grpc
/
grpc-node
mirror of https://github.com/grpc/grpc-node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
grpc-node/packages/grpc-js/src/server-credentials.ts

349 lines
11 KiB
TypeScript
Raw Blame History

/*
* Copyright 2019 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
import { SecureServerOptions } from 'http2';
import { CIPHER_SUITES, getDefaultRootsData } from './tls-helpers';
import { SecureContextOptions } from 'tls';
import { ServerInterceptor } from '.';
import { CaCertificateUpdate, CaCertificateUpdateListener, CertificateProvider, IdentityCertificateUpdate, IdentityCertificateUpdateListener } from './certificate-provider';
export interface KeyCertPair {
private_key: Buffer;
cert_chain: Buffer;
}
export interface SecureContextWatcher {
(context: SecureContextOptions | null): void;
}
export abstract class ServerCredentials {
private watchers: Set<SecureContextWatcher> = new Set();
private latestContextOptions: SecureServerOptions | null = null;
_addWatcher(watcher: SecureContextWatcher) {
this.watchers.add(watcher);
}
_removeWatcher(watcher: SecureContextWatcher) {
this.watchers.delete(watcher);
}
protected getWatcherCount() {
return this.watchers.size;
}
protected updateSecureContextOptions(options: SecureServerOptions | null) {
this.latestContextOptions = options;
for (const watcher of this.watchers) {
watcher(this.latestContextOptions);
}
}
abstract _isSecure(): boolean;
_getSettings(): SecureServerOptions | null {
return this.latestContextOptions;
}
_getInterceptors(): ServerInterceptor[] {
return [];
}
abstract _equals(other: ServerCredentials): boolean;
static createInsecure(): ServerCredentials {
return new InsecureServerCredentials();
}
static createSsl(
rootCerts: Buffer | null,
keyCertPairs: KeyCertPair[],
checkClientCertificate = false
): ServerCredentials {
if (rootCerts !== null && !Buffer.isBuffer(rootCerts)) {
throw new TypeError('rootCerts must be null or a Buffer');
}
if (!Array.isArray(keyCertPairs)) {
throw new TypeError('keyCertPairs must be an array');
}
if (typeof checkClientCertificate !== 'boolean') {
throw new TypeError('checkClientCertificate must be a boolean');
}
const cert: Buffer[] = [];
const key: Buffer[] = [];
for (let i = 0; i < keyCertPairs.length; i++) {
const pair = keyCertPairs[i];
if (pair === null || typeof pair !== 'object') {
throw new TypeError(`keyCertPair[${i}] must be an object`);
}
if (!Buffer.isBuffer(pair.private_key)) {
throw new TypeError(`keyCertPair[${i}].private_key must be a Buffer`);
}
if (!Buffer.isBuffer(pair.cert_chain)) {
throw new TypeError(`keyCertPair[${i}].cert_chain must be a Buffer`);
}
cert.push(pair.cert_chain);
key.push(pair.private_key);
}
return new SecureServerCredentials({
ca: rootCerts ?? getDefaultRootsData() ?? undefined,
cert,
key,
requestCert: checkClientCertificate,
ciphers: CIPHER_SUITES,
});
}
}
class InsecureServerCredentials extends ServerCredentials {
_isSecure(): boolean {
return false;
}
_getSettings(): null {
return null;
}
_equals(other: ServerCredentials): boolean {
return other instanceof InsecureServerCredentials;
}
}
class SecureServerCredentials extends ServerCredentials {
private options: SecureServerOptions;
constructor(options: SecureServerOptions) {
super();
this.options = options;
}
_isSecure(): boolean {
return true;
}
_getSettings(): SecureServerOptions {
return this.options;
}
/**
* Checks equality by checking the options that are actually set by
* createSsl.
