package/storage
1
0
Fork 0
mirror of https://github.com/gofiber/storage.git synced 2025-10-04 16:22:52 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

chore: use redis with TLS

Browse Source
This commit is contained in:
Manuel de la Peña
2025-04-16 20:30:26 +02:00
parent 05516094e9
commit faa652f38c
4 changed files with 184 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
.github/workflows/test-redis.yml vendored
View File

@@ -25,36 +25,6 @@ jobs:
- name: Fetch Repository - name: Fetch Repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Generate TLS certs
run: ./.github/scripts/gen-test-certs.sh
- name: Add Custom CA cert
run: sudo cp /home/runner/work/storage/storage/tls/ca.crt /usr/local/share/ca-certificates/custom.crt
- name: Trust Custom CA Cert
run: sudo update-ca-certificates
- name: Setup Redis
uses: shogo82148/actions-setup-redis@v1
with:
redis-version: ${{ matrix.redis }}
auto-start: 'false'
- name: Run Redis
run: |
redis-server --tls-port 6380 --port 6379 \
--tls-cert-file /home/runner/work/storage/storage/tls/redis.crt \
--tls-key-file /home/runner/work/storage/storage/tls/redis.key \
--tls-ca-cert-file /home/runner/work/storage/storage/tls/ca.crt &
- name: Run Redis instance with MTLS disabled
run: |
redis-server --tls-port 16380 --port 16379 \
--tls-cert-file /home/runner/work/storage/storage/tls/redis.crt \
--tls-key-file /home/runner/work/storage/storage/tls/redis.key \
--tls-ca-cert-file /home/runner/work/storage/storage/tls/ca.crt \
--tls-auth-clients no &
- name: Setup Redis Cluster - name: Setup Redis Cluster
uses: vishnudxb/redis-cluster@1.0.9 uses: vishnudxb/redis-cluster@1.0.9
with: with:
@@ -75,4 +45,6 @@ jobs:
go-version: '${{ matrix.go-version }}' go-version: '${{ matrix.go-version }}'
- name: Run Test - name: Run Test
env:
TEST_REDIS_IMAGE: "docker.io/redis:7"
run: cd ./redis && go test ./... -v -race run: cd ./redis && go test ./... -v -race

1
redis/go.mod
View File

@@ -3,6 +3,7 @@ module github.com/gofiber/storage/redis/v3
go 1.23.0 go 1.23.0
require ( require (
github.com/mdelapenya/tlscert v0.1.0
github.com/redis/go-redis/v9 v9.7.3 github.com/redis/go-redis/v9 v9.7.3
github.com/stretchr/testify v1.10.0 github.com/stretchr/testify v1.10.0
github.com/testcontainers/testcontainers-go v0.36.0 github.com/testcontainers/testcontainers-go v0.36.0

2
redis/go.sum
View File

@@ -69,6 +69,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM= github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
github.com/mdelapenya/tlscert v0.1.0 h1:YTpF579PYUX475eOL+6zyEO3ngLTOUWck78NBuJVXaM=
github.com/mdelapenya/tlscert v0.1.0/go.mod h1:wrbyM/DwbFCeCeqdPX/8c6hNOqQgbf0rUDErE1uD+64=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=

