grpc
/
grpc-java
mirror of https://github.com/grpc/grpc-java.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

examples: Add a "hello-world" with TLS configured

This commit is contained in:
Nicholas DiPiazza 2018-02-06 19:33:32 -06:00 committed by Eric Anderson
parent 512e55444e
commit 14ed692974
7 changed files with 403 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
examples/BUILD.bazel
View File

@ -72,8 +72,10 @@ java_library(
"@com_google_protobuf//:protobuf_java",
"@com_google_protobuf//:protobuf_java_util",
"@grpc_java//core",
"@grpc_java//netty",
"@grpc_java//protobuf",
"@grpc_java//stub",
"@io_netty_netty_handler//jar",
],
)
@ -83,7 +85,6 @@ java_binary(
main_class = "io.grpc.examples.helloworld.HelloWorldClient",
runtime_deps = [
":examples",
"@grpc_java//netty",
],
)
@ -93,7 +94,6 @@ java_binary(
main_class = "io.grpc.examples.helloworld.HelloWorldServer",
runtime_deps = [
":examples",
"@grpc_java//netty",
],
)
@ -103,7 +103,6 @@ java_binary(
main_class = "io.grpc.examples.routeguide.RouteGuideClient",
runtime_deps = [
":examples",
"@grpc_java//netty",
],
)
@ -113,7 +112,6 @@ java_binary(
main_class = "io.grpc.examples.routeguide.RouteGuideServer",
runtime_deps = [
":examples",
"@grpc_java//netty",
],
)
@ -123,7 +121,6 @@ java_binary(
main_class = "io.grpc.examples.manualflowcontrol.ManualFlowControlClient",
runtime_deps = [
":examples",
"@grpc_java//netty",
],
)
@ -133,6 +130,25 @@ java_binary(
main_class = "io.grpc.examples.manualflowcontrol.ManualFlowControlServer",
runtime_deps = [
":examples",
"@grpc_java//netty",
],
)
java_binary(
name = "hello-world-tls-client",
testonly = 1,
main_class = "io.grpc.examples.helloworldtls.HelloWorldClientTls",
runtime_deps = [
":examples",
"@io_netty_netty_tcnative_boringssl_static//jar",
],
)
java_binary(
name = "hello-world-tls-server",
testonly = 1,
main_class = "io.grpc.examples.helloworldtls.HelloWorldServerTls",
runtime_deps = [
":examples",
"@io_netty_netty_tcnative_boringssl_static//jar",
],
)

