func NewGRPCClientDialOpt(c *Config) (grpc.DialOption, error) { var opt grpc.DialOption if c.InsecureSkipVerify { return grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})), nil } tlsConf, err := NewClientTLSConfig(c) if err != nil { return opt, err } return grpc.WithTransportCredentials(credentials.NewTLS(tlsConf)), nil }
// dialSetupOpts gives the dial opts prior to any authentication func (c *Client) dialSetupOpts(endpoint string, dopts ...grpc.DialOption) (opts []grpc.DialOption) { if c.cfg.DialTimeout > 0 { opts = []grpc.DialOption{grpc.WithTimeout(c.cfg.DialTimeout)} } opts = append(opts, dopts...) f := func(host string, t time.Duration) (net.Conn, error) { proto, host, _ := parseEndpoint(c.balancer.getEndpoint(host)) if proto == "" { return nil, fmt.Errorf("unknown scheme for %q", host) } select { case <-c.ctx.Done(): return nil, c.ctx.Err() default: } return net.DialTimeout(proto, host, t) } opts = append(opts, grpc.WithDialer(f)) creds := c.creds if _, _, scheme := parseEndpoint(endpoint); len(scheme) != 0 { creds = c.processCreds(scheme) } if creds != nil { opts = append(opts, grpc.WithTransportCredentials(*creds)) } else { opts = append(opts, grpc.WithInsecure()) } return opts }
//newEventsClientConnectionWithAddress Returns a new grpc.ClientConn to the configured local PEER. func newEventsClientConnectionWithAddress(peerAddress string) (*grpc.ClientConn, error) { var opts []grpc.DialOption if peer.TLSEnabled() { var sn string if viper.GetString("peer.tls.serverhostoverride") != "" { sn = viper.GetString("peer.tls.serverhostoverride") } var creds credentials.TransportAuthenticator if viper.GetString("peer.tls.cert.file") != "" { var err error creds, err = credentials.NewClientTLSFromFile(viper.GetString("peer.tls.cert.file"), sn) if err != nil { grpclog.Fatalf("Failed to create TLS credentials %v", err) } } else { creds = credentials.NewClientTLSFromCert(nil, sn) } opts = append(opts, grpc.WithTransportCredentials(creds)) } opts = append(opts, grpc.WithTimeout(defaultTimeout)) opts = append(opts, grpc.WithBlock()) opts = append(opts, grpc.WithInsecure()) return grpc.Dial(peerAddress, opts...) }
func NewContext() *Context { log := log.New(os.Stderr, "QPM: ", log.LstdFlags) address := os.Getenv("SERVER") if address == "" { address = Address } noTls := os.Getenv("NO_TLS") == "1" var tlsOption grpc.DialOption if noTls { tlsOption = grpc.WithInsecure() } else { tlsOption = grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")) } conn, err := grpc.Dial(address, tlsOption, grpc.WithUserAgent(UA)) if err != nil { log.Fatalf("did not connect: %v", err) } return &Context{ Log: log, Client: msg.NewQpmClient(conn), } }
// DialGRPC returns a GRPC connection for use communicating with a Google cloud // service, configured with the given ClientOptions. func DialGRPC(ctx context.Context, opts ...option.ClientOption) (*grpc.ClientConn, error) { var o internal.DialSettings for _, opt := range opts { opt.Apply(&o) } if o.HTTPClient != nil { return nil, errors.New("unsupported HTTP client specified") } if o.GRPCConn != nil { return o.GRPCConn, nil } if o.TokenSource == nil { var err error o.TokenSource, err = google.DefaultTokenSource(ctx, o.Scopes...) if err != nil { return nil, fmt.Errorf("google.DefaultTokenSource: %v", err) } } grpcOpts := []grpc.DialOption{ grpc.WithPerRPCCredentials(oauth.TokenSource{o.TokenSource}), grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), } if appengineDialerHook != nil { // Use the Socket API on App Engine. grpcOpts = append(grpcOpts, appengineDialerHook(ctx)) } grpcOpts = append(grpcOpts, o.GRPCDialOpts...) if o.UserAgent != "" { grpcOpts = append(grpcOpts, grpc.WithUserAgent(o.UserAgent)) } return grpc.Dial(o.Endpoint, grpcOpts...) }
