Modernize AkkaSpec and Akka.Remote DotNetty transport settings (#6854)

* Modernize AkkaSpec and Akka.Remote DotNetty transport settings

* Update API approval list

Author: Arkatufus

src/core/Akka.API.Tests/verify/CoreAPISpec.ApproveRemote.DotNet.verified.txt

@@ -855,4 +855,13 @@ namespace Akka.Remote.Transport
         public Akka.Actor.Address Recipient { get; }
         public Akka.Actor.Address Sender { get; }
     }
+}
+namespace Akka.Remote.Transport.DotNetty
+{
+    public sealed class DotNettySslSetup : Akka.Actor.Setup.Setup
+    {
+        public DotNettySslSetup(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate, bool suppressValidation) { }
+        public System.Security.Cryptography.X509Certificates.X509Certificate2 Certificate { get; }
+        public bool SuppressValidation { get; }
+    }
 }

src/core/Akka.API.Tests/verify/CoreAPISpec.ApproveRemote.Net.verified.txt

@@ -855,4 +855,13 @@ namespace Akka.Remote.Transport
         public Akka.Actor.Address Recipient { get; }
         public Akka.Actor.Address Sender { get; }
     }
+}
+namespace Akka.Remote.Transport.DotNetty
+{
+    public sealed class DotNettySslSetup : Akka.Actor.Setup.Setup
+    {
+        public DotNettySslSetup(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate, bool suppressValidation) { }
+        public System.Security.Cryptography.X509Certificates.X509Certificate2 Certificate { get; }
+        public bool SuppressValidation { get; }
+    }
 }

src/core/Akka.Remote.Tests/Transport/DotNettySslSetupSpec.cs

@@ -0,0 +1,123 @@
+//-----------------------------------------------------------------------
+// <copyright file="DotNettySslSupportSpec.cs" company="Akka.NET Project">
+//     Copyright (C) 2013-2023 .NET Foundation <https://github.com/akkadotnet/akka.net>
+// </copyright>
+//-----------------------------------------------------------------------
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading.Tasks;
+using Akka.Actor;
+using Akka.Actor.Setup;
+using Akka.Configuration;
+using Akka.Remote.Transport.DotNetty;
+using Akka.TestKit;
+using Xunit;
+using Xunit.Abstractions;
+using static Akka.Util.RuntimeDetector;
+
+namespace Akka.Remote.Tests.Transport
+{
+    public class DotNettySslSetupSpec : AkkaSpec
+    {
+        #region Setup / Config
+
+        // valid to 01/01/2037
+        private const string ValidCertPath = "Resources/akka-validcert.pfx";
+
+        private const string Password = "password";
+
+        private static ActorSystemSetup TestActorSystemSetup(bool enableSsl)
+        {
+            var setup = ActorSystemSetup.Empty
+                .And(BootstrapSetup.Create()
+                    .WithConfig(ConfigurationFactory.ParseString($@"
+akka {{
+  loglevel = DEBUG
+  actor.provider = ""Akka.Remote.RemoteActorRefProvider,Akka.Remote""
+  remote {{
+    dot-netty.tcp {{
+      port = 0
+      hostname = ""127.0.0.1""
+      enable-ssl = ""{enableSsl.ToString().ToLowerInvariant()}""
+      log-transport = true
+    }}
+  }}
+}}")));
+
+            if (!enableSsl)
+                return setup;
+            
+            var certificate = new X509Certificate2(ValidCertPath, Password, X509KeyStorageFlags.DefaultKeySet);
+            return setup.And(new DotNettySslSetup(certificate, true));
+        }
+
+        private ActorSystem _sys2;
+        private ActorPath _echoPath;
+
+        private void Setup(bool enableSsl)
+        {
+            _sys2 = ActorSystem.Create("sys2", TestActorSystemSetup(enableSsl));
+            InitializeLogger(_sys2);
+
+            _sys2.ActorOf(Props.Create<Echo>(), "echo");
+
+            var address = RARP.For(_sys2).Provider.DefaultAddress;
+            _echoPath = new RootActorPath(address) / "user" / "echo";
+        }
+
+        #endregion
+
+        public DotNettySslSetupSpec(ITestOutputHelper output) : base(TestActorSystemSetup(true), output)
+        {
+        }
+
+        [Fact]
+        public async Task Secure_transport_should_be_possible_between_systems_sharing_the_same_certificate()
+        {
+            // skip this test due to linux/mono certificate issues
+            if (IsMono) return;
+
+            Setup(true);
+
+            var probe = CreateTestProbe();
+
+            await AwaitAssertAsync(async () =>
+            {
+                Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
+                await probe.ExpectMsgAsync("hello", TimeSpan.FromSeconds(3));
+            }, TimeSpan.FromSeconds(30), TimeSpan.FromMilliseconds(100));
+        }
+
+        [Fact]
+        public async Task Secure_transport_should_NOT_be_possible_between_systems_using_SSL_and_one_not_using_it()
+        {
+            Setup(false);
+
+            var probe = CreateTestProbe();
+            await Assert.ThrowsAsync<RemoteTransportException>(async () =>
+            {
+                Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
+                await probe.ExpectNoMsgAsync();
+            });
+        }
+
+        #region helper classes / methods
+
+        protected override void AfterAll()
+        {
+            base.AfterAll();
+            Shutdown(_sys2, TimeSpan.FromSeconds(3));
+        }
+
+        private class Echo : ReceiveActor
+        {
+            public Echo()
+            {
+                Receive<string>(str => Sender.Tell(str));
+            }
+        }
+
+        #endregion
+    }
+}