78
examples/README.md
View File

@ -15,7 +15,8 @@ To build the examples, run in this directory:
$ ./gradlew installDist
```
This creates the scripts `hello-world-server`, `hello-world-client`,
This creates the scripts `hello-world-server`, `hello-world-client`,
`hello-world-tls-server`, `hello-world-tls-client`,
`route-guide-server`, and `route-guide-client` in the
`build/install/examples/bin/` directory that run the examples. Each
example requires the server to be running before starting the client.
@ -32,6 +33,81 @@ And in a different terminal window run:
$ ./build/install/examples/bin/hello-world-client
```
### Hello World with TLS
Running the hello world with TLS is the same as the normal hello world, but takes additional args:
**hello-world-tls-server**:
```text
USAGE: HelloWorldServerTls host port certChainFilePath privateKeyFilePath [clientCertChainFilePath]
Note: You only need to supply clientCertChainFilePath if you want to enable Mutual TLS.
```
**hello-world-tls-client**:
```text
USAGE: HelloWorldClientTls host port [trustCertCollectionFilePath] [clientCertChainFilePath] [clientPrivateKeyFilePath]
Note: clientCertChainFilePath and clientPrivateKeyFilePath are only needed if mutual auth is desired. And if you specify clientCertChainFilePath you must also specify clientPrivateKeyFilePath
```
#### Generating self-signed certificates for use with grpc
You can use the following script to generate self-signed certificates for grpc-java including the hello world with TLS examples:
```bash
# Changes these CN's to match your hosts in your environment if needed.
SERVER_CN=localhost
CLIENT_CN=localhost # Used when doing mutual TLS
echo Generate CA key:
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
echo Generate CA certificate:
# Generates ca.crt which is the trustCertCollectionFile
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}"
echo Generate server key:
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
echo Generate server signing request:
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}"
echo Self-signed server certificate:
# Generates server.crt which is the certChainFile for the server
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
echo Remove passphrase from server key:
openssl rsa -passin pass:1111 -in server.key -out server.key
echo Generate client key
openssl genrsa -passout pass:1111 -des3 -out client.key 4096
echo Generate client signing request:
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/CN=${CLIENT_CN}"
echo Self-signed client certificate:
# Generates client.crt which is the clientCertChainFile for the client (need for mutual TLS only)
openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
echo Remove passphrase from client key:
openssl rsa -passin pass:1111 -in client.key -out client.key
echo Converting the private keys to X.509:
# Generates client.pem which is the clientPrivateKeyFile for the Client (needed for mutual TLS only)
openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pem
# Generates server.pem which is the privateKeyFile for the Server
openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem
```
#### Hello world example with TLS (no mutual auth):
```bash
# Server
./build/install/examples/bin/hello-world-server-tls mate 50440 ~/Downloads/sslcert/server.crt ~/Downloads/sslcert/server.pem
# Client
./build/install/examples/bin/hello-world-client-tls mate 50440 ~/Downloads/sslcert/ca.crt
```
#### Hello world example with TLS with mutual auth:
```bash
# Server
./build/install/examples/bin/hello-world-server-tls mate 54440 ~/Downloads/sslcert/server.crt ~/Downloads/sslcert/server.pem ~/Downloads/sslcert/client.crt
# Client
./build/install/examples/bin/hello-world-client-tls mate 54440 ~/Downloads/sslcert/ca.crt ~/Downloads/sslcert/client.crt ~/Downloads/sslcert/client.pem
```
That's it!
Please refer to gRPC Java's [README](../README.md) and

20
examples/build.gradle
View File

@ -23,6 +23,7 @@ repositories {
// Feel free to delete the comment at the next line. It is just for safely
// updating the version in our release process.
def grpcVersion = '1.11.0-SNAPSHOT' // CURRENT_GRPC_VERSION
def nettyTcNativeVersion = '2.0.7.Final'
dependencies {
compile "com.google.api.grpc:proto-google-common-protos:1.0.0"
@ -30,6 +31,9 @@ dependencies {
compile "io.grpc:grpc-protobuf:${grpcVersion}"
compile "io.grpc:grpc-stub:${grpcVersion}"
// Used for TLS in HelloWorldServerTls
compile "io.netty:netty-tcnative-boringssl-static:${nettyTcNativeVersion}"
testCompile "io.grpc:grpc-testing:${grpcVersion}"
testCompile "junit:junit:4.12"
testCompile "org.mockito:mockito-core:1.9.5"
@ -97,6 +101,20 @@ task helloWorldClient(type: CreateStartScripts) {
classpath = jar.outputs.files + project.configurations.runtime
}
task helloWorldTlsServer(type: CreateStartScripts) {
mainClassName = 'io.grpc.examples.helloworldtls.HelloWorldServerTls'
applicationName = 'hello-world-tls-server'
outputDir = new File(project.buildDir, 'tmp')
classpath = jar.outputs.files + project.configurations.runtime
}
task helloWorldTlsClient(type: CreateStartScripts) {
mainClassName = 'io.grpc.examples.helloworldtls.HelloWorldClientTls'
applicationName = 'hello-world-tls-client'
outputDir = new File(project.buildDir, 'tmp')
classpath = jar.outputs.files + project.configurations.runtime
}
task compressingHelloWorldClient(type: CreateStartScripts) {
mainClassName = 'io.grpc.examples.experimental.CompressingHelloWorldClient'
applicationName = 'compressing-hello-world-client'
@ -109,6 +127,8 @@ applicationDistribution.into('bin') {
from(routeGuideClient)
from(helloWorldServer)
from(helloWorldClient)
from(helloWorldTlsServer)
from(helloWorldTlsClient)
from(compressingHelloWorldClient)
fileMode = 0755
}

