tls support: dubbo/dubbo3/grpc protocol

apache · Oct 22, 2022 · ebbe9c3 · ebbe9c3
1 parent 19668c0
commit ebbe9c3
Show file tree

Hide file tree

Showing 12 changed files with 206 additions and 27 deletions.
diff --git a/common/constant/key.go b/common/constant/key.go
@@ -64,6 +64,14 @@ const (
 	MaxServerRecvMsgSize   = "max-server-recv-msg-size"
 )
 
+//tls constant
+const (
+	TLSKey        = "tls_key"
+	TLSCert       = "tls_cert"
+	CACert        = "ca_cert"
+	TLSServerNAME = "tls_server_name"
+)
+
 const (
 	ServiceFilterKey   = "service.filter"
 	ReferenceFilterKey = "reference.filter"

diff --git a/config/protocol_config.go b/config/protocol_config.go
@@ -27,10 +27,11 @@ import (
 
 // ProtocolConfig is protocol configuration
 type ProtocolConfig struct {
-	Name   string      `default:"dubbo" validate:"required" yaml:"name" json:"name,omitempty" property:"name"`
-	Ip     string      `yaml:"ip"  json:"ip,omitempty" property:"ip"`
-	Port   string      `default:"20000" yaml:"port" json:"port,omitempty" property:"port"`
-	Params interface{} `yaml:"params" json:"params,omitempty" property:"params"`
+	Name      string      `default:"dubbo" validate:"required" yaml:"name" json:"name,omitempty" property:"name"`
+	Ip        string      `yaml:"ip"  json:"ip,omitempty" property:"ip"`
+	Port      string      `default:"20000" yaml:"port" json:"port,omitempty" property:"port"`
+	Params    interface{} `yaml:"params" json:"params,omitempty" property:"params"`
+	TLSConfig *TLSConfig  `yaml:"tls_config" json:"tls_config,omitempty" property:"tls_config"`
 }
 
 // Prefix dubbo.config-center

diff --git a/config/reference_config.go b/config/reference_config.go
@@ -63,11 +63,12 @@ type ReferenceConfig struct {
 	Params         map[string]string `yaml:"params"  json:"params,omitempty" property:"params"`
 	invoker        protocol.Invoker
 	urls           []*common.URL
-	Generic        string `yaml:"generic"  json:"generic,omitempty" property:"generic"`
-	Sticky         bool   `yaml:"sticky"   json:"sticky,omitempty" property:"sticky"`
-	RequestTimeout string `yaml:"timeout"  json:"timeout,omitempty" property:"timeout"`
-	ForceTag       bool   `yaml:"force.tag"  json:"force.tag,omitempty" property:"force.tag"`
-	TracingKey     string `yaml:"tracing-key" json:"tracing-key,omitempty" propertiy:"tracing-key"`
+	Generic        string     `yaml:"generic"  json:"generic,omitempty" property:"generic"`
+	Sticky         bool       `yaml:"sticky"   json:"sticky,omitempty" property:"sticky"`
+	RequestTimeout string     `yaml:"timeout"  json:"timeout,omitempty" property:"timeout"`
+	ForceTag       bool       `yaml:"force.tag"  json:"force.tag,omitempty" property:"force.tag"`
+	TracingKey     string     `yaml:"tracing-key" json:"tracing-key,omitempty" propertiy:"tracing-key"`
+	TLSConfig      *TLSConfig `yaml:"tls_config" json:"tls_config,omitempty" property:"tls_config"`
 
 	rootConfig   *RootConfig
 	metaDataType string
@@ -137,6 +138,14 @@ func (rc *ReferenceConfig) Refer(srv interface{}) {
 		common.WithParamsValue(constant.BeanNameKey, rc.id),
 		common.WithParamsValue(constant.MetadataTypeKey, rc.metaDataType),
 	)
+	//client tls client
+	if rc.TLSConfig != nil {
+		cfgURL.AddParam(constant.SslEnabledKey, "true")
+		cfgURL.AddParam(constant.TLSCert, rc.TLSConfig.TLSCertFile)
+		cfgURL.AddParam(constant.TLSKey, rc.TLSConfig.TLSKeyFile)
+		cfgURL.AddParam(constant.CACert, rc.TLSConfig.CACertFile)
+		cfgURL.AddParam(constant.TLSServerNAME, rc.TLSConfig.TLSServerName)
+	}
 
