THRIFT-2369 Add ssl support for nodejs implementation
Patch: Pierre Lamot
diff --git a/lib/nodejs/lib/thrift/connection.js b/lib/nodejs/lib/thrift/connection.js
index 8bcc9df..fb9215f 100644
--- a/lib/nodejs/lib/thrift/connection.js
+++ b/lib/nodejs/lib/thrift/connection.js
@@ -19,6 +19,7 @@
var util = require('util'),
EventEmitter = require("events").EventEmitter,
net = require('net'),
+ tls = require('tls'),
ttransport = require('./transport'),
tprotocol = require('./protocol');
@@ -67,6 +68,24 @@
self.emit("connect");
});
+ this.connection.addListener("secureConnect", function() {
+ self.connected = true;
+
+ this.setTimeout(self.options.timeout || 0);
+ this.setNoDelay();
+ this.frameLeft = 0;
+ this.framePos = 0;
+ this.frame = null;
+ self.initialize_retry_vars();
+
+ self.offline_queue.forEach(function(data) {
+ self.connection.write(data);
+ });
+
+ self.emit("connect");
+ });
+
+
this.connection.addListener("error", function(err) {
// Only emit the error if no-one else is listening on the connection
// or if someone is listening on us
@@ -207,6 +226,14 @@
return connection;
}
+exports.createSSLConnection = function(host, port, options) {
+ var stream = tls.connect(port, host, options);
+ var connection = new Connection(stream, options);
+ connection.host = host;
+ connection.port = port;
+
+ return connection;
+}
exports.createClient = function(cls, connection) {
@@ -298,7 +325,7 @@
};
-util.inherits(StdIOConnection, EventEmitter);
+util.inherits(StdIOConnection, EventEmitter);
StdIOConnection.prototype.end = function() {
this.connection.end();
diff --git a/lib/nodejs/lib/thrift/index.js b/lib/nodejs/lib/thrift/index.js
index 4992bed..9846d3d 100644
--- a/lib/nodejs/lib/thrift/index.js
+++ b/lib/nodejs/lib/thrift/index.js
@@ -22,14 +22,18 @@
exports.Connection = connection.Connection;
exports.createClient = connection.createClient;
exports.createConnection = connection.createConnection;
+exports.createSSLConnection = connection.createSSLConnection;
exports.createStdIOClient = connection.createStdIOClient;
exports.createStdIOConnection = connection.createStdIOConnection;
var server = require('./server')
exports.createServer = server.createServer;
+exports.createSSLServer = server.createSSLServer;
exports.createHttpServer = server.createHttpServer;
+exports.createHttpsServer = server.createHttpsServer;
exports.httpMiddleware = server.httpMiddleware;
exports.createMultiplexServer = server.createMultiplexServer;
+exports.createMultiplexSSLServer = server.createMultiplexSSLServer;
var static_server = require('./static_server')
exports.createStaticHttpThriftServer = static_server.createStaticHttpThriftServer;
@@ -42,7 +46,7 @@
exports.MultiplexedProcessor = mprocessor.MultiplexedProcessor
/*
- * Export transport and protocol so they can be used outside of a
+ * Export transport and protocol so they can be used outside of a
* cassandra/server context
*/
exports.TFramedTransport = require('./transport').TFramedTransport;
diff --git a/lib/nodejs/lib/thrift/server.js b/lib/nodejs/lib/thrift/server.js
index 24ec980..398d398 100644
--- a/lib/nodejs/lib/thrift/server.js
+++ b/lib/nodejs/lib/thrift/server.js
@@ -18,6 +18,8 @@
*/
var net = require('net');
var http = require('http');
+var https = require('https');
+var tls = require('tls');
var url = require("url");
var path = require("path");
var fs = require("fs");
@@ -52,7 +54,7 @@
}
catch (err) {
if (err instanceof ttransport.InputBufferUnderrunError) {
- //The last data in the buffer was not a complete message, wait for the rest
+ //The last data in the buffer was not a complete message, wait for the rest
transportWithData.rollbackPosition();
}
else if (err.message === "Invalid type: undefined") {
@@ -60,10 +62,10 @@
//This trap is a bit hackish
//The next step to improve the node behavior here is to have
// the compiler generated process method throw a more explicit
- // error when the network buffer is empty (regardles of the
+ // error when the network buffer is empty (regardles of the
// protocol/transport stack in use) and replace this heuristic.