6
examples/pom.xml
View File

@ -12,6 +12,7 @@
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<grpc.version>1.11.0-SNAPSHOT</grpc.version><!-- CURRENT_GRPC_VERSION -->
<netty.tcnative.version>2.0.7.Final</netty.tcnative.version>
</properties>
<dependencies>
<dependency>
@ -35,6 +36,11 @@
<version>${grpc.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-boringssl-static</artifactId>
<version>${netty.tcnative.version}</version>
</dependency>
<dependency>
<groupId>com.google.api.grpc</groupId>
<artifactId>proto-google-common-protos</artifactId>

140
examples/src/main/java/io/grpc/examples/helloworldtls/HelloWorldClientTls.java Normal file
View File

@ -0,0 +1,140 @@
/*
* Copyright 2015, gRPC Authors All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.grpc.examples.helloworldtls;
import io.grpc.ManagedChannel;
import io.grpc.StatusRuntimeException;
import io.grpc.examples.helloworld.GreeterGrpc;
import io.grpc.examples.helloworld.HelloReply;
import io.grpc.examples.helloworld.HelloRequest;
import io.grpc.examples.helloworld.HelloWorldServer;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NegotiationType;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import javax.net.ssl.SSLException;
import java.io.File;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
* A simple client that requests a greeting from the {@link HelloWorldServer} with TLS.
*/
public class HelloWorldClientTls {
private static final Logger logger = Logger.getLogger(HelloWorldClientTls.class.getName());
private final ManagedChannel channel;
private final GreeterGrpc.GreeterBlockingStub blockingStub;
private static SslContext buildSslContext(String trustCertCollectionFilePath,
String clientCertChainFilePath,
String clientPrivateKeyFilePath) throws SSLException {
SslContextBuilder builder = GrpcSslContexts.forClient();
if (trustCertCollectionFilePath != null) {
builder.trustManager(new File(trustCertCollectionFilePath));
}
if (clientCertChainFilePath != null && clientPrivateKeyFilePath != null) {
builder.keyManager(new File(clientCertChainFilePath), new File(clientPrivateKeyFilePath));
}
return builder.build();
}
/**
* Construct client connecting to HelloWorld server at {@code host:port}.
*/
public HelloWorldClientTls(String host,
int port,
SslContext sslContext) throws SSLException {
this(NettyChannelBuilder.forAddress(host, port)
.negotiationType(NegotiationType.TLS)
.sslContext(sslContext)
.build());
}
/**
* Construct client for accessing RouteGuide server using the existing channel.
*/
HelloWorldClientTls(ManagedChannel channel) {
this.channel = channel;
blockingStub = GreeterGrpc.newBlockingStub(channel);
}
public void shutdown() throws InterruptedException {
channel.shutdown().awaitTermination(5, TimeUnit.SECONDS);
}
/**
* Say hello to server.
*/
public void greet(String name) {
logger.info("Will try to greet " + name + " ...");
HelloRequest request = HelloRequest.newBuilder().setName(name).build();
HelloReply response;
try {
response = blockingStub.sayHello(request);
} catch (StatusRuntimeException e) {
logger.log(Level.WARNING, "RPC failed: {0}", e.getStatus());
return;
}
logger.info("Greeting: " + response.getMessage());
}
/**
* Greet server. If provided, the first element of {@code args} is the name to use in the
* greeting.
*/
public static void main(String[] args) throws Exception {
if (args.length < 2 || args.length == 4 || args.length > 5) {
System.out.println("USAGE: HelloWorldClientTls host port [trustCertCollectionFilePath] " +
"[clientCertChainFilePath] [clientPrivateKeyFilePath]\n Note: clientCertChainFilePath and " +
"clientPrivateKeyFilePath are only needed if mutual auth is desired. And if you specify " +
"clientCertChainFilePath you must also specify clientPrivateKeyFilePath");
System.exit(0);
}
HelloWorldClientTls client;
switch (args.length) {
case 2:
client = new HelloWorldClientTls(args[0], Integer.parseInt(args[1]),
buildSslContext(null, null, null));
break;
case 3:
client = new HelloWorldClientTls(args[0], Integer.parseInt(args[1]),
buildSslContext(args[2], null, null));
break;
default:
client = new HelloWorldClientTls(args[0], Integer.parseInt(args[1]),
buildSslContext(args[2], args[3], args[4]));
}
try {
/* Access a service running on the local machine on port 50051 */
String user = "world";
if (args.length > 0) {
user = args[0]; /* Use the arg as the name to greet if provided */
}
client.greet(user);
} finally {
client.shutdown();
}
}
}

