rpcsrv: Allow to enable mTLS

If RootCA setting is enabled in the configuration, use it to verify client certificate. Signed-off-by: Evgenii Stratonikov <fyfyrchik@runbox.com>
2024-06-05 14:30:48 +03:00 · 2024-06-05 14:30:48 +03:00 · 90efaa4771
commit 90efaa4771
parent 5cbfe215a4
2 changed files with 28 additions and 3 deletions
--- a/pkg/config/rpc_config.go
+++ b/pkg/config/rpc_config.go
@ -29,8 +29,10 @@ type (

 	// TLS describes SSL/TLS configuration.
 	TLS struct {
-		BasicService `yaml:",inline"`
-		CertFile     string `yaml:"CertFile"`
-		KeyFile      string `yaml:"KeyFile"`
+		BasicService       `yaml:",inline"`
+		RootCA             []string `yaml:"RootCAs"`
+		InsecureSkipVerify bool     `yaml:"InsecureSkipVerify"`
+		CertFile           string   `yaml:"CertFile"`
+		KeyFile            string   `yaml:"KeyFile"`
 	}
 )
--- a/pkg/services/rpcsrv/server.go
+++ b/pkg/services/rpcsrv/server.go
@ -4,6 +4,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/elliptic"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/binary"
 	"encoding/hex"
 	"encoding/json"
@ -13,6 +15,7 @@ import (
 	"math/big"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 	"sync"
@ -409,7 +412,27 @@ func (s *Server) Start() {
 	}

 	if cfg := s.config.TLSConfig; cfg.Enabled {
+		caCertPool := x509.NewCertPool()
+		for _, f := range cfg.RootCA {
+			data, err := os.ReadFile(f)
+			if err != nil {
+				s.errChan <- err
+				return
+			}
+
+			caCertPool.AppendCertsFromPEM(data)
+		}
+
 		for _, srv := range s.https {
+			if len(cfg.RootCA) == 0 {
+				s.log.Warn("client CAs are not provided, mTLS is disabled")
+				cfg.InsecureSkipVerify = true
+			}
+			srv.TLSConfig = &tls.Config{
+				ClientCAs:          caCertPool,
+				ClientAuth:         tls.RequireAndVerifyClientCert,
+				InsecureSkipVerify: cfg.InsecureSkipVerify,
+			}
 			srv.Handler = http.HandlerFunc(s.handleHTTPRequest)
 			s.log.Info("starting rpc-server (https)", zap.String("endpoint", srv.Addr))