From f0429156f79e3d63c6dbf715ff05fd743892e426 Mon Sep 17 00:00:00 2001
From: Sergey Bykov <8248806+sergeybykov@users.noreply.github.com>
Date: Fri, 23 Apr 2021 13:52:01 -0700
Subject: [PATCH] Add logging for attempted and successful TLS connections to server (#1486)
---
 common/auth/tlsConfigHelper.go | 16 ++++++++
 .../rpc/encryption/localStoreTlsProvider.go | 37 +++++++++++++++----
 .../testDynamicTLSConfigProvider.go | 8 +++-
 3 files changed, 51 insertions(+), 10 deletions(-)
diff --git a/common/auth/tlsConfigHelper.go b/common/auth/tlsConfigHelper.go
index 713c1244aea..005960729c0 100644
--- a/common/auth/tlsConfigHelper.go
+++ b/common/auth/tlsConfigHelper.go
@@ -27,6 +27,9 @@ package auth
 import (
 "crypto/tls"
 "crypto/x509"
+
+ "go.temporal.io/server/common/log"
+ "go.temporal.io/server/common/log/tag"
 )
 // Helper methods for creating tls.Config structs to ensure MinVersion is 1.3
@@ -72,10 +75,23 @@ func NewTLSConfigWithCertsAndCAs(
 clientAuth tls.ClientAuthType,
 certificates []tls.Certificate,
 clientCAs *x509.CertPool,
+ logger log.Logger,
 ) *tls.Config {
 c := NewEmptyTLSConfig()
 c.ClientAuth = clientAuth
 c.Certificates = certificates
 c.ClientCAs = clientCAs
+ c.VerifyConnection = func(state tls.ConnectionState) error {
+ logger.Debug("successfully established incoming TLS connection", tag.HostID(state.ServerName), tag.Name(tlsCN(state)))
+ return nil
+ }
 return c
 }
+
+func tlsCN(state tls.ConnectionState) string {
+
+ if len(state.PeerCertificates) == 0 {
+ return ""
+ }
+ return state.PeerCertificates[0].Subject.CommonName
+}
diff --git a/common/rpc/encryption/localStoreTlsProvider.go b/common/rpc/encryption/localStoreTlsProvider.go
index fe966729ce1..c5d95e3c12d 100644
--- a/common/rpc/encryption/localStoreTlsProvider.go
+++ b/common/rpc/encryption/localStoreTlsProvider.go
@@ -32,6 +32,7 @@ import (
 "time"
 "github.com/uber-go/tally"
+ "go.temporal.io/server/common/log/tag"
 "go.temporal.io/server/common/auth"
 "go.temporal.io/server/common/config"
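Review bot: The Common Name that the new `VerifyConnection` callback logs through `tlsCN(state)` is an authenticated identity only when `clientAuth` is `tls.RequireAndVerifyClientCert` or `tls.VerifyClientCertIfGiven`; with `tls.RequestClientCert` or `tls.RequireAnyClientCert` the leaf is never verified, and `state.ServerName` is whatever SNI the peer chose to send, so the Debug line records peer-asserted values. A doc comment on `tlsCN` should say so, e.g. `// tlsCN returns the Common Name of the peer's leaf certificate, or "" if none was presented; it is only trustworthy when the tls.Config verifies client certificates.`, and the stray blank line after the `tlsCN` signature can go. `logger` is also dereferenced inside a per-handshake callback with no nil guard, so a caller passing a nil logger turns every handshake into a panic instead of a missing log line; either document the non-nil requirement on `NewTLSConfigWithCertsAndCAs` or check once before installing the callback.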
@@ -154,7 +155,7 @@ func (s *localStoreTlsProvider) GetFrontendServerConfig() (*tls.Config, error) {
 return s.getOrCreateConfig(
 &s.cachedFrontendServerConfig,
 func() (*tls.Config, error) {
- return newServerTLSConfig(s.frontendCertProvider, s.frontendPerHostCertProviderMap, &s.settings.Frontend)
+ return newServerTLSConfig(s.frontendCertProvider, s.frontendPerHostCertProviderMap, &s.settings.Frontend, s.logger)
 },
 s.settings.Frontend.IsEnabled())
 }
@@ -163,7 +164,7 @@ func (s *localStoreTlsProvider) GetInternodeServerConfig() (*tls.Config, error)
 return s.getOrCreateConfig(
 &s.cachedInternodeServerConfig,
 func() (*tls.Config, error) {
- return newServerTLSConfig(s.internodeCertProvider, nil, &s.settings.Internode)
+ return newServerTLSConfig(s.internodeCertProvider, nil, &s.settings.Internode, s.logger)
 },
 s.settings.Internode.IsEnabled())
 }
@@ -238,32 +239,48 @@ func newServerTLSConfig(
 certProvider CertProvider,
 perHostCertProviderMap PerHostCertProviderMap,
 config *config.GroupTLS,
+ logger log.Logger,
 ) (*tls.Config, error) {
 clientAuthRequired := config.Server.RequireClientAuth
- tlsConfig, err := getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired)
+ tlsConfig, err := getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired, "", "", logger)
 if err != nil {
 return nil, err
 }
 tlsConfig.GetConfigForClient = func(c *tls.ClientHelloInfo) (*tls.Config, error) {
+
+ remoteAddress := c.Conn.RemoteAddr().String()
+ logger.Info("attempted incoming TLS connection", tag.Address(remoteAddress), tag.HostID(c.ServerName))
+
 if perHostCertProviderMap != nil {
 perHostCertProvider, hostClientAuthRequired, err := perHostCertProviderMap.GetCertProvider(c.ServerName)
 if err != nil {
+ logger.Error("error while looking up per-host provider for attempted incoming TLS connection",
+ tag.HostID(c.ServerName), tag.Address(remoteAddress), tag.Error(err))
 return nil, err
 }
 if perHostCertProvider != nil {
- return getServerTLSConfigFromCertProvider(perHostCertProvider, hostClientAuthRequired)
+ return getServerTLSConfigFromCertProvider(perHostCertProvider, hostClientAuthRequired, remoteAddress, c.ServerName, logger)
 }
- return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired)
+ logger.Warn("cannot find a per-host provider for attempted incoming TLS connection. 
returning default TLS configuration",
+ tag.HostID(c.ServerName), tag.Address(remoteAddress))
+ return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired, remoteAddress, c.ServerName, logger)
 }
- return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired)
+ return getServerTLSConfigFromCertProvider(certProvider, clientAuthRequired, remoteAddress, c.ServerName, logger)
 }
+
 return tlsConfig, nil
 }
-func getServerTLSConfigFromCertProvider(certProvider CertProvider, requireClientAuth bool) (*tls.Config, error) {
+func getServerTLSConfigFromCertProvider(
+ certProvider CertProvider,
+ requireClientAuth bool,
+ remoteAddress string,
+ serverName string,
+ logger log.Logger) (*tls.Config, error) {
+
 // Get serverCert from disk
 serverCert, err := certProvider.FetchServerCertificate()
 if err != nil {
@@ -290,10 +307,14 @@ func getServerTLSConfigFromCertProvider(certProvider CertProvider, requireClient
 clientCaPool = ca
 }
+ if remoteAddress != "" { // remoteAddress=="" when we return initial tls.Config object when configuring server
+ logger.Debug("returning TLS config for connection", tag.Address(remoteAddress), tag.HostID(serverName))
+ }
 return auth.NewTLSConfigWithCertsAndCAs(
 clientAuthType,
 []tls.Certificate{*serverCert},
- clientCaPool), nil
+ clientCaPool,
+ logger), nil
 }
 func newClientTLSConfig(clientProvider CertProvider, serverName string, isAuthRequired bool,
diff --git a/common/rpc/encryption/testDynamicTLSConfigProvider.go b/common/rpc/encryption/testDynamicTLSConfigProvider.go
index dcccb4b0afe..04989c00132 100644
--- a/common/rpc/encryption/testDynamicTLSConfigProvider.go
+++ b/common/rpc/encryption/testDynamicTLSConfigProvider.go
@@ -30,6 +30,7 @@ import (
 "time"
 "go.temporal.io/server/common/config"
+ "go.temporal.io/server/common/log"
 )
 type TestDynamicTLSConfigProvider struct {
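Review bot: `logger.Info("attempted incoming TLS connection", ...)` at the top of `GetConfigForClient` writes one Info line per ClientHello before any client authentication has taken place, so on the frontend listener an unauthenticated peer can inflate log volume merely by opening connections; the other two lines this commit adds for the same handshake are at Debug, and this one should match them: `logger.Debug("attempted incoming TLS connection", tag.Address(remoteAddress), tag.HostID(c.ServerName))`. `c.Conn.RemoteAddr().String()` is also unguarded — crypto/tls fills in `Conn` during a real server handshake, but `RemoteAddr()` may return nil for custom `net.Conn` types and a hand-built `ClientHelloInfo` in a test has a nil `Conn`, so a small nil-checking helper would keep the logging from ever being the reason a handshake fails. `c.ServerName` is client-controlled SNI, which is worth a short comment where it is recorded under `tag.HostID`. The body of `getServerTLSConfigFromCertProvider` continues past the end of this hunk.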
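Review bot: `if remoteAddress != "" {` uses the empty string as a sentinel to tell the per-handshake call apart from the initial configuration call, and `remoteAddress` and `serverName` exist in this function only to feed that one Debug line. The `GetConfigForClient` closure in the previous hunk already has both values in scope at every call site, so logging "returning TLS config for connection" there would let this function keep a three-parameter signature and drop the sentinel. If the parameters stay, the trailing comment belongs in the function's doc comment instead, e.g. `// remoteAddress and serverName are empty when building the listener's initial tls.Config and are set per handshake from GetConfigForClient.` The start of this function is outside the hunk.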
@@ -47,10 +48,12 @@ type TestDynamicTLSConfigProvider struct {
 internodeClientConfig *tls.Config
 frontendServerConfig *tls.Config
 frontendClientConfig *tls.Config
+
+ logger log.Logger
 }
 func (t *TestDynamicTLSConfigProvider) GetInternodeServerConfig() (*tls.Config, error) {
- return newServerTLSConfig(t.InternodeCertProvider, nil, &t.settings.Internode)
+ return newServerTLSConfig(t.InternodeCertProvider, nil, &t.settings.Internode, t.logger)
 }
 func (t *TestDynamicTLSConfigProvider) GetInternodeClientConfig() (*tls.Config, error) {
@@ -58,7 +61,7 @@ func (t *TestDynamicTLSConfigProvider) GetInternodeClientConfig() (*tls.Config,
 }
 func (t *TestDynamicTLSConfigProvider) GetFrontendServerConfig() (*tls.Config, error) {
- return newServerTLSConfig(t.FrontendCertProvider, t.FrontendPerHostCertProviderMap, &t.settings.Frontend)
+ return newServerTLSConfig(t.FrontendCertProvider, t.FrontendPerHostCertProviderMap, &t.settings.Frontend, t.logger)
 }
 func (t *TestDynamicTLSConfigProvider) GetFrontendClientConfig() (*tls.Config, error) {
@@ -91,5 +94,6 @@ func NewTestDynamicTLSConfigProvider(
 WorkerCertProvider: frontendProvider,
 FrontendPerHostCertProviderMap: frontendProvider,
 settings: tlsConfig,
+ logger: log.NewDefaultLogger(),
 }, nil
 }
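Review bot: `logger: log.NewDefaultLogger()` in `NewTestDynamicTLSConfigProvider` hard-wires the test provider's logger, and the `logger` field added in the first hunk of this file is unexported, so tests have no way to inject a capturing logger to assert on the new handshake log lines or to silence them. Accepting a `log.Logger` parameter (or exporting the field) with a nil fallback to `log.NewDefaultLogger()` would give that seam without changing existing behaviour. The constructor's signature is outside the hunk.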