136
examples/src/main/java/io/grpc/examples/helloworldtls/HelloWorldServerTls.java Normal file
View File

@ -0,0 +1,136 @@
/*
* Copyright 2015, gRPC Authors All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.grpc.examples.helloworldtls;
import io.grpc.Server;
import io.grpc.examples.helloworld.GreeterGrpc;
import io.grpc.examples.helloworld.HelloReply;
import io.grpc.examples.helloworld.HelloRequest;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.grpc.stub.StreamObserver;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.logging.Logger;
/**
* Server that manages startup/shutdown of a {@code Greeter} server with TLS enabled.
*/
public class HelloWorldServerTls {
private static final Logger logger = Logger.getLogger(HelloWorldServerTls.class.getName());
private Server server;
private final String host;
private final int port;
private final String certChainFilePath;
private final String privateKeyFilePath;
private final String clientCertChainFilePath;
public HelloWorldServerTls(String host,
int port,
String certChainFilePath,
String privateKeyFilePath,
String clientCertChainFilePath) {
this.host = host;
this.port = port;
this.certChainFilePath = certChainFilePath;
this.privateKeyFilePath = privateKeyFilePath;
this.clientCertChainFilePath = clientCertChainFilePath;
}
private SslContextBuilder getSslContextBuilder() {
SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(new File(certChainFilePath),
new File(privateKeyFilePath));
if (clientCertChainFilePath != null) {
sslClientContextBuilder.trustManager(new File(clientCertChainFilePath));
sslClientContextBuilder.clientAuth(ClientAuth.OPTIONAL);
}
return GrpcSslContexts.configure(sslClientContextBuilder,
SslProvider.OPENSSL);
}
private void start() throws IOException {
server = NettyServerBuilder.forAddress(new InetSocketAddress(host, port))
.addService(new GreeterImpl())
.sslContext(getSslContextBuilder().build())
.build()
.start();
logger.info("Server started, listening on " + port);
Runtime.getRuntime().addShutdownHook(new Thread() {
@Override
public void run() {
// Use stderr here since the logger may have been reset by its JVM shutdown hook.
System.err.println("*** shutting down gRPC server since JVM is shutting down");
HelloWorldServerTls.this.stop();
System.err.println("*** server shut down");
}
});
}
private void stop() {
if (server != null) {
server.shutdown();
}
}
/**
* Await termination on the main thread since the grpc library uses daemon threads.
*/
private void blockUntilShutdown() throws InterruptedException {
if (server != null) {
server.awaitTermination();
}
}
/**
* Main launches the server from the command line.
*/
public static void main(String[] args) throws IOException, InterruptedException {
if (args.length < 4 || args.length > 5) {
System.out.println(
"USAGE: HelloWorldServerTls host port certChainFilePath privateKeyFilePath " +
"[clientCertChainFilePath]\n Note: You only need to supply clientCertChainFilePath if you want " +
"to enable Mutual TLS.");
System.exit(0);
}
final HelloWorldServerTls server = new HelloWorldServerTls(args[0],
Integer.parseInt(args[1]),
args[2],
args[3],
args.length == 5 ? args[4] : null);
server.start();
server.blockUntilShutdown();
}
static class GreeterImpl extends GreeterGrpc.GreeterImplBase {
@Override
public void sayHello(HelloRequest req, StreamObserver<HelloReply> responseObserver) {
HelloReply reply = HelloReply.newBuilder().setMessage("Hello " + req.getName()).build();
responseObserver.onNext(reply);
responseObserver.onCompleted();
}
}
}

4
repositories.bzl
View File

@ -244,8 +244,8 @@ def io_netty_resolver():
def io_netty_tcnative_boringssl_static():
native.maven_jar(
name = "io_netty_netty_tcnative_boringssl_static",
artifact = "io.netty:netty-tcnative-boringssl-static:2.0.5.Final",
sha1 = "321c1239ceb3faec04531ffcdeb1bc8e85408b12",
artifact = "io.netty:netty-tcnative-boringssl-static:2.0.7.Final",
sha1 = "a8ec0f0ee612fa89c709bdd3881c3f79fa00431d",
)
def io_opencensus_api():