*: simplify approach and isolate gRPC-gateway requests only

Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
etcd-io · Jan 3, 2019 · 30e8026 · 30e8026
1 parent 187b6e9
commit 30e8026
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 48 deletions.
diff --git a/embed/serve.go b/embed/serve.go
@@ -35,7 +35,6 @@ import (
 	etcdservergw "go.etcd.io/etcd/etcdserver/etcdserverpb/gw"
 	"go.etcd.io/etcd/pkg/debugutil"
 	"go.etcd.io/etcd/pkg/httputil"
-	"go.etcd.io/etcd/pkg/tlsutil"
 	"go.etcd.io/etcd/pkg/transport"
 
 	gw "github.com/grpc-ecosystem/grpc-gateway/runtime"
@@ -127,7 +126,7 @@ func (sctx *serveCtx) serve(
 		httpmux := sctx.createMux(gwmux, handler)
 
 		srvhttp := &http.Server{
-			Handler:  createAccessController(sctx.lg, s, httpmux, nil),
+			Handler:  createAccessController(sctx.lg, s, httpmux),
 			ErrorLog: logger, // do not log user error
 		}
 		httpl := m.Match(cmux.HTTP1())
@@ -177,7 +176,7 @@ func (sctx *serveCtx) serve(
 		httpmux := sctx.createMux(gwmux, handler)
 
 		srv := &http.Server{
-			Handler:   createAccessController(sctx.lg, s, httpmux, tlsinfo),
+			Handler:   createAccessController(sctx.lg, s, httpmux),
 			TLSConfig: tlscfg,
 			ErrorLog:  logger, // do not log user error
 		}
@@ -208,6 +207,10 @@ func grpcHandlerFunc(grpcServer *grpc.Server, otherHandler http.Handler) http.Ha
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.ProtoMajor == 2 && strings.Contains(r.Header.Get("Content-Type"), "application/grpc") {
+			// gRPC-gateway should not include CN in request
+			if gw := r.Header.Get("Grpcgateway-User-Agent"); gw != "" {
+				r.TLS.PeerCertificates[0].Subject.CommonName = ""
+			}
 			grpcServer.ServeHTTP(w, r)
 		} else {
 			otherHandler.ServeHTTP(w, r)
@@ -294,15 +297,14 @@ func (sctx *serveCtx) createMux(gwmux *gw.ServeMux, handler http.Handler) *http.
 // - mutate gRPC gateway request paths
 // - check hostname whitelist
 // client HTTP requests goes here first
-func createAccessController(lg *zap.Logger, s *etcdserver.EtcdServer, mux *http.ServeMux, c *transport.TLSInfo) http.Handler {
-	return &accessController{lg: lg, s: s, mux: mux, c: c}
+func createAccessController(lg *zap.Logger, s *etcdserver.EtcdServer, mux *http.ServeMux) http.Handler {
+	return &accessController{lg: lg, s: s, mux: mux}
 }
 
 type accessController struct {
 	lg  *zap.Logger
 	s   *etcdserver.EtcdServer
 	mux *http.ServeMux
-	c   *transport.TLSInfo
 }
 
 func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
@@ -341,15 +343,6 @@ func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 		return
 	}
 
-	if ac.s.Cfg.ClientCertAuthEnabled && req.TLS.PeerCertificates[0].Subject.CommonName != "" {
-		clientCertificates, _ := tlsutil.ParseCert(ac.c.CertFile)
-		peerSN := req.TLS.PeerCertificates[0].SerialNumber
-		clientSN := clientCertificates[0].SerialNumber
-		if clientSN.Cmp(peerSN) == 0 {
-			req.TLS.PeerCertificates[0].Subject.CommonName = ""
-		}
-	}
-
 	ac.mux.ServeHTTP(rw, req)
 }
 

diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
@@ -70,36 +70,3 @@ func NewCert(certfile, keyfile string, parseFunc func([]byte, []byte) (tls.Certi
 	}
 	return &tlsCert, nil
 }
-
-// ParseCert returns a slice of x509 Certificates when given a cert file.
-func ParseCert(certFile string) ([]*x509.Certificate, error) {
-	var (
-		blocks [][]byte
-		cert   []*x509.Certificate
-	)
-
-	pemCert, err := ioutil.ReadFile(certFile)
-	if err != nil {
-		return nil, err
-	}
-	// convert PEM to DER
-	for {
-		var derCert *pem.Block
-		derCert, pemCert = pem.Decode(pemCert)
-		if derCert == nil {
-			break
-		}
-
-		if derCert.Type == "CERTIFICATE" {
-			blocks = append(blocks, derCert.Bytes)
-		}
-	}
-	for _, block := range blocks {
-		c, err := x509.ParseCertificate(block)
-		if err != nil {
-			continue
-		}
-		cert = append(cert, c)
-	}
-	return cert, nil
-}