grpc-js: Add support for TLS-related environment variables

2019-12-05 17:51:25 -08:00 · 2019-12-05 17:51:25 -08:00 · 36cf935e7d
parent cb0792818c
commit 36cf935e7d
3 changed files with 40 additions and 3 deletions
--- a/packages/grpc-js/src/channel-credentials.ts
+++ b/packages/grpc-js/src/channel-credentials.ts
@ -18,7 +18,7 @@
 import { ConnectionOptions, createSecureContext, PeerCertificate } from 'tls';

 import { CallCredentials } from './call-credentials';
-import { Call } from '.';
+import {CIPHER_SUITES, getDefaultRootsData} from './tls-helpers';

 // tslint:disable-next-line:no-any
 function verifyIsBufferOrNull(obj: any, friendlyName: string): void {
@ -141,7 +141,7 @@ export abstract class ChannelCredentials {
      );
    }
    return new SecureChannelCredentialsImpl(
-      rootCerts || null,
+      rootCerts || getDefaultRootsData(),
      privateKey || null,
      certChain || null,
      verifyOptions || {}
@ -190,6 +190,7 @@ class SecureChannelCredentialsImpl extends ChannelCredentials {
      ca: rootCerts || undefined,
      key: privateKey || undefined,
      cert: certChain || undefined,
+      ciphers: CIPHER_SUITES
    });
    this.connectionOptions = { secureContext };
    if (verifyOptions && verifyOptions.checkServerIdentity) {
--- a/packages/grpc-js/src/server-credentials.ts
+++ b/packages/grpc-js/src/server-credentials.ts
@ -16,6 +16,7 @@
 */

 import { SecureServerOptions } from 'http2';
+import {CIPHER_SUITES, getDefaultRootsData} from './tls-helpers';

 export interface KeyCertPair {
  private_key: Buffer;
@ -70,10 +71,11 @@ export abstract class ServerCredentials {
    }

    return new SecureServerCredentials({
-      ca: rootCerts || undefined,
+      ca: rootCerts || getDefaultRootsData() || undefined,
      cert,
      key,
      requestCert: checkClientCertificate,
+      ciphers: CIPHER_SUITES
    });
  }
 }
--- a/packages/grpc-js/src/tls-helpers.ts
+++ b/packages/grpc-js/src/tls-helpers.ts
@ -0,0 +1,34 @@
+/*
+ * Copyright 2019 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+import * as fs from 'fs';
+
+export const CIPHER_SUITES: string | undefined = process.env.GRPC_SSL_CIPHER_SUITES;
+
+const DEFAULT_ROOTS_FILE_PATH = process.env.GRPC_DEFAULT_SSL_ROOTS_FILE_PATH;
+
+let defaultRootsData: Buffer | null = null;
+
+export function getDefaultRootsData(): Buffer | null {
+  if (DEFAULT_ROOTS_FILE_PATH) {
+    if (defaultRootsData === null) {
+      defaultRootsData = fs.readFileSync(DEFAULT_ROOTS_FILE_PATH);
+    }
+    return defaultRootsData;
+  }
+  return null;
+}