TLS support (#159)

* TLS support in the server

* test TLS in integration

Author: alicebob

integration/ephemeral.go

@@ -39,6 +39,20 @@ func RedisCluster() (*ephemeral, string) {
 	return runRedis("cluster-enabled yes\ncluster-config-file nodes.conf")
 }
 
+func RedisTLS() (*ephemeral, string) {
+	port := arbitraryPort()
+	e, _ := runRedis(fmt.Sprintf(
+		`
+			tls-port %d
+			tls-cert-file ../testdata/server.crt
+			tls-key-file ../testdata/server.key
+			tls-ca-cert-file ../testdata/client.crt
+		`,
+		port))
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	return e, addr
+}
+
 func runRedis(extraConfig string) (*ephemeral, string) {
 	port := arbitraryPort()
 
@@ -67,7 +81,7 @@ func runRedis(extraConfig string) (*ephemeral, string) {
 			e := ephemeral(*c)
 			return &e, addr
 		}
-		time.Sleep(1 * time.Millisecond)
+		time.Sleep(3 * time.Millisecond)
 	}
 	panic(fmt.Sprintf("No connection on port %d", port))
 }

integration/get_redis.sh

@@ -9,5 +9,5 @@ mkdir -p ./redis_src/
 cd ./redis_src/
 wget http://download.redis.io/releases/redis-${VERSION}.tar.gz -O ./redis.tar.gz
 tar -xf ./redis.tar.gz
-(cd ./redis-${VERSION}/src/ && make)
+(cd ./redis-${VERSION}/src/ && make BUILD_TLS=yes)
 cp ./redis-${VERSION}/src/redis-server .

integration/server_test.go

@@ -36,3 +36,12 @@ func TestServer(t *testing.T) {
 		fail("FLUSHALL", "ASYNC", "foo"),
 	)
 }
+
+func TestServerTLS(t *testing.T) {
+	testCommandsTLS(t,
+		succ("PING", "foo"),
+
+		succ("SET", "foo", "bar"),
+		succ("GET", "foo"),
+	)
+}

integration/test.go

@@ -139,6 +139,17 @@ func testCommands(t *testing.T, commands ...command) {
 	runCommands(t, sRealAddr, sMini.Addr(), commands)
 }
 
+func testCommandsTLS(t *testing.T, commands ...command) {
+	t.Helper()
+	sMini := miniredis.NewMiniRedis()
+	ok(t, sMini.StartTLS(testServerTLS(t)))
+	defer sMini.Close()
+
+	sReal, sRealAddr := RedisTLS()
+	defer sReal.Close()
+	runCommandsTLS(t, sRealAddr, sMini.Addr(), commands)
+}
+
 // like testCommands, but multiple connections
 func testMultiCommands(t *testing.T, cs ...func(chan<- command, *miniredis.Miniredis)) {
 	t.Helper()
@@ -265,6 +276,30 @@ func runCommands(t *testing.T, realAddr, miniAddr string, commands []command) {
 	}
 }
 
+func runCommandsTLS(t *testing.T, realAddr, miniAddr string, commands []command) {
+	t.Helper()
+	cfg := testClientTLS(t)
+	cMini, err := redis.Dial(
+		"tcp",
+		miniAddr,
+		redis.DialTLSConfig(cfg),
+		redis.DialUseTLS(true),
+	)
+	ok(t, err)
+
+	cReal, err := redis.Dial(
+		"tcp",
+		realAddr,
+		redis.DialTLSConfig(cfg),
+		redis.DialUseTLS(true),
+	)
+	ok(t, err)
+
+	for _, c := range commands {
+		runCommand(t, cMini, cReal, c)
+	}
+}
+
 func runCommand(t *testing.T, cMini, cReal redis.Conn, p command) {
 	t.Helper()
 	var (

