feat: add TLS for gRPC server endpoint (#477)

Author: DWJ-Squirtle

cmd/server.go

@@ -55,6 +55,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/reflection"
@@ -98,6 +99,10 @@ func createServerCmd(execer fakeruntime.Execer, httpServer server.HTTPServer) (c
 
 	// gc related flags
 	flags.IntVarP(&opt.gcPercent, "gc-percent", "", 100, "The GC percent of Go")
+	//grpc_tls
+	flags.BoolVarP(&opt.tls, "tls-grpc", "", false, "Enable TLS mode. Set to true to enable TLS. Alow SAN certificates")
+	flags.StringVarP(&opt.tlsCert, "cert-file", "", "","The path to the certificate file, Alow SAN certificates")
+	flags.StringVarP(&opt.tlsKey, "key-file", "", "", "The path to the key file, Alow SAN certificates")  
 
 	c.Flags().MarkHidden("dry-run")
 	c.Flags().MarkHidden("gc-percent")
@@ -139,6 +144,9 @@ type serverOption struct {
 
 	// inner fields, not as command flags
 	provider oauth.OAuthProvider
+	tls bool
+	tlsCert string
+	tlsKey string
 }
 
 func (o *serverOption) preRunE(cmd *cobra.Command, args []string) (err error) {
@@ -170,7 +178,15 @@ func (o *serverOption) preRunE(cmd *cobra.Command, args []string) (err error) {
 
 		grpcOpts = append(grpcOpts, oauth.NewAuthInterceptor(o.oauthGroup))
 	}
-
+	if o.tls {
+		if o.tlsCert != "" && o.tlsKey != "" {
+			creds, err := credentials.NewServerTLSFromFile(o.tlsCert, o.tlsKey)
+			if err != nil {
+				return fmt.Errorf("failed to load credentials: %v", err)
+			}
+			grpcOpts = append(grpcOpts, grpc.Creds(creds))
+		}		
+	}
 	if o.dryRun {
 		o.gRPCServer = &fakeGRPCServer{}
 	} else {
@@ -269,9 +285,19 @@ func (o *serverOption) runE(cmd *cobra.Command, args []string) (err error) {
 	gRPCServerAddr := fmt.Sprintf("127.0.0.1:%s", gRPCServerPort)
 
 	mux := runtime.NewServeMux(runtime.WithMetadata(server.MetadataStoreFunc))
-	err = errors.Join(
-		server.RegisterRunnerHandlerFromEndpoint(ctx, mux, gRPCServerAddr, []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}),
-		server.RegisterMockHandlerFromEndpoint(ctx, mux, gRPCServerAddr, []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}))
+	if o.tls { 
+		creds,err:=credentials.NewClientTLSFromFile(o.tlsCert,"localhost")
+		if err!=nil{
+				return fmt.Errorf("failed to load credentials: %v", err)
+		}
+		err = errors.Join(
+			server.RegisterRunnerHandlerFromEndpoint(ctx, mux, gRPCServerAddr, []grpc.DialOption{grpc.WithTransportCredentials(creds)}),
+			server.RegisterMockHandlerFromEndpoint(ctx, mux, gRPCServerAddr, []grpc.DialOption{grpc.WithTransportCredentials(creds)}))
+	}else{
+		err = errors.Join(
+			server.RegisterRunnerHandlerFromEndpoint(ctx, mux, gRPCServerAddr, []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}),
+			server.RegisterMockHandlerFromEndpoint(ctx, mux, gRPCServerAddr, []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}))
+	}
 	if err == nil {
 		mux.HandlePath(http.MethodGet, "/", frontEndHandlerWithLocation(o.consolePath))
 		mux.HandlePath(http.MethodGet, "/assets/{asset}", frontEndHandlerWithLocation(o.consolePath))

docs/grpc-TLS.md

@@ -0,0 +1,69 @@
+# gRPC TLS verification
+
+If you want to enable gRPC TLS, you need to generate your certificates in the workspace, or you can use an absolute path
+
+**1. 生成私钥**
+
+```shell
+openssl genrsa -out server.key 2048
+```
+
+**2. 生成证书（会提示即可，不必填写）**
+
+```shell
+openssl req -new -x509 -key server.key -out server.crt -days 36500
+国家名字
+Country Name (2 letter code) [AU]:CN
+省份全名
+State or Province Name (full name) [Some-State]:GuangDong
+城市名
+Locality Name (eg, city) []:Meizhou
+组织名
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Xuexiangban
+组织单位名
+Organizational Unit Name (eg, section) []:go
+服务器or用户的名字
+Common Name (e.g. server FQDN or YOUR name) []:kuangstudy
+邮箱地址
+Email Address []:[email protected]
+```
+
+**3.生成csr**
+
+```shell
+openssl req -new -key server.key -out server.csr
+```
+
+**4.配置openssl.cfg**
+
+```shell
+1) 查找openssl在服务器的安装目录并且找到openssl.cnf
+2) 编辑[ CA_default ] ，打开 copy_extensions = copy #取消注释
+3) 找到[ req ]，打开 req_extensions = v3.req #取消注释
+4) 找到[ v3_req ]，添加字段 subjectAltName = @alt_names
+5) 添加新的标签在最底部 [ alt_names ]和标签字段
+DNS.1 = localhost
+```
+
+**5.生成本地私钥test.key**
+
+```shell
+openssl genpkey -algorithm RSA -out test.key
+```
+
+**6.根据私钥生成csr请求文件test.csr**
+
+```shell
+openssl req -new -nodes -key test.key -out test.csr -days 3650 \
+-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
+-config ./openssl.cnf -extensions v3_req
+```
+
+**7.生成ca证书 pem**
+
+```shell
+openssl x509 -req -days 365 -in test.csr \
+-out test.pem -CA server.crt -CAkey server.key \
+-CAcreateserial -extfile ./openssl.cnf -extensions v3_req
+```
+

e2e/entrypoint.sh

@@ -1,10 +1,30 @@
 #!/bin/bash
 set -e
 
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
 mkdir -p /root/.config/atest
 mkdir -p /var/data
+cd "/var/data"
+# Generate private key
+openssl genrsa -out server.key 2048
+# Generate self-signed certificate
+openssl req -new -x509 -key server.key -out server.crt -days 36500 \
+-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
+# Generate Certificate Signing Request (CSR)
+openssl req -new -key server.key -out server.csr \
+-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
+# Generate a new private key
+openssl genpkey -algorithm RSA -out test.key
+# Generate a new CSR
+openssl req -new -nodes -key test.key -out test.csr -days 3650 \
+-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
+-config "$SCRIPT_DIR/openssl.cnf" -extensions v3_req
+# Sign the new CSR with the self-signed certificate
+openssl x509 -req -days 365 -in test.csr \
+-out test.pem -CA server.crt -CAkey server.key \
+-CAcreateserial -extfile "$SCRIPT_DIR/openssl.cnf" -extensions v3_req
 
-nohup atest server&
+nohup atest server --tls-grpc --cert-file /var/data/test.pem --key-file /var/data/test.key&
 cmd="atest run -p test-suite-common.yaml --report github --report-github-identity e2e-testing --report-file /var/data/report.json --report-github-repo linuxsuren/api-testing --report-github-pr ${PULL_REQUEST:-0}"
 
 echo "start to run testing: $cmd"