Finish TLS configuration and tests

.travis.yml

@@ -36,6 +36,8 @@ notifications:
 
 before_script:
   - ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -P ''
+  - openssl genrsa -out $HOME/.ssh/server.key 2048
+  - openssl req -new -x509 -sha256 -key $HOME/.ssh/server.key -out $HOME/.ssh/server.crt -days 3650
   - go mod download
 
 script:

api/apihttp/apihttp.go

@@ -105,6 +105,7 @@ func Add(balloon raftwal.RaftBalloonApi) http.HandlerFunc {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+
 		snapshot := &protocol.Snapshot{
 			response.HistoryDigest,
 			response.HyperDigest,
@@ -120,6 +121,7 @@ func Add(balloon raftwal.RaftBalloonApi) http.HandlerFunc {
 
 		w.WriteHeader(http.StatusCreated)
 		w.Write(out)
+
 		return
 
 	}
@@ -344,13 +346,3 @@ func LogHandler(handle http.Handler) http.HandlerFunc {
 		}
 	}
 }
-
-// STSHandler adds TLS Header to the handlers
-func STSHandler(handle http.Handler) http.HandlerFunc {
-	return func(w http.ResponseWriter, request *http.Request) {
-		w.Header().Add(
-			"Strict-Transport-Security",
-			"max-age=63072000; includeSubDomains",
-		)
-	}
-}

client/client.go

@@ -25,7 +25,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/bbva/qed/balloon"
@@ -37,22 +39,32 @@ import (
 type HTTPClient struct {
 	conf *Config
 
-	http.Client
+	*http.Client
 }
 
 // NewHTTPClient will return a new instance of HTTPClient.
-func NewHTTPClient(conf *Config) *HTTPClient {
-	var c http.Client
-	if conf.EnableTLS {
-		c = http.Client{
+func NewHTTPClient(conf Config) *HTTPClient {
+	var tlsConf *tls.Config
+
+	if conf.Insecure {
+		tlsConf = &tls.Config{InsecureSkipVerify: true}
+	} else {
+		tlsConf = &tls.Config{}
+	}
+
+	return &HTTPClient{
+		&conf,
+		&http.Client{
+			Timeout: time.Second * 10,
 			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				Dial: (&net.Dialer{
+					Timeout: 5 * time.Second,
+				}).Dial,
+				TLSClientConfig:     tlsConf,
+				TLSHandshakeTimeout: 5 * time.Second,
 			},
-		}
-	} else {
-		c = http.Client{}
+		},
 	}
-	return &HTTPClient{conf, c}
 
 }
 
@@ -77,8 +89,12 @@ func (c HTTPClient) exponentialBackoff(req *http.Request) (*http.Response, error
 }
 
 func (c HTTPClient) doReq(method, path string, data []byte) ([]byte, error) {
+	url, err := url.Parse(c.conf.Endpoint + path)
+	if err != nil {
+		panic(err)
+	}
 
-	req, err := http.NewRequest(method, c.conf.Endpoint+path, bytes.NewBuffer(data))
+	req, err := http.NewRequest(method, fmt.Sprintf("%s", url), bytes.NewBuffer(data))
 	if err != nil {
 		panic(err)
 	}

client/client_test.go

@@ -42,10 +42,10 @@ func init() {
 func setup() func() {
 	mux = http.NewServeMux()
 	server = httptest.NewServer(mux)
-	client = NewHTTPClient(&Config{
+	client = NewHTTPClient(Config{
 		Endpoint:  server.URL,
 		APIKey:    "my-awesome-api-key",
-		EnableTLS: false,
+		Insecure: false,
 	})
 	return func() {
 		server.Close()

client/config.go

@@ -17,20 +17,20 @@
 package client
 
 type Config struct {
-	// Server host:port to consult
+	// Server host:port to consult.
 	Endpoint string
 
-	// ApiKey to query the server endpoint
+	// ApiKey to query the server endpoint.
 	APIKey string
 
