pkg/rpc/credential.go

/*
 *     Copyright 2022 The Dragonfly Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package rpc

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"

	"github.com/johanbrandhorst/certify"
	"google.golang.org/grpc/credentials"

	logger "d7y.io/dragonfly/v2/internal/dflog"
)

const (
	// ForceTLSPolicy is both ClientHandshake and
	// ServerHandshake are only support tls.
	ForceTLSPolicy = "force"

	// PreferTLSPolicy is ServerHandshake supports tls and
	// insecure (non-tls), ClientHandshake will only support tls.
	PreferTLSPolicy = "prefer"

	// DefaultTLSPolicy is ServerHandshake supports tls
	// and insecure (non-tls), ClientHandshake will only support tls.
	DefaultTLSPolicy = "default"
)

// NewServerCredentialsByCertify returns server transport credentials by certify.
func NewServerCredentialsByCertify(tlsPolicy string, tlsVerify bool, pemClientCAs []byte, certifyClient *certify.Certify) (credentials.TransportCredentials, error) {
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(pemClientCAs) {
		return nil, errors.New("invalid CA Cert")
	}

	tlsConfig := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == "" {
				host, _, err := net.SplitHostPort(hello.Conn.LocalAddr().String())
				if err == nil {
					hello.ServerName = host
				} else {
					logger.Warnf("failed to get host from %s: %s", hello.Conn.LocalAddr().String(), err)
				}
			}

			return certifyClient.GetCertificate(hello)
		},
		ClientCAs: certPool,
	}

	if tlsVerify {
		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	}

	switch tlsPolicy {
	case DefaultTLSPolicy, PreferTLSPolicy:
		return NewMuxTransportCredentials(tlsConfig,
			WithTLSPreferClientHandshake(tlsPolicy == PreferTLSPolicy)), nil
	case ForceTLSPolicy:
		return credentials.NewTLS(tlsConfig), nil
	default:
		return nil, fmt.Errorf("invalid tlsPolicy: %s", tlsPolicy)
	}
}

// NewClientCredentialsByCertify returns client transport credentials by certify.
func NewClientCredentialsByCertify(tlsPolicy string, pemRootCAs []byte, certifyClient *certify.Certify) (credentials.TransportCredentials, error) {
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(pemRootCAs) {
		return nil, errors.New("invalid CA Cert")
	}

	tlsConfig := &tls.Config{
		GetClientCertificate: certifyClient.GetClientCertificate,
		RootCAs:              certPool,
	}

	switch tlsPolicy {
	case DefaultTLSPolicy, PreferTLSPolicy:
		return NewMuxTransportCredentials(tlsConfig,
			WithTLSPreferClientHandshake(tlsPolicy == PreferTLSPolicy)), nil
	case ForceTLSPolicy:
		return credentials.NewTLS(tlsConfig), nil
	default:
		return nil, fmt.Errorf("invalid tlsPolicy: %s", tlsPolicy)
	}
}

// NewClientCredentials returns client transport credentials.
func NewClientCredentials(tlsPolicy string, certs []tls.Certificate, pemRootCAs []byte) (credentials.TransportCredentials, error) {
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(pemRootCAs) {
		return nil, errors.New("invalid CA Cert")
	}

	tlsConfig := &tls.Config{
		RootCAs: certPool,
	}

	if len(certs) > 0 {
		tlsConfig.Certificates = certs
	}

	switch tlsPolicy {
	case DefaultTLSPolicy, PreferTLSPolicy:
		return NewMuxTransportCredentials(tlsConfig,
			WithTLSPreferClientHandshake(tlsPolicy == PreferTLSPolicy)), nil
	case ForceTLSPolicy:
		return credentials.NewTLS(tlsConfig), nil
	default:
		return nil, fmt.Errorf("invalid tlsPolicy: %s", tlsPolicy)
	}
}