connect: add SSL support

The patch adds options to configure traffic encryption[1]:

--sslkeyfile - a path to a private SSL key file;
--sslcerfile - a path to an SSL certificate file;
--sslcafile  - a path to a trusted certificate authorities (CA) file;
--sslciphers - colon-separated (:) list of SSL cipher suites the
  connection can use;

1. https://www.tarantool.io/en/enterprise_doc/security/#configuration

Part of #308

Author: oleg-jukovec

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   as control socket, pid file and log file. This option affects only single instance applications.
 - An ability to set different directories for WAL, vinyl and snapshots artifacts.
 - ``tt instances`` command to print a list of enabled applications.
+- SSL options for ``tt connect`` command.
 
 ### Changed
 

cli/cmd/connect.go

@@ -29,6 +29,10 @@ var (
 	connectPassword    string
 	connectFile        string
 	connectLanguage    string
+	connectSslKeyFile  string
+	connectSslCertFile string
+	connectSslCaFile   string
+	connectSslCiphers  string
 	connectInteractive bool
 )
 
@@ -58,6 +62,16 @@ func NewConnectCmd() *cobra.Command {
 		`file to read the script for evaluation. "-" - read the script from stdin`)
 	connectCmd.Flags().StringVarP(&connectLanguage, "language", "l",
 		connect.DefaultLanguage.String(), `language: lua or sql`)
+	connectCmd.Flags().StringVarP(&connectSslKeyFile, "sslkeyfile", "",
+		connect.DefaultLanguage.String(), `path to a private SSL key file`)
+	connectCmd.Flags().StringVarP(&connectSslCertFile, "sslcertfile", "",
+		connect.DefaultLanguage.String(), `path to an SSL certificate file`)
+	connectCmd.Flags().StringVarP(&connectSslCaFile, "sslcafile", "",
+		connect.DefaultLanguage.String(),
+		`path to a trusted certificate authorities (CA) file`)
+	connectCmd.Flags().StringVarP(&connectSslCiphers, "sslciphers", "",
+		connect.DefaultLanguage.String(),
+		`colon-separated (:) list of SSL cipher suites the connection`)
 	connectCmd.Flags().BoolVarP(&connectInteractive, "interactive", "i",
 		false, `enter interactive mode after executing 'FILE'`)
 
@@ -170,6 +184,10 @@ func internalConnectModule(cmdCtx *cmdcontext.CmdCtx, args []string) error {
 		Username:    connectUser,
 		Password:    connectPassword,
 		SrcFile:     connectFile,
+		SslKeyFile:  connectSslKeyFile,
+		SslCertFile: connectSslCertFile,
+		SslCaFile:   connectSslCaFile,
+		SslCiphers:  connectSslCiphers,
 		Interactive: connectInteractive,
 	}
 

cli/connect/connect.go

@@ -22,6 +22,15 @@ type ConnectCtx struct {
 	SrcFile string
 	// Language to use for execution.
 	Language Language
+	// SslKeyFile is a path to a private SSL key file.
+	SslKeyFile string
+	// SslCertFile is a path to an SSL certificate file.
+	SslCertFile string
+	// SslCaFile is a path to a trusted certificate authorities (CA) file.
+	SslCaFile string
+	// SslCiphers is a colon-separated (:) list of SSL cipher suites the
+	// connection can use.
+	SslCiphers string
 	// Interactive mode is used.
 	Interactive bool
 }
@@ -34,7 +43,13 @@ const (
 func getConnOpts(connString string, connCtx ConnectCtx) connector.ConnectOpts {
 	username := connCtx.Username
 	password := connCtx.Password
-	return connector.MakeConnectOpts(connString, username, password)
+	ssl := connector.SslOpts{
+		KeyFile:  connCtx.SslKeyFile,
+		CertFile: connCtx.SslCertFile,
+		CaFile:   connCtx.SslCaFile,
+		Ciphers:  connCtx.SslCiphers,
+	}
+	return connector.MakeConnectOpts(connString, username, password, ssl)
 }
 
 // getEvalCmd returns a command from the input source (file or stdin).

cli/connector/connector.go

@@ -74,10 +74,22 @@ func Connect(opts ConnectOpts) (Connector, error) {
 	// Set a deadline for the greeting.
 	greetingConn.SetReadDeadline(time.Now().Add(greetingOperationTimeout))
 
