grpc
/
grpc-node
mirror of https://github.com/grpc/grpc-node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
grpc-node/packages/grpc-js/src/server-credentials.ts

217 lines
6.0 KiB
TypeScript
Raw Blame History

/*
* Copyright 2019 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
import { SecureServerOptions } from 'http2';
import { CIPHER_SUITES, getDefaultRootsData } from './tls-helpers';
import { SecureContextOptions } from 'tls';
export interface KeyCertPair {
private_key: Buffer;
cert_chain: Buffer;
}
export interface SecureContextWatcher {
(context: SecureContextOptions | null): void;
}
export abstract class ServerCredentials {
private watchers: Set<SecureContextWatcher> = new Set();
private latestContextOptions: SecureServerOptions | null = null;
_addWatcher(watcher: SecureContextWatcher) {
this.watchers.add(watcher);
}
_removeWatcher(watcher: SecureContextWatcher) {
this.watchers.delete(watcher);
}
protected updateSecureContextOptions(options: SecureServerOptions | null) {
if (options) {
this.latestContextOptions = options;
} else {
this.latestContextOptions = null;
}
for (const watcher of this.watchers) {
watcher(this.latestContextOptions);
}
}
abstract _isSecure(): boolean;
_getSettings(): SecureServerOptions | null {
return this.latestContextOptions;
}
abstract _equals(other: ServerCredentials): boolean;
static createInsecure(): ServerCredentials {
return new InsecureServerCredentials();
}
static createSsl(
rootCerts: Buffer | null,
keyCertPairs: KeyCertPair[],
checkClientCertificate = false
): ServerCredentials {
if (rootCerts !== null && !Buffer.isBuffer(rootCerts)) {
throw new TypeError('rootCerts must be null or a Buffer');
}
if (!Array.isArray(keyCertPairs)) {
throw new TypeError('keyCertPairs must be an array');
}
if (typeof checkClientCertificate !== 'boolean') {
throw new TypeError('checkClientCertificate must be a boolean');
}
const cert: Buffer[] = [];
const key: Buffer[] = [];
for (let i = 0; i < keyCertPairs.length; i++) {
const pair = keyCertPairs[i];
if (pair === null || typeof pair !== 'object') {
throw new TypeError(`keyCertPair[${i}] must be an object`);
}
if (!Buffer.isBuffer(pair.private_key)) {
throw new TypeError(`keyCertPair[${i}].private_key must be a Buffer`);
}
if (!Buffer.isBuffer(pair.cert_chain)) {
throw new TypeError(`keyCertPair[${i}].cert_chain must be a Buffer`);
}
cert.push(pair.cert_chain);
key.push(pair.private_key);
}
return new SecureServerCredentials({
ca: rootCerts ?? getDefaultRootsData() ?? undefined,
cert,
key,
requestCert: checkClientCertificate,
ciphers: CIPHER_SUITES,
});
}
}
class InsecureServerCredentials extends ServerCredentials {
_isSecure(): boolean {
return false;
}
_getSettings(): null {
return null;
}
_equals(other: ServerCredentials): boolean {
return other instanceof InsecureServerCredentials;
}
}
class SecureServerCredentials extends ServerCredentials {
private options: SecureServerOptions;
constructor(options: SecureServerOptions) {
super();
this.options = options;
}
_isSecure(): boolean {
return true;
}
_getSettings(): SecureServerOptions {
return this.options;
}
/**
* Checks equality by checking the options that are actually set by
* createSsl.
* @param other
* @returns
*/
_equals(other: ServerCredentials): boolean {
if (this === other) {
return true;
}
if (!(other instanceof SecureServerCredentials)) {
return false;
}
// options.ca equality check
if (Buffer.isBuffer(this.options.ca) && Buffer.isBuffer(other.options.ca)) {
if (!this.options.ca.equals(other.options.ca)) {
return false;
}
} else {
if (this.options.ca !== other.options.ca) {
return false;
}
}
// options.cert equality check
if (Array.isArray(this.options.cert) && Array.isArray(other.options.cert)) {
if (this.options.cert.length !== other.options.cert.length) {
return false;
}
for (let i = 0; i < this.options.cert.length; i++) {
const thisCert = this.options.cert[i];
const otherCert = other.options.cert[i];
if (Buffer.isBuffer(thisCert) && Buffer.isBuffer(otherCert)) {
if (!thisCert.equals(otherCert)) {
return false;
}
} else {
if (thisCert !== otherCert) {
return false;
}
}
}
} else {
if (this.options.cert !== other.options.cert) {
return false;
}
}
// options.key equality check
if (Array.isArray(this.options.key) && Array.isArray(other.options.key)) {
if (this.options.key.length !== other.options.key.length) {
return false;
}
for (let i = 0; i < this.options.key.length; i++) {
const thisKey = this.options.key[i];
const otherKey = other.options.key[i];
if (Buffer.isBuffer(thisKey) && Buffer.isBuffer(otherKey)) {
if (!thisKey.equals(otherKey)) {
return false;
}
} else {
if (thisKey !== otherKey) {
return false;
}
}
}
} else {
if (this.options.key !== other.options.key) {
return false;
}
}
// options.requestCert equality check
if (this.options.requestCert !== other.options.requestCert) {
return false;
}
/* ciphers is derived from a value that is constant for the process, so no
* equality check is needed. */
return true;
}
}
Reference in New Issue View Git Blame Copy Permalink