Also add server mtls handling code

Author: scr-oath

http/api_test.go

@@ -225,7 +225,7 @@ func TestApi(t *testing.T) {
 	})
 }
 
-func TestMTLS(t *testing.T) {
+func TestMTLSClient(t *testing.T) {
 	s := httptest.NewUnstartedServer(http.HandlerFunc(func(writer http.ResponseWriter, r *http.Request) {
 		_, _ = io.WriteString(writer, "OK\n")
 	}))
@@ -250,5 +250,15 @@ func TestMTLS(t *testing.T) {
 			L.SetGlobal("tURL", lua.LString(s.URL))
 		},
 	)
-	assert.NotZero(t, tests.RunLuaTestFile(t, preload, "test/test_api.lua"))
+	assert.NotZero(t, tests.RunLuaTestFile(t, preload, "test/test_mtls_client.lua"))
+}
+
+func TestMTLSServerWithClient(t *testing.T) {
+	preload := tests.SeveralPreloadFuncs(
+		lua_http.Preload,
+		lua_time.Preload,
+		inspect.Preload,
+		plugin.Preload,
+	)
+	assert.NotZero(t, tests.RunLuaTestFile(t, preload, "test/test_mtls_server_with_client.lua"))
 }

http/loader.go

@@ -12,7 +12,7 @@ import (
 // Preload adds http to the given Lua state's package.preload table. After it
 // has been preloaded, it can be loaded using require:
 //
-//  local http = require("http")
+//	local http = require("http")
 func Preload(L *lua.LState) {
 	L.PreloadModule("http", Loader)
 	client.Preload(L)
@@ -50,6 +50,7 @@ func Loader(L *lua.LState) int {
 	L.SetGlobal(`http_server_ud`, http_server_ud)
 	L.SetField(http_server_ud, "__index", L.SetFuncs(L.NewTable(), map[string]lua.LGFunction{
 		"accept":           server.Accept,
+		"addr":             server.Addr,
 		"do_handle_file":   server.HandleFile,
 		"do_handle_string": server.HandleString,
 	}))

http/server/loader.go

@@ -9,7 +9,7 @@ import (
 // Preload adds http_server to the given Lua state's package.preload table. After it
 // has been preloaded, it can be loaded using require:
 //
-//  local http_server = require("http_server")
+//	local http_server = require("http_server")
 func Preload(L *lua.LState) {
 	L.PreloadModule("http_server", Loader)
 }
@@ -31,6 +31,7 @@ func Loader(L *lua.LState) int {
 	L.SetGlobal(`http_server_ud`, http_server_ud)
 	L.SetField(http_server_ud, "__index", L.SetFuncs(L.NewTable(), map[string]lua.LGFunction{
 		"accept":           Accept,
+		"addr":             Addr,
 		"do_handle_file":   HandleFile,
 		"do_handle_string": HandleString,
 	}))

http/server/server.go

@@ -1,6 +1,9 @@
 package http
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	ioutil2 "io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -82,13 +85,70 @@ func (s *luaServer) serve(L *lua.LState) {
 
 // http.server(bind, handler) returns (user data, error)
 func New(L *lua.LState) int {
-	bind := L.CheckAny(1).String()
+	var tlsConfig *tls.Config
+	bind := "127.0.0.1:0"
+	switch bindOrTable := L.CheckAny(1).(type) {
+	case lua.LString:
+		bind = string(bindOrTable)
+	case *lua.LTable:
+		if addr, ok := L.GetField(bindOrTable, "addr").(lua.LString); ok {
+			bind = string(addr)
+		}
+		serverPublicCertPEMFile := L.GetField(bindOrTable, `server_public_cert_pem_file`)
+		serverPrivateKeyPemFile := L.GetField(bindOrTable, `server_private_key_pem_file`)
+		if serverPublicCertPEMFile != lua.LNil && serverPrivateKeyPemFile != lua.LNil {
+			serverCert, err := tls.LoadX509KeyPair(serverPublicCertPEMFile.String(), serverPrivateKeyPemFile.String())
+			if err != nil {
+				L.RaiseError("error loading server cert: %v", err)
+			}
+			tlsConfig = &tls.Config{
+				Certificates: []tls.Certificate{serverCert},
+			}
+
+			clientAuth := L.GetField(bindOrTable, "client_auth")
+			if clientAuth != lua.LNil {
+				if _, ok := clientAuth.(lua.LString); !ok {
+					L.ArgError(1, "client_auth should be a string")
+				}
+				switch clientAuth.String() {
+				case "NoClientCert":
+					tlsConfig.ClientAuth = tls.NoClientCert
+				case "RequestClientCert":
+					tlsConfig.ClientAuth = tls.RequestClientCert
+				case "RequireAnyClientCert":
+					tlsConfig.ClientAuth = tls.RequireAnyClientCert
+				case "VerifyClientCertIfGiven":
+					tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
+				case "RequireAndVerifyClientCert":
+					tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+				}
+			}
+
+			clientCAs := L.GetField(bindOrTable, "client_cas_pem_file")
+			if clientCAs != lua.LNil {
+				if _, ok := clientCAs.(lua.LString); !ok {
+					L.ArgError(1, "client_cas_pem_file must be a string")
+				}
+				data, err := ioutil2.ReadFile(clientCAs.String())
+				if err != nil {
+					L.RaiseError("error reading %s: %v", clientCAs, err)
+				}
+				tlsConfig.ClientCAs = x509.NewCertPool()
+				if !tlsConfig.ClientCAs.AppendCertsFromPEM(data) {
+					L.RaiseError("no certs loaded from %s", clientCAs)
+				}
+			}
+		}
+	}
 	l, err := net.Listen(`tcp`, bind)
 	if err != nil {
 		L.Push(lua.LNil)
 		L.Push(lua.LString(err.Error()))
 		return 2
 	}
+	if tlsConfig != nil {
+		l = tls.NewListener(l, tlsConfig)
+	}
 	server := &luaServer{
 		Listener:  l,
 		serveData: make(chan *serveData, 1),
@@ -112,6 +172,13 @@ func Accept(L *lua.LState) int {
 	}
 }
 
