feature: openssl ca (#820)

next-hat · Jan 30, 2024 · 87b46bf · 87b46bf
1 parent 448da10
commit 87b46bf
Show file tree

Hide file tree

Showing 29 changed files with 405 additions and 170 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/bin/nanocl/src/commands/state.rs b/bin/nanocl/src/commands/state.rs
@@ -4,6 +4,7 @@ use std::collections::HashMap;
 
 use futures::StreamExt;
 use nanocld_client::stubs::system::ObjPsStatusKind;
+use nanocld_client::ConnectOpts;
 use serde_json::{Map, Value};
 use clap::{Arg, Command, ArgAction};
 use bollard_next::service::HostConfig;
@@ -220,10 +221,18 @@ fn gen_client(
         .ok_or(IoError::not_found("Version", "is not specified"))?;
       paths.remove(paths.len() - 1);
       let url = paths.join("/");
-      NanocldClient::connect_to(&url, Some(version.into()))
+      NanocldClient::connect_to(&ConnectOpts {
+        url,
+        version: Some(version.into()),
+        ..Default::default()
+      })
     }
     api_version if state_ref.data.api_version.starts_with('v') => {
-      NanocldClient::connect_to(host, Some(api_version.clone()))
+      NanocldClient::connect_to(&ConnectOpts {
+        url: host.into(),
+        version: Some(api_version.clone()),
+        ..Default::default()
+      })
     }
     _ => {
       let mut paths = state_ref
@@ -240,7 +249,11 @@ fn gen_client(
       paths.remove(paths.len() - 1);
       let url = paths.join("/");
       let url = format!("https://{url}");
-      NanocldClient::connect_to(&url, Some(version.into()))
+      NanocldClient::connect_to(&ConnectOpts {
+        url,
+        version: Some(version.into()),
+        ..Default::default()
+      })
     }
   };
   Ok(client)

diff --git a/bin/nanocl/src/main.rs b/bin/nanocl/src/main.rs
@@ -1,7 +1,7 @@
 use clap::Parser;
 use dotenvy::dotenv;
 
-use nanocld_client::NanocldClient;
+use nanocld_client::{ConnectOpts, NanocldClient};
 use nanocl_error::io::{IoError, IoResult};
 
 mod utils;
@@ -42,7 +42,10 @@ fn create_cli_config(cli_args: &Cli) -> IoResult<CliConfig> {
         .unwrap_or("http://nanocl.internal:8585".into());
     }
   }
-  let client = NanocldClient::connect_to(&host, None);
+  let client = NanocldClient::connect_to(&ConnectOpts {
+    url: host.clone(),
+    ..Default::default()
+  });
   Ok(CliConfig {
     host,
     client,

diff --git a/bin/nanocl/src/utils/mod.rs b/bin/nanocl/src/utils/mod.rs
@@ -10,9 +10,13 @@ pub mod progress;
 
 #[cfg(test)]
 pub mod tests {
+  use nanocld_client::{ConnectOpts, NanocldClient};
 
   pub fn get_test_client() -> NanocldClient {
-    NanocldClient::connect_to("http://nanocl.internal:8585", None)
+    NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    })
   }
 
   #[macro_export]
@@ -71,5 +75,4 @@ pub mod tests {
   }
 
   pub use assert_cli_ok;
-  use nanocld_client::NanocldClient;
 }
diff --git a/bin/nanocld/Cargo.toml b/bin/nanocld/Cargo.toml
@@ -85,3 +85,4 @@ utoipa = { version = "4.2", features = ["yaml"], optional = true }
 notify = "6.1"
 ntex-cors = "0.5"
 rand = "0.8"
+openssl = { version = "0.10" }
diff --git a/bin/nanocld/specs/swagger.yaml b/bin/nanocld/specs/swagger.yaml
@@ -2854,6 +2854,18 @@ components:
           format: int32
           description: Group id
           minimum: 0
+        cert:
+          type: string
+          description: Certificate path
+          nullable: true
+        cert_key:
+          type: string
+          description: Certificate key path
+          nullable: true
+        cert_ca:
+          type: string
+          description: Ca certificate path
+          nullable: true
     DeviceMapping:
       type: object
       description: A device mapping between the host and container

diff --git a/bin/nanocld/src/cli.rs b/bin/nanocld/src/cli.rs
@@ -34,6 +34,34 @@ pub struct Cli {
   /// Group id
   #[clap(long, default_value = "0")]
   pub gid: u32,
+  /// Optional certificate path
+  #[clap(long)]
+  pub cert: Option<String>,
+  /// Optional certificate key path
+  #[clap(long)]
+  pub cert_key: Option<String>,
+  /// Optional ca certificate path
+  #[clap(long)]
+  pub cert_ca: Option<String>,
+}
+
+impl Default for Cli {
+  fn default() -> Self {
+    Self {
+      hosts: None,
+      docker_host: None,
+      state_dir: None,
+      conf_dir: String::from("/etc/nanocl"),
+      gateway: None,
+      hostname: None,
+      nodes: vec![],
+      advertise_addr: None,
+      gid: 0,
+      cert: None,
+      cert_key: None,
+      cert_ca: None,
+    }
+  }
 }
 
