Add logging for attempted and successful TLS connections to server (#…

…1486)
temporalio · Apr 23, 2021 · f042915 · f042915
1 parent 49d6bce
commit f042915
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 10 deletions.
diff --git a/common/auth/tlsConfigHelper.go b/common/auth/tlsConfigHelper.go
@@ -27,6 +27,9 @@ package auth
 import (
 	"crypto/tls"
 	"crypto/x509"
+
+	"go.temporal.io/server/common/log"
+	"go.temporal.io/server/common/log/tag"
 )
 
 // Helper methods for creating tls.Config structs to ensure MinVersion is 1.3
@@ -72,10 +75,23 @@ func NewTLSConfigWithCertsAndCAs(
 	clientAuth tls.ClientAuthType,
 	certificates []tls.Certificate,
 	clientCAs *x509.CertPool,
+	logger log.Logger,
 ) *tls.Config {
 	c := NewEmptyTLSConfig()
 	c.ClientAuth = clientAuth
 	c.Certificates = certificates
 	c.ClientCAs = clientCAs
+	c.VerifyConnection = func(state tls.ConnectionState) error {
+		logger.Debug("successfully established incoming TLS connection", tag.HostID(state.ServerName), tag.Name(tlsCN(state)))
+		return nil
+	}
 	return c
 }
+
+func tlsCN(state tls.ConnectionState) string {
+
+	if len(state.PeerCertificates) == 0 {
+		return ""
+	}
+	return state.PeerCertificates[0].Subject.CommonName
+}
diff --git a/common/rpc/encryption/localStoreTlsProvider.go b/common/rpc/encryption/localStoreTlsProvider.go
@@ -32,6 +32,7 @@ import (
 	"time"
 
 	"github.com/uber-go/tally"
+	"go.temporal.io/server/common/log/tag"
 
 	"go.temporal.io/server/common/auth"
 	"go.temporal.io/server/common/config"
@@ -154,7 +155,7 @@ func (s *localStoreTlsProvider) GetFrontendServerConfig() (*tls.Config, error) {
 	return s.getOrCreateConfig(
 		&s.cachedFrontendServerConfig,
 		func() (*tls.Config, error) {
-			return newServerTLSConfig(s.frontendCertProvider, s.frontendPerHostCertProviderMap, &s.settings.Frontend)
+			return newServerTLSConfig(s.frontendCertProvider, s.frontendPerHostCertProviderMap, &s.settings.Frontend, s.logger)
 		},
 		s.settings.Frontend.IsEnabled())
 }
@@ -163,7 +164,7 @@ func (s *localStoreTlsProvider) GetInternodeServerConfig() (*tls.Config, error)
 	return s.getOrCreateConfig(
 		&s.cachedInternodeServerConfig,
 		func() (*tls.Config, error) {
-			return newServerTLSConfig(s.internodeCertProvider, nil, &s.settings.Internode)
+			return newServerTLSConfig(s.internodeCertProvider, nil, &s.settings.Internode, s.logger)
 		},
 		s.settings.Internode.IsEnabled())
 }
@@ -238,32 +239,48 @@ func newServerTLSConfig(
 	certProvider CertProvider,
 	perHostCertProviderMap PerHostCertProviderMap,
 	config *config.GroupTLS,
+	logger log.Logger,
 ) (*tls.Config, error) {
 
 	clientAuthRequired := config.Server.RequireClientAuth
-	tlsConfig, err := getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired)
+	tlsConfig, err := getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired, "", "", logger)
 	if err != nil {
 		return nil, err
 	}
 
 	tlsConfig.GetConfigForClient = func(c *tls.ClientHelloInfo) (*tls.Config, error) {
+
+		remoteAddress := c.Conn.RemoteAddr().String()
+		logger.Info("attempted incoming TLS connection", tag.Address(remoteAddress), tag.HostID(c.ServerName))
+
 		if perHostCertProviderMap != nil {
 			perHostCertProvider, hostClientAuthRequired, err := perHostCertProviderMap.GetCertProvider(c.ServerName)
 			if err != nil {
+				logger.Error("error while looking up per-host provider for attempted incoming TLS connection",
+					tag.HostID(c.ServerName), tag.Address(remoteAddress), tag.Error(err))
 				return nil, err
 			}
 