// ClientSetup loads various TLS certificates and creates a // gRPC TransportCredentials that presents the client certificate // and validates the certificate presented by the server is for a // specific hostname and issued by the provided issuer certificate // thens dials and returns a grpc.ClientConn to the remote service. func ClientSetup(c *cmd.GRPCClientConfig, stats metrics.Scope) (*grpc.ClientConn, error) { if len(c.ServerAddresses) == 0 { return nil, fmt.Errorf("boulder/grpc: ServerAddresses is empty") } if stats == nil { return nil, errNilScope } serverIssuerBytes, err := ioutil.ReadFile(c.ServerIssuerPath) if err != nil { return nil, err } rootCAs := x509.NewCertPool() if ok := rootCAs.AppendCertsFromPEM(serverIssuerBytes); !ok { return nil, fmt.Errorf("Failed to parse server issues from '%s'", c.ServerIssuerPath) } clientCert, err := tls.LoadX509KeyPair(c.ClientCertificatePath, c.ClientKeyPath) if err != nil { return nil, err } grpc_prometheus.EnableHandlingTimeHistogram() ci := clientInterceptor{stats.NewScope("gRPCClient"), clock.Default(), c.Timeout.Duration} creds := bcreds.NewClientCredentials(rootCAs, []tls.Certificate{clientCert}) return grpc.Dial( "", // Since our staticResolver provides addresses we don't need to pass an address here grpc.WithTransportCredentials(creds), grpc.WithBalancer(grpc.RoundRobin(newStaticResolver(c.ServerAddresses))), grpc.WithUnaryInterceptor(ci.intercept), ) }
func newPeerClientConnection() (*grpc.ClientConn, error) { var opts []grpc.DialOption if viper.GetBool("peer.tls.enabled") { var sn string if viper.GetString("peer.tls.serverhostoverride") != "" { sn = viper.GetString("peer.tls.serverhostoverride") } var creds credentials.TransportAuthenticator if viper.GetString("peer.tls.cert.file") != "" { var err error creds, err = credentials.NewClientTLSFromFile(viper.GetString("peer.tls.cert.file"), sn) if err != nil { grpclog.Fatalf("Failed to create TLS credentials %v", err) } } else { creds = credentials.NewClientTLSFromCert(nil, sn) } opts = append(opts, grpc.WithTransportCredentials(creds)) } opts = append(opts, grpc.WithTimeout(1*time.Second)) opts = append(opts, grpc.WithBlock()) opts = append(opts, grpc.WithInsecure()) conn, err := grpc.Dial(getPeerAddress(), opts...) if err != nil { return nil, err } return conn, err }
func TestDropRequestFailedNonFailFast(t *testing.T) { // Start a backend. beLis, err := net.Listen("tcp", "localhost:0") if err != nil { t.Fatalf("Failed to listen %v", err) } beAddr := strings.Split(beLis.Addr().String(), ":") bePort, err := strconv.Atoi(beAddr[1]) backends := startBackends(t, besn, beLis) defer stopBackends(backends) // Start a load balancer. lbLis, err := net.Listen("tcp", "localhost:0") if err != nil { t.Fatalf("Failed to create the listener for the load balancer %v", err) } lbCreds := &serverNameCheckCreds{ sn: lbsn, } lb := grpc.NewServer(grpc.Creds(lbCreds)) if err != nil { t.Fatalf("Failed to generate the port number %v", err) } be := &lbpb.Server{ IpAddress: []byte(beAddr[0]), Port: int32(bePort), LoadBalanceToken: lbToken, DropRequest: true, } var bes []*lbpb.Server bes = append(bes, be) sl := &lbpb.ServerList{ Servers: bes, } ls := newRemoteBalancer(sl) lbpb.RegisterLoadBalancerServer(lb, ls) go