author | molotkov-and <molotkov-and@ydb.tech> | 2022-11-18 12:50:29 +0300 |
---|---|---|
committer | molotkov-and <molotkov-and@ydb.tech> | 2022-11-18 12:50:29 +0300 |
commit | a45acb262bfb6f7d06d70f9f04a763d61e811966 (patch) | |
tree | 2e4eacaa4f1ecfba0bea894abf4888b7718712ad /library/cpp | |
parent | d563b5b3a6578243440353c5cfafdb56cc05fff3 (diff) | |
download | ydb-a45acb262bfb6f7d06d70f9f04a763d61e811966.tar.gz |
Authorization of registration node
Diffstat (limited to 'library/cpp')
-rw-r--r-- | library/cpp/grpc/client/grpc_common.h | 12 | ||||
-rw-r--r-- | library/cpp/grpc/server/grpc_async_ctx_base.h | 10 | ||||
-rw-r--r-- | library/cpp/grpc/server/grpc_request.h | 4 | ||||
-rw-r--r-- | library/cpp/grpc/server/grpc_request_base.h | 2 | ||||
-rw-r--r-- | library/cpp/grpc/server/grpc_server.cpp | 6 | ||||
-rw-r--r-- | library/cpp/grpc/server/grpc_server.h | 1 |
6 files changed, 29 insertions, 6 deletions
diff --git a/library/cpp/grpc/client/grpc_common.h b/library/cpp/grpc/client/grpc_common.h
index ffcdafe045..d19e42d4ac 100644
--- a/library/cpp/grpc/client/grpc_common.h
+++ b/library/cpp/grpc/client/grpc_common.h
@@ -19,7 +19,7 @@ struct TGRpcClientConfig {
     ui64 MaxOutboundMessageSize = 0; // overrides MaxMessageSize for outgoing requests
     ui32 MaxInFlight = 0;
     bool EnableSsl = false;
-    TString SslCaCert; //Implicitly enables Ssl if not empty
+    grpc::SslCredentialsOptions SslCredentials;
     grpc_compression_algorithm CompressionAlgoritm = GRPC_COMPRESS_NONE;
     ui64 MemQuota = 0;
     std::unordered_map<TString, TString> StringChannelParams;
@@ -34,14 +34,14 @@ struct TGRpcClientConfig {
     TGRpcClientConfig& operator=(TGRpcClientConfig&&) = default;
 
     TGRpcClientConfig(const TString& locator, TDuration timeout = TDuration::Max(),
-            ui64 maxMessageSize = DEFAULT_GRPC_MESSAGE_SIZE_LIMIT, ui32 maxInFlight = 0, TString caCert = "",
-            grpc_compression_algorithm compressionAlgorithm = GRPC_COMPRESS_NONE, bool enableSsl = false)
+            ui64 maxMessageSize = DEFAULT_GRPC_MESSAGE_SIZE_LIMIT, ui32 maxInFlight = 0, const TString& caCert = "", const TString& clientCert = "",
+            const TString& clientPrivateKey = "", grpc_compression_algorithm compressionAlgorithm = GRPC_COMPRESS_NONE, bool enableSsl = false)
         : Locator(locator)
         , Timeout(timeout)
         , MaxMessageSize(maxMessageSize)
         , MaxInFlight(maxInFlight)
         , EnableSsl(enableSsl)
-        , SslCaCert(caCert)
+        , SslCredentials{.pem_root_certs = caCert, .pem_private_key = clientPrivateKey, .pem_cert_chain = clientCert}
         , CompressionAlgoritm(compressionAlgorithm)
     {}
 };
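Review bot: The removed field `SslCaCert` carried a comment saying a non-empty value implicitly enables SSL, and its replacement `grpc::SslCredentialsOptions SslCredentials;` drops that without saying which of its three members now carries that meaning. Propose `// PEM material for the channel: a non-empty pem_root_certs turns on TLS even when EnableSsl is false (see CreateChannelInterface); pem_cert_chain/pem_private_key add client-certificate authentication`. The struct now also holds a private key while keeping its defaulted copy/move (the `operator=(TGRpcClientConfig&&) = default` in the next hunk), so any code that logs or serializes a TGRpcClientConfig will now emit the key; worth a note on the field and a check of such call sites.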
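Review bot: The constructor now takes three adjacent `const TString&` PEM parameters with `""` defaults (`caCert`, `clientCert`, `clientPrivateKey`); passing the certificate and the key in the wrong order compiles and only surfaces as a handshake failure at run time. A comment above the signature naming the order, `// PEM strings in order: CA roots, client certificate chain, client private key`, would help, especially since the designated initializer maps them to `pem_root_certs`, `pem_private_key`, `pem_cert_chain` in a different order than the parameter list. Note also that `compressionAlgorithm` and `enableSsl` moved two positions to the right relative to the old signature, so any caller that passed them positionally needs updating.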
@@ -74,8 +74,8 @@ inline std::shared_ptr<grpc::ChannelInterface> CreateChannelInterface(const TGRp
     if (!config.SslTargetNameOverride.empty()) {
         args.SetSslTargetNameOverride(config.SslTargetNameOverride);
     }
-    if (config.EnableSsl || config.SslCaCert) {
-        return grpc::CreateCustomChannel(config.Locator, grpc::SslCredentials(grpc::SslCredentialsOptions{config.SslCaCert, "", ""}), args);
+    if (config.EnableSsl || config.SslCredentials.pem_root_certs) {
+        return grpc::CreateCustomChannel(config.Locator, grpc::SslCredentials(config.SslCredentials), args);
     } else {
         return grpc::CreateCustomChannel(config.Locator, grpc::InsecureChannelCredentials(), args);
     }
diff --git a/library/cpp/grpc/server/grpc_async_ctx_base.h b/library/cpp/grpc/server/grpc_async_ctx_base.h
index 51356d4ce5..079bce4102 100644
--- a/library/cpp/grpc/server/grpc_async_ctx_base.h
+++ b/library/cpp/grpc/server/grpc_async_ctx_base.h
@@ -69,6 +69,16 @@ public:
         return values;
     }
 
+    TVector<TStringBuf> FindClientCert() const {
+        auto authContext = Context.auth_context();
+
+        TVector<TStringBuf> values;
+        for (auto& value: authContext->FindPropertyValues(GRPC_X509_PEM_CERT_PROPERTY_NAME)) {
+            values.emplace_back(value.data(), value.size());
+        }
+        return values;
+    }
+
     grpc_compression_level GetCompressionLevel() const {
         return Context.compression_level();
     }
diff --git a/library/cpp/grpc/server/grpc_request.h b/library/cpp/grpc/server/grpc_request.h
index a3a5c291f0..c4b7e9c040 100644
--- a/library/cpp/grpc/server/grpc_request.h
+++ b/library/cpp/grpc/server/grpc_request.h
@@ -170,6 +170,10 @@ public:
         return TBaseAsyncContext<TService>::GetPeerMetaValues(key);
     }
 
+    TVector<TStringBuf> FindClientCert() const override {
+        return TBaseAsyncContext<TService>::FindClientCert();
+    }
+
     grpc_compression_level GetCompressionLevel() const override {
         return TBaseAsyncContext<TService>::GetCompressionLevel();
     }
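Review bot: The condition `config.EnableSsl || config.SslCredentials.pem_root_certs` relies on the string type being usable in a boolean context, whereas the line two above spells the same test out as `!config.SslTargetNameOverride.empty()`; `config.EnableSsl || !config.SslCredentials.pem_root_certs.empty()` is explicit, matches the neighbouring style, and compiles whether `pem_root_certs` is a TString or a std::string. The branch would also benefit from a comment on the trust anchors it ends up using: with `EnableSsl` set and `pem_root_certs` empty, `grpc::SslCredentials` falls back to gRPC's default root set, so `// empty pem_root_certs => gRPC default roots` makes that choice visible to readers. CreateChannelInterface begins before this hunk.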
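Review bot: `FindClientCert` returns `TStringBuf`s built from `grpc::string_ref` values, i.e. views into the property storage of the call's auth context rather than copies owned by the local `authContext` or the returned vector, so they are only valid while `Context` lives, and the method has no comment saying so. Propose a header comment such as `// PEM certificate the peer presented at the TLS handshake, as views into the call's auth context (valid for the lifetime of Context). Empty when the peer sent no certificate or the listener did not request one.` An empty result therefore means "no certificate", not "authentication failed", and callers doing authorization must treat it as unauthenticated rather than skipping the check. The enclosing class starts and ends outside the hunk.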
diff --git a/library/cpp/grpc/server/grpc_request_base.h b/library/cpp/grpc/server/grpc_request_base.h
index 105f9515d0..42b78ed7df 100644
--- a/library/cpp/grpc/server/grpc_request_base.h
+++ b/library/cpp/grpc/server/grpc_request_base.h
@@ -82,6 +82,8 @@ public:
     //! Returns peer optional metavalue
     virtual TVector<TStringBuf> GetPeerMetaValues(TStringBuf key) const = 0;
 
+    virtual TVector<TStringBuf> FindClientCert() const = 0;
+
     //! Returns request compression level
     virtual grpc_compression_level GetCompressionLevel() const = 0;
 
diff --git a/library/cpp/grpc/server/grpc_server.cpp b/library/cpp/grpc/server/grpc_server.cpp
index 7437b7a8f5..97472206e2 100644
--- a/library/cpp/grpc/server/grpc_server.cpp
+++ b/library/cpp/grpc/server/grpc_server.cpp
@@ -3,6 +3,7 @@
 #include <util/string/join.h>
 #include <util/generic/yexception.h>
 #include <util/system/thread.h>
+#include <util/generic/map.h>
 #include <grpc++/resource_quota.h>
 #include <contrib/libs/grpc/src/core/lib/iomgr/socket_mutator.h>
 
@@ -64,6 +65,11 @@ void TGRpcServer::Start() {
             grpc::SslServerCredentialsOptions sslOps;
             sslOps.pem_root_certs = std::move(Options_.SslData->Root);
             sslOps.pem_key_cert_pairs.push_back(keycert);
+
+            if (Options_.SslData->DoRequestClientCertificate) {
+                sslOps.client_certificate_request = GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
+            }
+
             credentials = grpc::SslServerCredentials(sslOps);
         }
         if (Options_.ExternalListener) {
diff --git a/library/cpp/grpc/server/grpc_server.h b/library/cpp/grpc/server/grpc_server.h
index d6814a90a0..c9b48a6676 100644
--- a/library/cpp/grpc/server/grpc_server.h
+++ b/library/cpp/grpc/server/grpc_server.h
@@ -25,6 +25,7 @@ struct TSslData {
     TString Cert;
     TString Key;
     TString Root;
+    bool DoRequestClientCertificate = false;
 };
 
 struct IExternalListener
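Review bot: The new pure virtual `FindClientCert` is the only declaration in this block without a `//!` doc comment, while its neighbours `GetPeerMetaValues` and `GetCompressionLevel` each have one. Propose `//! Returns the PEM certificate presented by the peer at the TLS handshake; empty if none was presented or requested`. Since the value feeds authorization decisions, the comment should also say that the returned views are non-owning and must not outlive the request.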
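Review bot: `#include <util/generic/map.h>` is added, but nothing in the hunks of this file uses a TMap; if the rest of grpc_server.cpp does not need it either, the include should be dropped rather than left as a stray dependency.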
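Review bot: `GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY` asks the peer for a certificate and verifies it against `sslOps.pem_root_certs` (the `Root` moved in two lines above) when one is presented, but it still completes the handshake for peers that present none, so this option alone does not enforce client authentication. If the registration path must admit only peers with a verified certificate, either use `GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY` here or make sure the application layer rejects an empty `FindClientCert()` result. The assignment deserves a comment stating that, e.g. `// verify the client cert against Root when offered; peers without one still connect and must be rejected by the application`. TGRpcServer::Start begins and ends outside the hunk.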
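Review bot: `DoRequestClientCertificate` is added to `TSslData` without a comment, and its name only says "request", while its effect in `TGRpcServer::Start` is request-and-verify-if-presented, with peers that send no certificate still admitted. Propose `// Ask peers for a client certificate and verify it against Root when one is presented; peers that send none are still accepted, so callers must check the request's FindClientCert() themselves`.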