Skip to content

Commit

Permalink
Merge branch 'master' into update-tidb-dashboard/master-v8.4.0-6a0d34…
Browse files Browse the repository at this point in the history
…2d-1724822747
  • Loading branch information
ti-chi-bot[bot] authored Sep 4, 2024
2 parents 2cc3873 + 52a53c9 commit 95a467f
Show file tree
Hide file tree
Showing 5 changed files with 160 additions and 134 deletions.
104 changes: 45 additions & 59 deletions client/tlsutil/tlsconfig.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,45 +43,45 @@ import (
"github.com/tikv/pd/client/errs"
)

// TLSInfo stores tls configuration to connect to etcd.
type TLSInfo struct {
CertFile string
KeyFile string
TrustedCAFile string
InsecureSkipVerify bool
// tlsInfo stores tls configuration to connect to etcd.
type tlsInfo struct {
certFile string
keyFile string
trustedCAFile string
insecureSkipVerify bool

// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
ServerName string
// serverName ensures the cert matches the given host in case of discovery / virtual hosting
serverName string

// CipherSuites is a list of supported cipher suites.
// cipherSuites is a list of supported cipher suites.
// If empty, Go auto-populates it by default.
// Note that cipher suites are prioritized in the given order.
CipherSuites []uint16
cipherSuites []uint16

selfCert bool

// parseFunc exists to simplify testing. Typically, parseFunc
// should be left nil. In that case, tls.X509KeyPair will be used.
parseFunc func([]byte, []byte) (tls.Certificate, error)

// AllowedCN is a CN which must be provided by a client.
AllowedCN string
// allowedCNs is a list of CNs which must be provided by a client.
allowedCNs []string
}

// ClientConfig generates a tls.Config object for use by an HTTP client.
func (info TLSInfo) ClientConfig() (*tls.Config, error) {
// clientConfig generates a tls.Config object for use by an HTTP client.
func (info tlsInfo) clientConfig() (*tls.Config, error) {
var cfg *tls.Config
var err error

if !info.Empty() {
if !info.empty() {
cfg, err = info.baseConfig()
if err != nil {
return nil, err
}
} else {
cfg = &tls.Config{ServerName: info.ServerName}
cfg = &tls.Config{ServerName: info.serverName}
}
cfg.InsecureSkipVerify = info.InsecureSkipVerify
cfg.InsecureSkipVerify = info.insecureSkipVerify

CAFiles := info.cafiles()
if len(CAFiles) > 0 {
Expand All @@ -97,36 +97,38 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
return cfg, nil
}

// Empty returns if the TLSInfo is unset.
func (info TLSInfo) Empty() bool {
return info.CertFile == "" && info.KeyFile == ""
// empty returns if the TLSInfo is unset.
func (info tlsInfo) empty() bool {
return info.certFile == "" && info.keyFile == ""
}

func (info TLSInfo) baseConfig() (*tls.Config, error) {
if info.KeyFile == "" || info.CertFile == "" {
return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
func (info tlsInfo) baseConfig() (*tls.Config, error) {
if info.keyFile == "" || info.certFile == "" {
return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.keyFile, info.certFile)
}

_, err := NewCert(info.CertFile, info.KeyFile, info.parseFunc)
_, err := NewCert(info.certFile, info.keyFile, info.parseFunc)
if err != nil {
return nil, err
}

cfg := &tls.Config{
MinVersion: tls.VersionTLS12,
ServerName: info.ServerName,
ServerName: info.serverName,
}

if len(info.CipherSuites) > 0 {
cfg.CipherSuites = info.CipherSuites
if len(info.cipherSuites) > 0 {
cfg.CipherSuites = info.cipherSuites
}

if info.AllowedCN != "" {
if len(info.allowedCNs) > 0 {
cfg.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
for _, chains := range verifiedChains {
if len(chains) != 0 {
if info.AllowedCN == chains[0].Subject.CommonName {
return nil
for _, allowedCN := range info.allowedCNs {
if allowedCN == chains[0].Subject.CommonName {
return nil
}
}
}
}
Expand All @@ -137,19 +139,19 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
// this only reloads certs when there's a client request
// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return NewCert(info.CertFile, info.KeyFile, info.parseFunc)
return NewCert(info.certFile, info.keyFile, info.parseFunc)
}
cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
return NewCert(info.CertFile, info.KeyFile, info.parseFunc)
return NewCert(info.certFile, info.keyFile, info.parseFunc)
}
return cfg, nil
}

