| #include "tls_auth.h" |
| |
| // Required for gBMC build, not used in g3 builds. |
| #include <filesystem> // NOLINT (build/c++17) |
| #include <memory> |
| #include <string> |
| #include <system_error> // NOLINT (build/c++17) |
| |
| #include "absl/log/log.h" |
| #include "absl/status/status.h" |
| #include "absl/status/statusor.h" |
| #include "absl/time/clock.h" |
| #include "absl/time/time.h" |
| #include "grpc/grpc_security_constants.h" |
| #include "grpcpp/security/authorization_policy_provider.h" |
| #include "grpcpp/security/server_credentials.h" |
| #include "grpcpp/security/tls_certificate_provider.h" |
| #include "grpcpp/security/tls_credentials_options.h" |
| #include "grpcpp/support/status.h" |
| #include "proxy_config.pb.h" |
| |
| namespace auth { |
| |
| using ::grpc::experimental::AuthorizationPolicyProviderInterface; |
| using ::grpc::experimental::FileWatcherAuthorizationPolicyProvider; |
| using ::grpc::experimental::FileWatcherCertificateProvider; |
| using ::grpc::experimental::TlsServerCredentials; |
| using ::grpc::experimental::TlsServerCredentialsOptions; |
| |
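// Builds mutual-TLS server credentials from the proxy's mTLS configuration.
//
// Blocks until the key/cert pair file named by config.keypair_path() exists,
// polling every config.keypair_file_check_retry_duration_sec() seconds, then
// wraps it and config.trust_bundle_path() in a FileWatcherCertificateProvider
// that re-reads both files every kCertRefreshIntervalSec seconds. Client
// certificates are requested and must verify against the trust bundle
// (GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY), so a client
// without a trusted certificate cannot complete the handshake.
//
// Returns the credentials; an UnknownError if std::filesystem reports an error
// while probing the keypair path; or a NotFoundError if gRPC returns null
// credentials for the assembled options.
absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo(
    const milotic_grpc_proxy::MtlsServerCredentialsConfiguration& config) {
  // Interval at which the certificate provider re-reads the files on disk.
  constexpr int kCertRefreshIntervalSec = 30;

  const std::string keypair_path = config.keypair_path();
  const int retry_delay_sec = config.keypair_file_check_retry_duration_sec();

  // The keypair may be provisioned after this process starts, so wait for it.
  // NOTE(review): the wait is unbounded, and a zero retry duration turns it
  // into a busy loop -- confirm the config is validated by the caller.
  std::error_code file_error;
  for (;;) {
    LOG(INFO) << "Checking ZatarCertFile at " << keypair_path;
    const bool file_exists = std::filesystem::exists(keypair_path, file_error);
    if (file_error) {
      return absl::UnknownError("tls file path error: " + file_error.message() +
                                ", file path: " + keypair_path);
    }
    if (file_exists) break;

    LOG(INFO) << "ZatarCertFile not found, sleeping for " << retry_delay_sec
              << " seconds";
    absl::SleepFor(absl::Seconds(retry_delay_sec));
  }

  // The same file is given as both the private-key path and the cert-chain
  // path, so the keypair file presumably holds both -- verify against the
  // provisioning side if this changes.
  auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
      keypair_path, keypair_path, config.trust_bundle_path(),
      kCertRefreshIntervalSec);

  TlsServerCredentialsOptions options(certificate_provider);
  options.watch_root_certs();
  options.set_root_cert_name(config.root_cert_name());
  options.watch_identity_key_cert_pairs();
  // Mutual TLS: a client certificate is mandatory and must chain to the
  // trust bundle; anything weaker would let unauthenticated peers connect.
  options.set_cert_request_type(
      GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);

  std::shared_ptr<grpc::ServerCredentials> tls_server_credentials =
      TlsServerCredentials(options);
  if (tls_server_credentials == nullptr) {
    LOG(ERROR) << "tls Server Credentials error";
    return absl::NotFoundError("tls Server Credentials error");
  }
  return tls_server_credentials;
}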
| |
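// Loads the gRPC authorization policy from config.authz_policy_path().
//
// The provider is a FileWatcherAuthorizationPolicyProvider created with
// config.authz_policy_refresh_interval_sec(), so policy edits on disk are
// expected to be picked up without a restart.
//
// Returns a NotFoundError carrying gRPC's error message if the policy file
// cannot be loaded, or an InternalError if gRPC reports success but hands back
// a null provider.
absl::StatusOr<std::shared_ptr<AuthorizationPolicyProviderInterface>>
GetAuthPolicy(
    const milotic_grpc_proxy::MtlsServerCredentialsConfiguration& config) {
  const std::string policy_path(config.authz_policy_path());

  grpc::Status policy_status;
  std::shared_ptr<AuthorizationPolicyProviderInterface> policy =
      FileWatcherAuthorizationPolicyProvider::Create(
          policy_path, config.authz_policy_refresh_interval_sec(),
          &policy_status);
  if (!policy_status.ok()) {
    return absl::NotFoundError("failed to load policy file error: " +
                               policy_status.error_message() +
                               ", file path: " + policy_path);
  }
  // Create() reports failures through policy_status; never return a null
  // provider to the caller even if the status says OK.
  if (policy == nullptr) {
    return absl::InternalError(
        "authorization policy provider is null, file path: " + policy_path);
  }
  return policy;
}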
| |
| } // namespace auth |