Merge pull request #3038 from rabbitmq/stream-tls

TLS support for streams

Author: acogoluegnes

deps/rabbitmq_stream/Makefile

@@ -8,6 +8,9 @@ define PROJECT_ENV
 	{num_tcp_acceptors, 10},
 	{tcp_listen_options, [{backlog,   128},
                           {nodelay,   true}]},
+	{ssl_listeners, []},
+	{num_ssl_acceptors, 10},
+	{ssl_listen_options, []},
 	{initial_credits, 50000},
 	{credits_required_for_unblocking, 12500},
 	{frame_max, 1048576},

deps/rabbitmq_stream/priv/schema/rabbitmq_stream.schema

@@ -128,6 +128,46 @@ end}.
     {datatype, integer}
 ]}.
 
+
+%%
+%% TLS
+%%
+
+{mapping, "stream.listeners.ssl", "rabbitmq_stream.ssl_listeners",[
+    {datatype, {enum, [none]}}
+]}.
+
+{mapping, "stream.listeners.ssl.$name", "rabbitmq_stream.ssl_listeners",[
+    {datatype, [integer, ip]}
+]}.
+
+{translation, "rabbitmq_stream.ssl_listeners",
+fun(Conf) ->
+    case cuttlefish:conf_get("stream.listeners.ssl", Conf, undefined) of
+        none -> [];
+        _ ->
+            Settings = cuttlefish_variable:filter_by_prefix("stream.listeners.ssl", Conf),
+            [ V || {_, V} <- Settings ]
+    end
+end}.
+
+%% Number of Erlang processes that will accept connections for the SSL listeners.
+%%
+%% {num_ssl_acceptors, 10},
+
+{mapping, "stream.num_acceptors.ssl", "rabbitmq_stream.num_ssl_acceptors", [
+    {datatype, integer}
+]}.
+
+%% Additional TLS options
+
+%% Extract a name from the client's certificate when using TLS.
+%%
+%% Defaults to true.
+
+{mapping, "stream.ssl_cert_login", "rabbitmq_stream.ssl_cert_login",
+    [{datatype, {enum, [true, false]}}]}.
+
 {mapping, "stream.initial_credits", "rabbitmq_stream.initial_credits", [
     {datatype, integer}
 ]}.

deps/rabbitmq_stream/src/rabbit_stream_reader.erl

@@ -79,7 +79,8 @@
          stats_timer :: undefined | reference(),
          resource_alarm :: boolean(),
          send_file_oct ::
-             atomics:atomics_ref()}). % number of bytes sent with send_file (for metrics)
+             atomics:atomics_ref(), % number of bytes sent with send_file (for metrics)
+         transport :: 'tcp' | 'ssl'}).
 -record(configuration,
         {initial_credits :: integer(),
          credits_required_for_unblocking :: integer(),
@@ -157,7 +158,8 @@ init([KeepaliveSup,
       #{initial_credits := InitialCredits,
         credits_required_for_unblocking := CreditsRequiredBeforeUnblocking,
         frame_max := FrameMax,
-        heartbeat := Heartbeat}]) ->
+        heartbeat := Heartbeat,
+        transport := ConnTransport}]) ->
     process_flag(trap_exit, true),
     {ok, Sock} =
         rabbit_networking:handshake(Ref,
@@ -193,7 +195,8 @@ init([KeepaliveSup,
                                    connection_step = tcp_connected,
                                    frame_max = FrameMax,
                                    resource_alarm = false,
-                                   send_file_oct = SendFileOct},
+                                   send_file_oct = SendFileOct,
+                                   transport = ConnTransport},
             State =
                 #stream_connection_state{consumers = #{},
                                          blocked = false,
@@ -1364,7 +1367,8 @@ handle_frame_post_auth(Transport,
                                               StreamSubscriptions,
                                           virtual_host = VirtualHost,
                                           user = User,
-                                          send_file_oct = SendFileOct} =
+                                          send_file_oct = SendFileOct,
+                                          transport = ConnTransport} =
                            Connection,
                        #stream_connection_state{consumers = Consumers} = State,
                        {request, CorrelationId,
@@ -1417,7 +1421,7 @@ handle_frame_post_auth(Transport,
                                 {{?MODULE, QueueResource, SubscriptionId, self()}, []},
                             {ok, Segment} =
                                 osiris:init_reader(LocalMemberPid, OffsetSpec,
-                                                   CounterSpec),
+                                                   CounterSpec, ConnTransport),
                             rabbit_log:info("Next offset for subscription ~p is ~p",
                                             [SubscriptionId,
                                              osiris_log:next_offset(Segment)]),

