Merge pull request #39 from ZLBer/tls_support

feat: grpc tls support

Author: AlexStocks

pkg/config/config.go

@@ -61,6 +61,12 @@ type Option struct {
 
 	// proxy mode for gateway
 	ProxyModeEnable bool
+
+	//tls
+	CACertFile    string
+	TLSCertFile   string
+	TLSKeyFile    string
+	TLSServerName string
 }
 
 // Validate sets empty field to default config

pkg/triple/dubbo3_client.go

@@ -19,13 +19,17 @@ package triple
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
 	"reflect"
 	"sync"
 )
 
 import (
 	"github.com/dubbogo/grpc-go"
 	"github.com/dubbogo/grpc-go/codes"
+	"github.com/dubbogo/grpc-go/credentials"
 	"github.com/dubbogo/grpc-go/encoding"
 	"github.com/dubbogo/grpc-go/encoding/hessian"
 	"github.com/dubbogo/grpc-go/encoding/msgpack"
@@ -87,6 +91,13 @@ func NewTripleClient(impl interface{}, opt *config.Option) (*TripleClient, error
 		)
 	}
 
+	if creds, err := getClientTlsCertificate(opt); err != nil {
+		opt.Logger.Errorf("TripleClient.Start: TLS config err: %v", err)
+		return nil, err
+	} else if creds != nil {
+		dialOpts = append(dialOpts, grpc.WithTransportCredentials(creds))
+	}
+
 	defaultCallOpts := make([]grpc.CallOption, 0)
 	// max send/receive size
 	if opt.GRPCMaxCallSendMsgSize != 0 {
@@ -193,3 +204,34 @@ func (t *TripleClient) Close() {
 func (t *TripleClient) IsAvailable() bool {
 	return true
 }
+
+func getClientTlsCertificate(opt *config.Option) (credentials.TransportCredentials, error) {
+	// no TLS
+	if opt.TLSCertFile == "" && opt.TLSKeyFile == "" {
+		return nil, nil
+	}
+
+	if opt.CACertFile == "" {
+		return credentials.NewClientTLSFromFile(opt.TLSCertFile, opt.TLSServerName)
+	}
+
+	// need mTLS
+	ca := x509.NewCertPool()
+	caBytes, err := ioutil.ReadFile(opt.CACertFile)
+	if err != nil {
+		return nil, err
+	}
+	if ok := ca.AppendCertsFromPEM(caBytes); !ok {
+		return nil, err
+	}
+	cert, err := tls.LoadX509KeyPair(opt.TLSCertFile, opt.TLSKeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return credentials.NewTLS(&tls.Config{
+		ServerName:   opt.TLSServerName,
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      ca,
+	}), nil
+}

pkg/triple/dubbo3_server.go

@@ -19,7 +19,10 @@ package triple
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"reflect"
 	"sync"
@@ -36,6 +39,8 @@ import (
 	"github.com/dubbogo/grpc-go/encoding/raw_proto"
 
 	perrors "github.com/pkg/errors"
+
+	"github.com/dubbogo/grpc-go/credentials"
 )
 
 import (
@@ -215,6 +220,14 @@ func newGrpcServerWithCodec(opt *config.Option) *grpc.Server {
 	if opt.ProxyModeEnable {
 		serverOpts = append(serverOpts, grpc.ProxyModeEnable(true))
 	}
+	// TLS config
+	if creds, err := getServerTlsCertificate(opt); err != nil {
+		if err != nil {
+			opt.Logger.Errorf("TripleClient.Start: TLS config err: %v", err)
+		}
+	} else if creds != nil {
+		serverOpts = append(serverOpts, grpc.Creds(creds))
+	}
 
 	var err error
 	switch opt.CodecType {
@@ -289,3 +302,33 @@ func (t *TripleServer) RefreshService() {
 	t.grpcServer = grpcServer
 	t.lst = lst
 }
+
+func getServerTlsCertificate(opt *config.Option) (credentials.TransportCredentials, error) {
+	// no TLS
+	if opt.TLSCertFile == "" && opt.TLSKeyFile == "" {
+		return nil, nil
+	}
+	var ca *x509.CertPool
+	cfg := &tls.Config{}
+	// need mTLS
+	if opt.CACertFile != "" {
+		ca = x509.NewCertPool()
+		caBytes, err := ioutil.ReadFile(opt.CACertFile)
+		if err != nil {
+			return nil, err
+		}
+		if ok := ca.AppendCertsFromPEM(caBytes); !ok {
+			return nil, err
+		}
+		cfg.ClientAuth = tls.RequireAndVerifyClientCert
+		cfg.ClientCAs = ca
+	}
+	cert, err := tls.LoadX509KeyPair(opt.TLSCertFile, opt.TLSKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	cfg.Certificates = []tls.Certificate{cert}
+	cfg.ServerName = opt.TLSServerName
+
+	return credentials.NewTLS(cfg), nil
+}