-	// Detect protocol.
+	// Detect transport and protocol.
+	ssl := opts.Ssl.KeyFile != "" || opts.Ssl.CertFile != "" ||
+		opts.Ssl.CaFile != "" || opts.Ssl.Ciphers != ""
+	transport := ""
 	protocol, err := GetProtocol(greetingConn)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get protocol: %s", err)
+		if ssl {
+			protocol = BinaryProtocol
+			transport = "ssl"
+		} else {
+			return nil, fmt.Errorf("failed to get protocol: %s", err)
+		}
+	} else if ssl {
+		greetingConn.Close()
+		errMsg := "unencrypted connection established, but encryption required"
+		return nil, fmt.Errorf(errMsg)
 	}
 
 	// Reset the deadline. From the SetDeadline doc:
@@ -95,6 +107,8 @@ func Connect(opts ConnectOpts) (Connector, error) {
 		conn, err := tarantool.Connect(addr, tarantool.Opts{
 			User:       opts.Username,
 			Pass:       opts.Password,
+			Transport:  transport,
+			Ssl:        tarantool.SslOpts(opts.Ssl),
 			SkipSchema: true, // We don't need a schema for eval requests.
 		})
 		if err != nil {

cli/connector/integration_test.go

@@ -1,4 +1,4 @@
-// +build integration
+//go:build integration
 
 package connector_test
 
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/tarantool/go-tarantool"
 	"github.com/tarantool/go-tarantool/test_helpers"
 
@@ -18,13 +19,20 @@ import (
 
 const workDir = "work_dir"
 const server = "127.0.0.1:3013"
+const serverTls = "127.0.0.1:3014"
 const console = workDir + "/" + "console.control"
 
+var tarantoolEe bool
 var opts = tarantool.Opts{
 	Timeout: 500 * time.Millisecond,
 	User:    "test",
 	Pass:    "password",
 }
+var sslOpts = SslOpts{
+	KeyFile:  "testdata/localhost.key",
+	CertFile: "testdata/localhost.crt",
+	CaFile:   "testdata/ca.crt",
+}
 
 func textConnectWithValidation(t *testing.T) *TextConnector {
 	t.Helper()
@@ -167,12 +175,44 @@ func TestBinaryConnector_Eval_pushCallback(t *testing.T) {
 
 func TestConnect_binary(t *testing.T) {
 	conn, err := Connect(ConnectOpts{
-		Network: "tcp",
-		Address: server,
+		Network:  "tcp",
+		Address:  server,
 		Username: "test",
 		Password: "password",
 	})
+	require.NoError(t, err)
+	defer conn.Close()
+
+	eval := "return 'hello', 'world'"
+	ret, err := conn.Eval(eval, []interface{}{}, RequestOpts{})
 	assert.NoError(t, err)
+	assert.Equal(t, []interface{}{"hello", "world"}, ret)
+}
+
+func TestConnect_binaryTlsToNoTls(t *testing.T) {
+	_, err := Connect(ConnectOpts{
+		Network:  "tcp",
+		Address:  server,
+		Username: "test",
+		Password: "password",
+		Ssl:      sslOpts,
+	})
+	expected := "unencrypted connection established, but encryption required"
+	require.ErrorContains(t, err, expected)
+}
+
+func TestConnect_binaryTlsToTls(t *testing.T) {
+	if !tarantoolEe {
+		t.Skip("Only for Tarantool Enterprise.")
+	}
+	conn, err := Connect(ConnectOpts{
+		Network:  "tcp",
+		Address:  serverTls,
+		Username: "test",
+		Password: "password",
+		Ssl:      sslOpts,
+	})
+	require.NoError(t, err)
 	defer conn.Close()
 
 	eval := "return 'hello', 'world'"
@@ -186,7 +226,7 @@ func TestConnect_text(t *testing.T) {
 		Network: "unix",
 		Address: console,
 	})
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	defer conn.Close()
 
 	eval := "return 'hello', 'world'"
@@ -195,23 +235,76 @@ func TestConnect_text(t *testing.T) {
 	assert.Equal(t, []interface{}{"hello", "world"}, ret)
 }
 
