Integration Tests for TLS

.devcontainer/docker-compose-cluster.yml

@@ -30,7 +30,12 @@ services:
   valkey:
     image: 'valkey/valkey:latest'
     network_mode: "host"
-    command: valkey-server --port 6379
+    ports:
+      - 6379:6379
+      - 6380:6380
+    volumes:
+      - ./valkey:/valkey
+    command: valkey-server --tls-port 6380 --tls-cert-file /valkey/certs/server.crt --tls-key-file /valkey/certs/server.key --tls-ca-cert-file /valkey/certs/ca.crt
 
   valkey_cluster_1:
     image: 'valkey/valkey:latest'

.github/workflows/ci.yml

@@ -9,9 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-ci
   cancel-in-progress: true
 
-env:
-  VALKEY_HOSTNAME: database
-  REDIS_HOSTNAME: database
 jobs:
   unit-tests:
     runs-on: ubuntu-latest
@@ -25,14 +22,42 @@ jobs:
     services:
       database:
         image: ${{ matrix.database }}
+        options: --name database
+        env:
+          VALKEY_EXTRA_FLAGS: "--tls-port 6380 --tls-cert-file /valkey/certs/server.crt --tls-key-file /valkey/certs/server.key --tls-ca-cert-file /valkey/certs/ca.crt"
+        ports:
+          - 6379:6379
+          - 6380:6380
+        volumes:
+          - ${{ github.workspace }}/valkey:/valkey
     steps:
       - name: Install jemalloc
         run: |
           apt-get update
           apt-get install -y libjemalloc-dev
+          apt-get install curl
       - name: Checkout
-        uses: actions/checkout@v4
-      - name: Test
+        uses: actions/checkout@v6
+      - name: Generate certificates
+        run: ./dev/generate-test-certs.sh
+      - name: Restart Docker
+        # The valkey service container is started *before* the certificates are
+        # generated. Restarting the container after the generate step is needed for the
+        # container to see the generated certificates.
+        uses: docker://docker
+        with:
+          args: docker restart database
+      - name: Test Redis
+        if: ${{ matrix.database == 'redis:latest' }}
+        env:
+          DISABLE_TLS_TESTS: true
+          VALKEY_HOSTNAME: database
+        run: |
+          swift test --enable-code-coverage
+      - name: Test Valkey
+        if: ${{ matrix.database != 'redis:latest' }}
+        env:
+          VALKEY_HOSTNAME: database
         run: |
           swift test --enable-code-coverage
       - name: Convert coverage files

.gitignore

@@ -12,3 +12,4 @@ Package.resolved
 .benchmarkBaselines/
 .swift-version
 .docc-build
+valkey

Tests/IntegrationTests/TLSIntegrationTests.swift

@@ -0,0 +1,103 @@
+//
+// This source file is part of the valkey-swift project
+// Copyright (c) 2025 the valkey-swift project authors
+//
+// See LICENSE.txt for license information
+// SPDX-License-Identifier: Apache-2.0
+//
+import Foundation
+import Logging
+import NIOCore
+import NIOSSL
+import Testing
+import Valkey
+
+@testable import Valkey
+
+@Suite(
+    "TLS Integration Tests",
+    .disabled(if: disableTLSTests != nil)
+)
+struct TLSIntegratedTests {
+    let valkeyHostname = ProcessInfo.processInfo.environment["VALKEY_HOSTNAME"] ?? "localhost"
+
+    @available(valkeySwift 1.0, *)
+    func withKey<Value>(connection: some ValkeyClientProtocol, _ operation: (ValkeyKey) async throws -> Value) async throws -> Value {
+        let key = ValkeyKey(UUID().uuidString)
+        let value: Value
+        do {
+            value = try await operation(key)
+        } catch {
+            _ = try? await connection.del(keys: [key])
+            throw error
+        }
+        _ = try await connection.del(keys: [key])
+        return value
+    }
+
+    @available(valkeySwift 1.0, *)
+    func withValkeyClient(
+        _ address: ValkeyServerAddress,
+        configuration: ValkeyClientConfiguration = .init(),
+        logger: Logger,
+        operation: @escaping @Sendable (ValkeyClient) async throws -> Void
+    ) async throws {
+        try await withThrowingTaskGroup(of: Void.self) { group in
+            let client = ValkeyClient(address, configuration: configuration, logger: logger)
+            group.addTask {
+                await client.run()
+            }
+            group.addTask {
+                try await operation(client)
+            }
+            try await group.next()
+            group.cancelAll()
+        }
+    }
+
+    @Test
+    @available(valkeySwift 1.0, *)
+    func testSetGet() async throws {
+        var logger = Logger(label: "Valkey")
+        logger.logLevel = .trace
+        let tlsConfiguration = try Self.getTLSConfiguration()
+        try await withValkeyClient(
+            .hostname(valkeyHostname, port: 6380),
+            configuration: .init(tls: .enable(tlsConfiguration, tlsServerName: "Server-only")),
+            logger: logger
+        ) { connection in
+            try await withKey(connection: connection) { key in
+                try await connection.set(key, value: "Hello")
+                let response = try await connection.get(key).map { String(buffer: $0) }
+                #expect(response == "Hello")
+                let response2 = try await connection.get("sdf65fsdf").map { String(buffer: $0) }
+                #expect(response2 == nil)
+            }
+        }
+    }
+
+    static let rootPath = #filePath
+        .split(separator: "/", omittingEmptySubsequences: false)
+        .dropLast(3)
+        .joined(separator: "/")
+
+    @available(valkeySwift 1.0, *)
+    static func getTLSConfiguration() throws -> TLSConfiguration {
+        do {
+            let rootCertificate = try NIOSSLCertificate.fromPEMFile(Self.rootPath + "/valkey/certs/ca.crt")
+            let certificate = try NIOSSLCertificate.fromPEMFile(Self.rootPath + "/valkey/certs/client.crt")
+            let privateKey = try NIOSSLPrivateKey(file: Self.rootPath + "/valkey/certs/client.key", format: .pem)
+            var tlsConfiguration = TLSConfiguration.makeClientConfiguration()
+            tlsConfiguration.trustRoots = .certificates(rootCertificate)
+            tlsConfiguration.certificateChain = certificate.map { .certificate($0) }
+            tlsConfiguration.privateKey = .privateKey(privateKey)
+            return tlsConfiguration
+        } catch NIOSSLError.failedToLoadCertificate {
+            fatalError("Run script ./dev/generate-test-certs.sh to generate test certificates and restart your valkey server.")
+        } catch NIOSSLError.failedToLoadPrivateKey {
+            fatalError("Run script ./dev/generate-test-certs.sh to generate test certificates and restart your valkey server.")
+        }
+    }
+}
+
+private let disableTLSTests: String? = ProcessInfo.processInfo.environment["DISABLE_TLS_TESTS"]

