anycable-core 1.4.0 → 1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d56f39fa97e55307e2895bcbdff87e8d9a0b6229ca7baab78ba09e6a384114d
-  data.tar.gz: 5134a604805b575f1d5e17e4152ca4aae5d4a5ed83ce96687ca02f4cf8b91c63
+  metadata.gz: 391832d2af2280297419d7f62853313d8ac005e7ca826654d6669135748cb8e8
+  data.tar.gz: 229e4b51b7eaed689f0394445e86ba96cb08889391ae343b810439a727e30c0f
 SHA512:
-  metadata.gz: d3c57283d963f8228bad73ba1c5f77d3f58915ad38e8b4e28678e94503794eac162b418f7fb1b31d0b4a30f7557b10cfda95a2af5a3be5ebb7785ff96aa7e5dc
-  data.tar.gz: 5ec1eee3fc7c16f546c4a8d6d315dd4b04efa4da3633dce5c7467189b126b80ccde5c8fa1c6aa1f40fb96434ee28cf67a7b857a63ab12b8360f1e3498b60d5d3
+  metadata.gz: c951c3a248b67b9d481865d4a7c1e3d75f76ca963a8f314c8a4889fe9ab1e28eb889ecd48094c96802a20c9196f0932051167c1bd32b54ebf7d7d95dce71620b
+  data.tar.gz: 630c505792b0f374dc6acf7ffa861fcde660687ed7ac8894a0275e9f8d707133dbb9c29c24ed7b0e1dd8650b428a421243d5d1179361421996c850bdc50d0128

data/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 ## master
 
+## 1.4.2 (2023-09-05)
+
+- Fix parsing sentinel configuration from YAML in Rails. ([@palkan][])
+
+## 1.4.1 (2023-07-24)
+
+- Add TLS support for gRPC server. ([@Envek][])
+
 ## 1.4.0 (2023-07-07)
 
 - Add HTTP RPC support. ([@palkan][])

data/lib/anycable/config.rb

@@ -98,7 +98,7 @@ module AnyCable
           --http-health-path=path           Endpoint to serve health checks, default: "/health"
 
       REDIS PUB/SUB
-          --redis-url=url                   Redis URL for pub/sub, default: REDIS_URL or "redis://localhost:6379/5"
+          --redis-url=url                   Redis URL for pub/sub, default: REDIS_URL or "redis://localhost:6379"
           --redis-channel=name              Redis channel for broadcasting, default: "__anycable__"
           --redis-sentinels=<...hosts>      Redis Sentinel followers addresses (as a comma-separated list), default: nil
           --redis-tls-verify=yes|no         Whether to perform server certificate check in case of rediss:// protocol. Default: yes
@@ -171,7 +171,7 @@ module AnyCable
     private
 
     def parse_sentinel(sentinel)
-      return sentinel.transform_keys!(&:to_sym) if sentinel.is_a?(Hash)
+      return sentinel.to_hash.transform_keys(&:to_sym) if sentinel.respond_to?(:to_hash)
 
       uri = URI.parse("redis://#{sentinel}")
 

data/lib/anycable/grpc/config.rb

@@ -3,6 +3,8 @@
 AnyCable::Config.attr_config(
   ### gRPC options
   rpc_host: "127.0.0.1:50051",
+  rpc_tls_cert: nil,
+  rpc_tls_key: nil,
   rpc_pool_size: 30,
   rpc_max_waiting_requests: 20,
   rpc_poll_period: 1,
@@ -32,6 +34,7 @@ module AnyCable
           max_waiting_requests: rpc_max_waiting_requests,
           poll_period: rpc_poll_period,
           pool_keep_alive: rpc_pool_keep_alive,
+          tls_credentials: tls_credentials,
           server_args: enhance_grpc_server_args(normalized_grpc_server_args)
         }
       end
@@ -53,6 +56,17 @@ module AnyCable
         opts["grpc.max_connection_age_ms"] = rpc_max_connection_age.to_i * 1000
         opts
       end
+
+      def tls_credentials
+        cert_path_or_content = rpc_tls_cert # Assign to local variable to make steep happy
+        key_path_or_content = rpc_tls_key # Assign to local variable to make steep happy
+        return {} if cert_path_or_content.nil? || key_path_or_content.nil?
+
+        cert = File.exist?(cert_path_or_content) ? File.read(cert_path_or_content) : cert_path_or_content
+        pkey = File.exist?(key_path_or_content) ? File.read(key_path_or_content) : key_path_or_content
+
+        {cert: cert, pkey: pkey}
+      end
     end
   end
 end
@@ -62,6 +76,8 @@ AnyCable::Config.prepend AnyCable::GRPC::Config
 AnyCable::Config.usage <<~TXT
   GRPC OPTIONS
       --rpc-host=host                   Local address to run gRPC server on, default: "127.0.0.1:50051"
+      --rpc-tls-cert=path               TLS certificate file path or contents in PEM format, default: <none> (TLS disabled)
+      --rpc-tls-key=path                TLS private key file path or contents in PEM format, default: <none> (TLS disabled)
       --rpc-pool-size=size              gRPC workers pool size, default: 30
       --rpc-max-waiting-requests=num    Max waiting requests queue size, default: 20
       --rpc-poll-period=seconds         Poll period (sec), default: 1

data/lib/anycable/grpc/server.rb

@@ -83,8 +83,9 @@ module AnyCable
       end
 
       def build_server(**options)
+        tls_credentials = options.delete(:tls_credentials)
         ::GRPC::RpcServer.new(**options).tap do |server|
-          server.add_http2_port(host, :this_port_is_insecure)
+          server.add_http2_port(host, server_credentials(**tls_credentials))
           server.handle(AnyCable::GRPC::Handler)
           server.handle(build_health_checker)
         end
@@ -102,6 +103,12 @@ module AnyCable
         )
         health_checker
       end
+
+      def server_credentials(cert: nil, pkey: nil)
+        return :this_port_is_insecure if cert.nil? || pkey.nil?
+
+        ::GRPC::Core::ServerCredentials.new(nil, [{private_key: pkey, cert_chain: cert}], false)
+      end
     end
   end
 end

data/lib/anycable/grpc_kit/server.rb

@@ -2,9 +2,9 @@
 
 require "anycable/grpc/handler"
 
