|
|
@ -1,24 +1,22 @@ |
|
|
|
package security |
|
|
|
|
|
|
|
import ( |
|
|
|
"context" |
|
|
|
"crypto/tls" |
|
|
|
"crypto/x509" |
|
|
|
"fmt" |
|
|
|
"google.golang.org/grpc/credentials/tls/certprovider/pemfile" |
|
|
|
"google.golang.org/grpc/security/advancedtls" |
|
|
|
"io/ioutil" |
|
|
|
"os" |
|
|
|
"strings" |
|
|
|
|
|
|
|
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth" |
|
|
|
"google.golang.org/grpc" |
|
|
|
"google.golang.org/grpc/codes" |
|
|
|
"google.golang.org/grpc/credentials" |
|
|
|
"google.golang.org/grpc/peer" |
|
|
|
"google.golang.org/grpc/status" |
|
|
|
"time" |
|
|
|
|
|
|
|
"github.com/chrislusf/seaweedfs/weed/glog" |
|
|
|
"github.com/chrislusf/seaweedfs/weed/util" |
|
|
|
"google.golang.org/grpc" |
|
|
|
) |
|
|
|
|
|
|
|
const credRefreshingInterval = time.Duration(5) * time.Hour |
|
|
|
|
|
|
|
type Authenticator struct { |
|
|
|
AllowedWildcardDomain string |
|
|
|
AllowedCommonNames map[string]bool |
|
|
@ -29,28 +27,39 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption |
|
|
|
return nil, nil |
|
|
|
} |
|
|
|
|
|
|
|
// load cert/key, ca cert
|
|
|
|
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key")) |
|
|
|
serverOptions := pemfile.Options{ |
|
|
|
CertFile: config.GetString(component + ".cert"), |
|
|
|
KeyFile: config.GetString(component + ".key"), |
|
|
|
RefreshDuration: credRefreshingInterval, |
|
|
|
} |
|
|
|
|
|
|
|
serverIdentityProvider, err := pemfile.NewProvider(serverOptions) |
|
|
|
if err != nil { |
|
|
|
glog.V(1).Infof("load cert: %s / key: %s error: %v", |
|
|
|
config.GetString(component+".cert"), |
|
|
|
config.GetString(component+".key"), |
|
|
|
err) |
|
|
|
glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverOptions, err) |
|
|
|
return nil, nil |
|
|
|
} |
|
|
|
caCert, err := os.ReadFile(config.GetString("grpc.ca")) |
|
|
|
|
|
|
|
serverRootOptions := pemfile.Options{ |
|
|
|
RootFile: config.GetString("grpc.ca"), |
|
|
|
RefreshDuration: credRefreshingInterval, |
|
|
|
} |
|
|
|
serverRootProvider, err := pemfile.NewProvider(serverRootOptions) |
|
|
|
if err != nil { |
|
|
|
glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err) |
|
|
|
glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err) |
|
|
|
return nil, nil |
|
|
|
} |
|
|
|
caCertPool := x509.NewCertPool() |
|
|
|
caCertPool.AppendCertsFromPEM(caCert) |
|
|
|
ta := credentials.NewTLS(&tls.Config{ |
|
|
|
Certificates: []tls.Certificate{cert}, |
|
|
|
ClientCAs: caCertPool, |
|
|
|
ClientAuth: tls.RequireAndVerifyClientCert, |
|
|
|
}) |
|
|
|
|
|
|
|
// Start a server and create a client using advancedtls API with Provider.
