Merge pull request #67 from kaleido-io/ws-mtls

feat: Add tls configuration for wsclient upgrade

Author: peterbroadhurst

pkg/fftls/fftls.go

@@ -33,6 +33,10 @@ const (
 )
 
 func ConstructTLSConfig(ctx context.Context, conf config.Section, tlsType string) (*tls.Config, error) {
+	if !conf.GetBool(HTTPConfTLSEnabled) {
+		return nil, nil
+	}
+
 	tlsConfig := &tls.Config{
 		MinVersion: tls.VersionTLS12,
 		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@@ -42,10 +46,6 @@ func ConstructTLSConfig(ctx context.Context, conf config.Section, tlsType string
 		},
 	}
 
-	if !conf.GetBool(HTTPConfTLSEnabled) {
-		return tlsConfig, nil
-	}
-
 	var err error
 	// Support custom CA file
 	var rootCAs *x509.CertPool

pkg/wsclient/wsclient.go

@@ -18,6 +18,7 @@ package wsclient
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"fmt"
 	"io"
@@ -45,6 +46,7 @@ type WSConfig struct {
 	AuthPassword           string             `json:"authPassword,omitempty"`
 	HTTPHeaders            fftypes.JSONObject `json:"headers,omitempty"`
 	HeartbeatInterval      time.Duration      `json:"heartbeatInterval,omitempty"`
+	TLSClientConfig        *tls.Config        `json:"tlsClientConfig,omitempty"`
 }
 
 type WSClient interface {
@@ -96,6 +98,7 @@ func New(ctx context.Context, config *WSConfig, beforeConnect WSPreConnectHandle
 		wsdialer: &websocket.Dialer{
 			ReadBufferSize:  config.ReadBufferSize,
 			WriteBufferSize: config.WriteBufferSize,
+			TLSClientConfig: config.TLSClientConfig,
 		},
 		retry: retry.Retry{
 			InitialDelay: config.InitialDelay,

pkg/wsclient/wsclient_test.go

@@ -18,9 +18,12 @@ package wsclient
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 	"time"
 
@@ -32,6 +35,85 @@ func generateConfig() *WSConfig {
 	return &WSConfig{}
 }
 
+func TestWSClientE2ETLS(t *testing.T) {
+
+	publicKeyFile, privateKeyFile := GenerateTLSCertficates(t)
+	defer os.Remove(privateKeyFile.Name())
+	defer os.Remove(publicKeyFile.Name())
+	toServer, fromServer, url, close, err := NewTestTLSWSServer(func(req *http.Request) {
+		assert.Equal(t, "/test/updated", req.URL.Path)
+	}, publicKeyFile, privateKeyFile)
+	defer close()
+	assert.NoError(t, err)
+
+	first := true
+	beforeConnect := func(ctx context.Context) error {
+		if first {
+			first = false
+			return fmt.Errorf("first run fails")
+		}
+		return nil
+	}
+	afterConnect := func(ctx context.Context, w WSClient) error {
+		return w.Send(ctx, []byte(`after connect message`))
+	}
+
+	// Init clean config
+	wsConfig := generateConfig()
+
+	wsConfig.HTTPURL = url
+	wsConfig.WSKeyPath = "/test"
+	wsConfig.HeartbeatInterval = 50 * time.Millisecond
+	wsConfig.InitialConnectAttempts = 2
+	rootCAs := x509.NewCertPool()
+	caPEM, _ := os.ReadFile(publicKeyFile.Name())
+	ok := rootCAs.AppendCertsFromPEM(caPEM)
+	assert.True(t, ok)
+	cert, err := tls.LoadX509KeyPair(publicKeyFile.Name(), privateKeyFile.Name())
+	assert.NoError(t, err)
+
+	wsConfig.TLSClientConfig = &tls.Config{
+		MinVersion:   tls.VersionTLS12,
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      rootCAs,
+	}
+
+	wsc, err := New(context.Background(), wsConfig, beforeConnect, afterConnect)
+	assert.NoError(t, err)
+
+	//  Change the settings and connect
+	wsc.SetURL(wsc.URL() + "/updated")
+	err = wsc.Connect()
+	assert.NoError(t, err)
+
+	// Receive the message automatically sent in afterConnect
+	message1 := <-toServer
+	assert.Equal(t, `after connect message`, message1)
+
+	// Tell the unit test server to send us a reply, and confirm it
+	fromServer <- `some data from server`
+	reply := <-wsc.Receive()
+	assert.Equal(t, `some data from server`, string(reply))
+
+	// Send some data back
+	err = wsc.Send(context.Background(), []byte(`some data to server`))
+	assert.NoError(t, err)
+
+	// Check the sevrer got it
+	message2 := <-toServer
+	assert.Equal(t, `some data to server`, message2)
+
+	// Check heartbeating works
+	beforePing := time.Now()
+	for wsc.(*wsClient).lastPingCompleted.Before(beforePing) {
+		time.Sleep(10 * time.Millisecond)
+	}
+
+	// Close the client
+	wsc.Close()
+
+}
+
 func TestWSClientE2E(t *testing.T) {
 
