Merge pull request #10 from FortnoxAB/feature/tls

Support TLS

Author: jonaz

cmd/gmc/main.go

@@ -50,6 +50,10 @@ func app() *cli.App {
 			Value: "info",
 			Usage: "available levels are: " + strings.Join(getLevels(), ","),
 		},
+		&cli.BoolFlag{
+			Name:  "log-json",
+			Usage: "log in json",
+		},
 	}
 
 	app.Commands = []*cli.Command{
@@ -155,10 +159,23 @@ func app() *cli.App {
 					Value: "8080",
 					Usage: "webserver port to listen to",
 				},
+				&cli.StringFlag{
+					Name:  "tls-port",
+					Value: "8443",
+					Usage: "tls webserver port to listen to",
+				},
 				&cli.StringFlag{
 					Name:  "redis-url",
 					Usage: "redis url, ex redis://[[username]:[password]]@localhost:6379/0 or rediss://[[username]:[password]]@localhost:6379/0 for tls/ssl connections",
 				},
+				&cli.StringFlag{
+					Name:  "tls-cert",
+					Usage: "path to tls cert",
+				},
+				&cli.StringFlag{
+					Name:  "tls-key",
+					Usage: "path to tls key",
+				},
 			},
 		},
 		{
@@ -315,6 +332,9 @@ func globalBefore(c *cli.Context) error {
 		fmt.Fprintf(os.Stderr, "using loglevel: %s\n", lvl.String())
 	}
 	logrus.SetLevel(lvl)
+	if c.Bool("log-json") {
+		logrus.SetFormatter(&logrus.JSONFormatter{})
+	}
 	return nil
 }
 

e2e/cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDsDCCApigAwIBAgIUFRSYcI0Hw9U+pu1PsesHunDy+2EwDQYJKoZIhvcNAQEL
+BQAweDELMAkGA1UEBhMCWFgxDDAKBgNVBAgMA04vQTEMMAoGA1UEBwwDTi9BMSAw
+HgYDVQQKDBdTZWxmLXNpZ25lZCBjZXJ0aWZpY2F0ZTErMCkGA1UEAwwiMTIwLjAu
+MC4xOiBTZWxmLXNpZ25lZCBjZXJ0aWZpY2F0ZTAeFw0yNTAzMjAwODI3MjFaFw0z
+NTAzMTgwODI3MjFaMHgxCzAJBgNVBAYTAlhYMQwwCgYDVQQIDANOL0ExDDAKBgNV
+BAcMA04vQTEgMB4GA1UECgwXU2VsZi1zaWduZWQgY2VydGlmaWNhdGUxKzApBgNV
+BAMMIjEyMC4wLjAuMTogU2VsZi1zaWduZWQgY2VydGlmaWNhdGUwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGRJ5iehfHEbpbpzhFljGTfOvPAB1IAR56
+R74yTt/q0b2b6InYEfYRFI4Phx3TqLtlXEv5sxcSu6v808TImHrCe3ejbDiBZspi
+Sndngj8FKgKhqFCjqYxBNWZw/CyqbE4uBWWhC+gXQ7i8iyeLyYvs4hfhMinVfMd+
+Edqaw/sYQK4liETtk+A7FTyI7vKQltV0kfOfqIR3UT4qDwocS2oarRZ0SeXy9tmE
+YrHOmC0TzEpB1GucJjoHkyDoUDi8d0RSjfFGaxfCSBbHoJQwa0outjMnFInUvFjM
+/oF86dCZf3A8bMleqF3vS9SFxE0EYZwzMJVXEcWZcQgniQLkka5FAgMBAAGjMjAw
+MA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0OBBYEFOeuMeGUQ1r0ynilKh6gaOb2CAcs
+MA0GCSqGSIb3DQEBCwUAA4IBAQAHFX8UI7UPmAV1/8AwAcHUmi8es+RYQw5HszIP
+PYna5S0I6blHg8aUaEeMF7oUw8Yt0lZDB05tnshIm2QN62OpuJCgoUAWZ3vc4wo2
+dtlGbAtbh9q++5bOSCniKb/QjK7d+2w3G8Gc1Ba+9zhBls6rr4NkW46F6ydhqUZ5
+QTnPyfHYoNRS3s4micSDHYXHzIGfjeDelvS9ePGXgez/dCrZSLejNQFLShW2qMui
+i5ZayvQy5I3SierhwyZ4dlgsUVbiwfs6TKOXw6fWTm46+UOfBWKOAeVMDc381+m4
+2EerEPYXwJAGHP1tUocLYanD8pI++BJSUMPY+Ii5HNduGl+y
+-----END CERTIFICATE-----

e2e/e2e_test.go

@@ -130,7 +130,7 @@ spec:
 	assert.NoError(t, err)
 	assert.EqualValues(t, "filecontentishere\n", content)
 
