Complete support for TLS.

- disable TLS in tribe and auto discovery mode, - add support for passing root cert paths to plugins, - implement tests.
intelsdi-x · May 2, 2017 · 5e69931 · 5e69931
1 parent 3423948
commit 5e69931
Show file tree

Hide file tree

Showing 25 changed files with 1,355 additions and 120 deletions.
diff --git a/cmd/snaptel/commands.go b/cmd/snaptel/commands.go
@@ -101,12 +101,13 @@ var (
 			Subcommands: []cli.Command{
 				{
 					Name:   "load",
-					Usage:  "load <plugin_path> [--plugin-cert=<plugin_cert_path> --plugin-key=<plugin_key_path>]",
+					Usage:  "load <plugin_path> [--plugin-cert=<plugin_cert_path> --plugin-key=<plugin_key_path> --plugin-root-certs=<root_cert_paths>]",
 					Action: loadPlugin,
 					Flags: []cli.Flag{
 						flPluginAsc,
 						flPluginCert,
 						flPluginKey,
+						flPluginRootCerts,
 					},
 				},
 				{
@@ -116,7 +117,7 @@ var (
 				},
 				{
 					Name:   "swap",
-					Usage:  "swap <load_plugin_path> <unload_plugin_type>:<unload_plugin_name>:<unload_plugin_version> or swap <load_plugin_path> -t <unload_plugin_type> -n <unload_plugin_name> -v <unload_plugin_version> [--plugin-cert=<plugin_cert_path> --plugin-key=<plugin_key_path>]",
+					Usage:  "swap <load_plugin_path> <unload_plugin_type>:<unload_plugin_name>:<unload_plugin_version> or swap <load_plugin_path> -t <unload_plugin_type> -n <unload_plugin_name> -v <unload_plugin_version> [--plugin-cert=<plugin_cert_path> --plugin-key=<plugin_key_path> --plugin-root-certs=<root_cert_paths>]",
 					Action: swapPlugins,
 					Flags: []cli.Flag{
 						flPluginAsc,
@@ -125,6 +126,7 @@ var (
 						flPluginVersion,
 						flPluginCert,
 						flPluginKey,
+						flPluginRootCerts,
 					},
 				},
 				{

diff --git a/cmd/snaptel/flags.go b/cmd/snaptel/flags.go
@@ -79,6 +79,10 @@ var (
 		Name:  "plugin-key, k",
 		Usage: "The plugin key",
 	}
+	flPluginRootCerts = cli.StringFlag{
+		Name:  "plugin-root-certs, r",
+		Usage: "List of root cert paths for TLS to use (folder/file)",
+	}
 	flPluginType = cli.StringFlag{
 		Name:  "plugin-type, t",
 		Usage: "The plugin type",

diff --git a/cmd/snaptel/plugin.go b/cmd/snaptel/plugin.go
@@ -205,12 +205,13 @@ func listPlugins(ctx *cli.Context) error {
 	return nil
 }
 
-// storeTLSPaths extracts paths related to TLS (certificate, key) from command
-// line context into temporary files. Those files are appended to list of paths
-// returned from this function.
+// storeTLSPaths extracts paths related to TLS (certificate, key, root certs)
+// from command line context into temporary files. Those files are appended to
+// list of paths returned from this function.
 func storeTLSPaths(ctx *cli.Context, paths []string) ([]string, error) {
 	pCert := ctx.String("plugin-cert")
 	pKey := ctx.String("plugin-key")
+	pRootCertPaths := ctx.String("plugin-root-certs")
 	if pCert != pKey && (pCert == "" || pKey == "") {
 		return paths, fmt.Errorf("Error processing plugin TLS arguments - one of (certificate, key) arguments is missing")
 	}
@@ -236,5 +237,16 @@ func storeTLSPaths(ctx *cli.Context, paths []string) ([]string, error) {
 		}
 		paths = append(paths, tmpFile.Name())
 	}
+	if pRootCertPaths != "" {
+		tmpFile, err := ioutil.TempFile("", v1.TLSRootCertsPrefix)
+		if err != nil {
+			return paths, fmt.Errorf("Error processing plugin TLS root certificates - unable to create link:\n%v", err.Error())
+		}
+		_, err = tmpFile.WriteString(pRootCertPaths)
+		if err != nil {
+			return paths, fmt.Errorf("Error processing plugin TLS root certificates - unable to write link:\n%v", err.Error())
+		}
+		paths = append(paths, tmpFile.Name())
+	}
 	return paths, nil
 }
diff --git a/control/config.go b/control/config.go
@@ -48,6 +48,9 @@ var (
 	defaultCacheExpiration   = 500 * time.Millisecond
 	defaultPprof             = false
 	defaultTempDirPath       = os.TempDir()
+	defaultTLSCertPath       = ""
+	defaultTLSKeyPath        = ""
+	defaultRootCertPaths     = ""
 )
 