+func TestConnect_textTls(t *testing.T) {
+	_, err := Connect(ConnectOpts{
+		Network: "unix",
+		Address: console,
+		Ssl:     sslOpts,
+	})
+	expected := "unencrypted connection established, but encryption required"
+	require.ErrorContains(t, err, expected)
+}
+
 func runTestMain(m *testing.M) int {
 	inst, err := test_helpers.StartTarantool(test_helpers.StartOpts{
-		InitScript:         "testdata/config.lua",
-		Listen:             server,
-		WorkDir:            workDir,
-		User:               opts.User,
-		Pass:               opts.Pass,
-		WaitStart:          100 * time.Millisecond,
-		ConnectRetry:       3,
-		RetryTimeout:       500 * time.Millisecond,
+		InitScript:   "testdata/config.lua",
+		Listen:       server,
+		WorkDir:      workDir,
+		User:         opts.User,
+		Pass:         opts.Pass,
+		WaitStart:    100 * time.Millisecond,
+		ConnectRetry: 3,
+		RetryTimeout: 500 * time.Millisecond,
 	})
 	defer test_helpers.StopTarantoolWithCleanup(inst)
-
 	if err != nil {
 		log.Fatalf("Failed to prepare test tarantool: %s", err)
 	}
 
+	conn, err := tarantool.Connect(server, opts)
+	if err != nil {
+		log.Fatalf("Failed to check tarantool version: %s", err)
+	}
+	req := tarantool.NewEvalRequest("return box.info.package")
+	resp, err := conn.Do(req).Get()
+	conn.Close()
+
+	if err != nil {
+		log.Fatalf("Failed to get box.info.package: %s", err)
+	}
+
+	if len(resp.Data) > 0 {
+		if pack, ok := resp.Data[0].(string); ok {
+			tarantoolEe = pack == "Tarantool Enterprise"
+		}
+	}
+
+	if tarantoolEe {
+		// Try to start Tarantool instance with TLS.
+		listen := serverTls + "?transport=ssl&" +
+			"ssl_key_file=testdata/localhost.key&" +
+			"ssl_cert_file=testdata/localhost.crt&" +
+			"ssl_ca_file=testdata/ca.crt"
+		inst, err = test_helpers.StartTarantool(test_helpers.StartOpts{
+			InitScript:      "testdata/config.lua",
+			Listen:          listen,
+			SslCertsDir:     "testdata",
+			ClientServer:    serverTls,
+			ClientTransport: "ssl",
+			ClientSsl:       tarantool.SslOpts(sslOpts),
+			WorkDir:         workDir,
+			User:            opts.User,
+			Pass:            opts.Pass,
+			WaitStart:       100 * time.Millisecond,
+			ConnectRetry:    3,
+			RetryTimeout:    500 * time.Millisecond,
+		})
+		if err != nil {
+			log.Fatalf("Failed to prepare test tarantool with TLS: %s", err)
+		}
+		defer test_helpers.StopTarantoolWithCleanup(inst)
+	}
+
 	return m.Run()
 }
 

cli/connector/opts.go

@@ -20,16 +20,33 @@ type ConnectOpts struct {
 	Username string
 	// Password of the user.
 	Password string
+	// Ssl options for a connection.
+	Ssl SslOpts
+}
+
+// SslOpts is a way to configure SSL connection.
+type SslOpts struct {
+	// KeyFile is a path to a private SSL key file.
+	KeyFile string
+	// CertFile is a path to an SSL certificate file.
+	CertFile string
+	// CaFile is a path to a trusted certificate authorities (CA) file.
+	CaFile string
+	// Ciphers is a colon-separated (:) list of SSL cipher suites the
+	// connection can use.
+	Ciphers string
 }
 
 // MakeConnectOpts creates a new connection options object according to the
 // arguments passed. An username and a password values from the connection
 // string are used only if the username and password from the arguments are
 // empty.
-func MakeConnectOpts(connString, username, password string) ConnectOpts {
+func MakeConnectOpts(connString, username, password string,
+	ssl SslOpts) ConnectOpts {
 	connOpts := ConnectOpts{
 		Username: username,
 		Password: password,
+		Ssl:      ssl,
 	}
 
 	connStringParts := strings.SplitN(connString, "@", 2)