// cafiles returns a list of CA file paths.
func (info TLSInfo) cafiles() []string {
func (info tlsInfo) cafiles() []string {
cs := make([]string, 0)
if info.TrustedCAFile != "" {
cs = append(cs, info.TrustedCAFile)
if info.trustedCAFile != "" {
cs = append(cs, info.trustedCAFile)
}
return cs
}
Expand All @@ -162,8 +164,8 @@ type TLSConfig struct {
CertPath string `toml:"cert-path" json:"cert-path"`
// KeyPath is the path of file that contains X509 key in PEM format.
KeyPath string `toml:"key-path" json:"key-path"`
// CertAllowedCN is a CN which must be provided by a client
CertAllowedCN []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`
// CertAllowedCNs is the list of CN which must be provided by a client
CertAllowedCNs []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`

SSLCABytes []byte
SSLCertBytes []byte
Expand Down Expand Up @@ -194,33 +196,17 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
if len(s.CertPath) == 0 && len(s.KeyPath) == 0 {
return nil, nil
}
allowedCN, err := s.GetOneAllowedCN()
if err != nil {
return nil, err
}

tlsInfo := TLSInfo{
CertFile: s.CertPath,
KeyFile: s.KeyPath,
TrustedCAFile: s.CAPath,
AllowedCN: allowedCN,
tlsInfo := tlsInfo{
certFile: s.CertPath,
keyFile: s.KeyPath,
trustedCAFile: s.CAPath,
allowedCNs: s.CertAllowedCNs,
}

tlsConfig, err := tlsInfo.ClientConfig()
tlsConfig, err := tlsInfo.clientConfig()
if err != nil {
return nil, errs.ErrEtcdTLSConfig.Wrap(err).GenWithStackByCause()
}
return tlsConfig, nil
}

// GetOneAllowedCN only gets the first one CN.
func (s TLSConfig) GetOneAllowedCN() (string, error) {
switch len(s.CertAllowedCN) {
case 1:
return s.CertAllowedCN[0], nil
case 0:
return "", nil
default:
return "", errs.ErrSecurityConfig.FastGenByArgs("only supports one CN")
}
}
22 changes: 3 additions & 19 deletions pkg/utils/grpcutil/grpcutil.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ type TLSConfig struct {
CertPath string `toml:"cert-path" json:"cert-path"`
// KeyPath is the path of file that contains X509 key in PEM format.
KeyPath string `toml:"key-path" json:"key-path"`
// CertAllowedCN is a CN which must be provided by a client
CertAllowedCN []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`
// CertAllowedCNs is the list of CN which must be provided by a client
CertAllowedCNs []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`

SSLCABytes []byte
SSLCertBytes []byte
Expand All @@ -65,16 +65,12 @@ func (s TLSConfig) ToTLSInfo() (*transport.TLSInfo, error) {
if len(s.CertPath) == 0 && len(s.KeyPath) == 0 {
return nil, nil
}
allowedCN, err := s.GetOneAllowedCN()
if err != nil {
return nil, err
}

return &transport.TLSInfo{
CertFile: s.CertPath,
KeyFile: s.KeyPath,
TrustedCAFile: s.CAPath,
AllowedCN: allowedCN,
AllowedCNs: s.CertAllowedCNs,
}, nil
}

Expand Down Expand Up @@ -114,18 +110,6 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
return tlsConfig, nil
}

// GetOneAllowedCN only gets the first one CN.
func (s TLSConfig) GetOneAllowedCN() (string, error) {
switch len(s.CertAllowedCN) {
case 1:
return s.CertAllowedCN[0], nil
case 0:
return "", nil
default:
return "", errs.ErrSecurityConfig.FastGenByArgs("only supports one CN")
}
}