 /// Cli arguments unit test

diff --git a/bin/nanocld/src/config.rs b/bin/nanocld/src/config.rs
@@ -63,6 +63,9 @@ fn gen_daemon_conf(
     advertise_addr,
     nodes: args.nodes.clone(),
     conf_dir: args.conf_dir.clone(),
+    cert: args.cert.clone(),
+    cert_key: args.cert_key.clone(),
+    cert_ca: args.cert_ca.clone(),
   })
 }
 
@@ -104,15 +107,11 @@ mod tests {
   #[test]
   fn merge_config() {
     let args = Cli {
-      gid: 0,
       hosts: Some(vec![String::from("unix:///run/nanocl/nanocl.sock")]),
       state_dir: Some(String::from("/var/lib/nanocl")),
       docker_host: Some(String::from("/var/run/docker.sock")),
       conf_dir: String::from("/etc/nanocl"),
-      gateway: None,
-      hostname: None,
-      advertise_addr: None,
-      nodes: Vec::default(),
+      ..Default::default()
     };
     let config = DaemonConfigFile {
       hosts: Some(vec![String::from("unix:///run/nanocl/nanocl.sock")]),
@@ -177,15 +176,11 @@ mod tests {
   #[test]
   fn init_config() {
     let args = Cli {
-      gid: 0,
       hosts: Some(vec![String::from("unix:///run/nanocl/nanocl.sock")]),
       state_dir: Some(String::from("/var/lib/nanocl")),
       docker_host: Some(String::from("/var/run/docker.sock")),
       conf_dir: String::from("/etc/nanocl"),
-      gateway: None,
-      advertise_addr: None,
-      hostname: None,
-      nodes: Vec::default(),
+      ..Default::default()
     };
     let config = init(&args).unwrap();
     assert_eq!(config.hosts, args.hosts.unwrap());

diff --git a/bin/nanocld/src/subsystem/init.rs b/bin/nanocld/src/subsystem/init.rs
@@ -157,14 +157,10 @@ mod tests {
     let home = std::env::var("HOME").expect("Failed to get home dir");
     let args = cli::Cli {
       gid: 0,
-      hosts: None,
-      docker_host: None,
       state_dir: Some(format!("{home}/.nanocl_dev/state")),
       conf_dir: String::from("/etc/nanocl"),
-      gateway: None,
       nodes: Vec::default(),
-      hostname: None,
-      advertise_addr: None,
+      ..Default::default()
     };
     log::debug!("args: {args:?}");
     let config = config::init(&args).expect("Expect to init config");

diff --git a/bin/nanocld/src/utils/server.rs b/bin/nanocld/src/utils/server.rs
@@ -1,5 +1,6 @@
 use ntex::web;
 use ntex_cors::Cors;
+use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
 
 use nanocl_utils::ntex::middlewares;
 
@@ -14,11 +15,11 @@ pub async fn gen(
   daemon_state: SystemState,
 ) -> std::io::Result<ntex::server::Server> {
   log::info!("server::gen: start");
-  let hosts = daemon_state.config.hosts.clone();
+  let daemon_state_ptr = daemon_state.clone();
   let mut server = web::HttpServer::new(move || {
     web::App::new()
       // bind config state
-      .state(daemon_state.clone())
+      .state(daemon_state_ptr.clone())
       .state(
         web::types::PayloadConfig::new(20_000_000_000), // <- limit size of the payload
       )
@@ -32,7 +33,9 @@ pub async fn gen(
       .configure(services::ntex_config)
       .default_service(web::route().to(services::unhandled))
   });
+  let config = daemon_state.config.clone();
   let mut count = 0;
+  let hosts = config.hosts.clone();
   let len = hosts.len();
   while count < len {
     let host = &hosts[count];
@@ -47,13 +50,35 @@ pub async fn gen(
       };
     } else if host.starts_with("tcp://") {
       let addr = host.replace("tcp://", "");
-      server = match server.bind(&addr) {
-        Err(err) => {
-          log::error!("server::gen: {addr}: {err}");
-          return Err(err);
-        }
-        Ok(server) => server,
-      };
+      if let Some(cert) = config.cert.clone() {
+        log::debug!("server::gen: {addr}: with ssl");
+        let cert_key = config.cert_key.clone().unwrap();
+        let cert_ca = config.cert_ca.clone().unwrap();
+        server = match server.bind_openssl(&addr, {
+          let mut builder =
+            SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
+          builder
+            .set_private_key_file(cert_key, SslFiletype::PEM)
+            .unwrap();
+          builder.set_certificate_chain_file(cert).unwrap();
+          builder.set_ca_file(cert_ca).expect("Failed to set ca file");
+          builder
+        }) {
+          Err(err) => {
+            log::error!("server::gen: {addr}: {err}");
+            return Err(err);
+          }
+          Ok(server) => server,
+        };
+      } else {
+        server = match server.bind(&addr) {
+          Err(err) => {
+            log::error!("server::gen: {addr}: {err}");
+            return Err(err);
+          }
+          Ok(server) => server,
+        };
+      }
     } else {
       log::error!(
         "server::gen: {} invalid protocol [tcp:// | unix://] allowed",

