secure the grpc client (#1215)

* secure the grpc client * make compile * Add system cert pool * Revert manually adding ca certs * Tweak comment Co-authored-by: ben-toogood <bentoogood@gmail.com>
2020-02-19 08:44:35 +00:00 · 2020-02-19 08:44:35 +00:00 · f4118dc357
commit f4118dc357
parent 58598d0fe0
1 changed files with 27 additions and 3 deletions
--- a/client/grpc/grpc.go
+++ b/client/grpc/grpc.go
@ -5,7 +5,9 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"net"
 	"os"
+	"strings"
 	"sync/atomic"
 	"time"

@ -36,14 +38,36 @@ func init() {
 }

 // secure returns the dial option for whether its a secure or insecure connection
-func (g *grpcClient) secure() grpc.DialOption {
+func (g *grpcClient) secure(addr string) grpc.DialOption {
+	// first we check if theres'a  tls config
 	if g.opts.Context != nil {
 		if v := g.opts.Context.Value(tlsAuth{}); v != nil {
 			tls := v.(*tls.Config)
 			creds := credentials.NewTLS(tls)
+			// return tls config if it exists
 			return grpc.WithTransportCredentials(creds)
 		}
 	}
+
+	// default config
+	tlsConfig := &tls.Config{}
+	defaultCreds := grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))
+
+	// check if the address is prepended with https
+	if strings.HasPrefix(addr, "https://") {
+		return defaultCreds
+	}
+
+	// if no port is specified or port is 443 default to tls
+	_, port, err := net.SplitHostPort(addr)
+	// assuming with no port its going to be secured
+	if port == "443" {
+		return defaultCreds
+	} else if err != nil && strings.Contains(err.Error(), "missing port in address") {
+		return defaultCreds
+	}
+
+	// other fallback to insecure
 	return grpc.WithInsecure()
 }

@ -116,7 +140,7 @@ func (g *grpcClient) call(ctx context.Context, node *registry.Node, req client.R
 	grpcDialOptions := []grpc.DialOption{
 		grpc.WithDefaultCallOptions(grpc.ForceCodec(cf)),
 		grpc.WithTimeout(opts.DialTimeout),
-		g.secure(),
+		g.secure(address),
 		grpc.WithDefaultCallOptions(
 			grpc.MaxCallRecvMsgSize(maxRecvMsgSize),
 			grpc.MaxCallSendMsgSize(maxSendMsgSize),
@ -194,7 +218,7 @@ func (g *grpcClient) stream(ctx context.Context, node *registry.Node, req client
 	grpcDialOptions := []grpc.DialOption{
 		grpc.WithDefaultCallOptions(grpc.ForceCodec(wc)),
 		grpc.WithTimeout(opts.DialTimeout),
-		g.secure(),
+		g.secure(address),
 	}

 	if opts := g.getGrpcDialOptions(); opts != nil {