#236 Support server-side TLS (#239)

* #236 Initial refactor

* #236 Work in progress

* #236 Move from localhost to 0.0.0.0

* #236 Working server-side TLS

* #236 Update dependencies

* #236 Savepoint

* #236 Fix expected output

* #236 Savepoint

* #236 Savepoint

* #236 Savepoint

* #236 Add TLS testing

* #236 Add os env vars

* #236 Add os env vars

* #236 Add os env vars - 3

* #236 Add os env vars - 4

* #236 Add os env vars - 5

* #236 Add os env vars - 6

* #236 Savepoint

* #236 mount /testdata

* #236 use github.workspace

* #236 Fix lint issue

* #236 docker restart

* #236 Use ./testdata

* #236 Debug docker container - 1

* #236 Debug docker container - 2

* #236 Debug docker container - 3

* #236 Debug docker container - 4

* #236 Debug docker container - 5

* #236 Debug docker container - 6

* #236 Debug docker container - 7

* #236 Debug docker container - 8

* #236 Debug docker container - 9

* #236 Debug docker container - 10

* #236 Debug docker container - 12

* #236 Debug docker container - 13

* #236 Debug docker container - 14

* #236 Debug docker container - 15

* #236 Debug docker container - 16

* #236 Working TLS testing - 17

* #236 docker login via step

* #236 Update dependencies

.github/workflows/go-test-linux-tls-server-side.yaml

@@ -0,0 +1,80 @@
+name: Go test linux - server-side TLS
+
+on: [push, workflow_dispatch]
+
+env:
+  SENZING_LOG_LEVEL: TRACE
+
+permissions:
+  contents: read
+
+jobs:
+  go-test-linux:
+    name: "Go test with OS: ${{ matrix.os }}; Go: ${{ matrix.go }}"
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go: ["1.21"]
+        os: [ubuntu-latest]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+
+      - name: Docker run
+        run: |
+          docker run \
+            --detach \
+            --env SENZING_TOOLS_ENABLE_ALL=true \
+            --env SENZING_TOOLS_SERVER_CERTIFICATE_PATH=/testdata/certificates/server/certificate.pem \
+            --env SENZING_TOOLS_SERVER_KEY_PATH=/testdata/certificates/server/private_key.pem \
+            --name servegrpc \
+            --publish 8261:8261 \
+            --rm \
+            --user 0 \
+            --volume ${{ github.workspace }}/testdata:/testdata \
+            senzing/serve-grpc
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+
+      - name: Set up gotestfmt
+        uses: gotesttools/gotestfmt-action@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run go test
+        env:
+          SENZING_TOOLS_CA_CERTIFICATE_PATH: ${{ github.workspace }}/testdata/certificates/certificate-authority/certificate.pem
+        run: go test -json -v -p 1 -coverprofile=./cover.out -covermode=atomic -coverpkg=./... ./...  2>&1 | tee /tmp/gotest.log | gotestfmt
+
+      - name: Store coverage file
+        uses: actions/upload-artifact@v4
+        with:
+          name: cover.out
+          path: ./cover.out
+
+      - name: Upload test log
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-log
+          path: /tmp/gotest.log
+          if-no-files-found: error
+
+  coverage:
+    name: Coverage
+    needs: go-test-linux
+    uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2
+    with:
+      coverage-config: ./.github/coverage/testcoverage.yaml

CHANGELOG.md

@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning].
 
 -
 
+## [0.9.0] - 2025-02-24
+
+### Added in 0.9.0
+
+- Server-side TLS support
+
 ## [0.8.9] - 2025-02-12
 
 ### Changed in 0.8.9

Makefile

@@ -117,6 +117,10 @@ run: run-osarch-specific
 .PHONY: test
 test: test-osarch-specific
 
