[FEAT] [CORE] connect to handshake_first configured NATS servers - specify {tls: {handshakeFirst: true}} connection option. Note that the server must match the configuration option, and will only accept with a matching option.

aricart · aricart · commit bb703fa37e33 · 2024-04-08T12:00:11.000-05:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -52,7 +52,9 @@ jobs:
           TMPDIR: ${{ runner.temp }}
           CI: true
           NGS_CI_USER: ${{ secrets.NGS_CI_USER }}
-        run: deno test --allow-all --unstable --parallel --fail-fast --coverage=./cov
+        run: |
+          deno test --allow-all --unstable --parallel --fail-fast --coverage=./cov tests/ jetstream/tests 
+          deno test --allow-all --unstable --parallel --fail-fast --unsafely-ignore-certificate-errors --coverage=./cov unsafe_tests/ 
 
       - name: Build nats.js
         run: deno bundle --unstable src/connect.ts nats.js
diff --git a/Makefile b/Makefile
@@ -8,7 +8,8 @@ lint:
 	deno lint --ignore=docs/
 
 test: clean
-	deno test --allow-all --unstable --parallel --reload --quiet --coverage=coverage tests/ jetstream/tests
+	deno test --allow-all --parallel --reload --quiet --coverage=coverage tests/ jetstream/tests
+	deno test --allow-all --parallel --reload --quiet --unsafely-ignore-certificate-errors --coverage=coverage unsafe_tests/
 
 
 testw: clean
diff --git a/nats-base-client/core.ts b/nats-base-client/core.ts
@@ -1397,6 +1397,10 @@ export interface ConnectionOptions {
  * the client is requesting to only use connections that are secured by TLS.
  */
 export interface TlsOptions {
+  /**
+   * handshakeFirst option requires the server to be configured with `handshakeFirst: true`.
+   */
+  handshakeFirst?: boolean;
   certFile?: string;
   cert?: string;
   caFile?: string;
diff --git a/src/deno_transport.ts b/src/deno_transport.ts
@@ -33,6 +33,7 @@ import {
   ServerInfo,
   Transport,
 } from "../nats-base-client/internal_mod.ts";
+import StartTlsOptions = Deno.StartTlsOptions;
 
 const VERSION = "1.21.0";
 const LANG = "nats.deno";
@@ -63,13 +64,29 @@ export class DenoTransport implements Transport {
     options: ConnectionOptions,
   ) {
     this.options = options;
+
+    const { tls } = this.options;
+    const { handshakeFirst } = tls || {};
+
     try {
-      this.conn = await Deno.connect(hp);
+      if (handshakeFirst === true) {
+        const opts = await this.loadTlsOptions(hp.hostname);
+        const ctls = {
+          caCerts: opts.caCerts,
+          hostname: hp.hostname,
+          port: hp.port,
+        };
+        this.conn = await Deno.connectTls(ctls);
+        this.encrypted = true;
+        // do nothing yet.
+      } else {
+        this.conn = await Deno.connect(hp);
+      }
       const info = await this.peekInfo();
       checkOptions(info, this.options);
       const { tls_required: tlsRequired, tls_available: tlsAvailable } = info;
       const desired = tlsAvailable === true && options.tls !== null;
-      if (tlsRequired || desired) {
+      if (!handshakeFirst && (tlsRequired || desired)) {
         const tlsn = hp.tlsName ? hp.tlsName : hp.hostname;
         await this.startTLS(tlsn);
       }
@@ -117,7 +134,7 @@ export class DenoTransport implements Transport {
     return JSON.parse(m[1]) as ServerInfo;
   }
 
-  async startTLS(hostname: string): Promise<void> {
+  async loadTlsOptions(hostname: string): Promise<StartTlsOptions> {
     const tls = this.options && this.options.tls
       ? this.options.tls
       : {} as TlsOptions;
@@ -134,7 +151,11 @@ export class DenoTransport implements Transport {
       const ca = await Deno.readTextFile(tls.caFile);
       sto.caCerts = [ca];
     }
+    return sto;
+  }
 
+  async startTLS(hostname: string): Promise<void> {
+    const sto = await (this.loadTlsOptions(hostname));
     this.conn = await Deno.startTls(
       this.conn,
       sto,
diff --git a/unsafe_tests/tlsunsafe_test.ts b/unsafe_tests/tlsunsafe_test.ts
@@ -0,0 +1,36 @@
+import {resolve} from "https://deno.land/std@0.221.0/path/resolve.ts";
+import {join} from "https://deno.land/std@0.221.0/path/join.ts";
+import {NatsServer} from "../tests/helpers/launcher.ts";
+import {connect} from "../src/connect.ts";
+
+Deno.test("tls-unsafe - handshake first", async () => {
+    const cwd = Deno.cwd();
+    const config = {
+        host: "localhost",
+        tls: {
+            handshake_first: true,
+            cert_file: resolve(join(cwd, "./tests/certs/localhost.crt")),
+            key_file: resolve(join(cwd, "./tests/certs/localhost.key")),
+            ca_file: resolve(join(cwd, "./tests/certs/RootCA.crt")),
+        },
+    };
+
+    const ns = await NatsServer.start(config);
+    const nc = await connect({
+        debug: true,
+        servers: `localhost:${ns.port}`,
+        tls: {
+            handshakeFirst: true,
+            caFile: config.tls.ca_file,
+        },
+    });
+    nc.subscribe("foo", {
+        callback(_err, msg) {
+            msg.respond(msg.data);
+        },
+    });
+
+    await nc.request("foo", "hello");
+    await nc.close();
+    await ns.stop();
+});