 type pluginConfig struct {
@@ -88,6 +91,7 @@ type Config struct {
 	TempDirPath       string                       `json:"temp_dir_path"yaml:"temp_dir_path"`
 	TLSCertPath       string                       `json:"tls_cert_path"yaml:"tls_cert_path"`
 	TLSKeyPath        string                       `json:"tls_key_path"yaml:"tls_key_path"`
+	RootCertPaths     string                       `json:"root_cert_paths"yaml:"root_cert_paths"`
 }
 
 const (
@@ -148,6 +152,9 @@ const (
 					},
 					"tls_key_path": {
 						"type": "string"
+					},
+					"root_cert_paths": {
+						"type": "string"
 					}
 				},
 				"additionalProperties": false
@@ -171,6 +178,9 @@ func GetDefaultConfig() *Config {
 		Pprof:             defaultPprof,
 		MaxPluginRestarts: MaxPluginRestartCount,
 		TempDirPath:       defaultTempDirPath,
+		TLSCertPath:       defaultTLSCertPath,
+		TLSKeyPath:        defaultTLSKeyPath,
+		RootCertPaths:     defaultRootCertPaths,
 	}
 }
 

diff --git a/control/control.go b/control/control.go
@@ -32,13 +32,12 @@ import (
 	"sync"
 	"time"
 
-	"google.golang.org/grpc"
-
 	log "github.com/Sirupsen/logrus"
-
 	"github.com/intelsdi-x/gomit"
+	"google.golang.org/grpc"
 
 	"github.com/intelsdi-x/snap/control/plugin"
+	"github.com/intelsdi-x/snap/control/plugin/client"
 	"github.com/intelsdi-x/snap/control/strategy"
 	"github.com/intelsdi-x/snap/core"
 	"github.com/intelsdi-x/snap/core/cdata"
@@ -92,6 +91,7 @@ type pluginControl struct {
 	wg          sync.WaitGroup
 
 	subscriptionGroups ManagesSubscriptionGroups
+	grpcSecurity       client.GRPCSecurity
 }
 
 type subscribedPlugin struct {
@@ -223,7 +223,15 @@ func New(cfg *Config) *pluginControl {
 		OptSetTempDirPath(cfg.TempDirPath),
 	}
 	if cfg.IsTLSEnabled() {
-		managerOpts = append(managerOpts, OptEnableManagerTLS(cfg.TLSCertPath, cfg.TLSKeyPath))
+		if cfg.RootCertPaths != "" {
+			certPaths := filepath.SplitList(cfg.RootCertPaths)
+			c.grpcSecurity = client.SecurityTLSExtended(cfg.TLSCertPath, cfg.TLSKeyPath, client.SecureClient, certPaths)
+		} else {
+			c.grpcSecurity = client.SecurityTLSEnabled(cfg.TLSCertPath, cfg.TLSKeyPath, client.SecureClient)
+		}
+	}
+	if cfg.IsTLSEnabled() {
+		managerOpts = append(managerOpts, OptEnableManagerTLS(c.grpcSecurity))
 	}
 	c.pluginManager = newPluginManager(managerOpts...)
 	controlLogger.WithFields(log.Fields{
@@ -240,7 +248,7 @@ func New(cfg *Config) *pluginControl {
 
 	// Plugin Runner
 	if cfg.IsTLSEnabled() {
-		c.pluginRunner = newRunner(OptEnableRunnerTLS(cfg.TLSCertPath, cfg.TLSKeyPath))
+		c.pluginRunner = newRunner(OptEnableRunnerTLS(c.grpcSecurity))
 	} else {
 		c.pluginRunner = newRunner()
 	}
@@ -596,6 +604,7 @@ func (p *pluginControl) returnPluginDetails(rp *core.RequestedPlugin) (*pluginDe
 	details.Signature = rp.Signature()
 	details.CertPath = rp.CertPath()
 	details.KeyPath = rp.KeyPath()
+	details.RootCertPaths = rp.RootCertPaths()
 	details.TLSEnabled = rp.TLSEnabled()
 
 	if filepath.Ext(rp.Path()) == ".aci" {