Skip to content

Secure connection for Hotpot osdsapiserver #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
himanshuvar wants to merge 1 commit into
base: mizar
Choose a base branch
from
Open

Secure connection for Hotpot osdsapiserver #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions client/cert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
// Copyright 2020 The OpenSDS Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package client

const (
//Opensds Certificate ENVs
OpensdsClientCert = "OPENSDS_CLIENT_CERT"
OpensdsClientKey = "OPENSDS_CLIENT_KEY"
OpensdsCACert = "OPENSDS_CA_CERT"
)

type Certificates interface {
GetClientCertFile() string
GetClientKeyFile() string
GetCACertFile() string
}

type TLSConfig struct {
CertFile string
KeyFile string
TrustedCAFile string
}

func NewCertificates(certFile string, keyFile string, caCertFile string) *TLSConfig {
return &TLSConfig{
CertFile: certFile,
KeyFile: keyFile,
TrustedCAFile: caCertFile,
}
}

func (cert *TLSConfig) GetClientCertFile() string {
return cert.CertFile
}

func (cert *TLSConfig) GetClientKeyFile() string {
return cert.KeyFile
}

func (cert *TLSConfig) GetCACertFile() string {
return cert.TrustedCAFile
}
15 changes: 10 additions & 5 deletions client/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ import (
"fmt"
"log"
"net/url"
"os"
"strings"

"github.com/opensds/opensds/pkg/utils/constants"
Expand Down Expand Up @@ -49,8 +48,9 @@ type Client struct {

// Config is a struct that defines some options for calling the Client.
type Config struct {
Endpoint string
AuthOptions AuthOptions
Endpoint string
AuthOptions AuthOptions
Certificates Certificates
}

// NewClient method creates a new Client.
Expand All @@ -62,7 +62,7 @@ func NewClient(c *Config) (*Client, error) {
}

// If https is enabled, CA cert file should be provided.
u, _ := url.Parse(c.Endpoint)
/*u, _ := url.Parse(c.Endpoint)
if u.Scheme == "https" {
cacert = constants.OpensdsCaCertFile
_, err := os.Stat(cacert)
Expand All @@ -71,7 +71,7 @@ func NewClient(c *Config) (*Client, error) {
return nil, fmt.Errorf("CA file(%s) doesn't exist", cacert)
}
}
}
}*/

var r Receiver
var err error
Expand All @@ -89,6 +89,11 @@ func NewClient(c *Config) (*Client, error) {
c.AuthOptions = NewNoauthOptions(constants.DefaultTenantId)
}

u, _ := url.Parse(c.Endpoint)
if u.Scheme == "https" {
r.SetTLSConfig(c.Certificates.(*TLSConfig))
}

t := c.AuthOptions.GetTenantId()
return &Client{
cfg: c,
Expand Down
72 changes: 64 additions & 8 deletions client/fake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,9 @@ func NewFakeDockReceiver() Receiver {
return &fakeDockReceiver{}
}

type fakeDockReceiver struct{}
type fakeDockReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeDockReceiver) Recv(
string,
Expand Down Expand Up @@ -106,11 +108,18 @@ func (*fakeDockReceiver) Recv(
return nil
}

// sets tls connection configurations for https requests
func (f *fakeDockReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakePoolReceiver() Receiver {
return &fakePoolReceiver{}
}

type fakePoolReceiver struct{}
type fakePoolReceiver struct{
tlsConfig *TLSConfig
}

func (*fakePoolReceiver) Recv(
string,
Expand Down Expand Up @@ -140,11 +149,18 @@ func (*fakePoolReceiver) Recv(
return nil
}

// sets tls connection configurations for https requests
func (f *fakePoolReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakeProfileReceiver() Receiver {
return &fakeProfileReceiver{}
}

type fakeProfileReceiver struct{}
type fakeProfileReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeProfileReceiver) Recv(
string,
Expand Down Expand Up @@ -210,11 +226,18 @@ func (*fakeProfileReceiver) Recv(
return nil
}

// sets tls connection configurations for https requests
func (f *fakeProfileReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakeVolumeReceiver() Receiver {
return &fakeVolumeReceiver{}
}

type fakeVolumeReceiver struct{}
type fakeVolumeReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeVolumeReceiver) Recv(
string,
Expand Down Expand Up @@ -304,11 +327,18 @@ func (*fakeVolumeReceiver) Recv(
return nil
}

// sets tls connection configurations for https requests
func (f *fakeVolumeReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakeReplicationReceiver() Receiver {
return &fakeReplicationReceiver{}
}

type fakeReplicationReceiver struct{}
type fakeReplicationReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeReplicationReceiver) Recv(
url string,
Expand Down Expand Up @@ -339,11 +369,18 @@ func (*fakeReplicationReceiver) Recv(
return errors.New("input method format not supported")
}

// sets tls connection configurations for https requests
func (f *fakeReplicationReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakeVersionReceiver() Receiver {
return &fakeVersionReceiver{}
}

type fakeVersionReceiver struct{}
type fakeVersionReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeVersionReceiver) Recv(
string,
Expand Down Expand Up @@ -377,11 +414,18 @@ func (*fakeVersionReceiver) Recv(
return nil
}