// Also transports should probably not force upper layers to
- // manage their buffer positions (i.e. rollbackPosition() and
+ // manage their buffer positions (i.e. rollbackPosition() and
// commitPosition() should be eliminated in lieu of a transport
// encapsulated buffer management strategy.)
transportWithData.rollbackPosition();
@@ -82,6 +84,63 @@
});
};
+exports.createMultiplexSSLServer = function(processor, options) {
+
+ var transport = (options && options.transport) ? options.transport : ttransport.TBufferedTransport;
+ var protocol = (options && options.protocol) ? options.protocol : TBinaryProtocol;
+
+ return tls.createServer(options, function(stream) {
+ var self = this;
+ stream.on('data', transport.receiver(function(transportWithData) {
+ var input = new protocol(transportWithData);
+ var output = new protocol(new transport(undefined, function(buf) {
+ try {
+ stream.write(buf);
+ } catch (err) {
+ self.emit('error', err);
+ stream.end();
+ }
+ }));
+
+ try {
+ do {
+ processStatus = processor.process(input, output);
+ transportWithData.commitPosition();
+ } while (true);
+ }
+ catch (err) {
+ if (err instanceof ttransport.InputBufferUnderrunError) {
+ //The last data in the buffer was not a complete message, wait for the rest
+ transportWithData.rollbackPosition();
+ }
+ else if (err.message === "Invalid type: undefined") {
+ //No more data in the buffer
+ //This trap is a bit hackish
+ //The next step to improve the node behavior here is to have
+ // the compiler generated process method throw a more explicit
+ // error when the network buffer is empty (regardles of the
+ // protocol/transport stack in use) and replace this heuristic.
+ // Also transports should probably not force upper layers to
+ // manage their buffer positions (i.e. rollbackPosition() and
+ // commitPosition() should be eliminated in lieu of a transport
+ // encapsulated buffer management strategy.)
+ transportWithData.rollbackPosition();
+ }
+ else {
+ //Unexpected error
+ self.emit('error', err);
+ stream.end();
+ }
+ }
+ }));
+
+ stream.on('end', function() {
+ stream.end();
+ });
+ });
+};
+
+
function httpRequestHandler(cls, handler, options) {
if (cls.Processor) {
cls = cls.Processor;
@@ -122,9 +181,14 @@
exports.httpMiddleware = httpRequestHandler;
exports.createHttpServer = function(cls, handler, options) {
- return http.createServer(httpRequestHandler(cls, handler, options));
+ return http.createServer(options, httpRequestHandler(cls, handler, options));
};
+exports.createHttpsServer = function(cls, handler, options) {
+ return https.createServer(options, httpRequestHandler(cls, handler, options));
+};
+
+
exports.createServer = function(cls, handler, options) {
if (cls.Processor) {
cls = cls.Processor;
@@ -133,3 +197,12 @@
return exports.createMultiplexServer(processor,options);
};
+
+exports.createSSLServer = function(cls, handler, options) {
+ if (cls.Processor) {
+ cls = cls.Processor;
+ }
+ var processor = new cls(handler);
+
+ return exports.createMultiplexSSLServer(processor,options);
+};
diff --git a/lib/nodejs/test/certificates.README b/lib/nodejs/test/certificates.README
new file mode 100644
index 0000000..06c507e
--- /dev/null
+++ b/lib/nodejs/test/certificates.README
@@ -0,0 +1,7 @@
+server.crt AND server.key ARE PROVIDED FOR TEST PURPOSE AND SHOULD *NEVER* BE USED IN PRODUCTION
+
+
+Origin of the test key and cert is the folder test/keys of Apache Thrift source code distribution
+
+We need copies for npm deployment
+
diff --git a/lib/nodejs/test/client.js b/lib/nodejs/test/client.js
index 90d7467..43d88f0 100644
--- a/lib/nodejs/test/client.js
+++ b/lib/nodejs/test/client.js
@@ -21,6 +21,7 @@
//"ThriftTest" suite. This client will test any protocol/transport
//combination specified on the command line.
