grpc
/
grpc-go
mirror of https://github.com/grpc/grpc-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Main functionality of File Watcher (Directory) CRL provider

This commit is contained in:
Andrey Ermolov 2023-09-28 22:23:41 +00:00
parent c88d12da96
commit 1feaae3b5c
1 changed files with 144 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
security/advancedtls/crl_provider.go
View File

@ -20,8 +20,13 @@ package advancedtls
import (
"crypto/x509"
"fmt"
"os"
"time"
)
const defaultCRLRefreshDuration = 1 * time.Hour
type CRLProvider interface {
// Callers are expected to use the returned value as read-only.
CRL(cert *x509.Certificate) (*CRL, error)
@ -41,10 +46,147 @@ func MakeStaticCRLProvider() *StaticCRLProvider {
}
func (p *StaticCRLProvider) AddCRL(crl *CRL) {
p.crls[crl.CertList.Issuer.ToRDNSequence().String()] = crl
key := crl.CertList.Issuer.ToRDNSequence().String()
p.crls[key] = crl
}
func (p *StaticCRLProvider) CRL(cert *x509.Certificate) (*CRL, error) {
// TODO handle no CRL found
return p.crls[cert.Issuer.ToRDNSequence().String()], nil
key := cert.Issuer.ToRDNSequence().String()
return p.crls[key], nil
}
type Options struct {
CRLDirectory string
RefreshDuration time.Duration
}
// NewFileWatcherCRLProvider creates a new FileWatcherCRLProvider.
type FileWatcherCRLProvider struct {
crls map[string]*CRL
opts Options
done chan bool
}
func NewFileWatcherCRLProvider(o Options) (*FileWatcherCRLProvider, error) {
if err := o.validate(); err != nil {
return nil, err
}
return &FileWatcherCRLProvider{
crls: make(map[string]*CRL),
opts: o,
done: make(chan bool),
}, nil
}
func (o Options) validate() error {
// Checks relates to CRLDirectory.
if o.CRLDirectory == "" {
return fmt.Errorf("advancedtls: CRLDirectory needs to be specified")
}
fileInfo, err := os.Stat(o.CRLDirectory)
if err != nil {
if os.IsNotExist(err) {
return fmt.Errorf("advancedtls: CRLDirectory %v does not exist", o.CRLDirectory)
} else {
return err
}
}
if !fileInfo.IsDir() {
return fmt.Errorf("advancedtls: CRLDirectory %v is not a directory", o.CRLDirectory)
}
_, err = os.Open(o.CRLDirectory)
if err != nil {
if os.IsPermission(err) {
return fmt.Errorf("advancedtls: CRLDirectory %v is not readable:", o.CRLDirectory)
} else {
return err
}
}
// Checks related to RefreshDuration.
if o.RefreshDuration <= 0 || o.RefreshDuration < time.Second {
grpclogLogger.Warningf("RefreshDuration must larger then 1 second: provided value %v, default value will be used %v", o.RefreshDuration, defaultCRLRefreshDuration)
}
return nil
}
// Start starts watching the directory for CRL files and updates the provider accordingly.
func (p *FileWatcherCRLProvider) Start() {
ticker := time.NewTicker(p.opts.RefreshDuration)
defer ticker.Stop()
// Initial CRL load
p.scanCRLDirectory()
for {
select {
case <-ticker.C:
p.scanCRLDirectory()
case <-p.done:
return
}
}
}
// Stop stops the CRL provider and releases resources.
func (p *FileWatcherCRLProvider) Stop() {
close(p.done)
}
func (p *FileWatcherCRLProvider) scanCRLDirectory() {
dir, err := os.Open(p.opts.CRLDirectory)
if err != nil {
grpclogLogger.Errorf("Can't open CRLDirectory %v", p.opts.CRLDirectory, err)
}
defer dir.Close()
files, err := dir.ReadDir(0)
if err != nil {
grpclogLogger.Errorf("Can't access files under CRLDirectory %v", p.opts.CRLDirectory, err)
}
successCounter := 0
failCounter := 0
for _, file := range files {
filePath := fmt.Sprintf("%s/%s", p.opts.CRLDirectory, file.Name())
err := p.addCRL(filePath)
if err != nil {
failCounter++
grpclogLogger.Warningf("Can't add CRL from file %v under CRLDirectory %v", filePath, p.opts.CRLDirectory, err)
continue
}
successCounter++
}
grpclogLogger.Infof("Scan of CRLDirectory %v completed, tried %v files, added %v CRLs, %v files failed", len(files), successCounter, failCounter)
}
func (p *FileWatcherCRLProvider) addCRL(filePath string) error {
crlBytes, err := os.ReadFile(filePath)
if err != nil {
return err
}
crl, err := parseRevocationList(crlBytes)
if err != nil {
return fmt.Errorf("addCRL: can't parse CRL from file %v: %v", filePath, err)
}
var certList *CRL
if certList, err = parseCRLExtensions(crl); err != nil {
return fmt.Errorf("addCRL: unsupported crl %v: %v", filePath, err)
}
rawCRLIssuer, err := extractCRLIssuer(crlBytes)
if err != nil {
return fmt.Errorf("addCRL: can't extract Issuer from CRL from file %v: %v", filePath, err)
}
certList.RawIssuer = rawCRLIssuer
key := certList.CertList.Issuer.ToRDNSequence().String()
p.crls[key] = certList
grpclogLogger.Infof("In-memory CRL storage of FileWatcherCRLProvider for key %v updated", key)
return nil
}
// CRL retrieves the CRL associated with the given certificate's issuer DN.
func (p *FileWatcherCRLProvider) CRL(cert *x509.Certificate) (*CRL, error) {
// TODO handle no CRL found
key := cert.Issuer.ToRDNSequence().String()
return p.crls[key], nil
}