diff --git a/bin/ncdns/src/main.rs b/bin/ncdns/src/main.rs
@@ -25,7 +25,11 @@ async fn run(cli: &Cli) -> IoResult<()> {
   let mut client = NanocldClient::connect_with_unix_default();
   #[cfg(any(feature = "dev", feature = "test"))]
   {
-    client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
+    use nanocld_client::ConnectOpts;
+    client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    });
   }
   event::spawn(&client);
   let server = server::gen(&cli.host, &dnsmasq, &client)?;

diff --git a/bin/ncdns/src/server.rs b/bin/ncdns/src/server.rs
@@ -52,11 +52,15 @@ mod tests {
   use super::*;
   use crate::dnsmasq::Dnsmasq;
   use nanocl_error::io::IoResult;
+  use nanocld_client::ConnectOpts;
 
   #[ntex::test]
   async fn generate_unix_and_tcp() -> IoResult<()> {
     let dnsmasq = Dnsmasq::new("/tmp/ncdns");
-    let client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
+    let client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    });
     let server = gen("unix:///tmp/ncdns.sock", &dnsmasq, &client)?;
     server.stop(true).await;
     let server = gen("tcp://0.0.0.0:9987", &dnsmasq, &client)?;
@@ -67,7 +71,10 @@ mod tests {
   #[test]
   fn generate_wrong_host() -> IoResult<()> {
     let dnsmasq = Dnsmasq::new("/tmp/ncdns");
-    let client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
+    let client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    });
     let server = gen("wrong://dsadsa", &dnsmasq, &client);
     assert!(server.is_err());
     Ok(())

diff --git a/bin/ncdns/src/utils.rs b/bin/ncdns/src/utils.rs
@@ -152,7 +152,7 @@ pub(crate) async fn remove_entries(
 #[cfg(test)]
 pub mod tests {
   pub use nanocl_utils::ntex::test_client::*;
-  use nanocld_client::NanocldClient;
+  use nanocld_client::{ConnectOpts, NanocldClient};
 
   use crate::{version, dnsmasq, services};
 
@@ -167,8 +167,10 @@ pub mod tests {
     before();
     let dnsmasq = dnsmasq::Dnsmasq::new("/tmp/dnsmasq");
     dnsmasq.ensure().unwrap();
-    let client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
-    // Create test server
+    let client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    }); // Create test server
     let srv = ntex::web::test::server(move || {
       ntex::web::App::new()
         .state(dnsmasq.clone())

diff --git a/bin/ncproxy/src/subsystem/init.rs b/bin/ncproxy/src/subsystem/init.rs
@@ -2,7 +2,7 @@ use std::sync::Arc;
 
 use nanocl_error::io::IoResult;
 
-use nanocld_client::NanocldClient;
+use nanocld_client::{ConnectOpts, NanocldClient};
 
 use crate::{
   cli::Cli,
@@ -16,7 +16,10 @@ pub async fn init(cli: &Cli) -> IoResult<SystemStateRef> {
   let mut client = NanocldClient::connect_with_unix_default();
   #[cfg(any(feature = "dev", feature = "test"))]
   {
-    client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
+    client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    });
   }
   let event_emitter = EventEmitter::new(&client);
   let state = Arc::new(SystemState {

diff --git a/bin/ncproxy/src/utils/mod.rs b/bin/ncproxy/src/utils/mod.rs
@@ -14,7 +14,7 @@ pub(crate) mod tests {
   pub use nanocl_utils::ntex::test_client::*;
   use nanocld_client::{
     stubs::{proxy::ResourceProxyRule, cargo_spec::CargoSpecPartial},
-    NanocldClient,
+    ConnectOpts, NanocldClient,
   };
 
   use crate::{variables, services};
@@ -29,7 +29,10 @@ pub(crate) mod tests {
   pub async fn ensure_test_cargo() -> IoResult<()> {
     const CARGO_NAME: &str = "ncproxy-test";
     const CARGO_IMAGE: &str = "ghcr.io/next-hat/nanocl-get-started:latest";
-    let client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
+    let client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    });
     if client.inspect_cargo(CARGO_NAME, None).await.is_err() {
       let cargo = CargoSpecPartial {
         name: CARGO_NAME.to_owned(),
@@ -47,7 +50,10 @@ pub(crate) mod tests {
 
   pub async fn clean_test_cargo() -> IoResult<()> {
     const CARGO_NAME: &str = "ncproxy-test";
-    let client = NanocldClient::connect_to("http://nanocl.internal:8585", None);
+    let client = NanocldClient::connect_to(&ConnectOpts {
+      url: "http://nanocl.internal:8585".into(),
+      ..Default::default()
+    });
     if client.inspect_cargo(CARGO_NAME, None).await.is_err() {
       return Ok(());
     }