Dynamic grpc client credentials (#204)

* Add an aTLS wrapper for grpc credentials * Move grpc dialers to internal and use aTLS grpc credentials Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-10 07:50:08 -04:00 · 2022-06-13 11:40:27 +02:00 · 2022-06-13 11:40:27 +02:00 · 1e19e64fbc
commit 1e19e64fbc
parent 6e9428a234
25 changed files with 291 additions and 189 deletions
--- a/internal/grpc/dialer/dialer.go
+++ b/internal/grpc/dialer/dialer.go
@ -0,0 +1,67 @@
+package dialer
+
+import (
+	"context"
+	"net"
+
+	"github.com/edgelesssys/constellation/internal/atls"
+	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+// Dialer can open grpc client connections with different levels of ATLS encryption / verification.
+type Dialer struct {
+	issuer    atls.Issuer
+	validator atls.Validator
+	netDialer NetDialer
+}
+
+// New creates a new Dialer.
+func New(issuer atls.Issuer, validator atls.Validator, netDialer NetDialer) *Dialer {
+	return &Dialer{
+		issuer:    issuer,
+		validator: validator,
+		netDialer: netDialer,
+	}
+}
+
+// Dial creates a new grpc client connection to the given target using the atls validator.
+func (d *Dialer) Dial(ctx context.Context, target string) (*grpc.ClientConn, error) {
+	credentials := atlscredentials.New(d.issuer, []atls.Validator{d.validator})
+
+	return grpc.DialContext(ctx, target,
+		d.grpcWithDialer(),
+		grpc.WithTransportCredentials(credentials),
+	)
+}
+
+// DialInsecure creates a new grpc client connection to the given target without using encryption or verification.
+// Only use this method when using another kind of encryption / verification (VPN, etc).
+func (d *Dialer) DialInsecure(ctx context.Context, target string) (*grpc.ClientConn, error) {
+	return grpc.DialContext(ctx, target,
+		d.grpcWithDialer(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+}
+
+// DialNoVerify creates a new grpc client connection to the given target without verifying the server's attestation.
+func (d *Dialer) DialNoVerify(ctx context.Context, target string) (*grpc.ClientConn, error) {
+	credentials := atlscredentials.New(nil, nil)
+
+	return grpc.DialContext(ctx, target,
+		d.grpcWithDialer(),
+		grpc.WithTransportCredentials(credentials),
+	)
+}
+
+func (d *Dialer) grpcWithDialer() grpc.DialOption {
+	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+		return d.netDialer.DialContext(ctx, "tcp", addr)
+	})
+}
+
+// NetDialer implements the net Dialer interface.
+type NetDialer interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}