* @param other
* @returns
*/
_equals(other: ServerCredentials): boolean {
if (this === other) {
return true;
}
if (!(other instanceof SecureServerCredentials)) {
return false;
}
// options.ca equality check
if (Buffer.isBuffer(this.options.ca) && Buffer.isBuffer(other.options.ca)) {
if (!this.options.ca.equals(other.options.ca)) {
return false;
}
} else {
if (this.options.ca !== other.options.ca) {
return false;
}
}
// options.cert equality check
if (Array.isArray(this.options.cert) && Array.isArray(other.options.cert)) {
if (this.options.cert.length !== other.options.cert.length) {
return false;
}
for (let i = 0; i < this.options.cert.length; i++) {
const thisCert = this.options.cert[i];
const otherCert = other.options.cert[i];
if (Buffer.isBuffer(thisCert) && Buffer.isBuffer(otherCert)) {
if (!thisCert.equals(otherCert)) {
return false;
}
} else {
if (thisCert !== otherCert) {
return false;
}
}
}
} else {
if (this.options.cert !== other.options.cert) {
return false;
}
}
// options.key equality check
if (Array.isArray(this.options.key) && Array.isArray(other.options.key)) {
if (this.options.key.length !== other.options.key.length) {
return false;
}
for (let i = 0; i < this.options.key.length; i++) {
const thisKey = this.options.key[i];
const otherKey = other.options.key[i];
if (Buffer.isBuffer(thisKey) && Buffer.isBuffer(otherKey)) {
if (!thisKey.equals(otherKey)) {
return false;
}
} else {
if (thisKey !== otherKey) {
return false;
}
}
}
} else {
if (this.options.key !== other.options.key) {
return false;
}
}
// options.requestCert equality check
if (this.options.requestCert !== other.options.requestCert) {
return false;
}
/* ciphers is derived from a value that is constant for the process, so no
* equality check is needed. */
return true;
}
}
class CertificateProviderServerCredentials extends ServerCredentials {
private latestCaUpdate: CaCertificateUpdate | null = null;
private latestIdentityUpdate: IdentityCertificateUpdate | null = null;
private caCertificateUpdateListener: CaCertificateUpdateListener = this.handleCaCertificateUpdate.bind(this);
private identityCertificateUpdateListener: IdentityCertificateUpdateListener = this.handleIdentityCertitificateUpdate.bind(this);
constructor(
private identityCertificateProvider: CertificateProvider,
private caCertificateProvider: CertificateProvider | null,
private requireClientCertificate: boolean
) {
super();
}
_addWatcher(watcher: SecureContextWatcher): void {
if (this.getWatcherCount() === 0) {
this.caCertificateProvider?.addCaCertificateListener(this.caCertificateUpdateListener);
this.identityCertificateProvider.addIdentityCertificateListener(this.identityCertificateUpdateListener);
}
super._addWatcher(watcher);
}
_removeWatcher(watcher: SecureContextWatcher): void {
super._removeWatcher(watcher);
if (this.getWatcherCount() === 0) {
this.caCertificateProvider?.removeCaCertificateListener(this.caCertificateUpdateListener);
this.identityCertificateProvider.removeIdentityCertificateListener(this.identityCertificateUpdateListener);
}
}
_isSecure(): boolean {
return true;
}
_equals(other: ServerCredentials): boolean {
if (this === other) {
return true;
}
if (!(other instanceof CertificateProviderServerCredentials)) {
return false;
}
return (
this.caCertificateProvider === other.caCertificateProvider &&
this.identityCertificateProvider === other.identityCertificateProvider &&
this.requireClientCertificate === other.requireClientCertificate
)
}
private calculateSecureContextOptions(): SecureServerOptions | null {
if (this.latestIdentityUpdate === null) {
return null;
}
if (this.caCertificateProvider !== null && this.latestCaUpdate === null) {
return null;
}
return {
ca: this.latestCaUpdate?.caCertificate,
cert: this.latestIdentityUpdate.certificate,
key: this.latestIdentityUpdate.privateKey,
requestCert: this.latestIdentityUpdate !== null,
rejectUnauthorized: this.requireClientCertificate
};
}
private finalizeUpdate() {
const secureContextOptions = this.calculateSecureContextOptions();
this.updateSecureContextOptions(secureContextOptions);
}
private handleCaCertificateUpdate(update: CaCertificateUpdate | null) {
this.latestCaUpdate = update;
this.finalizeUpdate();
}
private handleIdentityCertitificateUpdate(update: IdentityCertificateUpdate | null) {
this.latestIdentityUpdate = update;
this.finalizeUpdate();
}
}
export function createCertificateProviderServerCredentials(
caCertificateProvider: CertificateProvider,
identityCertificateProvider: CertificateProvider | null,
requireClientCertificate: boolean
) {
return new CertificateProviderServerCredentials(
caCertificateProvider,
identityCertificateProvider,
requireClientCertificate);
}
class InterceptorServerCredentials extends ServerCredentials {
constructor(private readonly childCredentials: ServerCredentials, private readonly interceptors: ServerInterceptor[]) {
super();
}
_isSecure(): boolean {
return this.childCredentials._isSecure();
}
_equals(other: ServerCredentials): boolean {
if (!(other instanceof InterceptorServerCredentials)) {
return false;
}
if (!(this.childCredentials._equals(other.childCredentials))) {
return false;
}
if (this.interceptors.length !== other.interceptors.length) {
return false;
}
for (let i = 0; i < this.interceptors.length; i++) {
if (this.interceptors[i] !== other.interceptors[i]) {
return false;
}
}
return true;
}
override _getInterceptors(): ServerInterceptor[] {
return this.interceptors;
}
override _addWatcher(watcher: SecureContextWatcher): void {
this.childCredentials._addWatcher(watcher);
}
override _removeWatcher(watcher: SecureContextWatcher): void {
this.childCredentials._removeWatcher(watcher);
}
override _getSettings(): SecureServerOptions | null {
return this.childCredentials._getSettings();
}
}
export function createServerCredentialsWithInterceptors(credentials: ServerCredentials, interceptors: ServerInterceptor[]): ServerCredentials {
return new InterceptorServerCredentials(credentials, interceptors);
}
Reference in New Issue View Git Blame Copy Permalink