-
Notifications
You must be signed in to change notification settings - Fork 20
Add required mutual auth to gRPC Server/Client #254
Add required mutual auth to gRPC Server/Client #254
Conversation
Codecov Report
@@ Coverage Diff @@
## master #254 +/- ##
============================================
+ Coverage 66.14% 66.16% +0.01%
+ Complexity 1789 1733 -56
============================================
Files 270 259 -11
Lines 11988 11720 -268
Branches 952 929 -23
============================================
- Hits 7929 7754 -175
+ Misses 3744 3666 -78
+ Partials 315 300 -15 Continue to review full report at Codecov.
|
src/test/java/com/amazon/opendistro/elasticsearch/performanceanalyzer/net/GRPCTest.java
Show resolved
Hide resolved
.../java/com/amazon/opendistro/elasticsearch/performanceanalyzer/net/GRPCConnectionManager.java
Outdated
Show resolved
Hide resolved
src/main/java/com/amazon/opendistro/elasticsearch/performanceanalyzer/net/NetServer.java
Outdated
Show resolved
Hide resolved
private ManagedChannel buildSecureChannel(final String remoteHost) { | ||
try { | ||
SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient().keyManager(certFile, pkeyFile); | ||
if (trustedCasFile != null) { | ||
sslContextBuilder.trustManager(trustedCasFile); | ||
} | ||
return NettyChannelBuilder.forAddress(remoteHost, this.port) | ||
.sslContext(sslContextBuilder.build()) | ||
.build(); | ||
} catch (SSLException e) { | ||
LOG.error("Unable to build an SSL gRPC client. Exception: {}", e.getMessage()); | ||
e.printStackTrace(); | ||
|
||
// Wrap the SSL Exception in a generic RTE and re-throw. | ||
throw new RuntimeException(e); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: whitespace off by one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
channel.shutdownNow(); | ||
try { | ||
channel.awaitTermination(1, TimeUnit.MINUTES); | ||
} catch (InterruptedException e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to propagate the interrupted status when catching an InterruptedException by calling Thread.currentThread().interrupt() after channel.shutdownNow();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
try { | ||
server.awaitTermination(1, TimeUnit.MINUTES); | ||
} catch (InterruptedException e) { | ||
server.shutdownNow(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above. You need to propagate the interrupted status by calling Thread.currentThread().interrupt();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes look good. Left some minor nits and one line changes.
Previously we had 1 sided TLS on the server side. Data between the client and server was send over an encrypted channel, but any client could make requests to the server. This commit changes the behavior so that only clients with the matching certificates can make requests to the server when TLS is enabled. This commit does NOT add support for installing a trust manager. That must be added in the future.
4b13b62
to
73d110e
Compare
Issue #, if available: 253
Description of changes:
Previously we had 1 sided TLS on the server side. Data between the
client and server was send over an encrypted channel, but any client
could make requests to the server.
This commit changes the behavior so that only clients with the matching
certificates can make requests to the server when TLS is enabled. This
commit does NOT add support for installing a trust manager. That must be
added in the future.
Tests:
requests, but an unauthenticated client is rejected.
Code coverage percentage for this patch:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.