Merge pull request #3226 from kmlebedev/advancedtls

Advancedtls

weed/security/tls.go

@@ -1,24 +1,22 @@
 package security
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
+	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
+	"google.golang.org/grpc/security/advancedtls"
 	"io/ioutil"
-	"os"
 	"strings"
-
-	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/status"
+	"time"
 
 	"github.com/chrislusf/seaweedfs/weed/glog"
 	"github.com/chrislusf/seaweedfs/weed/util"
+	"google.golang.org/grpc"
 )
 
+const credRefreshingInterval = time.Duration(5) * time.Hour
+
 type Authenticator struct {
 	AllowedWildcardDomain string
 	AllowedCommonNames    map[string]bool
@@ -29,28 +27,39 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 		return nil, nil
 	}
 
-	// load cert/key, ca cert
-	cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
-	if err != nil {
-		glog.V(1).Infof("load cert: %s / key: %s error: %v",
-			config.GetString(component+".cert"),
-			config.GetString(component+".key"),
-			err)
-		return nil, nil
+	serverOptions := pemfile.Options{
+		CertFile:        config.GetString(component + ".cert"),
+		KeyFile:         config.GetString(component + ".key"),
+		RefreshDuration: credRefreshingInterval,
 	}
-	caCert, err := os.ReadFile(config.GetString("grpc.ca"))
-	if err != nil {
-		glog.V(1).Infof("read ca cert file %s error: %v", config.GetString("grpc.ca"), err)
-		return nil, nil
-	}
-	caCertPool := x509.NewCertPool()
-	caCertPool.AppendCertsFromPEM(caCert)
-	ta := credentials.NewTLS(&tls.Config{
-		Certificates: []tls.Certificate{cert},
-		ClientCAs:    caCertPool,
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-	})
 
+	serverIdentityProvider, err := pemfile.NewProvider(serverOptions)
+	if err != nil {
+		glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverOptions, err)
+		return nil, nil
+	}
+
+	serverRootOptions := pemfile.Options{
+		RootFile:        config.GetString("grpc.ca"),
+		RefreshDuration: credRefreshingInterval,
+	}
+	serverRootProvider, err := pemfile.NewProvider(serverRootOptions)
+	if err != nil {
+		glog.Warningf("pemfile.NewProvider(%v) failed: %v", serverRootOptions, err)
+		return nil, nil
+	}
+
+	// Start a server and create a client using advancedtls API with Provider.
+	options := &advancedtls.ServerOptions{
+		IdentityOptions: advancedtls.IdentityCertificateOptions{
+			IdentityProvider: serverIdentityProvider,
+		},
+		RootOptions: advancedtls.RootCertificateOptions{
+			RootProvider: serverRootProvider,
+		},
+		RequireClientCert: true,
+		VType:             advancedtls.CertVerification,
+	}
 	allowedCommonNames := config.GetString(component + ".allowed_commonNames")
 	allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
 	if allowedCommonNames != "" || allowedWildcardDomain != "" {
@@ -62,7 +71,16 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 			AllowedCommonNames:    allowedCommonNamesMap,
 			AllowedWildcardDomain: allowedWildcardDomain,
 		}
-		return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
+		options.VerifyPeer = auther.Authenticate
+	} else {
+		options.VerifyPeer = func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
+			return &advancedtls.VerificationResults{}, nil
+		}
+	}
+	ta, err := advancedtls.NewServerCreds(options)
+	if err != nil {
+		glog.Warningf("advancedtls.NewServerCreds(%v) failed: %v", options, err)
+		return nil, nil
 	}
 	return grpc.Creds(ta), nil
 }
@@ -77,25 +95,42 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
 		return grpc.WithInsecure()
 	}
 
-	// load cert/key, cacert
-	cert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
+	clientOptions := pemfile.Options{
+		CertFile:        certFileName,
+		KeyFile:         keyFileName,
+		RefreshDuration: credRefreshingInterval,
+	}
+	clientProvider, err := pemfile.NewProvider(clientOptions)
 	if err != nil {
-		glog.V(1).Infof("load cert/key error: %v", err)
+		glog.Warningf("pemfile.NewProvider(%v) failed %v", clientOptions, err)
 		return grpc.WithInsecure()
 	}
-	caCert, err := os.ReadFile(caFileName)
+	clientRootOptions := pemfile.Options{
+		RootFile:        config.GetString("grpc.ca"),
+		RefreshDuration: credRefreshingInterval,
+	}
+	clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
 	if err != nil {
-		glog.V(1).Infof("read ca cert file error: %v", err)
+		glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
+		return grpc.WithInsecure()
+	}
+	options := &advancedtls.ClientOptions{
+		IdentityOptions: advancedtls.IdentityCertificateOptions{
+			IdentityProvider: clientProvider,
+		},
+		VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
+			return &advancedtls.VerificationResults{}, nil
+		},
+		RootOptions: advancedtls.RootCertificateOptions{
+			RootProvider: clientRootProvider,
+		},
+		VType: advancedtls.CertVerification,
+	}
+	ta, err := advancedtls.NewClientCreds(options)
+	if err != nil {
+		glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
 		return grpc.WithInsecure()
 	}
-	caCertPool := x509.NewCertPool()
-	caCertPool.AppendCertsFromPEM(caCert)
-
-	ta := credentials.NewTLS(&tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		RootCAs:            caCertPool,
-		InsecureSkipVerify: true,
-	})
 	return grpc.WithTransportCredentials(ta)
 }
 
@@ -116,27 +151,14 @@ func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
 	}
 }
 
-func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
-	p, ok := peer.FromContext(ctx)
-	if !ok {
-		return ctx, status.Error(codes.Unauthenticated, "no peer found")
+func (a Authenticator) Authenticate(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
+	if a.AllowedWildcardDomain != "" && strings.HasSuffix(params.Leaf.Subject.CommonName, a.AllowedWildcardDomain) {
+		return &advancedtls.VerificationResults{}, nil
 	}
-
-	tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
-	if !ok {
-		return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
+	if _, ok := a.AllowedCommonNames[params.Leaf.Subject.CommonName]; ok {
+		return &advancedtls.VerificationResults{}, nil
 	}
-	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
-		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
-	}
-
-	commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
-	if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
-		return ctx, nil
-	}
-	if _, ok := a.AllowedCommonNames[commonName]; ok {
-		return ctx, nil
-	}
-
-	return ctx, status.Errorf(codes.Unauthenticated, "invalid subject common name: %s", commonName)
+	err := fmt.Errorf("Authenticate: invalid subject client common name: %s", params.Leaf.Subject.CommonName)
+	glog.Error(err)
+	return nil, err
 }