support RpcClient Vertify With Unilateralism and Mutual (#647)

Co-authored-by: Kevin Wan <wanjunfeng@gmail.com>
3 years ago · 9df6786b09
parent bef5bd4e4f
commit 9df6786b09
5 changed files with 69 additions and 2 deletions
--- a/zrpc/client.go
+++ b/zrpc/client.go
@ -18,6 +18,12 @@ var (
 	WithRetry = internal.WithRetry
 	// WithUnaryClientInterceptor is an alias of internal.WithUnaryClientInterceptor.
 	WithUnaryClientInterceptor = internal.WithUnaryClientInterceptor
+	// WithInsecure is an alias of internal.WithInsecure.
+	WithInsecure = internal.WithInsecure
+	// WithTlsClientFromUnilateralism is an alias of internal.WithTlsClientFromUnilateralism
+	WithTlsClientFromUnilateralism = internal.WithTlsClientFromUnilateralism
+	// WithTlsClientFromMutual is an alias of internal.WithTlsClientFromMutual
+	WithTlsClientFromMutual = internal.WithTlsClientFromMutual
 )

 type (
@ -58,6 +64,9 @@ func NewClient(c RpcClientConf, options ...ClientOption) (Client, error) {
 		opts = append(opts, WithRetry())
 	}
 	opts = append(opts, options...)
+	if !c.HasSslVerify() {
+		opts = append(opts, WithInsecure())
+	}

 	var target string
 	var err error
--- a/zrpc/client_test.go
+++ b/zrpc/client_test.go
@ -76,7 +76,6 @@ func TestDepositServer_Deposit(t *testing.T) {
 			Token:     "bar",
 			Timeout:   1000,
 		},
-		WithDialOption(grpc.WithInsecure()),
 		WithDialOption(grpc.WithContextDialer(dialer())),
 		WithUnaryClientInterceptor(func(ctx context.Context, method string, req, reply interface{},
 			cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
--- a/zrpc/config.go
+++ b/zrpc/config.go
@ -30,6 +30,7 @@ type (
 		Token     string          `json:",optional"`
 		Retry     bool            `json:",optional"` // grpc auto retry
 		Timeout   int64           `json:",default=2000"`
+		InsecureVerify bool            `json:",default=false"`
 	}
 )

@ -72,3 +73,8 @@ func (sc RpcServerConf) Validate() error {
 func (cc RpcClientConf) HasCredential() bool {
 	return len(cc.App) > 0 && len(cc.Token) > 0
 }
+
+//HasTls checks if there is a SSL in config.
+func (cc RpcClientConf) HasSslVerify() bool {
+	return cc.InsecureVerify
+}
--- a/zrpc/config_test.go
+++ b/zrpc/config_test.go
@ -14,6 +14,11 @@ func TestRpcClientConf(t *testing.T) {
 	assert.True(t, conf.HasCredential())
 	conf = NewEtcdClientConf([]string{"localhost:1234", "localhost:5678"}, "key", "foo", "bar")
 	assert.True(t, conf.HasCredential())
+	// ssl on
+	conf = NewDirectClientConf([]string{"localhost:1234", "localhost:5678"}, "foo", "bar")
+	assert.False(t, conf.HasSslVerify())
+	conf.InsecureVerify = true
+	assert.True(t, conf.HasSslVerify())
 }

 func TestRpcServerConf(t *testing.T) {
--- a/zrpc/internal/client.go
+++ b/zrpc/internal/client.go
@ -2,8 +2,12 @@ package internal

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"log"
 	"strings"
 	"time"

@ -11,6 +15,7 @@ import (
 	"github.com/tal-tech/go-zero/zrpc/internal/clientinterceptors"
 	"github.com/tal-tech/go-zero/zrpc/internal/resolver"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )

 const (
@ -65,7 +70,6 @@ func (c *client) buildDialOptions(opts ...ClientOption) []grpc.DialOption {
 	}

 	options := []grpc.DialOption{
-		grpc.WithInsecure(),
 		grpc.WithBlock(),
 		WithUnaryClientInterceptors(
 			clientinterceptors.UnaryTracingInterceptor,
@ -112,6 +116,13 @@ func WithDialOption(opt grpc.DialOption) ClientOption {
 	}
 }

+// WithInsecure returns a func to customize a ClientOptions with secure option.
+func WithInsecure() ClientOption {
+	return func(options *ClientOptions) {
+		options.DialOptions = append(options.DialOptions, grpc.WithInsecure())
+	}
+}
+
 // WithTimeout returns a func to customize a ClientOptions with given timeout.
 func WithTimeout(timeout time.Duration) ClientOption {
 	return func(options *ClientOptions) {
@ -132,3 +143,40 @@ func WithUnaryClientInterceptor(interceptor grpc.UnaryClientInterceptor) ClientO
 		options.DialOptions = append(options.DialOptions, WithUnaryClientInterceptors(interceptor))
 	}
 }
+
+// WithTlsClientFromUnilateralism return a func to customize a ClientOptions Verify with Unilateralism authentication.
+func WithTlsClientFromUnilateralism(crt, domainName string) ClientOption {
+	return func(options *ClientOptions) {
+		c, err := credentials.NewClientTLSFromFile(crt, domainName)
+		if err != nil {
+			log.Fatalf("credentials.NewClientTLSFromFile err: %v", err)
+		}
+		options.DialOptions = append(options.DialOptions, grpc.WithTransportCredentials(c))
+	}
+}
+
+// WithTlsClientFromMutual return a func to customize a ClientOptions Verify with mutual authentication.
+func WithTlsClientFromMutual(crtFile, keyFile, caFile string) ClientOption {
+	return func(options *ClientOptions) {
+		cert, err := tls.LoadX509KeyPair(crtFile, keyFile)
+		if err != nil {
+			log.Fatalf("tls.LoadX509KeyPair err: %v", err)
+		}
+		certPool := x509.NewCertPool()
+		ca, err := ioutil.ReadFile(caFile)
+		if err != nil {
+			log.Fatalf("credentials: failed to ReadFile CA certificates err: %v", err)
+		}
+
+		if !certPool.AppendCertsFromPEM(ca) {
+			log.Fatalf("credentials: failed to append certificates err: %v", err)
+		}
+
+		config := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      certPool,
+		}
+
+		options.DialOptions = append(options.DialOptions, grpc.WithTransportCredentials(credentials.NewTLS(config)))
+	}
+}