Commit e6553f47 authored by Richer Maximilien's avatar Richer Maximilien

Merge branch '263_net_nonauth_handling' into 'master'

[net] Add the ability to handle non-auth users

- TLS security is not degraded
- No unit tests: the author was unable to write unit tests for this change

See merge request !13
parents f9d27003 5dc7d485
Pipeline #172 passed with stage
......@@ -3,12 +3,13 @@ package net
import (
"crypto/tls"
"crypto/x509"
"log"
"net"
"golang.org/x/net/context"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/grpclog"
"google.golang.org/grpc/peer"
"log"
"net"
)
// NewServer creates a new grpc server with given tls credentials.
......@@ -33,7 +34,7 @@ func NewServer(cert, key, ca []byte) *grpc.Server {
Certificates: []tls.Certificate{serverCert},
RootCAs: caCertPool,
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
ClientAuth: tls.VerifyClientCertIfGiven,
})
opts = []grpc.ServerOption{grpc.Creds(ta)}
......@@ -55,3 +56,23 @@ func Listen(addrPort string, grpcServer *grpc.Server) {
grpclog.Fatalf("Failed to bind gRPC server: %v", err)
}
}
// GetTLSState returns the current tls connection state from a grpc context.
// If you just need to check that the connected peer provides its certificate, use `GetCN`.
func GetTLSState(ctx *context.Context) (tls.ConnectionState, bool) {
p, ok := peer.FromContext(*ctx)
if !ok {
return tls.ConnectionState{}, false
}
return p.AuthInfo.(credentials.TLSInfo).State, true
}
// GetCN returns the current common name of connected peer from grpc context.
// The returned string is empty if encountering a non-auth peer.
func GetCN(ctx *context.Context) string {
state, ok := GetTLSState(ctx)
if !ok || len(state.VerifiedChains) == 0 {
return ""
}
return state.VerifiedChains[0][0].Subject.CommonName
}
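Review bot: `p.AuthInfo.(credentials.TLSInfo)` in GetTLSState is a single-value type assertion, so a context from a connection whose AuthInfo is nil or of another credentials type (an insecure listener, a different transport credential) would panic and take the server down rather than return false; use the two-value form, `info, ok := p.AuthInfo.(credentials.TLSInfo)`, `if !ok { return tls.ConnectionState{}, false }`, `return info.State, true`. The switch to tls.VerifyClientCertIfGiven in NewServer means the handshake no longer rejects peers that present no certificate, so authorization now rests entirely on each handler calling GetCN (or checking `len(state.VerifiedChains) > 0`) before privileged work; nothing in this section shows that check or a server interceptor enforcing it, and the GetCN comment should say so, e.g. `// Callers must treat an empty result as an unauthenticated peer: the server no longer rejects certificate-less clients at the TLS handshake.` A verified certificate whose Subject.CommonName is empty also yields "", indistinguishable from no certificate, so a caller that must tell the two apart should use GetTLSState and inspect VerifiedChains directly. Taking `ctx *context.Context` (a pointer to an interface) is unusual for Go and a plain `context.Context` would match the rest of the gRPC API, though changing it affects any existing callers.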