+// Addr returns the address if, for instance, one listens on :0
+func Addr(L *lua.LState) int {
+	s := checkServer(L, 1)
+	L.Push(lua.LString(s.Listener.Addr().String()))
+	return 1
+}
+
 func newHandlerState(data *serveData) *lua.LState {
 	state := lua.NewState()
 
@@ -185,16 +252,18 @@ func HandleFile(L *lua.LState) int {
 func HandleString(L *lua.LState) int {
 	s := checkServer(L, 1)
 	body := L.CheckString(2)
-	select {
-	case data := <-s.serveData:
-		go func(sData *serveData, content string) {
-			state := newHandlerState(sData)
-			if err := state.DoString(content); err != nil {
-				log.Printf("[ERROR] handle: %s\n", err.Error())
-				data.done <- true
-				log.Printf("[ERROR] closed connection\n")
-			}
-		}(data, body)
+	for {
+		select {
+		case data := <-s.serveData:
+			go func(sData *serveData, content string) {
+				state := newHandlerState(sData)
+				if err := state.DoString(content); err != nil {
+					log.Printf("[ERROR] handle: %s\n", err.Error())
+					data.done <- true
+					log.Printf("[ERROR] closed connection\n")
+				}
+			}(data, body)
+		}
 	}
 	return 0
 }

http/test/test_api.lua renamed to http/test/test_mtls_client.lua

@@ -0,0 +1,55 @@
+local http = require 'http'
+local plugin = require 'plugin'
+local time = require 'time'
+local inspect = require 'inspect'
+
+function TestMTLSServerWithClient(t)
+    local addr_ch = channel.make(1)
+    local server_body = [[
+        local addr_ch = unpack(arg)
+        local http = require 'http'
+        local server, err = http.server {
+            server_public_cert_pem_file = "test/data/test.cert.pem",
+            server_private_key_pem_file = "test/data/test.key.pem",
+        }
+        assert(not err, tostring(err))
+        addr_ch:send(server:addr())
+        while true do
+            local request, response = server:accept()
+            response:code(200)
+            response:write("OK\n")
+            response:done()
+        end
+    ]]
+    local server_plugin = plugin.do_string(server_body, addr_ch)
+    server_plugin:run()
+    time.sleep(1)
+    local server_plugin_error = server_plugin:error()
+    assert(not server_plugin_error, tostring(server_plugin_error))
+    local ok, addr = addr_ch:receive(1)
+    assert(ok, "addr not ok")
+    local tURL = string.format("https://%s/", addr)
+
+    t:Run('no-client-cert fails', function(t)
+        local client = http.client()
+        local req, err = http.request("GET", tURL)
+        assert(not err, tostring(err))
+        local resp, err = client:do_request(req)
+        assert(err, tostring(err))
+    end)
+
+    t:Run('client-cert passes', function(t)
+        local client = http.client {
+            root_cas_pem_file = 'test/data/test.cert.pem',
+            client_public_cert_pem_file = 'test/data/test.cert.pem',
+            client_private_key_pem_file = 'test/data/test.key.pem',
+        }
+        local req, err = http.request("GET", tURL)
+        assert(not err, tostring(err))
+        local resp, err = client:do_request(req)
+        assert(not err, tostring(err))
+        assert(resp.code == 200, tostring(resp.code))
+    end)
+
+    server_plugin:stop()
+end