-
Notifications
You must be signed in to change notification settings - Fork 390
/
fetchidentity.go
116 lines (98 loc) · 3.3 KB
/
fetchidentity.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package transport
import (
"context"
"net"
"sync"
"github.com/zeebo/errs"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"storj.io/storj/pkg/identity"
"storj.io/storj/pkg/pb"
"storj.io/storj/pkg/peertls"
)
// handshakeCapture implements a credentials.TransportCredentials for capturing handshake information.
type handshakeCapture struct {
credentials.TransportCredentials
mu sync.Mutex
authInfo credentials.AuthInfo
}
// ClientHandshake does the authentication handshake specified by the corresponding
// authentication protocol on conn for clients. It returns the authenticated
// connection and the corresponding auth information about the connection.
func (capture *handshakeCapture) ClientHandshake(ctx context.Context, s string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
conn, auth, err := capture.TransportCredentials.ClientHandshake(ctx, s, conn)
if err == nil {
capture.mu.Lock()
capture.authInfo = auth
capture.mu.Unlock()
}
return conn, auth, err
}
// ServerHandshake does the authentication handshake for servers. It returns
// the authenticated connection and the corresponding auth information about
// the connection.
func (capture *handshakeCapture) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
conn, auth, err := capture.TransportCredentials.ServerHandshake(conn)
if err == nil {
capture.mu.Lock()
capture.authInfo = auth
capture.mu.Unlock()
}
return conn, auth, err
}
// FetchPeerIdentity dials the node and fetches the identity
func (transport *Transport) FetchPeerIdentity(ctx context.Context, node *pb.Node, opts ...grpc.DialOption) (_ *identity.PeerIdentity, err error) {
defer mon.Task()(&ctx, "node: "+node.Id.String()[0:8])(&err)
if node.Address == nil || node.Address.Address == "" {
return nil, Error.New("no address")
}
tlsConfig := transport.tlsOpts.ClientTLSConfig(node.Id)
capture := &handshakeCapture{
TransportCredentials: credentials.NewTLS(tlsConfig),
}
options := append([]grpc.DialOption{
grpc.WithTransportCredentials(capture),
grpc.WithBlock(),
grpc.FailOnNonTempDialError(true),
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", addr)
if err != nil {
return nil, err
}
return &timeoutConn{conn: conn, timeout: transport.timeouts.Request}, nil
}),
}, opts...)
timedCtx, cancel := context.WithTimeout(ctx, transport.timeouts.Dial)
defer cancel()
conn, err := grpc.DialContext(timedCtx, node.GetAddress().Address, options...)
if err != nil {
if err == context.Canceled {
return nil, err
}
transport.AlertFail(timedCtx, node, err)
return nil, Error.Wrap(err)
}
defer func() {
err = errs.Combine(err, conn.Close())
}()
transport.AlertSuccess(timedCtx, node)
capture.mu.Lock()
authinfo := capture.authInfo
capture.mu.Unlock()
switch info := authinfo.(type) {
case credentials.TLSInfo:
chain := info.State.PeerCertificates
if len(chain)-1 < peertls.CAIndex {
return nil, Error.New("invalid certificate chain")
}
pi, err := identity.PeerIdentityFromChain(chain)
if err != nil {
return nil, err
}
return pi, nil
default:
return nil, Error.New("unknown capture info %T", authinfo)
}
}