From b68fb8d69510beaf086b016606202badcfd2eda0 Mon Sep 17 00:00:00 2001
From: kalder <61064868+kalder@users.noreply.github.com>
Date: Fri, 27 Jan 2023 09:59:42 -0800
Subject: vm/proxyapp: add TLS authentication (#3642)

The "security" field must be set if ProxyApp-over-TCP is used.
If "none", do no authentication
If "tls", do server TLS, optionally using the certificate specified by "server_tls_cert".
mTLS is unimplemented for now.
---
 vm/proxyapp/proxyappclient.go | 44 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 3 deletions(-)
(limited to 'vm/proxyapp/proxyappclient.go')

diff --git a/vm/proxyapp/proxyappclient.go b/vm/proxyapp/proxyappclient.go
index 1104d1901..1e6d679ac 100644
--- a/vm/proxyapp/proxyappclient.go
+++ b/vm/proxyapp/proxyappclient.go
@@ -7,10 +7,14 @@ package proxyapp
 import (
 "context"
+ "crypto/tls"
+ "crypto/x509"
 "fmt"
 "io"
+ "net"
 "net/rpc"
 "net/rpc/jsonrpc"
+ "os"
 "sync"
 "time"
@@ -100,7 +104,7 @@ func (p *pool) init(params *proxyAppParams, cfg *Config) error {
 if useTCPRPC {
 p.proxy.onLostConnection = make(chan bool, 1)
- p.proxy.Client, err = initNetworkRPCClient(cfg.RPCServerURI)
+ p.proxy.Client, err = initNetworkRPCClient(cfg)
 if err != nil {
 p.closeProxy()
 return fmt.Errorf("failed to connect ProxyApp pipes: %w", err)
@@ -193,8 +197,42 @@ func initPipedRPCClient(cmd subProcessCmd) (*rpc.Client, []io.Closer, error) {
 nil
 }
 
-func initNetworkRPCClient(uri string) (*rpc.Client, error) {
- return jsonrpc.Dial("tcp", uri)
+func initNetworkRPCClient(cfg *Config) (*rpc.Client, error) {
+ var conn io.ReadWriteCloser
+
+ switch cfg.Security {
+ case "none":
+ var err error
+ conn, err = net.Dial("tcp", cfg.RPCServerURI)
+ if err != nil {
+ return nil, fmt.Errorf("dial: %v", err)
+ }
+ case "tls":
+ var certPool *x509.CertPool
+
+ if cfg.ServerTLSCert != "" {
+ certPool = x509.NewCertPool()
+ b, err := os.ReadFile(cfg.ServerTLSCert)
+ if err != nil {
+ return nil, fmt.Errorf("read server certificate: %v", err)
+ }
+ if !certPool.AppendCertsFromPEM(b) {
+ return nil, fmt.Errorf("append server certificate to empty pool: %v", err)
+ }
+ }
+
+ var err error
+ conn, err = tls.Dial("tcp", cfg.RPCServerURI, &tls.Config{RootCAs: certPool})
+ if err != nil {
+ return nil, fmt.Errorf("dial with tls: %v", err)
+ }
+ case "mtls":
+ return nil, fmt.Errorf("mutual TLS not implemented")
+ default:
+ return nil, fmt.Errorf("security value is %q, must be 'none', 'tls', or 'mtls'", cfg.Security)
+ }
+
+ return jsonrpc.NewClient(conn), nil
 }
 
 func runProxyApp(params *proxyAppParams, cmd string, initRPClient bool) (*ProxyApp, error) {
-- 
cgit mrf-deployment
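Review bot: The `AppendCertsFromPEM` failure branch in the `"tls"` case formats `err`, but `err` is nil at that point (a non-nil `os.ReadFile` error was already returned on the line above), so the message ends in `<nil>` and does not say which file was rejected; `return nil, fmt.Errorf("no certificates found in server certificate file %q", cfg.ServerTLSCert)` names the actual cause. The other error returns in the new function use `%v`, while the caller in `pool.init` (the earlier hunk) wraps with `%w`; using `%w` here, e.g. `return nil, fmt.Errorf("dial with tls: %w", err)`, keeps `errors.Is`/`errors.As` working across the chain. The `tls.Config` sets only `RootCAs`, so `tls.Dial` verifies the certificate against the host part of `cfg.RPCServerURI`; that is right when the URI carries the hostname the certificate was issued for, but a comment on the `tls.Dial` line such as `// ServerName is derived from RPCServerURI; an IP address there needs an IP SAN in the server certificate` would save the next reader a trip to the docs. initNetworkRPCClient lies entirely within this hunk.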