+
+.PHONY: test-server-side-tls
+test-server-side-tls: test-server-side-tls-osarch-specific
+
 # -----------------------------------------------------------------------------
 # Coverage
 # -----------------------------------------------------------------------------

go.mod

@@ -1,6 +1,6 @@
 module github.com/senzing-garage/sz-sdk-go-grpc
 
-go 1.22.7
+go 1.23.0
 
 toolchain go1.23.2
 
@@ -20,11 +20,11 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
+	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250224174004-546df14abb99 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -45,16 +45,16 @@ go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiy
 go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
 go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
 go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
-golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo7yrN4mVcnkHDYz5vvs=
-golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
+golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa h1:t2QcU6V556bFjYgu4L6C+6VrCPyJZ+eyRsABUPs1mz4=
+golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
 golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
 golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 h1:2duwAxN2+k0xLNpjnHTXoMUgnv6VPSp5fiqTuwSxjmI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250224174004-546df14abb99 h1:ZSlhAUqC4r8TPzqLXQ0m3upBNZeF+Y8jQ3c4CR3Ujms=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250224174004-546df14abb99/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
 google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
 google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=

helper/transportcredentials.go

@@ -0,0 +1,43 @@
+package helper
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+/*
+The GetGrpcTransportCredentials function returns a gRPC credentials.TransportCredentials
+based on the value of the value of the SENZING_TOOLS_CA_CERTIFICATE_PATH OS environment variable.
+If the environment variable does not exist, an insecure transport credential is returned.
+
+Output
+  - Transport Credential calculated by OS environment variables.
+*/
+func GetGrpcTransportCredentials() (credentials.TransportCredentials, error) {
+	var result credentials.TransportCredentials
+	certFile, isSet := os.LookupEnv("SENZING_TOOLS_CA_CERTIFICATE_PATH")
+	if isSet {
+		pemServerCA, err := os.ReadFile(certFile)
+		if err != nil {
+			return result, err
+		}
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(pemServerCA) {
+			return result, fmt.Errorf("failed to add server CA's certificate")
+		}
+		config := &tls.Config{
+			RootCAs:    certPool,
+			MinVersion: tls.VersionTLS12, // See https://pkg.go.dev/crypto/tls#pkg-constants
+			MaxVersion: tls.VersionTLS13,
+		}
+		result = credentials.NewTLS(config)
+	} else {
+		result = insecure.NewCredentials()
+	}
+	return result, nil
+}

helper/transportcredentials_test.go

@@ -0,0 +1,37 @@
+package helper
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// ----------------------------------------------------------------------------
+// Interface methods - test
+// ----------------------------------------------------------------------------
+
+func TestHelpers_GetGrpcTransportCredentials_ServerSideTLS(test *testing.T) {
+	envVar := "SENZING_TOOLS_CA_CERTIFICATE_PATH"
+	_, isSet := os.LookupEnv(envVar)
+	if !isSet {
+		os.Setenv(envVar, "../testdata/certificates/certificate-authority/certificate.pem")
+		defer os.Unsetenv(envVar)
+	}
+	actual, err := GetGrpcTransportCredentials()
+	require.NoError(test, err)
+	assert.NotEmpty(test, actual)
+}
+
+func TestHelpers_GetGrpcTransportCredentials_Insecure(test *testing.T) {
+	envVar := "SENZING_TOOLS_CA_CERTIFICATE_PATH"
+	value, isSet := os.LookupEnv(envVar)
+	if isSet {
+		os.Unsetenv(envVar)
+		defer os.Setenv(envVar, value)
+	}
+	actual, err := GetGrpcTransportCredentials()
+	require.NoError(test, err)
+	assert.Empty(test, actual)
+}

main.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/senzing-garage/go-helpers/truthset"
 	"github.com/senzing-garage/go-logging/logging"
+	"github.com/senzing-garage/sz-sdk-go-grpc/helper"
 	"github.com/senzing-garage/sz-sdk-go-grpc/szconfig"
 	"github.com/senzing-garage/sz-sdk-go-grpc/szconfigmanager"
 	"github.com/senzing-garage/sz-sdk-go-grpc/szengine"
@@ -20,7 +21,6 @@ import (
 	szenginepb "github.com/senzing-garage/sz-sdk-proto/go/szengine"
 	szproductpb "github.com/senzing-garage/sz-sdk-proto/go/szproduct"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
 )
 
 // ----------------------------------------------------------------------------
@@ -48,7 +48,7 @@ var Messages = map[int]string{
 var (
 	buildIteration = "0"
 	buildVersion   = "0.0.0"
-	grpcAddress    = "localhost:8261"
+	grpcAddress    = "0.0.0.0:8261"
 	grpcConnection *grpc.ClientConn
 	logger         logging.Logging
 	programName    = "unknown"
@@ -88,7 +88,7 @@ func main() {
 	// 	Id: "Observer 2",
 	// }
 