 	toServer, fromServer, url, close := NewTestWSServer(func(req *http.Request) {

pkg/wsclient/wsconfig.go

@@ -17,8 +17,11 @@
 package wsclient
 
 import (
+	"context"
+
 	"github.com/hyperledger/firefly-common/pkg/config"
 	"github.com/hyperledger/firefly-common/pkg/ffresty"
+	"github.com/hyperledger/firefly-common/pkg/fftls"
 )
 
 const (
@@ -53,8 +56,8 @@ func InitConfig(conf config.Section) {
 	conf.AddKnownKey(WSConfigHeartbeatInterval, defaultHeartbeatInterval)
 }
 
-func GenerateConfig(conf config.Section) *WSConfig {
-	return &WSConfig{
+func GenerateConfig(ctx context.Context, conf config.Section) (*WSConfig, error) {
+	wsConfig := &WSConfig{
 		HTTPURL:                conf.GetString(ffresty.HTTPConfigURL),
 		WSKeyPath:              conf.GetString(WSConfigKeyPath),
 		ReadBufferSize:         int(conf.GetByteSize(WSConfigKeyReadBufferSize)),
@@ -67,4 +70,13 @@ func GenerateConfig(conf config.Section) *WSConfig {
 		AuthPassword:           conf.GetString(ffresty.HTTPConfigAuthPassword),
 		HeartbeatInterval:      conf.GetDuration(WSConfigHeartbeatInterval),
 	}
+	tlsSection := conf.SubSection("tls")
+	tlsClientConfig, err := fftls.ConstructTLSConfig(ctx, tlsSection, fftls.ClientType)
+	if err != nil {
+		return nil, err
+	}
+
+	wsConfig.TLSClientConfig = tlsClientConfig
+
+	return wsConfig, nil
 }

pkg/wsclient/wsconfig_test.go

@@ -1,11 +1,13 @@
 package wsclient
 
 import (
+	"context"
 	"testing"
 	"time"
 
 	"github.com/hyperledger/firefly-common/pkg/config"
 	"github.com/hyperledger/firefly-common/pkg/ffresty"
+	"github.com/hyperledger/firefly-common/pkg/fftls"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -32,7 +34,9 @@ func TestWSConfigGeneration(t *testing.T) {
 	utConf.Set(WSConfigKeyInitialConnectAttempts, 1)
 	utConf.Set(WSConfigKeyPath, "/websocket")
 
-	wsConfig := GenerateConfig(utConf)
+	ctx := context.Background()
+	wsConfig, err := GenerateConfig(ctx, utConf)
+	assert.NoError(t, err)
 
 	assert.Equal(t, "http://test:12345", wsConfig.HTTPURL)
 	assert.Equal(t, "user", wsConfig.AuthUsername)
@@ -45,3 +49,15 @@ func TestWSConfigGeneration(t *testing.T) {
 	assert.Equal(t, 1024, wsConfig.ReadBufferSize)
 	assert.Equal(t, 1024, wsConfig.WriteBufferSize)
 }
+
+func TestWSConfigTLSGenerationFail(t *testing.T) {
+	resetConf()
+
+	tlsSection := utConf.SubSection("tls")
+	tlsSection.Set(fftls.HTTPConfTLSEnabled, true)
+	tlsSection.Set(fftls.HTTPConfTLSCAFile, "bad-ca")
+
+	ctx := context.Background()
+	_, err := GenerateConfig(ctx, utConf)
+	assert.Regexp(t, "FF00153", err)
+}

pkg/wsclient/wstestserver.go

@@ -1,4 +1,4 @@
-// Copyright © 2022 Kaleido, Inc.
+// Copyright © 2023 Kaleido, Inc.
 //
 // SPDX-License-Identifier: Apache-2.0
 //
@@ -17,13 +17,125 @@
 package wsclient
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
+	"math/big"
+	"net"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"testing"
+	"time"
 
