add functionality and documentation for TLS certs and ACLs

.github/workflows/ci.yml

@@ -12,23 +12,23 @@ jobs:
     env:
       MIX_ENV: test
 
-    # YARD run eventstore/erlang versions in a matrix?
-    services:
-      eventstore:
-        # image: eventstore/eventstore:21.2.0-bionic
-        image: docker.pkg.github.com/eventstore/eventstore/eventstore:ci
-        credentials:
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-        env:
-          EVENTSTORE_INSECURE: "true"
-        ports:
-          - 2113:2113
-
     steps:
     - name: Checkout
       uses: actions/checkout@v2
 
+    - name: install EventStoreDB
+      run: |
+        curl -s https://packagecloud.io/install/repositories/EventStore/EventStore-OSS/script.deb.sh | sudo bash
+        sudo apt update
+        sudo apt install eventstore-oss
+        sudo mkdir -p /etc/eventstore/certs
+        sudo cp -r ./certs/ca /etc/eventstore/certs/
+        sudo cp ./certs/node1/* /etc/eventstore/certs/
+        sudo cp ./certs/eventstore.conf /etc/eventstore/
+        sudo chown -R eventstore /etc/eventstore
+        sudo chgrp -R eventstore /etc/eventstore
+        sudo systemctl restart eventstore
+
     - name: Determine the elixir version
       run: echo "ELIXIR_VERSION=$(grep -h elixir .tool-versions | awk '{ print $2 }')" >> $GITHUB_ENV
 

.iex.exs

@@ -1,5 +1,15 @@
 make_server = fn ->
-  {:ok, pid} = Spear.Connection.start_link(connection_string: "esdb://localhost:2113")
+  params = [
+    connection_string: "esdb://localhost:2113?tls=true",
+    credentials: {"admin", "changeit"},
+    opts: [
+      transport_opts: [
+        cacertfile: Path.join([__DIR__, "certs", "ca", "ca.crt"])
+      ]
+    ]
+  ]
+
+  {:ok, pid} = Spear.Connection.start_link(params)
 
   pid
 end

CHANGELOG.md

@@ -18,6 +18,20 @@ Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to
 
 -->
 
+## 0.1.3 - 2021-04-15
+
+### Added
+
+- Added documentation and functionality for using TLS certificates
+    - see `Spear.Connection` and the [security guide](guides/security.md)
+- Added documentation and functionality for setting the global stream ACL
+    - see `Spear.set_global_acl/4` and the `Spear.Acl` module
+- Added functionality for getting and setting stream-level metadata.
+    - `Spear.meta_stream/1`
+    - `Spear.get_stream_metadata/3`
+    - `Spear.set_stream_metadata/3`
+    - `Spear.StreamMetadata`
+
 ## 0.1.2 - 2021-04-14
 
 ### Added

certs/ca/ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzTCCArWgAwIBAgIRALwNR581upPaABvXc+DsPmwwDQYJKoZIhvcNAQELBQAw
+YjELMAkGA1UEBhMCVUsxGDAWBgNVBAoTD0V2ZW50IFN0b3JlIEx0ZDE5MDcGA1UE
+AxMwRXZlbnRTdG9yZURCIENBIGJjMGQ0NzlmMzViYTkzZGEwMDFiZDc3M2UwZWMz
+ZTZjMB4XDTIxMDQxNDIyMDYxN1oXDTI2MDQxNDIyMDYxN1owYjELMAkGA1UEBhMC
+VUsxGDAWBgNVBAoTD0V2ZW50IFN0b3JlIEx0ZDE5MDcGA1UEAxMwRXZlbnRTdG9y
+ZURCIENBIGJjMGQ0NzlmMzViYTkzZGEwMDFiZDc3M2UwZWMzZTZjMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzwwIW1IgG5kvn+claQAGbKL46a+rzV7r
++6WEAUltcLxo3Yq0oFuoc3qH1qmHrjVVdbpVuSyZHg2TDAVX3X6vE5jhRLmd9tVE
+VEORZjKB/GlZtYO6DgwCaK1k4AJYrad2Tk61W6aLhgp3IkozmVLanvx0cULjFons
+81sWl7TxP1Ig6nke3lKoiJT9igZS3KO5//xzuCg5oK7ix+MOBECmnQU0FeYjDIec
+Pf8Eet3AiAna7LTB4e39ADE5NC04oD3ZEjwuRi0M+nDXD2d+c9NiUGt7HXexpGiw
+IwRHFbfHMmuEyep4i7doo7JCLBtDfmkk1qN72A7+LcIOWh7tWy8UKwIDAQABo34w
+fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATApBgNVHQ4EIgQg
+ha9nFdT5TBLAirXPTkF5uec+CeCPJ13x7/as/OeEB5QwKwYDVR0jBCQwIoAgha9n
+FdT5TBLAirXPTkF5uec+CeCPJ13x7/as/OeEB5QwDQYJKoZIhvcNAQELBQADggEB
+AB7eSquv3nZJiktJI5pZQVdIj5YoJpOlsIAWizBo3xqHioW5gxhR01G7qBQRjoiZ
+n+xQJDs+cfmsXJunUek+kLr1k1Io3EDffGyIau3Qtig5iPVOyXSLgmYOM4npMQXR
+LMPGzdJRM0rtqioQCm2XT4cC98FqNjCZOx2fC2CMvuug7p73FA05f/Mo2jEfgy/L
+iBz5k3IExbWk24GN5Dp1q5VU2PLK2/ZcobcPTU2SKDOs/dr1gp3LfUk4dhTsLpQI
+eYKbvKHftLDYBJsXwU0vb5BtVL9E0yUV89edSiY6v0+Ax1iNLcYOOQ2tLz3K6zKc
+dWBiKrrcX1fLA8RXv42No+Q=
+-----END CERTIFICATE-----

