tls support: dubbo/dubbo3/grpc protocol

apache · Oct 7, 2022 · a7f990c · a7f990c
1 parent 19668c0
commit a7f990c
Show file tree

Hide file tree

Showing 12 changed files with 118 additions and 31 deletions.
diff --git a/common/constant/key.go b/common/constant/key.go
@@ -64,6 +64,14 @@ const (
 	MaxServerRecvMsgSize   = "max-server-recv-msg-size"
 )
 
+//tls constant
+const (
+	TLSKey        = "tls_key"
+	TLSCert       = "tls_cert"
+	CACert        = "ca_cert"
+	TLSServerNAME = "tls_server_name"
+)
+
 const (
 	ServiceFilterKey   = "service.filter"
 	ReferenceFilterKey = "reference.filter"

diff --git a/config/protocol_config.go b/config/protocol_config.go
@@ -27,10 +27,11 @@ import (
 
 // ProtocolConfig is protocol configuration
 type ProtocolConfig struct {
-	Name   string      `default:"dubbo" validate:"required" yaml:"name" json:"name,omitempty" property:"name"`
-	Ip     string      `yaml:"ip"  json:"ip,omitempty" property:"ip"`
-	Port   string      `default:"20000" yaml:"port" json:"port,omitempty" property:"port"`
-	Params interface{} `yaml:"params" json:"params,omitempty" property:"params"`
+	Name      string      `default:"dubbo" validate:"required" yaml:"name" json:"name,omitempty" property:"name"`
+	Ip        string      `yaml:"ip"  json:"ip,omitempty" property:"ip"`
+	Port      string      `default:"20000" yaml:"port" json:"port,omitempty" property:"port"`
+	Params    interface{} `yaml:"params" json:"params,omitempty" property:"params"`
+	TLSConfig *TLSConfig  `yaml:"tls_config" json:"tls_config,omitempty" property:"tls_config"`
 }
 
 // Prefix dubbo.config-center

diff --git a/config/reference_config.go b/config/reference_config.go
@@ -63,11 +63,12 @@ type ReferenceConfig struct {
 	Params         map[string]string `yaml:"params"  json:"params,omitempty" property:"params"`
 	invoker        protocol.Invoker
 	urls           []*common.URL
-	Generic        string `yaml:"generic"  json:"generic,omitempty" property:"generic"`
-	Sticky         bool   `yaml:"sticky"   json:"sticky,omitempty" property:"sticky"`
-	RequestTimeout string `yaml:"timeout"  json:"timeout,omitempty" property:"timeout"`
-	ForceTag       bool   `yaml:"force.tag"  json:"force.tag,omitempty" property:"force.tag"`
-	TracingKey     string `yaml:"tracing-key" json:"tracing-key,omitempty" propertiy:"tracing-key"`
+	Generic        string     `yaml:"generic"  json:"generic,omitempty" property:"generic"`
+	Sticky         bool       `yaml:"sticky"   json:"sticky,omitempty" property:"sticky"`
+	RequestTimeout string     `yaml:"timeout"  json:"timeout,omitempty" property:"timeout"`
+	ForceTag       bool       `yaml:"force.tag"  json:"force.tag,omitempty" property:"force.tag"`
+	TracingKey     string     `yaml:"tracing-key" json:"tracing-key,omitempty" propertiy:"tracing-key"`
+	TLSConfig      *TLSConfig `yaml:"tls_config" json:"tls_config,omitempty" property:"tls_config"`
 
 	rootConfig   *RootConfig
 	metaDataType string
@@ -137,6 +138,14 @@ func (rc *ReferenceConfig) Refer(srv interface{}) {
 		common.WithParamsValue(constant.BeanNameKey, rc.id),
 		common.WithParamsValue(constant.MetadataTypeKey, rc.metaDataType),
 	)
+	//client tls client
+	if rc.TLSConfig != nil {
+		cfgURL.AddParam(constant.SslEnabledKey, "true")
+		cfgURL.AddParam(constant.TLSCert, rc.TLSConfig.TLSCertFile)
+		cfgURL.AddParam(constant.TLSKey, rc.TLSConfig.TLSKeyFile)
+		cfgURL.AddParam(constant.CACert, rc.TLSConfig.CACertFile)
+		cfgURL.AddParam(constant.TLSServerNAME, rc.TLSConfig.TLSServerName)
+	}
 
