBTxgf4X
+QG0s60WbC9iJIvgXRGW7wWSsqSVJkfLYllDTPgfpLyl1+FR3A4awrsPiMVUCAwEA
+AaOBzDCByTAdBgNVHQ4EFgQU+YG9kJR3Vy31d7QVyxRAYyKTK18wgZkGA1UdIwSB
+kTCBjoAU+YG9kJR3Vy31d7QVyxRAYyKTK1+ha6RpMGcxCzAJBgNVBAYTAklUMQ8w
+DQYDVQQIEwZTaWNpbHkxEDAOBgNVBAcTB0NhdGFuaWExDjAMBgNVBAoTBVJlZGlz
+MREwDwYDVQQLEwhTZWN1cml0eTESMBAGA1UEAxMJMTI3LjAuMC4xggkAzuTKMLz1
+CP8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAeFKB7DUixmxbdvNw
+n/mNoHK+OOZXmfxZDCo0v2gcQ4WXUiCqL6MagrImCvkEz5RL6Fk2ZflEV2iGQ5Ds
+CmF2n47ISpqG29bfI5R1rcbfqK/5tazUIhQu12ThNmkEh7hCuW/0LqJrnmxpuRLy
+le9e3svCC96lwjFczzU/utWurKt7S7Di3C4P+AXAJJuszDMLMCBLaB/3j24cNpOx
+zzeZo02x4rpsD2+MMfRDWMWezVEyk63KnI0kt3JGnepsKCFc48ZOk09LwFk3Rfaq
+zuKSgEJJw1mfsdBfysM0HQw20yyjSdoTEfQq3bXctTNi+pEOgW6x7TMsnngYYLXV
+9XTrpg==
+-----END CERTIFICATE-----

test/support/ssl/trusted-ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAx6JsWoQbfya030NJfLo1l13sCMfj8P5V0POVsmUjkgEAIJX2
+no/aPk8WUW+QcUTq+vpuIxotc0CZQdh8PN5P3ks4Mce37weVHnVw1iue30Hd6JXA
+Scnv5rG4MeDqdSAtd4p6iD68Sqt5nAucWJvG3aqkXN7HPIonfs+b6IB7LmCUJz+/
+sQJhDixZVVX5yIL6wDCZkN9lcIFC1FGiQnqKSpAPBZUO6AZxXjp95Om7v06aQssz
+w8jcTujDYX/eK/ruCZ2U7mb3BfVqFbMkpRqkFPGB/hdAbSzrRZsL2Iki+BdEZbvB
+ZKypJUmR8tiWUNM+B+kvKXX4VHcDhrCuw+IxVQIDAQABAoIBAQCzbGHiQJXOA+XQ
+O9OSjHGaJ8n6Yl2VvaE3eZXzjj8X/Fo271GGVVgbZE10x8aUZxKim+3dEqwCx+52
+ZbHTqyMxcX2CEDRaWwBFLdxKQU467iIZ5m26ZAp/1v7rpXBT8KWsqQNT7L6ihdd4
+zl6orOlhVPsAlSGQYcL5kHJZ1w/fL0phEbwdISd3PYhGHXMNmqfXorzJYHDQA4R+
+yR7WpP1dmnUeEKrHc9FFcBZ75BGlWjdCPZMFKc7IndZumarhBpWH9yZMUxrUIo4V
+SCweRUFdD5H1lMZ0YiIAE25wKNEQ2iGd3Jfr8Vj1KFSHC9I2FJA3aFRRUgTwxx/W
+h0mJy1ZJAoGBAPYsSSlwQdxZjnyZiVkNSD4MoLdof//nRxeKGejq6AiXDvcsLyJy
+0MKk4YBFw2249TWm/KBbMAFiBE7d8uPtP5pPfjNVPX6VltH3AhSZ7Ugbpo6C3NFA
+GpzFVtNaWgCVDloDVdmsY7ssDFuAIih0paklPAqnLY+Ua9m1BiEPrB+bAoGBAM+a
+i+0NMR4AyKpuo1exdd+7BIHw5HNPwGmR1ggdGWduH0zsOhEawQKKFv1X9xKAcXxW
+PyeD56/Tmn7fkWvuE8dOu9E6em0vgmxhYyn4nyLAFYF5uKXYo78MpIEThdpl1ldT
+iHwG/25vunaBUHhwbHPUD+F989tmRuCjoFkuA5nPAoGAaqPIlcDhZvkMtoE0dHVC
+hE6oGIuWV17y9wmGK9YG6iG2A/EKAhxGvur6HL0b6Z4j6zgJW9Xkt9SkFR4kqAQQ
+d2JUQxx75SgcC5y7M/1yQrhnsHiT+7mPTbZW5HvRXUs0yl2DhSYeleiA+epJ4ciW
+Mu3EUsEVBYvAJLE8lHnbkF0CgYEAhyxpz3+3a4G3JsHDOWYjCfoLhVAEb9CNyC9c
+3QuVbvMVDlEBvgFdivm+3lZYWYOoYP0HQgNw59svzUxks5Hg7vUk9abN8CnvEgKX
+PszTUR0g450NzW6xr8PbmO/NR9bnKRUK2Tb1OkMldePdMY6CDykU7g3EqiZ+H+Zq
+kaaUUaECgYEAmk5W+S94q5jLemnfAChC5lva/0/aHdhtaoH4Lo+j0haMsdiy8/ZE
+sh+3gQ8pqwaCAwnKxAcppt/FNZ7tHRsH3oyY6biypn3WppQj+BA41nuzbspOKJhR
+ZDXKFCItbzUjyi23Dx4P4DgMivkpV+e88RMIuBnv4yjl5iOLq+vf4Rg=
+-----END RSA PRIVATE KEY-----