
Merge pull request #21 from avnik/avnik/tls-issues
Fix TLS issues, enable TLS in tests
mbssrc authored Oct 18, 2024
2 parents 8bf77b0 + 020f0b2 commit 9b50cc3
Showing 10 changed files with 67 additions and 73 deletions.
49 changes: 16 additions & 33 deletions Cargo.lock


6 changes: 3 additions & 3 deletions Cargo.toml
Expand Up @@ -28,9 +28,9 @@ regex = "1.11"
tokio = {version = "1.0", features = ["rt-multi-thread", "time", "macros", "fs"]}
tokio-stream = "0.1"
tokio-vsock = "0.5"
tonic = {version="0.12.2", features = ["tls"]}
tonic-types = {version="0.12.2"}
tonic-reflection = {version="0.12.2"}
tonic = {version="0.12", features = ["tls"]}
tonic-types = {version="0.12"}
tonic-reflection = {version="0.12"}
tower = {version = "0.4"}
tracing = "0.1"
tracing-subscriber = {version = "0.3", features = ["env-filter", "tracing-log", "time", "local-time"]}
4 changes: 2 additions & 2 deletions client/Cargo.toml
Expand Up @@ -16,8 +16,8 @@ hyper-util = { version = "0.1.4"}
tokio = {version = "1.0", features = ["rt-multi-thread", "time", "macros"]}
tokio-stream = "0.1"
tokio-vsock = "*"
tonic = {version="0.12.2", features = ["tls"]}
tonic-types = {version="0.12.2"}
tonic = {version="0.12", features = ["tls"]}
tonic-types = {version="0.12"}
tower = {version = "0.4"}
tracing = "0.1"
serde = { version = "1.0.202", features = ["derive"]}
10 changes: 7 additions & 3 deletions client/src/endpoint.rs
Expand Up @@ -2,7 +2,7 @@ use std::path::PathBuf;
use std::sync::Arc;
use std::time::Duration;

use anyhow::anyhow;
use anyhow::{anyhow, Context};
use hyper_util::rt::TokioIo;
use tokio::net::UnixStream;
use tokio_vsock::{VsockAddr, VsockStream};
Expand Down Expand Up @@ -43,6 +43,7 @@ impl TlsConfig {
.tls_name
.as_deref()
.ok_or_else(|| anyhow!("Missing TLS name"))?;
info!("Using TLS name: {tls_name}");
Ok(ClientTlsConfig::new()
.ca_certificate(ca)
.domain_name(tls_name)
Expand Down Expand Up @@ -93,14 +94,17 @@ impl EndpointConfig {
pub async fn connect(&self) -> anyhow::Result<Channel> {
let url = transport_config_to_url(&self.transport.address, self.tls.is_some());
info!("Connecting to {url}, TLS name {:?}", &self.tls);
let mut endpoint = Endpoint::try_from(url)?
let mut endpoint = Endpoint::try_from(url.clone())?
.timeout(Duration::from_secs(5))
.concurrency_limit(30);
if let Some(tls) = &self.tls {
endpoint = endpoint.tls_config(tls.client_config()?)?;
};
let channel = match &self.transport.address {
EndpointAddress::Tcp { .. } => endpoint.connect().await?,
EndpointAddress::Tcp { .. } => endpoint
.connect()
.await
.with_context(|| format!("Connecting TCP {url} with {:?}", self.tls))?,
EndpointAddress::Unix(unix) => connect_unix_socket(endpoint, unix).await?,
EndpointAddress::Abstract(abs) => connect_unix_socket(endpoint, abs).await?,
EndpointAddress::Vsock(vs) => connect_vsock_socket(endpoint, *vs).await?,
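Review bot: The new context string on line 84 formats the whole `TlsConfig` with `{:?}`, as the `info!` on line 71 already does; whether that is harmless depends on what the struct holds — if it ever carries loaded certificate or key bytes rather than paths, they end up in error chains and logs. Formatting only the name keeps the diagnostic useful: `.with_context(|| format!("Connecting TCP {url}, TLS name {:?}", self.tls.as_ref().and_then(|t| t.tls_name.as_deref())))?,`. The Unix, abstract and vsock arms on lines 85-87 still propagate a bare `?`, so they do not get the context the TCP arm now has. `connect` continues past the end of the hunk.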
6 changes: 3 additions & 3 deletions common/Cargo.toml
Expand Up @@ -15,12 +15,12 @@ prost = "0.13"
tokio = {version = "1.0", features = ["rt-multi-thread", "time", "macros"]}
tokio-stream = "0.1"
tokio-vsock = "*"
tonic = {version="0.12.2", features = ["tls"]}
tonic-types = {version="0.12.2"}
tonic = {version="0.12", features = ["tls"]}
tonic-types = {version="0.12"}
tracing = "0.1"
tracing-subscriber = {version = "0.3"}
serde = { version = "1.0.202", features = ["derive"]}
strum = { version = "0.26", features = ["derive"] }

[build-dependencies]
tonic-build = {version = "0.11.0", features = ["prost"]}
tonic-build = {version = "0.12", features = ["prost"]}
15 changes: 8 additions & 7 deletions nixos/tests/admin.nix
Expand Up @@ -5,7 +5,7 @@
...
}:
let
tls = false;
tls = true;
snakeoil = ./snakeoil;
addrs = {
host = "192.168.101.10";
Expand Down Expand Up @@ -69,7 +69,7 @@ in
addr = addrs.host;
port = "9000";
admin = {
name = "admin";
name = "admin-vm";
addr = addrs.adminvm;
port = "9001";
protocol = "tcp"; # go version expect word "tcp" here, but it unused
Expand Down Expand Up @@ -232,7 +232,8 @@ in
services.openssh.enable = true;
givc.appvm = {
enable = true;
name = "foot-vm";
debug = true;
name = "chromium-vm";
addr = addrs.appvm;
admin = adminSettings;
tls = mkTls "chromium-vm";
Expand Down Expand Up @@ -339,7 +340,7 @@ in
adminvm.wait_for_file("/etc/timezone.conf")
with subtest("Clean run"):
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start foot"))
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start --vm chromium-vm foot"))
time.sleep(10) # Give few seconds to application to spin up
wait_for_window("ghaf@appvm")
Expand All @@ -348,13 +349,13 @@ in
appvm.succeed("pkill foot")
time.sleep(10)
# .. then ask to restart
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start foot"))
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start --vm chromium-vm foot"))
wait_for_window("ghaf@appvm")
with subtest("clear exit and restart"):
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start --vm foot-vm clearexit"))
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start --vm chromium-vm clearexit"))
time.sleep(20) # Give few seconds to application to spin up, exit, then start it again
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start --vm foot-vm clearexit"))
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start --vm chromium-vm clearexit"))
with subtest("suspend system"):
print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} suspend"))
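Review bot: With `tls = true` the `${if tls then "" else "--notls"}` interpolation always yields the TLS path, so the plaintext `--notls` branch of the CLI is no longer exercised anywhere in this test; if that mode is still supported, a second run with the toggle off, or a comment stating that plaintext is deliberately untested, would make the coverage explicit. The `debug = true` added to the appvm on line 132 has no comment on what it turns on; a short `# debug = true: …` note naming the effect would help the next reader. The test script continues outside the hunks.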
4 changes: 2 additions & 2 deletions src/admin/entry.rs
Expand Up @@ -26,8 +26,8 @@ pub struct RegistryEntry {
}

impl RegistryEntry {
pub fn agent(self) -> anyhow::Result<EndpointEntry> {
match self.placement {
pub fn agent(&self) -> anyhow::Result<&EndpointEntry> {
match &self.placement {
Placement::Endpoint(endpoint) => Ok(endpoint),
Placement::Managed(by) => Err(anyhow!(
"Agent endpoint {} is managed by {}!",
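Review bot: `agent` has no doc comment, and now that it hands out a borrow instead of consuming the entry the contract is worth stating on line 168: `/// Returns the endpoint this entry is reached on directly; fails when the entry is managed by another agent (`Placement::Managed`).` The `match` continues past the end of the hunk.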
42 changes: 24 additions & 18 deletions src/admin/server.rs
Expand Up @@ -104,26 +104,31 @@ impl AdminServiceImpl {
vm: VmType::Host,
service: ServiceType::Mgr,
})?;
self.endpoint(host_mgr).context("Resolving host agent")
self.endpoint(&host_mgr).context("Resolving host agent")
}

pub fn endpoint(&self, reentry: RegistryEntry) -> anyhow::Result<EndpointConfig> {
pub fn endpoint(&self, reentry: &RegistryEntry) -> anyhow::Result<EndpointConfig> {
let transport = reentry.agent()?.to_owned();
let tls_name = transport.tls_name.clone();
Ok(EndpointConfig {
transport: reentry.agent()?,
tls: self.tls_config.clone(),
transport,
tls: self.tls_config.clone().map(|mut tls| {
tls.tls_name = Some(tls_name);
tls
}),
})
}
pub fn agent_endpoint(&self, name: &str) -> anyhow::Result<EndpointConfig> {
let reentry = self.registry.by_name(name)?;
self.endpoint(reentry)
self.endpoint(&reentry)
}

pub fn app_entries(&self, name: String) -> anyhow::Result<Vec<String>> {
pub fn app_entries(&self, name: &str) -> anyhow::Result<Vec<String>> {
if name.contains('@') {
let list = self.registry.find_names(&name)?;
let list = self.registry.find_names(name)?;
Ok(list)
} else {
Ok(vec![name])
Ok(vec![name.to_owned()])
}
}

Expand All @@ -134,13 +139,14 @@ impl AdminServiceImpl {
let transport = match &entry.placement {
Placement::Managed(parent) => {
let parent = self.registry.by_name(parent)?;
parent.agent()? // Fail, if parent also `Managed`
parent.agent()?.to_owned() // Fail, if parent also `Managed`
}
Placement::Endpoint(endpoint) => endpoint.clone(), // FIXME: avoid clone!
};
let tls_name = transport.tls_name.clone();
info!("Get remote status for {tls_name}!");
let endpoint = EndpointConfig {
transport,
transport: transport.to_owned(),
tls: self.tls_config.clone().map(|mut tls| {
tls.tls_name = Some(tls_name);
tls
Expand Down Expand Up @@ -417,10 +423,10 @@ impl pb::admin_service_server::AdminService for AdminService {
&self,
request: tonic::Request<ApplicationRequest>,
) -> std::result::Result<tonic::Response<ApplicationResponse>, tonic::Status> {
escalate(request, |req| async {
escalate(request, |req| async move {
let agent = self.inner.agent_endpoint(&req.app_name)?;
let client = SystemDClient::new(agent);
for each in self.inner.app_entries(req.app_name)? {
for each in self.inner.app_entries(&req.app_name)? {
_ = client.pause_remote(each).await?
}
app_success()
Expand All @@ -431,10 +437,10 @@ impl pb::admin_service_server::AdminService for AdminService {
&self,
request: tonic::Request<ApplicationRequest>,
) -> std::result::Result<tonic::Response<ApplicationResponse>, tonic::Status> {
escalate(request, |req| async {
escalate(request, |req| async move {
let agent = self.inner.agent_endpoint(&req.app_name)?;
let client = SystemDClient::new(agent);
for each in self.inner.app_entries(req.app_name)? {
for each in self.inner.app_entries(&req.app_name)? {
_ = client.resume_remote(each).await?
}
app_success()
Expand All @@ -445,10 +451,10 @@ impl pb::admin_service_server::AdminService for AdminService {
&self,
request: tonic::Request<ApplicationRequest>,
) -> std::result::Result<tonic::Response<ApplicationResponse>, tonic::Status> {
escalate(request, |req| async {
escalate(request, |req| async move {
let agent = self.inner.agent_endpoint(&req.app_name)?;
let client = SystemDClient::new(agent);
for each in self.inner.app_entries(req.app_name)? {
for each in self.inner.app_entries(&req.app_name)? {
_ = client.stop_remote(each).await?
}
app_success()
Expand Down Expand Up @@ -537,7 +543,7 @@ impl pb::admin_service_server::AdminService for AdminService {
let managers = self.inner.registry.find_map(|re| {
(re.r#type.service == ServiceType::Mgr)
.then_some(())
.and_then(|_| self.inner.endpoint(re.clone()).ok())
.and_then(|_| self.inner.endpoint(re).ok())
});
let locale = req.locale.clone();
tokio::spawn(async move {
Expand Down Expand Up @@ -571,7 +577,7 @@ impl pb::admin_service_server::AdminService for AdminService {
let managers = self.inner.registry.find_map(|re| {
(re.r#type.service == ServiceType::Mgr)
.then_some(())
.and_then(|_| self.inner.endpoint(re.clone()).ok())
.and_then(|_| self.inner.endpoint(re).ok())
});
let timezone = req.timezone.clone();
tokio::spawn(async move {
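Review bot: `transport: transport.to_owned()` on line 229 clones a value that is already owned and not used again after the struct literal; the field shorthand `transport,` is enough, since line 221 and line 223 already produce an owned `transport`. The same TLS-name override is now written twice — lines 192-195 in `endpoint` and lines 230-232 here — so a small helper such as `fn tls_for(&self, tls_name: String) -> Option<TlsConfig>` would keep the two in step, which matters because that name appears to be what the client passes as the expected server name for certificate verification. Both enclosing functions start or end outside their hunks.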
2 changes: 1 addition & 1 deletion src/bin/givc-admin.rs
Expand Up @@ -23,7 +23,7 @@ struct Cli {
#[arg(long, help = "Additionally listen Vsock socket (cid:port format)")]
vsock: Option<String>,

#[arg(long, env = "TLS", default_missing_value = "false")]
#[arg(long, env = "TLS")]
use_tls: bool,

#[arg(long, env = "CA_CERT")]
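Review bot: Dropping `default_missing_value` leaves `use_tls` as a plain opt-in flag: with neither `--use-tls` nor the `TLS` variable set it is false, so a deployment that forgets the variable presumably starts without TLS and fails open rather than closed. If plaintext is only meant for tests, inverting the flag (`--no-tls`, or a `default_value = "true"`) would be the safer shape. The other arguments in this struct carry a `help` string and this one does not; `#[arg(long, env = "TLS", help = "Enable TLS on the listening sockets")]` if that is what it controls, and the accepted values of `TLS` are worth naming there. `Cli` continues beyond the hunk.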