-	// Enable TLS service
-	EnableTLS bool
+	// Enable self-signed certificates, allowing MiTM vector attacks.
+	Insecure bool
 }
 
 func DefaultConfig() *Config {
 	return &Config{
-		Endpoint:  "localhost:8080",
-		APIKey:    "my-key",
-		EnableTLS: true,
+		Endpoint: "localhost:8080",
+		APIKey:   "my-key",
+		Insecure: true,
 	}
 }

cmd/client.go

@@ -23,31 +23,30 @@ import (
 )
 
 func newClientCommand(ctx *cmdContext) *cobra.Command {
-	var endpoint string
-	var disableTLS bool
-
-	client := client.NewHTTPClient(&client.Config{
-		Endpoint:  endpoint,
-		APIKey:    ctx.apiKey,
-		EnableTLS: !disableTLS,
-	})
+	clientCtx := &clientContext{}
 
 	cmd := &cobra.Command{
 		Use:   "client",
 		Short: "Client mode for qed",
 		Long:  `Client process for emitting events to a qed server`,
 		PersistentPreRun: func(cmd *cobra.Command, args []string) {
 			log.SetLogger("QedClient", ctx.logLevel)
+
+			clientCtx.client = client.NewHTTPClient(client.Config{
+				Endpoint: clientCtx.endpoint,
+				APIKey:   ctx.apiKey,
+				Insecure: clientCtx.insecure,
+			})
 		},
 		TraverseChildren: true,
 	}
 
-	cmd.PersistentFlags().StringVarP(&endpoint, "endpoint", "e", "localhost:8080", "Endpoint for REST requests on (host:port)")
-	cmd.PersistentFlags().BoolVar(&disableTLS, "insecure", false, "Disable TLS transport")
+	cmd.PersistentFlags().StringVarP(&clientCtx.endpoint, "endpoint", "e", "localhost:8080", "Endpoint for REST requests on (host:port)")
+	cmd.PersistentFlags().BoolVar(&clientCtx.insecure, "insecure", false, "Disable TLS transport")
 
-	cmd.AddCommand(newAddCommand(client))
-	cmd.AddCommand(newMembershipCommand(client))
-	cmd.AddCommand(newIncrementalCommand(client))
+	cmd.AddCommand(newAddCommand(clientCtx))
+	cmd.AddCommand(newMembershipCommand(clientCtx))
+	cmd.AddCommand(newIncrementalCommand(clientCtx))
 
 	return cmd
 }

cmd/client_add.go

@@ -19,11 +19,10 @@ package cmd
 import (
 	"github.com/spf13/cobra"
 
-	"github.com/bbva/qed/client"
 	"github.com/bbva/qed/log"
 )
 
-func newAddCommand(client *client.HTTPClient) *cobra.Command {
+func newAddCommand(ctx *clientContext) *cobra.Command {
 
 	var key, value string
 
@@ -34,7 +33,7 @@ func newAddCommand(client *client.HTTPClient) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			log.Infof("Adding key [ %s ] with value [ %s ]\n", key, value)
 
-			snapshot, err := client.Add(key)
+			snapshot, err := ctx.client.Add(key)
 			if err != nil {
 				return err
 			}

cmd/client_incremental.go

@@ -19,7 +19,6 @@ package cmd
 import (
 	"encoding/hex"
 
-	"github.com/bbva/qed/client"
 	"github.com/bbva/qed/hashing"
 	"github.com/bbva/qed/protocol"
 
@@ -28,7 +27,7 @@ import (
 	"github.com/bbva/qed/log"
 )
 
-func newIncrementalCommand(client *client.HTTPClient) *cobra.Command {
+func newIncrementalCommand(ctx *clientContext) *cobra.Command {
 
 	var start, end uint64
 	var verify bool
@@ -53,7 +52,7 @@ func newIncrementalCommand(client *client.HTTPClient) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			log.Infof("Querying incremental between versions [ %d ] and [ %d ]\n", start, end)
 
-			proof, err := client.Incremental(start, end)
+			proof, err := ctx.client.Incremental(start, end)
 			if err != nil {
 				return err
 			}
@@ -68,7 +67,7 @@ func newIncrementalCommand(client *client.HTTPClient) *cobra.Command {
 
 				log.Infof("Verifying with snapshots: \n\tStartDigest: %s\n\tEndDigest: %s\n",
 					startDigest, endDigest)
-				if client.VerifyIncremental(proof, startSnapshot, endSnapshot, hashing.NewSha256Hasher()) {
+				if ctx.client.VerifyIncremental(proof, startSnapshot, endSnapshot, hashing.NewSha256Hasher()) {
 					log.Info("Verify: OK")
 				} else {
 					log.Info("Verify: KO")

cmd/client_membership.go

@@ -19,16 +19,14 @@ package cmd
 import (
 	"encoding/hex"
 
