remotecache: support SSL with redis (#18511)

* update go-redis lib from v2 -> v5 * add ssl option to the redis connection string fixes #18498
2025-02-25 18:55:37 -06:00 · 2019-08-13 06:51:13 -04:00
parent 494ac90c69
commit f689b60426
61 changed files with 8202 additions and 4734 deletions
--- a/pkg/infra/remotecache/redis_storage.go
+++ b/pkg/infra/remotecache/redis_storage.go
@@ -1,6 +1,7 @@
 package remotecache

 import (
+	"crypto/tls"
 	"fmt"
 	"strconv"
 	"strings"
@@ -8,7 +9,7 @@ import (

 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util/errutil"
-	redis "gopkg.in/redis.v2"
+	redis "gopkg.in/redis.v5"
 )

 const redisCacheType = "redis"
@@ -21,6 +22,7 @@ type redisStorage struct {
 func parseRedisConnStr(connStr string) (*redis.Options, error) {
 	keyValueCSV := strings.Split(connStr, ",")
 	options := &redis.Options{Network: "tcp"}
+	setTLSIsTrue := false
 	for _, rawKeyValue := range keyValueCSV {
 		keyValueTuple := strings.SplitN(rawKeyValue, "=", 2)
 		if len(keyValueTuple) != 2 {
@@ -38,7 +40,7 @@ func parseRedisConnStr(connStr string) (*redis.Options, error) {
 		case "password":
 			options.Password = connVal
 		case "db":
-			i, err := strconv.ParseInt(connVal, 10, 64)
+			i, err := strconv.Atoi(connVal)
 			if err != nil {
 				return nil, errutil.Wrap("value for db in redis connection string must be a number", err)
 			}
@@ -49,10 +51,28 @@ func parseRedisConnStr(connStr string) (*redis.Options, error) {
 				return nil, errutil.Wrap("value for pool_size in redis connection string must be a number", err)
 			}
 			options.PoolSize = i
+		case "ssl":
+			if connVal != "true" && connVal != "false" && connVal != "insecure" {
+				return nil, fmt.Errorf("ssl must be set to 'true', 'false', or 'insecure' when present")
+			}
+			if connVal == "true" {
+				setTLSIsTrue = true // Needs addr already parsed, so set later
+			}
+			if connVal == "insecure" {
+				options.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+			}
 		default:
-			return nil, fmt.Errorf("unrecorgnized option '%v' in redis connection string", connVal)
+			return nil, fmt.Errorf("unrecognized option '%v' in redis connection string", connKey)
 		}
 	}
+	if setTLSIsTrue {
+		// Get hostname from the Addr property and set it on the configuration for TLS
+		sp := strings.Split(options.Addr, ":")
+		if len(sp) < 1 {
+			return nil, fmt.Errorf("unable to get hostname from the addr field, expected host:port, got '%v'", options.Addr)
+		}
+		options.TLSConfig = &tls.Config{ServerName: sp[0]}
+	}
 	return options, nil
 }

@@ -71,7 +91,7 @@ func (s *redisStorage) Set(key string, val interface{}, expires time.Duration) e
 	if err != nil {
 		return err
 	}
-	status := s.c.SetEx(key, expires, string(value))
+	status := s.c.Set(key, string(value), expires)
 	return status.Err()
 }

--- a/pkg/infra/remotecache/redis_storage_test.go
+++ b/pkg/infra/remotecache/redis_storage_test.go
@@ -1,11 +1,12 @@
 package remotecache

 import (
+	"crypto/tls"
 	"fmt"
 	"testing"

 	"github.com/stretchr/testify/assert"
-	redis "gopkg.in/redis.v2"
+	redis "gopkg.in/redis.v5"
 )

 func Test_parseRedisConnStr(t *testing.T) {
@@ -15,13 +16,14 @@ func Test_parseRedisConnStr(t *testing.T) {
 		ShouldErr     bool
 	}{
 		"all redis options should parse": {
-			"addr=127.0.0.1:6379,pool_size=100,db=1,password=grafanaRocks",
+			"addr=127.0.0.1:6379,pool_size=100,db=1,password=grafanaRocks,ssl=false",
 			&redis.Options{
-				Addr:     "127.0.0.1:6379",
-				PoolSize: 100,
-				DB:       1,
-				Password: "grafanaRocks",
-				Network:  "tcp",
+				Addr:      "127.0.0.1:6379",
+				PoolSize:  100,
+				DB:        1,
+				Password:  "grafanaRocks",
+				Network:   "tcp",
+				TLSConfig: nil,
 			},
 			false,
 		},
@@ -34,6 +36,39 @@ func Test_parseRedisConnStr(t *testing.T) {
 			},
 			false,
 		},
+		"ssl set to true should result in default TLS configuration with tls set to addr's host": {
+			"addr=grafana.com:6379,ssl=true",
+			&redis.Options{
+				Addr:      "grafana.com:6379",
+				Network:   "tcp",
+				TLSConfig: &tls.Config{ServerName: "grafana.com"},
+			},
+			false,
+		},
+		"ssl to insecure should result in TLS configuration with InsecureSkipVerify": {
+			"addr=127.0.0.1:6379,ssl=insecure",
+			&redis.Options{
+				Addr:      "127.0.0.1:6379",
+				Network:   "tcp",
+				TLSConfig: &tls.Config{InsecureSkipVerify: true},
+			},
+			false,
+		},
+		"invalid SSL option should err": {
+			"addr=127.0.0.1:6379,ssl=dragons",
+			nil,
+			true,
+		},
+		"invalid pool_size value should err": {
+			"addr=127.0.0.1:6379,pool_size=seven",
+			nil,
+			true,
+		},
+		"invalid db value should err": {
+			"addr=127.0.0.1:6379,db=seven",
+			nil,
+			true,
+		},
 		"trailing comma should err": {
 			"addr=127.0.0.1:6379,pool_size=100,",
 			nil,