certs/ca/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAzwwIW1IgG5kvn+claQAGbKL46a+rzV7r+6WEAUltcLxo3Yq0
+oFuoc3qH1qmHrjVVdbpVuSyZHg2TDAVX3X6vE5jhRLmd9tVEVEORZjKB/GlZtYO6
+DgwCaK1k4AJYrad2Tk61W6aLhgp3IkozmVLanvx0cULjFons81sWl7TxP1Ig6nke
+3lKoiJT9igZS3KO5//xzuCg5oK7ix+MOBECmnQU0FeYjDIecPf8Eet3AiAna7LTB
+4e39ADE5NC04oD3ZEjwuRi0M+nDXD2d+c9NiUGt7HXexpGiwIwRHFbfHMmuEyep4
+i7doo7JCLBtDfmkk1qN72A7+LcIOWh7tWy8UKwIDAQABAoIBABypHb8Gb0tiuST5
+akROrJT9Olee6blUGnaLQuqqr2ubqSiBut830OmrXIJqlU2YNGxHjvZDJi7y0hgn
+5THUB4g+8XACAcvZWcwQTmBHPZcjPjfSND8dinfTCNO5f20KcWYFnzVAqK+1Yyhr
+/RiMT5cSe0vyZl0IWrSVN1towLxy8iyeDmlCnmiLExMvAFsPgEZyI2/qctxTtnkS
+qy3RWsky35hUctBumY1ZOPUDmRo0S8Qvca5oRi4hQ905uDR/P+NX9ceqNYgxN6YA
+3A4bq/ETL+h6Xx0gn7w5UWWWknP2oToFU7HGZZjYw0zxWvdgHiAJHDybJ4AZOzAM
+RNMkcAECgYEA8S17gGmgWm4quozAXPZcgSTbmvQMD52jEL8eV6Ek5ts8lmcKLETz
+8S8O29Q46jDRRbY20WNUq88e8WGKv2/3YCy3ySG3jLO3am5Db40Mx8IquTPRUYPx
+LwPPfmx8/W5Xb3cnBnGl6gj9XYOa2WvfNUWZ/tJHqJvdqsiwllckLoECgYEA28WQ
+C4Mdi6TB+eVJBWsF4udALDxEuH6SScWwRmbRdd1kIo8j463NLafrA62Der+XOqx3
+54Zx6ENfbj4o3exXDdFuA6ESs63tWeoLKuxtX/PdZmF1Zjx3l8kqd2wNaUygWmJh
+iO2JYqH6FM6/ZqphmN/YYVHfmW3AZusRpSRKBKsCgYEAr64852aJ2zWixG8g9Na0
+vZIWsgISAxIGJX3CYXzNv6h1su1t+J9lvwtTXIhzyQw0dP5tYgtkMx7V4Gj4Q8kQ
+vqr0WXvJE6IZ+lpFny104NIsguofEKz29BNngyUNyyIkaNq3v7brb9aKkSL7mmM8
+nbaMnZWZg1W+m9hC4dCqV4ECgYEApc/rHCRymDdYeth5PXM/37AmBLn8B07HxI04
+sAVHJ6w/rqtcop0w3q+AayfwuR3wVb5mQPJ44opiZ+TSJI36KFzIqkhOue4R0/L3
+Ng1ngCuX8XS6hMY+XPDT74JApB/CJC9x80N0kkwvSJ+sXSNTu2m38cU59KKPtZbJ
+m1VD2z0CgYEAt3T1Ztdmu4a+SXZuqH3+NAxR5/0pyG6I6JgQRxY4QQQ3SYFfai1i
+QDi012A9WA/98J492Ro6ctk6GLCVZrvN39Ez3BB/Uw12/3wZcdOLCB8B7wRfPr5Q
+RfRSERKqCCIKpjXbXBbwDa5gKSYO5NxAD8WXyFwsqGbTPBQUaWyNAnE=
+-----END RSA PRIVATE KEY-----

