You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

165 lines
5.4 KiB

3 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
3 years ago
3 years ago
3 years ago
3 years ago
  1. package security
  2. import (
  3. "crypto/tls"
  4. "crypto/x509"
  5. "fmt"
  6. "google.golang.org/grpc/credentials/insecure"
  7. "google.golang.org/grpc/credentials/tls/certprovider/pemfile"
  8. "google.golang.org/grpc/security/advancedtls"
  9. "io/ioutil"
  10. "strings"
  11. "time"
  12. "github.com/seaweedfs/seaweedfs/weed/glog"
  13. "github.com/seaweedfs/seaweedfs/weed/util"
  14. "google.golang.org/grpc"
  15. )
  16. const credRefreshingInterval = time.Duration(5) * time.Hour
  17. type Authenticator struct {
  18. AllowedWildcardDomain string
  19. AllowedCommonNames map[string]bool
  20. }
  21. func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
  22. if config == nil {
  23. return nil, nil
  24. }
  25. serverOptions := pemfile.Options{
  26. CertFile: config.GetString(component + ".cert"),
  27. KeyFile: config.GetString(component + ".key"),
  28. RefreshDuration: credRefreshingInterval,
  29. }
  30. serverIdentityProvider, err := pemfile.NewProvider(serverOptions)
  31. if err != nil {
  32. glog.Warningf("pemfile.NewProvider(%v) %v failed: %v", serverOptions, component, err)
  33. return nil, nil
  34. }
  35. serverRootOptions := pemfile.Options{
  36. RootFile: config.GetString("grpc.ca"),
  37. RefreshDuration: credRefreshingInterval,
  38. }
  39. serverRootProvider, err := pemfile.NewProvider(serverRootOptions)
  40. if err != nil {
  41. glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)
  42. return nil, nil
  43. }
  44. // Start a server and create a client using advancedtls API with Provider.
  45. options := &advancedtls.ServerOptions{
  46. IdentityOptions: advancedtls.IdentityCertificateOptions{
  47. IdentityProvider: serverIdentityProvider,
  48. },
  49. RootOptions: advancedtls.RootCertificateOptions{
  50. RootProvider: serverRootProvider,
  51. },
  52. RequireClientCert: true,
  53. VType: advancedtls.CertVerification,
  54. }
  55. allowedCommonNames := config.GetString(component + ".allowed_commonNames")
  56. allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
  57. if allowedCommonNames != "" || allowedWildcardDomain != "" {
  58. allowedCommonNamesMap := make(map[string]bool)
  59. for _, s := range strings.Split(allowedCommonNames, ",") {
  60. allowedCommonNamesMap[s] = true
  61. }
  62. auther := Authenticator{
  63. AllowedCommonNames: allowedCommonNamesMap,
  64. AllowedWildcardDomain: allowedWildcardDomain,
  65. }
  66. options.VerifyPeer = auther.Authenticate
  67. } else {
  68. options.VerifyPeer = func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
  69. return &advancedtls.VerificationResults{}, nil
  70. }
  71. }
  72. ta, err := advancedtls.NewServerCreds(options)
  73. if err != nil {
  74. glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)
  75. return nil, nil
  76. }
  77. return grpc.Creds(ta), nil
  78. }
  79. func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
  80. if config == nil {
  81. return grpc.WithTransportCredentials(insecure.NewCredentials())
  82. }
  83. certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
  84. if certFileName == "" || keyFileName == "" || caFileName == "" {
  85. return grpc.WithTransportCredentials(insecure.NewCredentials())
  86. }
  87. clientOptions := pemfile.Options{
  88. CertFile: certFileName,
  89. KeyFile: keyFileName,
  90. RefreshDuration: credRefreshingInterval,
  91. }
  92. clientProvider, err := pemfile.NewProvider(clientOptions)
  93. if err != nil {
  94. glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)
  95. return grpc.WithTransportCredentials(insecure.NewCredentials())
  96. }
  97. clientRootOptions := pemfile.Options{
  98. RootFile: config.GetString("grpc.ca"),
  99. RefreshDuration: credRefreshingInterval,
  100. }
  101. clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
  102. if err != nil {
  103. glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
  104. return grpc.WithTransportCredentials(insecure.NewCredentials())
  105. }
  106. options := &advancedtls.ClientOptions{
  107. IdentityOptions: advancedtls.IdentityCertificateOptions{
  108. IdentityProvider: clientProvider,
  109. },
  110. VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
  111. return &advancedtls.VerificationResults{}, nil
  112. },
  113. RootOptions: advancedtls.RootCertificateOptions{
  114. RootProvider: clientRootProvider,
  115. },
  116. VType: advancedtls.CertVerification,
  117. }
  118. ta, err := advancedtls.NewClientCreds(options)
  119. if err != nil {
  120. glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
  121. return grpc.WithTransportCredentials(insecure.NewCredentials())
  122. }
  123. return grpc.WithTransportCredentials(ta)
  124. }
  125. func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
  126. clientCerts, err := ioutil.ReadFile(clientCertFile)
  127. if err != nil {
  128. glog.Fatal(err)
  129. }
  130. certPool := x509.NewCertPool()
  131. ok := certPool.AppendCertsFromPEM(clientCerts)
  132. if !ok {
  133. glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
  134. }
  135. return &tls.Config{
  136. ClientCAs: certPool,
  137. ClientAuth: tls.RequireAndVerifyClientCert,
  138. }
  139. }
  140. func (a Authenticator) Authenticate(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
  141. if a.AllowedWildcardDomain != "" && strings.HasSuffix(params.Leaf.Subject.CommonName, a.AllowedWildcardDomain) {
  142. return &advancedtls.VerificationResults{}, nil
  143. }
  144. if _, ok := a.AllowedCommonNames[params.Leaf.Subject.CommonName]; ok {
  145. return &advancedtls.VerificationResults{}, nil
  146. }
  147. err := fmt.Errorf("Authenticate: invalid subject client common name: %s", params.Leaf.Subject.CommonName)
  148. glog.Error(err)
  149. return nil, err
  150. }