+var fs = require('fs');
var assert = require('assert');
var thrift = require('thrift');
var ThriftTransports = require('thrift/transport');
@@ -33,6 +34,7 @@
program
.option('-p, --protocol <protocol>', 'Set thrift protocol (binary|json) [protocol]')
.option('-t, --transport <transport>', 'Set thrift transport (buffered|framed) [transport]')
+ .option('--ssl', 'use SSL transport')
.parse(process.argv);
var protocol = undefined;
@@ -56,10 +58,19 @@
transport = ThriftTransports.TBufferedTransport;
}
-var connection = thrift.createConnection('localhost', 9090, {
+var options = {
transport: transport,
protocol: protocol
-});
+};
+
+var connection = undefined;
+
+if (program.ssl) {
+ options.rejectUnauthorized = false;
+ connection = thrift.createSSLConnection('localhost', 9090, options);
+} else {
+ connection = thrift.createConnection('localhost', 9090, options);
+}
var client = thrift.createClient(ThriftTest, connection);
diff --git a/lib/nodejs/test/multiplex_client.js b/lib/nodejs/test/multiplex_client.js
index 6cf6975..9ef716b 100644
--- a/lib/nodejs/test/multiplex_client.js
+++ b/lib/nodejs/test/multiplex_client.js
@@ -30,6 +30,7 @@
program
.option('-p, --protocol <protocol>', 'Set thift protocol (binary|json) [protocol]')
.option('-t, --transport <transport>', 'Set thift transport (buffered|framed) [transport]')
+ .option('--ssl', 'use ssl transport')
.parse(process.argv);
var protocol = undefined;
@@ -53,10 +54,18 @@
transport = ThriftTransports.TBufferedTransport;
}
-var connection = thrift.createConnection('localhost', 9090, {
+var options = {
transport: transport,
protocol: protocol
-});
+};
+
+var connection = undefined;
+if (program.ssl) {
+ options.rejectUnauthorized = false
+ connection = thrift.createSSLConnection('localhost', 9090, options);
+} else {
+ connection = thrift.createConnection('localhost', 9090, options);
+}
var mp = new thrift.Multiplexer();
diff --git a/lib/nodejs/test/multiplex_server.js b/lib/nodejs/test/multiplex_server.js
index a2a1709..a2ea535 100644
--- a/lib/nodejs/test/multiplex_server.js
+++ b/lib/nodejs/test/multiplex_server.js
@@ -25,11 +25,15 @@
SecondService = require('./gen-nodejs/SecondService'),
ttypes = require('./gen-nodejs/ThriftTest_types');
+var fs = require("fs");
+var path = require("path");
+
var program = require('commander');
program
.option('-p, --protocol <protocol>', 'Set thift protocol (binary|json) [protocol]')