// sets tls connection configurations for https requests
func (f *fakeVersionReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakeFileShareReceiver() Receiver {
return &fakeFileShareReceiver{}
}

type fakeFileShareReceiver struct{}
type fakeFileShareReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeFileShareReceiver) Recv(
string,
Expand Down Expand Up @@ -445,11 +489,18 @@ func (*fakeFileShareReceiver) Recv(
return nil
}

// sets tls connection configurations for https requests
func (f *fakeFileShareReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}

func NewFakeHostReceiver() Receiver {
return &fakeHostReceiver{}
}

type fakeHostReceiver struct{}
type fakeHostReceiver struct{
tlsConfig *TLSConfig
}

func (*fakeHostReceiver) Recv(
string,
Expand Down Expand Up @@ -488,3 +539,8 @@ func (*fakeHostReceiver) Recv(

return nil
}

// sets tls connection configurations for https requests
func (f *fakeHostReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
f.tlsConfig = tlsConfig
}
70 changes: 63 additions & 7 deletions client/receiver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ type HeaderOption map[string]string
// Receiver
type Receiver interface {
Recv(url string, method string, input interface{}, output interface{}) error
SetTLSConfig(tlsConfig *TLSConfig)
}

// NewReceiver
Expand Down Expand Up @@ -95,13 +96,33 @@ func customVerify(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
return nil
}

func request(urlStr string, method string, headers HeaderOption, input interface{}, output interface{}) error {
func request(urlStr string, method string, headers HeaderOption, input interface{}, output interface{}, tlsConfig *TLSConfig) error {
req := httplib.NewBeegoRequest(urlStr, strings.ToUpper(method))

u, _ := url.Parse(urlStr)
if u.Scheme == "https" && cacert != "" {
if u.Scheme == "https" {
log.Println("Https mode.")
req.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: customVerify})

cert, err := tls.LoadX509KeyPair(tlsConfig.GetClientCertFile(), tlsConfig.GetClientKeyFile())
if err != nil {
log.Fatalf("loading key pair for client cert failed : %v", err)
}

rootCA, err := ioutil.ReadFile(tlsConfig.GetCACertFile())
if err != nil {
log.Fatalf("reading cert failed : %v", err)
}
rootCAPool := x509.NewCertPool()
rootCAPool.AppendCertsFromPEM(rootCA)
log.Println("RootCA loaded")

tlsConfig := &tls.Config{
RootCAs: rootCAPool,
GetClientCertificate: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return &cert, nil
},
}
req.SetTLSClientConfig(tlsConfig)
}

// Set the request timeout a little bit longer upload snapshot to cloud temporarily.
Expand Down Expand Up @@ -149,12 +170,41 @@ func request(urlStr string, method string, headers HeaderOption, input interface
return nil
}

type receiver struct{}
type receiver struct{
tlsConfig *TLSConfig
}

func (r *receiver) Recv(url string, method string, input interface{}, output interface{}) error {
headers := HeaderOption{}
headers["Content-Type"] = constants.ContentType
return request(url, method, headers, input, output, r.tlsConfig)
}

// sets tls connection configurations for https requests
func (r *receiver) SetTLSConfig(tlsConfig *TLSConfig) {
r.tlsConfig = tlsConfig
}

//TODO: Implement Basic Authentication
func NewBasicAuthReceiver(tlsConfig *TLSConfig) (Receiver, error) {
b := &BasicAuthReceiver{tlsConfig: tlsConfig}
return b, nil
}

type BasicAuthReceiver struct {
tlsConfig *TLSConfig
}

func (*receiver) Recv(url string, method string, input interface{}, output interface{}) error {
func (b *BasicAuthReceiver) Recv(url string, method string, input interface{}, output interface{}) error {
headers := HeaderOption{}
headers["Content-Type"] = constants.ContentType
return request(url, method, headers, input, output)

return request(url, method, headers, input, output, b.tlsConfig)
}

// sets tls connection configurations for https requests
func (b *BasicAuthReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
b.tlsConfig = tlsConfig
}

func NewKeystoneReceiver(auth *KeystoneAuthOptions) (Receiver, error) {
Expand All @@ -168,6 +218,7 @@ func NewKeystoneReceiver(auth *KeystoneAuthOptions) (Receiver, error) {

type KeystoneReceiver struct {
Auth *KeystoneAuthOptions
tlsConfig *TLSConfig
}

func (k *KeystoneReceiver) GetToken() error {
Expand Down Expand Up @@ -222,10 +273,15 @@ func (k *KeystoneReceiver) Recv(url string, method string, body interface{}, out
headers := HeaderOption{}
headers["Content-Type"] = constants.ContentType
headers[constants.AuthTokenHeader] = k.Auth.TokenID
return request(url, method, headers, body, output)
return request(url, method, headers, body, output, k.tlsConfig)
})
}

// sets tls connection configurations for https requests
func (k *KeystoneReceiver) SetTLSConfig(tlsConfig *TLSConfig) {
k.tlsConfig = tlsConfig
}

func checkHTTPResponseStatusCode(resp *http.Response) error {
if 400 <= resp.StatusCode && resp.StatusCode <= 599 {
return fmt.Errorf("response == %d, %s", resp.StatusCode, http.StatusText(resp.StatusCode))
Expand Down
Loading