From cb1d6a09b3366ff75da154cdfcb335c732935d49 Mon Sep 17 00:00:00 2001
From: Olgun Cengiz <olgun.cengiz@vereign.com>
Date: Tue, 11 Aug 2020 12:06:22 +0300
Subject: [PATCH] tls changes

---
 Gopkg.toml        |  6 +++-
 config/configs.go |  7 +++++
 server/server.go  | 76 ++++++++++++++++++++++++-----------------------
 utils/utils.go    |  7 +++--
 4 files changed, 55 insertions(+), 41 deletions(-)

diff --git a/Gopkg.toml b/Gopkg.toml
index f915437..2623289 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -1,7 +1,11 @@
 [[constraint]]
-  branch = "master"
+  branch = "1-loadbalancing"
   name = "code.vereign.com/code/viam-apis"
 
+[[override]]
+  branch = "1-loadbalancing"
+  name = "code.vereign.com/billing-and-federation/apis"
+
 [[override]]
   name = "github.com/hashicorp/go-retryablehttp"
   version = "=v0.5.4"
diff --git a/config/configs.go b/config/configs.go
index a0af36e..7291dea 100644
--- a/config/configs.go
+++ b/config/configs.go
@@ -29,6 +29,7 @@ var VereignCaKeyPEM []byte
 var ReplaceKey bool
 
 var MaxMessageSize int
+var UseTLS bool
 
 var GrpcListenAddress string
 var RestListenAddress string
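Review bot: The new exported `UseTLS` carries no doc comment, and what feeds it (the `useTls` key, read as an int) is only visible two hunks further down. Add `// UseTLS enables TLS on the gRPC listener and on the outbound data-storage and entities-manager clients; driven by the "useTls" config key, where 0 disables and any other value enables.` above the declaration so readers of the config package see the plaintext-vs-TLS switch without tracing the setter.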
@@ -55,6 +56,7 @@ func SetConfigValues(configFile, etcdURL string) {
 	viper.SetDefault("viamSession", "viam-session")
 
 	viper.SetDefault("maxMessageSize", 64)
+	viper.SetDefault("useTls", 1)
 
 	// Certification Related
 	// File System Defaults
@@ -143,6 +145,11 @@ func SetConfigValues(configFile, etcdURL string) {
 	SystemAuth.Session = viper.GetString("viamSession")
 
 	MaxMessageSize = viper.GetInt("maxMessageSize")
+	if viper.GetInt("useTls") == 0 {
+		UseTLS = false
+	} else {
+		UseTLS = true
+	}
 
 	PrometeusListenAddress = viper.GetString("prometeusListenAddress")
 
diff --git a/server/server.go b/server/server.go
index f24dba1..74df5f3 100644
--- a/server/server.go
+++ b/server/server.go
@@ -155,10 +155,6 @@ func createQueryTime(funcName string) prometheus.Summary {
 }
 
 func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignCertPEM, vereignPrivateKeyPEM []byte, dataStorageAddress string, maxMessageSize int) error {
-	pkgCertPEM = certPEM
-	pkgKeyPEM = privateKeyPEM
-	pkgCaCertPEM = caCertPEM
-
 	// create a listener on TCP port
 	lis, err := net.Listen("tcp", address)
 	if err != nil {
@@ -166,6 +162,45 @@ func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignC
 		return fmt.Errorf("failed to listen: %v", err)
 	}
 
+	pkgCertPEM = certPEM
+	pkgKeyPEM = privateKeyPEM
+	pkgCaCertPEM = caCertPEM
+
+	opts := []grpc.ServerOption{}
+	opts = append(opts, grpc.UnaryInterceptor(unaryInterceptor),
+		grpc.MaxRecvMsgSize(config.MaxMessageSize*1024*1024))
+
+	if config.UseTLS {
+		// Load the certificates from PEM Strings
+		certificate, err := tls.X509KeyPair(certPEM, privateKeyPEM)
+
+		if err != nil {
+			log.Printf("Error: %v", err)
+			return fmt.Errorf("could not load server key pair: %s", err)
+		}
+
+		// Create a certificate pool from the certificate authority
+		// Get the SystemCertPool, continue with an empty pool on error
+		certPool, _ := x509.SystemCertPool()
+		if certPool == nil {
+			certPool = x509.NewCertPool()
+		}
+
+		if ok := certPool.AppendCertsFromPEM(caCertPEM); !ok {
+			return fmt.Errorf("failed to append server certs")
+		}
+
+		// Create the TLS credentials
+		creds := credentials.NewTLS(&tls.Config{
+			//ClientAuth:   tls.RequireAndVerifyClientCert,
+			Certificates: []tls.Certificate{certificate},
+			ClientCAs:    certPool,
+		})
+
+		// Create an array of gRPC options with the credentials
+		opts = append(opts, grpc.Creds(creds))
+	}
+
 	// create a server instance
 	s := handler.KeyStorageServerImpl{
 		DataStorageUrl:       dataStorageAddress,
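Review bot: The two error returns inside the new `if config.UseTLS` block (after `tls.X509KeyPair` and after `AppendCertsFromPEM`) leave the already-opened listener `lis` open, so a bad certificate or CA bundle leaks the socket on every start attempt; either call `lis.Close()` ahead of each `return fmt.Errorf(...)`, or build the credentials before `net.Listen`, which is now straightforward since the block is self-contained. When `config.UseTLS` is false the server falls through to a plaintext listener with no trace in the logs; an `else { log.Printf("TLS disabled; gRPC on %s serves plaintext", address) }` would make that mode visible to operators. The moved `tls.Config` still sets `ClientCAs` while `ClientAuth` stays commented out, so with the default `NoClientCert` the pool has no effect and clients are not authenticated at the transport layer, which is worth stating in a comment if that is intended. StartGRPCServer continues outside the hunk.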
@@ -177,39 +212,6 @@ func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignC
 		MaxMessageSize:       maxMessageSize,
 	}
 
-	// Load the certificates from PEM Strings
-	certificate, err := tls.X509KeyPair(certPEM, privateKeyPEM)
-
-	if err != nil {
-		log.Printf("Error: %v", err)
-		return fmt.Errorf("could not load server key pair: %s", err)
-	}
-
-	// Create a certificate pool from the certificate authority
-	// Get the SystemCertPool, continue with an empty pool on error
-	certPool, _ := x509.SystemCertPool()
-	if certPool == nil {
-		certPool = x509.NewCertPool()
-	}
-
-	if ok := certPool.AppendCertsFromPEM(caCertPEM); !ok {
-		return fmt.Errorf("failed to append server certs")
-	}
-
-	// Create the TLS credentials
-	creds := credentials.NewTLS(&tls.Config{
-		//ClientAuth:   tls.RequireAndVerifyClientCert,
-		Certificates: []tls.Certificate{certificate},
-		ClientCAs:    certPool,
-	})
-
-	// Create an array of gRPC options with the credentials
-	opts := []grpc.ServerOption{
-		grpc.Creds(creds),
-		grpc.UnaryInterceptor(unaryInterceptor),
-		grpc.MaxRecvMsgSize(config.MaxMessageSize * 1024 * 1024),
-	}
-
 	// create a gRPC server object
 	grpcServer := grpc.NewServer(opts...)
 
diff --git a/utils/utils.go b/utils/utils.go
index 315171f..0db3225 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -18,12 +18,13 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
 package utils
 
 import (
-	"code.vereign.com/code/viam-apis/errors"
 	"crypto/rand"
 	"crypto/x509"
 	"fmt"
 	"io"
 
+	"code.vereign.com/code/viam-apis/errors"
+
 	"code.vereign.com/code/viam-apis/log"
 
 	"encoding/pem"
@@ -155,11 +156,11 @@ func GetKey(client *client.DataStorageClientImpl, uuid string, keyType api.KeyTy
 }
 
 func CreateDataStorageClient(auth *authentication.Authentication) *dsclient.DataStorageClientImpl {
-	return clientutils.CreateDataStorageClient(auth, config.DataStorageUrl, config.CertificatePEM,
+	return clientutils.CreateDataStorageClient(auth, config.DataStorageUrl, config.UseTLS, config.CertificatePEM,
 		config.PrivateKeyPEM, config.CaCertificatePEM, config.MaxMessageSize)
 }
 
 func CreateEntitiesManagementClient(auth *authentication.Authentication) *emclient.EntitiesManagerClientImpl {
-	return clientutils.CreateEntitiesManagementClient(auth, config.EntitiesManagerUrl, config.CertificatePEM,
+	return clientutils.CreateEntitiesManagementClient(auth, config.EntitiesManagerUrl, config.UseTLS, config.CertificatePEM,
 		config.PrivateKeyPEM, config.CaCertificatePEM, config.MaxMessageSize)
 }
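Review bot: Both exported constructors now thread `config.UseTLS` into the client helpers but carry no doc comment saying so; add `// CreateDataStorageClient builds a data-storage client from the package-level config, using TLS only when config.UseTLS is set.` and the matching comment on `CreateEntitiesManagementClient`. The new positional `bool` sits between the URL and the PEM blobs, so these calls presumably compile only against the `1-loadbalancing` branch pinned in Gopkg.toml; a dependency re-resolve to master would break the build, which is worth a line in the commit message.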
-- 
GitLab