seaweedfs/weed/security/tls.go

package security

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
	"google.golang.org/grpc/security/advancedtls"
	"io/ioutil"
	"strings"
	"time"

	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/peer"
	"google.golang.org/grpc/status"

	"github.com/chrislusf/seaweedfs/weed/glog"
	"github.com/chrislusf/seaweedfs/weed/util"
)

const credRefreshingInterval = 5 * time.Minute

type Authenticator struct {
	AllowedWildcardDomain string
	AllowedCommonNames    map[string]bool
}

func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
	if config == nil {
		return nil, nil
	}

	serverOptions := pemfile.Options{
		CertFile:        config.GetString(component + ".cert"),
		KeyFile:         config.GetString(component + ".key"),
		RefreshDuration: credRefreshingInterval,
	}

	serverIdentityProvider, err := pemfile.NewProvider(serverOptions)
	if err != nil {
		glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverOptions, err)
		return nil, nil
	}
	defer serverIdentityProvider.Close()

	serverRootOptions := pemfile.Options{
		RootFile:        config.GetString("grpc.ca"),
		RefreshDuration: credRefreshingInterval,
	}
	serverRootProvider, err := pemfile.NewProvider(serverRootOptions)
	if err != nil {
		glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)
		return nil, nil
	}
	defer serverIdentityProvider.Close()
	// Start a server and create a client using advancedtls API with Provider.
	options := &advancedtls.ServerOptions{
		IdentityOptions: advancedtls.IdentityCertificateOptions{
			IdentityProvider: serverIdentityProvider,
		},
		RootOptions: advancedtls.RootCertificateOptions{
			RootProvider: serverRootProvider,
		},
		RequireClientCert: true,
		VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
			glog.V(0).Infof("Client common name: %s.\n", params.Leaf.Subject.CommonName)
			return &advancedtls.VerificationResults{}, nil
		},
		VType: advancedtls.CertVerification,
	}
	ta, err := advancedtls.NewServerCreds(options)
	if err != nil {
		glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)
		return nil, nil
	}
	allowedCommonNames := config.GetString(component + ".allowed_commonNames")
	allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
	if allowedCommonNames != "" || allowedWildcardDomain != "" {
		allowedCommonNamesMap := make(map[string]bool)
		for _, s := range strings.Split(allowedCommonNames, ",") {
			allowedCommonNamesMap[s] = true
		}
		auther := Authenticator{
			AllowedCommonNames:    allowedCommonNamesMap,
			AllowedWildcardDomain: allowedWildcardDomain,
		}
		return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
	}
	return grpc.Creds(ta), nil
}

func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
	if config == nil {
		return grpc.WithInsecure()
	}

	certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
	if certFileName == "" || keyFileName == "" || caFileName == "" {
		return grpc.WithInsecure()
	}

	// Initialize credential struct using reloading API.
	clientOptions := pemfile.Options{
		CertFile:        certFileName,
		KeyFile:         keyFileName,
		RootFile:        caFileName,
		RefreshDuration: credRefreshingInterval,
	}
	clientProvider, err := pemfile.NewProvider(clientOptions)
	if err != nil {
		glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)
		return grpc.WithInsecure()
	}
	defer clientProvider.Close()
	options := &advancedtls.ClientOptions{
		VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
			return &advancedtls.VerificationResults{}, nil
		},
		RootOptions: advancedtls.RootCertificateOptions{
			RootProvider: clientProvider,
		},
		VType: advancedtls.CertVerification,
	}
	ta, err := advancedtls.NewClientCreds(options)
	if err != nil {
		glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
		return grpc.WithInsecure()
	}
	return grpc.WithTransportCredentials(ta)
}

func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
	clientCerts, err := ioutil.ReadFile(clientCertFile)
	if err != nil {
		glog.Fatal(err)
	}
	certPool := x509.NewCertPool()
	ok := certPool.AppendCertsFromPEM(clientCerts)
	if !ok {
		glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
	}

	return &tls.Config{
		ClientCAs:  certPool,
		ClientAuth: tls.RequireAndVerifyClientCert,
	}
}

func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
	p, ok := peer.FromContext(ctx)
	if !ok {
		return ctx, status.Error(codes.Unauthenticated, "no peer found")
	}

	tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
	if !ok {
		return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
	}
	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
	}

	commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
	if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
		return ctx, nil
	}
	if _, ok := a.AllowedCommonNames[commonName]; ok {
		return ctx, nil
	}

	return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
}
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`package security`