certs/eventstore.conf

@@ -0,0 +1,21 @@
+---
+# Paths
+Db: /var/lib/eventstore
+Index: /var/lib/eventstore/index
+Log: /var/log/eventstore
+
+# Certificates configuration
+CertificateFile: /etc/eventstore/certs/node.crt
+CertificatePrivateKeyFile: /etc/eventstore/certs/node.key
+TrustedRootCertificatesPath: /etc/eventstore/certs/ca
+
+# Network configuration
+IntIp: 0.0.0.0
+ExtIp: 0.0.0.0
+HttpPort: 2113
+IntTcpPort: 1112
+EnableExternalTcp: false
+EnableAtomPubOverHTTP: true
+
+# Projections configuration
+RunProjections: All

certs/node1/node.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIRANp2x4vHsAavXVZRkKzWCpUwDQYJKoZIhvcNAQELBQAw
+YjELMAkGA1UEBhMCVUsxGDAWBgNVBAoTD0V2ZW50IFN0b3JlIEx0ZDE5MDcGA1UE
+AxMwRXZlbnRTdG9yZURCIENBIGJjMGQ0NzlmMzViYTkzZGEwMDFiZDc3M2UwZWMz
+ZTZjMB4XDTIxMDQxNDIzMTIxMloXDTIyMDQxNDIzMTIxMlowHDEaMBgGA1UEAxMR
+ZXZlbnRzdG9yZWRiLW5vZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCoEM6YNq5p2invjpumUEwZfmeP8nR0kzhf9lu1mYHD7Qls4wtH6GSsDnpzHubg
+eSXEnovTQmKHEjPVtX7lxFfl3w3sQM0BouuLheJajLRUbfkV8l+Bbp1VbKgr+mZ9
+Ryeer8H+cbEyVPDRCqHvBdI7I16lzYFsgw+IKb1RpLLt1sCiA68b76JMWjs9l0iB
+PslBYMt7ZJ1gkiX6cXcuk9IbX4xUCrvAiL4v50Wa3aCKR+UWNepE1G6lRmneGBdk
+DnX9b+LMhqRWUimcYjQJsh+HS7WB0c8aRa4XlC4DYFfYspPeg7dOJ0xGv0mcDsbA
+BD6t0bSG/Qg3cZu0FkezK1bVAgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgWgMB0G
+A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1Ud
+DgQiBCDEYEW376ALE6W8Wdt3WNsXJRYjeKyPu8Ofx2QWe3otsjArBgNVHSMEJDAi
+gCCFr2cV1PlMEsCKtc9OQXm55z4J4I8nXfHv9qz854QHlDAUBgNVHREEDTALggls
+b2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAJySXczvtf+f3IF0GxmjEVMJTvNa
+TSKaHt6yDaSnUBfa3vF+G+ASIVj1pmJV9/4bCSioV1GaqCpdcYa2fIstGKsy3hyR
+KtR08z1JR8+dBlu3Ob4hjQDXpuDkAK4DF+aNqEopOr1GfLyvfZ1k7Oo3qLrqUXQ3
+OKx47BUYaoerb/hfKJY0C2IyCbGlb+wrQvpyKIABM2EdpXTKmWUYhrNW8kYMN/x/
+83A3oTzCEduSDarTE6MTXFBR9StE3Ywu8BudJO8BNraNUEGba3/Fx8EKOojz3CP6
+rLYOI6WA0hbATxQw7Pa2XjbJ5nEYnJWl9XQ3B84AxR5zq6SifAh3Q2bvsso=
+-----END CERTIFICATE-----

