chore(pkg/server): implement automatic generation of self-signed HTTP…

…S certificate

- add --auto-cert flag to enable automatic HTTPS certificate generation;
- properly initialize client used by grpc-gateway when TLS is used.

Signed-off-by: Stefano Scafiti <stefano.scafiti96@gmail.com>

cmd/immudb/command/init.go

@@ -55,6 +55,7 @@ func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options) {
 	cmd.Flags().Int("max-recv-msg-size", options.MaxRecvMsgSize, "max message size in bytes the server can receive")
 	cmd.Flags().Bool("no-histograms", false, "disable collection of histogram metrics like query durations")
 	cmd.Flags().BoolP(c.DetachedFlag, c.DetachedShortFlag, options.Detached, "run immudb in background")
+	cmd.Flags().Bool("auto-cert", options.AutoCert, "start the server using a generated, self-signed HTTPS certificate")
 	cmd.Flags().String("certificate", "", "server certificate file path")
 	cmd.Flags().String("pkey", "", "server private key path")
 	cmd.Flags().String("clientcas", "", "clients certificates list. Aka certificate authority")
@@ -122,6 +123,7 @@ func setupDefaults(options *server.Options) {
 	viper.SetDefault("max-recv-msg-size", options.MaxRecvMsgSize)
 	viper.SetDefault("no-histograms", options.NoHistograms)
 	viper.SetDefault("detached", options.Detached)
+	viper.SetDefault("auto-cert", options.AutoCert)
 	viper.SetDefault("certificate", "")
 	viper.SetDefault("pkey", "")
 	viper.SetDefault("clientcas", "")

cmd/immudb/command/parse_options.go

@@ -59,6 +59,7 @@ func parseOptions() (options *server.Options, err error) {
 	maxRecvMsgSize := viper.GetInt("max-recv-msg-size")
 	noHistograms := viper.GetBool("no-histograms")
 	detached := viper.GetBool("detached")
+	autoCert := viper.GetBool("auto-cert")
 	certificate := viper.GetString("certificate")
 	pkey := viper.GetString("pkey")
 	clientcas := viper.GetString("clientcas")
@@ -118,7 +119,7 @@ func parseOptions() (options *server.Options, err error) {
 		WithMaxSessionAgeTime(viper.GetDuration("max-session-age-time")).
 		WithTimeout(viper.GetDuration("session-timeout"))
 
-	tlsConfig, err := setUpTLS(pkey, certificate, clientcas, mtls)
+	tlsConfig, err := setUpTLS(pkey, certificate, clientcas, mtls, autoCert)
 	if err != nil {
 		return options, err
 	}

cmd/immudb/command/tls_config.go

@@ -21,32 +21,67 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"os"
+	"path/filepath"
+	"time"
+
+	tlscert "github.com/codenotary/immudb/pkg/cert"
+)
+
+const (
+	certFileDefault = "immudb-cert.pem"
+	keyFileDefault  = "immudb-key.pem"
+
+	certOrganizationDefault = "immudb"
+	certExpirationDefault   = 365 * 24 * time.Hour
 )
 
-func setUpTLS(pkey, cert, ca string, mtls bool) (*tls.Config, error) {
+func setUpTLS(pkeyPath, certPath, ca string, mtls bool, autoCert bool) (*tls.Config, error) {
+	if (pkeyPath == "" && certPath != "") || (pkeyPath != "" && certPath == "") {
+		return nil, fmt.Errorf("both certificate and private key paths must be specified or neither")
+	}
+
 	var c *tls.Config
 
-	if cert != "" && pkey != "" {
-		certs, err := tls.LoadX509KeyPair(cert, pkey)
+	certPath, pkeyPath, err := getCertAndKeyPath(certPath, pkeyPath, autoCert)
+	if err != nil {
+		return nil, err
+	}
+
+	if certPath != "" && pkeyPath != "" {
+		cert, err := ensureCert(certPath, pkeyPath, autoCert)
 		if err != nil {
-			return nil, errors.New(fmt.Sprintf("failed to read client certificate or private key: %v", err))
+			return nil, fmt.Errorf("failed to read client certificate or private key: %v", err)
 		}
+
 		c = &tls.Config{
-			Certificates: []tls.Certificate{certs},
+			Certificates: []tls.Certificate{*cert},
 			ClientAuth:   tls.VerifyClientCertIfGiven,
 		}
+
+		if autoCert {
+			rootCert, err := os.ReadFile(certPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read root cert: %v", err)
+			}
+
+			rootPool := x509.NewCertPool()
+			if ok := rootPool.AppendCertsFromPEM(rootCert); !ok {
+				return nil, fmt.Errorf("failed to read root cert")
+			}
+			c.RootCAs = rootPool
+		}
 	}
 
