[
https://issues.apache.org/jira/browse/SCB-714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532345#comment-16532345
]
ASF GitHub Bot commented on SCB-714:
------------------------------------
little-cui closed pull request #386: SCB-714 Support TLS plugin
URL: https://github.com/apache/incubator-servicecomb-service-center/pull/386
This PR was merged from a forked repository. GitHub hides the original diff once such a pull request is merged, so the diff is reproduced below for the sake of provenance:
diff --git a/.gitignore b/.gitignore
index 2ca3e69b..72f2e11b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,17 +9,13 @@ service-center.iml
vendor/**
!vendor/manifest
-!vendor/manifest/github.com/grpc-ecosystem/go-grpc-prometheus
-!vendor/manifest/github.com/grpc-ecosystem/grpc-gateway
# for local UT
-server/service/conf/
-frontend/conf/
+**/conf/
+!etc/conf/
frontend/app/bower_components
etc/data/
etc/ssl/
-integration/conf/
frontend/bower_components/
frontend/node_modules/
-server/govern/conf/
tmp/
\ No newline at end of file
diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index 02bd0213..4b49680a 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -106,6 +106,7 @@ limit_iplookups = "RemoteAddr,X-Forwarded-For,X-Real-IP"
###################################################################
# ssl/tls options
###################################################################
+ssl_plugin = ""
# 0=Non-SSL mode, 1==SSL mode
ssl_mode = 0
ssl_verify_client = 1
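Review bot: The new `ssl_plugin` key is added with no comment saying what value it accepts or what the empty default means, while the neighbouring `ssl_mode` line does carry one. From the plugin registry in this same PR the empty string presumably selects the built-in certificate loader and a non-empty value names a `*_plugin.so`, but an operator reading only this file cannot tell. Add `# name of the plugin that loads the TLS certificates and private key; empty selects the buildin loader` above the key, worded to match however the plugin manager actually resolves the name.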
diff --git a/pkg/rest/client.go b/pkg/rest/client.go
index 2fcac6d8..6fc15d15 100644
--- a/pkg/rest/client.go
+++ b/pkg/rest/client.go
@@ -21,14 +21,11 @@ import (
"compress/gzip"
"encoding/json"
"fmt"
- "github.com/apache/incubator-servicecomb-service-center/pkg/tlsutil"
"github.com/apache/incubator-servicecomb-service-center/pkg/util"
- sctls
"github.com/apache/incubator-servicecomb-service-center/server/tls"
"io"
"io/ioutil"
"net"
"net/http"
- "net/url"
"reflect"
"time"
)
@@ -43,7 +40,7 @@ const (
type HttpClient struct {
gzip bool
- client *http.Client
+ Client *http.Client
}
func NewDialer() *net.Dialer {
@@ -58,38 +55,10 @@ func NewTransport() *http.Transport {
Dial: NewDialer().Dial,
MaxIdleConnsPerHost: 5,
ResponseHeaderTimeout: DEFAULT_HTTP_RESPONSE_TIMEOUT,
+ TLSHandshakeTimeout: DEFAULT_TLS_HANDSHAKE_TIMEOUT,
}
}
-func getTLSTransport(verifyPeer bool, supplyCert bool, verifyCN bool)
(transport *http.Transport, err error) {
- opts := append(sctls.DefaultClientTLSOptions(),
- tlsutil.WithVerifyPeer(verifyPeer),
- tlsutil.WithVerifyHostName(verifyCN),
- )
-
- if supplyCert {
- _, decrypt := sctls.GetPassphase()
- opts = append(opts,
- tlsutil.WithKeyPass(decrypt),
- )
- } else {
- opts = append(opts,
- tlsutil.WithCert(""),
- tlsutil.WithKey(""),
- )
- }
-
- tlsConfig, err := tlsutil.GetClientTLSConfig(opts...)
- if err != nil {
- return nil, err
- }
-
- transport = NewTransport()
- transport.TLSClientConfig = tlsConfig
- transport.TLSHandshakeTimeout = DEFAULT_TLS_HANDSHAKE_TIMEOUT
- return transport, nil
-}
-
/**
获取普通HTTP客户端
*/
@@ -97,78 +66,15 @@ func getTLSTransport(verifyPeer bool, supplyCert bool,
verifyCN bool) (transport
func GetHttpClient(gzip bool) (client *HttpClient, err error) {
return &HttpClient{
gzip: gzip,
- client: &http.Client{
+ Client: &http.Client{
Transport: NewTransport(),
Timeout: DEFAULT_REQUEST_TIMEOUT,
},
}, nil
}
-/**
- 获取匿名认证HTTP客户端(支持压缩, 不校验对端, 不提供证书, 不校验CN)
-*/
-func GetAnonymousHttpsClient(gzip bool) (client *HttpClient, err error) {
- return getHttpsClient(gzip, false, false, false)
-}
-
-/**
- 获取TLS认证HTTP客户端(支持压缩,提供证书,是否认证对端通过参数控制)
-*/
-func GetHttpsClient(gzip, verifyPeer bool) (client *HttpClient, err error) {
- return getHttpsClient(gzip, verifyPeer, true, false)
-}
-
-func getClientByScheme(scheme string) (*HttpClient, error) {
- var err error
- var client *HttpClient
- if scheme == "https" {
- client, err = getHttpsClient(false, false, true, false)
- if err != nil {
- util.Logger().Error("Create https rest.client failed.",
err)
- return nil, err
- }
- return client, nil
- }
- client, err = GetHttpClient(false)
- if err != nil {
- util.Logger().Error("Create http rest.client failed.", err)
- return nil, err
- }
- return client, nil
-}
-
-func GetClient(urlPath string) (*HttpClient, error) {
- var err error
- urlParsed, err := url.Parse(urlPath)
- if err != nil {
- util.Logger().Errorf(err, "nonstandard url %s", urlPath)
- return nil, err
- }
- return getClientByScheme(urlParsed.Scheme)
-}
-
-/**
- 获取TLS认证HTTP客户端
- gzip 控制是否支持压缩
- verifyPeer 控制是否认证客户端
- supplyCert 控制是否加载和发送证书
- verifyCN 控制是否认证对端CN
-*/
-func getHttpsClient(gzip, verifyPeer, supplyCert, verifyCN bool) (client
*HttpClient, err error) {
- transport, err := getTLSTransport(verifyPeer, supplyCert, verifyCN)
- if err != nil {
- util.Logger().Errorf(err, "get tls transport failed.")
- }
-
- client = &HttpClient{
- gzip: gzip,
- client: &http.Client{
- Transport: transport,
- Timeout: DEFAULT_REQUEST_TIMEOUT,
- },
- }
-
- return client, nil
+func GetClient() (*HttpClient, error) {
+ return GetHttpClient(false)
}
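Review bot: `GetClient()` now returns a plain `NewTransport()` client with no `TLSClientConfig`, so a caller that previously obtained the service-center client certificate, trust store and hostname settings from the scheme-based helpers now gets Go's default verification against the system roots and presents no client certificate. If that is the intent, it needs a doc comment, e.g. `// GetClient returns a non-gzip HTTP client with no TLS settings; callers that need the service-center certificates must set Client.Transport themselves.` Exporting `Client` is what makes that injection possible, but it also means a nil or replaced `Client` is dereferenced unchecked in `httpDo`/`HttpDo`, which sit in later hunks of this file.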
func (client *HttpClient) getHeaders(method string, headers map[string]string,
body interface{}) map[string]string {
@@ -264,7 +170,7 @@ func (client *HttpClient) httpDo(method string, url string,
headers map[string]s
req.Header.Set(key, value)
}
- resp, err := client.client.Do(req)
+ resp, err := client.Client.Do(req)
if err != nil {
util.Logger().Errorf(err, "invoke request failed.")
return status, result
@@ -327,7 +233,7 @@ func (client *HttpClient) HttpDo(method string, url string,
headers map[string]s
req.Header.Set(key, value)
}
- resp, err := client.client.Do(req)
+ resp, err := client.Client.Do(req)
if err != nil {
util.Logger().Errorf(err, "Request -----> %s failed.", url)
return resp, err
@@ -352,5 +258,5 @@ func (client *HttpClient) Delete(url string, headers
map[string]string) (int, st
}
func (client *HttpClient) Do(req *http.Request) (*http.Response, error) {
- return client.client.Do(req)
+ return client.Client.Do(req)
}
diff --git a/pkg/tlsutil/common.go b/pkg/tlsutil/common.go
new file mode 100644
index 00000000..ac4c3112
--- /dev/null
+++ b/pkg/tlsutil/common.go
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package tlsutil
+
+import (
+ "crypto/tls"
+)
+
+// const
+var TLS_CIPHER_SUITE_MAP = map[string]uint16{
+ "TLS_RSA_WITH_AES_128_GCM_SHA256":
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_RSA_WITH_AES_256_GCM_SHA384":
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_RSA_WITH_AES_128_CBC_SHA256":
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+}
+
+var TLS_VERSION_MAP = map[string]uint16{
+ "TLSv1.0": tls.VersionTLS10,
+ "TLSv1.1": tls.VersionTLS11,
+ "TLSv1.2": tls.VersionTLS12,
+}
+
+var TLS_CIPHER_SUITE []uint16
+
+func init() {
+ for _, c := range TLS_CIPHER_SUITE_MAP {
+ TLS_CIPHER_SUITE = append(TLS_CIPHER_SUITE, c)
+ }
+}
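Review bot: `TLS_CIPHER_SUITE` is filled in `init()` by ranging over a map, so its order changes from one process start to the next; `tls.Config.CipherSuites` is a preference list, and with server-side preference the suite negotiated with a given client can therefore differ between restarts, which is also awkward to audit. Declare the slice as an explicit literal with the forward-secret ECDHE suites first and drop `init()`. The `TLS_RSA_*` entries use RSA key exchange and give no forward secrecy; keeping them in the map lets operators opt in via `ssl_ciphers`, but they should not lead the default order.

```go
// TLS_CIPHER_SUITE is the default preference order: forward-secret ECDHE
// suites first, then the RSA-key-exchange suites kept for compatibility.
var TLS_CIPHER_SUITE = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
}
// … removed: the init() loop that appended map values in iteration order …
```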
diff --git a/pkg/tlsutil/config.go b/pkg/tlsutil/config.go
new file mode 100644
index 00000000..60b62468
--- /dev/null
+++ b/pkg/tlsutil/config.go
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package tlsutil
+
+import (
+ "crypto/tls"
+)
+
+type SSLConfig struct {
+ VerifyPeer bool
+ VerifyHostName bool
+ CipherSuites []uint16
+ MinVersion uint16
+ MaxVersion uint16
+ CACertFile string
+ CertFile string
+ KeyFile string
+ KeyPassphase string
+}
+
+type SSLConfigOption func(*SSLConfig)
+
+func WithVerifyPeer(b bool) SSLConfigOption { return func(c *SSLConfig) {
c.VerifyPeer = b } }
+func WithVerifyHostName(b bool) SSLConfigOption { return func(c *SSLConfig) {
c.VerifyHostName = b } }
+func WithCipherSuits(s []uint16) SSLConfigOption { return func(c *SSLConfig) {
c.CipherSuites = s } }
+func WithVersion(min, max uint16) SSLConfigOption {
+ return func(c *SSLConfig) { c.MinVersion, c.MaxVersion = min, max }
+}
+func WithCert(f string) SSLConfigOption { return func(c *SSLConfig) {
c.CertFile = f } }
+func WithKey(k string) SSLConfigOption { return func(c *SSLConfig) {
c.KeyFile = k } }
+func WithKeyPass(p string) SSLConfigOption { return func(c *SSLConfig) {
c.KeyPassphase = p } }
+func WithCA(f string) SSLConfigOption { return func(c *SSLConfig) {
c.CACertFile = f } }
+
+func toSSLConfig(opts ...SSLConfigOption) (op SSLConfig) {
+ for _, opt := range opts {
+ opt(&op)
+ }
+ return
+}
+
+func DefaultClientTLSOptions() []SSLConfigOption {
+ return []SSLConfigOption{
+ WithVerifyPeer(true),
+ WithVerifyHostName(true),
+ WithVersion(tls.VersionTLS12, tls.VersionTLS12),
+ }
+}
+
+func DefaultServerTLSOptions() []SSLConfigOption {
+ return []SSLConfigOption{
+ WithVerifyPeer(true),
+ WithVersion(tls.VersionTLS12, tls.VersionTLS12),
+ WithCipherSuits(TLS_CIPHER_SUITE),
+ }
+}
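Review bot: None of the exported names in this new file has a doc comment, and the two default option sets differ in a way a reader needs explained: `DefaultServerTLSOptions` restricts ciphers to `TLS_CIPHER_SUITE` while `DefaultClientTLSOptions` leaves `CipherSuites` nil, so the client side falls back to Go's default list unless the caller adds `WithCipherSuits`. Add `// DefaultClientTLSOptions verifies the peer chain and host name and pins TLS 1.2; cipher suites are left to the Go defaults unless overridden.` and `// DefaultServerTLSOptions requires a verified client certificate, pins TLS 1.2 and restricts ciphers to TLS_CIPHER_SUITE.`, plus a note on `WithVersion` that nothing checks `min <= max` and both values are handed to `tls.Config` as-is. The misspelled `WithCipherSuits` is exported and already used elsewhere in this PR, so renaming it would be a separate change.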
diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
index d7d10fb9..063b30f5 100644
--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
@@ -25,52 +25,6 @@ import (
"strings"
)
-var TLS_CIPHER_SUITE_MAP = map[string]uint16{
- "TLS_RSA_WITH_AES_128_GCM_SHA256":
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_RSA_WITH_AES_256_GCM_SHA384":
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_RSA_WITH_AES_128_CBC_SHA256":
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-}
-
-var TLS_VERSION_MAP = map[string]uint16{
- "TLSv1.0": tls.VersionTLS10,
- "TLSv1.1": tls.VersionTLS11,
- "TLSv1.2": tls.VersionTLS12,
-}
-
-type SSLConfig struct {
- VerifyPeer bool
- VerifyHostName bool
- CipherSuites []uint16
- MinVersion uint16
- MaxVersion uint16
- CACertFile string
- CertFile string
- KeyFile string
- KeyPassphase string
-}
-
-type SSLConfigOption func(*SSLConfig)
-
-func WithVerifyPeer(b bool) SSLConfigOption { return func(c *SSLConfig) {
c.VerifyPeer = b } }
-func WithVerifyHostName(b bool) SSLConfigOption { return func(c *SSLConfig) {
c.VerifyHostName = b } }
-func WithCipherSuits(s []uint16) SSLConfigOption { return func(c *SSLConfig) {
c.CipherSuites = s } }
-func WithVersion(min, max uint16) SSLConfigOption {
- return func(c *SSLConfig) { c.MinVersion, c.MaxVersion = min, max }
-}
-func WithCert(f string) SSLConfigOption { return func(c *SSLConfig) {
c.CertFile = f } }
-func WithKey(k string) SSLConfigOption { return func(c *SSLConfig) {
c.KeyFile = k } }
-func WithKeyPass(p string) SSLConfigOption { return func(c *SSLConfig) {
c.KeyPassphase = p } }
-func WithCA(f string) SSLConfigOption { return func(c *SSLConfig) {
c.CACertFile = f } }
-
-func toSSLConfig(opts ...SSLConfigOption) (op SSLConfig) {
- for _, opt := range opts {
- opt(&op)
- }
- return
-}
-
func ParseSSLCipherSuites(ciphers string, permitTlsCipherSuiteMap
map[string]uint16) []uint16 {
if len(ciphers) == 0 || len(permitTlsCipherSuiteMap) == 0 {
return nil
@@ -221,9 +175,11 @@ func GetServerTLSConfig(opts ...SSLConfigOption)
(tlsConfig *tls.Config, err err
}
var certs []tls.Certificate
- certs, err = LoadTLSCertificate(cfg.CertFile, cfg.KeyFile,
cfg.KeyPassphase)
- if err != nil {
- return nil, err
+ if len(cfg.CertFile) > 0 {
+ certs, err = LoadTLSCertificate(cfg.CertFile, cfg.KeyFile,
cfg.KeyPassphase)
+ if err != nil {
+ return nil, err
+ }
}
tlsConfig = &tls.Config{
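Review bot: Making the certificate optional here means a server config with an empty `CertFile` is now returned without error, and the failure moves to the first handshake, where `crypto/tls` rejects the connection because `Certificates` is empty (unless something outside this hunk sets `GetCertificate`). If the intent is to let a plugin supply the certificate later, say so in a comment; otherwise the guard should at least treat a half-specified pair as a misconfiguration, `if cfg.CertFile != "" || cfg.KeyFile != "" {`, so a configured key with an empty cert path surfaces as an error from `LoadTLSCertificate` instead of being silently skipped. `GetServerTLSConfig` begins and ends outside this hunk.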
diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
index ebfe94ce..4a51f746 100644
--- a/pkg/tlsutil/tlsutil_test.go
+++ b/pkg/tlsutil/tlsutil_test.go
@@ -16,7 +16,11 @@
*/
package tlsutil
-import "testing"
+import (
+ "crypto/tls"
+ "io/ioutil"
+ "testing"
+)
func TestParseDefaultSSLCipherSuites(t *testing.T) {
c := ParseDefaultSSLCipherSuites("")
@@ -36,3 +40,76 @@ func TestParseDefaultSSLCipherSuites(t *testing.T) {
t.FailNow()
}
}
+
+func TestGetServerTLSConfig(t *testing.T) {
+ sslRoot := "../../etc/ssl/"
+ pw, _ := ioutil.ReadFile(sslRoot + "cert_pwd")
+ opts := append(DefaultServerTLSOptions(),
+ WithVerifyPeer(true),
+ WithVersion(ParseSSLProtocol("TLSv1.0"), tls.VersionTLS12),
+
WithCipherSuits(ParseDefaultSSLCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")),
+ WithKeyPass(string(pw)),
+ WithCA(sslRoot+"trust.cer"),
+ WithCert(sslRoot+"server.cer"),
+ WithKey(sslRoot+"server_key.pem"),
+ )
+ serverTLSConfig, err := GetServerTLSConfig(opts...)
+ if err != nil {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if len(serverTLSConfig.Certificates) == 0 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.ClientCAs == nil {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if len(serverTLSConfig.CipherSuites) != 2 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.MinVersion != tls.VersionTLS10 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.MaxVersion != tls.VersionTLS12 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.ClientAuth != tls.RequireAndVerifyClientCert {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+}
+
+func TestGetClientTLSConfig(t *testing.T) {
+ sslRoot := "../../etc/ssl/"
+ pw, _ := ioutil.ReadFile(sslRoot + "cert_pwd")
+ opts := append(DefaultServerTLSOptions(),
+ WithVerifyPeer(true),
+ WithVerifyHostName(false),
+ WithVersion(ParseSSLProtocol("TLSv1.0"), tls.VersionTLS12),
+
WithCipherSuits(ParseDefaultSSLCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")),
+ WithKeyPass(string(pw)),
+ WithCA(sslRoot+"trust.cer"),
+ WithCert(sslRoot+"server.cer"),
+ WithKey(sslRoot+"server_key.pem"),
+ )
+ clientTLSConfig, err := GetClientTLSConfig(opts...)
+ if err != nil {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if len(clientTLSConfig.Certificates) == 0 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.RootCAs == nil {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if len(clientTLSConfig.CipherSuites) != 2 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.MinVersion != tls.VersionTLS10 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.MaxVersion != tls.VersionTLS12 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.InsecureSkipVerify != true {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+}
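Review bot: `TestGetClientTLSConfig` asserts `InsecureSkipVerify == true` as the expected outcome of `WithVerifyPeer(true)` plus `WithVerifyHostName(false)`; in `crypto/tls` that flag disables the whole chain check, not only the host-name match, so unless `GetClientTLSConfig` also installs a `VerifyPeerCertificate` callback (not visible here) the test is pinning a configuration in which `RootCAs` is loaded but never consulted. Either assert that the callback is set or expect `false` and fix the producer. The test also starts from `DefaultServerTLSOptions()` rather than `DefaultClientTLSOptions()`, which looks like a copy of the server test, and `pw, _ := ioutil.ReadFile(...)` discards the error, so a missing `cert_pwd` turns into a confusing passphrase failure; the fixtures under `etc/ssl/` are excluded by the `.gitignore` hunk in this PR, so these tests presumably depend on locally generated material and that should be stated in a comment.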
diff --git a/server/bootstrap/bootstrap.go b/server/bootstrap/bootstrap.go
index 90f98ec3..184cb6d4 100644
--- a/server/bootstrap/bootstrap.go
+++ b/server/bootstrap/bootstrap.go
@@ -42,6 +42,9 @@ import _
"github.com/apache/incubator-servicecomb-service-center/server/plugin/i
// tracing
import _
"github.com/apache/incubator-servicecomb-service-center/server/plugin/infra/tracing/buildin"
+// tls
+import _
"github.com/apache/incubator-servicecomb-service-center/server/plugin/infra/tls/buildin"
+
// module 'govern'
import _ "github.com/apache/incubator-servicecomb-service-center/server/govern"
diff --git a/server/infra/tls/tls.go b/server/infra/tls/tls.go
new file mode 100644
index 00000000..e27a20d6
--- /dev/null
+++ b/server/infra/tls/tls.go
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package tls
+
+import "crypto/tls"
+
+type TLS interface {
+ ClientConfig() (*tls.Config, error)
+
+ ServerConfig() (*tls.Config, error)
+}
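Review bot: The new interface and its package carry no doc comments, and naming the package `tls` means every importer that also needs `crypto/tls` must alias one of them (`plugin.go` in this PR imports this package as `tls`, while `rest/server.go` and `rpc/server.go` use `tls.Config` from the standard library). Add a package comment and `// TLS is the plugin contract for producing the client and server tls.Config used by the registry client, the embedded etcd, and the REST and gRPC listeners.`, and consider a package name such as `tlsplugin` so `crypto/tls` keeps its natural name at call sites.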
diff --git a/server/plugin/README.md b/server/plugin/README.md
index c11ed53d..5ca70cff 100644
--- a/server/plugin/README.md
+++ b/server/plugin/README.md
@@ -3,6 +3,7 @@
1. Go version 1.8(+)
1. Compile service-center with GO_EXTLINK_ENABLED=1 and CGO_ENABLED=1
1. The plugin file name must has suffix '_plugin.so'
+1. All plugin interface files are in [infra](/server/infra) package
## Plug-in names
1. auth, Customize authentication of service-center.
@@ -11,11 +12,14 @@
1. cipher, Customize encryption and decryption of TLS certificate private key
password.
1. quota, Customize quota for instance registry.
1. tracing, Customize tracing data reporter.
+1. tls, Customize loading the tls certificates in server
## Example: an authentication plug-in
### Step 1: code auth.go
+auth.go is the implement from [auth interface](/server/infra/auth/auth.go)
+
```go
package main
diff --git a/server/plugin/infra/registry/embededetcd/embededetcd.go
b/server/plugin/infra/registry/embededetcd/embededetcd.go
index 1d013208..3c115331 100644
--- a/server/plugin/infra/registry/embededetcd/embededetcd.go
+++ b/server/plugin/infra/registry/embededetcd/embededetcd.go
@@ -25,7 +25,6 @@ import (
"github.com/apache/incubator-servicecomb-service-center/server/core"
"github.com/apache/incubator-servicecomb-service-center/server/infra/registry"
mgr
"github.com/apache/incubator-servicecomb-service-center/server/plugin"
- sctls
"github.com/apache/incubator-servicecomb-service-center/server/tls"
"github.com/astaxie/beego"
"github.com/coreos/etcd/embed"
"github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"
@@ -520,7 +519,7 @@ func getEmbedInstance() mgr.PluginInstance {
if core.ServerInfo.Config.SslEnabled {
var err error
- embedTLSConfig, err = sctls.GetServerTLSConfig()
+ embedTLSConfig, err = mgr.Plugins().TLS().ServerConfig()
if err != nil {
util.Logger().Error("get service center tls config
failed", err)
inst.err <- err
diff --git a/server/plugin/infra/registry/etcd/etcd.go
b/server/plugin/infra/registry/etcd/etcd.go
index 81b8636a..6a4d5db6 100644
--- a/server/plugin/infra/registry/etcd/etcd.go
+++ b/server/plugin/infra/registry/etcd/etcd.go
@@ -25,7 +25,6 @@ import (
"github.com/apache/incubator-servicecomb-service-center/server/core"
"github.com/apache/incubator-servicecomb-service-center/server/infra/registry"
mgr
"github.com/apache/incubator-servicecomb-service-center/server/plugin"
- sctls
"github.com/apache/incubator-servicecomb-service-center/server/tls"
"github.com/coreos/etcd/clientv3"
"github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"
"github.com/coreos/etcd/mvcc/mvccpb"
@@ -729,7 +728,7 @@ func NewRegistry() mgr.PluginInstance {
if sslEnabled() {
var err error
// go client tls限制,提供身份证书、不认证服务端、不校验CN
- clientTLSConfig, err = sctls.GetClientTLSConfig()
+ clientTLSConfig, err = mgr.Plugins().TLS().ClientConfig()
if err != nil {
util.Logger().Error("get etcd client tls config
failed", err)
inst.err <- err
diff --git a/server/plugin/infra/tls/buildin/buildin.go
b/server/plugin/infra/tls/buildin/buildin.go
new file mode 100644
index 00000000..1b404e4f
--- /dev/null
+++ b/server/plugin/infra/tls/buildin/buildin.go
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package buildin
+
+import (
+ "crypto/tls"
+ mgr
"github.com/apache/incubator-servicecomb-service-center/server/plugin"
+)
+
+func init() {
+ mgr.RegisterPlugin(mgr.Plugin{mgr.TLS, "buildin", New})
+}
+
+func New() mgr.PluginInstance {
+ return &DefaultTLS{}
+}
+
+// DefaultTLS support new the *tls.Config object from certs and private key
with password
+type DefaultTLS struct {
+}
+
+func (c *DefaultTLS) ClientConfig() (*tls.Config, error) {
+ df, ok := mgr.DynamicPluginFunc(mgr.TLS, "ClientConfig").(func()
(*tls.Config, error))
+ if ok {
+ return df()
+ }
+ return GetClientTLSConfig()
+}
+
+func (c *DefaultTLS) ServerConfig() (*tls.Config, error) {
+ df, ok := mgr.DynamicPluginFunc(mgr.TLS, "ServerConfig").(func()
(*tls.Config, error))
+ if ok {
+ return df()
+ }
+ return GetServerTLSConfig()
+}
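Review bot: When a dynamically loaded plugin exports `ClientConfig`/`ServerConfig` with a signature other than `func() (*tls.Config, error)`, the `ok` check fails and both methods silently fall back to the built-in certificate files, so an operator who set `ssl_plugin` expecting their own trust material would run with the default files and nothing in the logs says so. Log the mismatch (or return an error) before falling through, using the project logger if it is importable here, e.g. `util.Logger().Errorf(nil, "tls plugin symbol ClientConfig has unexpected type, using buildin config")`. The type and methods also lack doc comments; `// ClientConfig returns the config from the loaded TLS plugin when it exports a matching ClientConfig func, otherwise the buildin one.`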
diff --git a/server/tls/tls.go b/server/plugin/infra/tls/buildin/tls.go
similarity index 89%
rename from server/tls/tls.go
rename to server/plugin/infra/tls/buildin/tls.go
index 118bde46..9ed80643 100644
--- a/server/tls/tls.go
+++ b/server/plugin/infra/tls/buildin/tls.go
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package tls
+package buildin
import (
"crypto/tls"
@@ -61,30 +61,6 @@ func GetPassphase() (pass string, decrypt string) {
return pass, decrypt
}
-func DefaultClientTLSOptions() []tlsutil.SSLConfigOption {
- return []tlsutil.SSLConfigOption{
- tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
- tlsutil.WithVerifyHostName(false),
-
tlsutil.WithVersion(tlsutil.ParseSSLProtocol(beego.AppConfig.DefaultString("ssl_client_min_version",
- core.ServerInfo.Config.SslMinVersion)),
tls.VersionTLS12),
-
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(beego.AppConfig.String("ssl_client_ciphers"))),
- tlsutil.WithCA(GetSSLPath("trust.cer")),
- tlsutil.WithCert(GetSSLPath("server.cer")),
- tlsutil.WithKey(GetSSLPath("server_key.pem")),
- }
-}
-
-func DefaultServerTLSOptions() []tlsutil.SSLConfigOption {
- return []tlsutil.SSLConfigOption{
- tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
-
tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion),
tls.VersionTLS12),
-
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers)),
- tlsutil.WithCA(GetSSLPath("trust.cer")),
- tlsutil.WithCert(GetSSLPath("server.cer")),
- tlsutil.WithKey(GetSSLPath("server_key.pem")),
- }
-}
-
func GetClientTLSConfig() (_ *tls.Config, err error) {
mux.Lock()
defer mux.Unlock()
@@ -94,8 +70,18 @@ func GetClientTLSConfig() (_ *tls.Config, err error) {
passphase, decrypt := GetPassphase()
- opts := append(DefaultClientTLSOptions(),
+ opts := append(tlsutil.DefaultClientTLSOptions(),
+ tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
+ tlsutil.WithVerifyHostName(false),
+ tlsutil.WithVersion(
+ tlsutil.ParseSSLProtocol(
+
beego.AppConfig.DefaultString("ssl_client_min_version",
core.ServerInfo.Config.SslMinVersion)),
+ tls.VersionTLS12),
+
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(beego.AppConfig.String("ssl_client_ciphers"))),
tlsutil.WithKeyPass(decrypt),
+ tlsutil.WithCA(GetSSLPath("trust.cer")),
+ tlsutil.WithCert(GetSSLPath("server.cer")),
+ tlsutil.WithKey(GetSSLPath("server_key.pem")),
)
clientTLSConfig, err = tlsutil.GetClientTLSConfig(opts...)
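Review bot: `tlsutil.DefaultClientTLSOptions()` enables host-name verification and this hunk immediately disables it again with `tlsutil.WithVerifyHostName(false)`, unconditionally and with no configuration knob, while `ssl_verify_peer`, the minimum version and the ciphers are all read from config. The comment in `etcd.go` calls this a Go client TLS limitation, and the companion tests expect `InsecureSkipVerify == true`, which in `crypto/tls` also suppresses the chain check; if the built-in loader is meant to verify the server at all, this needs a `VerifyPeerCertificate` callback or a config option, and at minimum a comment here, `// host-name checks are disabled because the etcd endpoints are addressed by IP; peer chain verification relies on ...`, filled in with the actual reason. `GetClientTLSConfig` starts before this hunk and continues after it.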
@@ -118,8 +104,14 @@ func GetServerTLSConfig() (_ *tls.Config, err error) {
passphase, decrypt := GetPassphase()
- opts := append(DefaultServerTLSOptions(),
+ opts := append(tlsutil.DefaultServerTLSOptions(),
+ tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
+
tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion),
tls.VersionTLS12),
+
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers)),
tlsutil.WithKeyPass(decrypt),
+ tlsutil.WithCA(GetSSLPath("trust.cer")),
+ tlsutil.WithCert(GetSSLPath("server.cer")),
+ tlsutil.WithKey(GetSSLPath("server_key.pem")),
)
serverTLSConfig, err = tlsutil.GetServerTLSConfig(opts...)
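Review bot: The curated cipher list set by `tlsutil.DefaultServerTLSOptions()` is overwritten a few lines later by `WithCipherSuits(ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers))`; `ParseSSLCipherSuites` returns nil for an empty string, so if `ssl_ciphers` is left unset the server ends up with `CipherSuites == nil`, i.e. Go's full default list rather than `TLS_CIPHER_SUITE` (assuming `ParseDefaultSSLCipherSuites` passes the empty string through, which is outside this diff). Only override the default when the operator configured something; the same pattern applies to `ssl_client_ciphers` in the client hunk above. `GetServerTLSConfig` starts before this hunk and continues after it.

```go
	opts := append(tlsutil.DefaultServerTLSOptions(),
		tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
		tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion), tls.VersionTLS12),
		// … unchanged: key passphrase, CA, cert and key options …
	)
	// Keep the curated default list unless ssl_ciphers is explicitly set.
	if suites := tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers); len(suites) > 0 {
		opts = append(opts, tlsutil.WithCipherSuits(suites))
	}
```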
diff --git a/server/plugin/infra/tls/buildin/tls_test.go
b/server/plugin/infra/tls/buildin/tls_test.go
new file mode 100644
index 00000000..04ade81d
--- /dev/null
+++ b/server/plugin/infra/tls/buildin/tls_test.go
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package buildin
+
+import (
+ "crypto/tls"
+ _
"github.com/apache/incubator-servicecomb-service-center/server/plugin/infra/security/buildin"
+ "os"
+ "testing"
+)
+
+func init() {
+ sslRoot := "../../../../../etc/ssl/"
+ os.Setenv("SSL_ROOT", sslRoot)
+}
+
+func TestGetServerTLSConfig(t *testing.T) {
+ serverTLSConfig, err := GetServerTLSConfig()
+ if err != nil {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if len(serverTLSConfig.Certificates) == 0 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.ClientCAs == nil {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if len(serverTLSConfig.CipherSuites) != 4 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.MinVersion != tls.VersionTLS12 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.MaxVersion != tls.VersionTLS12 {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+ if serverTLSConfig.ClientAuth != tls.RequireAndVerifyClientCert {
+ t.Fatalf("GetServerTLSConfig failed")
+ }
+}
+
+func TestGetClientTLSConfig(t *testing.T) {
+ clientTLSConfig, err := GetClientTLSConfig()
+ if err != nil {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if len(clientTLSConfig.Certificates) == 0 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.RootCAs == nil {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if len(clientTLSConfig.CipherSuites) != 0 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.MinVersion != tls.VersionTLS12 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.MaxVersion != tls.VersionTLS12 {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+ if clientTLSConfig.InsecureSkipVerify != true {
+ t.Fatalf("GetClientTLSConfig failed")
+ }
+}
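Review bot: `init()` sets `SSL_ROOT` for the whole test binary and never restores it, and the directory it points at (`etc/ssl/`) is excluded by the `.gitignore` hunk in this PR, so these tests only pass on a machine where that material was generated by hand; state that in a comment, `// requires locally generated certs and cert_pwd under etc/ssl`, or set the variable per test and `defer os.Unsetenv("SSL_ROOT")`. The assertion `len(serverTLSConfig.CipherSuites) != 4` depends on whatever `ssl_ciphers` default `core.ServerInfo.Config` reads from a config file outside this diff, so it will fail on any change to that default with a message that does not say why; and, as in the `tlsutil` test, expecting `InsecureSkipVerify == true` pins the built-in client to a mode where the loaded `RootCAs` is not used for chain verification.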
diff --git a/server/plugin/plugin.go b/server/plugin/plugin.go
index 308a7132..7c8c1c2e 100644
--- a/server/plugin/plugin.go
+++ b/server/plugin/plugin.go
@@ -25,6 +25,7 @@ import (
"github.com/apache/incubator-servicecomb-service-center/server/infra/quota"
"github.com/apache/incubator-servicecomb-service-center/server/infra/registry"
"github.com/apache/incubator-servicecomb-service-center/server/infra/security"
+
"github.com/apache/incubator-servicecomb-service-center/server/infra/tls"
"github.com/apache/incubator-servicecomb-service-center/server/infra/tracing"
"github.com/apache/incubator-servicecomb-service-center/server/infra/uuid"
"github.com/astaxie/beego"
@@ -42,6 +43,7 @@ const (
QUOTA
REGISTRY
TRACING
+ TLS
typeEnd
)
@@ -53,6 +55,7 @@ var pluginNames = map[PluginName]string{
QUOTA: "quota",
REGISTRY: "registry",
TRACING: "trace",
+ TLS: "ssl",
}
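Review bot: The plugin is registered under the name `"ssl"` here, but the README hunk in this PR documents the plug-in name as `tls` and the Go constant is `TLS`; whichever string the manager uses to resolve the `<name>_plugin` config key and the `_plugin.so` file, plugin authors will follow the README. Pick one: either `TLS: "tls"` with the `app.conf` key renamed to match, or change the README line to `1. ssl, Customize loading the tls certificates in server`. The `ssl_plugin = ""` default added to `app.conf` suggests `ssl` is the name the manager actually looks up.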
var pluginMgr = &PluginManager{}
@@ -223,6 +226,10 @@ func (pm *PluginManager) Tracing() tracing.Tracing {
return pm.Instance(TRACING).(tracing.Tracing)
}
+func (pm *PluginManager) TLS() tls.TLS {
+ return pm.Instance(TLS).(tls.TLS)
+}
+
func Plugins() *PluginManager {
return pluginMgr
}
diff --git a/server/rest/server.go b/server/rest/server.go
index 005d919a..ec151c5c 100644
--- a/server/rest/server.go
+++ b/server/rest/server.go
@@ -21,7 +21,7 @@ import (
"github.com/apache/incubator-servicecomb-service-center/pkg/rest"
"github.com/apache/incubator-servicecomb-service-center/pkg/util"
"github.com/apache/incubator-servicecomb-service-center/server/core"
- sctls
"github.com/apache/incubator-servicecomb-service-center/server/tls"
+ "github.com/apache/incubator-servicecomb-service-center/server/plugin"
"net/http"
"time"
)
@@ -39,7 +39,7 @@ func LoadConfig() (srvCfg *rest.ServerConfig, err error) {
maxHeaderBytes := int(core.ServerInfo.Config.MaxHeaderBytes)
var tlsConfig *tls.Config
if core.ServerInfo.Config.SslEnabled {
- tlsConfig, err = sctls.GetServerTLSConfig()
+ tlsConfig, err = plugin.Plugins().TLS().ServerConfig()
if err != nil {
return
}
diff --git a/server/rpc/server.go b/server/rpc/server.go
index 140323b2..8c2a6624 100644
--- a/server/rpc/server.go
+++ b/server/rpc/server.go
@@ -20,7 +20,7 @@ import (
"github.com/apache/incubator-servicecomb-service-center/pkg/rpc"
"github.com/apache/incubator-servicecomb-service-center/pkg/util"
"github.com/apache/incubator-servicecomb-service-center/server/core"
- sctls
"github.com/apache/incubator-servicecomb-service-center/server/tls"
+ "github.com/apache/incubator-servicecomb-service-center/server/plugin"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"net"
@@ -38,7 +38,7 @@ func (srv *Server) Serve() error {
func NewServer(ipAddr string) (_ *Server, err error) {
var grpcSrv *grpc.Server
if core.ServerInfo.Config.SslEnabled {
- tlsConfig, err := sctls.GetServerTLSConfig()
+ tlsConfig, err := plugin.Plugins().TLS().ServerConfig()
if err != nil {
util.Logger().Error("error to get server tls config",
err)
return nil, err
> Support TLS plugin
> ------------------
>
> Key: SCB-714
> URL: https://issues.apache.org/jira/browse/SCB-714
> Project: Apache ServiceComb
> Issue Type: New Feature
> Components: Service-Center
> Reporter: little-cui
> Assignee: little-cui
> Priority: Major
>