func() { lb.Serve(lbLis) }() defer func() { ls.stop() lb.Stop() }() creds := serverNameCheckCreds{ expected: besn, } ctx, _ := context.WithTimeout(context.Background(), 10*time.Second) cc, err := grpc.DialContext(ctx, besn, grpc.WithBalancer(Balancer(&testNameResolver{ addr: lbLis.Addr().String(), })), grpc.WithBlock(), grpc.WithTransportCredentials(&creds)) if err != nil { t.Fatalf("Failed to dial to the backend %v", err) } helloC := hwpb.NewGreeterClient(cc) ctx, _ = context.WithTimeout(context.Background(), 10*time.Millisecond) if _, err := helloC.SayHello(ctx, &hwpb.HelloRequest{Name: "grpc"}, grpc.FailFast(false)); grpc.Code(err) != codes.DeadlineExceeded { t.Fatalf("%v.SayHello(_, _) = _, %v, want _, %s", helloC, err, codes.DeadlineExceeded) } cc.Close() }
func (c *pingCommand) Run() error { app, err := server.New(clibazil.Bazil.Config.DataDir.String()) if err != nil { return err } defer app.Close() pub := (*[ed25519.PublicKeySize]byte)(&c.Arguments.Pub) auth := &grpcedtls.Authenticator{ Config: app.GetTLSConfig, PeerPub: pub, } addr := c.Arguments.Addr conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(auth)) if err != nil { return fmt.Errorf("did not connect: %v", err) } defer conn.Close() client := wire.NewPeerClient(conn) r, err := client.Ping(context.Background(), &wire.PingRequest{}) if err != nil { return fmt.Errorf("could not greet: %v", err) } log.Printf("pong: %#v", r) return nil }
func NewCaClient(addr string, tls bool, serverHostOverride string, trustedCaFile string) (*CaClient, error) { var opts []grpc.DialOption if tls { var sn string if serverHostOverride != "" { sn = serverHostOverride } var creds credentials.TransportAuthenticator if trustedCaFile != "" { var err error creds, err = credentials.NewClientTLSFromFile(trustedCaFile, sn) if err != nil { return nil, err } } opts = append(opts, grpc.WithTransportCredentials(creds)) } conn, err := grpc.Dial(addr, opts...) if err != nil { return nil, err } defer conn.Close() return &CaClient{ grpcClient: pb.NewCaClient(conn), }, nil }
func NewRoloClient(idToken jose.JWT, tls bool, addr, serverHostOverride, trustedCaFile string) (*RoloClient, error) { var opts []grpc.DialOption creds := grpcoidc.NewOIDCAccess(&idToken) opts = append(opts, grpc.WithPerRPCCredentials(creds)) if tls { var sn string if serverHostOverride != "" { sn = serverHostOverride } var creds credentials.TransportAuthenticator if trustedCaFile != "" { var err error creds, err = credentials.NewClientTLSFromFile(trustedCaFile, sn) if err != nil { return nil, err } } opts = append(opts, grpc.WithTransportCredentials(creds)) } conn, err := grpc.Dial(addr, opts...) if err != nil { return nil, err } return &RoloClient{ grpcClient: pb.NewRoloClient(conn), }, nil }
func GroupWrite(c *GroupClientConfig) { defer c.wg.Done() var err error var opts []grpc.DialOption var creds credentials.TransportAuthenticator creds = credentials.NewTLS(&tls.Config{ InsecureSkipVerify: true, }) opts = append(opts, grpc.WithTransportCredentials(creds)) conn, err := grpc.Dial(c.addr, opts...) if err != nil { log.Fatalln(fmt.Sprintf("Failed to dial server: %s", err)) } defer conn.Close() client := gp.NewGroupStoreClient(conn) w := &gp.WriteRequest{ Value: *c.value, } empty := []byte("") for i, _ := range c.wm { ctx, _ := context.WithTimeout(context.Background(), 10*time.Second) c.wm[i].Value = *c.value w.TimestampMicro = brimtime.TimeToUnixMicro(time.Now()) res, err := client.Write(ctx, c.wm[i]) if err != nil { log.Println("Client", c.id, ":", err) } if res.TimestampMicro > w.TimestampMicro { log.Printf("TSM is newer than attempted, Key %d-%d Got %s, Sent: %s", c.id, i, brimtime.UnixMicroToTime(res.TimestampMicro), brimtime.UnixMicroToTime(w.TimestampMicro)) } c.wm[i].Value = empty } }
