1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
// +build go1.13
/*
*
* Copyright 2020 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package meshca
import (
"crypto/x509"
"encoding/json"
"fmt"
"sync"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/sts"
"google.golang.org/grpc/credentials/tls/certprovider"
"google.golang.org/grpc/internal/backoff"
)
const pluginName = "mesh_ca"
// For overriding in unit tests.
var (
grpcDialFunc = grpc.Dial
backoffFunc = backoff.DefaultExponential.Backoff
)
func init() {
certprovider.Register(newPluginBuilder())
}
func newPluginBuilder() *pluginBuilder {
return &pluginBuilder{clients: make(map[ccMapKey]*refCountedCC)}
}
// Key for the map containing ClientConns to the MeshCA server. Only the server
// name and the STS options (which is used to create call creds) from the plugin
// configuration determine if two configs can share the same ClientConn. Hence
// only those form the key to this map.
type ccMapKey struct {
name string
stsOpts sts.Options
}
// refCountedCC wraps a grpc.ClientConn to MeshCA along with a reference count.
type refCountedCC struct {
cc *grpc.ClientConn
refCnt int
}
// pluginBuilder is an implementation of the certprovider.Builder interface,
// which build certificate provider instances which get certificates signed from
// the MeshCA.
type pluginBuilder struct {
// A collection of ClientConns to the MeshCA server along with a reference
// count. Provider instances whose config point to the same server name will
// end up sharing the ClientConn.
mu sync.Mutex
clients map[ccMapKey]*refCountedCC
}
// Build returns a MeshCA certificate provider for the passed in configuration
// and options.
//
// This builder takes care of sharing the ClientConn to the MeshCA server among
// different plugin instantiations.
func (b *pluginBuilder) Build(c certprovider.StableConfig, opts certprovider.Options) certprovider.Provider {
cfg, ok := c.(*pluginConfig)
if !ok {
// This is not expected when passing config returned by ParseConfig().
// This could indicate a bug in the certprovider.Store implementation or
// in cases where the user is directly using these APIs, could be a user
// error.
logger.Errorf("unsupported config type: %T", c)
return nil
}
b.mu.Lock()
defer b.mu.Unlock()
ccmk := ccMapKey{
name: cfg.serverURI,
stsOpts: cfg.stsOpts,
}
rcc, ok := b.clients[ccmk]
if !ok {
// STS call credentials take care of exchanging a locally provisioned
// JWT token for an access token which will be accepted by the MeshCA.
callCreds, err := sts.NewCredentials(cfg.stsOpts)
if err != nil {
logger.Errorf("sts.NewCredentials() failed: %v", err)
return nil
}
// MeshCA is a public endpoint whose certificate is Web-PKI compliant.
// So, we just need to use the system roots to authenticate the MeshCA.
cp, err := x509.SystemCertPool()
if err != nil {
logger.Errorf("x509.SystemCertPool() failed: %v", err)
return nil
}
transportCreds := credentials.NewClientTLSFromCert(cp, "")
cc, err := grpcDialFunc(cfg.serverURI, grpc.WithTransportCredentials(transportCreds), grpc.WithPerRPCCredentials(callCreds))
if err != nil {
logger.Errorf("grpc.Dial(%s) failed: %v", cfg.serverURI, err)
return nil
}
rcc = &refCountedCC{cc: cc}
b.clients[ccmk] = rcc
}
rcc.refCnt++
p := newProviderPlugin(providerParams{
cc: rcc.cc,
cfg: cfg,
opts: opts,
backoff: backoffFunc,
doneFunc: func() {
// The plugin implementation will invoke this function when it is
// being closed, and here we take care of closing the ClientConn
// when there are no more plugins using it. We need to acquire the
// lock before accessing the rcc from the enclosing function.
b.mu.Lock()
defer b.mu.Unlock()
rcc.refCnt--
if rcc.refCnt == 0 {
logger.Infof("Closing grpc.ClientConn to %s", ccmk.name)
rcc.cc.Close()
delete(b.clients, ccmk)
}
},
})
return p
}
// ParseConfig parses the configuration to be passed to the MeshCA plugin
// implementation. Expects the config to be a json.RawMessage which contains a
// serialized JSON representation of the meshca_experimental.GoogleMeshCaConfig
// proto message.
func (b *pluginBuilder) ParseConfig(c interface{}) (certprovider.StableConfig, error) {
data, ok := c.(json.RawMessage)
if !ok {
return nil, fmt.Errorf("meshca: unsupported config type: %T", c)
}
return pluginConfigFromJSON(data)
}
// Name returns the MeshCA plugin name.
func (b *pluginBuilder) Name() string {
return pluginName
}
|