-	time.Sleep(time.Second)
+	time.Sleep(time.Second * 1)
 	cancel()
 	c.wg.Wait()
 }
@@ -236,13 +236,13 @@ spec:
 	c.waitForAccepted()
 
 	err = os.WriteFile("./adminConfig", []byte(fmt.Sprintf(`
-		{"masters":[{"name":"http://127.0.0.1:%s","zone":"zone1"}],
-		"token":"%s"}`, c.master.WsPort, c.client.Token)), 0666)
+		{"masters":[{"name":"https://127.0.0.1:%s","zone":"zone1"}],
+		"token":"%s"}`, c.master.WsTLSPort, c.client.Token)), 0666)
 	assert.NoError(t, err)
 
 	stdout := captureStdout()
 
-	a := admin.NewAdmin("./adminConfig", "", "")
+	a := admin.NewAdmin("./adminConfig", "", "", admin.WithTLSConfig(trustCert("./cert.pem")))
 	err = a.Exec(context.TODO(), "uptime")
 	assert.NoError(t, err)
 
@@ -282,16 +282,16 @@ spec:
 	c.waitForAccepted()
 
 	err = os.WriteFile("./adminConfig", []byte(fmt.Sprintf(`
-		{"masters":[{"name":"http://127.0.0.1:%s","zone":"zone1"}],
-		"token":"%s"}`, c.master.WsPort, "blaha")), 0666)
+		{"masters":[{"name":"https://127.0.0.1:%s","zone":"zone1"}],
+		"token":"%s"}`, c.master.WsTLSPort, "blaha")), 0666)
 	assert.NoError(t, err)
 
 	buf := &bytes.Buffer{}
 	logrus.SetFormatter(&logrus.TextFormatter{
 		DisableColors: true,
 	})
 	logrus.SetOutput(buf)
-	a := admin.NewAdmin("./adminConfig", "", "")
+	a := admin.NewAdmin("./adminConfig", "", "", admin.WithTLSConfig(trustCert("./cert.pem")))
 	err = a.Exec(context.TODO(), "uptime")
 	assert.Equal(t, "websocket: bad handshake", err.Error())
 
@@ -328,7 +328,7 @@ spec:
 
 	buf := &bytes.Buffer{}
 	logrus.SetOutput(buf)
-	a := admin.NewAdmin("./agentConfig", "", "")
+	a := admin.NewAdmin("./agentConfig", "", "", admin.WithTLSConfig(trustCert("./cert.pem")))
 	err = a.Exec(context.TODO(), "uptime")
 	assert.NoError(t, err)
 
@@ -372,8 +372,8 @@ spec:
 	c.waitForAccepted()
 
 	err = os.WriteFile("./adminConfig", []byte(fmt.Sprintf(`
-		{"masters":[{"name":"http://127.0.0.1:%s","zone":"zone1"}],
-		"token":"%s"}`, c.master.WsPort, c.client.Token)), 0666)
+		{"masters":[{"name":"https://127.0.0.1:%s","zone":"zone1"}],
+		"token":"%s"}`, c.master.WsTLSPort, c.client.Token)), 0666)
 	assert.NoError(t, err)
 
 	var content []byte
@@ -406,7 +406,7 @@ spec:
 
 	stdout := captureStdout()
 
-	a := admin.NewAdmin("./adminConfig", "", "")
+	a := admin.NewAdmin("./adminConfig", "", "", admin.WithTLSConfig(trustCert("./cert.pem")))
 	err = a.Apply(ctx, []string{"newspec.yml"})
 	assert.NoError(t, err)
 