dev/generate-test-certs.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+##
+## This source file is part of the valkey-swift project
+## Copyright (c) 2025 the valkey-swift project authors
+##
+## See LICENSE.txt for license information
+## SPDX-License-Identifier: Apache-2.0
+##
+
+# This is a copy of the gen-test-certs.sh script from https://github/valkey-io/valkey
+# BSD 3-Clause License
+#
+# Copyright (c) 2024-present, Valkey contributors
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+#     * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Generate some test certificates which are used by the regression test suite:
+#
+#   valkey/certs/ca.{crt,key}          Self signed CA certificate.
+#   valkey/certs/client.{crt,key}      A certificate restricted for SSL client usage.
+#   valkey/certs/server.{crt,key}      A certificate restricted for SSL server usage.
+#   valkey/certs/valkey.dh              DH Params file.
+
+generate_cert() {
+    local name=$1
+    local cn="$2"
+    local opts="$3"
+
+    local keyfile=valkey/certs/${name}.key
+    local certfile=valkey/certs/${name}.crt
+
+    [ -f "$keyfile" ] || openssl genrsa -out "$keyfile" 2048
+    # shellcheck disable=SC2086
+    openssl req \
+        -new -sha256 \
+        -subj "/O=Valkey Test/CN=$cn" \
+        -key "$keyfile" | \
+        openssl x509 \
+            -req -sha256 \
+            -CA valkey/certs/ca.crt \
+            -CAkey valkey/certs/ca.key \
+            -CAserial valkey/certs/ca.txt \
+            -CAcreateserial \
+            -days 365 \
+            $opts \
+            -out "$certfile"
+    # Set all users to read private keys files so CI works
+    chmod a+r "$keyfile"
+}
+
+mkdir -p valkey/certs
+[ -f valkey/certs/ca.key ] || openssl genrsa -out valkey/certs/ca.key 4096
+openssl req \
+    -x509 -new -nodes -sha256 \
+    -key valkey/certs/ca.key \
+    -days 3650 \
+    -subj '/O=Valkey Test/CN=Certificate Authority' \
+    -out valkey/certs/ca.crt
+
+cat > valkey/certs/openssl.cnf <<_END_
+[ server_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = server
+
+[ client_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = client
+_END_
+
+generate_cert server "Server-only" "-extfile valkey/certs/openssl.cnf -extensions server_cert"
+generate_cert client "Client-only" "-extfile valkey/certs/openssl.cnf -extensions client_cert"

docker-compose.yml

@@ -1,12 +1,16 @@
+# This runs a valkey server with both non-TLS and TLS endpoints.
+# You need to run the script .dev/generate-test-certs.sh to generate the certificates needed for TLS
+
 services:
   valkey:
-    image: valkey/valkey:8.0
+    image: valkey/valkey:9.0
     ports:
       - 6379:6379
-    healthcheck:
-      test: ["CMD", "valkey-cli", "--raw", "incr", "ping"]
+      - 6380:6380
     volumes:
+      - ./valkey:/valkey
       - valkey_data:/data
+    command: valkey-server --tls-port 6380 --tls-cert-file /valkey/certs/server.crt --tls-key-file /valkey/certs/server.key --tls-ca-cert-file /valkey/certs/ca.crt
 
 volumes:
   valkey_data: