This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch refactor-with-go
in repository https://gitbox.apache.org/repos/asf/dubbo-admin.git
The following commit(s) were added to refs/heads/refactor-with-go by this push:
new 468554b Enhance cert sign
468554b is described below
commit 468554b50475101081ffdc701f878aed68c82c3d
Author: Albumen Kevin <[email protected]>
AuthorDate: Thu Feb 23 16:12:36 2023 +0800
Enhance cert sign
---
ca/pkg/cert/util.go | 8 ++--
ca/pkg/security/server.go | 9 +++-
ca/pkg/v1alpha1/ca.pb.go | 96 ++++++++++++++++++++++---------------------
ca/pkg/v1alpha1/ca.proto | 8 ++--
ca/pkg/v1alpha1/ca_grpc.pb.go | 2 -
ca/pkg/v1alpha1/ca_impl.go | 55 ++++++++++++++++++-------
6 files changed, 107 insertions(+), 71 deletions(-)
diff --git a/ca/pkg/cert/util.go b/ca/pkg/cert/util.go
index 3314096..55d8e91 100644
--- a/ca/pkg/cert/util.go
+++ b/ca/pkg/cert/util.go
@@ -175,17 +175,17 @@ func SignFromCSR(csr *x509.CertificateRequest,
authorityCert *Cert, certValidity
return "", err
}
- pubPEM := new(bytes.Buffer)
- err = pem.Encode(pubPEM, &pem.Block{
+ certPem := new(bytes.Buffer)
+ err = pem.Encode(certPem, &pem.Block{
Type: "CERTIFICATE",
Bytes: result,
})
if err != nil {
return "", err
}
- pub := pubPEM.String()
+ cert := certPem.String()
- return pub, nil
+ return cert, nil
}
func EncodePri(caPrivKey *rsa.PrivateKey) string {
diff --git a/ca/pkg/security/server.go b/ca/pkg/security/server.go
index 531d574..0559c43 100644
--- a/ca/pkg/security/server.go
+++ b/ca/pkg/security/server.go
@@ -21,6 +21,8 @@ import (
"github.com/apache/dubbo-admin/ca/pkg/config"
"github.com/apache/dubbo-admin/ca/pkg/k8s"
"github.com/apache/dubbo-admin/ca/pkg/v1alpha1"
+ grpc_zap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap"
+ "go.uber.org/zap"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/reflection"
@@ -52,7 +54,6 @@ func (s *Server) Init() {
s.CertStorage = &cert.Storage{
AuthorityCert: &cert.Cert{},
- ServerCerts: map[string]*cert.Cert{},
TrustedCert: []*cert.Cert{},
Mutex: &sync.Mutex{},
CertValidity: s.Options.CertValidity,
@@ -71,6 +72,12 @@ func (s *Server) Init() {
KubeClient: s.KubeClient,
}
+ logger := zap.NewExample()
+ defer logger.Sync()
+
+ // Make sure that log statements internal to gRPC library are logged
using the zapLogger as well.
+ grpc_zap.ReplaceGrpcLoggerV2(logger)
+
s.PlainServer = grpc.NewServer()
v1alpha1.RegisterDubboCertificateServiceServer(s.PlainServer, impl)
reflection.Register(s.PlainServer)
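Review bot: `defer logger.Sync()` on the new line fires as soon as Init returns, yet the logger it flushes is installed process-wide by `grpc_zap.ReplaceGrpcLoggerV2(logger)` on the following line and keeps being used for the server's whole lifetime, so the deferred flush runs at the wrong time and its returned error is dropped. The `Sync` call belongs in the server's shutdown path, and the logger should be kept on the struct (or in package scope) so that path can reach it. `zap.NewExample()` is documented as intended for tests and examples; a long-running service would normally build the logger with `zap.NewProduction()` or from a `zap.Config` derived from `s.Options`, which also keeps gRPC's internal logging out of debug verbosity. Init starts before this hunk and continues past it.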
diff --git a/ca/pkg/v1alpha1/ca.pb.go b/ca/pkg/v1alpha1/ca.pb.go
index 7d72b56..84abc1a 100644
--- a/ca/pkg/v1alpha1/ca.pb.go
+++ b/ca/pkg/v1alpha1/ca.pb.go
@@ -20,8 +20,6 @@
// protoc v3.21.6
// source: v1alpha1/ca.proto
-// Keep this package for backward compatibility.
-
package v1alpha1
import (
@@ -39,25 +37,13 @@ const (
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
-// Certificate request message. The authentication should be based on:
-// 1. Bearer tokens carried in the side channel;
-// 2. Client-side certificate via Mutual TLS handshake.
-// Note: the service implementation is REQUIRED to verify the authenticated
caller is authorize to
-// all SANs in the CSR. The server side may overwrite any requested
certificate field based on its
-// policies.
type DubboCertificateRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
- // PEM-encoded certificate request.
- // The public key in the CSR is used to generate the certificate,
- // and other fields in the generated certificate may be overwritten by
the CA.
- Csr string `protobuf:"bytes,1,opt,name=csr,proto3"
json:"csr,omitempty"`
- Type string `protobuf:"bytes,2,opt,name=type,proto3"
json:"type,omitempty"`
- // $hide_from_docs
- // Optional: Opaque metadata provided by the XDS node to Istio.
- // Supported metadata: WorkloadName, WorkloadIP, ClusterID
+ Csr string `protobuf:"bytes,1,opt,name=csr,proto3"
json:"csr,omitempty"`
+ Type string `protobuf:"bytes,2,opt,name=type,proto3"
json:"type,omitempty"`
Metadata *structpb.Struct `protobuf:"bytes,3,opt,name=metadata,proto3"
json:"metadata,omitempty"`
}
@@ -114,17 +100,16 @@ func (x *DubboCertificateRequest) GetMetadata()
*structpb.Struct {
return nil
}
-// Certificate response message.
type DubboCertificateResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
- // PEM-encoded certificate chain.
- // The leaf cert is the first element, and the root cert is the last
element.
- PublicKey string
`protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3"
json:"public_key,omitempty"`
- TrustCerts []string
`protobuf:"bytes,2,rep,name=trust_certs,json=trustCerts,proto3"
json:"trust_certs,omitempty"`
- ExpireTime int64
`protobuf:"varint,3,opt,name=expire_time,json=expireTime,proto3"
json:"expire_time,omitempty"`
+ Success bool `protobuf:"varint,1,opt,name=success,proto3"
json:"success,omitempty"`
+ CertPem string
`protobuf:"bytes,2,opt,name=cert_pem,json=certPem,proto3"
json:"cert_pem,omitempty"`
+ TrustCerts []string
`protobuf:"bytes,3,rep,name=trust_certs,json=trustCerts,proto3"
json:"trust_certs,omitempty"`
+ ExpireTime int64
`protobuf:"varint,4,opt,name=expire_time,json=expireTime,proto3"
json:"expire_time,omitempty"`
+ Message string `protobuf:"bytes,5,opt,name=message,proto3"
json:"message,omitempty"`
}
func (x *DubboCertificateResponse) Reset() {
@@ -159,9 +144,16 @@ func (*DubboCertificateResponse) Descriptor() ([]byte,
[]int) {
return file_v1alpha1_ca_proto_rawDescGZIP(), []int{1}
}
-func (x *DubboCertificateResponse) GetPublicKey() string {
+func (x *DubboCertificateResponse) GetSuccess() bool {
+ if x != nil {
+ return x.Success
+ }
+ return false
+}
+
+func (x *DubboCertificateResponse) GetCertPem() string {
if x != nil {
- return x.PublicKey
+ return x.CertPem
}
return ""
}
@@ -180,6 +172,13 @@ func (x *DubboCertificateResponse) GetExpireTime() int64 {
return 0
}
+func (x *DubboCertificateResponse) GetMessage() string {
+ if x != nil {
+ return x.Message
+ }
+ return ""
+}
+
var File_v1alpha1_ca_proto protoreflect.FileDescriptor
var file_v1alpha1_ca_proto_rawDesc = []byte{
@@ -195,29 +194,32 @@ var file_v1alpha1_ca_proto_rawDesc = []byte{
0x70, 0x65, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61,
0x74, 0x61, 0x18, 0x03,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63,
0x74, 0x52, 0x08, 0x6d,
- 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7b, 0x0a, 0x18, 0x44,
0x75, 0x62, 0x62, 0x6f,
- 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52,
0x65, 0x73, 0x70, 0x6f,
- 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69,
0x63, 0x5f, 0x6b, 0x65,
- 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62,
0x6c, 0x69, 0x63, 0x4b,
- 0x65, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f,
0x63, 0x65, 0x72, 0x74,
- 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x74, 0x72, 0x75,
0x73, 0x74, 0x43, 0x65,
- 0x72, 0x74, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x78, 0x70, 0x69, 0x72,
0x65, 0x5f, 0x74, 0x69,
- 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0a, 0x65, 0x78,
0x70, 0x69, 0x72, 0x65,
- 0x54, 0x69, 0x6d, 0x65, 0x32, 0xa4, 0x01, 0x0a, 0x17, 0x44, 0x75, 0x62,
0x62, 0x6f, 0x43, 0x65,
- 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72,
0x76, 0x69, 0x63, 0x65,
- 0x12, 0x88, 0x01, 0x0a, 0x11, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x43,
0x65, 0x72, 0x74, 0x69,
- 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x37, 0x2e, 0x6f, 0x72, 0x67,
0x2e, 0x61, 0x70, 0x61,
- 0x63, 0x68, 0x65, 0x2e, 0x64, 0x75, 0x62, 0x62, 0x6f, 0x2e, 0x61, 0x75,
0x74, 0x68, 0x2e, 0x76,
- 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x75, 0x62, 0x62,
0x6f, 0x43, 0x65, 0x72,
- 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75,
0x65, 0x73, 0x74, 0x1a,
- 0x38, 0x2e, 0x6f, 0x72, 0x67, 0x2e, 0x61, 0x70, 0x61, 0x63, 0x68, 0x65,
0x2e, 0x64, 0x75, 0x62,
- 0x62, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c,
0x70, 0x68, 0x61, 0x31,
- 0x2e, 0x44, 0x75, 0x62, 0x62, 0x6f, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74,
- 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42,
0x2d, 0x50, 0x01, 0x5a,
- 0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
0x61, 0x70, 0x61, 0x63,
- 0x68, 0x65, 0x2f, 0x64, 0x75, 0x62, 0x62, 0x6f, 0x2d, 0x61, 0x64, 0x6d,
0x69, 0x6e, 0x2f, 0x63,
- 0x61, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06,
0x70, 0x72, 0x6f, 0x74,
- 0x6f, 0x33,
+ 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xab, 0x01, 0x0a, 0x18,
0x44, 0x75, 0x62, 0x62,
+ 0x6f, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
0x52, 0x65, 0x73, 0x70,
+ 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x63, 0x63,
0x65, 0x73, 0x73, 0x18,
+ 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x73, 0x75, 0x63, 0x63, 0x65,
0x73, 0x73, 0x12, 0x19,
+ 0x0a, 0x08, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x70, 0x65, 0x6d, 0x18, 0x02,
0x20, 0x01, 0x28, 0x09,
+ 0x52, 0x07, 0x63, 0x65, 0x72, 0x74, 0x50, 0x65, 0x6d, 0x12, 0x1f, 0x0a,
0x0b, 0x74, 0x72, 0x75,
+ 0x73, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03,
0x28, 0x09, 0x52, 0x0a,
+ 0x74, 0x72, 0x75, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x1f,
0x0a, 0x0b, 0x65, 0x78,
+ 0x70, 0x69, 0x72, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x04, 0x20,
0x01, 0x28, 0x03, 0x52,
+ 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12,
0x18, 0x0a, 0x07, 0x6d,
+ 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
0x52, 0x07, 0x6d, 0x65,
+ 0x73, 0x73, 0x61, 0x67, 0x65, 0x32, 0xa4, 0x01, 0x0a, 0x17, 0x44, 0x75,
0x62, 0x62, 0x6f, 0x43,
+ 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65,
0x72, 0x76, 0x69, 0x63,
+ 0x65, 0x12, 0x88, 0x01, 0x0a, 0x11, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
0x43, 0x65, 0x72, 0x74,
+ 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x37, 0x2e, 0x6f, 0x72,
0x67, 0x2e, 0x61, 0x70,
+ 0x61, 0x63, 0x68, 0x65, 0x2e, 0x64, 0x75, 0x62, 0x62, 0x6f, 0x2e, 0x61,
0x75, 0x74, 0x68, 0x2e,
+ 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x75, 0x62,
0x62, 0x6f, 0x43, 0x65,
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71,
0x75, 0x65, 0x73, 0x74,
+ 0x1a, 0x38, 0x2e, 0x6f, 0x72, 0x67, 0x2e, 0x61, 0x70, 0x61, 0x63, 0x68,
0x65, 0x2e, 0x64, 0x75,
+ 0x62, 0x62, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x61,
0x6c, 0x70, 0x68, 0x61,
+ 0x31, 0x2e, 0x44, 0x75, 0x62, 0x62, 0x6f, 0x43, 0x65, 0x72, 0x74, 0x69,
0x66, 0x69, 0x63, 0x61,
+ 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
0x42, 0x2d, 0x50, 0x01,
+ 0x5a, 0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
0x2f, 0x61, 0x70, 0x61,
+ 0x63, 0x68, 0x65, 0x2f, 0x64, 0x75, 0x62, 0x62, 0x6f, 0x2d, 0x61, 0x64,
0x6d, 0x69, 0x6e, 0x2f,
+ 0x63, 0x61, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62,
0x06, 0x70, 0x72, 0x6f,
+ 0x74, 0x6f, 0x33,
}
var (
diff --git a/ca/pkg/v1alpha1/ca.proto b/ca/pkg/v1alpha1/ca.proto
index 77d8fc0..60c5f58 100644
--- a/ca/pkg/v1alpha1/ca.proto
+++ b/ca/pkg/v1alpha1/ca.proto
@@ -33,9 +33,11 @@ message DubboCertificateRequest {
}
message DubboCertificateResponse {
- string public_key = 1;
- repeated string trust_certs = 2;
- int64 expire_time = 3;
+ bool success = 1;
+ string cert_pem = 2;
+ repeated string trust_certs = 3;
+ int64 expire_time = 4;
+ string message = 5;
}
service DubboCertificateService {
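Review bot: The renumbering of `trust_certs` (2 → 3) and `expire_time` (3 → 4) breaks wire compatibility for any client built against the previous message: such a client will decode the new `cert_pem` string as its field 2 `trust_certs` element and the new `trust_certs` as its field 3 `expire_time`, which fails to parse because the wire type no longer matches. If compatibility matters on this branch, keep the existing numbers and append the new fields instead, e.g. `string cert_pem = 1; repeated string trust_certs = 2; int64 expire_time = 3; bool success = 4; string message = 5;`, and reserve the old name with `reserved "public_key";`. If the break is intentional because nothing has shipped against this schema yet, a one-line comment on the message saying so would save the next reader from asking.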
diff --git a/ca/pkg/v1alpha1/ca_grpc.pb.go b/ca/pkg/v1alpha1/ca_grpc.pb.go
index c71e1af..aa14c4a 100644
--- a/ca/pkg/v1alpha1/ca_grpc.pb.go
+++ b/ca/pkg/v1alpha1/ca_grpc.pb.go
@@ -22,7 +22,6 @@ const _ = grpc.SupportPackageIsVersion7
//
// For semantics around ctx use and closing/ending streaming RPCs, please
refer to
https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type DubboCertificateServiceClient interface {
- // Using provided CSR, returns a signed certificate.
CreateCertificate(ctx context.Context, in *DubboCertificateRequest,
opts ...grpc.CallOption) (*DubboCertificateResponse, error)
}
@@ -47,7 +46,6 @@ func (c *dubboCertificateServiceClient) CreateCertificate(ctx
context.Context, i
// All implementations must embed UnimplementedDubboCertificateServiceServer
// for forward compatibility
type DubboCertificateServiceServer interface {
- // Using provided CSR, returns a signed certificate.
CreateCertificate(context.Context, *DubboCertificateRequest)
(*DubboCertificateResponse, error)
mustEmbedUnimplementedDubboCertificateServiceServer()
}
diff --git a/ca/pkg/v1alpha1/ca_impl.go b/ca/pkg/v1alpha1/ca_impl.go
index ad7df3a..f07e29e 100644
--- a/ca/pkg/v1alpha1/ca_impl.go
+++ b/ca/pkg/v1alpha1/ca_impl.go
@@ -21,6 +21,7 @@ import (
"github.com/apache/dubbo-admin/ca/pkg/config"
"github.com/apache/dubbo-admin/ca/pkg/k8s"
"google.golang.org/grpc/metadata"
+ "google.golang.org/grpc/peer"
"log"
"strings"
"time"
@@ -35,45 +36,71 @@ type DubboCertificateServiceServerImpl struct {
func (s *DubboCertificateServiceServerImpl) CreateCertificate(c
context.Context, req *DubboCertificateRequest) (*DubboCertificateResponse,
error) {
csr, _ := cert.LoadCSR(req.Csr)
+ p, _ := peer.FromContext(c)
+
if s.Options.EnableKubernetes {
md, ok := metadata.FromIncomingContext(c)
if !ok {
- log.Printf("Failed to get metadata from context.")
- return &DubboCertificateResponse{}, nil
+ log.Printf("Failed to get metadata from context.
RemoteAddr: %s", p.Addr.String())
+ return &DubboCertificateResponse{
+ Success: false,
+ Message: "Failed to get metadata from context.",
+ }, nil
}
authorization, ok := md["authorization"]
if !ok || len(authorization) != 1 {
- log.Printf("Failed to get Authorization header from
context.")
- return &DubboCertificateResponse{}, nil
+ log.Printf("Failed to get Authorization header from
context. RemoteAddr: %s", p.Addr.String())
+ return &DubboCertificateResponse{
+ Success: false,
+ Message: "Failed to get Authorization header
from context.",
+ }, nil
}
if !strings.HasPrefix(authorization[0], "Bearer ") {
- log.Printf("Failed to get Authorization header from
context.")
- return &DubboCertificateResponse{}, nil
+ log.Printf("Failed to get Authorization header from
context. RemoteAddr: %s", p.Addr.String())
+ return &DubboCertificateResponse{
+ Success: false,
+ Message: "Failed to get Authorization header
from context.",
+ }, nil
}
token := strings.ReplaceAll(authorization[0], "Bearer ", "")
// TODO load principal from k8s
if !s.KubeClient.VerifyServiceAccount(token) {
- log.Printf("Failed to verify Authorization header from
kubernetes.")
- return &DubboCertificateResponse{}, nil
+ log.Printf("Failed to verify Authorization header from
kubernetes. RemoteAddr: %s", p.Addr.String())
+ return &DubboCertificateResponse{
+ Success: false,
+ Message: "Failed to verify Authorization header
from kubernetes.",
+ }, nil
}
}
// TODO check server token
if csr == nil {
- return &DubboCertificateResponse{}, nil
+ log.Printf("Failed to decode csr. RemoteAddr: %s",
p.Addr.String())
+ return &DubboCertificateResponse{
+ Success: false,
+ Message: "Failed to read csr",
+ }, nil
}
- publicKey, err := cert.SignFromCSR(csr, s.CertStorage.AuthorityCert,
s.Options.CertValidity)
+ certPem, err := cert.SignFromCSR(csr, s.CertStorage.AuthorityCert,
s.Options.CertValidity)
if err != nil {
- log.Printf("Failed to sign certificate from csr: %v", err)
- return &DubboCertificateResponse{}, nil
+ log.Printf("Failed to sign certificate from csr: %v.
RemoteAddr: %s", err, p.Addr.String())
+ return &DubboCertificateResponse{
+ Success: false,
+ Message: err.Error(),
+ }, nil
}
+
+ log.Printf("Success to sign certificate from csr. RemoteAddr: %s",
p.Addr.String())
+
return &DubboCertificateResponse{
- PublicKey: publicKey,
+ Success: true,
+ Message: "OK",
+ CertPem: certPem,
TrustCerts: []string{s.CertStorage.AuthorityCert.CertPem},
- ExpireTime: time.Now().AddDate(0, 0, 1).UnixMilli(),
+ ExpireTime: time.Now().UnixMilli() + (s.Options.CertValidity /
2),
}, nil
}
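Review bot: `p, _ := peer.FromContext(c)` discards the ok flag, and every failure branch then dereferences `p.Addr.String()`; when no peer is attached to the context (in-process or test invocations, or any interceptor that rebuilds the context) `p` is nil and the handler panics instead of returning the new error response. Resolving the address once into a plain string and using that in the six log lines removes the nil path and also stops repeating the same expression. Separately, `Message: err.Error()` in the signing branch now forwards the internal error text from cert.SignFromCSR to the caller while the same text is already in the server log; a fixed message such as `"Failed to sign certificate from csr"` would keep the response to what the client needs. The comment `// TODO load principal from k8s` above the `VerifyServiceAccount` call is unchanged by this commit, so the success log line still cannot name the authenticated principal; worth noting in that TODO that the log should carry it once available.
```go
func (s *DubboCertificateServiceServerImpl) CreateCertificate(c context.Context, req *DubboCertificateRequest) (*DubboCertificateResponse, error) {
	csr, _ := cert.LoadCSR(req.Csr)
	// peer may be absent (no transport, interceptor-rebuilt ctx); never dereference a nil *peer.Peer.
	remote := "unknown"
	if p, ok := peer.FromContext(c); ok && p.Addr != nil {
		remote = p.Addr.String()
	}
	// … unchanged: kubernetes metadata / bearer token checks, with p.Addr.String() replaced by remote …
	// … unchanged: csr nil check and SignFromCSR call, with p.Addr.String() replaced by remote …
	log.Printf("Success to sign certificate from csr. RemoteAddr: %s", remote)
	// … unchanged: success response …
```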