(cobra) Add TLS options to all cobra commands and classes. Add example to the doc.

Author: bsergean

docs/CHANGELOG.md

@@ -1,6 +1,10 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [7.6.0] - 2019-12-19
+
+(cobra) Add TLS options to all cobra commands and classes. Add example to the doc.
+
 ## [7.5.8] - 2019-12-18
 
 (cobra-to-sentry) capture application version from device field

docs/ws.md

@@ -243,6 +243,127 @@ Options:
   --transfer-timeout INT      Transfer timeout
 ```
 
-## Cobra Client
+## Cobra client and server
 
-[cobra](https://github.com/machinezone/cobra) is a real time messenging server. ws has a sub-command to interact with cobra.
+[cobra](https://github.com/machinezone/cobra) is a real time messenging server. ws has several sub-command to interact with cobra. There is also a minimal cobra compatible server named snake available.
+
+Below are examples on running a snake server and clients with TLS enabled (the server only works with the OpenSSL backend for now).
+
+First, generate certificates.
+
+```
+$ cd /path/to/IXWebSocket
+$ cd ixsnake/ixsnake
+$ bash ../../ws/generate_certs.sh
+Generating RSA private key, 2048 bit long modulus
+.....+++
+.................+++
+e is 65537 (0x10001)
+generated ./.certs/trusted-ca-key.pem
+generated ./.certs/trusted-ca-crt.pem
+Generating RSA private key, 2048 bit long modulus
+..+++
+.......................................+++
+e is 65537 (0x10001)
+generated ./.certs/trusted-server-key.pem
+Signature ok
+subject=/O=machinezone/O=IXWebSocket/CN=trusted-server
+Getting CA Private Key
+generated ./.certs/trusted-server-crt.pem
+Generating RSA private key, 2048 bit long modulus
+...................................+++
+..................................................+++
+e is 65537 (0x10001)
+generated ./.certs/trusted-client-key.pem
+Signature ok
+subject=/O=machinezone/O=IXWebSocket/CN=trusted-client
+Getting CA Private Key
+generated ./.certs/trusted-client-crt.pem
+Generating RSA private key, 2048 bit long modulus
+..............+++
+.......................................+++
+e is 65537 (0x10001)
+generated ./.certs/untrusted-ca-key.pem
+generated ./.certs/untrusted-ca-crt.pem
+Generating RSA private key, 2048 bit long modulus
+..........+++
+................................................+++
+e is 65537 (0x10001)
+generated ./.certs/untrusted-client-key.pem
+Signature ok
+subject=/O=machinezone/O=IXWebSocket/CN=untrusted-client
+Getting CA Private Key
+generated ./.certs/untrusted-client-crt.pem
+Generating RSA private key, 2048 bit long modulus
+.....................................................................................+++
+...........+++
+e is 65537 (0x10001)
+generated ./.certs/selfsigned-client-key.pem
+Signature ok
+subject=/O=machinezone/O=IXWebSocket/CN=selfsigned-client
+Getting Private key
+generated ./.certs/selfsigned-client-crt.pem
+```
+
+Now run the snake server.
+
+```
+$ export certs=.certs
+$ ws snake --tls --port 8765 --cert-file ${certs}/trusted-server-crt.pem --key-file ${certs}/trusted-server-key.pem --ca-file ${certs}/trusted-ca-crt.pem
+{
+  "apps": {
+    "FC2F10139A2BAc53BB72D9db967b024f": {
+      "roles": {
+        "_sub": {
+          "secret": "66B1dA3ED5fA074EB5AE84Dd8CE3b5ba"
+        },
+        "_pub": {
+          "secret": "1c04DB8fFe76A4EeFE3E318C72d771db"
+        }
+      }
+    }
+  }
+}
+
+redis host: 127.0.0.1
+redis password:
+redis port: 6379
+```
+
+As a new connection comes in, such output should be printed
+
+```
+[2019-12-19 20:27:19.724] [info] New connection
+id: 0
+Uri: /v2?appkey=_health
+Headers:
+Connection: Upgrade
+Host: 127.0.0.1:8765
+Sec-WebSocket-Extensions: permessage-deflate; server_max_window_bits=15; client_max_window_bits=15
+Sec-WebSocket-Key: d747B0fE61Db73f7Eh47c0==
+Sec-WebSocket-Protocol: json
+Sec-WebSocket-Version: 13
+Upgrade: websocket