certs/node1/node.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAqBDOmDauadop746bplBMGX5nj/J0dJM4X/ZbtZmBw+0JbOML
+R+hkrA56cx7m4HklxJ6L00JihxIz1bV+5cRX5d8N7EDNAaLri4XiWoy0VG35FfJf
+gW6dVWyoK/pmfUcnnq/B/nGxMlTw0Qqh7wXSOyNepc2BbIMPiCm9UaSy7dbAogOv
+G++iTFo7PZdIgT7JQWDLe2SdYJIl+nF3LpPSG1+MVAq7wIi+L+dFmt2gikflFjXq
+RNRupUZp3hgXZA51/W/izIakVlIpnGI0CbIfh0u1gdHPGkWuF5QuA2BX2LKT3oO3
+TidMRr9JnA7GwAQ+rdG0hv0IN3GbtBZHsytW1QIDAQABAoIBAB+Jl9sEV9JROBFW
+B2s8IiuehryCWMwPXELVrfvz5F/puR0Ptew2db27scqsf9KbqTSuM7re+DI0fjma
+J0figkQGiUxOFKo78ktqQkGPqb82K8msg7N8GFYRX7Vw9Y6Irayfep3Oo9u4CMCR
+aDW8N+kVCAvA9opwRZfdjUMmztTGa68Mc0pYbmqcPEsgojrYtLmdGnvvORHKWGAU
+IjW957LbrjmGGAuQbfcA7LJuP309gCzaxU1nimtKTIrG4LybrIqmWvfqLfSDFwIr
+XMZG+CBhNPdb4X2bbx74hTWghsj/liZL9zezgRwa8nnNqMeFoSv4F6qVR7iLwFKE
+37QNBbkCgYEA3uHhkkht9I8Ad4V6JbbgHLFVHa+pSc1m7y4taOt1ltscdvUWJkQF
+GCJRRxHFXSXKHLu5iSS2GAUmMSxjulFSzsCXYJ8YFyCXDCGPQOzfFVgbLxBlCNKd
+Gu3cc9aFLz7jyA4DVHZUJ37yOWO+DFpRkB4N7c9en5/x9vSt/PF9iwsCgYEAwQnH
+Y0CXGovLR0Ab29FC6fbh1f3SdBGpUPnigQvedi/pzNz4oZvP7gGeaQutWhfTJFrB
+8cu2F/NrCgBcZ1NWq3o8RMNz13fnwWdKX91sSBsYRFGEPNxZ/6ZKWqqiXObHcePb
+vRF4nftMsofUxnI4jvh8jNVofN7eQb1CXCPK0Z8CgYABdl3yhcMi7aVFI30Prkl+
+JrO2RCbKMyzPuO/XVmQpHzrqlOUWTy/xXphF7RnsaIkQ8zJecf033yDHBdGJsWrn
+rF/R5HlV/YLAM6Aq/uLf0voqruLa0fbx7EmcAPZSvwjjkSP4c+ZNdAnG0p62mgka
+9veEbe3jAjumMSjLFhKKzQKBgQCaWKhNSsrG1fnOWYss4pAfJGCESrPoTGrWLUcX
+KZdRZpQJUrGV/lBuHGs90LFl9ODFE7A5FkndsqrmT02S7EbDSzQ/Qwwvv1bWBDGq
+nw/CQ6/OiGM0ineHer2+6upxX7Ee9jKvZPXNU66KnSLbHV7tqe9kaApotYZ+h8Y0
+iAXWPwKBgQDAdRdAIpasJDBjFqTuc3XkTlYk0/WnjSbxFrNdtVQsCM4k3Ak28r7e
+8BlHg60oxK5hZvYFFZ9WdotfB4VihjBOj88t2T6+Gw7WF4XqAzkku93r5lWctCRr
+BjKp+H1MNDGzItbinmO98qSxbUctoqNjjRH6N3bE2DWgFg1ONM0Rqg==
+-----END RSA PRIVATE KEY-----

config/test.exs

@@ -1,3 +1,12 @@
 import Config
 
 config :spear, Spear.Test.ClientFixture, connection_string: "esdb://localhost:2113"
+
+config :spear, :config,
+  connection_string: "esdb://localhost:2113?tls=true",
+  opts: [
+    transport_opts: [
+      cacertfile: Path.join([__DIR__ | ~w(.. certs ca ca.crt)])
+    ]
+  ],
+  credentials: {"admin", "changeit"}