.option('-t, --transport <transport>', 'Set thift transport (buffered|framed) [transport]')
+ .option('--ssl', 'use ssl transport')
.parse(process.argv);
var protocol = undefined;
@@ -72,9 +76,19 @@
"SecondService",
new SecondService.Processor(SecondServiceHandler));
-var server = thrift.createMultiplexServer(processor, {
- protocol: protocol,
- transport: transport
-});
+var options = {
+ transport: transport,
+ protocol: protocol
+};
+
+var server = undefined;
+if (program.ssl) {
+ //ssl options
+ options.key = fs.readFileSync(path.resolve(__dirname, 'server.key'));
+ options.cert = fs.readFileSync(path.resolve(__dirname, 'server.crt'));
+ server = thrift.createMultiplexSSLServer(processor, options);
+} else {
+ server = thrift.createMultiplexServer(processor, options);
+}
server.listen(9090);
diff --git a/lib/nodejs/test/server.crt b/lib/nodejs/test/server.crt
new file mode 100644
index 0000000..75f0649
--- /dev/null
+++ b/lib/nodejs/test/server.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMzCCAxugAwIBAgIJAKC40O9aq1qjMA0GCSqGSIb3DQEBBQUAMIGvMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITWFyeWxhbmQxFDASBgNVBAcMC0ZvcmVzdCBIaWxs
+MScwJQYDVQQKDB5UaGUgQXBhY2hlIFNvZnR3YXJlIEZvdW5kYXRpb24xFjAUBgNV
+BAsMDUFwYWNoZSBUaHJpZnQxEDAOBgNVBAMMB3NzbHRlc3QxJDAiBgkqhkiG9w0B
+CQEWFWRldkB0aHJpZnQuYXBhY2hlLm9yZzAeFw0xNDAyMDkxNzAwNTZaFw0yMjA0
+MjgxNzAwNTZaMIGvMQswCQYDVQQGEwJVUzERMA8GA1UECAwITWFyeWxhbmQxFDAS
+BgNVBAcMC0ZvcmVzdCBIaWxsMScwJQYDVQQKDB5UaGUgQXBhY2hlIFNvZnR3YXJl
+IEZvdW5kYXRpb24xFjAUBgNVBAsMDUFwYWNoZSBUaHJpZnQxEDAOBgNVBAMMB3Nz
+bHRlc3QxJDAiBgkqhkiG9w0BCQEWFWRldkB0aHJpZnQuYXBhY2hlLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuczDt5da6M0g9+trj5Df4/Xz1e
+Y4tf6Ch4g6PSWgKTdrnZpXixtdoYSmXe9NIlEepKr7TFrqUmk7pgxkLGj+probIB
+I0vK9GYWMxc8D2meD6IZZkDx/4cS575tpKL2QmjmlqVSWZE38R0YuPo4xjlNWc7+
+CvK5d6dmCgypvKye0Qmi8Oo1TzKH30L3DEIxn2V6sERfXhV3AIuh28qn5ymhR42i
+/acTriF4hV/7GgcmiBnAiPeMXn47ZdCRaVv01DAicl/ImGSFo+9A3DBLzP8h+9Qv
+FqiAOp7gSlfLBjzW1xKi6K+91wtenaz6DmSHtGyVMsQnXiKiyi+QE5xpH6ECAwEA
+AaNQME4wHQYDVR0OBBYEFIuvCIHtKsVW63iINRpCpWFSy566MB8GA1UdIwQYMBaA
+FIuvCIHtKsVW63iINRpCpWFSy566MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADggEBAFVYAfs+ZgE/fsSrsARZ3eZ94IC5E6qRH7P2yOyO96YTxlLRIniYqCYL
+l7SM4JYj8k6/QjfxjeqTU4XX0W2ZXNY1+sfU1lATuzHbeY6tzxZytUu3lmYOOfHv
+UyyLBAbrAkXZy+CKiD833eBBUtPxNd46nJ5KQPIN6FqKRB5EpW6eSXRohCoSmy8I
+4QVI3xGNeNgZznGM58nhLD+8VQ2j3/SEnukGxSV67uoNyeyZ60QKYg+TLdSEtb4G