296
redis/redis_test.go
View File

@@ -1,14 +1,16 @@
package redis package redis
import ( import (
"bytes"
"context" "context"
"crypto/tls" "crypto/tls"
"log" "net"
"os" "os"
"strings" "strings"
"testing" "testing"
"time" "time"
"github.com/mdelapenya/tlscert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/testcontainers/testcontainers-go" "github.com/testcontainers/testcontainers-go"
@@ -21,12 +23,18 @@ const (
redisImage = "docker.io/redis:7" redisImage = "docker.io/redis:7"
redisImageEnvVar = "TEST_REDIS_IMAGE" redisImageEnvVar = "TEST_REDIS_IMAGE"
redisPort = "6379/tcp" redisPort = "6379/tcp"
redisTLSPort = "6380/tcp"
) )
type testStoreSettings struct { type testStoreSettings struct {
withAddress bool withAddress bool
withHostPort bool withHostPort bool
withURL bool withURL bool
// TLS settings
withSecureURL bool
withMTLSdisabled bool
withTLS bool
} }
type testStoreOption func(*testStoreSettings) type testStoreOption func(*testStoreSettings)
@@ -43,17 +51,72 @@ func withHostPort() testStoreOption {
} }
} }
func withTLS(secureURL bool, mtlsDisabled bool) testStoreOption {
return func(o *testStoreSettings) {
o.withTLS = true
o.withSecureURL = secureURL
o.withMTLSdisabled = mtlsDisabled
}
}
// withURL sets the test store to use a URL. // withURL sets the test store to use a URL.
// Use it when you want to explicitly combine multiple addresses in the same test // Use it when you want to explicitly combine multiple addresses in the same test
// to verify which one is being used. // to verify which one is being used.
// - true: the URL will receive the URI provided by the testcontainer // - true: the URL will receive the URI provided by the testcontainer
// - false: the URL will be set to an empty string // - false: the URL will be set to an empty string
func withURL(b bool) testStoreOption { func withURL(useContainerURI bool) testStoreOption {
return func(o *testStoreSettings) { return func(o *testStoreSettings) {
o.withURL = b o.withURL = useContainerURI
} }
} }
// createTLSCerts creates a CA certificate, a client certificate and a nats certificate,
// storing them in the given temporary directory.
func createTLSCerts(t testing.TB) (*tlscert.Certificate, *tlscert.Certificate, *tlscert.Certificate) {
t.Helper()
tmpDir := t.TempDir()
// ips is the extra list of IPs to include in the certificates.
// It's used to allow the client and Redis certificates to be used in the same host
// when the tests are run using a remote docker daemon.
ips := []net.IP{net.ParseIP("127.0.0.1")}
// Generate CA certificate
caCert := tlscert.SelfSignedFromRequest(tlscert.Request{
Host: "localhost",
IPAddresses: ips,
Name: "ca",
SubjectCommonName: "ca",
IsCA: true,
ParentDir: tmpDir,
})
require.NotNil(t, caCert)
// Generate client certificate
clientCert := tlscert.SelfSignedFromRequest(tlscert.Request{
Host: "localhost",
Name: "Redis Client",
SubjectCommonName: "localhost",
IPAddresses: ips,
Parent: caCert,
ParentDir: tmpDir,
})
require.NotNil(t, clientCert)
// Generate Redis certificate
redisCert := tlscert.SelfSignedFromRequest(tlscert.Request{
Host: "localhost",
IPAddresses: ips,
Name: "Redis Server",
Parent: caCert,
ParentDir: tmpDir,
})
require.NotNil(t, redisCert)
return caCert, clientCert, redisCert
}
func newTestStore(t testing.TB, opts ...testStoreOption) *Storage { func newTestStore(t testing.TB, opts ...testStoreOption) *Storage {
t.Helper() t.Helper()
@@ -71,22 +134,80 @@ func newTestStore(t testing.TB, opts ...testStoreOption) *Storage {
img = imgFromEnv img = imgFromEnv
} }
cfg := Config{
Reset: true,
}
ctx := context.Background() ctx := context.Background()
c, err := redis.Run( tcOpts := []testcontainers.ContainerCustomizer{}
ctx, img,
testcontainers.WithWaitStrategy(wait.ForListeningPort(redisPort).WithStartupTimeout(time.Second*10)), waitStrategies := []wait.Strategy{
) wait.ForListeningPort(redisPort).WithStartupTimeout(time.Second * 10),
}
if settings.withTLS {
// wait for the TLS port to be available
waitStrategies = append(waitStrategies, wait.ForListeningPort(redisTLSPort).WithStartupTimeout(time.Second*10))
cmds := []string{
"--port", "6379",
"--tls-port", "6380",
"--tls-cert-file", "/tls/server.crt",
"--tls-key-file", "/tls/server.key",
"--tls-ca-cert-file", "/tls/ca.crt",
"--tls-auth-clients", "yes",
}
if settings.withMTLSdisabled {
cmds = append(cmds, "--tls-auth-clients", "no")
}
// Generate TLS certificates in the fly and add them to the container before it starts.
// Update the CMD to use the TLS certificates.
caCert, clientCert, serverCert := createTLSCerts(t)
tcOpts = append(tcOpts, testcontainers.CustomizeRequest(testcontainers.GenericContainerRequest{
ContainerRequest: testcontainers.ContainerRequest{
ExposedPorts: []string{"6380/tcp"},
Files: []testcontainers.ContainerFile{
{
Reader: bytes.NewReader(caCert.Bytes),
