add comments

This commit is contained in:
Konstantin Lebedev 2021-03-10 14:42:39 +05:00
parent 831953c55c
commit 348e21a08c
3 changed files with 12 additions and 6 deletions

View file

@ -7,4 +7,8 @@ WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.dev.key
WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt
WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key
WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt
WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key
WEED_GRPC_MASTER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
WEED_GRPC_VOLUME_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
WEED_GRPC_FILER_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"
WEED_GRPC_CLIENT_ALLOWED_COMMONNAMES="volume01.dev,master01.dev,filer01.dev,client01.dev"

View file

@ -440,6 +440,7 @@ expires_after_seconds = 10 # seconds
# the host name is not checked, so the PERM files can be shared. # the host name is not checked, so the PERM files can be shared.
[grpc] [grpc]
ca = "" ca = ""
# Set wildcard domain for enable TLS authentication by common names
allowed_wildcard_domain = "" # .mycompany.com allowed_wildcard_domain = "" # .mycompany.com
[grpc.volume] [grpc.volume]

View file

@ -50,11 +50,11 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
ClientAuth: tls.RequireAndVerifyClientCert, ClientAuth: tls.RequireAndVerifyClientCert,
}) })
allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",") allowedCommonNames := config.GetString(component + ".allowed_commonNames")
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain") allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" { if allowedCommonNames != "" || allowedWildcardDomain != "" {
allowedCommonNamesMap := make(map[string]bool) allowedCommonNamesMap := make(map[string]bool)
for _, s := range allowedCommonNames { for _, s := range strings.Split(allowedCommonNames, ",") {
allowedCommonNamesMap[s] = true allowedCommonNamesMap[s] = true
} }
auther := Authenticator{ auther := Authenticator{
@ -108,10 +108,10 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
if !ok { if !ok {
return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials") return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
} }
if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 { if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate") return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
} }
commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) { if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
return ctx, nil return ctx, nil
@ -119,5 +119,6 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
if _, ok := a.AllowedCommonNames[commonName]; ok { if _, ok := a.AllowedCommonNames[commonName]; ok {
return ctx, nil return ctx, nil
} }
return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
} }