+User-Agent: ixwebsocket/7.5.8 macos ssl/OpenSSL OpenSSL 1.0.2q  20 Nov 2018 zlib 1.2.11
+```
+
+To connect and publish a message, do:
+
+```
+$ export certs=.certs
+$ cd /path/to/ws/folder
+$ ls cobraMetricsSample.json
+cobraMetricsSample.json
+$ ws cobra_publish --endpoint wss://127.0.0.1:8765 --appkey FC2F10139A2BAc53BB72D9db967b024f --rolename _pub --rolesecret 1c04DB8fFe76A4EeFE3E318C72d771db --channel foo --cert-file ${certs}/trusted-client-crt.pem --key-file ${certs}/trusted-client-key.pem --ca-file ${certs}/trusted-ca-crt.pem cobraMetricsSample.json
+[2019-12-19 20:46:42.656] [info] Publisher connected
+[2019-12-19 20:46:42.657] [info] Connection: Upgrade
+[2019-12-19 20:46:42.657] [info] Sec-WebSocket-Accept: rs99IFThoBrhSg+k8G4ixH9yaq4=
+[2019-12-19 20:46:42.657] [info] Sec-WebSocket-Extensions: permessage-deflate; server_max_window_bits=15; client_max_window_bits=15
+[2019-12-19 20:46:42.657] [info] Server: ixwebsocket/7.5.8 macos ssl/OpenSSL OpenSSL 1.0.2q  20 Nov 2018 zlib 1.2.11
+[2019-12-19 20:46:42.657] [info] Upgrade: websocket
+[2019-12-19 20:46:42.658] [info] Publisher authenticated
+[2019-12-19 20:46:42.658] [info] Published msg 3
+[2019-12-19 20:46:42.659] [info] Published message id 3 acked
+```
+
+To use OpenSSL on macOS, compile with `make ws_openssl`. First you will have to install OpenSSL libraries, which can be done with Homebrew.

ixcobra/ixcobra/IXCobraConnection.cpp

@@ -7,6 +7,7 @@
 #include "IXCobraConnection.h"
 #include <ixcrypto/IXHMac.h>
 #include <ixwebsocket/IXWebSocket.h>
+#include <ixwebsocket/IXSocketTLSOptions.h>
 
 #include <algorithm>
 #include <stdexcept>
@@ -244,7 +245,8 @@ namespace ix
                                     const std::string& endpoint,
                                     const std::string& rolename,
                                     const std::string& rolesecret,
-                                    const WebSocketPerMessageDeflateOptions& webSocketPerMessageDeflateOptions)
+                                    const WebSocketPerMessageDeflateOptions& webSocketPerMessageDeflateOptions,
+                                    const SocketTLSOptions& socketTLSOptions)
     {
         _roleName = rolename;
         _roleSecret = rolesecret;
@@ -257,6 +259,7 @@ namespace ix
         std::string url = ss.str();
         _webSocket->setUrl(url);
         _webSocket->setPerMessageDeflateOptions(webSocketPerMessageDeflateOptions);
+        _webSocket->setTLSOptions(socketTLSOptions);
     }
 
     //

ixcobra/ixcobra/IXCobraConnection.h

@@ -20,6 +20,7 @@
 namespace ix
 {
     class WebSocket;
+    struct SocketTLSOptions;
 
     enum CobraConnectionEventType
     {
@@ -62,7 +63,8 @@ namespace ix
                        const std::string& endpoint,
                        const std::string& rolename,
                        const std::string& rolesecret,
-                       const WebSocketPerMessageDeflateOptions& webSocketPerMessageDeflateOptions);
+                       const WebSocketPerMessageDeflateOptions& webSocketPerMessageDeflateOptions,
+                       const SocketTLSOptions& socketTLSOptions);
 
         /// Set the traffic tracker callback
         static void setTrafficTrackerCallback(const TrafficTrackerCallback& callback);

ixcobra/ixcobra/IXCobraMetricsPublisher.cpp

@@ -5,6 +5,7 @@
  */
 
 #include "IXCobraMetricsPublisher.h"
+#include <ixwebsocket/IXSocketTLSOptions.h>
 
 #include <algorithm>
 #include <stdexcept>
@@ -31,14 +32,15 @@ namespace ix
                                           const std::string& channel,
                                           const std::string& rolename,
                                           const std::string& rolesecret,
-                                          bool enablePerMessageDeflate)
+                                          bool enablePerMessageDeflate,