ContainerFilePath: "/tls/ca.crt",
FileMode: 0o644,
},
{
Reader: bytes.NewReader(serverCert.Bytes),
ContainerFilePath: "/tls/server.crt",
FileMode: 0o644,
},
{
Reader: bytes.NewReader(serverCert.KeyBytes),
ContainerFilePath: "/tls/server.key",
FileMode: 0o644,
},
},
Cmd: cmds,
},
}))
cfg.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
RootCAs: caCert.TLSConfig().RootCAs,
Certificates: clientCert.TLSConfig().Certificates,
ServerName: "localhost", // Match the server cert's common name
}
}
tcOpts = append(tcOpts, testcontainers.WithWaitStrategy(waitStrategies...))
c, err := redis.Run(ctx, img, tcOpts...)
testcontainers.CleanupContainer(t, c) testcontainers.CleanupContainer(t, c)
require.NoError(t, err) require.NoError(t, err)
uri, err := c.ConnectionString(ctx) uri, err := c.ConnectionString(ctx)
require.NoError(t, err) require.NoError(t, err)
cfg := Config{
Reset: true,
}
if settings.withHostPort { if settings.withHostPort {
host, err := c.Host(ctx) host, err := c.Host(ctx)
require.NoError(t, err) require.NoError(t, err)
@@ -107,6 +228,21 @@ func newTestStore(t testing.TB, opts ...testStoreOption) *Storage {
cfg.URL = uri cfg.URL = uri
} }
if settings.withTLS {
host, err := c.Host(ctx)
require.NoError(t, err)
port, err := c.MappedPort(ctx, redisTLSPort)
require.NoError(t, err)
scheme := "redis"
if settings.withSecureURL {
scheme = "rediss"
}
cfg.URL = scheme + "://" + host + ":" + port.Port()
}
return New(cfg) return New(cfg)
} }
@@ -285,120 +421,46 @@ func Test_Redis_Initalize_WithHostPort(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
} }
func Test_Redis_Initalize_WithURL_TLS(t *testing.T) {
cer, err := tls.LoadX509KeyPair("/home/runner/work/storage/storage/tls/client.crt", "/home/runner/work/storage/storage/tls/client.key")
if err != nil {
log.Println(err)
return
}
tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
InsecureSkipVerify: true,
Certificates: []tls.Certificate{cer},
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}
testStoreUrl := New(Config{
URL: "redis://localhost:6380",
TLSConfig: tlsCfg,
})
defer testStoreUrl.Close()
var (
key = "clark"
val = []byte("kent")
)
err = testStoreUrl.Set(key, val, 0)
require.NoError(t, err)
result, err := testStoreUrl.Get(key)
require.NoError(t, err)
require.Equal(t, val, result)
err = testStoreUrl.Delete(key)
require.NoError(t, err)
keys, err := testStoreUrl.Keys()
require.NoError(t, err)
require.Nil(t, keys)
}
func Test_Redis_Initalize_WithURL_TLS_Verify(t *testing.T) { func Test_Redis_Initalize_WithURL_TLS_Verify(t *testing.T) {
cer, err := tls.LoadX509KeyPair("/home/runner/work/storage/storage/tls/client.crt", "/home/runner/work/storage/storage/tls/client.key") testFn := func(secureURL bool, mtlsDisabled bool) {
if err != nil { testStore := newTestStore(t, withTLS(secureURL, mtlsDisabled))
log.Println(err) defer testStore.Close()
return
} var (
tlsCfg := &tls.Config{ key = "clark"
MinVersion: tls.VersionTLS12, val = []byte("kent")
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, )
InsecureSkipVerify: false,
Certificates: []tls.Certificate{cer}, err := testStore.Set(key, val, 0)
CipherSuites: []uint16{ require.NoError(t, err)
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, result, err := testStore.Get(key)
tls.TLS_RSA_WITH_AES_256_GCM_SHA384, require.NoError(t, err)
tls.TLS_RSA_WITH_AES_256_CBC_SHA, require.Equal(t, val, result)
},
err = testStore.Delete(key)
require.NoError(t, err)
keys, err := testStore.Keys()
require.NoError(t, err)
require.Nil(t, keys)
} }
testStoreUrl := New(Config{ t.Run("insecure-url/mtls-disabled", func(t *testing.T) {
URL: "redis://localhost:6380", testFn(false, true)
TLSConfig: tlsCfg,
}) })
defer testStoreUrl.Close()
var ( t.Run("insecure-url/mtls-enabled", func(t *testing.T) {
key = "clark" testFn(false, false)
val = []byte("kent")
)
err = testStoreUrl.Set(key, val, 0)
require.NoError(t, err)
result, err := testStoreUrl.Get(key)
require.NoError(t, err)
require.Equal(t, val, result)
err = testStoreUrl.Delete(key)
require.NoError(t, err)
keys, err := testStoreUrl.Keys()
require.NoError(t, err)
require.Nil(t, keys)
}
func Test_Redis_Initalize_With_Secure_URL(t *testing.T) {
testStoreUrl := New(Config{
URL: "rediss://localhost:16380",
}) })
defer testStoreUrl.Close()
var ( t.Run("secure-url/mtls-disabled", func(t *testing.T) {
key = "clark" testFn(true, true)
val = []byte("kent") })
)
err := testStoreUrl.Set(key, val, 0) t.Run("secure-url/mtls-enabled", func(t *testing.T) {
require.NoError(t, err) testFn(true, false)
})
result, err := testStoreUrl.Get(key)
require.NoError(t, err)
require.Equal(t, val, result)
err = testStoreUrl.Delete(key)
require.NoError(t, err)
keys, err := testStoreUrl.Keys()
require.NoError(t, err)
require.Nil(t, keys)
} }
func Test_Redis_Universal_Addrs(t *testing.T) { func Test_Redis_Universal_Addrs(t *testing.T) {