e2e/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGRJ5iehfHEbpb
+pzhFljGTfOvPAB1IAR56R74yTt/q0b2b6InYEfYRFI4Phx3TqLtlXEv5sxcSu6v8
+08TImHrCe3ejbDiBZspiSndngj8FKgKhqFCjqYxBNWZw/CyqbE4uBWWhC+gXQ7i8
+iyeLyYvs4hfhMinVfMd+Edqaw/sYQK4liETtk+A7FTyI7vKQltV0kfOfqIR3UT4q
+DwocS2oarRZ0SeXy9tmEYrHOmC0TzEpB1GucJjoHkyDoUDi8d0RSjfFGaxfCSBbH
+oJQwa0outjMnFInUvFjM/oF86dCZf3A8bMleqF3vS9SFxE0EYZwzMJVXEcWZcQgn
+iQLkka5FAgMBAAECggEAFZ1ZdFGXJ1lOwGXZ2Uw8b2BzsgdzKcG6zt3kuvClB0vX
+qJg7SYD7xcpAin99HZwMLKAD8F7j1GOn+6d35oko/kFzk4SyzE37y6dj87bb+Ut7
+1J/YMAobLj4MwviFmLa3TIZuGUExC4g91YreGXveyJ5auBmTPKDz0VH6S7EIk2YY
+nUrGBO1LJyunaObtxPELZlu4cDs/wFaRRSY+z065ETFx/LE/jJ0XGwBZrBWFw8tZ
+qwNqHcfR39XR5NpzqfY94pTbwMrnzJ6Ahl9+ppn84JM1RMg5ijJgsF/FUC7yxPP9
+8HrLz6Oz4YGrRIerYmrApqWv27sOlTUViJLXCSGF6QKBgQDnMttqawya8dMbV9o8
+4ZFkadNPcAQ0TusBtipygBh/uUuIXnwXGFDDeNevNNgE27bXzhQDVdUcdUQxMk/I
+MioQS790r3UpYE5ZLt70lncX8Z38+f8bDTEtuWAaRe2ECCVSNI20nK9iKlSu3Vv4
++j8LFT/nZ9cJ8z06YPm4c4OjuwKBgQDbiW0HC+enKNy1FPQUWobTpWwnZpHlii62
+VfSlXIIcwv1y659czBo2VmCiRYFQqSyKnPE3YeKT2Y0ZzNNYhMl4aQdBN+nYzj7s
+yl6ZDYWFcRgZCLKZeY36p3DQRc9nlnwBWV9STLQV+mrabf5R0KIoiTrOtG8VK1aO
+oUIf/rXV/wKBgQDSYLm9/UkMGS7C+88vhQZa+9z3tPNucb1w4kV/yUYBuyebIHcE
+QPEE3gpNeOV0jkWz2+bkHg99BMwXhDOK9PLHv1WpJRuUmfjROFBS+jPGiur7TrUu
+9XMhq0Riw+zcLtlfE0k65zTEO8axE+ZkCbqiKCTtOdU4TakSXTn++MX5jwKBgAxN
+ym9/qk8DCkOX1goh/LZ16fbXV8vuj6mmbZyq75vfDcdYD0lrIvjypF3T2WiE4rsu
+CpLZCJLSuYa9pQasAoKeGEr+cDu3a21n9h9L07Tj3r7gbuoNFvj6U2dI0lPy6iZF
+NQNuyxUEQOLXEU7Si5QMBOC62hLsp+A8h3E1nElPAoGBALdt0xj5WRy9Hjo1tVgX
+L9drgcUTYFHvhGXPKDhYXY2LWpYislD1aBBdj8HdfrLU8sAlEV95WGHpYSkdOaR+
+Y8Hk1BCTK4MvPUOyxXZfKtGS8rbVuDn8RyU7BP1emxQuv0vhwjsqMT+oAeomn43t
+itXx5KSBHoqh6RphLVoXPwAv
+-----END PRIVATE KEY-----

e2e/utils_test.go

@@ -3,7 +3,10 @@ package e2e_test
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"io"
+	"log"
 	"net"
 	"os"
 	"strconv"
@@ -16,6 +19,7 @@ import (
 	"github.com/fortnoxab/gitmachinecontroller/pkg/agent"
 	"github.com/fortnoxab/gitmachinecontroller/pkg/agent/config"
 	"github.com/fortnoxab/gitmachinecontroller/pkg/authedhttpclient"
+	"github.com/fortnoxab/gitmachinecontroller/pkg/httpclient"
 	"github.com/fortnoxab/gitmachinecontroller/pkg/master"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -36,24 +40,29 @@ func initMasterAgent(t *testing.T, ctx context.Context) testWrapper {
 	port, err := freePort()
 	assert.NoError(t, err)
 	portStr := strconv.Itoa(port)
+	tlsPortStr := strconv.Itoa(port + 1)
 	redisMock := mocks.NewMockCmdable(t)
 	master := &master.Master{
 		GitURL:          "https://test/gitrepo",
 		GitPollInterval: time.Second,
 		WsPort:          portStr,
+		WsTLSPort:       tlsPortStr,
+		TLSCertFile:     "./cert.pem",
+		TLSKeyFIle:      "./key.pem",
 		JWTKey:          "asdfasdf",
 		SecretKey:       "asdfasdf",
 		RedisClient:     redisMock,
 		Masters: config.Masters{
 			{
-				URL:  "http://127.0.0.1:" + portStr,
+				URL:  "https://127.0.0.1:" + tlsPortStr,
 				Zone: "zone1",
 			},
 		},
 	}
+	httpclient.SetTLSConfig(trustCert("./cert.pem"))
 	mockedCommander := mocks.NewMockCommander(t)
-	agent := agent.NewAgent("./agentConfig", mockedCommander)
-	agent.Master = "http://127.0.0.1:" + portStr
+	agent := agent.NewAgent("./agentConfig", mockedCommander, agent.WithTLSConfig(trustCert("./cert.pem")))
+	agent.Master = "https://127.0.0.1:" + tlsPortStr
 	agent.Hostname = "mycooltestagent"
 
 	wg := &sync.WaitGroup{}
@@ -73,7 +82,7 @@ func initMasterAgent(t *testing.T, ctx context.Context) testWrapper {
 	}()
 
 	time.Sleep(400 * time.Millisecond)
-	client := authedhttpclient.New(t, "http://127.0.0.1:"+portStr)
+	client := authedhttpclient.New(t, "https://127.0.0.1:"+tlsPortStr)
 	err = client.AuthAsAdmin()
 	assert.NoError(t, err)
 
