rfq: allow os, custom certificates

Adds both 'TrustSystemRootCAs' and 'CustomCertificates' to the rfq
TLSConfig. The former indicates whether or not to trust the operating
system's root CA list; the latter allows additional certificates (CA or
self-signed) to be trusted.

Also adds a basic unit test skeleton.

Author: jtobin

rfq/oracle.go

@@ -2,7 +2,6 @@ package rfq
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"math"
 	"net/url"
@@ -16,8 +15,6 @@ import (
 	"github.com/lightningnetwork/lnd/lnwire"
 	"github.com/lightningnetwork/lnd/routing/route"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/credentials/insecure"
 )
 
 // PriceQueryIntent is an enum that represents the intent of a price rate
@@ -186,32 +183,6 @@ type RpcPriceOracle struct {
 	rawConn *grpc.ClientConn
 }
 
-// serverDialOpts returns the set of server options needed to connect to the
-// price oracle RPC server using a TLS connection.
-func serverDialOpts() ([]grpc.DialOption, error) {
-	var opts []grpc.DialOption
-
-	// Skip TLS certificate verification.
-	tlsConfig := tls.Config{InsecureSkipVerify: true}
-	transportCredentials := credentials.NewTLS(&tlsConfig)
-	opts = append(opts, grpc.WithTransportCredentials(transportCredentials))
-
-	return opts, nil
-}
-
-// insecureServerDialOpts returns the set of server options needed to connect to
-// the price oracle RPC server using a TLS connection.
-func insecureServerDialOpts() ([]grpc.DialOption, error) {
-	var opts []grpc.DialOption
-
-	// Skip TLS certificate verification.
-	opts = append(opts, grpc.WithTransportCredentials(
-		insecure.NewCredentials(),
-	))
-
-	return opts, nil
-}
-
 // NewRpcPriceOracle creates a new RPC price oracle handle given the address
 // of the price oracle RPC server.
 func NewRpcPriceOracle(addrStr string, tlsConfig *TLSConfig) (*RpcPriceOracle,
@@ -222,27 +193,21 @@ func NewRpcPriceOracle(addrStr string, tlsConfig *TLSConfig) (*RpcPriceOracle,
 		return nil, err
 	}
 
-	// Connect to the RPC server.
-	dialOpts, err := serverDialOpts()
+	// Create transport credentials and dial options from the supplied TLS
+	// config.
+	transportCredentials, err := configureTransportCredentials(tlsConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	// Determine whether we should skip certificate verification.
-	dialInsecure := tlsConfig.InsecureSkipVerify
-
-	// Allow connecting to a non-TLS (h2c, http over cleartext) gRPC server,
-	// should be used for testing only.
-	if dialInsecure {
-		dialOpts, err = insecureServerDialOpts()
-		if err != nil {
-			return nil, err
-		}
+	dialOpts := []grpc.DialOption{
+		grpc.WithTransportCredentials(transportCredentials),
 	}
 
 	// Formulate the server address dial string.
 	serverAddr := fmt.Sprintf("%s:%s", addr.Hostname(), addr.Port())
 
+	// Connect to the RPC server.
 	conn, err := grpc.Dial(serverAddr, dialOpts...)
 	if err != nil {
 		return nil, err

rfq/tls.go

@@ -1,9 +1,28 @@
 package rfq
 
+import (
+	"crypto/tls"
+	"crypto/x509"
+
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
 // TLSConfig represents TLS configuration options for oracle connections.
 type TLSConfig struct {
+	// Enabled indicates that we should use TLS.
+	Enabled bool
+
 	// InsecureSkipVerify disables certificate verification.
 	InsecureSkipVerify bool
+
+	// TrustSystemRootCAs indicates whether or not to use the operating
+	// system's root certificate authority list.
+	TrustSystemRootCAs bool
+
+	// CustomCertificates contains PEM data for additional root CA and
+	// self-signed certificates to trust.
+	CustomCertificates []byte
 }
 
 // DefaultTLSConfig returns a default TLS configuration.
@@ -12,3 +31,45 @@ func DefaultTLSConfig() *TLSConfig {
 		InsecureSkipVerify: true,
 	}
 }
+
+// configureTransportCredentials configures the TLS transport credentials to
+// be used for RPC connections.
+func configureTransportCredentials(
+	config *TLSConfig) (credentials.TransportCredentials, error) {
+
+	// If TLS is disabled, return insecure credentials.
+	if !config.Enabled {
+		return insecure.NewCredentials(), nil
+	}
+
+	// If we're to skip certificate verification, then return TLS
+	// credentials with certificate verification disabled.
+	if config.InsecureSkipVerify {
+		creds := credentials.NewTLS(&tls.Config{
+			InsecureSkipVerify: true,
+		})
+		return creds, nil
+	}
+
+	// Initialize the certificate pool.
+	certPool, err := constructCertPool(config.TrustSystemRootCAs)
+	if err != nil {
+		return nil, err
+	}
+
+	// If we have any custom certificates, add them to the certificate
+	// pool.
+	certPool.AppendCertsFromPEM(config.CustomCertificates)
+
+	// Return the constructed transport credentials.
+	return credentials.NewClientTLSFromCert(certPool, ""), nil
+}
+
+// constructCertPool is a helper for constructing an initial certificate pool,
+// depending on whether or not we should trust the system root CA list.
+func constructCertPool(trustSystem bool) (*x509.CertPool, error) {
+	if trustSystem {
+		return x509.SystemCertPool()
+	}
+	return x509.NewCertPool(), nil
+}