-	// grpcConnection, err := grpc.Dial("localhost:8261", grpc.WithTransportCredentials(insecure.NewCredentials()))
+	// grpcConnection, err := grpc.Dial("0.0.0.0:8261", grpc.WithTransportCredentials(insecure.NewCredentials()))
 	// if err != nil {
 	// 	fmt.Printf("Did not connect: %v\n", err)
 	// }
@@ -246,20 +246,29 @@ func failOnError(msgID int, err error) {
 }
 
 func getGrpcConnection() *grpc.ClientConn {
-	var err error
 	if grpcConnection == nil {
-		grpcConnection, err = grpc.NewClient(grpcAddress, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		transportCredentials, err := helper.GetGrpcTransportCredentials()
+		if err != nil {
+			panic(err)
+		}
+		dialOptions := []grpc.DialOption{
+			grpc.WithTransportCredentials(transportCredentials),
+		}
+		grpcConnection, err = grpc.NewClient(grpcAddress, dialOptions...)
 		if err != nil {
-			fmt.Printf("Did not connect: %v\n", err)
+			panic(err)
 		}
-		//		defer grpcConnection.Close()
 	}
 	return grpcConnection
 }
 
 func getLogger(ctx context.Context) (logging.Logging, error) {
 	_ = ctx
-	logger, err := logging.NewSenzingLogger(9999, Messages)
+	loggerOptions := []interface{}{
+		logging.OptionMessageFields{Value: []string{"id", "text", "reason", "errors", "details"}},
+	}
+
+	logger, err := logging.NewSenzingLogger(9999, Messages, loggerOptions...)
 	if err != nil {
 		fmt.Println(err)
 	}
@@ -270,39 +279,35 @@ func getLogger(ctx context.Context) (logging.Logging, error) {
 func getSzConfig(ctx context.Context) (senzing.SzConfig, error) {
 	_ = ctx
 	var err error
-	grpcConnection := getGrpcConnection()
 	result := &szconfig.Szconfig{
-		GrpcClient: szconfigpb.NewSzConfigClient(grpcConnection),
+		GrpcClient: szconfigpb.NewSzConfigClient(getGrpcConnection()),
 	}
 	return result, err
 }
 
 func getSzConfigManager(ctx context.Context) (senzing.SzConfigManager, error) {
 	_ = ctx
 	var err error
-	grpcConnection := getGrpcConnection()
 	result := &szconfigmanager.Szconfigmanager{
-		GrpcClient: szconfigmanagerpb.NewSzConfigManagerClient(grpcConnection),
+		GrpcClient: szconfigmanagerpb.NewSzConfigManagerClient(getGrpcConnection()),
 	}
 	return result, err
 }
 
 func getSzEngine(ctx context.Context) (senzing.SzEngine, error) {
 	_ = ctx
 	var err error
-	grpcConnection := getGrpcConnection()
 	result := &szengine.Szengine{
-		GrpcClient: szenginepb.NewSzEngineClient(grpcConnection),
+		GrpcClient: szenginepb.NewSzEngineClient(getGrpcConnection()),
 	}
 	return result, err
 }
 
 func getSzProduct(ctx context.Context) (senzing.SzProduct, error) {
 	_ = ctx
 	var err error
-	grpcConnection := getGrpcConnection()
 	result := &szproduct.Szproduct{
-		GrpcClient: szproductpb.NewSzProductClient(grpcConnection),
+		GrpcClient: szproductpb.NewSzProductClient(getGrpcConnection()),
 	}
 	return result, err
 }

makefiles/linux.mk

@@ -69,6 +69,12 @@ setup-osarch-specific:
 test-osarch-specific:
 	@go test -json -v -p 1 ./... 2>&1 | tee /tmp/gotest.log | gotestfmt
 
+
+.PHONY: test-server-side-tls-osarch-specific
+test-server-side-tls-osarch-specific: export SENZING_TOOLS_CA_CERTIFICATE_PATH=$(MAKEFILE_DIRECTORY)/testdata/certificates/certificate-authority/certificate.pem
+test-server-side-tls-osarch-specific:
+	@go test -json -v -p 1 ./... 2>&1 | tee /tmp/gotest.log | gotestfmt
+
 # -----------------------------------------------------------------------------
 # Makefile targets supported only by this platform.
 # -----------------------------------------------------------------------------