pkg/storage/redis: add redis TLS support (#1163)

Fixes #1156

pkg/storage/redis/redis_test.go

@@ -1,20 +1,27 @@
-// +build redis
-
 package redis
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"os"
+	"runtime"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/gomodule/redigo/redis"
+	"github.com/ory/dockertest/v3"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/anypb"
 )
 
+var db *DB
+
 func cleanup(c redis.Conn, db *DB, t *testing.T) {
 	require.NoError(t, c.Send("MULTI"))
 	require.NoError(t, c.Send("DEL", db.recordType))
@@ -24,24 +31,97 @@ func cleanup(c redis.Conn, db *DB, t *testing.T) {
 	require.NoError(t, err)
 }
 
+func tlsConfig(rawURL string, t *testing.T) *tls.Config {
+	if !strings.HasPrefix(rawURL, "rediss") {
+		return nil
+	}
+	cert, err := cryptutil.CertificateFromFile("./testdata/tls/redis.crt", "./testdata/tls/redis.key")
+	require.NoError(t, err)
+	caCertPool := x509.NewCertPool()
+	caCert, err := ioutil.ReadFile("./testdata/tls/ca.crt")
+	require.NoError(t, err)
+	caCertPool.AppendCertsFromPEM(caCert)
+	tlsConfig := &tls.Config{
+		RootCAs:      caCertPool,
+		Certificates: []tls.Certificate{*cert},
+	}
+	return tlsConfig
+}
+
+func runWithRedisDockerImage(repo, tag string, env []string, withTLS bool, testFunc func(t *testing.T), t *testing.T) {
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		t.Fatalf("Could not connect to docker: %s", err)
+	}
+	resource, err := pool.Run(repo, tag, env)
+	if err != nil {
+		t.Fatalf("Could not start resource: %s", err)
+	}
+
+	defer func() {
+		if err := pool.Purge(resource); err != nil {
+			t.Fatalf("Could not purge resource: %s", err)
+		}
+	}()
+
+	scheme := "redis"
+	if withTLS {
+		scheme = "rediss"
+	}
+	address := fmt.Sprintf(scheme+"://localhost:%s/0", resource.GetPort("6379/tcp"))
+	if err := pool.Retry(func() error {
+		var err error
+		db, err = New(address, "record_type", int64(time.Hour.Seconds()), WithTLSConfig(tlsConfig(address, t)))
+		if err != nil {
+			return err
+		}
+		_, err = db.pool.Get().Do("PING")
+		return err
+	}); err != nil {
+		t.Fatalf("Could not connect to docker: %s", err)
+	}
+
+	testFunc(t)
+}
+
 func TestDB(t *testing.T) {
+	if os.Getenv("GITHUB_ACTION") != "" && runtime.GOOS == "darwin" {
+		t.Skip("Github action can not run docker on MacOS")
+	}
+	redisTLSEnv := []string{
+		"ALLOW_EMPTY_PASSWORD=yes",
+		"REDIS_TLS_ENABLED=yes",
+		"REDIS_TLS_CERT_FILE=/tls/redis.crt",
+		"REDIS_TLS_KEY_FILE=/tls/redis.key",
+		"REDIS_TLS_CA_FILE=/tls/ca.crt",
+	}
+	tests := []struct {
+		name    string
+		repo    string
+		tag     string
+		env     []string
+		withTLS bool
+	}{
+		{"redis", "redis", "latest", nil, false},
+		{"redis TLS", "gnouc/pomerium-redis-tls", "latest", redisTLSEnv, true},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			runWithRedisDockerImage(tc.repo, tc.tag, tc.env, tc.withTLS, testDB, t)
+		})
+	}
+}
+
+func testDB(t *testing.T) {
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	defer cancelFunc()
-	address := "redis://localhost:6379/0"
-	if redisURL := os.Getenv("REDIS_URL"); redisURL != "" {
-		address = redisURL
-	}
-	db, err := New(address, "record_type", int64(time.Hour.Seconds()))
-	require.NoError(t, err)
+
 	ids := []string{"a", "b", "c"}
 	id := ids[0]
 	c := db.pool.Get()
 	defer c.Close()
 
-	cleanup(c, db, t)
-	_, err = c.Do("DEL", db.lastVersionKey)
-	require.NoError(t, err)
-
 	ch := db.Watch(ctx)
 
 	t.Run("get missing record", func(t *testing.T) {
@@ -94,10 +174,9 @@ func TestDB(t *testing.T) {
 	})
 	t.Run("list", func(t *testing.T) {
 		cleanup(c, db, t)
-		ids := make([]string, 0, 10)
+
 		for i := 0; i < 10; i++ {
 			id := fmt.Sprintf("%02d", i)
-			ids = append(ids, id)
 			data := new(anypb.Any)
 			assert.NoError(t, db.Put(ctx, id, data))
 		}