 	SetConsumerServiceByInterfaceName(rc.InterfaceName, srv)
 	if rc.ForceTag {

diff --git a/config/service_config.go b/config/service_config.go
@@ -279,6 +279,14 @@ func (s *ServiceConfig) Export() error {
 			common.WithToken(s.Token),
 			common.WithParamsValue(constant.MetadataTypeKey, s.metadataType),
 		)
+		//server tls config
+		if proto.TLSConfig != nil {
+			ivkURL.AddParam(constant.SslEnabledKey, "true")
+			ivkURL.AddParam(constant.TLSCert, proto.TLSConfig.TLSCertFile)
+			ivkURL.AddParam(constant.TLSKey, proto.TLSConfig.TLSKeyFile)
+			ivkURL.AddParam(constant.CACert, proto.TLSConfig.CACertFile)
+			ivkURL.AddParam(constant.TLSServerNAME, proto.TLSConfig.TLSServerName)
+		}
 		if len(s.Tag) > 0 {
 			ivkURL.AddParam(constant.Tagkey, s.Tag)
 		}

diff --git a/config/ssl_config.go b/config/ssl_config.go
@@ -22,22 +22,28 @@ import (
 )
 
 var (
+	//Deprecated: use TLSConfig instead.
 	serverTlsConfigBuilder getty.TlsConfigBuilder
+	//Deprecated: use TLSConfig instead.
 	clientTlsConfigBuilder getty.TlsConfigBuilder
 )
 
+//Deprecated: use TLSConfig instead.
 func GetServerTlsConfigBuilder() getty.TlsConfigBuilder {
 	return serverTlsConfigBuilder
 }
 
+//Deprecated: use TLSConfig instead.
 func GetClientTlsConfigBuilder() getty.TlsConfigBuilder {
 	return clientTlsConfigBuilder
 }
 
+// Deprecated: use TLSConfig instead.
 func SetServerTlsConfigBuilder(configBuilder getty.TlsConfigBuilder) {
 	serverTlsConfigBuilder = configBuilder
 }
 