src/core/Akka.Remote/Akka.Remote.csproj

@@ -7,12 +7,12 @@
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
     </PropertyGroup>
     <ItemGroup>
-        <EmbeddedResource Include="Configuration\Remote.conf"/>
-        <ProjectReference Include="..\Akka\Akka.csproj"/>
+        <EmbeddedResource Include="Configuration\Remote.conf" />
+        <ProjectReference Include="..\Akka\Akka.csproj" />
     </ItemGroup>
     <ItemGroup>
-        <PackageReference Include="DotNetty.Handlers" Version="0.6.0"/>
-        <PackageReference Include="Google.Protobuf" Version="$(ProtobufVersion)"/>
+        <PackageReference Include="DotNetty.Handlers" Version="0.6.0" />
+        <PackageReference Include="Google.Protobuf" Version="$(ProtobufVersion)" />
     </ItemGroup>
     <PropertyGroup>
         <AllowUnsafeBlocks>True</AllowUnsafeBlocks>

src/core/Akka.Remote/AkkaProtocolSettings.cs

@@ -51,11 +51,9 @@ public AkkaProtocolSettings(Config config)
             // backwards compatibility with the existing dot-netty.tcp.connection-timeout
             var enabledTransports = config.GetStringList("akka.remote.enabled-transports", new string[] { });
             if (enabledTransports.Contains("akka.remote.dot-netty.tcp"))
-                HandshakeTimeout = config.GetTimeSpan("akka.remote.dot-netty.tcp.connection-timeout", null);
-            else if (enabledTransports.Contains("akka.remote.dot-netty.ssl"))
-                HandshakeTimeout = config.GetTimeSpan("akka.remote.dot-netty.ssl.connection-timeout", null);
+                HandshakeTimeout = config.GetTimeSpan("akka.remote.dot-netty.tcp.connection-timeout", TimeSpan.FromSeconds(15), allowInfinite:false);
             else
-                HandshakeTimeout = config.GetTimeSpan("akka.remote.handshake-timeout", TimeSpan.FromSeconds(20), allowInfinite:false);
+                HandshakeTimeout = config.GetTimeSpan("akka.remote.handshake-timeout", TimeSpan.FromSeconds(15), allowInfinite:false);
         }
     }
 }

src/core/Akka.Remote/Configuration/Remote.conf

@@ -352,9 +352,6 @@ akka {
       trttl = "Akka.Remote.Transport.ThrottlerProvider,Akka.Remote"
     }
 
-	# necessary to keep backwards compatibility
-	helios.tcp.transport-class = "Akka.Remote.Transport.Helios.HeliosTcpTransport, Akka.Remote.Transport.Helios"
-
     ### Default configuration for the DotNetty based transport drivers
 
     dot-netty.tcp {
@@ -481,10 +478,10 @@ akka {
       # Sets the size of the connection backlog
       backlog = 4096
 
-      # Enables the TCP_NODELAY flag, i.e. disables Nagle’s algorithm
+      # Enables the TCP_NODELAY flag, i.e. disables Nagle's algorithm
       tcp-nodelay = on
 
-      # Enables TCP Keepalive, subject to the O/S kernel’s configuration
+      # Enables TCP Keepalive, subject to the O/S kernel's configuration
       tcp-keepalive = on
 
       # Enables SO_REUSEADDR, which determines when an ActorSystem can open
@@ -524,48 +521,45 @@ akka {
         pool-size-max = 2
       }
 