 			if perHostCertProvider != nil {
-				return getServerTLSConfigFromCertProvider(perHostCertProvider, hostClientAuthRequired)
+				return getServerTLSConfigFromCertProvider(perHostCertProvider, hostClientAuthRequired, remoteAddress, c.ServerName, logger)
 			}
-			return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired)
+			logger.Warn("cannot find a per-host provider for attempted incoming TLS connection. returning default TLS configuration",
+				tag.HostID(c.ServerName), tag.Address(remoteAddress))
+			return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired, remoteAddress, c.ServerName, logger)
 		}
-		return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired)
+		return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired, remoteAddress, c.ServerName, logger)
 	}
+
 	return tlsConfig, nil
 }
 
-func getServerTLSConfigFromCertProvider(certProvider CertProvider, requireClientAuth bool) (*tls.Config, error) {
+func getServerTLSConfigFromCertProvider(
+	certProvider CertProvider,
+	requireClientAuth bool,
+	remoteAddress string,
+	serverName string,
+	logger log.Logger) (*tls.Config, error) {
+
 	// Get serverCert from disk
 	serverCert, err := certProvider.FetchServerCertificate()
 	if err != nil {
@@ -290,10 +307,14 @@ func getServerTLSConfigFromCertProvider(certProvider CertProvider, requireClient
 
 		clientCaPool = ca
 	}
+	if remoteAddress != "" { // remoteAddress=="" when we return initial tls.Config object when configuring server
+		logger.Debug("returning TLS config for connection", tag.Address(remoteAddress), tag.HostID(serverName))
+	}
 	return auth.NewTLSConfigWithCertsAndCAs(
 		clientAuthType,
 		[]tls.Certificate{*serverCert},
-		clientCaPool), nil
+		clientCaPool,
+		logger), nil
 }
 
 func newClientTLSConfig(clientProvider CertProvider, serverName string, isAuthRequired bool,

diff --git a/common/rpc/encryption/testDynamicTLSConfigProvider.go b/common/rpc/encryption/testDynamicTLSConfigProvider.go
@@ -30,6 +30,7 @@ import (
 	"time"
 
 	"go.temporal.io/server/common/config"
+	"go.temporal.io/server/common/log"
 )
 
 type TestDynamicTLSConfigProvider struct {
@@ -47,18 +48,20 @@ type TestDynamicTLSConfigProvider struct {
 	internodeClientConfig *tls.Config
 	frontendServerConfig  *tls.Config
 	frontendClientConfig  *tls.Config
+
+	logger log.Logger
 }
 
 func (t *TestDynamicTLSConfigProvider) GetInternodeServerConfig() (*tls.Config, error) {
-	return newServerTLSConfig(t.InternodeCertProvider, nil, &t.settings.Internode)
+	return newServerTLSConfig(t.InternodeCertProvider, nil, &t.settings.Internode, t.logger)
 }
 
 func (t *TestDynamicTLSConfigProvider) GetInternodeClientConfig() (*tls.Config, error) {
 	return newClientTLSConfig(t.InternodeClientCertProvider, t.settings.Internode.Client.ServerName, true, false, true)
 }
 
 func (t *TestDynamicTLSConfigProvider) GetFrontendServerConfig() (*tls.Config, error) {
-	return newServerTLSConfig(t.FrontendCertProvider, t.FrontendPerHostCertProviderMap, &t.settings.Frontend)
+	return newServerTLSConfig(t.FrontendCertProvider, t.FrontendPerHostCertProviderMap, &t.settings.Frontend, t.logger)
 }
 
 func (t *TestDynamicTLSConfigProvider) GetFrontendClientConfig() (*tls.Config, error) {
@@ -91,5 +94,6 @@ func NewTestDynamicTLSConfigProvider(
 		WorkerCertProvider:             frontendProvider,
 		FrontendPerHostCertProviderMap: frontendProvider,
 		settings:                       tlsConfig,
+		logger:                         log.NewDefaultLogger(),
 	}, nil
 }