+//Deprecated: use TLSConfig instead.
 func SetClientTlsConfigBuilder(configBuilder getty.TlsConfigBuilder) {
 	clientTlsConfigBuilder = configBuilder
 }
diff --git a/config/tls_config.go b/config/tls_config.go
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package config
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+)
+import (
+	"google.golang.org/grpc/credentials"
+)
+
+type TLSConfig struct {
+	CACertFile    string `yaml:"ca_cert_file" json:"ca_cert_file" property:"ca_cert_file"`
+	TLSCertFile   string `yaml:"tls_cert_file" json:"tls_cert_file" property:"tls_cert_file"`
+	TLSKeyFile    string `yaml:"tls_key_file" json:"tls_key_file" property:"tls_key_file"`
+	TLSServerName string `yaml:"tls_server_name" json:"tls_server_name" property:"tls_server_name"`
+}
+
+func GetServerTlsCertificate(opt *TLSConfig) (credentials.TransportCredentials, error) {
+	//no TLS
+	if opt.TLSCertFile == "" && opt.TLSKeyFile == "" {
+		return nil, nil
+	}
+	var ca *x509.CertPool
+	//need mTLS
+	if opt.CACertFile != "" {
+		ca = x509.NewCertPool()
+		caBytes, err := ioutil.ReadFile(opt.CACertFile)
+		if err != nil {
+			return nil, err
+		}
+		if ok := ca.AppendCertsFromPEM(caBytes); !ok {
+			return nil, err
+		}
+	}
+	cert, err := tls.LoadX509KeyPair(opt.TLSCertFile, opt.TLSKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	return credentials.NewTLS(&tls.Config{
+		ServerName:   opt.TLSServerName,
+		Certificates: []tls.Certificate{cert},
+		ClientCAs:    ca,
+	}), nil
+}
+
+func GetClientTlsCertificate(opt *TLSConfig) (credentials.TransportCredentials, error) {
+	//no TLS
+	if opt.TLSCertFile == "" && opt.TLSKeyFile == "" {
+		return nil, nil
+	}
+
+	if opt.CACertFile == "" {
+		return credentials.NewClientTLSFromFile(opt.TLSCertFile, opt.TLSServerName)
+	}
+
+	//need mTLS
+	ca := x509.NewCertPool()
+	caBytes, err := ioutil.ReadFile(opt.CACertFile)
+	if err != nil {
+		return nil, err
+	}
+	if ok := ca.AppendCertsFromPEM(caBytes); !ok {
+		return nil, err
+	}
+	cert, err := tls.LoadX509KeyPair(opt.TLSCertFile, opt.TLSKeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return credentials.NewTLS(&tls.Config{
+		ServerName:   opt.TLSServerName,
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      ca,
+	}), nil
+}
diff --git a/protocol/grpc/client.go b/protocol/grpc/client.go
@@ -32,6 +32,7 @@ import (
 	"github.com/opentracing/opentracing-go"
 
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 
 	"gopkg.in/yaml.v2"
 )
@@ -65,7 +66,6 @@ func NewClient(url *common.URL) (*Client, error) {
 	//connectTimeout := config.GetConsumerConfig().ConnectTimeout
 
 	dialOpts = append(dialOpts,
-		grpc.WithInsecure(),
 		grpc.WithBlock(),
 		// todo config network timeout
 		grpc.WithTimeout(time.Second*3),
@@ -77,6 +77,20 @@ func NewClient(url *common.URL) (*Client, error) {
 			grpc.MaxCallSendMsgSize(1024*1024*maxMessageSize),
 		),
 	)
+	if url.GetParam(constant.SslEnabledKey, "false") == "true" {
+		creds, err := config.GetClientTlsCertificate(&config.TLSConfig{
+			CACertFile:    url.GetParam(constant.CACert, ""),
+			TLSCertFile:   url.GetParam(constant.TLSCert, ""),
+			TLSKeyFile:    url.GetParam(constant.TLSKey, ""),
+			TLSServerName: url.GetParam(constant.TLSServerNAME, ""),
+		})
+		if err != nil {
+			return nil, err
+		}
+		dialOpts = append(dialOpts, grpc.WithTransportCredentials(creds))
+	} else {
+		dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	}
 
 	conn, err := grpc.Dial(url.Location, dialOpts...)
 	if err != nil {

diff --git a/protocol/grpc/server.go b/protocol/grpc/server.go
@@ -27,16 +27,20 @@ import (
 import (
 	"github.com/dubbogo/gost/log/logger"
 
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/reflection"
+
 	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
 
 	"github.com/opentracing/opentracing-go"
-
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/reflection"
 )
 