-	"github.com/bbva/qed/client"
-	"github.com/bbva/qed/hashing"
-	"github.com/bbva/qed/protocol"
-
 	"github.com/spf13/cobra"
 
+	"github.com/bbva/qed/hashing"
 	"github.com/bbva/qed/log"
+	"github.com/bbva/qed/protocol"
 )
 
-func newMembershipCommand(client *client.HTTPClient) *cobra.Command {
+func newMembershipCommand(ctx *clientContext) *cobra.Command {
 
 	hasherF := hashing.NewSha256Hasher
 	var version uint64
@@ -68,7 +66,7 @@ func newMembershipCommand(client *client.HTTPClient) *cobra.Command {
 				digest, _ = hex.DecodeString(eventDigest)
 			}
 
-			membershipResult, err = client.MembershipDigest(digest, version)
+			membershipResult, err = ctx.client.MembershipDigest(digest, version)
 			if err != nil {
 				return err
 			}
@@ -99,7 +97,7 @@ func newMembershipCommand(client *client.HTTPClient) *cobra.Command {
 				log.Infof("Verifying with Snapshot: \n\tEventDigest:%x\n\tHyperDigest: %s\n\tHistoryDigest: %s\n\tVersion: %d\n",
 					digest, hyperDigest, historyDigest, version)
 
-				if client.DigestVerify(membershipResult, snapshot, hasherF) {
+				if ctx.client.DigestVerify(membershipResult, snapshot, hasherF) {
 					log.Info("Verify: OK")
 				} else {
 					log.Info("Verify: KO")

cmd/context.go

@@ -26,9 +26,9 @@ type cmdContext struct {
 }
 
 type clientContext struct {
-	endpoint   string
-	disableTLS bool
-	client     *client.HTTPClient
+	endpoint string
+	insecure bool
+	client   *client.HTTPClient
 }
 
 type agentContext struct {

gossip/auditor/auditor.go

@@ -56,10 +56,10 @@ type Auditor struct {
 
 func NewAuditor(conf Config) (*Auditor, error) {
 	auditor := Auditor{
-		qed: client.NewHTTPClient(&client.Config{
+		qed: client.NewHTTPClient(client.Config{
 			Endpoint:  conf.QEDUrls[0],
 			APIKey:    conf.APIKey,
-			EnableTLS: false,
+			Insecure: false,
 		}),
 		conf:   conf,
 		taskCh: make(chan Task, 100),

gossip/monitor/monitor.go

@@ -57,10 +57,10 @@ type Monitor struct {
 func NewMonitor(conf Config) (*Monitor, error) {
 
 	monitor := Monitor{
-		client: client.NewHTTPClient(&client.Config{
+		client: client.NewHTTPClient(client.Config{
 			Endpoint:  conf.QedUrls[0],
 			APIKey:    conf.APIKey,
-			EnableTLS: false,
+			Insecure: false,
 		}),
 		conf:   conf,
 		taskCh: make(chan QueryTask, 100),

server/server.go

@@ -313,7 +313,7 @@ func newTLSServer(addr string, mux *http.ServeMux) *http.Server {
 
 	return &http.Server{
 		Addr:         addr,
-		Handler:      apihttp.STSHandler(apihttp.LogHandler(mux)),
+		Handler:      apihttp.LogHandler(mux),
 		TLSConfig:    cfg,
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
 	}

tests/e2e/add_verify_test.go

@@ -28,7 +28,7 @@ import (
 )
 
 func TestAddVerify(t *testing.T) {
-	before, after := setupServer(0, "", t)
+	before, after := setupServer(0, "", false, t)
 	scenario, let := scope.Scope(t, before, after)
 
 	client := getClient(0)

tests/e2e/agents_test.go

@@ -66,7 +66,7 @@ func getAlert() ([]byte, error) {
 
 func TestAgents(t *testing.T) {
 	bStore, aStore := setupStore(t)
-	bServer, aServer := setupServer(0, "", t)
+	bServer, aServer := setupServer(0, "", false, t)
 	bAuditor, aAuditor := setupAuditor(0, t)
 	bMonitor, aMonitor := setupMonitor(0, t)
 	bPublisher, aPublisher := setupPublisher(0, t)