tls.go 5.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168
  1. package security
  2. import (
  3. "crypto/tls"
  4. "crypto/x509"
  5. "fmt"
  6. "google.golang.org/grpc/credentials/insecure"
  7. "google.golang.org/grpc/credentials/tls/certprovider/pemfile"
  8. "google.golang.org/grpc/security/advancedtls"
  9. "os"
  10. "strings"
  11. "time"
  12. "github.com/seaweedfs/seaweedfs/weed/glog"
  13. "github.com/seaweedfs/seaweedfs/weed/util"
  14. "google.golang.org/grpc"
  15. )
  16. const CredRefreshingInterval = time.Duration(5) * time.Hour
  17. type Authenticator struct {
  18. AllowedWildcardDomain string
  19. AllowedCommonNames map[string]bool
  20. }
  21. func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
  22. if config == nil {
  23. return nil, nil
  24. }
  25. serverOptions := pemfile.Options{
  26. CertFile: config.GetString(component + ".cert"),
  27. KeyFile: config.GetString(component + ".key"),
  28. RefreshDuration: CredRefreshingInterval,
  29. }
  30. if serverOptions.CertFile == "" || serverOptions.KeyFile == "" {
  31. return nil, nil
  32. }
  33. serverIdentityProvider, err := pemfile.NewProvider(serverOptions)
  34. if err != nil {
  35. glog.Warningf("pemfile.NewProvider(%v) %v failed: %v", serverOptions, component, err)
  36. return nil, nil
  37. }
  38. serverRootOptions := pemfile.Options{
  39. RootFile: config.GetString("grpc.ca"),
  40. RefreshDuration: CredRefreshingInterval,
  41. }
  42. serverRootProvider, err := pemfile.NewProvider(serverRootOptions)
  43. if err != nil {
  44. glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)
  45. return nil, nil
  46. }
  47. // Start a server and create a client using advancedtls API with Provider.
  48. options := &advancedtls.Options{
  49. IdentityOptions: advancedtls.IdentityCertificateOptions{
  50. IdentityProvider: serverIdentityProvider,
  51. },
  52. RootOptions: advancedtls.RootCertificateOptions{
  53. RootProvider: serverRootProvider,
  54. },
  55. RequireClientCert: true,
  56. VerificationType: advancedtls.CertVerification,
  57. }
  58. allowedCommonNames := config.GetString(component + ".allowed_commonNames")
  59. allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
  60. if allowedCommonNames != "" || allowedWildcardDomain != "" {
  61. allowedCommonNamesMap := make(map[string]bool)
  62. for _, s := range strings.Split(allowedCommonNames, ",") {
  63. allowedCommonNamesMap[s] = true
  64. }
  65. auther := Authenticator{
  66. AllowedCommonNames: allowedCommonNamesMap,
  67. AllowedWildcardDomain: allowedWildcardDomain,
  68. }
  69. options.AdditionalPeerVerification = auther.Authenticate
  70. } else {
  71. options.AdditionalPeerVerification = func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
  72. return &advancedtls.PostHandshakeVerificationResults{}, nil
  73. }
  74. }
  75. ta, err := advancedtls.NewServerCreds(options)
  76. if err != nil {
  77. glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)
  78. return nil, nil
  79. }
  80. return grpc.Creds(ta), nil
  81. }
  82. func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
  83. if config == nil {
  84. return grpc.WithTransportCredentials(insecure.NewCredentials())
  85. }
  86. certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
  87. if certFileName == "" || keyFileName == "" || caFileName == "" {
  88. return grpc.WithTransportCredentials(insecure.NewCredentials())
  89. }
  90. clientOptions := pemfile.Options{
  91. CertFile: certFileName,
  92. KeyFile: keyFileName,
  93. RefreshDuration: CredRefreshingInterval,
  94. }
  95. clientProvider, err := pemfile.NewProvider(clientOptions)
  96. if err != nil {
  97. glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)
  98. return grpc.WithTransportCredentials(insecure.NewCredentials())
  99. }
  100. clientRootOptions := pemfile.Options{
  101. RootFile: config.GetString("grpc.ca"),
  102. RefreshDuration: CredRefreshingInterval,
  103. }
  104. clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
  105. if err != nil {
  106. glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
  107. return grpc.WithTransportCredentials(insecure.NewCredentials())
  108. }
  109. options := &advancedtls.Options{
  110. IdentityOptions: advancedtls.IdentityCertificateOptions{
  111. IdentityProvider: clientProvider,
  112. },
  113. AdditionalPeerVerification: func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
  114. return &advancedtls.PostHandshakeVerificationResults{}, nil
  115. },
  116. RootOptions: advancedtls.RootCertificateOptions{
  117. RootProvider: clientRootProvider,
  118. },
  119. VerificationType: advancedtls.CertVerification,
  120. }
  121. ta, err := advancedtls.NewClientCreds(options)
  122. if err != nil {
  123. glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
  124. return grpc.WithTransportCredentials(insecure.NewCredentials())
  125. }
  126. return grpc.WithTransportCredentials(ta)
  127. }
  128. func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
  129. clientCerts, err := os.ReadFile(clientCertFile)
  130. if err != nil {
  131. glog.Fatal(err)
  132. }
  133. certPool := x509.NewCertPool()
  134. ok := certPool.AppendCertsFromPEM(clientCerts)
  135. if !ok {
  136. glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
  137. }
  138. return &tls.Config{
  139. ClientCAs: certPool,
  140. ClientAuth: tls.RequireAndVerifyClientCert,
  141. }
  142. }
  143. func (a Authenticator) Authenticate(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
  144. if a.AllowedWildcardDomain != "" && strings.HasSuffix(params.Leaf.Subject.CommonName, a.AllowedWildcardDomain) {
  145. return &advancedtls.PostHandshakeVerificationResults{}, nil
  146. }
  147. if _, ok := a.AllowedCommonNames[params.Leaf.Subject.CommonName]; ok {
  148. return &advancedtls.PostHandshakeVerificationResults{}, nil
  149. }
  150. err := fmt.Errorf("Authenticate: invalid subject client common name: %s", params.Leaf.Subject.CommonName)
  151. glog.Error(err)
  152. return nil, err
  153. }