Initial HTTPS API support implemented (untested)

api/restapi/restapi.go

@@ -4,6 +4,7 @@ package restapi
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"net"
 	"net/http"
@@ -66,14 +67,39 @@ type peerAddBody struct {
 	PeerMultiaddr string `json:"peer_multiaddress"`
 }
 
+// copied from https://github.com/denji/golang-tls
+var tlsCfg = &tls.Config{
+	MinVersion:               tls.VersionTLS12,
+	CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+	PreferServerCipherSuites: true,
+	CipherSuites: []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	},
+}
+
 // NewRESTAPI creates a new REST API component. It receives
-// the multiaddress on which the API listens.
-func NewRESTAPI(apiMAddr ma.Multiaddr) (*RESTAPI, error) {
+// the multiaddress on which the API listens, as well as (potentially empty)
+// paths to certificate and private key files for TLS usage
+func NewRESTAPI(apiMAddr ma.Multiaddr, certFile, keyFile string) (*RESTAPI, error) {
 	n, addr, err := manet.DialArgs(apiMAddr)
 	if err != nil {
 		return nil, err
 	}
-	l, err := net.Listen(n, addr)
+	var l net.Listener
+	if len(certFile) == 0 || len(keyFile) == 0 {
+		l, err = net.Listen(n, addr)
+	} else {
+		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			return nil, err
+		}
+		tlsCfg.Certificates = []tls.Certificate{cert}
+		l, err = tls.Listen(n, addr, tlsCfg)
+	}
+	// check for error in creating listener
 	if err != nil {
 		return nil, err
 	}

api/restapi/restapi_test.go

@@ -21,7 +21,7 @@ var (
 func testRESTAPI(t *testing.T) *RESTAPI {
 	//logging.SetDebugLogging()
 	apiMAddr, _ := ma.NewMultiaddr("/ip4/127.0.0.1/tcp/10002")
-	rest, err := NewRESTAPI(apiMAddr)
+	rest, err := NewRESTAPI(apiMAddr, "", "")
 	if err != nil {
 		t.Fatal("should be able to create a new Api: ", err)
 	}

config.go

@@ -66,6 +66,18 @@ type Config struct {
 	// Listen parameters for the the Cluster HTTP API component.
 	APIAddr ma.Multiaddr
 
+	// TLSCertFile is a path to a certificate file used for identifying the
+	// Cluster's HTTP(S) API. TLSKeyFile must also be set in order to establish
+	// a TLS server. If both this and TLSKeyFile are empty, then HTTP (without
+	// TLS) will be used
+	TLSCertFile string
+
+	// TLSKeyFile is a path to a private key used for setting up TLS sessions for
+	// the HTTP(S) API. TLSCertFile must also be set in order to establish a TLS
+	// server. If both this and TLSCertFile are empty, then HTTP (without
+	// TLS) will be used
+	TLSKeyFile string
+
 	// Listen parameters for the IPFS Proxy. Used by the IPFS
 	// connector component.
 	IPFSProxyAddr ma.Multiaddr
@@ -137,11 +149,23 @@ type JSONConfig struct {
 	// interal RPC and Consensus communications between cluster peers.
 	ClusterListenMultiaddress string `json:"cluster_multiaddress"`
 
-	// Listen address for the the Cluster HTTP API component.
+	// Listen address for the the Cluster HTTP(S) API component.
 	// Tools like ipfs-cluster-ctl will connect to his endpoint to
 	// manage cluster.
 	APIListenMultiaddress string `json:"api_listen_multiaddress"`
 
+	// TLSCertFile is a path to a certificate file used for identifying the
+	// Cluster's HTTP(S) API. TLSKeyFile must also be set in order to establish
+	// a TLS server. If both this and TLSKeyFile are empty, then HTTP (without
+	// TLS) will be used
+	TLSCertFile string
+
+	// TLSKeyFile is a path to a private key used for setting up TLS sessions for
+	// the HTTP(S) API. TLSCertFile must also be set in order to establish a TLS
+	// server. If both this and TLSCertFile are empty, then HTTP (without
+	// TLS) will be used
+	TLSKeyFile string
+
 	// Listen address for the IPFS Proxy, which forwards requests to
 	// an IPFS daemon.
 	IPFSProxyListenMultiaddress string `json:"ipfs_proxy_listen_multiaddress"`
@@ -216,6 +240,8 @@ func (cfg *Config) ToJSONConfig() (j *JSONConfig, err error) {
 		LeaveOnShutdown:             cfg.LeaveOnShutdown,
 		ClusterListenMultiaddress:   cfg.ClusterAddr.String(),
 		APIListenMultiaddress:       cfg.APIAddr.String(),
+		TLSCertFile:                 cfg.TLSCertFile,
+		TLSKeyFile:                  cfg.TLSKeyFile,
 		IPFSProxyListenMultiaddress: cfg.IPFSProxyAddr.String(),
 		IPFSNodeMultiaddress:        cfg.IPFSNodeAddr.String(),
 		ConsensusDataFolder:         cfg.ConsensusDataFolder,
@@ -327,6 +353,8 @@ func (jcfg *JSONConfig) ToConfig() (c *Config, err error) {
 		LeaveOnShutdown:           jcfg.LeaveOnShutdown,
 		ClusterAddr:               clusterAddr,
 		APIAddr:                   apiAddr,
+		TLSCertFile:               jcfg.TLSCertFile,
+		TLSKeyFile:                jcfg.TLSKeyFile,
 		IPFSProxyAddr:             ipfsProxyAddr,
 		IPFSNodeAddr:              ipfsNodeAddr,
 		ConsensusDataFolder:       jcfg.ConsensusDataFolder,