-require_relative "./health_pb"
-require_relative "./health_services_pb"
-require_relative "./health_checker"
+require_relative "health_pb"
+require_relative "health_services_pb"
+require_relative "health_checker"
 
 module AnyCable
   module GRPC
@@ -44,6 +44,7 @@ module AnyCable
         @hostname = host_parts[:hostname]
         @port = host_parts[:port].to_i
 
+        @tls_credentials = options.delete(:tls_credentials)
         @grpc_server = build_server(**options)
       end
 
@@ -56,7 +57,7 @@ module AnyCable
 
         logger.info "RPC server (grpc_kit) is starting..."
 
-        @sock = TCPServer.new(hostname, port)
+        @sock = build_server_socket
 
         server = grpc_server
 
@@ -66,6 +67,12 @@ module AnyCable
             server.run(conn)
           rescue IOError
             # ignore broken connections
+          rescue OpenSSL::SSL::SSLError => ssl_error
+            if ssl_error.message.match?(/SSL_read: unexpected eof while reading/i)
+              # ignore broken connections
+            else
+              raise
+            end
           end
         end
 
@@ -81,13 +88,18 @@ module AnyCable
 
         loop do
           sock = TCPSocket.new(hostname, port, connect_timeout: 1)
+          if @tls_credentials&.any?
+            sock = OpenSSL::SSL::SSLSocket.new(sock, tls_context)
+            sock.sync_close = true
+            sock.connect
+          end
           stub = ::Grpc::Health::V1::Health::Stub.new(sock)
           stub.check(::Grpc::Health::V1::HealthCheckRequest.new)
           sock.close
           break
-        rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError
+        rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError, OpenSSL::SSL::SSLError => e
           timeout -= 1
-          raise "Server is not responding" if timeout.zero?
+          raise "Server is not responding: #{e}" if timeout.zero?
         end
       end
 
@@ -125,6 +137,20 @@ module AnyCable
         @logger ||= AnyCable.logger
       end
 
+      def build_server_socket
+        tcp_server = TCPServer.new(hostname, port)
+        return tcp_server unless @tls_credentials&.any?
+
+        OpenSSL::SSL::SSLServer.new(tcp_server, tls_context)
+      end
+
+      def tls_context
+        OpenSSL::SSL::SSLContext.new.tap do |tls_context|
+          tls_context.cert = OpenSSL::X509::Certificate.new(@tls_credentials.fetch(:cert))
+          tls_context.key = OpenSSL::PKey.read(@tls_credentials.fetch(:pkey))
+        end
+      end
+
       def build_server(**options)
         pool_size = options[:pool_size]
 

data/lib/anycable/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AnyCable
-  VERSION = "1.4.0"
+  VERSION = "1.4.2"
 end

data/sig/anycable/config.rbs

@@ -68,7 +68,7 @@ module AnyCable
 
     private
 
-    def parse_sentinel: ((String | Hash[untyped, untyped]) sentinel) -> Hash[Symbol, untyped]
+    def parse_sentinel: (untyped sentinel) -> Hash[Symbol, untyped]
     def load_presets: () -> void
     def detect_presets: () -> Array[String]
     def write_preset: (Symbol, untyped, preset: String) -> void

data/sig/anycable/grpc/config.rbs

@@ -3,6 +3,10 @@ module AnyCable
     interface _Config
       def rpc_host: () -> String
       def rpc_host=: (String) -> void
+      def rpc_tls_cert: () -> String?
+      def rpc_tls_cert=: (String?) -> void
+      def rpc_tls_key: () -> String?
+      def rpc_tls_key=: (String?) -> void
       def rpc_pool_size: () -> Integer
       def rpc_pool_size=: (Integer) -> void
       def rpc_max_waiting_requests: () -> Integer
@@ -28,11 +32,13 @@ module AnyCable
         max_waiting_requests: Integer,
         poll_period: Numeric,
         pool_keep_alive: Numeric,
+        tls_credentials: Hash[Symbol, String],
         server_args: Hash[String, untyped]
       }
 
       def normalized_grpc_server_args: () -> Hash[String, untyped]
       def enhance_grpc_server_args: (Hash[String, untyped]) -> Hash[String, untyped]
+      def tls_credentials: () -> Hash[Symbol, String]
     end
   end
 end

data/sig/anycable/grpc/server.rbs

@@ -15,6 +15,7 @@ module AnyCable
       def logger: () -> Logger
       def build_server: (**untyped options) -> untyped
       def build_health_checker: () -> untyped
+      def server_credentials: (?cert: String?, ?pkey: String?) -> (::GRPC::Core::ServerCredentials | :this_port_is_insecure)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anycable-core
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.4.2
 platform: ruby
 authors:
 - palkan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-07-08 00:00:00.000000000 Z
+date: 2023-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: anyway_config