Merge pull request #982 from gofiber/issue-981

Support for using options.TLSConfig if returned by redis.ParseURL()

.github/scripts/gen-test-certs.sh

@@ -7,6 +7,8 @@
 #   ./tls/client.{crt,key}      A certificate restricted for SSL client usage.
 #   ./tls/server.{crt,key}      A certificate restricted for SSL server usage.
 
+set -e
+
 generate_cert() {
     local name=$1
     local cn="$2"
@@ -44,14 +46,16 @@ cat > ./tls/openssl.cnf <<_END_
 [ server_cert ]
 keyUsage = digitalSignature, keyEncipherment
 nsCertType = server
+subjectAltName = DNS:localhost"
+
 [ client_cert ]
 keyUsage = digitalSignature, keyEncipherment
 nsCertType = client
 _END_
 
 generate_cert server "Server-only" "-extfile ./tls/openssl.cnf -extensions server_cert"
 generate_cert client "Client-only" "-extfile ./tls/openssl.cnf -extensions client_cert"
-generate_cert redis "Generic-cert"
+generate_cert redis "localhost" "-extfile ./tls/openssl.cnf -extensions server_cert"
 
 # List generated certs
 ls -la ./tls

.github/workflows/test-redis.yml

@@ -25,20 +25,35 @@ jobs:
             -   name: Fetch Repository
                 uses: actions/checkout@v4
 
+            -   name: Generate TLS certs
+                run: ./.github/scripts/gen-test-certs.sh
+
+            -   name: Add Custom CA cert
+                run: sudo cp /home/runner/work/storage/storage/tls/ca.crt /usr/local/share/ca-certificates/custom.crt
+
+            -   name: Trust Custom CA Cert
+                run: sudo update-ca-certificates
+
             -   name: Setup Redis
                 uses: shogo82148/actions-setup-redis@v1
                 with:
                     redis-version: ${{ matrix.redis }}
                     auto-start: 'false'
-                    redis-port: '6379'
-                    redis-tls-port: '6380'
 
             -   name: Run Redis
                 run: |
                     redis-server --tls-port 6380 --port 6379 \
-                    --tls-cert-file ./redis/tests/tls/redis.crt \
-                    --tls-key-file ./redis/tests/tls/redis.key \
-                    --tls-ca-cert-file ./redis/tests/tls/ca.crt&
+                    --tls-cert-file /home/runner/work/storage/storage/tls/redis.crt \
+                    --tls-key-file /home/runner/work/storage/storage/tls/redis.key \
+                    --tls-ca-cert-file /home/runner/work/storage/storage/tls/ca.crt &
+
+            -   name: Run Redis instance with MTLS disabled
+                run: |
+                    redis-server --tls-port 16380 --port 16379 \
+                    --tls-cert-file /home/runner/work/storage/storage/tls/redis.crt \
+                    --tls-key-file /home/runner/work/storage/storage/tls/redis.key \
+                    --tls-ca-cert-file /home/runner/work/storage/storage/tls/ca.crt \
+                    --tls-auth-clients no &
 
             -   name: Setup Redis Cluster
                 uses: vishnudxb/[email protected]

redis/redis.go

@@ -33,6 +33,11 @@ func New(config ...Config) *Storage {
 		cfg.Password = options.Password
 		cfg.Database = options.DB
 		cfg.Addrs = []string{options.Addr}
+
+		// If cfg.TLSConfig is not provided, and options returns one, use it.
+		if cfg.TLSConfig == nil && options.TLSConfig != nil {
+			cfg.TLSConfig = options.TLSConfig
+		}
 	} else if len(cfg.Addrs) == 0 {
 		// Fallback to Host and Port values if Addrs is empty
 		cfg.Addrs = []string{fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)}

redis/redis_test.go

@@ -146,7 +146,7 @@ func Test_Redis_Initalize_WithURL(t *testing.T) {
 }
 
 func Test_Redis_Initalize_WithURL_TLS(t *testing.T) {
-	cer, err := tls.LoadX509KeyPair("./tests/tls/client.crt", "./tests/tls/client.key")
+	cer, err := tls.LoadX509KeyPair("/home/runner/work/storage/storage/tls/client.crt", "/home/runner/work/storage/storage/tls/client.key")
 	if err != nil {
 		log.Println(err)
 		return
@@ -188,6 +188,72 @@ func Test_Redis_Initalize_WithURL_TLS(t *testing.T) {
 	require.Nil(t, testStoreUrl.Close())
 }
 
+func Test_Redis_Initalize_WithURL_TLS_Verify(t *testing.T) {
+	cer, err := tls.LoadX509KeyPair("/home/runner/work/storage/storage/tls/client.crt", "/home/runner/work/storage/storage/tls/client.key")
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	tlsCfg := &tls.Config{
+		MinVersion:               tls.VersionTLS12,
+		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		PreferServerCipherSuites: true,
+		InsecureSkipVerify:       false,
+		Certificates:             []tls.Certificate{cer},
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		},
+	}
+
+	testStoreUrl := New(Config{
+		URL:       "redis://localhost:6380",
+		TLSConfig: tlsCfg,
+	})
+
+	var (
+		key = "clark"
+		val = []byte("kent")
+	)
+
+	err = testStoreUrl.Set(key, val, 0)
+	require.NoError(t, err)
+
+	result, err := testStoreUrl.Get(key)
+	require.NoError(t, err)
+	require.Equal(t, val, result)
+
+	err = testStoreUrl.Delete(key)
+	require.NoError(t, err)
+
+	require.Nil(t, testStoreUrl.Close())
+}
+
+func Test_Redis_Initalize_With_Secure_URL(t *testing.T) {
+	testStoreUrl := New(Config{
+		URL: "rediss://localhost:16380",
+	})
+
+	var (
+		key = "clark"
+		val = []byte("kent")
+	)
+
+	err := testStoreUrl.Set(key, val, 0)
+	require.NoError(t, err)
+
+	result, err := testStoreUrl.Get(key)
+	require.NoError(t, err)
+	require.Equal(t, val, result)
+
+	err = testStoreUrl.Delete(key)
+	require.NoError(t, err)
+
+	require.Nil(t, testStoreUrl.Close())
+}
+
 func Test_Redis_Universal_Addrs(t *testing.T) {
 	// This should failover and create a Single Node connection.
 	testStoreUniversal := New(Config{