feat: initial NATS SSL connection configuration #3626

* allow to disable verify_peer intially
* paves way to passing custom ssl CA file or path

README.md

@@ -151,6 +151,7 @@ The Camunda worker requires the following environment variables:
 * `EXO__WORKER__NATS__PORT`: Port number of the NATS server, i.e. `4222` (defaut)
 * `EXO__WORKER__NATS__USERNAME`: Username to authenticate with, i.e. `exo`
 * `EXO__WORKER__NATS__PASSWORD`: Password to authenticate with
+* `EXO__WORKER__NATS__SSL__VERIFY_PEER`: Configure steam context SSL option `verify_peer` (defaults to `true`)
 
 You can now publish requests onto the `exo:request` "subject".
 

src/Console/Command/NatsRequestCommand.php

@@ -46,20 +46,34 @@ protected function execute(InputInterface $input, OutputInterface $output)
             throw new RuntimeException("Can't parse request JSON from " . $filename);
         }
 
+        $streamContextOptions = [
+            'ssl' => [
+            ],
+        ];
+
+
+
         $connectionOptions = new \Nats\ConnectionOptions();
 
         $this->host = getenv('EXO__WORKER__NATS__HOST');
         $this->port = getenv('EXO__WORKER__NATS__PORT') ?? 4222;
         $this->username = getenv('EXO__WORKER__NATS__USERNAME');
         $this->password = getenv('EXO__WORKER__NATS__PASSWORD');
 
+        if (getenv('EXO__WORKER__NATS__SSL__VERIFY_PEER')=='false') {
+            $exo->getLogger()->debug("Setting ssl.verify_peer to false");
+            $streamContextOptions['ssl']['verify_peer'] = false;
+        }
+        $streamContext = stream_context_get_default($streamContextOptions);
+
         $connectionOptions
             ->setHost($this->host)
             ->setPort($this->port)
             ->setUser($this->username)
             ->setPass($this->password)
             ->setVerbose(true)
             ->setPedantic(true)
+            ->setStreamContext($streamContext)
         ;
 
         $this->client = new \Nats\Connection($connectionOptions);

src/Worker/NatsWorker.php

@@ -13,7 +13,7 @@ class NatsWorker implements WorkerInterface
     protected $port;
     protected $username;
     protected $password;
-    protected $workerId;
+    protected $streamContextOptions;
     protected $messages = [];
 
     public function __construct(Exo $exo, array $options)
@@ -23,7 +23,12 @@ public function __construct(Exo $exo, array $options)
         $this->port = $options['PORT'] ?? 4222;
         $this->username = $options['USERNAME'] ?? null;
         $this->password = $options['PASSWORD'] ?? null;
-        $this->workerId = $options['WORKER_ID'] ?? 'exo-' . time();
+        $this->streamContextOptions = ['ssl' => []];
+
+        if (($options['SSL__VERIFY_PEER']??null)=='false') {
+            $exo->getLogger()->debug("Setting ssl.verify_peer to false");
+            $this->streamContextOptions['ssl']['verify_peer'] = false;
+        }
 
         if (!$this->host) {
             throw new RuntimeException("Required HOST for Nats worker not configured (correctly)");
@@ -34,13 +39,17 @@ public function connect()
     {
         $this->exo->getLogger()->info("Connecting to {$this->host}:{$this->port}");
         $connectionOptions = new \Nats\ConnectionOptions();
+
+        $streamContext = stream_context_get_default($this->streamContextOptions);
+
         $connectionOptions
             ->setHost($this->host)
             ->setPort($this->port)
             ->setUser($this->username)
             ->setPass($this->password)
             ->setVerbose(true)
             ->setPedantic(true)
+            ->setStreamContext($streamContext)
         ;
 
         $this->client = new \Nats\Connection($connectionOptions);