antietcd 1.2.3 → 1.2.4

package/README.md

@@ -105,17 +105,19 @@ Options:
 <dd>Use TLS with this key file (PEM format)</dd>
 
 <dt>--ca &lt;ca&gt;</dt>
-<dd>Use trusted root certificates from this file.
-Specify &lt;ca&gt; = &lt;cert&gt; if your certificate is self-signed.</dd>
+<dd>Use trusted root certificates from this file</dd>
+
+<dt>--peer_ca &lt;cert&gt;</dt>
+<dd>Use this CA to verify peer antietcd certificates (defaults to the same --cert)</dd>
 
 <dt>--client_cert_auth 1</dt>
-<dd>Require TLS client certificates signed by <ca> or by default CA to connect.</dd>
+<dd>Require TLS client certificates signed by <ca> or by default CA to connect</dd>
 
 <dt>--ws_keepalive_interval 30000</dt>
 <dd>Client websocket ping (keepalive) interval in milliseconds</dd>
 
 <dt>--use_base64 1</dt>
-<dd>Use base64 encoding of keys and values, like in etcd (enabled by default).</dd>
+<dd>Use base64 encoding of keys and values, like in etcd (enabled by default)</dd>
 
 </dl>
 

package/anticluster.js

@@ -29,6 +29,16 @@ class AntiCluster
             this.cfg.cluster = (''+this.cfg.cluster).trim().split(/[\s,]*,[\s,]*/)
                 .reduce((a, c) => { c = c.split(/\s*=\s*/); a[c[0]] = c[1]; return a; }, {});
         }
+        this.tls = {};
+        if (antietcd.tls)
+        {
+            this.tls = {
+                cert: antietcd.tls.cert,
+                key: antietcd.tls.key,
+                ca: antietcd.peer_ca || antietcd.tls.cert,
+                requestCert: true,
+            };
+        }
         this.raft = new TinyRaft({
             nodes: Object.keys(this.cfg.cluster),
             nodeId: this.cfg.node_id,
@@ -53,7 +63,7 @@ class AntiCluster
         if (node_id != this.cfg.node_id && this.cfg.cluster[node_id] &&
             (!this.cluster_connections[node_id] || !this.antietcd.clients[this.cluster_connections[node_id]]))
         {
-            const socket = new ws.WebSocket(this.cfg.cluster[node_id].replace(/^http/, 'ws'), this.antietcd.tls);
+            const socket = new ws.WebSocket(this.cfg.cluster[node_id].replace(/^http/, 'ws'), this.tls);
             const client_id = this.antietcd._startWebsocket(socket, () => setTimeout(() => this.connectToNode(node_id), this.cfg.reconnect_interval||1000));
             this.cluster_connections[node_id] = client_id;
             socket.on('open', () =>

package/antietcd-app.js

@@ -13,7 +13,7 @@ License: Mozilla Public License 2.0 or Vitastor Network Public License 1.1
 Usage:
 
 ${process.argv[0]} ${process.argv[1]} \n\
-    [--cert ssl.crt] [--key ssl.key] [--port 12379] \n\
+    [--cert ssl.crt] [--key ssl.key] [--ca ca.crt] [--peer_ca ssl.crt] [--port 12379] \n\
     [--data data.gz] [--persist-filter ./filter.js] [--persist_interval 500] \n\
     [--node_id node1 --cluster_key abcdef --cluster node1=http://localhost:12379,node2=http://localhost:12380,node3=http://localhost:12381] \n\
     [other options]
@@ -38,7 +38,8 @@ HTTP:
     Use TLS with this key file (PEM format)
 --ca <ca>
     Use trusted root certificates from this file.
-    Specify <ca> = <cert> if your certificate is self-signed.
+--peer_ca <cert>
+    Use this CA to verify peer antietcd certificates (defaults to the same --cert).
 --client_cert_auth 1
     Require TLS client certificates signed by <ca> or by default CA to connect.
 --ws_keepalive_interval 30000

package/antietcd.js

@@ -20,7 +20,7 @@ const AntiCluster = require('./anticluster.js');
 const AntiLocker = require('./antilocker.js');
 const { runCallbacks, de64, b64, RequestError } = require('./common.js');
 
-const VERSION = '1.2.3';
+const VERSION = '1.2.4';
 
 class AntiEtcd extends EventEmitter
 {
@@ -53,6 +53,7 @@ class AntiEtcd extends EventEmitter
         this.locker = null;
         this.stored_term = 0;
         this.cfg = cfg;
+        this.peer_ca = null;
         this.loading = false;
         this.stopped = false;
         this.inflight = 0;
@@ -62,6 +63,25 @@ class AntiEtcd extends EventEmitter
 
     async start()
     {
+        if (this.cfg.cert)
+        {
+            this.tls = {
+                key: await fsp.readFile(this.cfg.key),
+                cert: await fsp.readFile(this.cfg.cert),
+            };
+            if (this.cfg.ca)
+            {
+                this.tls.ca = await fsp.readFile(this.cfg.ca);
+            }
+            if (this.cfg.client_cert_auth)
+            {
+                this.tls.requestCert = true;
+            }
+            if (this.cfg.peer_ca)
+            {
+                this.peer_ca = await fsp.readFile(this.cfg.peer_ca);
+            }
+        }
         if (this.cfg.data || this.cfg.cluster)
         {
             this.etctree.set_replicate_watcher(msg => this._persistAndReplicate(msg));
@@ -83,18 +103,6 @@ class AntiEtcd extends EventEmitter
         }
         if (this.cfg.cert)
         {
-            this.tls = {
-                key: await fsp.readFile(this.cfg.key),
-                cert: await fsp.readFile(this.cfg.cert),
-            };
-            if (this.cfg.ca)
-            {
-                this.tls.ca = await fsp.readFile(this.cfg.ca);
-            }
-            if (this.cfg.client_cert_auth)
-            {
-                this.tls.requestCert = true;
-            }
             this.server = https.createServer(this.tls, (req, res) => this._handleRequest(req, res));
         }
         else

package/antilocker.js

@@ -2,8 +2,6 @@
 // (c) Vitaliy Filippov, 2024+
 // License: Mozilla Public License 2.0 or Vitastor Network Public License 1.1
 
-const { RequestError } = require('./common.js');
-
 // How does it work:
 // - Leader sets key-level locks, persists and replicates the change, then removes locks
 // - Followers set locks, persist and reply to the leader, wait for the feedback, then remove locks

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "antietcd",
-  "version": "1.2.3",
+  "version": "1.2.4",
   "description": "Simplistic etcd replacement based on TinyRaft",
   "main": "antietcd.js",
   "scripts": {