2019-02-19 04:11:52 +08:00
|
|
|
package security
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2021-01-12 18:28:13 +08:00
|
|
|
"github.com/chrislusf/seaweedfs/weed/util"
|
2019-02-19 04:11:52 +08:00
|
|
|
"io/ioutil"
|
|
|
|
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
"google.golang.org/grpc/credentials"
|
2020-02-23 13:23:30 +08:00
|
|
|
|
|
|
|
"github.com/chrislusf/seaweedfs/weed/glog"
|
2019-02-19 04:11:52 +08:00
|
|
|
)
|
|
|
|
|
2021-01-12 18:28:13 +08:00
|
|
|
func LoadServerTLS(config *util.ViperProxy, component string) grpc.ServerOption {
|
2019-02-19 04:11:52 +08:00
|
|
|
if config == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// load cert/key, ca cert
|
|
|
|
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
|
|
|
|
if err != nil {
|
2020-02-23 13:23:30 +08:00
|
|
|
glog.V(1).Infof("load cert/key error: %v", err)
|
2019-02-19 04:11:52 +08:00
|
|
|
return nil
|
|
|
|
}
|
2020-11-22 20:27:15 +08:00
|
|
|
caCert, err := ioutil.ReadFile(config.GetString("grpc.ca"))
|
2019-02-19 04:11:52 +08:00
|
|
|
if err != nil {
|
2020-02-23 13:23:30 +08:00
|
|
|
glog.V(1).Infof("read ca cert file error: %v", err)
|
2019-02-19 04:11:52 +08:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
caCertPool := x509.NewCertPool()
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
|
|
ta := credentials.NewTLS(&tls.Config{
|
|
|
|
Certificates: []tls.Certificate{cert},
|
|
|
|
ClientCAs: caCertPool,
|
|
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
|
|
})
|
|
|
|
|
|
|
|
return grpc.Creds(ta)
|
|
|
|
}
|
|
|
|
|
2021-01-12 18:28:13 +08:00
|
|
|
func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
|
2019-02-19 04:11:52 +08:00
|
|
|
if config == nil {
|
|
|
|
return grpc.WithInsecure()
|
|
|
|
}
|
|
|
|
|
2020-11-22 20:27:15 +08:00
|
|
|
certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
|
2020-09-21 06:40:49 +08:00
|
|
|
if certFileName == "" || keyFileName == "" || caFileName == "" {
|
2020-09-21 06:38:59 +08:00
|
|
|
return grpc.WithInsecure()
|
|
|
|
}
|
|
|
|
|
2019-02-19 04:11:52 +08:00
|
|
|
// load cert/key, cacert
|
2020-09-21 06:38:59 +08:00
|
|
|
cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
|
2019-02-19 04:11:52 +08:00
|
|
|
if err != nil {
|
2020-02-23 13:23:30 +08:00
|
|
|
glog.V(1).Infof("load cert/key error: %v", err)
|
2019-02-19 04:11:52 +08:00
|
|
|
return grpc.WithInsecure()
|
|
|
|
}
|
2020-09-21 06:40:49 +08:00
|
|
|
caCert, err := ioutil.ReadFile(caFileName)
|
2019-02-19 04:11:52 +08:00
|
|
|
if err != nil {
|
2020-02-23 13:23:30 +08:00
|
|
|
glog.V(1).Infof("read ca cert file error: %v", err)
|
2019-02-19 04:11:52 +08:00
|
|
|
return grpc.WithInsecure()
|
|
|
|
}
|
|
|
|
caCertPool := x509.NewCertPool()
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
|
|
|
|
|
|
ta := credentials.NewTLS(&tls.Config{
|
|
|
|
Certificates: []tls.Certificate{cert},
|
|
|
|
RootCAs: caCertPool,
|
|
|
|
InsecureSkipVerify: true,
|
|
|
|
})
|
|
|
|
return grpc.WithTransportCredentials(ta)
|
|
|
|
}
|