From 348e21a08ccc52f6837613e7765e9d815850bd6c Mon Sep 17 00:00:00 2001
From: Konstantin Lebedev <lebedev_k@tochka.com>
Date: Wed, 10 Mar 2021 14:42:39 +0500
Subject: [PATCH] add comments

---
 docker/compose/tls.env   |  6 +++++-
 weed/command/scaffold.go |  1 +
 weed/security/tls.go     | 11 ++++++-----
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/docker/compose/tls.env b/docker/compose/tls.env
index e03f42e95..a82954c4f 100644
--- a/docker/compose/tls.env
+++ b/docker/compose/tls.env
@@ -7,4 +7,8 @@ WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.dev.key
 WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt
 WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key
 WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt
-WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key
\ No newline at end of file
+WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key
+WEED_GRPC_MASTER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_VOLUME_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_FILER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
+WEED_GRPC_CLIENT_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
\ No newline at end of file
diff --git a/weed/command/scaffold.go b/weed/command/scaffold.go
index 1e81d4d58..07d448042 100644
--- a/weed/command/scaffold.go
+++ b/weed/command/scaffold.go
@@ -440,6 +440,7 @@ expires_after_seconds = 10           # seconds
 # the host name is not checked, so the PERM files can be shared.
 [grpc]
 ca = ""
+# Set wildcard domain for enable TLS authentication by common names
 allowed_wildcard_domain = "" # .mycompany.com
 
 [grpc.volume]
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 59714d103..7d3ffcdca 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
@@ -50,11 +50,11 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 	})
 
-	allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
+	allowedCommonNames := config.GetString(component + ".allowed_commonNames")
 	allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
-	if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" {
+	if allowedCommonNames != "" || allowedWildcardDomain != "" {
 		allowedCommonNamesMap := make(map[string]bool)
-		for _, s := range allowedCommonNames {
+		for _, s := range strings.Split(allowedCommonNames, ",") {
 			allowedCommonNamesMap[s] = true
 		}
 		auther := Authenticator{
@@ -108,10 +108,10 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
 	if !ok {
 		return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
 	}
-
 	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
 		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
 	}
+
 	commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
 	if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
 		return ctx, nil
@@ -119,5 +119,6 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
 	if _, ok := a.AllowedCommonNames[commonName]; ok {
 		return ctx, nil
 	}
-	return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
+
+	return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
 }