From 831953c55c04e8fca50bffd1c45197ea065e6b60 Mon Sep 17 00:00:00 2001 From: Konstantin Lebedev Date: Wed, 10 Mar 2021 14:02:13 +0500 Subject: [PATCH] allowed wildcard domain --- docker/Makefile | 16 ++++++++-------- docker/compose/tls.env | 21 +++++++++------------ weed/command/scaffold.go | 1 + weed/security/tls.go | 28 +++++++++++++++++----------- 4 files changed, 35 insertions(+), 31 deletions(-) diff --git a/docker/Makefile b/docker/Makefile index c589fea83..345eac272 100644 --- a/docker/Makefile +++ b/docker/Makefile @@ -48,11 +48,11 @@ clean: certstrap: go get github.com/square/certstrap certstrap --depot-path compose/tls init --passphrase "" --common-name "SeaweedFS CA" || true - certstrap --depot-path compose/tls request-cert --passphrase "" --common-name volume01 || true - certstrap --depot-path compose/tls request-cert --passphrase "" --common-name master01 || true - certstrap --depot-path compose/tls request-cert --passphrase "" --common-name filer01 || true - certstrap --depot-path compose/tls request-cert --passphrase "" --common-name client01 || true - certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" volume01 || true - certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" master01 || true - certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" filer01 || true - certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" client01 || true \ No newline at end of file + certstrap --depot-path compose/tls request-cert --passphrase "" --common-name volume01.dev || true + certstrap --depot-path compose/tls request-cert --passphrase "" --common-name master01.dev || true + certstrap --depot-path compose/tls request-cert --passphrase "" --common-name filer01.dev || true + certstrap --depot-path compose/tls request-cert --passphrase "" --common-name client01.dev || true + certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" volume01.dev || true + certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" master01.dev || true + certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" filer01.dev || true + certstrap --depot-path compose/tls sign --CA "SeaweedFS CA" client01.dev || true \ No newline at end of file diff --git a/docker/compose/tls.env b/docker/compose/tls.env index 126b48e47..e03f42e95 100644 --- a/docker/compose/tls.env +++ b/docker/compose/tls.env @@ -1,13 +1,10 @@ WEED_GRPC_CA=/etc/seaweedfs/tls/SeaweedFS_CA.crt -WEED_GRPC_MASTER_CERT=/etc/seaweedfs/tls/master01.crt -WEED_GRPC_MASTER_KEY=/etc/seaweedfs/tls/master01.key -WEED_GRPC_VOLUME_CERT=/etc/seaweedfs/tls/volume01.crt -WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.key -WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.crt -WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.key -WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.crt -WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.key -WEED_GRPC_MASTER_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01" -WEED_GRPC_VOLUME_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01" -WEED_GRPC_FILER_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01" -WEED_GRPC_CLIENT_ALLOWED_COMMONNAMES="volume01,master01,filer01,client01" \ No newline at end of file +WEED_GRPC_ALLOWED_WILDCARD_DOMAIN=".dev" +WEED_GRPC_MASTER_CERT=/etc/seaweedfs/tls/master01.dev.crt +WEED_GRPC_MASTER_KEY=/etc/seaweedfs/tls/master01.dev.key +WEED_GRPC_VOLUME_CERT=/etc/seaweedfs/tls/volume01.dev.crt +WEED_GRPC_VOLUME_KEY=/etc/seaweedfs/tls/volume01.dev.key +WEED_GRPC_FILER_CERT=/etc/seaweedfs/tls/filer01.dev.crt +WEED_GRPC_FILER_KEY=/etc/seaweedfs/tls/filer01.dev.key +WEED_GRPC_CLIENT_CERT=/etc/seaweedfs/tls/client01.dev.crt +WEED_GRPC_CLIENT_KEY=/etc/seaweedfs/tls/client01.dev.key \ No newline at end of file diff --git a/weed/command/scaffold.go b/weed/command/scaffold.go index 6893190a8..1e81d4d58 100644 --- a/weed/command/scaffold.go +++ b/weed/command/scaffold.go @@ -440,6 +440,7 @@ expires_after_seconds = 10 # seconds # the host name is not checked, so the PERM files can be shared. [grpc] ca = "" +allowed_wildcard_domain = "" # .mycompany.com [grpc.volume] cert = "" diff --git a/weed/security/tls.go b/weed/security/tls.go index 2550559bc..59714d103 100644 --- a/weed/security/tls.go +++ b/weed/security/tls.go @@ -19,7 +19,8 @@ import ( ) type Authenticator struct { - PermitCommonNames map[string]bool + AllowedWildcardDomain string + AllowedCommonNames map[string]bool } func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) { @@ -49,14 +50,16 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption ClientAuth: tls.RequireAndVerifyClientCert, }) - permitCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",") - if len(permitCommonNames) > 0 { - permitCommonNamesMap := make(map[string]bool) - for _, s := range permitCommonNames { - permitCommonNamesMap[s] = true + allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",") + allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain") + if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" { + allowedCommonNamesMap := make(map[string]bool) + for _, s := range allowedCommonNames { + allowedCommonNamesMap[s] = true } auther := Authenticator{ - PermitCommonNames: permitCommonNamesMap, + AllowedCommonNames: allowedCommonNamesMap, + AllowedWildcardDomain: allowedWildcardDomain, } return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate)) } @@ -109,9 +112,12 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 { return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate") } - - if _, ok := a.PermitCommonNames[tlsAuth.State.VerifiedChains[0][0].Subject.CommonName]; !ok { - return ctx, status.Error(codes.Unauthenticated, "invalid subject common name") + commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName + if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) { + return ctx, nil } - return ctx, nil + if _, ok := a.AllowedCommonNames[commonName]; ok { + return ctx, nil + } + return ctx, status.Error(codes.Unauthenticated, "invalid subject common name") }