
*: simplify approach and isolate gRPC-gateway requests only
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
hexfusion committed Jan 3, 2019
1 parent 187b6e9 commit 9d1885c
Showing 2 changed files with 8 additions and 48 deletions.
23 changes: 8 additions & 15 deletions embed/serve.go
Expand Up @@ -35,7 +35,6 @@ import (
etcdservergw "go.etcd.io/etcd/etcdserver/etcdserverpb/gw"
"go.etcd.io/etcd/pkg/debugutil"
"go.etcd.io/etcd/pkg/httputil"
"go.etcd.io/etcd/pkg/tlsutil"
"go.etcd.io/etcd/pkg/transport"

gw "github.com/grpc-ecosystem/grpc-gateway/runtime"
Expand Down Expand Up @@ -127,7 +126,7 @@ func (sctx *serveCtx) serve(
httpmux := sctx.createMux(gwmux, handler)

srvhttp := &http.Server{
Handler: createAccessController(sctx.lg, s, httpmux, nil),
Handler: createAccessController(sctx.lg, s, httpmux),
ErrorLog: logger, // do not log user error
}
httpl := m.Match(cmux.HTTP1())
Expand Down Expand Up @@ -177,7 +176,7 @@ func (sctx *serveCtx) serve(
httpmux := sctx.createMux(gwmux, handler)

srv := &http.Server{
Handler: createAccessController(sctx.lg, s, httpmux, tlsinfo),
Handler: createAccessController(sctx.lg, s, httpmux),
TLSConfig: tlscfg,
ErrorLog: logger, // do not log user error
}
Expand Down Expand Up @@ -208,6 +207,10 @@ func grpcHandlerFunc(grpcServer *grpc.Server, otherHandler http.Handler) http.Ha
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.ProtoMajor == 2 && strings.Contains(r.Header.Get("Content-Type"), "application/grpc") {
// gRPC-gateway should not include CN in request
if gw := r.Header.Get("Grpcgateway-Accept"); gw != "" {
r.TLS.PeerCertificates[0].Subject.CommonName = ""
}
grpcServer.ServeHTTP(w, r)
} else {
otherHandler.ServeHTTP(w, r)
Expand Down Expand Up @@ -294,15 +297,14 @@ func (sctx *serveCtx) createMux(gwmux *gw.ServeMux, handler http.Handler) *http.
// - mutate gRPC gateway request paths
// - check hostname whitelist
// client HTTP requests goes here first
func createAccessController(lg *zap.Logger, s *etcdserver.EtcdServer, mux *http.ServeMux, c *transport.TLSInfo) http.Handler {
return &accessController{lg: lg, s: s, mux: mux, c: c}
func createAccessController(lg *zap.Logger, s *etcdserver.EtcdServer, mux *http.ServeMux) http.Handler {
return &accessController{lg: lg, s: s, mux: mux}
}

type accessController struct {
lg *zap.Logger
s *etcdserver.EtcdServer
mux *http.ServeMux
c *transport.TLSInfo
}

func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
Expand Down Expand Up @@ -341,15 +343,6 @@ func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request)
return
}

if ac.s.Cfg.ClientCertAuthEnabled && req.TLS.PeerCertificates[0].Subject.CommonName != "" {
clientCertificates, _ := tlsutil.ParseCert(ac.c.CertFile)
peerSN := req.TLS.PeerCertificates[0].SerialNumber
clientSN := clientCertificates[0].SerialNumber
if clientSN.Cmp(peerSN) == 0 {
req.TLS.PeerCertificates[0].Subject.CommonName = ""
}
}

ac.mux.ServeHTTP(rw, req)
}

Expand Down
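Review bot: The new guard in grpcHandlerFunc, `if gw := r.Header.Get("Grpcgateway-Accept"); gw != ""`, dereferences `r.TLS.PeerCertificates[0]` without checking that `r.TLS` is non-nil or that a peer certificate was presented, so a TLS client that connects without a client certificate (the normal case whenever client cert auth is off) and sends that header hits an index-out-of-range panic; net/http recovers handler panics, but it is still a client-triggerable failure. Change the condition to `if gw := r.Header.Get("Grpcgateway-Accept"); gw != "" && r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {`. Separately, as far as I can tell from grpc-gateway's default header mapping the `Grpcgateway-Accept` metadata is derived from the HTTP client's own `Accept` header, so a gateway request sent without an `Accept` header would presumably not carry the marker and would keep the proxy certificate's CN — this should be verified, and if confirmed the gateway dial (outside this hunk) should attach a marker the server controls rather than relying on a client-supplied header. Note also that blanking `Subject.CommonName` appears to mutate the certificate object shared by every stream on that connection, which is fine for the gateway's own connection but deserves a comment such as `// PeerCertificates are shared by all streams on this connection; blanking CN is connection-wide`. grpcHandlerFunc's signature and the surrounding serve() bodies start outside this hunk.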
33 changes: 0 additions & 33 deletions pkg/tlsutil/tlsutil.go
Expand Up @@ -70,36 +70,3 @@ func NewCert(certfile, keyfile string, parseFunc func([]byte, []byte) (tls.Certi
}
return &tlsCert, nil
}

// ParseCert returns a slice of x509 Certificates when given a cert file.
func ParseCert(certFile string) ([]*x509.Certificate, error) {
var (
blocks [][]byte
cert []*x509.Certificate
)

pemCert, err := ioutil.ReadFile(certFile)
if err != nil {
return nil, err
}
// convert PEM to DER
for {
var derCert *pem.Block
derCert, pemCert = pem.Decode(pemCert)
if derCert == nil {
break
}

if derCert.Type == "CERTIFICATE" {
blocks = append(blocks, derCert.Bytes)
}
}
for _, block := range blocks {
c, err := x509.ParseCertificate(block)
if err != nil {
continue
}
cert = append(cert, c)
}
return cert, nil
}