			`import (`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`"context"`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`"crypto/tls"`
			`"crypto/x509"`
initial advancedtls 2022-06-24 02:32:15 +08:00			`"google.golang.org/grpc/credentials/tls/certprovider/pemfile"`
			`"google.golang.org/grpc/security/advancedtls"`
Add mTLS support for both master and volume http server. 2022-03-15 07:22:52 +08:00			`"io/ioutil"`
comma-separated SSL certificate common names 2021-03-10 15:42:44 +08:00			`"strings"`
initial advancedtls 2022-06-24 02:32:15 +08:00			`"time"`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 12:27:58 +08:00			`grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`"google.golang.org/grpc"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 12:27:58 +08:00			`"google.golang.org/grpc/codes"`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`"google.golang.org/grpc/credentials"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 12:27:58 +08:00			`"google.golang.org/grpc/peer"`
			`"google.golang.org/grpc/status"`
adjust log level 2020-02-23 13:23:30 +08:00
			`"github.com/chrislusf/seaweedfs/weed/glog"`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-10-14 12:27:58 +08:00			`"github.com/chrislusf/seaweedfs/weed/util"`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`)`

initial advancedtls 2022-06-24 02:32:15 +08:00			`const credRefreshingInterval = 5 * time.Minute`

permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`type Authenticator struct {`
allowed wildcard domain 2021-03-10 17:02:13 +08:00			`AllowedWildcardDomain string`
			`AllowedCommonNames map[string]bool`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`}`

			`func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`if config == nil {`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`return nil, nil`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`}`

initial advancedtls 2022-06-24 02:32:15 +08:00			`serverOptions := pemfile.Options{`
			`CertFile: config.GetString(component + ".cert"),`
			`KeyFile: config.GetString(component + ".key"),`
			`RefreshDuration: credRefreshingInterval,`
			`}`

			`serverIdentityProvider, err := pemfile.NewProvider(serverOptions)`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`if err != nil {`
initial advancedtls 2022-06-24 02:32:15 +08:00			`glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverOptions, err)`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`return nil, nil`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`}`
initial advancedtls 2022-06-24 02:32:15 +08:00			`defer serverIdentityProvider.Close()`

			`serverRootOptions := pemfile.Options{`
			`RootFile: config.GetString("grpc.ca"),`
			`RefreshDuration: credRefreshingInterval,`
			`}`
			`serverRootProvider, err := pemfile.NewProvider(serverRootOptions)`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`if err != nil {`
initial advancedtls 2022-06-24 02:32:15 +08:00			`glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)`
			`return nil, nil`
			`}`
			`defer serverIdentityProvider.Close()`
			`// Start a server and create a client using advancedtls API with Provider.`
			`options := &advancedtls.ServerOptions{`
			`IdentityOptions: advancedtls.IdentityCertificateOptions{`
			`IdentityProvider: serverIdentityProvider,`
			`},`
			`RootOptions: advancedtls.RootCertificateOptions{`
			`RootProvider: serverRootProvider,`
			`},`
			`RequireClientCert: true,`
			`VerifyPeer: func(params advancedtls.VerificationFuncParams) (advancedtls.VerificationResults, error) {`
			`glog.V(0).Infof("Client common name: %s.\n", params.Leaf.Subject.CommonName)`
			`return &advancedtls.VerificationResults{}, nil`
			`},`
			`VType: advancedtls.CertVerification,`
			`}`
			`ta, err := advancedtls.NewServerCreds(options)`
			`if err != nil {`
			`glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`return nil, nil`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`}`
add comments 2021-03-10 17:42:39 +08:00			`allowedCommonNames := config.GetString(component + ".allowed_commonNames")`
allowed wildcard domain 2021-03-10 17:02:13 +08:00			`allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")`
add comments 2021-03-10 17:42:39 +08:00			`if allowedCommonNames != "" \|\| allowedWildcardDomain != "" {`
allowed wildcard domain 2021-03-10 17:02:13 +08:00			`allowedCommonNamesMap := make(map[string]bool)`
add comments 2021-03-10 17:42:39 +08:00			`for _, s := range strings.Split(allowedCommonNames, ",") {`
allowed wildcard domain 2021-03-10 17:02:13 +08:00			`allowedCommonNamesMap[s] = true`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`}`
			`auther := Authenticator{`
allowed wildcard domain 2021-03-10 17:02:13 +08:00			`AllowedCommonNames: allowedCommonNamesMap,`
			`AllowedWildcardDomain: allowedWildcardDomain,`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`}`
			`return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))`
			`}`
			`return grpc.Creds(ta), nil`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`}`

