You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

164 lines
5.2 KiB

3 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
3 years ago
3 years ago
3 years ago
  1. package security
  2. import (
  3. "crypto/tls"
  4. "crypto/x509"
  5. "fmt"
  6. "google.golang.org/grpc/credentials/tls/certprovider/pemfile"
  7. "google.golang.org/grpc/security/advancedtls"
  8. "io/ioutil"
  9. "strings"
  10. "time"
  11. "github.com/chrislusf/seaweedfs/weed/glog"
  12. "github.com/chrislusf/seaweedfs/weed/util"
  13. "google.golang.org/grpc"
  14. )
  15. const credRefreshingInterval = time.Duration(5) * time.Hour
  16. type Authenticator struct {
  17. AllowedWildcardDomain string
  18. AllowedCommonNames map[string]bool
  19. }
  20. func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
  21. if config == nil {
  22. return nil, nil
  23. }
  24. serverOptions := pemfile.Options{
  25. CertFile: config.GetString(component + ".cert"),
  26. KeyFile: config.GetString(component + ".key"),
  27. RefreshDuration: credRefreshingInterval,
  28. }
  29. serverIdentityProvider, err := pemfile.NewProvider(serverOptions)
  30. if err != nil {
  31. glog.Warningf("pemfile.NewProvider(%v) %v failed: %v", serverOptions, component, err)
  32. return nil, nil
  33. }
  34. serverRootOptions := pemfile.Options{
  35. RootFile: config.GetString("grpc.ca"),
  36. RefreshDuration: credRefreshingInterval,
  37. }
  38. serverRootProvider, err := pemfile.NewProvider(serverRootOptions)
  39. if err != nil {
  40. glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)
  41. return nil, nil
  42. }
  43. // Start a server and create a client using advancedtls API with Provider.
  44. options := &advancedtls.ServerOptions{
  45. IdentityOptions: advancedtls.IdentityCertificateOptions{
  46. IdentityProvider: serverIdentityProvider,
  47. },
  48. RootOptions: advancedtls.RootCertificateOptions{
  49. RootProvider: serverRootProvider,
  50. },
  51. RequireClientCert: true,
  52. VType: advancedtls.CertVerification,
  53. }
  54. allowedCommonNames := config.GetString(component + ".allowed_commonNames")
  55. allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
  56. if allowedCommonNames != "" || allowedWildcardDomain != "" {
  57. allowedCommonNamesMap := make(map[string]bool)
  58. for _, s := range strings.Split(allowedCommonNames, ",") {
  59. allowedCommonNamesMap[s] = true
  60. }
  61. auther := Authenticator{
  62. AllowedCommonNames: allowedCommonNamesMap,
  63. AllowedWildcardDomain: allowedWildcardDomain,
  64. }
  65. options.VerifyPeer = auther.Authenticate
  66. } else {
  67. options.VerifyPeer = func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
  68. return &advancedtls.VerificationResults{}, nil
  69. }
  70. }
  71. ta, err := advancedtls.NewServerCreds(options)
  72. if err != nil {
  73. glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)
  74. return nil, nil
  75. }
  76. return grpc.Creds(ta), nil
  77. }
  78. func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
  79. if config == nil {
  80. return grpc.WithInsecure()
  81. }
  82. certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
  83. if certFileName == "" || keyFileName == "" || caFileName == "" {
  84. return grpc.WithInsecure()
  85. }
  86. clientOptions := pemfile.Options{
  87. CertFile: certFileName,
  88. KeyFile: keyFileName,
  89. RefreshDuration: credRefreshingInterval,
  90. }
  91. clientProvider, err := pemfile.NewProvider(clientOptions)
  92. if err != nil {
  93. glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)
  94. return grpc.WithInsecure()
  95. }
  96. clientRootOptions := pemfile.Options{
  97. RootFile: config.GetString("grpc.ca"),
  98. RefreshDuration: credRefreshingInterval,
  99. }
  100. clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
  101. if err != nil {
  102. glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
  103. return grpc.WithInsecure()
  104. }
  105. options := &advancedtls.ClientOptions{
  106. IdentityOptions: advancedtls.IdentityCertificateOptions{
  107. IdentityProvider: clientProvider,
  108. },
  109. VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
  110. return &advancedtls.VerificationResults{}, nil
  111. },
  112. RootOptions: advancedtls.RootCertificateOptions{
  113. RootProvider: clientRootProvider,
  114. },
  115. VType: advancedtls.CertVerification,
  116. }
  117. ta, err := advancedtls.NewClientCreds(options)
  118. if err != nil {
  119. glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
  120. return grpc.WithInsecure()
  121. }
  122. return grpc.WithTransportCredentials(ta)
  123. }
  124. func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
  125. clientCerts, err := ioutil.ReadFile(clientCertFile)
  126. if err != nil {
  127. glog.Fatal(err)
  128. }
  129. certPool := x509.NewCertPool()
  130. ok := certPool.AppendCertsFromPEM(clientCerts)
  131. if !ok {
  132. glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
  133. }
  134. return &tls.Config{
  135. ClientCAs: certPool,
  136. ClientAuth: tls.RequireAndVerifyClientCert,
  137. }
  138. }
  139. func (a Authenticator) Authenticate(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
  140. if a.AllowedWildcardDomain != "" && strings.HasSuffix(params.Leaf.Subject.CommonName, a.AllowedWildcardDomain) {
  141. return &advancedtls.VerificationResults{}, nil
  142. }
  143. if _, ok := a.AllowedCommonNames[params.Leaf.Subject.CommonName]; ok {
  144. return &advancedtls.VerificationResults{}, nil
  145. }
  146. err := fmt.Errorf("Authenticate: invalid subject client common name: %s", params.Leaf.Subject.CommonName)
  147. glog.Error(err)
  148. return nil, err
  149. }