ipfs-cluster-service/main.go

@@ -263,7 +263,7 @@ func run(c *cli.Context) error {
 		cfg.AllocationStrategy = a
 	}
 
-	api, err := restapi.NewRESTAPI(cfg.APIAddr)
+	api, err := restapi.NewRESTAPI(cfg.APIAddr, cfg.TLSCertFile, cfg.TLSKeyFile)
 	checkErr("creating REST API component", err)
 
 	proxy, err := ipfshttp.NewConnector(

ipfscluster_test.go

@@ -85,7 +85,7 @@ func createComponents(t *testing.T, i int, clusterSecret []byte) (*Config, API,
 	cfg.ReplicationFactor = -1
 	cfg.MonitoringIntervalSeconds = 2
 
-	api, err := restapi.NewRESTAPI(cfg.APIAddr)
+	api, err := restapi.NewRESTAPI(cfg.APIAddr, "", "")
 	checkErr(t, err)
 	ipfs, err := ipfshttp.NewConnector(
 		cfg.IPFSNodeAddr,

pnet_test.go

@@ -3,31 +3,31 @@ package ipfscluster
 import "testing"
 
 func TestClusterSecretFormat(t *testing.T) {
-    goodSecret := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
-    emptySecret := ""
-    tooShort := "0123456789abcdef"
-    tooLong := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
-    unsupportedChars := "0123456789abcdef0123456789!!!!!!0123456789abcdef0123456789abcdef"
+	goodSecret := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	emptySecret := ""
+	tooShort := "0123456789abcdef"
+	tooLong := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
+	unsupportedChars := "0123456789abcdef0123456789!!!!!!0123456789abcdef0123456789abcdef"
 
 	_, err := DecodeClusterSecret(goodSecret)
 	if err != nil {
-        t.Fatal("Failed to decode well-formatted secret.")
+		t.Fatal("Failed to decode well-formatted secret.")
 	}
 	decodedEmptySecret, err := DecodeClusterSecret(emptySecret)
 	if decodedEmptySecret != nil || err != nil {
-        t.Fatal("Unsuspected output of decoding empty secret.")
+		t.Fatal("Unsuspected output of decoding empty secret.")
 	}
 	_, err = DecodeClusterSecret(tooShort)
 	if err == nil {
-        t.Fatal("Successfully decoded secret that should haved failed (too short).")
+		t.Fatal("Successfully decoded secret that should haved failed (too short).")
 	}
 	_, err = DecodeClusterSecret(tooLong)
 	if err == nil {
-        t.Fatal("Successfully decoded secret that should haved failed (too long).")
+		t.Fatal("Successfully decoded secret that should haved failed (too long).")
 	}
 	_, err = DecodeClusterSecret(unsupportedChars)
 	if err == nil {
-        t.Fatal("Successfully decoded secret that should haved failed (unsupported chars).")
+		t.Fatal("Successfully decoded secret that should haved failed (unsupported chars).")
 	}
 }
 
@@ -54,10 +54,10 @@ func TestSimplePNet(t *testing.T) {
 }
 
 func TestClusterSecretRequired(t *testing.T) {
-    cl1Secret, err := generateClusterSecret()
-    if err != nil {
-        t.Fatal("Unable to generate cluster secret.")
-    }
+	cl1Secret, err := generateClusterSecret()
+	if err != nil {
+		t.Fatal("Unable to generate cluster secret.")
+	}
 	cl1, _ := createOnePeerCluster(t, 1, cl1Secret)
 	cl2, _ := createOnePeerCluster(t, 2, testingClusterSecret)
 	defer cleanRaft()