Merge insecureGRPC and insecureJSONRPC (#435)
Create insecureTransport as a unification of insecureGRPC and insecureJSONRPC.
directionless authored Feb 27, 2019
1 parent 61f1d0e commit 69bed63
Showing 9 changed files with 50 additions and 38 deletions.
10 changes: 5 additions & 5 deletions cmd/grpc.ext/grpc.go
@@ -55,10 +55,10 @@ func main() {
enrollSecret = env.String("KOLIDE_LAUNCHER_ENROLL_SECRET", "")
rootDirectory = env.String("KOLIDE_LAUNCHER_ROOT_DIRECTORY", "")

serverURL = env.String("KOLIDE_LAUNCHER_HOSTNAME", "")
insecureTLS = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
insecureGRPC = env.Bool("KOLIDE_LAUNCHER_INSECURE_GRPC", false)
loggingInterval = env.Duration("KOLIDE_LAUNCHER_LOGGING_INTERVAL", 60*time.Second)
serverURL = env.String("KOLIDE_LAUNCHER_HOSTNAME", "")
insecureTLS = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
insecureTransport = env.Bool("KOLIDE_LAUNCHER_INSECURE_TRANSPORT", false)
loggingInterval = env.Duration("KOLIDE_LAUNCHER_LOGGING_INTERVAL", 60*time.Second)

// TODO(future pr): these values are unset
// they'll have to be parsed from a string
@@ -68,7 +68,7 @@ func main() {
conn, err := service.DialGRPC(
serverURL,
insecureTLS,
insecureGRPC,
insecureTransport,
certPins,
rootPool,
logger,
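Review bot: The old variable name is dropped outright on the `env.Bool("KOLIDE_LAUNCHER_INSECURE_TRANSPORT", false)` line of `main`, so a host that still exports `KOLIDE_LAUNCHER_INSECURE_GRPC=true` is now silently read as `false` and will presumably attempt TLS, with nothing in the output explaining why. That fails closed, which is the safe direction, but the resulting dial error gives an operator no hint about the rename. Falling back to the old name for a release would keep the transition visible: `insecureTransport = env.Bool("KOLIDE_LAUNCHER_INSECURE_TRANSPORT", env.Bool("KOLIDE_LAUNCHER_INSECURE_GRPC", false))`. The same variable is renamed in `runFlare` in cmd/launcher/flare.go, and `main` continues outside both hunks.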
8 changes: 6 additions & 2 deletions cmd/launcher/README.md
@@ -35,9 +35,13 @@ To use The Launcher to easily connect osquery to a server that is compliant with
--enroll_secret=32IeN3QLgckHUmMD3iW40kyLdNJcGzP5
```

You can also define the enroll secret via a file path (`--enroll_secret_path`) or an environment variable (`KOLIDE_LAUNCHER_ENROLL_SECRET`). See `launcher --help` for more information.
You can also define the enroll secret via a file path
(`--enroll_secret_path`) or an environment variable
(`KOLIDE_LAUNCHER_ENROLL_SECRET`). See `launcher --help` for more
information.

You may need to define the `--insecure` and/or `--insecure_grpc` flag depending on your server configurations.
Depending on your transport configuration, you may need any of the
`--transport`, `--insecure` or `--insecure_transport` flags.

### Running an extension socket

16 changes: 8 additions & 8 deletions cmd/launcher/flare.go
@@ -34,11 +34,11 @@ func runFlare(args []string) error {
flHostname = flag.String("hostname", "dababe.launcher.kolide.com:443", "")

// not documented via flags on purpose
enrollSecret = env.String("KOLIDE_LAUNCHER_ENROLL_SECRET", "flare_ping")
serverURL = env.String("KOLIDE_LAUNCHER_HOSTNAME", *flHostname)
insecureTLS = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
insecureGRPC = env.Bool("KOLIDE_LAUNCHER_INSECURE_GRPC", false)
flareSocketPath = env.String("FLARE_SOCKET_PATH", filepath.Join(os.TempDir(), "flare.sock"))
enrollSecret = env.String("KOLIDE_LAUNCHER_ENROLL_SECRET", "flare_ping")
serverURL = env.String("KOLIDE_LAUNCHER_HOSTNAME", *flHostname)
insecureTLS = env.Bool("KOLIDE_LAUNCHER_INSECURE", false)
insecureTransport = env.Bool("KOLIDE_LAUNCHER_INSECURE_TRANSPORT", false)
flareSocketPath = env.String("FLARE_SOCKET_PATH", filepath.Join(os.TempDir(), "flare.sock"))

certPins [][]byte
rootPool *x509.CertPool
@@ -115,7 +115,7 @@ func runFlare(args []string) error {
logger,
serverURL,
insecureTLS,
insecureGRPC,
insecureTransport,
enrollSecret,
certPins,
rootPool,
@@ -259,7 +259,7 @@ func reportGRPCNetwork(
logger log.Logger,
serverURL string,
insecureTLS bool,
insecureGRPC bool,
insecureTransport bool,
enrollSecret string,
certPins [][]byte,
rootPool *x509.CertPool,
@@ -270,7 +270,7 @@ func reportGRPCNetwork(
conn, err := service.DialGRPC(
serverURL,
insecureTLS,
insecureGRPC,
insecureTransport,
certPins,
rootPool,
logger,
4 changes: 2 additions & 2 deletions cmd/launcher/launcher.go
@@ -250,7 +250,7 @@ func runLauncher(ctx context.Context, cancel func(), opts *options, logger log.L
{
switch opts.transport {
case "grpc":
grpcConn, err := service.DialGRPC(opts.kolideServerURL, opts.insecureTLS, opts.insecureGRPC, opts.certPins, rootPool, logger)
grpcConn, err := service.DialGRPC(opts.kolideServerURL, opts.insecureTLS, opts.insecureTransport, opts.certPins, rootPool, logger)
if err != nil {
return errors.Wrap(err, "dialing grpc server")
}
@@ -259,7 +259,7 @@ func runLauncher(ctx context.Context, cancel func(), opts *options, logger log.L
queryTargeter := createQueryTargetUpdater(logger, db, grpcConn)
runGroup.Add(queryTargeter.Execute, queryTargeter.Interrupt)
case "jsonrpc":
client = service.NewJSONRPCClient(opts.kolideServerURL, opts.insecureTLS, opts.insecureJSONRPC, opts.certPins, rootPool, logger)
client = service.NewJSONRPCClient(opts.kolideServerURL, opts.insecureTLS, opts.insecureTransport, opts.certPins, rootPool, logger)
default:
return errors.New("invalid transport option selected")
}
11 changes: 4 additions & 7 deletions cmd/launcher/options.go
@@ -37,8 +37,7 @@ type options struct {
debug bool
disableControlTLS bool
insecureTLS bool
insecureGRPC bool
insecureJSONRPC bool
insecureTransport bool
notaryServerURL string
mirrorServerURL string
autoupdateInterval time.Duration
@@ -85,8 +84,7 @@ func parseOptions(args []string) (*options, error) {
flDebug = flagset.Bool("debug", false, "Whether or not debug logging is enabled (default: false)")
flDeveloperUsage = flagset.Bool("dev_help", false, "Print full Launcher help, including developer options")
flDisableControlTLS = flagset.Bool("disable_control_tls", false, "Disable TLS encryption for the control features")
flInsecureGRPC = flagset.Bool("insecure_grpc", false, "Dial GRPC without a TLS config (default: false)")
flInsecureJSONRPC = flagset.Bool("insecure_jsonrpc", false, "Use JSONPRC without a tls config (default: false)")
flInsecureTransport = flagset.Bool("insecure_transport", false, "Do not use TLS for transport layer (default: false)")
flInsecureTLS = flagset.Bool("insecure", false, "Do not verify TLS certs for outgoing connections (default: false)")
)
ff.Parse(flagset, args,
@@ -160,8 +158,7 @@ func parseOptions(args []string) (*options, error) {
debug: *flDebug,
disableControlTLS: *flDisableControlTLS,
insecureTLS: *flInsecureTLS,
insecureGRPC: *flInsecureGRPC,
insecureJSONRPC: *flInsecureJSONRPC,
insecureTransport: *flInsecureTransport,
notaryServerURL: *flNotaryServerURL,
mirrorServerURL: *flMirrorURL,
autoupdateInterval: *flAutoupdateInterval,
@@ -243,7 +240,7 @@ func developerUsage(flagset *flag.FlagSet) {
printOpt("debug")
fmt.Fprintf(os.Stderr, "\n")
printOpt("insecure")
printOpt("insecure_grpc")
printOpt("insecure_transport")
fmt.Fprintf(os.Stderr, "\n")
printOpt("logging_interval")
fmt.Fprintf(os.Stderr, "\n")
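Review bot: `insecure_grpc` and `insecure_jsonrpc` are removed from the flagset in `parseOptions` with no deprecated alias, so a flag file or package built earlier with `insecure_grpc` (pkg/packaging emitted it before this commit) will presumably be rejected as an unknown flag once the launcher binary is updated. Keeping both old flags registered for a release, marked deprecated in their usage strings, and folding them in with `insecureTransport: *flInsecureTransport || *flInsecureGRPC || *flInsecureJSONRPC,` would avoid stranding those hosts. The new usage string could also say plainly what the flag costs, e.g. `"Do not use TLS for the transport layer; all traffic to the server is sent unencrypted (default: false)"`, since it sits next to `insecure`, which only skips certificate verification. `parseOptions` and `developerUsage` both extend beyond the hunks shown.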
16 changes: 11 additions & 5 deletions cmd/package-builder/package-builder.go
@@ -69,15 +69,20 @@ func runMake(args []string) error {
env.String("SIGNING_KEY", ""),
"The name of the key that should be used to packages. Behavior is platform and packaging specific",
)
flTransport = flagset.String(
"transport",
env.String("TRANSPORT", ""),
"Transport for launcher. Expected as grpc, jsonrpc. Default is up to launcher",
)
flInsecure = flagset.Bool(
"insecure",
env.Bool("INSECURE", false),
"whether or not the launcher packages should invoke the launcher's --insecure flag",
)
flInsecureGrpc = flagset.Bool(
"insecure_grpc",
env.Bool("INSECURE_GRPC", false),
"whether or not the launcher packages should invoke the launcher's --insecure_grpc flag",
flInsecureTransport = flagset.Bool(
"insecure_transport",
env.Bool("INSECURE_TRANSPORT", false),
"whether or not the launcher packages should invoke the launcher's --insecure_transport flag",
)
flAutoupdate = flagset.Bool(
"autoupdate",
@@ -194,8 +199,9 @@ func runMake(args []string) error {
Hostname: *flHostname,
Secret: *flEnrollSecret,
SigningKey: *flSigningKey,
Transport: *flTransport,
Insecure: *flInsecure,
InsecureGrpc: *flInsecureGrpc,
InsecureTransport: *flInsecureTransport,
Autoupdate: *flAutoupdate,
UpdateChannel: *flUpdateChannel,
Control: *flControl,
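Review bot: The new `--transport` value in `runMake` is copied straight into `PackageOptions.Transport`, and from there into the launcher flags by `Build` in pkg/packaging/packaging.go, with no check against the two values the usage string names. The launcher itself rejects anything else at run time (`invalid transport option selected` in cmd/launcher/launcher.go), so a typo here yields a package that builds cleanly and then fails on every host it is installed on. Rejecting it at build time would catch that early, for example `if t := *flTransport; t != "" && t != "grpc" && t != "jsonrpc" { return errors.New("transport must be grpc or jsonrpc") }`, using whichever errors package the file already imports. `runMake` continues outside both hunks.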
11 changes: 8 additions & 3 deletions pkg/packaging/packaging.go
@@ -33,8 +33,9 @@ type PackageOptions struct {
Hostname string
Secret string
SigningKey string
Transport string
Insecure bool
InsecureGrpc bool
InsecureTransport bool
Autoupdate bool
UpdateChannel string
Control bool
@@ -129,8 +130,12 @@ func (p *PackageOptions) Build(ctx context.Context, packageWriter io.Writer, tar
launcherBoolFlags = append(launcherBoolFlags, "disable_control_tls")
}

if p.InsecureGrpc {
launcherBoolFlags = append(launcherBoolFlags, "insecure_grpc")
if p.Transport != "" {
launcherMapFlags["transport"] = p.Transport
}

if p.InsecureTransport {
launcherBoolFlags = append(launcherBoolFlags, "insecure_transport")
}

if p.Insecure {
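Review bot: `Insecure` and `InsecureTransport` sit next to each other in `PackageOptions` with no comments, yet they map to launcher flags with very different effect: `insecure` skips certificate verification, while `insecure_transport` turns TLS off altogether (per the usage strings in cmd/launcher/options.go). A field comment on each would keep a caller from picking the wrong one, e.g. `// InsecureTransport adds --insecure_transport: the packaged launcher talks to the server without TLS.` and `// Insecure adds --insecure: TLS is used but server certificates are not verified.`. A short comment on `Transport` saying that an empty string leaves the choice to the launcher would document the `p.Transport != ""` guard in `Build`. Both the struct and `Build` extend beyond the hunks shown.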
6 changes: 3 additions & 3 deletions pkg/service/client_grpc.go
@@ -102,7 +102,7 @@ func NewGRPCClient(conn *grpc.ClientConn, logger log.Logger) KolideService {
func DialGRPC(
serverURL string,
insecureTLS bool,
insecureGRPC bool,
insecureTransport bool,
certPins [][]byte,
rootPool *x509.CertPool,
logger log.Logger,
@@ -112,13 +112,13 @@ func DialGRPC(
"msg", "dialing grpc server",
"server", serverURL,
"tls_secure", insecureTLS == false,
"grpc_secure", insecureGRPC == false,
"transport_secure", insecureTransport == false,
"cert_pinning", len(certPins) > 0,
)
grpcOpts := []grpc.DialOption{
grpc.WithTimeout(time.Second),
}
if insecureGRPC {
if insecureTransport {
grpcOpts = append(grpcOpts, grpc.WithInsecure())
} else {
host, _, err := net.SplitHostPort(serverURL)
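Review bot: The log fields in `DialGRPC` can contradict each other: with `insecureTransport` true and `insecureTLS` false the call records `tls_secure=true` (and `cert_pinning=true` if pins were supplied) for a connection that, in the branch just below, is dialed with `grpc.WithInsecure()`. Anyone auditing these logs for unprotected connections has to know to read `transport_secure` first. Gating the other two on the transport setting makes each field true only when it applies: `"tls_secure", !insecureTransport && !insecureTLS,` and `"cert_pinning", !insecureTransport && len(certPins) > 0,`. The key rename from `grpc_secure` to `transport_secure` will also break any log search or alert keyed on the old name, which is worth a line in the release notes. The function body continues past the end of the hunk.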
6 changes: 3 additions & 3 deletions pkg/service/client_jsonrpc.go
@@ -43,7 +43,7 @@ func forceNoChunkedEncoding(ctx context.Context, r *http.Request) context.Contex
func NewJSONRPCClient(
serverURL string,
insecureTLS bool,
insecureJSONRPC bool,
insecureTransport bool,
certPins [][]byte,
rootPool *x509.CertPool,
logger log.Logger,
@@ -53,7 +53,7 @@ func NewJSONRPCClient(
Host: serverURL,
}

if insecureJSONRPC {
if insecureTransport {
serviceURL.Scheme = "http"
}

@@ -63,7 +63,7 @@ func NewJSONRPCClient(
DisableKeepAlives: true,
},
}
if !insecureJSONRPC {
if !insecureTransport {
tlsConfig := makeTLSConfig(serverURL, insecureTLS, certPins, rootPool, logger)
httpClient.Transport = &http.Transport{
TLSClientConfig: tlsConfig,
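Review bot: When `insecureTransport` is true, `NewJSONRPCClient` switches the scheme to `http` and skips the `makeTLSConfig` call, so `insecureTLS`, `certPins` and `rootPool` are accepted but, in the lines shown, never consulted, and nothing visible here logs that the client is running without TLS. `DialGRPC` records a `transport_secure` field for the same setting; a matching line here would make the plaintext case visible in logs for both transports, along the lines of `logger.Log("msg", "creating jsonrpc client", "server", serverURL, "transport_secure", !insecureTransport)` at whatever level the file normally uses. A doc comment sentence such as `// If insecureTransport is set the client uses plain HTTP and the TLS arguments are ignored.` would state the contract for callers. The function starts before and ends after the hunks shown, so a log call may already exist outside them.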
