Support specifying TLS settings in resque.yml

Changelog: added
Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>

config/resque.yml.example

@@ -3,6 +3,11 @@
 #
 development:
   url: redis://localhost:6379
+  # ssl_params:
+  #   ca_path: "/path/to/dir/with/certs"
+  #   ca_file: "/path/to/ca.crt"
+  #   cert_file: "/path/to/client.crt"
+  #   key_file: "/path/to/client.key"
   # sentinels:
   #   -
   #     host: localhost

lib/gitlab/redis/wrapper.rb

@@ -16,6 +16,8 @@
 module Gitlab
   module Redis
     class Wrapper
+      InvalidPathError = Class.new(StandardError)
+
       class << self
         delegate :params, :url, :store, to: :new
 
@@ -122,12 +124,14 @@ def redis_store_options
         config = raw_config_hash
         config[:instrumentation_class] ||= self.class.instrumentation_class
 
-        if config[:cluster].present?
-          config[:db] = 0 # Redis Cluster only supports db 0
-          config
-        else
-          parse_redis_url(config)
-        end
+        result = if config[:cluster].present?
+                   config[:db] = 0 # Redis Cluster only supports db 0
+                   config
+                 else
+                   parse_redis_url(config)
+                 end
+
+        parse_client_tls_options(result)
       end
 
       def parse_redis_url(config)
@@ -153,6 +157,33 @@ def parse_redis_url(config)
         end
       end
 
+      def parse_client_tls_options(config)
+        return config unless config&.key?(:ssl_params)
+
+        # Only cert_file and key_file are handled in this method. ca_file and
+        # ca_path are Strings, so they can be passed as-is. cert_store is not
+        # currently supported.
+
+        cert_file = config[:ssl_params].delete(:cert_file)
+        key_file = config[:ssl_params].delete(:key_file)
+
+        unless ::File.exist?(cert_file)
+          raise InvalidPathError,
+            "Certificate file #{cert_file} specified in in `resque.yml` does not exist."
+        end
+
+        config[:ssl_params][:cert] = OpenSSL::X509::Certificate.new(File.read(cert_file))
+
+        unless ::File.exist?(key_file)
+          raise InvalidPathError,
+            "Key file #{key_file} specified in in `resque.yml` does not exist."
+        end
+
+        config[:ssl_params][:key] = OpenSSL::PKey.read(File.read(key_file))
+
+        config
+      end
+
       def raw_config_hash
         config_data = fetch_config
 

spec/support/shared_examples/redis/redis_shared_examples.rb

@@ -365,6 +365,90 @@
     end
   end
 
+  describe "#parse_client_tls_options" do
+    let(:dummy_certificate) { OpenSSL::X509::Certificate.new }
+    let(:dummy_key) { OpenSSL::PKey::RSA.new }
+    let(:resque_yaml_config_without_tls) { { url: 'redis://localhost:6379' } }
+    let(:resque_yaml_config_with_tls) do
+      {
+        url: 'rediss://localhost:6380',
+        ssl_params: {
+          cert_file: '/tmp/client.crt',
+          key_file: '/tmp/client.key'
+        }
+      }
+    end
+
+    let(:parsed_config_with_tls) do
+      {
+        url: 'rediss://localhost:6380',
+        ssl_params: {
+          cert: dummy_certificate,
+          key: dummy_key
+        }
+      }
+    end
+
+    before do
+      allow(::File).to receive(:exist?).and_call_original
+      allow(::File).to receive(:read).and_call_original
+    end
+
+    context 'when configuration does not have TLS related options' do
+      it 'returns the coniguration as-is' do
+        expect(subject.send(:parse_client_tls_options,
+          resque_yaml_config_without_tls)).to eq(resque_yaml_config_without_tls)
+      end
+    end
+
+    context 'when specified certificate file does not exist' do
+      before do
+        allow(::File).to receive(:exist?).with("/tmp/client.crt").and_return(false)
+        allow(::File).to receive(:exist?).with("/tmp/client.key").and_return(true)
+      end
+
+      it 'raises error about missing certificate file' do
+        expect do
+          subject.send(:parse_client_tls_options,
+            resque_yaml_config_with_tls)
+        end.to raise_error(Gitlab::Redis::Wrapper::InvalidPathError,
+          "Certificate file /tmp/client.crt specified in in `resque.yml` does not exist.")
+      end
+    end
+
+    context 'when specified key file does not exist' do
+      before do
+        allow(::File).to receive(:exist?).with("/tmp/client.crt").and_return(true)
+        allow(::File).to receive(:read).with("/tmp/client.crt").and_return("DUMMY_CERTIFICATE")
+        allow(OpenSSL::X509::Certificate).to receive(:new).with("DUMMY_CERTIFICATE").and_return(dummy_certificate)
+        allow(::File).to receive(:exist?).with("/tmp/client.key").and_return(false)
+      end
+
+      it 'raises error about missing key file' do
+        expect do
+          subject.send(:parse_client_tls_options,
+            resque_yaml_config_with_tls)
+        end.to raise_error(Gitlab::Redis::Wrapper::InvalidPathError,
+          "Key file /tmp/client.key specified in in `resque.yml` does not exist.")
+      end
+    end
+
+    context 'when configuration valid TLS related options' do
+      before do
+        allow(::File).to receive(:exist?).with("/tmp/client.crt").and_return(true)
+        allow(::File).to receive(:exist?).with("/tmp/client.key").and_return(true)
+        allow(::File).to receive(:read).with("/tmp/client.crt").and_return("DUMMY_CERTIFICATE")
+        allow(::File).to receive(:read).with("/tmp/client.key").and_return("DUMMY_KEY")
+        allow(OpenSSL::X509::Certificate).to receive(:new).with("DUMMY_CERTIFICATE").and_return(dummy_certificate)
+        allow(OpenSSL::PKey).to receive(:read).with("DUMMY_KEY").and_return(dummy_key)
+      end
+
+      it "converts cert_file and key_file appropriately" do
+        expect(subject.send(:parse_client_tls_options, resque_yaml_config_with_tls)).to eq(parsed_config_with_tls)
+      end
+    end
+  end
+
   describe '#fetch_config' do
     before do
       FileUtils.mkdir_p(File.join(rails_root, 'config'))