seaweedfs/weed/security/tls.go

package security

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"os"
	"strings"

	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/peer"
	"google.golang.org/grpc/status"

	"github.com/chrislusf/seaweedfs/weed/glog"
	"github.com/chrislusf/seaweedfs/weed/util"
)

type Authenticator struct {
	AllowedWildcardDomain string
	AllowedCommonNames    map[string]bool
}

func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
	if config == nil {
		return nil, nil
	}

	// load cert/key, ca cert
	cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
	if err != nil {
		glog.V(1).Infof("load cert: %s / key: %s error: %v",
			config.GetString(component+".cert"),
			config.GetString(component+".key"),
			err)
		return nil, nil
	}
	caCert, err := os.ReadFile(config.GetString("grpc.ca"))
	if err != nil {
		glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err)
		return nil, nil
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)
	ta := credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientCAs:    caCertPool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	})

	allowedCommonNames := config.GetString(component + ".allowed_commonNames")
	allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
	if allowedCommonNames != "" || allowedWildcardDomain != "" {
		allowedCommonNamesMap := make(map[string]bool)
		for _, s := range strings.Split(allowedCommonNames, ",") {
			allowedCommonNamesMap[s] = true
		}
		auther := Authenticator{
			AllowedCommonNames:    allowedCommonNamesMap,
			AllowedWildcardDomain: allowedWildcardDomain,
		}
		return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
	}
	return grpc.Creds(ta), nil
}

func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
	if config == nil {
		return grpc.WithInsecure()
	}

	certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
	if certFileName == "" || keyFileName == "" || caFileName == "" {
		return grpc.WithInsecure()
	}

	// load cert/key, cacert
	cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
	if err != nil {
		glog.V(1).Infof("load cert/key error: %v", err)
		return grpc.WithInsecure()
	}
	caCert, err := os.ReadFile(caFileName)
	if err != nil {
		glog.V(1).Infof("read ca cert file error: %v", err)
		return grpc.WithInsecure()
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	ta := credentials.NewTLS(&tls.Config{
		Certificates:       []tls.Certificate{cert},
		RootCAs:            caCertPool,
		InsecureSkipVerify: true,
	})
	return grpc.WithTransportCredentials(ta)
}

func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
	p, ok := peer.FromContext(ctx)
	if !ok {
		return ctx, status.Error(codes.Unauthenticated, "no peer found")
	}

	tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
	if !ok {
		return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
	}
	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
	}

	commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
	if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
		return ctx, nil
	}
	if _, ok := a.AllowedCommonNames[commonName]; ok {
		return ctx, nil
	}

	return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
}
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`package security`

			`import (`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`"context"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`"crypto/tls"`
			`"crypto/x509"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`"os"`
comma-separated SSL certificate common names 2021-03-10 07:42:44 +00:00			`"strings"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`"google.golang.org/grpc"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`"google.golang.org/grpc/codes"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`"google.golang.org/grpc/credentials"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`"google.golang.org/grpc/peer"`
			`"google.golang.org/grpc/status"`
adjust log level 2020-02-23 05:23:30 +00:00
			`"github.com/chrislusf/seaweedfs/weed/glog"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`"github.com/chrislusf/seaweedfs/weed/util"`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`)`

permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`type Authenticator struct {`
allowed wildcard domain 2021-03-10 09:02:13 +00:00			`AllowedWildcardDomain string`
			`AllowedCommonNames map[string]bool`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`}`

			`func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if config == nil {`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`return nil, nil`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`}`

			`// load cert/key, ca cert`
			`cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))`
			`if err != nil {`
TLS allowed commonNames 2021-03-08 16:39:44 +00:00			`glog.V(1).Infof("load cert: %s / key: %s error: %v",`
			`config.GetString(component+".cert"),`
			`config.GetString(component+".key"),`
			`err)`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`return nil, nil`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`}`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`caCert, err := os.ReadFile(config.GetString("grpc.ca"))`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if err != nil {`
TLS allowed commonNames 2021-03-08 16:39:44 +00:00			`glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err)`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`return nil, nil`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`}`
			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`
			`ta := credentials.NewTLS(&tls.Config{`
			`Certificates: []tls.Certificate{cert},`
			`ClientCAs: caCertPool,`
			`ClientAuth: tls.RequireAndVerifyClientCert,`
			`})`

add comments 2021-03-10 09:42:39 +00:00			`allowedCommonNames := config.GetString(component + ".allowed_commonNames")`
allowed wildcard domain 2021-03-10 09:02:13 +00:00			`allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")`
add comments 2021-03-10 09:42:39 +00:00			`if allowedCommonNames != "" \|\| allowedWildcardDomain != "" {`
allowed wildcard domain 2021-03-10 09:02:13 +00:00			`allowedCommonNamesMap := make(map[string]bool)`
add comments 2021-03-10 09:42:39 +00:00			`for _, s := range strings.Split(allowedCommonNames, ",") {`
allowed wildcard domain 2021-03-10 09:02:13 +00:00			`allowedCommonNamesMap[s] = true`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`}`
			`auther := Authenticator{`
allowed wildcard domain 2021-03-10 09:02:13 +00:00			`AllowedCommonNames: allowedCommonNamesMap,`
			`AllowedWildcardDomain: allowedWildcardDomain,`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`}`
			`return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))`
			`}`
			`return grpc.Creds(ta), nil`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`}`

avoid concurrent map updates to viper 2021-01-12 10:28:13 +00:00			`func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if config == nil {`
			`return grpc.WithInsecure()`
			`}`

fix tls grpc ca path 2020-11-22 12:27:15 +00:00			`certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")`
refactor 2020-09-20 22:40:49 +00:00			`if certFileName == "" \|\| keyFileName == "" \|\| caFileName == "" {`
adjust logging 2020-09-20 22:38:59 +00:00			`return grpc.WithInsecure()`
			`}`

adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`// load cert/key, cacert`
adjust logging 2020-09-20 22:38:59 +00:00			`cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if err != nil {`
adjust log level 2020-02-23 05:23:30 +00:00			`glog.V(1).Infof("load cert/key error: %v", err)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`return grpc.WithInsecure()`
			`}`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 04:27:58 +00:00			`caCert, err := os.ReadFile(caFileName)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`if err != nil {`
adjust log level 2020-02-23 05:23:30 +00:00			`glog.V(1).Infof("read ca cert file error: %v", err)`
adding grpc mutual tls 2019-02-18 20:11:52 +00:00			`return grpc.WithInsecure()`
			`}`
			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`

			`ta := credentials.NewTLS(&tls.Config{`
			`Certificates: []tls.Certificate{cert},`
			`RootCAs: caCertPool,`
			`InsecureSkipVerify: true,`
			`})`
			`return grpc.WithTransportCredentials(ta)`
			`}`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00
			`func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {`
			`p, ok := peer.FromContext(ctx)`
			`if !ok {`
			`return ctx, status.Error(codes.Unauthenticated, "no peer found")`
			`}`

			`tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)`
			`if !ok {`
			`return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")`
			`}`
			`if len(tlsAuth.State.VerifiedChains) == 0 \|\| len(tlsAuth.State.VerifiedChains[0]) == 0 {`
			`return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")`
			`}`
add comments 2021-03-10 09:42:39 +00:00
allowed wildcard domain 2021-03-10 09:02:13 +00:00			`commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName`
			`if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {`
			`return ctx, nil`
			`}`
			`if _, ok := a.AllowedCommonNames[commonName]; ok {`
			`return ctx, nil`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`}`
add comments 2021-03-10 09:42:39 +00:00
			`return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 08:16:17 +00:00			`}`