From e10981a7d30a80276dff1494683ab91642f864cf Mon Sep 17 00:00:00 2001 From: Pavel Karpy Date: Fri, 14 May 2021 12:11:49 +0300 Subject: [PATCH] [#549] grpc/server: Add TLS encryption Add TLS to config. Add server side encryption if it is configured so. Signed-off-by: Pavel Karpy --- cmd/neofs-node/config.go | 25 +++++++++++++++++++++++++ cmd/neofs-node/grpc.go | 16 ++++++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/cmd/neofs-node/config.go b/cmd/neofs-node/config.go index 6ceb5ff12..b22ee099c 100644 --- a/cmd/neofs-node/config.go +++ b/cmd/neofs-node/config.go @@ -68,6 +68,9 @@ const ( // config keys for cfgGRPC cfgListenAddress = "grpc.endpoint" + cfgTLSEnabled = "grpc.tls.enabled" + cfgTLSCertFile = "grpc.tls.certificate" + cfgTLSKeyFile = "grpc.tls.key" // config keys for API client cache cfgAPIClientDialTimeout = "apiclient.dial_timeout" @@ -206,6 +209,10 @@ type cfgGRPC struct { maxChunkSize uint64 maxAddrAmount uint64 + + tlsEnabled bool + tlsCertFile string + tlsKeyFile string } type cfgMorph struct { @@ -335,6 +342,18 @@ func initCfg(path string) *cfg { maxChunkSize := uint64(maxMsgSize) * 3 / 4 // 25% to meta, 75% to payload maxAddrAmount := uint64(maxChunkSize) / addressSize // each address is about 72 bytes + var ( + tlsEnabled bool + tlsCertFile string + tlsKeyFile string + ) + + if viperCfg.GetBool(cfgTLSEnabled) { + tlsEnabled = true + tlsCertFile = viperCfg.GetString(cfgTLSCertFile) + tlsKeyFile = viperCfg.GetString(cfgTLSKeyFile) + } + state := newNetworkState() containerWorkerPool, err := ants.NewPool(notificationHandlerPoolSize) @@ -377,6 +396,9 @@ func initCfg(path string) *cfg { cfgGRPC: cfgGRPC{ maxChunkSize: maxChunkSize, maxAddrAmount: maxAddrAmount, + tlsEnabled: tlsEnabled, + tlsCertFile: tlsCertFile, + tlsKeyFile: tlsKeyFile, }, localAddr: netAddr, respSvc: response.NewService( 
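Review bot: In the `@@ -335` hunk of initCfg, the `tlsEnabled` branch copies the certificate and key paths without checking that they are set, so `grpc.tls.enabled: true` combined with the default empty `grpc.tls.certificate`/`grpc.tls.key` is only reported later, as a file-open error out of initGRPC, rather than as a configuration error that names the offending keys. The `tlsEnabled = true` assignment inside the branch is also redundant once the flag is read straight from viper. The rewrite below assumes `errors` is available in config.go — if it is not imported, use whatever error constructor the file already has. initCfg starts and ends outside the hunk.

```go
	tlsEnabled := viperCfg.GetBool(cfgTLSEnabled)

	var tlsCertFile, tlsKeyFile string
	if tlsEnabled {
		tlsCertFile = viperCfg.GetString(cfgTLSCertFile)
		tlsKeyFile = viperCfg.GetString(cfgTLSKeyFile)
		// Fail here with a message that names the config keys instead of
		// letting an empty path surface later as an opaque open() error.
		if tlsCertFile == "" || tlsKeyFile == "" {
			fatalOnErr(errors.New("grpc.tls.enabled is set but grpc.tls.certificate or grpc.tls.key is empty"))
		}
	}

	// … unchanged: newNetworkState, worker pool, cfg construction …
```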
@@ -430,6 +452,9 @@ func defaultConfiguration(v *viper.Viper) { v.SetDefault(cfgMorphNotifyDialTimeout, 5*time.Second) v.SetDefault(cfgListenAddress, "127.0.0.1:50501") // listen address + v.SetDefault(cfgTLSEnabled, false) + v.SetDefault(cfgTLSCertFile, "") + v.SetDefault(cfgTLSKeyFile, "") v.SetDefault(cfgAPIClientDialTimeout, 5*time.Second) diff --git a/cmd/neofs-node/grpc.go b/cmd/neofs-node/grpc.go index 050c408b9..6f7205a33 100644 --- a/cmd/neofs-node/grpc.go +++ b/cmd/neofs-node/grpc.go @@ -7,6 +7,7 @@ import ( "github.com/nspcc-dev/neofs-node/pkg/util/logger" "go.uber.org/zap" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" ) func initGRPC(c *cfg) { @@ -15,9 +16,20 @@ func initGRPC(c *cfg) { c.cfgGRPC.listener, err = net.Listen("tcp", c.viper.GetString(cfgListenAddress)) fatalOnErr(err) - c.cfgGRPC.server = grpc.NewServer( + serverOpts := []grpc.ServerOption{ grpc.MaxSendMsgSize(maxMsgSize), - ) + } + + if c.cfgGRPC.tlsEnabled { + creds, err := credentials.NewServerTLSFromFile(c.cfgGRPC.tlsCertFile, c.cfgGRPC.tlsKeyFile) + if err != nil { + fatalOnErr(fmt.Errorf("could not read credentionals from file: %w", err)) + } + + serverOpts = append(serverOpts, grpc.Creds(creds)) + } + + c.cfgGRPC.server = grpc.NewServer(serverOpts...) c.onShutdown(func() { stopGRPC("NeoFS Public API", c.cfgGRPC.server, c.log)
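Review bot: `credentials.NewServerTLSFromFile` in the `@@ -15` hunk of initGRPC builds a `tls.Config` that carries only the certificate, so the listener accepts whichever minimum protocol version the Go runtime defaults to (TLS 1.0 on the server side for toolchains of this commit's era, as far as I recall); loading the key pair yourself and passing an explicit `MinVersion: tls.VersionTLS12` through `credentials.NewTLS` pins that, at the cost of a `crypto/tls` import. Two smaller things in the same block: the error message misspells "credentials" as `credentionals`, and `creds, err :=` shadows the `err` declared for `net.Listen` a few lines up, which `go vet`-style shadow checks will flag. initGRPC starts before the hunk and continues past it.

```go
	if c.cfgGRPC.tlsEnabled {
		cert, err := tls.LoadX509KeyPair(c.cfgGRPC.tlsCertFile, c.cfgGRPC.tlsKeyFile)
		if err != nil {
			fatalOnErr(fmt.Errorf("could not read credentials from file: %w", err))
		}

		// Pin the floor explicitly rather than inheriting the runtime default.
		serverOpts = append(serverOpts, grpc.Creds(credentials.NewTLS(&tls.Config{
			Certificates: []tls.Certificate{cert},
			MinVersion:   tls.VersionTLS12,
		})))
	}

	// … unchanged: grpc.NewServer(serverOpts...) and onShutdown hook …
```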