 	SetConsumerServiceByInterfaceName(rc.InterfaceName, srv)
 	if rc.ForceTag {

diff --git a/config/service_config.go b/config/service_config.go
@@ -279,6 +279,14 @@ func (s *ServiceConfig) Export() error {
 			common.WithToken(s.Token),
 			common.WithParamsValue(constant.MetadataTypeKey, s.metadataType),
 		)
+		//server tls config
+		if proto.TLSConfig != nil {
+			ivkURL.AddParam(constant.SslEnabledKey, "true")
+			ivkURL.AddParam(constant.TLSCert, proto.TLSConfig.TLSCertFile)
+			ivkURL.AddParam(constant.TLSKey, proto.TLSConfig.TLSKeyFile)
+			ivkURL.AddParam(constant.CACert, proto.TLSConfig.CACertFile)
+			ivkURL.AddParam(constant.TLSServerNAME, proto.TLSConfig.TLSServerName)
+		}
 		if len(s.Tag) > 0 {
 			ivkURL.AddParam(constant.Tagkey, s.Tag)
 		}

diff --git a/config/ssl_config.go b/config/ssl_config.go
@@ -22,22 +22,28 @@ import (
 )
 
 var (
+	//Deprecated: use TLSConfig instead.
 	serverTlsConfigBuilder getty.TlsConfigBuilder
+	//Deprecated: use TLSConfig instead.
 	clientTlsConfigBuilder getty.TlsConfigBuilder
 )
 
+//Deprecated: use TLSConfig instead.
 func GetServerTlsConfigBuilder() getty.TlsConfigBuilder {
 	return serverTlsConfigBuilder
 }
 
+//Deprecated: use TLSConfig instead.
 func GetClientTlsConfigBuilder() getty.TlsConfigBuilder {
 	return clientTlsConfigBuilder
 }
 
+// Deprecated: use TLSConfig instead.
 func SetServerTlsConfigBuilder(configBuilder getty.TlsConfigBuilder) {
 	serverTlsConfigBuilder = configBuilder
 }
 
+//Deprecated: use TLSConfig instead.
 func SetClientTlsConfigBuilder(configBuilder getty.TlsConfigBuilder) {
 	clientTlsConfigBuilder = configBuilder
 }
diff --git a/config/tls_config.go b/config/tls_config.go
@@ -0,0 +1,8 @@
+package config
+
+type TLSConfig struct {
+	CACertFile    string ` yaml:"ca_cert_file" json:"ca_cert_file" property:"ca_cert_file"`
+	TLSCertFile   string `yaml:"tls_cert_file" json:"tls_cert_file" property:"tls_cert_file"`
+	TLSKeyFile    string `yaml:"tls_key_file" json:"tls_key_file" property:"tls_key_file"`
+	TLSServerName string `yaml:"tls_server_name" json:"tls_server_name" property:"tls_server_name"`
+}
diff --git a/protocol/grpc/client.go b/protocol/grpc/client.go
@@ -27,13 +27,16 @@ import (
 import (
 	"github.com/dubbogo/gost/log/logger"
 
-	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
-
-	"github.com/opentracing/opentracing-go"
-
 	"google.golang.org/grpc"
 
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+
 	"gopkg.in/yaml.v2"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+
+	"github.com/opentracing/opentracing-go"
 )
 
 import (
@@ -65,7 +68,6 @@ func NewClient(url *common.URL) (*Client, error) {
 	//connectTimeout := config.GetConsumerConfig().ConnectTimeout
 
 	dialOpts = append(dialOpts,
-		grpc.WithInsecure(),
 		grpc.WithBlock(),
 		// todo config network timeout
 		grpc.WithTimeout(time.Second*3),
@@ -77,6 +79,15 @@ func NewClient(url *common.URL) (*Client, error) {
 			grpc.MaxCallSendMsgSize(1024*1024*maxMessageSize),
 		),
 	)
+	if url.GetParam(constant.SslEnabledKey, "false") == "true" {
+		creds, err := credentials.NewClientTLSFromFile(url.GetParam(constant.TLSCert, ""), url.GetParam(constant.TLSServerNAME, ""))
+		if err != nil {
+			return nil, err
+		}
+		dialOpts = append(dialOpts, grpc.WithTransportCredentials(creds))
+	} else {
+		dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	}
 
 	conn, err := grpc.Dial(url.Location, dialOpts...)
 	if err != nil {

diff --git a/protocol/grpc/server.go b/protocol/grpc/server.go
@@ -27,16 +27,20 @@ import (
 import (
 	"github.com/dubbogo/gost/log/logger"
 
