Dynamic grpc client credentials (#204)
* Add an aTLS wrapper for grpc credentials * Move grpc dialers to internal and use aTLS grpc credentials Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
6e9428a234
commit
1e19e64fbc
25 changed files with 291 additions and 189 deletions
|
@ -16,12 +16,12 @@ import (
|
|||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/ssh"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/user"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/edgelesssys/constellation/state/keyservice/keyproto"
|
||||
|
@ -30,7 +30,6 @@ import (
|
|||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/zap/zaptest"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
grpcpeer "google.golang.org/grpc/peer"
|
||||
)
|
||||
|
||||
|
@ -150,7 +149,7 @@ func TestActivateAsCoordinator(t *testing.T) {
|
|||
}
|
||||
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
getPublicIPAddr := func() (string, error) {
|
||||
return "192.0.2.1", nil
|
||||
|
@ -302,7 +301,7 @@ func TestActivateAdditionalNodes(t *testing.T) {
|
|||
|
||||
core := &fakeCore{state: tc.state}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
getPublicIPAddr := func() (string, error) {
|
||||
return "192.0.2.1", nil
|
||||
|
@ -432,11 +431,8 @@ func (n *stubPeer) GetPeerVPNPublicKey(ctx context.Context, in *pubproto.GetPeer
|
|||
}
|
||||
|
||||
func (n *stubPeer) newServer() *grpc.Server {
|
||||
tlsConfig, err := atls.CreateAttestationServerTLSConfig(fakeIssuer{}, nil)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
server := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)))
|
||||
creds := atlscredentials.New(fakeIssuer{}, nil)
|
||||
server := grpc.NewServer(grpc.Creds(creds))
|
||||
pubproto.RegisterAPIServer(server, n)
|
||||
return server
|
||||
}
|
||||
|
@ -537,9 +533,8 @@ func TestRequestStateDiskKey(t *testing.T) {
|
|||
require.NoError(err)
|
||||
defer listener.Close()
|
||||
|
||||
tlsConfig, err := atls.CreateAttestationServerTLSConfig(issuer, nil)
|
||||
require.NoError(err)
|
||||
s := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)))
|
||||
creds := atlscredentials.New(issuer, nil)
|
||||
s := grpc.NewServer(grpc.Creds(creds))
|
||||
keyproto.RegisterAPIServer(s, stateDiskServer)
|
||||
defer s.GracefulStop()
|
||||
go s.Serve(listener)
|
||||
|
@ -559,7 +554,7 @@ func TestRequestStateDiskKey(t *testing.T) {
|
|||
getDataKeyErr: tc.getDataKeyErr,
|
||||
}
|
||||
|
||||
api := New(zaptest.NewLogger(t), &logging.NopLogger{}, core, grpcutil.NewDialer(dummyValidator{}, &net.Dialer{}), nil, nil, getPeerFromContext)
|
||||
api := New(zaptest.NewLogger(t), &logging.NopLogger{}, core, dialer.New(nil, dummyValidator{}, &net.Dialer{}), nil, nil, getPeerFromContext)
|
||||
|
||||
_, err = api.RequestStateDiskKey(ctx, &pubproto.RequestStateDiskKeyRequest{})
|
||||
if tc.wantErr {
|
||||
|
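Review bot: The new line `dialer := dialer.New(nil, fakeValidator{}, netDialer)` in TestActivateAsCoordinator declares a local variable with the same name as the freshly imported `dialer` package, so the package is unreachable for the rest of that function body; the same shadowing appears in TestActivateAdditionalNodes in this file and in TestActivateAsAdditionalCoordinator, TestTriggerCoordinatorUpdate, TestActivateAdditionalCoordinators, TestGetPeerVPNPublicKey, TestActivateAsNode, TestTriggerNodeUpdate and TestJoinCluster in the other two files of this commit. It compiles today, but a later `dialer.New(...)` call placed after that line in any of these tests would resolve to the variable and fail to build, and `go vet`-style shadow checkers will flag it. A short rename avoids it, e.g. `grpcDialer := dialer.New(nil, fakeValidator{}, netDialer)` followed by `api := New(logger, &logging.NopLogger{}, core, grpcDialer, nil, nil, nil)`. The enclosing test functions begin and end outside these hunks, so the rename would need to cover every use of the local in each function.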
|
|
@ -11,8 +11,8 @@ import (
|
|||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/zap/zaptest"
|
||||
|
@ -95,7 +95,7 @@ func TestActivateAsAdditionalCoordinator(t *testing.T) {
|
|||
clusterID: []byte("clusterID"),
|
||||
}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
getPublicIPAddr := func() (string, error) {
|
||||
return "192.0.2.1", nil
|
||||
|
@ -166,7 +166,7 @@ func TestTriggerCoordinatorUpdate(t *testing.T) {
|
|||
state: tc.state,
|
||||
peers: tc.peers,
|
||||
}
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, nil)
|
||||
dialer := dialer.New(nil, fakeValidator{}, nil)
|
||||
|
||||
api := New(logger, &logging.NopLogger{}, core, dialer, nil, nil, nil)
|
||||
|
||||
|
@ -240,7 +240,7 @@ func TestActivateAdditionalCoordinators(t *testing.T) {
|
|||
clusterID: []byte("clusterID"),
|
||||
}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
getPublicIPAddr := func() (string, error) {
|
||||
return "192.0.2.1", nil
|
||||
|
@ -297,7 +297,7 @@ func TestGetPeerVPNPublicKey(t *testing.T) {
|
|||
vpnPubKey: tc.coordinator.peer.VPNPubKey,
|
||||
getvpnPubKeyErr: tc.getVPNPubKeyErr,
|
||||
}
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, testdialer.NewBufconnDialer())
|
||||
dialer := dialer.New(nil, fakeValidator{}, testdialer.NewBufconnDialer())
|
||||
|
||||
getPublicIPAddr := func() (string, error) {
|
||||
return "192.0.2.1", nil
|
||||
|
|
|
@ -14,18 +14,18 @@ import (
|
|||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/ssh"
|
||||
"github.com/edgelesssys/constellation/internal/deploy/user"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/dialer"
|
||||
"github.com/edgelesssys/constellation/internal/grpc/testdialer"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/zap/zaptest"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||
)
|
||||
|
||||
|
@ -152,7 +152,7 @@ func TestActivateAsNode(t *testing.T) {
|
|||
linuxUserManager := user.NewLinuxUserManagerFake(fs)
|
||||
cor := &fakeCore{state: tc.state, vpnPubKey: vpnPubKey, setVPNIPErr: tc.setVPNIPErr, linuxUserManager: linuxUserManager}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
api := New(logger, &logging.NopLogger{}, cor, dialer, nil, nil, nil)
|
||||
defer api.Close()
|
||||
|
@ -163,9 +163,8 @@ func TestActivateAsNode(t *testing.T) {
|
|||
go vserver.Serve(netDialer.GetListener(net.JoinHostPort("10.118.0.1", vpnAPIPort)))
|
||||
defer vserver.GracefulStop()
|
||||
|
||||
tlsConfig, err := atls.CreateAttestationServerTLSConfig(&core.MockIssuer{}, nil)
|
||||
require.NoError(err)
|
||||
pubserver := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)))
|
||||
creds := atlscredentials.New(&core.MockIssuer{}, nil)
|
||||
pubserver := grpc.NewServer(grpc.Creds(creds))
|
||||
pubproto.RegisterAPIServer(pubserver, api)
|
||||
go pubserver.Serve(netDialer.GetListener(net.JoinHostPort(nodeIP, endpointAVPNPort)))
|
||||
defer pubserver.GracefulStop()
|
||||
|
@ -260,7 +259,7 @@ func TestTriggerNodeUpdate(t *testing.T) {
|
|||
logger := zaptest.NewLogger(t)
|
||||
core := &fakeCore{state: tc.state}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
api := New(logger, &logging.NopLogger{}, core, dialer, nil, nil, nil)
|
||||
|
||||
|
@ -336,7 +335,7 @@ func TestJoinCluster(t *testing.T) {
|
|||
logger := zaptest.NewLogger(t)
|
||||
core := &fakeCore{state: tc.state, joinClusterErr: tc.joinClusterErr}
|
||||
netDialer := testdialer.NewBufconnDialer()
|
||||
dialer := grpcutil.NewDialer(fakeValidator{}, netDialer)
|
||||
dialer := dialer.New(nil, fakeValidator{}, netDialer)
|
||||
|
||||
api := New(logger, &logging.NopLogger{}, core, dialer, nil, nil, nil)
|
||||
|
||||
|
@ -433,16 +432,13 @@ func activateNode(require *require.Assertions, dialer netDialer, messageSequence
|
|||
}
|
||||
|
||||
func dialGRPC(ctx context.Context, dialer netDialer, target string) (*grpc.ClientConn, error) {
|
||||
tlsConfig, err := atls.CreateAttestationClientTLSConfig(nil, []atls.Validator{&core.MockValidator{}})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
|
||||
|
||||
return grpc.DialContext(ctx, target,
|
||||
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
|
||||
return dialer.DialContext(ctx, "tcp", addr)
|
||||
}),
|
||||
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
|
||||
grpc.WithTransportCredentials(creds),
|
||||
)
|
||||
}
|
||||
|
||||
|
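Review bot: The rewritten dialGRPC drops the error return the old `atls.CreateAttestationClientTLSConfig` call provided, because `atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})` returns only the credentials; if the wrapper builds the TLS configuration lazily during the handshake (not visible here), a validator misconfiguration that previously failed the helper up front would now surface only when the returned connection is first used. Since dialGRPC still reports errors from grpc.DialContext, a comment above the `creds :=` line would save the next reader the trip to the wrapper: `// atlscredentials.New cannot fail here; aTLS configuration problems, if any, surface on the handshake rather than from this call.` The dialGRPC body is complete within the hunk.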
|