seaweedfs/weed/security/tls.go

143 lines
4.2 KiB
Go
Raw Normal View History

2019-02-19 04:11:52 +08:00
package security
import (
"context"
2019-02-19 04:11:52 +08:00
"crypto/tls"
"crypto/x509"
"io/ioutil"
"os"
"strings"
2019-02-19 04:11:52 +08:00
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
2019-02-19 04:11:52 +08:00
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
2019-02-19 04:11:52 +08:00
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/peer"
"google.golang.org/grpc/status"
2020-02-23 13:23:30 +08:00
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/util"
2019-02-19 04:11:52 +08:00
)
type Authenticator struct {
2021-03-10 17:02:13 +08:00
AllowedWildcardDomain string
AllowedCommonNames map[string]bool
}
func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
2019-02-19 04:11:52 +08:00
if config == nil {
return nil, nil
2019-02-19 04:11:52 +08:00
}
// load cert/key, ca cert
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
if err != nil {
2021-03-09 00:39:44 +08:00
glog.V(1).Infof("load cert: %s / key: %s error: %v",
config.GetString(component+".cert"),
config.GetString(component+".key"),
err)
return nil, nil
2019-02-19 04:11:52 +08:00
}
caCert, err := os.ReadFile(config.GetString("grpc.ca"))
2019-02-19 04:11:52 +08:00
if err != nil {
2021-03-09 00:39:44 +08:00
glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err)
return nil, nil
2019-02-19 04:11:52 +08:00
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
ta := credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
})
2021-03-10 17:42:39 +08:00
allowedCommonNames := config.GetString(component + ".allowed_commonNames")
2021-03-10 17:02:13 +08:00
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
2021-03-10 17:42:39 +08:00
if allowedCommonNames != "" || allowedWildcardDomain != "" {
2021-03-10 17:02:13 +08:00
allowedCommonNamesMap := make(map[string]bool)
2021-03-10 17:42:39 +08:00
for _, s := range strings.Split(allowedCommonNames, ",") {
2021-03-10 17:02:13 +08:00
allowedCommonNamesMap[s] = true
}
auther := Authenticator{
2021-03-10 17:02:13 +08:00
AllowedCommonNames: allowedCommonNamesMap,
AllowedWildcardDomain: allowedWildcardDomain,
}
return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
}
return grpc.Creds(ta), nil
2019-02-19 04:11:52 +08:00
}
2021-01-12 18:28:13 +08:00
func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
2019-02-19 04:11:52 +08:00
if config == nil {
return grpc.WithInsecure()
}
2020-11-22 20:27:15 +08:00
certFileName, keyFileName, caFileName := config.GetString(component+".cert"), config.GetString(component+".key"), config.GetString("grpc.ca")
2020-09-21 06:40:49 +08:00
if certFileName == "" || keyFileName == "" || caFileName == "" {
2020-09-21 06:38:59 +08:00
return grpc.WithInsecure()
}
2019-02-19 04:11:52 +08:00
// load cert/key, cacert
2020-09-21 06:38:59 +08:00
cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
2019-02-19 04:11:52 +08:00
if err != nil {
2020-02-23 13:23:30 +08:00
glog.V(1).Infof("load cert/key error: %v", err)
2019-02-19 04:11:52 +08:00
return grpc.WithInsecure()
}
caCert, err := os.ReadFile(caFileName)
2019-02-19 04:11:52 +08:00
if err != nil {
2020-02-23 13:23:30 +08:00
glog.V(1).Infof("read ca cert file error: %v", err)
2019-02-19 04:11:52 +08:00
return grpc.WithInsecure()
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
ta := credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
InsecureSkipVerify: true,
})
return grpc.WithTransportCredentials(ta)
}
func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
clientCerts, err := ioutil.ReadFile(clientCertFile)
if err != nil {
glog.Fatal(err)
}
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM(clientCerts)
if !ok {
glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
}
return &tls.Config{
ClientCAs: certPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
}
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
p, ok := peer.FromContext(ctx)
if !ok {
return ctx, status.Error(codes.Unauthenticated, "no peer found")
}
tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
if !ok {
return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
}
if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
}
2021-03-10 17:42:39 +08:00
2021-03-10 17:02:13 +08:00
commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
return ctx, nil
}
if _, ok := a.AllowedCommonNames[commonName]; ok {
return ctx, nil
}
2021-03-10 17:42:39 +08:00
return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
}