seaweedfs/weed/security/tls.go

169 lines
5.5 KiB
Go
Raw Permalink Normal View History

2019-02-18 20:11:52 +00:00
package security
import (
"crypto/tls"
"crypto/x509"
2022-06-23 20:42:04 +00:00
"fmt"
2022-07-29 08:34:39 +00:00
"google.golang.org/grpc/credentials/insecure"
2022-06-23 18:32:15 +00:00
"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
"google.golang.org/grpc/security/advancedtls"
"os"
"strings"
2022-06-23 18:32:15 +00:00
"time"
2019-02-18 20:11:52 +00:00
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/util"
2022-06-23 20:42:04 +00:00
"google.golang.org/grpc"
2019-02-18 20:11:52 +00:00
)
const CredRefreshingInterval = time.Duration(5) * time.Hour
2022-06-23 18:32:15 +00:00
type Authenticator struct {
2021-03-10 09:02:13 +00:00
AllowedWildcardDomain string
AllowedCommonNames map[string]bool
}
func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
2019-02-18 20:11:52 +00:00
if config == nil {
return nil, nil
2019-02-18 20:11:52 +00:00
}
2022-06-23 18:32:15 +00:00
serverOptions := pemfile.Options{
CertFile: config.GetString(component + ".cert"),
KeyFile: config.GetString(component + ".key"),
RefreshDuration: CredRefreshingInterval,
}
if serverOptions.CertFile == "" || serverOptions.KeyFile == "" {
return nil, nil
2022-06-23 18:32:15 +00:00
}
serverIdentityProvider, err := pemfile.NewProvider(serverOptions)
2019-02-18 20:11:52 +00:00
if err != nil {
glog.Warningf("pemfile.NewProvider(%v) %v failed: %v", serverOptions, component, err)
return nil, nil
2019-02-18 20:11:52 +00:00
}
2022-06-23 18:32:15 +00:00
serverRootOptions := pemfile.Options{
RootFile: config.GetString("grpc.ca"),
RefreshDuration: CredRefreshingInterval,
2022-06-23 18:32:15 +00:00
}
serverRootProvider, err := pemfile.NewProvider(serverRootOptions)
2019-02-18 20:11:52 +00:00
if err != nil {
2022-06-23 18:32:15 +00:00
glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)
return nil, nil
}
2022-06-23 20:50:13 +00:00
2022-06-23 18:32:15 +00:00
// Start a server and create a client using advancedtls API with Provider.
options := &advancedtls.ServerOptions{
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: serverIdentityProvider,
},
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: serverRootProvider,
},
2022-06-23 19:29:23 +00:00
RequireClientCert: true,
2022-06-23 20:42:04 +00:00
VType: advancedtls.CertVerification,
2019-02-18 20:11:52 +00:00
}
2021-03-10 09:42:39 +00:00
allowedCommonNames := config.GetString(component + ".allowed_commonNames")
2021-03-10 09:02:13 +00:00
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
2021-03-10 09:42:39 +00:00
if allowedCommonNames != "" || allowedWildcardDomain != "" {
2021-03-10 09:02:13 +00:00
allowedCommonNamesMap := make(map[string]bool)
2021-03-10 09:42:39 +00:00
for _, s := range strings.Split(allowedCommonNames, ",") {
2021-03-10 09:02:13 +00:00
allowedCommonNamesMap[s] = true
}
auther := Authenticator{
2021-03-10 09:02:13 +00:00
AllowedCommonNames: allowedCommonNamesMap,
AllowedWildcardDomain: allowedWildcardDomain,
}
2022-06-23 20:42:04 +00:00
options.VerifyPeer = auther.Authenticate
} else {
options.VerifyPeer = func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
return &advancedtls.VerificationResults{}, nil
}
}
ta, err := advancedtls.NewServerCreds(options)
if err != nil {
glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)
return nil, nil
}
return grpc.Creds(ta), nil
2019-02-18 20:11:52 +00:00
}
2021-01-12 10:28:13 +00:00
func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
2019-02-18 20:11:52 +00:00
if config == nil {
2022-07-29 08:34:39 +00:00
return grpc.WithTransportCredentials(insecure.NewCredentials())
2019-02-18 20:11:52 +00:00
}
2020-11-22 12:27:15 +00:00
certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
2020-09-20 22:40:49 +00:00
if certFileName == "" || keyFileName == "" || caFileName == "" {
2022-07-29 08:34:39 +00:00
return grpc.WithTransportCredentials(insecure.NewCredentials())
2020-09-20 22:38:59 +00:00
}
2022-06-23 18:32:15 +00:00
clientOptions := pemfile.Options{
CertFile: certFileName,
KeyFile: keyFileName,
RefreshDuration: CredRefreshingInterval,
2022-06-23 18:32:15 +00:00
}
clientProvider, err := pemfile.NewProvider(clientOptions)
2019-02-18 20:11:52 +00:00
if err != nil {
2022-06-23 18:32:15 +00:00
glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)
2022-07-29 08:34:39 +00:00
return grpc.WithTransportCredentials(insecure.NewCredentials())
2019-02-18 20:11:52 +00:00
}
2022-06-23 19:26:56 +00:00
clientRootOptions := pemfile.Options{
RootFile: config.GetString("grpc.ca"),
RefreshDuration: CredRefreshingInterval,
2022-06-23 19:26:56 +00:00
}
clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
if err != nil {
glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
2022-07-29 08:34:39 +00:00
return grpc.WithTransportCredentials(insecure.NewCredentials())
2022-06-23 19:26:56 +00:00
}
2022-06-23 18:32:15 +00:00
options := &advancedtls.ClientOptions{
2022-06-23 19:26:56 +00:00
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: clientProvider,
},
2022-06-23 18:32:15 +00:00
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
return &advancedtls.VerificationResults{}, nil
},
RootOptions: advancedtls.RootCertificateOptions{
2022-06-23 19:26:56 +00:00
RootProvider: clientRootProvider,
2022-06-23 18:32:15 +00:00
},
2022-06-23 19:29:23 +00:00
VType: advancedtls.CertVerification,
2022-06-23 18:32:15 +00:00
}
ta, err := advancedtls.NewClientCreds(options)
2019-02-18 20:11:52 +00:00
if err != nil {
2022-06-23 18:32:15 +00:00
glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
2022-07-29 08:34:39 +00:00
return grpc.WithTransportCredentials(insecure.NewCredentials())
2019-02-18 20:11:52 +00:00
}
return grpc.WithTransportCredentials(ta)
}
func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
clientCerts, err := os.ReadFile(clientCertFile)
if err != nil {
glog.Fatal(err)
}
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM(clientCerts)
if !ok {
glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
}
return &tls.Config{
ClientCAs: certPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
}
2022-06-23 20:42:04 +00:00
func (a Authenticator) Authenticate(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
if a.AllowedWildcardDomain != "" && strings.HasSuffix(params.Leaf.Subject.CommonName, a.AllowedWildcardDomain) {
return &advancedtls.VerificationResults{}, nil
}
2022-06-23 20:42:04 +00:00
if _, ok := a.AllowedCommonNames[params.Leaf.Subject.CommonName]; ok {
return &advancedtls.VerificationResults{}, nil
}
2022-06-23 20:42:04 +00:00
err := fmt.Errorf("Authenticate: invalid subject client common name: %s", params.Leaf.Subject.CommonName)
glog.Error(err)
return nil, err
}