-
+      ssl {
+        certificate {
+          # Valid certificate path required
+          path = ""
+          # Valid certificate password required
+          password = ""
+          # Default key storage flag is "default-key-set"
+          # Available flags include: 
+          #     default-key-set | exportable | machine-key-set | persist-key-set | user-key-set | user-protected
+          # flags = [ "default-key-set" ]
+          
+          # To use a Thumbprint instead of a file, set this to true
+          # And specify a thumbprint and it's storage location below
+          use-thumbprint-over-file = false
+          
+          # Valid Thumbprint required (if use-thumbprint-over-file is true)
+          # A typical thumbprint is a format similar to: "45df32e258c92a7abf6c112e54912ab15bbb9eb0"
+          # On Windows machines, The thumbprint for an installed certificate can be located
+          # By using certlm.msc and opening the certificate under the 'Details' tab.
+          thumbprint = ""
+          
+          # The Store name. Under windows The most common option is "My", which indicates the personal store.
+          # See System.Security.Cryptography.X509Certificates.StoreName for other common values.
+          store-name = ""
+          
+          # Valid options : local-machine or current-user
+          # current-user indicates a certificate stored under the user's account
+          # local-machine indicates a certificate stored at an operating system level (potentially shared by users)
+          store-location = "current-user"
+        }
+        suppress-validation = false
+      }
     }
 
     dot-netty.udp = ${akka.remote.dot-netty.tcp}
     dot-netty.udp {
       transport-protocol = udp
     }
 
-    dot-netty.ssl = ${akka.remote.dot-netty.tcp}
-    dot-netty.ssl = {
-		certificate {
-			# Valid certificate path required
-			path = ""
-			# Valid certificate password required
-			password = ""
-			# Default key storage flag is "default-key-set"
-			# Available flags include: 
-			#     default-key-set | exportable | machine-key-set | persist-key-set | user-key-set | user-protected
-			# flags = [ "default-key-set" ]
-
-			# To use a Thumbprint instead of a file, set this to true
-			# And specify a thumprint and it's storage location below
-			use-thumbprint-over-file = false
-
-			# Valid Thumprint required (if use-thumbprint-over-file is true)
-			# A typical thumbprint is a format similar to: "45df32e258c92a7abf6c112e54912ab15bbb9eb0"
-			# On Windows machines, The thumprint for an installed certificate can be located
-			# By using certlm.msc and opening the certificate under the 'Details' tab.
-			thumbprint = ""
-
-			# The Store name. Under windows The most common option is "My", which indicates the personal store.
-			# See System.Security.Cryptography.X509Certificates.StoreName for other common values.
-			store-name = ""
-
-			# Valid options : local-machine or current-user
-			# current-user indicates a certificate stored under the user's account
-			# local-machine indicates a certificate stored at an operating system level (potentially shared by users)
-			store-location = "current-user"
-		}
-		suppress-validation = false
-    }
-
     ### Default configuration for the failure injector transport adapter
 
     gremlin {

src/core/Akka.Remote/Transport/DotNetty/DotNettySslSetup.cs

@@ -0,0 +1,24 @@
+//-----------------------------------------------------------------------
+// <copyright file="SslSetup.cs" company="Akka.NET Project">
+//     Copyright (C) 2013-2023 .NET Foundation <https://github.com/akkadotnet/akka.net>
+// </copyright>
+//-----------------------------------------------------------------------
+
+using System.Security.Cryptography.X509Certificates;
+using Akka.Actor.Setup;
+
+namespace Akka.Remote.Transport.DotNetty;
+
+public sealed class DotNettySslSetup: Setup
+{
+    public DotNettySslSetup(X509Certificate2 certificate, bool suppressValidation)
+    {
+        Certificate = certificate;
+        SuppressValidation = suppressValidation;
+    }
+    
+    public X509Certificate2 Certificate { get; }
+    public bool SuppressValidation { get; }
+
+    internal SslSettings Settings => new SslSettings(Certificate, SuppressValidation);
+}

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransport.cs

@@ -131,13 +131,17 @@ protected DotNettyTransport(ActorSystem system, Config config)
             System = system;
             Config = config;
 
+            // Helios compatibility
             if (system.Settings.Config.HasPath("akka.remote.helios.tcp"))
             {
-                var heliosFallbackConfig = system.Settings.Config.GetConfig("akka.remote.helios.tcp");
+                var heliosFallbackConfig = system.Settings.Config.GetConfig("akka.remote.helios.tcp")
+                    .WithFallback("transport-class = \"Akka.Remote.Transport.Helios.HeliosTcpTransport, Akka.Remote.Transport.Helios\"");
                 config = heliosFallbackConfig.WithFallback(config);
             }
 
-            Settings = DotNettyTransportSettings.Create(config);
+            var setup = system.Settings.Setup.Get<DotNettySslSetup>();
+            var sslSettings = setup.HasValue ? setup.Value.Settings : null;
+            Settings = DotNettyTransportSettings.Create(config, sslSettings);
             Log = Logging.GetLogger(System, GetType());
             _serverEventLoopGroup = new MultithreadEventLoopGroup(Settings.ServerSocketWorkerPoolSize);
             _clientEventLoopGroup = new MultithreadEventLoopGroup(Settings.ClientSocketWorkerPoolSize);