Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GRPC transport encryption #273

Merged
merged 9 commits into from
Aug 12, 2020
Merged

GRPC transport encryption #273

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
acbba25
draft test
lanwen Feb 19, 2020
fae66dc
move dep to plugin
lanwen May 13, 2020
b2a15fd
rm duplicated method
lanwen May 14, 2020
ab87cc1
test method name
lanwen May 14, 2020
6a671e0
fix deprecation
lanwen May 14, 2020
81bf408
generate certs following
lanwen May 14, 2020
cc4be00
Merge branch 'master' into grpc-tls
bsideup Aug 11, 2020
dc785f4
Fix tests
bsideup Aug 11, 2020
ea80b36
Generate certs from Java
bsideup Aug 12, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions plugins/grpc-transport-auth/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,10 +33,15 @@ dependencies {
compile 'com.auth0:java-jwt:3.9.0'
compile 'com.avast.grpc.jwt:grpc-java-jwt:0.2.0'

// see https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty for the compatibility version
runtimeOnly 'io.netty:netty-tcnative-boringssl-static:2.0.25.Final'
testRuntimeOnly 'io.netty:netty-tcnative-boringssl-static:2.0.25.Final'

testCompileOnly 'org.projectlombok:lombok'
testAnnotationProcessor 'org.projectlombok:lombok'
testCompile project(":tck")
testCompile project(":client")
testCompile 'org.springframework.boot:spring-boot-starter-test'
testCompile 'org.bouncycastle:bcpkix-jdk15on:1.66'
testRuntime project(":plugins:grpc-transport")
}
102 changes: 102 additions & 0 deletions .../src/main/java/com/github/bsideup/liiklus/transport/grpc/config/GRPCTLSConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
package com.github.bsideup.liiklus.transport.grpc.config;

import com.github.bsideup.liiklus.transport.grpc.GRPCLiiklusTransportConfigurer;
import com.github.bsideup.liiklus.util.PropertiesUtil;
import com.google.auto.service.AutoService;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import lombok.Data;
import lombok.SneakyThrows;
import lombok.Value;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.ApplicationContextInitializer;
import org.springframework.context.support.GenericApplicationContext;
import org.springframework.core.io.Resource;

import java.io.File;

@Slf4j
@AutoService(ApplicationContextInitializer.class)
public class GRPCTLSConfiguration implements ApplicationContextInitializer<GenericApplicationContext> {

@Override
public void initialize(GenericApplicationContext applicationContext) {
var environment = applicationContext.getEnvironment();

var tlsProperties = PropertiesUtil.bind(environment, new GRPCTLSProperties());

if (tlsProperties.getKey() == null) {
return;
}

log.info("GRPC {}TLS ENABLED", tlsProperties.getTrustCert() != null ? "mutual " : "");

applicationContext.registerBean(
TLSGRPCTransportConfigurer.class,
() -> new TLSGRPCTransportConfigurer(tlsProperties)
);
}

@Value
static class TLSGRPCTransportConfigurer implements GRPCLiiklusTransportConfigurer {

GRPCTLSProperties properties;

@Override
public void apply(NettyServerBuilder builder) {
SslContext ctx = createSSLContext(
properties.getKey(),
properties.getKeyPassword(),
properties.getKeyCertChain(),
properties.getTrustCert()
);

builder.sslContext(ctx);
}

/**
* Mostly copy of the https://github.com/grpc/grpc-java/tree/master/examples/example-tls
* and https://github.com/grpc/grpc-java/blob/master/SECURITY.md
*
* Refer to {@link io.netty.handler.ssl.SslContextBuilder#forServer(File keyCertChainFile, File keyFile, String keyPassword)}
* for more details.
*
* @param key a PKCS#8 private key file in PEM format
* @param keyPassword the password of the key or null if not protected
* @param keyCertChain an X.509 certificate chain file in PEM format
* @param trustCert file should contain an X.509 certificate collection in PEM format
* @return ready-to-use ssl context.
*/
@SneakyThrows
SslContext createSSLContext(Resource key, String keyPassword, Resource keyCertChain, Resource trustCert) {
SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(
keyCertChain.getInputStream(),
key.getInputStream(),
keyPassword
);
if (trustCert != null) {
sslClientContextBuilder.trustManager(trustCert.getInputStream());
sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
}
return GrpcSslContexts.configure(sslClientContextBuilder).build();
}
}

@ConfigurationProperties("grpc.tls")
@Data
static class GRPCTLSProperties {

Resource key;

String keyPassword;

Resource keyCertChain;

Resource trustCert;

}
}
Loading