seaweedfs/weed/security/tls.go

package security

import (
	"crypto/tls"
	"crypto/x509"
	"github.com/chrislusf/seaweedfs/weed/util"
	"io/ioutil"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"

	"github.com/chrislusf/seaweedfs/weed/glog"
)

func LoadServerTLS(config *util.ViperProxy, component string) grpc.ServerOption {
	if config == nil {
		return nil
	}

	// load cert/key, ca cert
	cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
	if err != nil {
		glog.V(1).Infof("load cert/key error: %v", err)
		return nil
	}
	caCert, err := ioutil.ReadFile(config.GetString("grpc.ca"))
	if err != nil {
		glog.V(1).Infof("read ca cert file error: %v", err)
		return nil
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)
	ta := credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientCAs:    caCertPool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	})

	return grpc.Creds(ta)
}

func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
	if config == nil {
		return grpc.WithInsecure()
	}

	certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
	if certFileName == "" || keyFileName == "" || caFileName == "" {
		return grpc.WithInsecure()
	}

	// load cert/key, cacert
	cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
	if err != nil {
		glog.V(1).Infof("load cert/key error: %v", err)
		return grpc.WithInsecure()
	}
	caCert, err := ioutil.ReadFile(caFileName)
	if err != nil {
		glog.V(1).Infof("read ca cert file error: %v", err)
		return grpc.WithInsecure()
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	ta := credentials.NewTLS(&tls.Config{
		Certificates:       []tls.Certificate{cert},
		RootCAs:            caCertPool,
		InsecureSkipVerify: true,
	})
	return grpc.WithTransportCredentials(ta)
}
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`package security`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
avoid concurrent map updates to viper 2021-01-12 10:28:13 +00:00			`"github.com/chrislusf/seaweedfs/weed/util"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`"io/ioutil"`

			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/credentials"`
adjust log level 2020-02-23 05:23:30 +00:00
			`"github.com/chrislusf/seaweedfs/weed/glog"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`)`

avoid concurrent map updates to viper 2021-01-12 10:28:13 +00:00			`func LoadServerTLS(config *util.ViperProxy, component string) grpc.ServerOption {`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if config == nil {`
			`return nil`
			`}`

			`// load cert/key, ca cert`
			`cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))`
			`if err != nil {`
adjust log level 2020-02-23 05:23:30 +00:00			`glog.V(1).Infof("load cert/key error: %v", err)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`return nil`
			`}`
fix tls grpc ca path 2020-11-22 12:27:15 +00:00			`caCert, err := ioutil.ReadFile(config.GetString("grpc.ca"))`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if err != nil {`
adjust log level 2020-02-23 05:23:30 +00:00			`glog.V(1).Infof("read ca cert file error: %v", err)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`return nil`
			`}`
			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`
			`ta := credentials.NewTLS(&tls.Config{`
			`Certificates: []tls.Certificate{cert},`
			`ClientCAs: caCertPool,`
			`ClientAuth: tls.RequireAndVerifyClientCert,`
			`})`

			`return grpc.Creds(ta)`
			`}`

avoid concurrent map updates to viper 2021-01-12 10:28:13 +00:00			`func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if config == nil {`
			`return grpc.WithInsecure()`
			`}`

fix tls grpc ca path 2020-11-22 12:27:15 +00:00			`certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")`
refactor 2020-09-20 22:40:49 +00:00			`if certFileName == "" \|\| keyFileName == "" \|\| caFileName == "" {`
adjust logging 2020-09-20 22:38:59 +00:00			`return grpc.WithInsecure()`
			`}`

adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`// load cert/key, cacert`
adjust logging 2020-09-20 22:38:59 +00:00			`cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if err != nil {`
adjust log level 2020-02-23 05:23:30 +00:00			`glog.V(1).Infof("load cert/key error: %v", err)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`return grpc.WithInsecure()`
			`}`
refactor 2020-09-20 22:40:49 +00:00			`caCert, err := ioutil.ReadFile(caFileName)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if err != nil {`
adjust log level 2020-02-23 05:23:30 +00:00			`glog.V(1).Infof("read ca cert file error: %v", err)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`return grpc.WithInsecure()`
			`}`
			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`

			`ta := credentials.NewTLS(&tls.Config{`
			`Certificates: []tls.Certificate{cert},`
			`RootCAs: caCertPool,`
			`InsecureSkipVerify: true,`
			`})`
			`return grpc.WithTransportCredentials(ta)`
			`}`