Add TLS utilities

This patch adds utilities under the temporal.tls namespace to assist with
connecting clients to TLS enabled Temporal backends.

Signed-off-by: Greg Haskins <[email protected]>

Author: ghaskins

project.clj

@@ -29,7 +29,8 @@
 
   :profiles {:dev {:dependencies   [[org.clojure/tools.namespace "1.4.4"]
                                     [eftest "0.6.0"]
-                                    [io.temporal/temporal-opentracing "1.22.3"]]}}
+                                    [io.temporal/temporal-opentracing "1.22.3"]]
+                   :resource-paths ["test/temporal/test/resources"]}}
   :cloverage {:runner :eftest
               :runner-opts {:multithread? false
                             :fail-fast? true}

src/temporal/client/core.clj

@@ -64,7 +64,7 @@ Arguments:
 | :data-converter           | Overrides the data converter used to serialize arguments and results.       | [DataConverter](https://www.javadoc.io/doc/io.temporal/temporal-sdk/latest/io/temporal/common/converter/DataConverter.html) | |
 | :interceptors             | Collection of interceptors used to intercept workflow client calls.         | [WorkflowClientInterceptor](https://javadoc.io/doc/io.temporal/temporal-sdk/latest/io/temporal/common/interceptors/WorkflowClientInterceptor.html) | |
 | :channel                  | Sets gRPC channel to use. Exclusive with target and sslContext              | [ManagedChannel](https://grpc.github.io/grpc-java/javadoc/io/grpc/ManagedChannel.html) | |
-| :ssl-context              | Sets gRPC SSL Context to use                                                | [SslContext](https://netty.io/4.0/api/io/netty/handler/ssl/SslContext.html) | |
+| :ssl-context              | Sets gRPC SSL Context to use (See [[temporal.tls/new-ssl-context]])         | [SslContext](https://netty.io/4.0/api/io/netty/handler/ssl/SslContext.html) | |
 | :enable-https             | Sets option to enable SSL/TLS/HTTPS for gRPC                                | boolean      | false |
 | :rpc-timeout              | Sets the rpc timeout value for non query and non long poll calls            | [Duration](https://docs.oracle.com/javase/8/docs/api//java/time/Duration.html) | 10s |
 | :rpc-long-poll-timeout    | Sets the rpc timeout value                                                  | [Duration](https://docs.oracle.com/javase/8/docs/api//java/time/Duration.html) | 60s |

src/temporal/tls.clj

@@ -0,0 +1,49 @@
+;; Copyright © Manetu, Inc.  All rights reserved
+
+(ns temporal.tls
+  "Utilities for connecting to TLS enabled Temporal clusters"
+  (:require [clojure.java.io :as io])
+  (:import [java.security KeyStore]
+           [java.security.cert CertificateFactory X509Certificate]
+           [javax.net.ssl TrustManagerFactory]
+           [io.grpc.netty.shaded.io.grpc.netty GrpcSslContexts]
+           [io.grpc.netty.shaded.io.netty.handler.ssl SslContext]))
+
+(defn- new-ca
+  ^X509Certificate [certpath]
+  (let [cf (CertificateFactory/getInstance "X.509")]
+    (with-open [is (io/input-stream certpath)]
+      (.generateCertificate cf is))))
+
+(defn- new-keystore
+  ^KeyStore [certpath]
+  (let [ca (new-ca certpath)
+        ks-type (KeyStore/getDefaultType)]
+    (doto (KeyStore/getInstance ks-type)
+      (.load nil nil)
+      (.setCertificateEntry "ca" ca))))
+
+(defn- new-trustmanagerfactory
+  ^TrustManagerFactory [certpath]
+  (let [alg (TrustManagerFactory/getDefaultAlgorithm)
+        ks (new-keystore certpath)]
+    (doto (TrustManagerFactory/getInstance alg)
+      (.init ks))))
+
+(defn new-ssl-context
+  "
+Creates a new gRPC [SslContext](https://netty.io/4.0/api/io/netty/handler/ssl/SslContext.html) suitable for passing to the :ssl-context option of [[temporal.client.core/create-client]]
+
+Arguments:
+
+- `ca-path`:   The path to a PEM encoded x509 Certificate Authority root certificate for validating the Temporal server.
+- `cert-path`: The path to a PEM encoded x509 Certificate representing this client's identity, used for mutual TLS authentication.
+- 'key-path':  The path to a PEM encoded private key representing this client's identity, used for mutual TLS authentication.
+
+"
+  ^SslContext [{:keys [ca-path cert-path key-path] :as args}]
+  (-> (GrpcSslContexts/forClient)
+      (cond->
+       (some? ca-path) (.trustManager (new-trustmanagerfactory ca-path))
+       (and (some? cert-path) (some? key-path)) (.keyManager (io/file cert-path) (io/file key-path)))
+      (.build)))

