Skip to content

Commit

Permalink
chore: some refactoring
Browse files Browse the repository at this point in the history 
Signed-off-by: Valery Piashchynski <piashchynski.valery@gmail.com>
  • Loading branch information
@rustatian @sicet7
rustatian authored and sicet7 committed Nov 20, 2024
1 parent 4b64f14 commit 6f6e25f
Show file tree
Hide file tree
Showing 4 changed files with 116 additions and 23 deletions.
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ require (
github.com/roadrunner-server/errors v1.4.1
go.opentelemetry.io/otel/sdk v1.32.0
go.uber.org/zap v1.27.0
golang.org/x/sys v0.27.0
)

require (
Expand All @@ -27,5 +28,4 @@ require (
go.opentelemetry.io/otel/metric v1.32.0 // indirect
go.opentelemetry.io/otel/trace v1.32.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/sys v0.27.0 // indirect
)
4 changes: 4 additions & 0 deletions go.work.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,7 @@ github.com/spf13/viper v1.17.0 h1:I5txKw7MJasPL/BrfkbA0Jyo/oELqVmux4pR/UxOMfI=
github.com/spf13/viper v1.17.0/go.mod h1:BmMMMLQXSbcHK6KAOiFLz0l5JHrU89OdIRHvsk0+yVI=
github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU=
Expand Down Expand Up @@ -259,6 +260,7 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
Expand All @@ -271,6 +273,7 @@ golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4
golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
Expand All @@ -284,6 +287,7 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
Expand Down
6 changes: 3 additions & 3 deletions kv/driver.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,9 @@ func NewRedisDriver(log *zap.Logger, key string, cfgPlugin Configurer, tracer *s

d.cfg.InitDefaults()

tlsConfig, tlsConfigErr := NewTLSConfig(d.cfg.TLSConfig, log)
if tlsConfigErr != nil {
return nil, errors.E(op, tlsConfigErr)
tlsConfig, err := tlsConfig(d.cfg.TLSConfig)
if err != nil {
return nil, errors.E(op, err)
}

d.universalClient = redis.NewUniversalClient(&redis.UniversalOptions{
Expand Down
127 changes: 108 additions & 19 deletions kv/tlsconfig.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,40 +3,129 @@ package kv
import (
"crypto/tls"
"crypto/x509"
"github.com/roadrunner-server/errors"
"go.uber.org/zap"
"os"

"golang.org/x/sys/cpu"
)

type TLSConfig struct {
Cert string `mapstructure:"cert"`
Key string `mapstructure:"key"`
RootCa string `mapstructure:"root_ca"`
}

func NewTLSConfig(c *TLSConfig, log *zap.Logger) (*tls.Config, error) {
if c == nil || c.RootCa == "" {
func tlsConfig(conf *TLSConfig) (*tls.Config, error) {
if conf == nil {
return nil, nil
}
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
}
rootCAs, sysCertErr := x509.SystemCertPool()
if sysCertErr != nil {
rootCAs = x509.NewCertPool()
log.Warn("unable to load system certificate pool, using empty pool", zap.Error(sysCertErr))

tlsConfig := defaultTLSConfig(conf)
if conf.RootCa != "" {
// error is always nil here
certPool, err := x509.SystemCertPool()
if err != nil {
// error is always nil here
return nil, err
}

if certPool == nil {
certPool = x509.NewCertPool()
}

// we already checked this file in the config.go
rca, err := os.ReadFile(conf.RootCa)
if err != nil {
return nil, err
}

if ok := certPool.AppendCertsFromPEM(rca); !ok {
return nil, err
}

tlsConfig.RootCAs = certPool
}

if _, crtExistErr := os.Stat(c.RootCa); crtExistErr != nil {
if _, crtExistErr := os.Stat(conf.RootCa); crtExistErr != nil {
return nil, crtExistErr
}

bytes, crtReadErr := os.ReadFile(c.RootCa)
if crtReadErr != nil {
return nil, crtReadErr
return tlsConfig, nil
}

func defaultTLSConfig(cfg *TLSConfig) *tls.Config {
var topCipherSuites []uint16
var defaultCipherSuitesTLS13 []uint16

hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
// Keep in sync with crypto/aes/cipher_s390x.go.
hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)

hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X

if hasGCMAsm {
// If AES-GCM hardware is provided then priorities AES-GCM
// cipher suites.
topCipherSuites = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}
defaultCipherSuitesTLS13 = []uint16{
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_AES_256_GCM_SHA384,
}
} else {
// Without AES-GCM hardware, we put the ChaCha20-Poly1305
// cipher suites first.
topCipherSuites = []uint16{
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
}
defaultCipherSuitesTLS13 = []uint16{
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_AES_256_GCM_SHA384,
}
}

defaultCipherSuites := make([]uint16, 0, 22)
defaultCipherSuites = append(defaultCipherSuites, topCipherSuites...)
defaultCipherSuites = append(defaultCipherSuites, defaultCipherSuitesTLS13...)

return &tls.Config{
CurvePreferences: []tls.CurveID{
tls.X25519,
tls.CurveP256,
tls.CurveP384,
tls.CurveP521,
},
GetClientCertificate: getClientCertificate(cfg),
CipherSuites: defaultCipherSuites,
MinVersion: tls.VersionTLS12,
}
}

// getClientCertificate is used for tls.Config struct field GetClientCertificate and enables re-fetching the client certificates when they expire
func getClientCertificate(cfg *TLSConfig) func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
if cfg == nil || cfg.Cert == "" || cfg.Key == "" {
return nil, nil
}

if !rootCAs.AppendCertsFromPEM(bytes) {
return nil, errors.Errorf("failed to parse certificates from PEM file '%s'. Please ensure the file contains valid PEM-encoded certificates", c.RootCa)
cert, err := tls.LoadX509KeyPair(cfg.Cert, cfg.Key)
if err != nil {
return nil, err
}

return &cert, nil
}
tlsConfig.RootCAs = rootCAs
return tlsConfig, nil
}

0 comments on commit 6f6e25f

Please sign in to comment.