integration/tls.go

@@ -0,0 +1,52 @@
+// +build int
+
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"testing"
+)
+
+func testServerTLS(t *testing.T) *tls.Config {
+	cert, err := tls.LoadX509KeyPair("../testdata/server.crt", "../testdata/server.key")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cp := x509.NewCertPool()
+	rootca, err := ioutil.ReadFile("../testdata/client.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !cp.AppendCertsFromPEM(rootca) {
+		t.Fatal("client cert err")
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ServerName:   "Server",
+		ClientCAs:    cp,
+	}
+}
+
+func testClientTLS(t *testing.T) *tls.Config {
+	cert, err := tls.LoadX509KeyPair("../testdata/client.crt", "../testdata/client.key")
+	if err != nil {
+		t.Fatal(err)
+	}
+	cp := x509.NewCertPool()
+	rootca, err := ioutil.ReadFile("../testdata/server.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !cp.AppendCertsFromPEM(rootca) {
+		t.Fatal("server cert err")
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ServerName:   "Server",
+		RootCAs:      cp,
+	}
+}

miniredis.go

@@ -16,6 +16,7 @@ package miniredis
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"math/rand"
 	"strconv"
@@ -117,6 +118,12 @@ func Run() (*Miniredis, error) {
 	return m, m.Start()
 }
 
+// Run creates and Start()s a Miniredis, TLS version.
+func RunTLS(cfg *tls.Config) (*Miniredis, error) {
+	m := NewMiniRedis()
+	return m, m.StartTLS(cfg)
+}
+
 // Start starts a server. It listens on a random port on localhost. See also
 // Addr().
 func (m *Miniredis) Start() error {
@@ -127,6 +134,15 @@ func (m *Miniredis) Start() error {
 	return m.start(s)
 }
 
+// Start starts a server, TLS version.
+func (m *Miniredis) StartTLS(cfg *tls.Config) error {
+	s, err := server.NewServerTLS(fmt.Sprintf("127.0.0.1:%d", m.port), cfg)
+	if err != nil {
+		return err
+	}
+	return m.start(s)
+}
+
 // StartAddr runs miniredis with a given addr. Examples: "127.0.0.1:6379",
 // ":6379", or "127.0.0.1:0"
 func (m *Miniredis) StartAddr(addr string) error {

server/server.go

@@ -2,6 +2,7 @@ package server
 
 import (
 	"bufio"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"strings"
@@ -42,16 +43,27 @@ type Server struct {
 
 // NewServer makes a server listening on addr. Close with .Close().
 func NewServer(addr string) (*Server, error) {
-	s := Server{
-		cmds:  map[string]Cmd{},
-		peers: map[net.Conn]struct{}{},
+	l, err := net.Listen("tcp", addr)
+	if err != nil {
+		return nil, err
 	}
+	return newServer(l), nil
+}
 
-	l, err := net.Listen("tcp", addr)
+func NewServerTLS(addr string, cfg *tls.Config) (*Server, error) {
+	l, err := tls.Listen("tcp", addr, cfg)
 	if err != nil {
 		return nil, err
 	}
-	s.l = l
+	return newServer(l), nil
+}
+
+func newServer(l net.Listener) *Server {
+	s := Server{
+		cmds:  map[string]Cmd{},
+		peers: map[net.Conn]struct{}{},
+		l:     l,
+	}
 
 	s.wg.Add(1)
 	go func() {
@@ -64,7 +76,7 @@ func NewServer(addr string) (*Server, error) {
 		}
 		s.mu.Unlock()
 	}()
-	return &s, nil
+	return &s
 }
 
 // (un)set a hook which is ran before every call. It returns true if the command is done.