+hxzOTOH+b324Fw1gipTfnrJImz1qmFAtOPS7IJGwQjjS/nfAmV+P4gXj2tU0VHCR
+UcI8VRqdK4GFbnGapPpHWx7nQOSMHtE=
+-----END CERTIFICATE-----
diff --git a/lib/nodejs/test/server.js b/lib/nodejs/test/server.js
index da9a4d6..69519ab 100644
--- a/lib/nodejs/test/server.js
+++ b/lib/nodejs/test/server.js
@@ -22,6 +22,8 @@
// TFramedTransport
// TSocket
+var fs = require('fs');
+var path = require('path');
var thrift = require('thrift');
var ThriftTransports = require('thrift/transport');
var ThriftProtocols = require('thrift/protocol');
@@ -34,6 +36,7 @@
program
.option('-p, --protocol <protocol>', 'Set thift protocol (binary|json) [protocol]')
.option('-t, --transport <transport>', 'Set thift transport (buffered|framed) [transport]')
+ .option('--ssl', 'use ssl transport')
.parse(process.argv);
var protocol = undefined;
@@ -57,7 +60,18 @@
transport = ThriftTransports.TBufferedTransport;
}
-thrift.createServer(ThriftTest, ThriftTestHandler, {
+var options = {
protocol: protocol,
transport: transport
-}).listen(9090);
+};
+
+if (program.ssl) {
+ //ssl options
+ options.key = fs.readFileSync(path.resolve(__dirname, 'server.key'));
+ options.cert = fs.readFileSync(path.resolve(__dirname, 'server.crt'));
+ thrift.createSSLServer(ThriftTest, ThriftTestHandler, options).listen(9090);
+
+} else {
+ //default
+ thrift.createServer(ThriftTest, ThriftTestHandler, options).listen(9090);
+}
diff --git a/lib/nodejs/test/server.key b/lib/nodejs/test/server.key
new file mode 100644
index 0000000..6356e30
--- /dev/null
+++ b/lib/nodejs/test/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDLnMw7eXWujNIP
+fra4+Q3+P189XmOLX+goeIOj0loCk3a52aV4sbXaGEpl3vTSJRHqSq+0xa6lJpO6
+YMZCxo/qa6GyASNLyvRmFjMXPA9png+iGWZA8f+HEue+baSi9kJo5palUlmRN/Ed
+GLj6OMY5TVnO/gryuXenZgoMqbysntEJovDqNU8yh99C9wxCMZ9lerBEX14VdwCL
+odvKp+cpoUeNov2nE64heIVf+xoHJogZwIj3jF5+O2XQkWlb9NQwInJfyJhkhaPv
+QNwwS8z/IfvULxaogDqe4EpXywY81tcSouivvdcLXp2s+g5kh7RslTLEJ14iosov
+kBOcaR+hAgMBAAECggEAS70Fk1H43nbvZGgkG+Y4uExmZvOHX77LItLBVNzYMoEb
+9sHo9V5VYM0MT5yBwPGdGmOxvDKUZkZVSUzaMtidi/uBaC9YK8dQ5fB4DLqAmS78
+bbW4/YuHG32CyqkKRrwHs/GiM9jQDF6cx8/8bsdTpNkLAR4qgGNRCOnB7zfsQOEg
+eAcJjsJxJc/w0LpWBVCPWxMKZ/M6An7tnp/rxcCuC50FnUYwn2imDRiCZHooGyO8
+qEt8kOT/0n550nPWMvjmgqkcALYhPF2gna5JlsoYau+lEFNj9KY+r3vDy+rhhnKV
+2RbUFs6315tkEcnmWwxYiwphBaUZLmnqMpgosI/xiQKBgQDzigau5QadqaADAQf4
+TbeouODC7o/K2eTQGAhH8TdEazumZdxFWcT+RpGOKxgzJ+dZ6T8+bt8WtNMx72yH
