allow option to specify tls key,cert for gw while connecting to grpc listener (#4)

vshiva · web-flow · commit d464c614a8d8 · 2020-09-03T10:44:05.000-07:00
diff --git a/log/log.go b/log/log.go
@@ -113,7 +113,7 @@ func (l *Logger) initWrappedLogger() {
 		// Tee off logs to rollbar
 		zcores = append(zcores, newRollbarCore(l.rollbarToken, l.getEvironment(), l.getVersion(), l.rollbarMinLevel))
 	}
-	wl := zap.New(zapcore.NewTee(zcores...), zap.AddCaller(), zap.AddCallerSkip(1), zap.AddStacktrace(zap.WarnLevel))
+	wl := zap.New(zapcore.NewTee(zcores...), zap.AddCaller(), zap.AddCallerSkip(1), zap.AddStacktrace(zap.ErrorLevel))
 	l.wrappedLogger = wl.Named(l.name).Sugar()
 }
 
diff --git a/server/option.go b/server/option.go
@@ -124,6 +124,14 @@ func TLSCred(certFile, keyFile, clientCA string) Option {
 	})
 }
 
+// GatewayClientTLSCred Key and Cert file to be used by gateway client to connect to the gw server
+func GatewayClientTLSCred(certFile, keyFile string) Option {
+	return optionFunc(func(r *runtime) {
+		r.gwClientKeyFile = keyFile
+		r.gwClientCertFile = certFile
+	})
+}
+
 // GRPCAPI that needs to be registered with Runtime
 func GRPCAPI(handler GRPCAPIHandler, gw bool) Option {
 	return optionFunc(func(r *runtime) {
diff --git a/server/runtime.go b/server/runtime.go
@@ -74,9 +74,12 @@ type (
 		mPort  uint // metrics server port
 		dPort  uint // debug server port
 
-		certFile string
-		keyFile  string
-		clientCA string
+		certFile string // TLS certificate used by server listener
+		keyFile  string // TLS private key used by server listener
+		clientCA string // mTLS. if specified connections are accepted from clients that present certs signed by this CA
+
+		gwClientCertFile string // TLS certificate for gw client to connect to grpc server
+		gwClientKeyFile  string // TLS private key for gw client to connect to grpc server
 
 		grpcEnabled      bool // enable grpc server
 		htEnabled        bool // enable http server
@@ -353,15 +356,14 @@ func (r *runtime) Stop(ctx context.Context) {
 
 	if r.gwEnabled {
 		r.logger.Info("shutting gateway server")
+		if err := r.gwClientConn.Close(); err != nil {
+			r.logger.Errorf("error happened while closing gateway grpc client -%v", err)
+		}
 		ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 		defer cancel()
 		if err := r.gwServer.Shutdown(ctx); err != nil {
 			r.logger.Errorf("error happened while shutting gateway server -%v", err)
 		}
-
-		if err := r.gwClientConn.Close(); err != nil {
-			r.logger.Errorf("error happened while closing gateway grpc client -%v", err)
-		}
 	}
 
 	if r.grpcEnabled {
@@ -571,11 +573,30 @@ func (r *runtime) getGRPCClientConnectionForGateway(ctx context.Context) (*grpc.
 	opts := []grpc.DialOption{}
 
 	if r.isSecureConnection() {
-		tc, err := newTLSConfig()
-		if err != nil {
-			return nil, err
+
+		var (
+			cert tls.Certificate
+			err  error
+		)
+		if r.gwClientCertFile != "" && r.gwClientKeyFile != "" {
+			if cert, err = tls.LoadX509KeyPair(r.gwClientCertFile, r.gwClientKeyFile); err != nil {
+				return nil, err
+			}
+
+		} else if r.gwClientCertFile == "" && r.gwClientKeyFile == "" {
+			if cert, err = newClientCert(); err != nil {
+				return nil, err
+			}
+		} else {
+			return nil, errors.New("gateway client connection: both cert and private key file must be specified")
 		}
-		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tc)))
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: true,
+			NextProtos:         []string{"h1"},
+			Certificates:       []tls.Certificate{cert},
+		}
+
+		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	} else {
 		opts = append(opts, grpc.WithInsecure())
 	}
diff --git a/server/tls.go b/server/tls.go
@@ -72,17 +72,3 @@ func newClientCert() (cert tls.Certificate, err error) {
 
 	return clientCert, nil
 }
-
-func newTLSConfig() (*tls.Config, error) {
-
-	certificate, err := newClientCert()
-	if err != nil {
-		return nil, err
-	}
-	tc := &tls.Config{
-		Certificates:       []tls.Certificate{certificate},
-		InsecureSkipVerify: true,
-		NextProtos:         []string{"h1"},
-	}
-	return tc, nil
-}

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ func (l *Logger) initWrappedLogger() {`
`113`	`113`	`// Tee off logs to rollbar`
`114`	`114`	`zcores = append(zcores, newRollbarCore(l.rollbarToken, l.getEvironment(), l.getVersion(), l.rollbarMinLevel))`
`115`	`115`	`}`
`116`		`- wl := zap.New(zapcore.NewTee(zcores...), zap.AddCaller(), zap.AddCallerSkip(1), zap.AddStacktrace(zap.WarnLevel))`
	`116`	`+ wl := zap.New(zapcore.NewTee(zcores...), zap.AddCaller(), zap.AddCallerSkip(1), zap.AddStacktrace(zap.ErrorLevel))`
`117`	`117`	`l.wrappedLogger = wl.Named(l.name).Sugar()`
`118`	`118`	`}`
`119`	`119`