+                                          const SocketTLSOptions& socketTLSOptions)
     {
         // Configure the satori connection and start its publish background thread
         _cobra_metrics_theaded_publisher.start();
 
         _cobra_metrics_theaded_publisher.configure(appkey, endpoint, channel,
                                                    rolename, rolesecret,
-                                                   enablePerMessageDeflate);
+                                                   enablePerMessageDeflate, socketTLSOptions);
     }
 
     Json::Value& CobraMetricsPublisher::getGenericAttributes()

ixcobra/ixcobra/IXCobraMetricsPublisher.h

@@ -15,6 +15,8 @@
 
 namespace ix
 {
+    struct SocketTLSOptions;
+
     class CobraMetricsPublisher
     {
     public:
@@ -43,7 +45,8 @@ namespace ix
                        const std::string& channel,
                        const std::string& rolename,
                        const std::string& rolesecret,
-                       bool enablePerMessageDeflate);
+                       bool enablePerMessageDeflate,
+                       const SocketTLSOptions& socketTLSOptions);
 
         /// Setter for the list of blacklisted metrics ids.
         /// That list is sorted internally for fast lookups

ixcobra/ixcobra/IXCobraMetricsThreadedPublisher.cpp

@@ -6,6 +6,7 @@
 
 #include "IXCobraMetricsThreadedPublisher.h"
 #include <ixwebsocket/IXSetThreadName.h>
+#include <ixwebsocket/IXSocketTLSOptions.h>
 #include <ixcore/utils/IXCoreLogger.h>
 
 #include <algorithm>
@@ -92,14 +93,15 @@ namespace ix
                                                   const std::string& channel,
                                                   const std::string& rolename,
                                                   const std::string& rolesecret,
-                                                  bool enablePerMessageDeflate)
+                                                  bool enablePerMessageDeflate,
+                                                  const SocketTLSOptions& socketTLSOptions)
     {
         _channel = channel;
 
         ix::WebSocketPerMessageDeflateOptions webSocketPerMessageDeflateOptions(enablePerMessageDeflate);
         _cobra_connection.configure(appkey, endpoint,
                                     rolename, rolesecret,
-                                    webSocketPerMessageDeflateOptions);
+                                    webSocketPerMessageDeflateOptions, socketTLSOptions);
     }
 
     void CobraMetricsThreadedPublisher::pushMessage(MessageKind messageKind)

ixcobra/ixcobra/IXCobraMetricsThreadedPublisher.h

@@ -18,6 +18,8 @@
 
 namespace ix
 {
+    struct SocketTLSOptions;
+
     class CobraMetricsThreadedPublisher
     {
     public:
@@ -30,7 +32,8 @@ namespace ix
                        const std::string& channel,
                        const std::string& rolename,
                        const std::string& rolesecret,
-                       bool enablePerMessageDeflate);
+                       bool enablePerMessageDeflate,
+                       const SocketTLSOptions& socketTLSOptions);
 
         /// Start the worker thread, used for background publishing
         void start();

ixsnake/ixsnake/IXAppConfig.h

@@ -9,6 +9,7 @@
 #include <nlohmann/json.hpp>
 #include <string>
 #include <vector>
+#include <ixwebsocket/IXSocketTLSOptions.h>
 
 namespace snake
 {
@@ -26,6 +27,9 @@ namespace snake
         // AppKeys
         nlohmann::json apps;
 
+        // TLS options
+        ix::SocketTLSOptions socketTLSOptions;
+
         // Misc
         bool verbose;
     };

ixsnake/ixsnake/IXSnakeServer.cpp

@@ -20,7 +20,7 @@ namespace snake
         : _appConfig(appConfig)
         , _server(appConfig.port, appConfig.hostname)
     {
-        ;
+        _server.setTLSOptions(appConfig.socketTLSOptions);
     }
 
     //