server/server_test.go

@@ -1,7 +1,10 @@
 package server
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"reflect"
 	"strconv"
 	"strings"
@@ -157,3 +160,81 @@ func Test(t *testing.T) {
 		}
 	}
 }
+
+func testServerTLS(t *testing.T) *tls.Config {
+	cert, err := tls.LoadX509KeyPair("../testdata/server.crt", "../testdata/server.key")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cp := x509.NewCertPool()
+	rootca, err := ioutil.ReadFile("../testdata/client.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !cp.AppendCertsFromPEM(rootca) {
+		t.Fatal("client cert err")
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ServerName:   "Server",
+		ClientCAs:    cp,
+	}
+}
+
+func testClientTLS(t *testing.T) *tls.Config {
+	cert, err := tls.LoadX509KeyPair("../testdata/client.crt", "../testdata/client.key")
+	if err != nil {
+		t.Fatal(err)
+	}
+	cp := x509.NewCertPool()
+	rootca, err := ioutil.ReadFile("../testdata/server.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !cp.AppendCertsFromPEM(rootca) {
+		t.Fatal("server cert err")
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ServerName:   "Server",
+		RootCAs:      cp,
+	}
+}
+
+func TestTLS(t *testing.T) {
+	s, err := NewServerTLS("127.0.0.1:0", testServerTLS(t))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer s.Close()
+
+	if have := s.Addr().Port; have <= 0 {
+		t.Fatalf("have %v, want > 0", have)
+	}
+
+	s.Register("PING", func(c *Peer, cmd string, args []string) {
+		c.WriteInline("PONG")
+	})
+
+	cfg := testClientTLS(t)
+	c, err := redis.Dial("tcp",
+		s.Addr().String(),
+		redis.DialTLSConfig(cfg),
+		redis.DialUseTLS(true),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	{
+		res, err := redis.String(c.Do("PING"))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if have, want := res, "PONG"; have != want {
+			t.Errorf("have: %s, want: %s", have, want)
+		}
+	}
+}

testdata/Makefile

@@ -0,0 +1,17 @@
+gen:
+	openssl req \
+    	-x509 \
+    	-nodes \
+    	-newkey rsa:2048 \
+    	-keyout server.key \
+    	-out server.crt \
+    	-days 3650 \
+    	-subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=Server"
+	openssl req \
+    	-x509 \
+    	-nodes \
+    	-newkey rsa:2048 \
+    	-keyout client.key \
+    	-out client.crt \
+    	-days 3650 \
+    	-subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=Client"

testdata/client.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUEqYzLKsTOvgGfJ46o9y4GBy+H+UwDQYJKoZIhvcNAQEL
+BQAwcjELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u
+ZG9uMRgwFgYDVQQKDA9HbG9iYWwgU2VjdXJpdHkxFjAUBgNVBAsMDUlUIERlcGFy
+dG1lbnQxDzANBgNVBAMMBkNsaWVudDAeFw0yMDA2MTcxNjMzMDJaFw0zMDA2MTUx
+NjMzMDJaMHIxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcM
+BkxvbmRvbjEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBE
+ZXBhcnRtZW50MQ8wDQYDVQQDDAZDbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDIO3Z3LxdRl8ts+vlNPFzvY0PZ9aiIqWwDA0oaK0wJTC+q669x
+gfm9km2apd5sUNkA8X68DrjVAumK5h8XgA09Rz5j8mYLPoiQfuyXKB2eYLtBl/D+
+yYMU639znXxXCUOw/ZhJ4qqHwcBw0RynKGg1wELTdbG4OMpAz/EEh+/z2mpuryQF
+aFOhVK4AaOBgUdBeyFBOuPtWxzHn0vQPIEM98P3yUFn3IaOSGtChgcy7VbpAH9K2
+18YuBxWNYoabeLQuBk/Jfam+8a+gIY8WUSIw9gGUYIVBpl4Hm/xOYCgmU/SyiEHs
+aQWAuhVtcS+WyHL5RhFiIWSeyK91p4//ZBKtAgMBAAGjUzBRMB0GA1UdDgQWBBT/
+p6iIo0Xy1uXn8FvxPSrzzWKWTzAfBgNVHSMEGDAWgBT/p6iIo0Xy1uXn8FvxPSrz
+zWKWTzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCQ7gHmQjPa
+FLXfrUY24rxggLkQrntGy4ZdKznd3ffduNDW9vc45/kOBSqoECC3a6jadXZltMbq
+G/B3LQH5qNZJf9V0cYCyzSX+M6lENdcakYpHwyz4MOOZRt4nYBe8MUXp3e2YKhvo
+AMPBgUckLV+A1amWhHk/r+3K2uAQwGeEGcn0C+dXBR6rQeWOzuMbqaF5KCDF/Tcc
+KZ2WJMRBr/z7RZuls2KmAxIDPTfUXmRqwwk2+KBp8PleuZ26t4cREEFmf2z+4Npl
+MtVFOElNPMFd+9YUpkOP/LncfFIoLVMy67G/P76fkZ/qT4yA+xx+80MY73LKnOQf
+wA11PFVjhAE0
+-----END CERTIFICATE-----