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/reflection"
+
 	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
 
 	"github.com/opentracing/opentracing-go"
-
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/reflection"
 )
 
 import (
 	"dubbo.apache.org/dubbo-go/v3/common"
+	"dubbo.apache.org/dubbo-go/v3/common/constant"
 	"dubbo.apache.org/dubbo-go/v3/config"
 	"dubbo.apache.org/dubbo-go/v3/protocol"
 )
@@ -81,12 +85,26 @@ func (s *Server) Start(url *common.URL) {
 	// If global trace instance was set, then server tracer instance
 	// can be get. If not, will return NoopTracer.
 	tracer := opentracing.GlobalTracer()
-	server := grpc.NewServer(
+	var serverOpts []grpc.ServerOption
+	serverOpts = append(serverOpts,
 		grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer)),
 		grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(tracer)),
 		grpc.MaxRecvMsgSize(1024*1024*s.bufferSize),
 		grpc.MaxSendMsgSize(1024*1024*s.bufferSize),
 	)
+
+	if url.GetParam(constant.SslEnabledKey, "false") == "true" {
+		creds, err := credentials.NewServerTLSFromFile(url.GetParam(constant.TLSCert, ""),
+			url.GetParam(constant.TLSKey, ""))
+		if err != nil {
+
+			return
+		}
+		serverOpts = append(serverOpts, grpc.Creds(creds))
+	} else {
+		serverOpts = append(serverOpts, grpc.Creds(insecure.NewCredentials()))
+	}
+	server := grpc.NewServer(serverOpts...)
 	s.grpcServer = server
 
 	go func() {

diff --git a/remoting/getty/config.go b/remoting/getty/config.go
@@ -22,6 +22,8 @@ import (
 )
 
 import (
+	getty "github.com/apache/dubbo-getty"
+
 	perrors "github.com/pkg/errors"
 )
 
@@ -56,6 +58,7 @@ type (
 	// ServerConfig holds supported types by the multiconfig package
 	ServerConfig struct {
 		SSLEnabled bool
+		TLSBuilder getty.TlsConfigBuilder
 
 		// heartbeat
 		HeartbeatPeriod string `default:"60s" yaml:"heartbeat-period" json:"heartbeat-period,omitempty"`
@@ -81,6 +84,9 @@ type (
 
 	// ClientConfig holds supported types by the multi config package
 	ClientConfig struct {
+		SSLEnabled bool
+		TLSBuilder getty.TlsConfigBuilder
+
 		ReconnectInterval int `default:"0" yaml:"reconnect-interval" json:"reconnect-interval,omitempty"`
 
 		// session pool

diff --git a/remoting/getty/getty_client.go b/remoting/getty/getty_client.go
@@ -39,7 +39,6 @@ import (
 
 import (
 	"dubbo.apache.org/dubbo-go/v3/common"
-	"dubbo.apache.org/dubbo-go/v3/common/constant"
 	"dubbo.apache.org/dubbo-go/v3/config"
 	"dubbo.apache.org/dubbo-go/v3/remoting"
 )
@@ -75,6 +74,16 @@ func initClient(protocol string) {
 		logger.Info("use default getty client config")
 		return
 	} else {
+		//client tls config
+		if protocolConf.TLSConfig != nil {
+			clientConf.SSLEnabled = true
+			clientConf.TLSBuilder = &getty.ClientTlsConfigBuilder{
+				ClientKeyCertChainPath:        protocolConf.TLSConfig.TLSCertFile,
+				ClientPrivateKeyPath:          protocolConf.TLSConfig.TLSKeyFile,
+				ClientTrustCertCollectionPath: protocolConf.TLSConfig.CACertFile,
+			}
+		}
+		//getty params
 		gettyClientConfig := protocolConf.Params
 		if gettyClientConfig == nil {
 			logger.Debugf("gettyClientConfig is nil")
@@ -158,7 +167,7 @@ func (c *Client) SetExchangeClient(client *remoting.ExchangeClient) {
 func (c *Client) Connect(url *common.URL) error {
 	initClient(url.Protocol)
 	c.conf = *clientConf
-	c.sslEnabled = url.GetParamBool(constant.SslEnabledKey, false)
+	c.sslEnabled = c.conf.SSLEnabled
 	// codec
 	c.codec = remoting.GetCodec(url.Protocol)
 	c.addr = url.Location

