| author | Konstantin Lebedev <lebedev_k@tochka.com> | 2021-03-10 14:02:13 +0500 |
|---|---|---|
| committer | Konstantin Lebedev <lebedev_k@tochka.com> | 2021-03-10 14:02:13 +0500 |
| commit | 831953c55c04e8fca50bffd1c45197ea065e6b60 (patch) | |
| tree | 20a87e6a01a91516d5baa48d645d40f101a644bb /weed/security/tls.go | |
| parent | 4bf93d6e63d6e13355ee1cb989e571c9fc6b3507 (diff) | |
| download | seaweedfs-831953c55c04e8fca50bffd1c45197ea065e6b60.tar.xz seaweedfs-831953c55c04e8fca50bffd1c45197ea065e6b60.zip | |
allowed wildcard domain
Diffstat (limited to 'weed/security/tls.go')
| -rw-r--r-- | weed/security/tls.go | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 2550559bc..59714d103 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
@@ -19,7 +19,8 @@ import (
 )
 
 type Authenticator struct {
-	PermitCommonNames map[string]bool
+	AllowedWildcardDomain string
+	AllowedCommonNames map[string]bool
 }
 
 func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption, grpc.ServerOption) {
@@ -49,14 +50,16 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 		ClientAuth: tls.RequireAndVerifyClientCert,
 	})
 
-	permitCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
-	if len(permitCommonNames) > 0 {
-		permitCommonNamesMap := make(map[string]bool)
-		for _, s := range permitCommonNames {
-			permitCommonNamesMap[s] = true
+	allowedCommonNames := strings.Split(config.GetString(component+".allowed_commonNames"), ",")
+	allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
+	if len(allowedCommonNames) > 0 || allowedWildcardDomain != "" {
+		allowedCommonNamesMap := make(map[string]bool)
+		for _, s := range allowedCommonNames {
+			allowedCommonNamesMap[s] = true
 		}
 		auther := Authenticator{
-			PermitCommonNames: permitCommonNamesMap,
+			AllowedCommonNames: allowedCommonNamesMap,
+			AllowedWildcardDomain: allowedWildcardDomain,
 		}
 		return grpc.Creds(ta), grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(auther.Authenticate))
 	}
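Review bot: The added `|| allowedWildcardDomain != ""` in the new condition of LoadServerTLS can never change the outcome, because `strings.Split` on an unset `allowed_commonNames` value returns a one-element slice holding `""`, so `len(allowedCommonNames) > 0` is always true — and that empty string is then stored in `allowedCommonNamesMap`, which means a client certificate that verifies against the CA but carries an empty subject common name would be accepted by Authenticate. This was already the behaviour before the commit, but the new condition reads as if the author expected the list to be empty when the setting is absent. Skipping blank entries at the top of the loop body, `if s = strings.TrimSpace(s); s == "" { continue }`, removes the spurious `""` key and also tolerates spaces after the commas in the configured list; the outer condition can then test `len(allowedCommonNamesMap) > 0 || allowedWildcardDomain != ""` as intended. LoadServerTLS starts before this hunk and continues after its closing `}`.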
@@ -109,9 +112,12 @@ func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context
 	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
 		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
 	}
-
-	if _, ok := a.PermitCommonNames[tlsAuth.State.VerifiedChains[0][0].Subject.CommonName]; !ok {
-		return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
+	commonName := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
+	if a.AllowedWildcardDomain != "" && strings.HasSuffix(commonName, a.AllowedWildcardDomain) {
+		return ctx, nil
+	}
+	if _, ok := a.AllowedCommonNames[commonName]; ok {
+		return ctx, nil
 	}
-	return ctx, nil
+	return ctx, status.Error(codes.Unauthenticated, "invalid subject common name")
 }
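Review bot: The wildcard check `strings.HasSuffix(commonName, a.AllowedWildcardDomain)` has no label boundary, so with `grpc.allowed_wildcard_domain` set to `example.com` a common name such as `otherexample.com` (constructed example) also satisfies it; only a configured value that itself begins with a dot gets per-label semantics, and nothing in the code enforces or documents that expectation. Normalizing the boundary in the check, `strings.HasSuffix(commonName, "."+strings.TrimPrefix(a.AllowedWildcardDomain, "."))`, accepts configured values with or without the leading dot and rejects the longer-label case; the bare apex name can still be listed in `allowed_commonNames` if it must be allowed. A field comment on `AllowedWildcardDomain` in the struct hunk earlier on this page, stating that it is matched as a dot-delimited suffix of the peer's common name, would make the contract visible to operators. Authenticate begins before this hunk.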