rfq/tls_test.go

@@ -0,0 +1,85 @@
+package rfq
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Test certificate data - a valid self-signed certificate for testing
+const validTestCertPEM = `-----BEGIN CERTIFICATE-----
+MIICmjCCAYICCQCuu1gzY+BBKjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0
+ZXN0MB4XDTI1MDgyODEwNDA1NVoXDTI1MDgyOTEwNDA1NVowDzENMAsGA1UEAwwE
+dGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALTWCm8l3d9nE2QK
+TK8HJ36ftO8pK3//nb8Nj/p97FrPFSgzdgL1ZNJs4gP5/ZsU+iE6VeKhalHoSf6/
+IMLe3ATTL0rWA1M6z7cw6ll8VS8NQMaMSFWNomncsxyoJAQde++SC5f1RwQJBD/0
+gGB4bJIIqUHtT12m23GLX48d6JGEEi5kEQtk91S/QGnHtglzZ8CQOogDBzDhSHu2
+jj4mKYDgkXcyAqN7DoDzoEcrpeAaeAwem8k1sFBeTtrqT1ot7Ey5KG+RUyJbdKGt
+5adJiwH782NgsSnISQ2X7Sct6Uu0JzHKx9JzyABsA05tf3cNJkLhh1Is9edYI2e9
+m0dqedECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQOCs/7xZVPjabbhdv30mUJMG
+lddi2A+R/5IRXW1MKnpemwiv4ZWYQ9PMTmuR7kqaF7AGLkvx+5sp2evUJN4x7vHP
+ao6wihbdh+vBkrobE+Y9dE7nbkvMQSNi1sXzDnfZB9LqY9Huun2soUwBQNCMPVMa
+Wo7g6udwyA48doEVJMjThFLPcW7xmsy6Ldew682m1kD8/ag+9qihX1IJyiqiEjha
+3uT4CT+zEg0RJorEJKbR38fE4Uhx1wZO4zvjEg6qZeW/I4lw+UzSY5xV7lJ1EQvf
+BcoNuBHB65RxQM5fpA7hkEFm1bxBoowGX2hx6VCCeBBwREISRfgvkUxZahUXNg==
+-----END CERTIFICATE-----`
+
+// Invalid PEM data for testing failure cases
+const invalidTestCertPEM = `-----BEGIN CERTIFICATE-----
+This is not a valid certificate
+-----END CERTIFICATE-----`
+
+// DefaultTLSConfig returns a default TLS configuration for testing.
+func DefaultTLSConfig() *TLSConfig {
+	return &TLSConfig{
+		InsecureSkipVerify: true,
+	}
+}
+
+// TestConfigureTransportCredentials_InsecureSkipVerify tests the function
+// when InsecureSkipVerify is true.
+func TestConfigureTransportCredentials_InsecureSkipVerify(t *testing.T) {
+	config := &TLSConfig{
+		InsecureSkipVerify: true,
+	}
+
+	creds, err := configureTransportCredentials(config)
+
+	require.NoError(t, err)
+	require.NotNil(t, creds)
+
+	// Verify that we got insecure credentials by checking the type
+	require.Equal(t, "insecure", creds.Info().SecurityProtocol)
+}
+
+// TestConfigureTransportCredentials_ValidCustomCertificates tests the
+// function when valid custom certificates are provided.
+func TestConfigureTransportCredentials_ValidCustomCertificates(t *testing.T) {
+	config := &TLSConfig{
+		InsecureSkipVerify: false,
+		CustomCertificates: []byte(validTestCertPEM),
+	}
+
+	creds, err := configureTransportCredentials(config)
+
+	require.NoError(t, err)
+	require.NotNil(t, creds)
+
+	// Verify that we got TLS credentials (not insecure)
+	require.Equal(t, "tls", creds.Info().SecurityProtocol)
+}
+
+// TestConfigureTransportCredentials_NoCredentialsConfigured tests the
+// function when no credentials are configured.
+func TestConfigureTransportCredentials_NoCredentialsConfigured(t *testing.T) {
+	config := &TLSConfig{
+		InsecureSkipVerify: false,
+		CustomCertificates: nil,
+	}
+
+	creds, err := configureTransportCredentials(config)
+
+	require.NoError(t, err)
+	require.NotNil(t, creds)
+	require.Equal(t, "tls", creds.Info().SecurityProtocol)
+}