|
|
|
|
options := &advancedtls.ServerOptions{ |
|
|
|
IdentityOptions: advancedtls.IdentityCertificateOptions{ |
|
|
|
IdentityProvider: serverIdentityProvider, |
|
|
|
}, |
|
|
|
RootOptions: advancedtls.RootCertificateOptions{ |
|
|
|
RootProvider: serverRootProvider, |
|
|
|
}, |
|
|
|
RequireClientCert: true, |
|
|
|
VType: advancedtls.CertVerification, |
|
|
|
} |
|
|
|
allowedCommonNames := config.GetString(component + ".allowed_commonNames") |
|
|
|
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain") |
|
|
|
if allowedCommonNames != "" || allowedWildcardDomain != "" { |
|
|
@ -62,7 +71,16 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption |
|
|
|
AllowedCommonNames: allowedCommonNamesMap, |
|
|
|
AllowedWildcardDomain: allowedWildcardDomain, |
|
|
|
} |
|
|
|
return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate)) |
|
|
|
options.VerifyPeer = auther.Authenticate |
|
|
|
} else { |
|
|
|
options.VerifyPeer = func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { |
|
|
|
return &advancedtls.VerificationResults{}, nil |
|
|
|
} |
|
|
|
} |
|
|
|
ta, err := advancedtls.NewServerCreds(options) |
|
|
|
if err != nil { |
|
|
|
glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err) |
|
|
|
return nil, nil |
|
|
|
} |
|
|
|
return grpc.Creds(ta), nil |
|
|
|
} |
|
|
@ -77,25 +95,42 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption { |
|
|
|
return grpc.WithInsecure() |
|
|
|
} |
|
|
|
|
|
|
|
// load cert/key, cacert
|
|
|
|
cert, err := tls.LoadX509KeyPair(certFileName, keyFileName) |
|
|
|
clientOptions := pemfile.Options{ |
|
|
|
CertFile: certFileName, |
|
|
|
KeyFile: keyFileName, |
|
|
|
RefreshDuration: credRefreshingInterval, |
|
|
|
} |
|
|
|
clientProvider, err := pemfile.NewProvider(clientOptions) |
|
|
|
if err != nil { |
|
|
|
glog.V(1).Infof("load cert/key error: %v", err) |
|
|
|
glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err) |
|
|
|
return grpc.WithInsecure() |
|
|
|
} |
|
|
|
caCert, err := os.ReadFile(caFileName) |
|
|
|
clientRootOptions := pemfile.Options{ |
|
|
|
RootFile: config.GetString("grpc.ca"), |
|
|
|
RefreshDuration: credRefreshingInterval, |
|
|
|
} |
|
|
|
clientRootProvider, err := pemfile.NewProvider(clientRootOptions) |
|
|
|
if err != nil { |
|
|
|
glog.V(1).Infof("read ca cert file error: %v", err) |
|
|
|
glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err) |
|
|
|
return grpc.WithInsecure() |
|
|
|
} |
|
|
|
options := &advancedtls.ClientOptions{ |
|
|
|
IdentityOptions: advancedtls.IdentityCertificateOptions{ |
|
|
|
IdentityProvider: clientProvider, |
|
|
|
}, |
|
|
|
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { |
|
|
|
return &advancedtls.VerificationResults{}, nil |
|
|
|
}, |
|
|
|
RootOptions: advancedtls.RootCertificateOptions{ |
|
|
|
RootProvider: clientRootProvider, |
|
|
|
}, |
|
|
|
VType: advancedtls.CertVerification, |
|
|
|
} |
|
|
|
ta, err := advancedtls.NewClientCreds(options) |
|
|
|
if err != nil { |
|
|
|
glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err) |
|
|
|
return grpc.WithInsecure() |
|
|
|
} |
|
|
|
caCertPool := x509.NewCertPool() |
|
|
|
caCertPool.AppendCertsFromPEM(caCert) |
|
|
|
|
|
|
|
ta := credentials.NewTLS(&tls.Config{ |
|
|
|
Certificates: []tls.Certificate{cert}, |
|
|
|
RootCAs: caCertPool, |
|
|
|
InsecureSkipVerify: true, |
|
|
|
}) |
|
|
|
return grpc.WithTransportCredentials(ta) |
|
|
|
} |
|
|
|
|
|
|
@ -116,27 +151,14 @@ func LoadClientTLSHTTP(clientCertFile string) *tls.Config { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) { |
|
|
|
p, ok := peer.FromContext(ctx) |
|
|
|
if !ok { |
|
|
|
return ctx, status.Error(codes.Unauthenticated, "no peer found") |
|
|
|
func (a Authenticator) Authenticate(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { |
|
|
|
if a.AllowedWildcardDomain != "" && strings.HasSuffix(params.Leaf.Subject.CommonName, a.AllowedWildcardDomain) { |
|
|
|
return &advancedtls.VerificationResults{}, nil |
|
|
|
} |
|
|
|
|
|
|
|
tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo) |
|
|
|
if !ok { |
|
|
|
return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials") |
|
|
|
} |
|
|
|
if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 { |
|
|
|
return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate") |
|
|
|
} |
|
|
|
|
|
|
|
commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName |
|
|
|
if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) { |
|
|
|
return ctx, nil |
|
|
|
} |
|
|
|
if _, ok := a.AllowedCommonNames[commonName]; ok { |
|
|
|
return ctx, nil |
|
|
|
if _, ok := a.AllowedCommonNames[params.Leaf.Subject.CommonName]; ok { |
|
|
|
return &advancedtls.VerificationResults{}, nil |
|
|
|
} |
|
|
|
|
|
|
|
return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName) |
|
|
|
err := fmt.Errorf("Authenticate: invalid subject client common name: %s", params.Leaf.Subject.CommonName) |
|
|
|
glog.Error(err) |
|
|
|
return nil, err |
|
|
|
} |