frostfs-node/cmd/neofs-node/config/grpc/config.go
Evgenii Stratonikov d1be5b5f9e [#878] neofs-node: default to secure TLS settings
Support TLS >=1.2 only and strong cipher suites.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-12-02 12:05:41 +03:00

105 lines
2.4 KiB
Go

package grpcconfig
import (
"errors"
"strconv"
"github.com/nspcc-dev/neofs-node/cmd/neofs-node/config"
)
var (
errEndpointNotSet = errors.New("empty/not set endpoint, see `grpc.endpoint` section")
errTLSKeyNotSet = errors.New("empty/not set TLS key file path, see `grpc.tls.key` section")
errTLSCertNotSet = errors.New("empty/not set TLS certificate file path, see `grpc.tls.certificate` section")
)
// Config is a wrapper over the config section
// which provides access to gRPC server configurations.
type Config config.Config
// Endpoint returns value of "endpoint" config parameter.
//
// Panics if value is not a non-empty string.
func (x *Config) Endpoint() string {
v := config.StringSafe(
(*config.Config)(x),
"endpoint")
if v == "" {
panic(errEndpointNotSet)
}
return v
}
// TLS returns "tls" subsection as a TLSConfig.
//
// Returns nil if "enabled" value of "tls" subsection is false.
func (x *Config) TLS() *TLSConfig {
sub := (*config.Config)(x).
Sub("tls")
if !config.BoolSafe(sub, "enabled") {
return nil
}
return &TLSConfig{
cfg: sub,
}
}
// TLSConfig is a wrapper over the config section
// which provides access to TLS configurations
// of the gRPC server.
type TLSConfig struct {
cfg *config.Config
}
// KeyFile returns value of "key" config parameter.
//
// Panics if value is not a non-empty string.
func (tls TLSConfig) KeyFile() string {
v := config.StringSafe(tls.cfg, "key")
if v == "" {
panic(errTLSKeyNotSet)
}
return v
}
// CertificateFile returns value of "certificate" config parameter.
//
// Panics if value is not a non-empty string.
func (tls TLSConfig) CertificateFile() string {
v := config.StringSafe(tls.cfg, "certificate")
if v == "" {
panic(errTLSCertNotSet)
}
return v
}
// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted.
func (tls TLSConfig) UseInsecureCrypto() bool {
return config.BoolSafe(tls.cfg, "use_insecure_crypto")
}
// IterateEndpoints iterates over subsections ["0":"N") (N - "num" value)
// of "grpc" section of c, wrap them into Config and passes to f.
//
// Panics if N is not a positive number.
func IterateEndpoints(c *config.Config, f func(*Config)) {
c = c.Sub("grpc")
num := config.Uint(c, "num")
if num == 0 {
panic("no gRPC server configured")
}
for i := uint64(0); i < num; i++ {
si := strconv.FormatUint(i, 10)
sc := (*Config)(c.Sub(si))
f(sc)
}
}