-	if mtls && (cert == "" || pkey == "") {
+	if mtls && (certPath == "" || pkeyPath == "") {
 		return nil, errors.New("in order to enable MTLS a certificate and private key are required")
 	}
 
 	// if CA is not provided there is an automatic load of local CA in os
 	if mtls && ca != "" {
 		certPool := x509.NewCertPool()
 		// Trusted store, contain the list of trusted certificates. client has to use one of this certificate to be trusted by this server
-		bs, err := ioutil.ReadFile(ca)
+		bs, err := os.ReadFile(ca)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read client ca cert: %v", err)
 		}
@@ -57,6 +92,40 @@ func setUpTLS(pkey, cert, ca string, mtls bool) (*tls.Config, error) {
 		}
 		c.ClientCAs = certPool
 	}
-
 	return c, nil
 }
+
+func loadCert(certPath, keyPath string) (*tls.Certificate, error) {
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load cert/key pair: %w", err)
+	}
+	return &cert, nil
+}
+
+func ensureCert(certPath, keyPath string, genCert bool) (*tls.Certificate, error) {
+	_, err1 := os.Stat(certPath)
+	_, err2 := os.Stat(keyPath)
+
+	if (os.IsNotExist(err1) || os.IsNotExist(err2)) && genCert {
+		if err := tlscert.GenerateSelfSignedCert(certPath, keyPath, certOrganizationDefault, certExpirationDefault); err != nil {
+			return nil, err
+		}
+	}
+	return loadCert(certPath, keyPath)
+}
+
+func getCertAndKeyPath(certPath, keyPath string, useDefault bool) (string, string, error) {
+	if !useDefault || (certPath != "" && keyPath != "") {
+		return certPath, keyPath, nil
+	}
+
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", "", fmt.Errorf("cannot get user home directory: %w", err)
+	}
+
+	return filepath.Join(homeDir, "immudb", "ssl", certFileDefault),
+		filepath.Join(homeDir, "immudb", "ssl", keyFileDefault),
+		nil
+}

cmd/immudb/command/tls_config_test.go

@@ -19,6 +19,7 @@ package immudb
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -54,23 +55,66 @@ d/ax/lUR3RCVV6A+hzTgOhYKvoV1U6iX21hUarcm6MB6qaeORCHfQzQpn62nRe6X
 `
 
 func TestSetUpTLS(t *testing.T) {
-	_, err := setUpTLS("banana", "banana", "banana", false)
+	_, err := setUpTLS("banana", "", "banana", false, false)
 	require.Error(t, err)
-	_, err = setUpTLS("", "", "", true)
+	_, err = setUpTLS("banana", "banana", "banana", false, false)
 	require.Error(t, err)
-	_, err = setUpTLS("banana", "", "", true)
+	_, err = setUpTLS("", "", "", true, false)
+	require.Error(t, err)
+	_, err = setUpTLS("banana", "", "", true, false)
 	require.Error(t, err)
 
 	defer os.Remove("xxkey.pem")
 	f, _ := os.Create("xxkey.pem")
-	fmt.Fprintf(f, key)
+	fmt.Fprint(f, key)
 	f.Close()
 
 	defer os.Remove("xxcert.pem")
 	f, _ = os.Create("xxcert.pem")
-	fmt.Fprintf(f, cert)
+	fmt.Fprint(f, cert)
 	f.Close()
 
-	_, err = setUpTLS("xxkey.pem", "xxcert.pem", "banana", true)
+	_, err = setUpTLS("xxkey.pem", "xxcert.pem", "banana", true, false)
 	require.Error(t, err)
 }
+
+func TestSetUpTLSWithAutoHTTPS(t *testing.T) {
+	t.Run("use specified paths", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		certFile := filepath.Join(tempDir, "immudb.cert")
+		keyFile := filepath.Join(tempDir, "immudb.key")
+
+		tlsConfig, err := setUpTLS(certFile, keyFile, "", false, false)
+		require.Error(t, err)
+		require.Nil(t, tlsConfig)
+
+		tlsConfig, err = setUpTLS(certFile, keyFile, "", false, true)
+		require.NoError(t, err)
+		require.NotNil(t, tlsConfig)
+
+		require.FileExists(t, certFile)
+		require.FileExists(t, keyFile)
+
+		tlsConfig, err = setUpTLS(certFile, keyFile, "", false, false)
+		require.NoError(t, err)
+		require.NotNil(t, tlsConfig)
+	})
+
+	t.Run("use default paths", func(t *testing.T) {
+		certPath, keyPath, err := getCertAndKeyPath("", "", true)
+		require.NoError(t, err)
+
+		defer func() {
+			os.RemoveAll(certPath)
+			os.Remove(keyPath)
+		}()
+
+		tlsConfig, err := setUpTLS("", "", "", false, true)
+		require.NoError(t, err)
+		require.NotNil(t, tlsConfig)
+
+		require.FileExists(t, certPath)
+		require.FileExists(t, keyPath)
+	})
+}

