Skip to content
This repository has been archived by the owner on Aug 31, 2022. It is now read-only.

Fix Dial-out Insecure Mode #41

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
11 changes: 9 additions & 2 deletions dialout/dialout_client/dialout_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,18 +5,20 @@ import (
"crypto/tls"
"errors"
"fmt"
"net"

spb "github.com/Azure/sonic-telemetry/proto"
sdc "github.com/Azure/sonic-telemetry/sonic_data_client"
sdcfg "github.com/Azure/sonic-telemetry/sonic_db_config"
"github.com/Workiva/go-datastructures/queue"
"github.com/go-redis/redis"
log "github.com/golang/glog"
gpb "github.com/openconfig/gnmi/proto/gnmi"
"github.com/openconfig/ygot/ygot"
"github.com/Workiva/go-datastructures/queue"
"golang.org/x/net/context"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"net"

//"reflect"
"strconv"
"strings"
Expand Down Expand Up @@ -264,9 +266,14 @@ func newClient(ctx context.Context, dest Destination) (*Client, error) {
opts := []grpc.DialOption{
grpc.WithBlock(),
}

if clientCfg.TLS != nil {
opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(clientCfg.TLS)))
} else {
opts = append(opts, grpc.WithInsecure())
log.V(2).Infof("gRPC without TLS")
}

conn, err := grpc.DialContext(ctx, dest.Addrs, opts...)
if err != nil {
return nil, fmt.Errorf("Dial to (%s, timeout %v): %v", dest, timeout, err)
Expand Down
21 changes: 15 additions & 6 deletions dialout/dialout_client_cli/dialout_client_cli.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,14 @@ package main
import (
"crypto/tls"
"flag"
"os"
"os/signal"
"time"

dc "github.com/Azure/sonic-telemetry/dialout/dialout_client"
log "github.com/golang/glog"
gpb "github.com/openconfig/gnmi/proto/gnmi"
"golang.org/x/net/context"
"os"
"os/signal"
"time"
)

var (
Expand All @@ -19,13 +20,15 @@ var (
RetryInterval: 30 * time.Second,
Encoding: gpb.Encoding_JSON_IETF,
Unidirectional: true,
TLS: &tls.Config{},
}
tlsCfg = tls.Config{}
tlsDisable bool
)

func init() {
flag.StringVar(&clientCfg.TLS.ServerName, "server_name", "", "When set, use this hostname to verify server certificate during TLS handshake.")
flag.BoolVar(&clientCfg.TLS.InsecureSkipVerify, "insecure", false, "When set, client will not verify the server certificate during TLS handshake.")
flag.StringVar(&tlsCfg.ServerName, "server_name", "", "When set, use this hostname to verify server certificate during TLS handshake.")
flag.BoolVar(&tlsCfg.InsecureSkipVerify, "insecure", false, "When set, client will not verify the server certificate during TLS handshake.")
flag.BoolVar(&tlsDisable, "tls_disable", false, "Without TLS, only for testing")
flag.DurationVar(&clientCfg.RetryInterval, "retry_interval", 30*time.Second, "Interval at which client tries to reconnect to destination servers")
flag.BoolVar(&clientCfg.Unidirectional, "unidirectional", true, "No repesponse from server is expected")
}
Expand All @@ -41,6 +44,12 @@ func main() {
cancel()
}()
log.V(1).Infof("Starting telemetry publish client")

if !tlsDisable {
clientCfg.TLS = &tlsCfg
log.V(1).Infof("TLS enable")
}

err := dc.DialOutRun(ctx, &clientCfg)
log.V(1).Infof("Exiting telemetry publish client: %v", err)
log.Flush()
Expand Down
51 changes: 24 additions & 27 deletions dialout/dialout_server_cli/dialout_server_cli.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ import (
"google.golang.org/grpc/credentials"

ds "github.com/Azure/sonic-telemetry/dialout/dialout_server"
testcert "github.com/Azure/sonic-telemetry/testdata/tls"
)

var (
Expand All @@ -21,6 +20,7 @@ var (
serverCert = flag.String("server_crt", "", "TLS server certificate")
serverKey = flag.String("server_key", "", "TLS server private key")
insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!")
TildenWinston marked this conversation as resolved.
Show resolved Hide resolved
tls_disable = flag.Bool("tls_disable", false, "Without TLS, for testing only!")
allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.")
)

Expand All @@ -35,12 +35,8 @@ func main() {
var certificate tls.Certificate
var err error

if *insecure {
certificate, err = testcert.NewCert()
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
} else {
var opts []grpc.ServerOption
if !*insecure {
switch {
case *serverCert == "":
log.Errorf("serverCert must be set.")
Expand All @@ -53,32 +49,33 @@ func main() {
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
}

tlsCfg := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{certificate},
}
if *allowNoClientCert {
// RequestClientCert will ask client for a certificate but won't
// require it to proceed. If certificate is provided, it will be
// verified.
tlsCfg.ClientAuth = tls.RequestClientCert
}
tlsCfg := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{certificate},
}

if *caCert != "" {
ca, err := ioutil.ReadFile(*caCert)
if err != nil {
log.Exitf("could not read CA certificate: %s", err)
if *allowNoClientCert {
// RequestClientCert will ask client for a certificate but won't
// require it to proceed. If certificate is provided, it will be
// verified.
tlsCfg.ClientAuth = tls.RequestClientCert
}
certPool := x509.NewCertPool()
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Exit("failed to append CA certificate")

if *caCert != "" {
ca, err := ioutil.ReadFile(*caCert)
if err != nil {
log.Exitf("could not read CA certificate: %s", err)
}
certPool := x509.NewCertPool()
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Exit("failed to append CA certificate")
}
tlsCfg.ClientCAs = certPool
}
tlsCfg.ClientCAs = certPool
opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
}

opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
cfg := &ds.Config{}
cfg.Port = int64(*port)
s, err := ds.NewServer(cfg, opts)
Expand Down