avoid concurrent map updates to viper 2021-01-12 18:28:13 +08:00			`func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`if config == nil {`
			`return grpc.WithInsecure()`
			`}`

fix tls grpc ca path 2020-11-22 20:27:15 +08:00			`certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")`
refactor 2020-09-21 06:40:49 +08:00			`if certFileName == "" \|\| keyFileName == "" \|\| caFileName == "" {`
adjust logging 2020-09-21 06:38:59 +08:00			`return grpc.WithInsecure()`
			`}`

initial advancedtls 2022-06-24 02:32:15 +08:00			`// Initialize credential struct using reloading API.`
			`clientOptions := pemfile.Options{`
			`CertFile: certFileName,`
			`KeyFile: keyFileName,`
			`RootFile: caFileName,`
			`RefreshDuration: credRefreshingInterval,`
			`}`
			`clientProvider, err := pemfile.NewProvider(clientOptions)`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`if err != nil {`
initial advancedtls 2022-06-24 02:32:15 +08:00			`glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`return grpc.WithInsecure()`
			`}`
initial advancedtls 2022-06-24 02:32:15 +08:00			`defer clientProvider.Close()`
			`options := &advancedtls.ClientOptions{`
			`VerifyPeer: func(params advancedtls.VerificationFuncParams) (advancedtls.VerificationResults, error) {`
			`return &advancedtls.VerificationResults{}, nil`
			`},`
			`RootOptions: advancedtls.RootCertificateOptions{`
			`RootProvider: clientProvider,`
			`},`
			`VType: advancedtls.CertVerification,`
			`}`
			`ta, err := advancedtls.NewClientCreds(options)`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`if err != nil {`
initial advancedtls 2022-06-24 02:32:15 +08:00			`glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)`
adding grpc mutual tls 2019-02-19 04:11:52 +08:00			`return grpc.WithInsecure()`
			`}`
			`return grpc.WithTransportCredentials(ta)`
			`}`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00
Add mTLS support for both master and volume http server. 2022-03-15 07:22:52 +08:00			`func LoadClientTLSHTTP(clientCertFile string) *tls.Config {`
			`clientCerts, err := ioutil.ReadFile(clientCertFile)`
			`if err != nil {`
			`glog.Fatal(err)`
			`}`
			`certPool := x509.NewCertPool()`
			`ok := certPool.AppendCertsFromPEM(clientCerts)`
			`if !ok {`
			`glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)`
			`}`

			`return &tls.Config{`
			`ClientCAs: certPool,`
			`ClientAuth: tls.RequireAndVerifyClientCert,`
			`}`
			`}`

permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {`
			`p, ok := peer.FromContext(ctx)`
			`if !ok {`
			`return ctx, status.Error(codes.Unauthenticated, "no peer found")`
			`}`

			`tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)`
			`if !ok {`
			`return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")`
			`}`
			`if len(tlsAuth.State.VerifiedChains) == 0 \|\| len(tlsAuth.State.VerifiedChains[0]) == 0 {`
			`return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")`
			`}`
add comments 2021-03-10 17:42:39 +08:00
allowed wildcard domain 2021-03-10 17:02:13 +08:00			`commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName`
			`if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {`
			`return ctx, nil`
			`}`
			`if _, ok := a.AllowedCommonNames[commonName]; ok {`
			`return ctx, nil`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`}`
add comments 2021-03-10 17:42:39 +08:00
			`return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)`
permitCommonNames https://github.com/chrislusf/seaweedfs/issues/1841 https://jbrandhorst.com/post/grpc-auth/ 2021-03-08 16:16:17 +08:00			`}`