pkg/cert/cert.go

@@ -0,0 +1,119 @@
+/*
+Copyright 2024 Codenotary Inc. All rights reserved.
+
+SPDX-License-Identifier: BUSL-1.1
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	https://mariadb.com/bsl11/
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"os"
+	"path"
+	"time"
+)
+
+func GenerateSelfSignedCert(certPath, keyPath string, org string, expiration time.Duration) error {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return fmt.Errorf("failed to generate RSA key: %w", err)
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(expiration)
+
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	hostname, err := os.Hostname()
+	if err != nil {
+		return err
+	}
+
+	ips, err := listIPs()
+	if err != nil {
+		return err
+	}
+	ips = append(ips, net.ParseIP("0.0.0.0"))
+
+	issuerOrSubject := pkix.Name{
+		Organization: []string{org},
+	}
+
+	template := x509.Certificate{
+		Issuer:       issuerOrSubject,
+		SerialNumber: serialNumber,
+		Subject:      issuerOrSubject,
+		DNSNames:     []string{"localhost", hostname},
+		NotBefore:    notBefore,
+		NotAfter:     notAfter,
+		IPAddresses:  ips,
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	if err := os.MkdirAll(path.Dir(certPath), 0755); err != nil {
+		return err
+	}
+
+	certBytesPem := encodePEM(certBytes, "CERTIFICATE")
+	if err := os.WriteFile(certPath, certBytesPem, 0644); err != nil {
+		return fmt.Errorf("failed to write cert file: %w", err)
+	}
+
+	privBytes := x509.MarshalPKCS1PrivateKey(priv)
+	privBytesPem := encodePEM(privBytes, "PRIVATE KEY")
+
+	if err := os.WriteFile(keyPath, privBytesPem, 0600); err != nil {
+		return fmt.Errorf("failed to write key file: %w", err)
+	}
+	return nil
+}
+
+func encodePEM(data []byte, blockType string) []byte {
+	block := &pem.Block{
+		Type:  blockType,
+		Bytes: data,
+	}
+	return pem.EncodeToMemory(block)
+}
+
+func listIPs() ([]net.IP, error) {
+	addresses, err := net.InterfaceAddrs()
+	if err != nil {
+		return nil, err
+	}
+
+	ips := make([]net.IP, 0, len(addresses))
+	for _, addr := range addresses {
+		ipNet, ok := addr.(*net.IPNet)
+		if ok {
+			ips = append(ips, ipNet.IP)
+		}
+	}
+	return ips, nil
+}

pkg/server/corruption_checker_test.go

@@ -16,6 +16,8 @@ limitations under the License.
 
 package server
 
+import "fmt"
+
 /*
 import (
 	"testing"
@@ -377,18 +379,33 @@ func makeDB(dir string) *badger.DB {
 
 */
 
-type mockLogger struct{}
+type mockLogger struct {
+	lines []string
+}
 
-func (l *mockLogger) Errorf(f string, v ...interface{}) {}
+func (l *mockLogger) Errorf(f string, v ...interface{}) {
+	l.log("ERROR", f, v...)
+}
 
-func (l *mockLogger) Warningf(f string, v ...interface{}) {}
+func (l *mockLogger) Warningf(f string, v ...interface{}) {
+	l.log("WARN", f, v...)
+}
 
-func (l *mockLogger) Infof(f string, v ...interface{}) {}
+func (l *mockLogger) Infof(f string, v ...interface{}) {
+	l.log("INFO", f, v...)
+}
 
-func (l *mockLogger) Debugf(f string, v ...interface{}) {}
+func (l *mockLogger) Debugf(f string, v ...interface{}) {
+	l.log("DEBUG", f, v...)
+}
 
 func (l *mockLogger) Close() error { return nil }
 
+func (l *mockLogger) log(level, f string, v ...interface{}) {
+	line := level + ": " + fmt.Sprintf(f, v...)
+	l.lines = append(l.lines, line)
+}
+
 /*
 func TestCryptoRandSource_Seed(t *testing.T) {
 	cs := newCryptoRandSource()