deps/rabbitmq_stream/src/rabbit_stream_sup.erl

@@ -30,8 +30,23 @@ init([]) ->
     {ok, Listeners} = application:get_env(rabbitmq_stream, tcp_listeners),
     NumTcpAcceptors =
         application:get_env(rabbitmq_stream, num_tcp_acceptors, 10),
-    {ok, SocketOpts} =
-        application:get_env(rabbitmq_stream, tcp_listen_options),
+    SocketOpts =
+        application:get_env(rabbitmq_stream, tcp_listen_options, []),
+
+    {ok, SslListeners0} = application:get_env(rabbitmq_stream, ssl_listeners),
+    SslSocketOpts =
+        application:get_env(rabbitmq_stream, ssl_listen_options, []),
+    {SslOpts, NumSslAcceptors, SslListeners}
+        = case SslListeners0 of
+              [] -> {none, 0, []};
+              _  -> {rabbit_networking:ensure_ssl(),
+                     application:get_env(rabbitmq_stream, num_ssl_acceptors, 10),
+                     case rabbit_networking:poodle_check('STREAM') of
+                         ok     -> SslListeners0;
+                         danger -> []
+                     end}
+          end,
+
     Nodes = rabbit_mnesia:cluster_nodes(all),
     OsirisConf = #{nodes => Nodes},
 
@@ -64,7 +79,10 @@ init([]) ->
       [StreamManager, MetricsGc]
       ++ listener_specs(fun tcp_listener_spec/1,
                         [SocketOpts, ServerConfiguration, NumTcpAcceptors],
-                        Listeners)}}.
+                        Listeners)
+      ++ listener_specs(fun ssl_listener_spec/1,
+                        [SslSocketOpts, SslOpts, ServerConfiguration, NumSslAcceptors],
+                        SslListeners)}}.
 
 listener_specs(Fun, Args, Listeners) ->
     [Fun([Address | Args])
@@ -80,7 +98,21 @@ tcp_listener_spec([Address,
                                         SocketOpts,
                                         ranch_tcp,
                                         rabbit_stream_connection_sup,
-                                        Configuration,
-                                        stream,
+                                        Configuration#{transport => tcp},
+                                        'stream',
                                         NumAcceptors,
                                         "Stream TCP listener").
+
+ssl_listener_spec([Address,
+                   SocketOpts,
+                   SslOpts,
+                   Configuration,
+                   NumAcceptors]) ->
+    rabbit_networking:tcp_listener_spec(rabbit_stream_listener_sup,
+                                        Address, SocketOpts ++ SslOpts,
+                                        ranch_ssl,
+                                        rabbit_stream_connection_sup,
+                                        Configuration#{transport => ssl},
+                                        'stream/ssl',
+                                        NumAcceptors,
+                                        "Stream TLS listener").

deps/rabbitmq_stream/test/commands_SUITE.erl

@@ -128,8 +128,8 @@ list_connections_run(Config) ->
     ?assertEqual([], Keys -- ?INFO_ITEMS),
     ?assertEqual([], ?INFO_ITEMS -- Keys),
 
-    rabbit_stream_SUITE:test_close(S1, C1),
-    rabbit_stream_SUITE:test_close(S2, C2),
+    rabbit_stream_SUITE:test_close(gen_tcp, S1, C1),
+    rabbit_stream_SUITE:test_close(gen_tcp, S2, C2),
     ok.
 
 list_consumers_merge_defaults(_Config) ->
@@ -271,22 +271,22 @@ list_publishers_run(Config) ->
     ok.
 
 create_stream(S, Stream, C0) ->
-    rabbit_stream_SUITE:test_create_stream(S, Stream, C0).
+    rabbit_stream_SUITE:test_create_stream(gen_tcp, S, Stream, C0).
 
 subscribe(S, SubId, Stream, C) ->
-    rabbit_stream_SUITE:test_subscribe(S, SubId, Stream, C).
+    rabbit_stream_SUITE:test_subscribe(gen_tcp, S, SubId, Stream, C).
 
 declare_publisher(S, PubId, Stream, C) ->
-    rabbit_stream_SUITE:test_declare_publisher(S, PubId, Stream, C).
+    rabbit_stream_SUITE:test_declare_publisher(gen_tcp, S, PubId, Stream, C).
 
 delete_stream(S, Stream, C) ->
-    rabbit_stream_SUITE:test_delete_stream(S, Stream, C).
+    rabbit_stream_SUITE:test_delete_stream(gen_tcp, S, Stream, C).
 
 metadata_update_stream_deleted(S, Stream, C) ->
-    rabbit_stream_SUITE:test_metadata_update_stream_deleted(S, Stream, C).
+    rabbit_stream_SUITE:test_metadata_update_stream_deleted(gen_tcp, S, Stream, C).
 
 close(S, C) ->
-    rabbit_stream_SUITE:test_close(S, C).
+    rabbit_stream_SUITE:test_close(gen_tcp, S, C).
 
 options(Config) ->
     Node = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
@@ -334,8 +334,8 @@ start_stream_connection(Port) ->
     {ok, S} =
         gen_tcp:connect("localhost", Port, [{active, false}, {mode, binary}]),
     C0 = rabbit_stream_core:init(0),
-    C1 = rabbit_stream_SUITE:test_peer_properties(S, C0),
-    C = rabbit_stream_SUITE:test_authenticate(S, C1),
+    C1 = rabbit_stream_SUITE:test_peer_properties(gen_tcp, S, C0),
+    C = rabbit_stream_SUITE:test_authenticate(gen_tcp, S, C1),
     {S, C}.
 
 start_amqp_connection(Type, Node, Port) ->