Merge pull request #3572 from jlledom/THREESCALE-8404-redis-acl-tls

THREESCALE-8404: Add TLS and ACL support for Redis

app/lib/three_scale/redis_config.rb

@@ -3,7 +3,7 @@
 module ThreeScale
   class RedisConfig
     def initialize(redis_config = {})
-      raw_config = (redis_config || {}).symbolize_keys
+      raw_config = (redis_config || {}).deep_symbolize_keys
       sentinels = raw_config.delete(:sentinels).presence
       raw_config.delete_if { |key, value| value.blank? }
       raw_config[:size] ||= raw_config.delete(:pool_size) if raw_config.key?(:pool_size)

config/examples/backend_redis.yml

@@ -4,8 +4,19 @@ base: &default
   size: <%= ENV.fetch('RAILS_MAX_THREADS', 5) %>
   pool_timeout: 5 # this is in seconds
   sentinels: "<%= ENV['BACKEND_REDIS_SENTINEL_HOSTS'] %>"
+  sentinel_username: <%= ENV['BACKEND_REDIS_SENTINEL_USERNAME'].to_json %>
+  sentinel_password: <%= ENV['BACKEND_REDIS_SENTINEL_PASSWORD'].to_json %>
   name: <%= ENV['BACKEND_REDIS_SENTINEL_NAME'] %>
   role: <%= ENV['BACKEND_REDIS_SENTINEL_ROLE'] %>
+  # == ACL Params ==
+  username: <%= ENV['BACKEND_REDIS_USERNAME'].to_json %>
+  password: <%= ENV['BACKEND_REDIS_PASSWORD'].to_json %>
+  # == TLS Params ==
+  ssl: <%= ENV.fetch('BACKEND_REDIS_SSL', '0') == '1' %>
+  ssl_params:
+    ca_file: <%= ENV['BACKEND_REDIS_CA_FILE'] %>
+    cert: <%= ENV['BACKEND_REDIS_CLIENT_CERT'] %>
+    key: <%= ENV['BACKEND_REDIS_PRIVATE_KEY'] %>
 
 development:
   <<: *default

config/examples/redis.yml

@@ -3,8 +3,19 @@ base: &default
   size: <%= ENV.fetch('RAILS_MAX_THREADS', 5) %>
   pool_timeout: 5 # this is in seconds
   sentinels: "<%= ENV['REDIS_SENTINEL_HOSTS'] %>"
+  sentinel_username: <%= ENV['REDIS_SENTINEL_USERNAME'].to_json %>
+  sentinel_password: <%= ENV['REDIS_SENTINEL_PASSWORD'].to_json %>
   name: <%= ENV['REDIS_SENTINEL_NAME'] %>
   role: <%= ENV['REDIS_SENTINEL_ROLE'] %>
+  # == ACL Params ==
+  username: <%= ENV['REDIS_USERNAME'].to_json %>
+  password: <%= ENV['REDIS_PASSWORD'].to_json %>
+  # == TLS Params ==
+  ssl: <%= ENV.fetch('REDIS_SSL', '0') == '1' %>
+  ssl_params:
+    ca_file: <%= ENV['REDIS_CA_FILE'] %>
+    cert: <%= ENV['REDIS_CLIENT_CERT'] %>
+    key: <%= ENV['REDIS_PRIVATE_KEY'] %>
 
 development:
   <<: *default

openshift/system/config/backend_redis.yml

@@ -4,5 +4,17 @@ production:
   size: <%= ENV.fetch('RAILS_MAX_THREADS', 5) %>
   pool_timeout: 5 # this is in seconds
   sentinels: "<%= ENV['BACKEND_REDIS_SENTINEL_HOSTS'] %>"
+  sentinel_username: <%= ENV['BACKEND_REDIS_SENTINEL_USERNAME'].to_json %>
+  sentinel_password: <%= ENV['BACKEND_REDIS_SENTINEL_PASSWORD'].to_json %>
   name: <%= ENV['BACKEND_REDIS_SENTINEL_NAME'] %>
   role: <%= ENV['BACKEND_REDIS_SENTINEL_ROLE'] %>
+  # == ACL Params ==
+  username: <%= ENV['BACKEND_REDIS_USERNAME'].to_json %>
+  password: <%= ENV['BACKEND_REDIS_PASSWORD'].to_json %>
+  # == TLS Params ==
+  ssl: <%= ENV.fetch('BACKEND_REDIS_SSL', '0') == '1' %>
+  ssl_params:
+    ca_file: <%= ENV['BACKEND_REDIS_CA_FILE'] %>
+    cert: <%= ENV['BACKEND_REDIS_CLIENT_CERT'] %>
+    key: <%= ENV['BACKEND_REDIS_PRIVATE_KEY'] %>
+

openshift/system/config/redis.yml

@@ -3,5 +3,17 @@ production:
   size: <%= ENV.fetch('RAILS_MAX_THREADS', 5) %>
   pool_timeout: 5 # this is in seconds
   sentinels: "<%= ENV['REDIS_SENTINEL_HOSTS'] %>"
+  sentinel_username: <%= ENV['REDIS_SENTINEL_USERNAME'].to_json %>
+  sentinel_password: <%= ENV['REDIS_SENTINEL_PASSWORD'].to_json %>
   name: <%= ENV['REDIS_SENTINEL_NAME'] %>
   role: <%= ENV['REDIS_SENTINEL_ROLE'] %>
+  # == ACL Params ==
+  username: <%= ENV['REDIS_USERNAME'].to_json %>
+  password: <%= ENV['REDIS_PASSWORD'].to_json %>
+  # == TLS Params ==
+  ssl: <%= ENV.fetch('REDIS_SSL', '0') == '1' %>
+  ssl_params:
+    ca_file: <%= ENV['REDIS_CA_FILE'] %>
+    cert: <%= ENV['REDIS_CLIENT_CERT'] %>
+    key: <%= ENV['REDIS_PRIVATE_KEY'] %>
+

test/unit/backend/storage_test.rb

@@ -3,7 +3,7 @@
 class Backend::StorageTest < ActiveSupport::TestCase
 
   def given_redis_config(yaml)
-    FakeFS do
+    FakeFS.with_fresh do
       config = Rails.root.join('config', 'backend_redis.yml')
       FakeFS::FileSystem.clone(config.dirname, '/tmp/config')
       config.open('w') { |f| f.puts(yaml) }

test/unit/three_scale/redis_config_test.rb

@@ -43,5 +43,23 @@ class RedisConfigTest < ActiveSupport::TestCase
       assert config.key? :size
       assert_equal 5, config[:size]
     end
+
+    test "it takes given ca_file when provided" do
+      value = 'any_value'
+      raw_config = { url: 'rediss://my-secure-redis/1', ssl_params: {}}
+      raw_config[:ssl_params][:ca_file] = value
+
+      result = RedisConfig.new(raw_config)
+
+      assert result.key? :ssl_params
+      assert result[:ssl_params].key? :ca_file
+      assert_equal value, result[:ssl_params][:ca_file]
+    end
+
+    test "it doesn't set CA if no ca_file is provided in config" do
+      result = RedisConfig.new(url: 'rediss://my-secure-redis/1')
+
+      assert_not result.key? :ssl_params
+    end
   end
 end