[net] Add the ability to handle non-auth users

- TLS security is not degraded
- Unable to create unit tests

net/server.go

@@ -3,12 +3,13 @@ package net
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"log"
-	"net"
-
+	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/peer"
+	"log"
+	"net"
 )
 
 // NewServer creates a new grpc server with given tls credentials.
@@ -33,7 +34,7 @@ func NewServer(cert, key, ca []byte) *grpc.Server {
 		Certificates: []tls.Certificate{serverCert},
 		RootCAs:      caCertPool,
 		ClientCAs:    caCertPool,
-		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientAuth:   tls.VerifyClientCertIfGiven,
 	})
 
 	opts = []grpc.ServerOption{grpc.Creds(ta)}
@@ -55,3 +56,23 @@ func Listen(addrPort string, grpcServer *grpc.Server) {
 		grpclog.Fatalf("Failed to bind gRPC server: %v", err)
 	}
 }
+
+// GetTLSState returns the current tls connection state from a grpc context.
+// If you just need to check that the connected peer provides its certificate, use `GetCN`.
+func GetTLSState(ctx *context.Context) (tls.ConnectionState, bool) {
+	p, ok := peer.FromContext(*ctx)
+	if !ok {
+		return tls.ConnectionState{}, false
+	}
+	return p.AuthInfo.(credentials.TLSInfo).State, true
+}
+
+// GetCN returns the current common name of connected peer from grpc context.
+// The returned string is empty if encountering a non-auth peer.
+func GetCN(ctx *context.Context) string {
+	state, ok := GetTLSState(ctx)
+	if !ok || len(state.VerifiedChains) == 0 {
+		return ""
+	}
+	return state.VerifiedChains[0][0].Subject.CommonName
+}