diff --git a/remoting/getty/getty_server.go b/remoting/getty/getty_server.go
@@ -36,7 +36,6 @@ import (
 
 import (
 	"dubbo.apache.org/dubbo-go/v3/common"
-	"dubbo.apache.org/dubbo-go/v3/common/constant"
 	"dubbo.apache.org/dubbo-go/v3/config"
 	"dubbo.apache.org/dubbo-go/v3/protocol"
 	"dubbo.apache.org/dubbo-go/v3/protocol/invocation"
@@ -67,6 +66,16 @@ func initServer(protocol string) {
 		logger.Debug("use default getty server config")
 		return
 	} else {
+		//server tls config
+		if protocolConf.TLSConfig != nil {
+			srvConf.SSLEnabled = true
+			srvConf.TLSBuilder = &getty.ServerTlsConfigBuilder{
+				ServerKeyCertChainPath:        protocolConf.TLSConfig.TLSCertFile,
+				ServerPrivateKeyPath:          protocolConf.TLSConfig.TLSKeyFile,
+				ServerTrustCertCollectionPath: protocolConf.TLSConfig.CACertFile,
+			}
+		}
+		//getty params
 		gettyServerConfig := protocolConf.Params
 		if gettyServerConfig == nil {
 			logger.Debug("gettyServerConfig is nil")
@@ -82,6 +91,7 @@ func initServer(protocol string) {
 			panic(err)
 		}
 	}
+
 	if err := srvConf.CheckValidity(); err != nil {
 		panic(err)
 	}
@@ -116,9 +126,6 @@ type Server struct {
 func NewServer(url *common.URL, handlers func(*invocation.RPCInvocation) protocol.RPCResult) *Server {
 	// init
 	initServer(url.Protocol)
-
-	srvConf.SSLEnabled = url.GetParamBool(constant.SslEnabledKey, false)
-
 	s := &Server{
 		conf:           *srvConf,
 		addr:           url.Location,
@@ -205,7 +212,7 @@ func (s *Server) Start() {
 	serverOpts := []getty.ServerOption{getty.WithLocalAddress(addr)}
 	if s.conf.SSLEnabled {
 		serverOpts = append(serverOpts, getty.WithServerSslEnabled(s.conf.SSLEnabled),
-			getty.WithServerTlsConfigBuilder(config.GetServerTlsConfigBuilder()))
+			getty.WithServerTlsConfigBuilder(srvConf.TLSBuilder))
 	}
 
 	serverOpts = append(serverOpts, getty.WithServerTaskPool(gxsync.NewTaskPoolSimple(s.conf.GrPoolSize)))

diff --git a/remoting/getty/pool.go b/remoting/getty/pool.go
@@ -35,10 +35,6 @@ import (
 	perrors "github.com/pkg/errors"
 )
 
-import (
-	"dubbo.apache.org/dubbo-go/v3/config"
-)
-
 type gettyRPCClient struct {
 	once   sync.Once
 	addr   string // protocol string
@@ -56,14 +52,14 @@ func newGettyRPCClientConn(rpcClient *Client, addr string) (*gettyRPCClient, err
 		gettyClient getty.Client
 		sslEnabled  bool
 	)
-	sslEnabled = rpcClient.sslEnabled
+	sslEnabled = rpcClient.conf.SSLEnabled
 	clientOpts := []getty.ClientOption{
 		getty.WithServerAddress(addr),
 		getty.WithConnectionNumber((int)(rpcClient.conf.ConnectionNum)),
 		getty.WithReconnectInterval(rpcClient.conf.ReconnectInterval),
 	}
 	if sslEnabled {
-		clientOpts = append(clientOpts, getty.WithClientSslEnabled(sslEnabled), getty.WithClientTlsConfigBuilder(config.GetClientTlsConfigBuilder()))
+		clientOpts = append(clientOpts, getty.WithClientSslEnabled(sslEnabled), getty.WithClientTlsConfigBuilder(rpcClient.conf.TLSBuilder))
 	}
 
 	if clientGrPool != nil {