thehackercat commented on code in PR #1945: URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r964599566
########## xds/credentials/certprovider/remote/istioca_client.go: ########## @@ -0,0 +1,211 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Copyright Istio Authors + +package remote + +import ( + "context" + "crypto/tls" + "crypto/x509" + "errors" + "fmt" + "log" + "path/filepath" + "strings" + "time" +) + +import ( + structpb "github.com/golang/protobuf/ptypes/struct" + + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/metadata" +) + +import ( + v1alpha1 "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote/v1alpha1" +) + +const ( + // CertSigner info + CertSigner = "CertSigner" +) + +type Options struct { + CAEndpoint string + CAEndpointSAN string + + TokenProvider credentials.PerRPCCredentials + GRPCOptions []grpc.DialOption + + CertSigner string + ClusterID string + + TrustedRoots *x509.CertPool + + // ProvCert contains a long-lived 'provider' certificate that will be + // exchanged with the workload certificate. + // It is a cert signed by same CA (or a CA trusted by Istiod). + // It is still exchanged because Istiod may add info to the cert. + ProvCert string +} + +type CitadelClient struct { + enableTLS bool + client v1alpha1.IstioCertificateServiceClient + conn *grpc.ClientConn + opts *Options +} + +// NewCitadelClient create a CA client for Citadel. +func NewCitadelClient(opts *Options) (*CitadelClient, error) { + c := &CitadelClient{ + enableTLS: true, + opts: opts, + } + + conn, err := c.buildConnection() + + if err != nil { + log.Printf("Failed to connect to endpoint %s: %v", opts.CAEndpoint, err) + return nil, fmt.Errorf("failed to connect to endpoint %s", opts.CAEndpoint) + } + c.conn = conn + c.client = v1alpha1.NewIstioCertificateServiceClient(conn) + return c, nil +} + +func (c *CitadelClient) Close() { + if c.conn != nil { + c.conn.Close() + } +} + +// CSR Sign calls Citadel to sign a CSR. +func (c *CitadelClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) { + crMetaStruct := &structpb.Struct{ + Fields: map[string]*structpb.Value{ + CertSigner: { + Kind: &structpb.Value_StringValue{StringValue: c.opts.CertSigner}, + }, + }, + } + req := &v1alpha1.IstioCertificateRequest{ + Csr: string(csrPEM), + ValidityDuration: certValidTTLInSec, + Metadata: crMetaStruct, + } + ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("ClusterID", c.opts.ClusterID)) + resp, err := c.client.CreateCertificate(ctx, req) + if err != nil { + return nil, fmt.Errorf("create certificate: %v", err) + } + + if len(resp.CertChain) <= 1 { + return nil, errors.New("invalid empty CertChain") + } + + return resp.CertChain, nil +} + +func (c *CitadelClient) getTLSDialOption() (grpc.DialOption, error) { + // Load the TLS root certificate from the specified file. + // Create a certificate pool + var certPool *x509.CertPool + var err error + if c.opts.TrustedRoots == nil { + // No explicit certificate - assume the citadel-compatible server uses a public cert + certPool, err = x509.SystemCertPool() + if err != nil { + return nil, err + } + } else { + certPool = c.opts.TrustedRoots + } + var certificate tls.Certificate + config := tls.Config{ + GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { + if c.opts.ProvCert != "" { + // Load the certificate from disk + certificate, err = tls.LoadX509KeyPair( + filepath.Join(c.opts.ProvCert, "cert-chain.pem"), + filepath.Join(c.opts.ProvCert, "key.pem")) + + if err != nil { + // we will return an empty cert so that when user sets the Prov cert path + // but not have such cert in the file path we use the token to provide verification + // instead of just broken the workflow + log.Printf("cannot load key pair, using token instead: %v", err) + return &certificate, nil + } + if certificate.Leaf.NotAfter.Before(time.Now()) { + log.Printf("cannot parse the cert chain, using token instead: %v", err) + return &tls.Certificate{}, nil + } + } + return &certificate, nil + }, + } + config.RootCAs = certPool + + // For debugging on localhost (with port forward) + // TODO: remove once istiod is stable and we have a way to validate JWTs locally + if strings.Contains(c.opts.CAEndpoint, "localhost") { + config.ServerName = "istiod.istio-system.svc" + } + if c.opts.CAEndpointSAN != "" { + config.ServerName = c.opts.CAEndpointSAN + } + + transportCreds := credentials.NewTLS(&config) + return grpc.WithTransportCredentials(transportCreds), nil +} + +func (c *CitadelClient) buildConnection() (*grpc.ClientConn, error) { + var ol []grpc.DialOption + var opts grpc.DialOption + var err error + if c.enableTLS { + opts, err = c.getTLSDialOption() + if err != nil { + return nil, err + } + ol = append(ol, opts) + } else { + opts = grpc.WithInsecure() + ol = append(ol, opts) + } + ol = append(ol, grpc.WithPerRPCCredentials(c.opts.TokenProvider)) + ol = append(ol, c.opts.GRPCOptions...) + //security.CARetryInterceptor()) Review Comment: we should add it back ? https://github.com/istio/istio/blob/master/security/pkg/nodeagent/caclient/providers/citadel/client.go#L210 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