+yJ2wnBnqSvgCUPEelsabbzi8a8blKlz3cnXCgaa545LCTx4yam59LQnFHdoAAHtI
+ZMlfcbuCZ7IplATqEF3KvYdz2wKBgQDWB8vKfzUJiGPlElR9ylw3iK7Jvxm26z9a
+oR4D8YEP0+80S8wz4pnht8JSU4X1n4w4Spa0Z1m0KknkhakbOBKiVU1/OFmF+7uz
+iZfPqko/K18e+w3JhTKHLQOYZXKohE7vLXATaKF52FBCjWlpjo2sYL64kqoEnQiw
+IC4HVcqRMwKBgQCp+O9pKVdQuo5/Cj0xw6wnCcF0y2N4RFM6GUvOSkA0dFMRc44k
+qN6gSUhVXSZqrbL+QZhuTptNEa9E7sFkk1Pba1d6+g/WLf/bRYgf+6QxfVc3ojV4
+Tl55/lsK6hYHn4iHz1iF7OUguhDoZ22jvRP+lTY1cYIbGr/DTODpGxZqeQKBgFw+
+4/CUvvEq3ZMfQVct3mz49gxx1s1lutp+0ob0kaGWwGQTvyElqxkDsDb3VKc2aqLg
+Uu/SE3F5QHvDt8zJcA6TIWGRkdQTWSTaSpnwVSvAr7CUl66hP9PO7NvD7ZT/4V1o
+ggN7dw0i1AS7GhGqpRkEYW7/l1OBsvrmA7CZo0LNAoGBAMeOaIc/F+dVwXYpLfUZ
+1ILANiTL9qSBJi3UWaTyFReXLU5TJ38q63z+RCzi73le6Odd7C4YXe8W/+qgAViM
+XOnL6DS8gZqQu9bHDWU8PQksmmwV1WWB6H7z5oKCwBxlGxNUSJPwsumry535vBQy
+qIoi2mRSBEtQLeh4aEYGyJEp
+-----END PRIVATE KEY-----
diff --git a/lib/nodejs/test/testAll.sh b/lib/nodejs/test/testAll.sh
index 3e64393..cdd0c79 100755
--- a/lib/nodejs/test/testAll.sh
+++ b/lib/nodejs/test/testAll.sh
@@ -25,24 +25,24 @@
testClientServer()
{
- echo " Testing Client/Server with protocol $1 and transport $2";
+ echo " Testing Client/Server with protocol $1 and transport $2 $3";
RET=0
- node ${DIR}/server.js -p $1 -t $2 &
+ node ${DIR}/server.js -p $1 -t $2 $3 &
SERVERPID=$!
sleep 1
- node ${DIR}/client.js -p $1 -t $2 || RET=1
+ node ${DIR}/client.js -p $1 -t $2 $3 || RET=1
kill -9 $SERVERPID || RET=1
return $RET
}
testMultiplexedClientServer()
{
- echo " Testing Multiplexed Client/Server with protocol $1 and transport $2";
+ echo " Testing Multiplexed Client/Server with protocol $1 and transport $2 $3";
RET=0
- node ${DIR}/multiplex_server.js -p $1 -t $2 &
+ node ${DIR}/multiplex_server.js -p $1 -t $2 $3 &
SERVERPID=$!
sleep 1
- node ${DIR}/multiplex_client.js -p $1 -t $2 || RET=1
+ node ${DIR}/multiplex_client.js -p $1 -t $2 $3 || RET=1
kill -9 $SERVERPID || RET=1 #f
return $RET
}
@@ -65,9 +65,15 @@
testClientServer binary framed || TESTOK=1
testClientServer json framed || TESTOK=1
+#tests for multiplexed services
testMultiplexedClientServer binary buffered || TESTOK=1
testMultiplexedClientServer json buffered || TESTOK=1
testMultiplexedClientServer binary framed || TESTOK=1
testMultiplexedClientServer json framed || TESTOK=1
+#test ssl connection
+testClientServer binary framed --ssl || TESTOK=1
+testMultiplexedClientServer binary framed --ssl || TESTOK=1
+
+
exit $TESTOK