@@ -96,6 +105,31 @@ func initMasterAgent(t *testing.T, ctx context.Context) testWrapper {
 		},
 	}
 }
+
+func trustCert(localCertFile string) *tls.Config {
+	// Get the SystemCertPool, continue with an empty pool on error
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	// Read in the cert file
+	certs, err := os.ReadFile(localCertFile)
+	if err != nil {
+		log.Fatalf("Failed to append %q to RootCAs: %v", localCertFile, err)
+	}
+
+	// Append our cert to the system pool
+	if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+		log.Println("No certs appended, using system certs only")
+	}
+
+	// Trust the augmented cert pool in our client
+	return &tls.Config{
+		RootCAs: rootCAs,
+	}
+}
+
 func freePort() (port int, err error) {
 	var a *net.TCPAddr
 	if a, err = net.ResolveTCPAddr("tcp", "127.0.0.1:0"); err == nil {

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/fortnoxab/ginprometheus v0.0.0-20211026110220-d3da4ce1dc2b
 	github.com/gin-contrib/pprof v1.5.1
 	github.com/gin-gonic/gin v1.10.0
-	github.com/golang-jwt/jwt/v4 v4.5.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
@@ -58,7 +58,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.23.0 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect

go.sum

@@ -182,8 +182,6 @@ github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PU
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=

pkg/admin/admin.go

@@ -2,6 +2,7 @@ package admin
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -43,6 +44,8 @@ type Admin struct {
 	// binary location when Bootstrap
 	targetPath string
 	sshUser    string
+
+	tlsConfig *tls.Config
 }
 
 func NewAdminFromContext(c *cli.Context) *Admin {
@@ -56,13 +59,22 @@ func NewAdminFromContext(c *cli.Context) *Admin {
 	}
 }
 
-func NewAdmin(configFile, selector, regexp string) *Admin {
+func NewAdmin(configFile, selector, regexp string, options ...func(*Admin)) *Admin {
 
-	return &Admin{
+	a := &Admin{
 		configFile: configFile,
 		selector:   selector,
 		regexp:     regexp,
 	}
+	for _, o := range options {
+		o(a)
+	}
+	return a
+}
+func WithTLSConfig(c *tls.Config) func(*Admin) {
+	return func(s *Admin) {
+		s.tlsConfig = c
+	}
 }
 
 func (a *Admin) wsConnect(ctx context.Context, conf *config.Config) (websocket.Websocket, error) {
@@ -71,6 +83,9 @@ func (a *Admin) wsConnect(ctx context.Context, conf *config.Config) (websocket.W
 	headers.Set("Authorization", conf.Token)
 
 	wsClient := websocket.NewWebsocketClient()
+	if a.tlsConfig != nil {
+		wsClient.SetTLSConfig(a.tlsConfig)
+	}
 
 	master := conf.FindMasterForConnection(ctx, "", "")
 

pkg/agent/agent.go

@@ -2,6 +2,7 @@ package agent
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"net/http"
 	"os"
@@ -53,17 +54,26 @@ func NewAgentFromContext(c *cli.Context) *Agent {
 	}
 	return m
 }
-func NewAgent(configFile string, commander command.Commander) *Agent {
+func NewAgent(configFile string, commander command.Commander, options ...func(*Agent)) *Agent {
 	m := &Agent{
 		wg:         &sync.WaitGroup{},
 		callbacks:  make(map[string][]OnFunc),
 		client:     websocket.NewWebsocketClient(),
 		configFile: configFile,
 		commander:  commander,
 	}
+	for _, o := range options {
+		o(m)
+	}
 	return m
 }
 
+func WithTLSConfig(c *tls.Config) func(*Agent) {
+	return func(s *Agent) {
+		s.client.SetTLSConfig(c)
+	}
+}
+
 func (a *Agent) Run(ctx context.Context) error {
 	conf, err := config.FromFile(a.configFile)
 
@@ -73,7 +83,7 @@ func (a *Agent) Run(ctx context.Context) error {
 			conf = &config.Config{
 				Masters: config.Masters{&config.Master{URL: a.Master}},
 			}
-			err := os.MkdirAll(filepath.Dir(a.configFile), 0700)
+			err = os.MkdirAll(filepath.Dir(a.configFile), 0700)
 			if err != nil {
 				return err
 			}