Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5303 Commits
32 Branches
297 Tags
164 MiB
Tree: c6d3735605
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c6d3735605'
${ noResults }
seaweedfs/weed/security/tls.go

113 lines
3.3 KiB
Raw Normal View History

adding grpc mutual tls
6 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
avoid concurrent map updates to viper
4 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
adjust log level
5 years ago
adding grpc mutual tls
6 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
adjust log level
5 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
fix tls grpc ca path
4 years ago
adding grpc mutual tls
6 years ago
adjust log level
5 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
adding grpc mutual tls
6 years ago
avoid concurrent map updates to viper
4 years ago
adding grpc mutual tls
6 years ago
fix tls grpc ca path
4 years ago
refactor
4 years ago
adjust logging
4 years ago
adding grpc mutual tls
6 years ago
adjust logging
4 years ago
adding grpc mutual tls
6 years ago
adjust log level
5 years ago
adding grpc mutual tls
6 years ago
refactor
4 years ago
adding grpc mutual tls
6 years ago
adjust log level
5 years ago
adding grpc mutual tls
6 years ago
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/
4 years ago
  1. package security
  3. import (
  4. "context"
  5. "crypto/tls"
  6. "crypto/x509"
  7. "github.com/chrislusf/seaweedfs/weed/util"
  8. grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
  9. "google.golang.org/grpc/codes"
  10. "google.golang.org/grpc/peer"
  11. "google.golang.org/grpc/status"
  12. "io/ioutil"
  14. "google.golang.org/grpc"
  15. "google.golang.org/grpc/credentials"
  17. "github.com/chrislusf/seaweedfs/weed/glog"
  18. )
  20. type Authenticator struct {
  21. PermitCommonNames map[string]bool
  22. }
  24. func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
  25. if config == nil {
  26. return nil, nil
  27. }
  29. // load cert/key, ca cert
  30. cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
  31. if err != nil {
  32. glog.V(1).Infof("load cert/key error: %v", err)
  33. return nil, nil
  34. }
  35. caCert, err := ioutil.ReadFile(config.GetString("grpc.ca"))
  36. if err != nil {
  37. glog.V(1).Infof("read ca cert file error: %v", err)
  38. return nil, nil
  39. }
  40. caCertPool := x509.NewCertPool()
  41. caCertPool.AppendCertsFromPEM(caCert)
  42. ta := credentials.NewTLS(&tls.Config{
  43. Certificates: []tls.Certificate{cert},
  44. ClientCAs: caCertPool,
  45. ClientAuth: tls.RequireAndVerifyClientCert,
  46. })
  47. permitCommonNames := config.GetStringSlice(component + "permitCommonNames")
  49. if len(permitCommonNames) > 0 {
  50. permitCommonNamesMap := make(map[string]bool)
  51. for _, s := range util.GetViper().GetStringSlice(component + "permitCommonNames") {
  52. permitCommonNamesMap[s] = true
  53. }
  54. auther := Authenticator{
  55. PermitCommonNames: permitCommonNamesMap,
  56. }
  57. return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
  58. }
  59. return grpc.Creds(ta), nil
  60. }
  62. func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
  63. if config == nil {
  64. return grpc.WithInsecure()
  65. }
  67. certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
  68. if certFileName == "" || keyFileName == "" || caFileName == "" {
  69. return grpc.WithInsecure()
  70. }
  72. // load cert/key, cacert
  73. cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
  74. if err != nil {
  75. glog.V(1).Infof("load cert/key error: %v", err)
  76. return grpc.WithInsecure()
  77. }
  78. caCert, err := ioutil.ReadFile(caFileName)
  79. if err != nil {
  80. glog.V(1).Infof("read ca cert file error: %v", err)
  81. return grpc.WithInsecure()
  82. }
  83. caCertPool := x509.NewCertPool()
  84. caCertPool.AppendCertsFromPEM(caCert)
  86. ta := credentials.NewTLS(&tls.Config{
  87. Certificates: []tls.Certificate{cert},
  88. RootCAs: caCertPool,
  89. InsecureSkipVerify: true,
  90. })
  91. return grpc.WithTransportCredentials(ta)
  92. }
  94. func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
  95. p, ok := peer.FromContext(ctx)
  96. if !ok {
  97. return ctx, status.Error(codes.Unauthenticated, "no peer found")
  98. }
  100. tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
  101. if !ok {
  102. return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
  103. }
  105. if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
  106. return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
  107. }
  109. if _, ok := a.PermitCommonNames[tlsAuth.State.VerifiedChains[0][0].Subject.CommonName]; !ok {
  110. return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
  111. }
  112. return ctx, nil
  113. }