Sign upLogin

asteris-llc/converge

View on GitHub
Star
rpc/security.go

Summary

Maintainability
A
0 mins
Test Coverage
// Copyright © 2016 Asteris, LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rpc

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "net"

    "github.com/Sirupsen/logrus"
    "github.com/pkg/errors"
    "google.golang.org/grpc"
    "google.golang.org/grpc/credentials"
)

// Security configuration for
type Security struct {
    Token string

    UseSSL   bool
    CAFile   string
    CertFile string // server only
    KeyFile  string // server only
}

// Server return a server option with the certificate credentials
func (s *Security) Server() (out []grpc.ServerOption) {
    if s.Token != "" {
        jwt := NewJWTAuth(s.Token)
        out = append(out, grpc.UnaryInterceptor(jwt.UnaryInterceptor))
        out = append(out, grpc.StreamInterceptor(jwt.StreamInterceptor))
    }

    return out
}

// WrapListener wraps a listener in a tls.Listener
func (s *Security) WrapListener(lis net.Listener) (net.Listener, error) {
    if s.CertFile == "" || s.KeyFile == "" {
        return nil, errors.New("need both certificate and key file")
    }

    cert, err := tls.LoadX509KeyPair(s.CertFile, s.KeyFile)
    if err != nil {
        return nil, errors.Wrap(err, "failed to load certificates")
    }

    config := &tls.Config{
        MinVersion:               tls.VersionTLS12,
        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
        PreferServerCipherSuites: true,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
        },

        Certificates: []tls.Certificate{cert},
    }

    return tls.NewListener(lis, config), nil
}

// Client returns a dial option for clients
func (s *Security) Client() (out []grpc.DialOption, err error) {
    if s.Token != "" {
        out = append(out, grpc.WithPerRPCCredentials(NewJWTAuth(s.Token)))
    }

    if s.UseSSL {
        logrus.Debug("setting up SSL")

        config, err := s.TLSConfig()
        if err != nil {
            return nil, err
        }

        out = append(out, grpc.WithTransportCredentials(credentials.NewTLS(config)))
    } else {
        logrus.Debug("not using SSL for client")

        out = append(out, grpc.WithInsecure())
    }

    return out, nil
}

// TLSConfig gets a TLS Config from this Security
func (s *Security) TLSConfig() (*tls.Config, error) {
    config := new(tls.Config)
    if s.CAFile != "" {
        certBytes, err := ioutil.ReadFile(s.CAFile)
        if err != nil {
            return nil, errors.Wrap(err, "could not load CA certificate")
        }
        logrus.WithField("cafile", s.CAFile).Debug("read CA certificate")

        roots := x509.NewCertPool()
        if !roots.AppendCertsFromPEM(certBytes) {
            return nil, errors.New("could not append CA certificate as PEM")
        }
        logrus.WithField("cafile", s.CAFile).Debug("loaded CA certificate as PEM")

        config.RootCAs = roots
    }

    return config, nil
}