test/temporal/test/resources/ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfagAwIBAgIQLLzSA48U8GQtqMFMgazHjzANBgkqhkiG9w0BAQsFADAh
+MR8wHQYDVQQDExZZdWdhYnl0ZSBTZWxmc2lnbmVkIENBMB4XDTIzMTIyOTIwMzM0
+N1oXDTI0MDMyODIwMzM0N1owITEfMB0GA1UEAxMWWXVnYWJ5dGUgU2VsZnNpZ25l
+ZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJGsOx6lyoQfP2f
+ByK6LAN1/CTdPoNNVMok7ibP3XKiqE0Dyrv9I/66pZqQrP1HYnv+uVXFDBPMqhXa
+Bw5MyW0kjWQzruh2nTDWljZLl129XsvbPR4zkR+UH+6AoHxLIsfS1//jwE+y7OC8
+2vpE5PAsBsR2hPXGYPqWeZWscjDW0A0QpYI2b0q8UUnY36cr2fBv0tG/ZwDnhEBe
+9E2kTnL4NIcRxoOZXN85NusRBN5oueGOhyVeSBNz2ym1o8D8mMT1L3YHZXsTMDBA
+OTYpzCx+hgVtrp3cQUWWGp8R8G3FtrWDvJGxf34X5k/4txlRlaGrQ98w3AM8JdMr
+0irWANMCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFBWjvPFAs3z0xzL+LSwcskkw1rcxMA0GCSqGSIb3DQEBCwUAA4IB
+AQBXvO40RJ0Gy4Mcmn1R7CWDBKfRdqvSVoZdQwI0ZNQ0HXWzln4OksprohWRQJNJ
+yqvw6DG7LroyfGEn8sfO1fzLcROymGK1akSu4PT0QSHMfmS377OPJvS6licFSvMB
+2aFiD2pmQRlNa9mHAxAvGMPnAgrWhNALEPfePpVo9eR+06cJj17WXU/LGA3Fey1N
+fAZ7W/LPpFBPPs98gbgJvhUIOJ8IvxPbNTG/21kQK8CfJ2dBnkNZOcm/FI5z+eu1
+O5swP6MRHuybvkHhyrhbU67f3iACpCgGzg1YUSjuXm9W+c4LB6qsGiZ/yGc2jJ8v
+sbxxhViVNVJ58wbJ63C3OimS
+-----END CERTIFICATE-----

test/temporal/test/resources/tls.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIRAJHL+sXVDe5KtY39RLUHnZAwDQYJKoZIhvcNAQELBQAw
+ITEfMB0GA1UEAxMWWXVnYWJ5dGUgU2VsZnNpZ25lZCBDQTAeFw0yMzEyMjkyMDMz
+NTFaFw0yNDAzMjgyMDMzNTFaMBMxETAPBgNVBAMTCHl1Z2FieXRlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Im+0RuHFVA1X7j1XNnr4B68ognJN1Dr
++/YtSiiN14QMRHENjlhUwi8pdvDwOvozyjQnufLchoOY7FpFlOgm99j5JjTD0F52
+vBhL1Xe0XB3NrI1e6FizqoOzv7WfBwTepptuF3p1U8RIiqHtxVHUUFsX3LrwKRqD
+QgNGvQA4YJOdlOzAdpYmH/MDehFIrX0iZRfLc/Eb4uOc+CZxOHboMi8lAlNdnSFj
+8coLYYI7PUSsc1l/XNwvm4p09cWmuDpwaEHMmVOfLh2WBChojDgzYbRcSBbX+VS4
+pW6EEnGthNx8/DyFXkiVKSBWMIhDHWhcsiG6PP3mlfuGqYOLSDZGbwIDAQABo0Yw
+RDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaA
+FBWjvPFAs3z0xzL+LSwcskkw1rcxMA0GCSqGSIb3DQEBCwUAA4IBAQBCqRpJz0c/
+2bYVaUiH8bk+ubW0iDQH3kCpHS5uTLWNO/gsWE7H+Gp93AZueb3dWoiuZWAlahNL
+qLLgKhwM0P527nnoEhBcCYlA3fEfArTWIq4CAE6SX4jUPYsVp4ZUMfQTICsivtPw
+uL0lcupDnrpmmiDCYCiCcmT/kXuzUrSyO4Qu8pbznfvhHBa6fxdJdQ6bBFZ1zBox
+jJe0UnS7emCFAUzv4yNPw1yFyMqMIwfwN2arVxcz1WQhbM1uLenK6gVjBglnnFDT
+9ZsM/ZZXGUvqiIIRvGrREES9Ljuic2j2q/keUXJFg9917dy3ep884+5vv7cxoha1
+RNY6CYw4pDlU
+-----END CERTIFICATE-----