 import (
 	"dubbo.apache.org/dubbo-go/v3/common"
+	"dubbo.apache.org/dubbo-go/v3/common/constant"
 	"dubbo.apache.org/dubbo-go/v3/config"
 	"dubbo.apache.org/dubbo-go/v3/protocol"
 )
@@ -81,12 +85,30 @@ func (s *Server) Start(url *common.URL) {
 	// If global trace instance was set, then server tracer instance
 	// can be get. If not, will return NoopTracer.
 	tracer := opentracing.GlobalTracer()
-	server := grpc.NewServer(
+	var serverOpts []grpc.ServerOption
+	serverOpts = append(serverOpts,
 		grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer)),
 		grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(tracer)),
 		grpc.MaxRecvMsgSize(1024*1024*s.bufferSize),
 		grpc.MaxSendMsgSize(1024*1024*s.bufferSize),
 	)
+
+	if url.GetParam(constant.SslEnabledKey, "false") == "true" {
+		var creds credentials.TransportCredentials
+		creds, err = config.GetServerTlsCertificate(&config.TLSConfig{
+			CACertFile:    url.GetParam(constant.CACert, ""),
+			TLSCertFile:   url.GetParam(constant.TLSCert, ""),
+			TLSKeyFile:    url.GetParam(constant.TLSKey, ""),
+			TLSServerName: url.GetParam(constant.TLSServerNAME, ""),
+		})
+		if err != nil {
+			return
+		}
+		serverOpts = append(serverOpts, grpc.Creds(creds))
+	} else {
+		serverOpts = append(serverOpts, grpc.Creds(insecure.NewCredentials()))
+	}
+	server := grpc.NewServer(serverOpts...)
 	s.grpcServer = server
 
 	go func() {

diff --git a/remoting/getty/config.go b/remoting/getty/config.go
@@ -22,6 +22,8 @@ import (
 )
 
 import (
+	getty "github.com/apache/dubbo-getty"
+
 	perrors "github.com/pkg/errors"
 )
 
@@ -56,6 +58,7 @@ type (
 	// ServerConfig holds supported types by the multiconfig package
 	ServerConfig struct {
 		SSLEnabled bool
+		TLSBuilder getty.TlsConfigBuilder
 
 		// heartbeat
 		HeartbeatPeriod string `default:"60s" yaml:"heartbeat-period" json:"heartbeat-period,omitempty"`
@@ -81,6 +84,9 @@ type (
 
 	// ClientConfig holds supported types by the multi config package
 	ClientConfig struct {
+		SSLEnabled bool
+		TLSBuilder getty.TlsConfigBuilder
+
 		ReconnectInterval int `default:"0" yaml:"reconnect-interval" json:"reconnect-interval,omitempty"`
 
 		// session pool

diff --git a/remoting/getty/getty_client.go b/remoting/getty/getty_client.go
@@ -39,7 +39,6 @@ import (
 
 import (
 	"dubbo.apache.org/dubbo-go/v3/common"
-	"dubbo.apache.org/dubbo-go/v3/common/constant"
 	"dubbo.apache.org/dubbo-go/v3/config"
 	"dubbo.apache.org/dubbo-go/v3/remoting"
 )
@@ -75,6 +74,16 @@ func initClient(protocol string) {
 		logger.Info("use default getty client config")
 		return
 	} else {
+		//client tls config
+		if protocolConf.TLSConfig != nil {
+			clientConf.SSLEnabled = true
+			clientConf.TLSBuilder = &getty.ClientTlsConfigBuilder{
+				ClientKeyCertChainPath:        protocolConf.TLSConfig.TLSCertFile,
+				ClientPrivateKeyPath:          protocolConf.TLSConfig.TLSKeyFile,
+				ClientTrustCertCollectionPath: protocolConf.TLSConfig.CACertFile,
+			}
+		}
+		//getty params
 		gettyClientConfig := protocolConf.Params
 		if gettyClientConfig == nil {
 			logger.Debugf("gettyClientConfig is nil")
@@ -158,7 +167,7 @@ func (c *Client) SetExchangeClient(client *remoting.ExchangeClient) {
 func (c *Client) Connect(url *common.URL) error {
 	initClient(url.Protocol)
 	c.conf = *clientConf
-	c.sslEnabled = url.GetParamBool(constant.SslEnabledKey, false)
+	c.sslEnabled = c.conf.SSLEnabled
 	// codec
 	c.codec = remoting.GetCodec(url.Protocol)
 	c.addr = url.Location