// GetClientConn returns a gRPC client connection.
// creates a client connection to the given target. By default, it's
// a non-blocking dial (the function won't wait for connections to be
Expand Down
15 changes: 6 additions & 9 deletions server/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -726,23 +726,20 @@ func (c *Config) GenEmbedEtcdConfig() (*embed.Config, error) {
cfg.QuotaBackendBytes = int64(c.QuotaBackendBytes)
cfg.MaxRequestBytes = c.MaxRequestBytes

allowedCN, serr := c.Security.GetOneAllowedCN()
if serr != nil {
return nil, serr
}
cfg.ClientTLSInfo.ClientCertAuth = len(c.Security.CAPath) != 0
cfg.ClientTLSInfo.TrustedCAFile = c.Security.CAPath
cfg.ClientTLSInfo.CertFile = c.Security.CertPath
cfg.ClientTLSInfo.KeyFile = c.Security.KeyPath
// Client no need to set the CN. (cfg.ClientTLSInfo.AllowedCN = allowedCN)
// Keep compatibility with https://github.com/tikv/pd/pull/2305
// Only check client cert when there are multiple CNs.
if len(c.Security.CertAllowedCNs) > 1 {
cfg.ClientTLSInfo.AllowedCNs = c.Security.CertAllowedCNs
}
cfg.PeerTLSInfo.ClientCertAuth = len(c.Security.CAPath) != 0
cfg.PeerTLSInfo.TrustedCAFile = c.Security.CAPath
cfg.PeerTLSInfo.CertFile = c.Security.CertPath
cfg.PeerTLSInfo.KeyFile = c.Security.KeyPath
// TODO: After https://github.com/etcd-io/etcd/pull/18015, AllowedCN is Deprecated.
// It will be replaced by AllowedCNs in the future to support multi cn.
// nolint:staticcheck
cfg.PeerTLSInfo.AllowedCN = allowedCN
cfg.PeerTLSInfo.AllowedCNs = c.Security.CertAllowedCNs
cfg.ForceNewCluster = c.ForceNewCluster
cfg.ZapLoggerBuilder = embed.NewZapCoreLoggerBuilder(c.Logger, c.Logger.Core(), c.LogProps.Syncer)
cfg.EnableGRPCGateway = c.EnableGRPCGateway
Expand Down
13 changes: 9 additions & 4 deletions tests/integrations/client/cert_opt.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ cert_dir="$2"

function generate_certs() {
if [[ ! -z "$cert_dir" ]]; then
cd "$cert_dir" || exit 255 # Change to the specified directory
cd "$cert_dir" || exit 255 # Change to the specified directory
fi

if ! [[ "$0" =~ "cert_opt.sh" ]]; then
Expand All @@ -21,10 +21,10 @@ function generate_certs() {
openssl req -new -x509 -key ca-key.pem -out ca.pem -days 1 -subj "/CN=ca"
# pd-server
openssl genpkey -algorithm RSA -out pd-server-key.pem
openssl req -new -key pd-server-key.pem -out pd-server.csr -subj "/CN=pd-server"
openssl req -new -key pd-server-key.pem -out pd-server.csr -subj "/CN=pd-server"

# Add IP address as a SAN
echo "subjectAltName = IP:127.0.0.1" > extfile.cnf
echo "subjectAltName = IP:127.0.0.1" >extfile.cnf
openssl x509 -req -in pd-server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out pd-server.pem -days 1 -extfile extfile.cnf

# Clean up the temporary extension file
Expand All @@ -34,11 +34,16 @@ function generate_certs() {
openssl genpkey -algorithm RSA -out client-key.pem
openssl req -new -key client-key.pem -out client.csr -subj "/CN=client"
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client.pem -days 1

# client2
openssl genpkey -algorithm RSA -out tidb-client-key.pem
openssl req -new -key tidb-client-key.pem -out tidb-client.csr -subj "/CN=tidb"
openssl x509 -req -in tidb-client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out tidb-client.pem -days 1
}

function cleanup_certs() {
if [[ ! -z "$cert_dir" ]]; then
cd "$cert_dir" || exit 255 # Change to the specified directory
cd "$cert_dir" || exit 255 # Change to the specified directory
fi

rm -f ca.pem ca-key.pem ca.srl
Expand Down
Loading

0 comments on commit 95a467f

Please sign in to comment.