test/temporal/test/resources/tls.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDYib7RG4cVUDVf
+uPVc2evgHryiCck3UOv79i1KKI3XhAxEcQ2OWFTCLyl28PA6+jPKNCe58tyGg5js
+WkWU6Cb32PkmNMPQXna8GEvVd7RcHc2sjV7oWLOqg7O/tZ8HBN6mm24XenVTxEiK
+oe3FUdRQWxfcuvApGoNCA0a9ADhgk52U7MB2liYf8wN6EUitfSJlF8tz8Rvi45z4
+JnE4dugyLyUCU12dIWPxygthgjs9RKxzWX9c3C+binT1xaa4OnBoQcyZU58uHZYE
+KGiMODNhtFxIFtf5VLilboQSca2E3Hz8PIVeSJUpIFYwiEMdaFyyIbo8/eaV+4ap
+g4tINkZvAgMBAAECggEBAMilQppSzqXyL7LmGP2TtJx0/seLF9dY9YIAh9DaqSxV
+YGSe+Te4I7nXp61d7sxHgWvRTipgnvVJxY7kyusC/vDULXG4nOVcUttSDBrek9Jz
+j1xfltznLHxJE2sF6TjAy2tIRQgeYc9f5vQGveMEQx6+eer/kYAU4CFwFcEWDid1
+jGHFuk68CTn/lRACUTIGGzbmevbdzhmtYhU5q8KZO4s1xfGQE+e+Ikw9KNVcBI2l
+ox4gzhgfcNsE+RUjhUfACB45aBDGfWLY1uC7opIM5lT0I03TBHwhe7y/24qRtnZ3
+3J4kajfssf4rDvHm4MKroTVf3OM4ZM6q2rKDWFMGJaECgYEA4UYE8P6YNO704AtW
+/O3kLMjno2q44YXO/HG34cyoPHRk5E60CDbeZ4JX2DlhsVWioGkZg6VVfedtwrlS
+j8sFO/2wpnhF591kWwaa5AK6lhhb8bPfjSZG6kffDzKRP1PEN41hq2EqmofpfuLF
+7YsSFE+6TeGxVq/SCiXPOpU9UlECgYEA9hK02iDECo1dkQBojPH9RtlCt9uWPW0h
+qaQQdKr5RM638IhLZA24tMkfU0XrVp179c7aRdkrIsn6pGzmp2bufjetrLLGkrj8
+mujV0nwP4qAHTZjSgCAtoVEUaSYv+WcBsB3shHycB5ffTLZWAOY0WzCrDpsXpd7W
+N/NaoRjlHL8CgYEA2DEpZtr+2bYF/coENoJbe3tnilZOjeirp2u/TAzr2/DcLps1
+fbiionXdth4DmnuTshyLJuMR892ZYcoW6Pau1E74LBq7A/VdbVoeZfoUdR11h7XX
+Mg/s+MP21w/xgvPyGFovxJhgmaMbu/EIgJr5w9Jr+nhBh+7+RUzZ3uAA1LECgYEA
+gCb/3vXfgytaRlDzIixI3qP5di07EmSKeoHCPDBqvyX1b6RbtxDaV/TChqjMRoCf
+9UU0MdpG98g+63D3sskNfdhbb6xvdCw5Cigma4dG8pyrEQN85VNc0D2cpqJHq9i0
+bVc4PUt0KxQyLA5tvewl6jPvchzddPoXkG4BjhKcB5sCgYAVA1rHQy6kMaJuInRs
+YPQ+jpKKoxSbDfRvXuhBGaAyisJy5lfI6qHDpl9t2QNHV2tnHq1R5AW8rkAGKVdF
+dh/t5DvgfC20ZMVZlJcoPnfwdVaOvu0tnLPk1pes1pInH/TbBGNm6ngZTBdXVu3J
+4qnsF0nRAwBqxlv1ldLOF/9i4w==
+-----END PRIVATE KEY-----

test/temporal/test/tls.clj

@@ -0,0 +1,27 @@
+;; Copyright © Manetu, Inc.  All rights reserved
+
+(ns temporal.test.tls
+  (:require [clojure.test :refer :all]
+            [clojure.java.io :as io]
+            [temporal.tls :as tls]))
+
+;;-----------------------------------------------------------------------------
+;; Tests
+;;-----------------------------------------------------------------------------
+
+(deftest positive-tests
+  (testing "Verify that we can create a default SSL context"
+    (let [ctx (tls/new-ssl-context {})]
+      (is (some? ctx))))
+  (testing "Verify that we can create an SSL context with only a CA"
+    (let [ctx (tls/new-ssl-context {:ca-path (io/resource "ca.crt")})]
+      (is (some? ctx))))
+  (testing "Verify that we can create an SSL context with only mTLS cert"
+    (let [ctx (tls/new-ssl-context {:cert-path (io/resource "tls.crt") :key-path (io/resource "tls.key")})]
+      (is (some? ctx)))))
+
+(deftest negative-tests
+  (testing "Verify that we cannot create an SSL context with a bogus CA"
+    (is (thrown? java.io.FileNotFoundException (tls/new-ssl-context {:ca-path "invalid"}))))
+  (testing "Verify that we cannot create an SSL context with a bogus Cert"
+    (is (thrown? java.lang.IllegalArgumentException (tls/new-ssl-context {:cert-path "invalid" :key-path "invalid"})))))