 	"github.com/gorilla/websocket"
+	"github.com/stretchr/testify/assert"
 )
 
+// GenerateTLSCertificates creates a key pair for server and client auth
+func GenerateTLSCertficates(t *testing.T) (publicKeyFile *os.File, privateKeyFile *os.File) {
+	// Create an X509 certificate pair
+	privatekey, _ := rsa.GenerateKey(rand.Reader, 2048)
+	publickey := &privatekey.PublicKey
+	var privateKeyBytes = x509.MarshalPKCS1PrivateKey(privatekey)
+	privateKeyFile, _ = os.CreateTemp("", "key.pem")
+	privateKeyBlock := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes}
+	err := pem.Encode(privateKeyFile, privateKeyBlock)
+	assert.NoError(t, err)
+	serialNumber, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	x509Template := &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Unit Tests"},
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(1000 * time.Second),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
+	}
+	derBytes, err := x509.CreateCertificate(rand.Reader, x509Template, x509Template, publickey, privatekey)
+	assert.NoError(t, err)
+	publicKeyFile, _ = os.CreateTemp("", "cert.pem")
+	err = pem.Encode(publicKeyFile, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	assert.NoError(t, err)
+
+	return publicKeyFile, privateKeyFile
+}
+
+// NewTestTLSWSServer creates a little test server for packages (including wsclient itself) to use in unit tests
+// and secured with mTLS by passing in a key pair
+func NewTestTLSWSServer(testReq func(req *http.Request), publicKeyFile *os.File, privateKeyFile *os.File) (toServer, fromServer chan string, url string, done func(), err error) {
+	upgrader := &websocket.Upgrader{WriteBufferSize: 1024, ReadBufferSize: 1024}
+	toServer = make(chan string, 1)
+	fromServer = make(chan string, 1)
+	sendDone := make(chan struct{})
+	receiveDone := make(chan struct{})
+	connected := false
+
+	handlerFunc := http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
+		if testReq != nil {
+			testReq(req)
+		}
+		if connected {
+			// test server only handles one open connection, as it only has one set of channels
+			res.WriteHeader(409)
+			return
+		}
+		ws, _ := upgrader.Upgrade(res, req, http.Header{})
+		go func() {
+			defer close(receiveDone)
+			for {
+				_, data, err := ws.ReadMessage()
+				if err != nil {
+					return
+				}
+				toServer <- string(data)
+			}
+		}()
+		go func() {
+			defer close(sendDone)
+			defer ws.Close()
+			for data := range fromServer {
+				_ = ws.WriteMessage(websocket.TextMessage, []byte(data))
+			}
+		}()
+		connected = true
+	})
+
+	svr := httptest.NewUnstartedServer(handlerFunc)
+
+	cert, err := tls.LoadX509KeyPair(publicKeyFile.Name(), privateKeyFile.Name())
+	if err != nil {
+		return toServer, fromServer, "", nil, err
+	}
+	rootCAs := x509.NewCertPool()
+	caPEM, _ := os.ReadFile(publicKeyFile.Name())
+	rootCAs.AppendCertsFromPEM(caPEM)
+	svr.TLS = &tls.Config{
+		MinVersion:   tls.VersionTLS12,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		Certificates: []tls.Certificate{cert},
+		ClientCAs:    rootCAs,
+	}
+	svr.StartTLS()
+	addr := svr.Listener.Addr()
+
+	return toServer, fromServer, fmt.Sprintf("wss://%s", addr), func() {
+		close(fromServer)
+		svr.Close()
+		if connected {
+			<-sendDone
+			<-receiveDone
+		}
+	}, nil
+}
+
 // NewTestWSServer creates a little test server for packages (including wsclient itself) to use in unit tests
 func NewTestWSServer(testReq func(req *http.Request)) (toServer, fromServer chan string, url string, done func()) {
 	upgrader := &websocket.Upgrader{WriteBufferSize: 1024, ReadBufferSize: 1024}