func GroupStreamRead(c *GroupClientConfig) { defer c.wg.Done() var err error var opts []grpc.DialOption var creds credentials.TransportAuthenticator creds = credentials.NewTLS(&tls.Config{ InsecureSkipVerify: true, }) opts = append(opts, grpc.WithTransportCredentials(creds)) conn, err := grpc.Dial(c.addr, opts...) if err != nil { log.Fatalln(fmt.Sprintf("Failed to dial server: %s", err)) } defer conn.Close() client := gp.NewGroupStoreClient(conn) stream, err := client.StreamRead(context.Background()) for i, _ := range c.rm { if err := stream.Send(c.rm[i]); err != nil { log.Println(err) continue } _, err := stream.Recv() if err == io.EOF { return } if err != nil { log.Println(err) continue } } stream.CloseSend() }
func serve(opts []grpc.ServerOption) { grpcServer := grpc.NewServer(opts...) pb.RegisterYourServiceServer(grpcServer, newServer()) ctx := context.Background() name := fmt.Sprintf("localhost:%d", *port) dcreds, err := credentials.NewClientTLSFromFile(*certFile, name) if err != nil { fmt.Printf("serve: %v\n", err) return } dopts := []grpc.DialOption{grpc.WithTransportCredentials(dcreds)} mux := runtime.NewServeMux() err = pb.RegisterYourServiceHandlerFromEndpoint(ctx, mux, name, dopts) if err != nil { fmt.Printf("serve: %v\n", err) return } err = http.ListenAndServeTLS(fmt.Sprintf(":%d", *port), *certFile, *keyFile, grpcHandlerFunc(grpcServer, mux)) if err != nil { log.Fatal("ListenAndServe: ", err) } return }
func (n *Node) initManagerConnection(ctx context.Context, ready chan<- struct{}) error { opts := []grpc.DialOption{} insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}) opts = append(opts, grpc.WithTransportCredentials(insecureCreds)) // Using listen address instead of advertised address because this is a // local connection. addr := n.config.ListenControlAPI opts = append(opts, grpc.WithDialer( func(addr string, timeout time.Duration) (net.Conn, error) { return net.DialTimeout("unix", addr, timeout) })) conn, err := grpc.Dial(addr, opts...) if err != nil { return err } state := grpc.Idle for { s, err := conn.WaitForStateChange(ctx, state) if err != nil { n.setControlSocket(nil) return err } if s == grpc.Ready { n.setControlSocket(conn) if ready != nil { close(ready) ready = nil } } else if state == grpc.Shutdown { n.setControlSocket(nil) } state = s } }
func (s *SRVLoader) getConfig() (*pb.NodeConfig, error) { nconfig := &pb.NodeConfig{} var opts []grpc.DialOption var creds credentials.TransportAuthenticator creds = credentials.NewTLS(&tls.Config{ InsecureSkipVerify: true, }) opts = append(opts, grpc.WithTransportCredentials(creds)) conn, err := grpc.Dial(s.SyndicateURL, opts...) if err != nil { return nconfig, fmt.Errorf("Failed to dial ring server for config: %s", err) } defer conn.Close() client := pb.NewSyndicateClient(conn) ctx, _ := context.WithTimeout(context.Background(), 10*time.Second) rr := &pb.RegisterRequest{} rr.Hostname, _ = os.Hostname() addrs, _ := net.InterfaceAddrs() for k, _ := range addrs { rr.Addrs = append(rr.Addrs, addrs[k].String()) } rr.Hardware, err = GetHardwareProfile() if err != nil { return nconfig, err } rr.Tiers = []string{rr.Hostname} nconfig, err = client.RegisterNode(ctx, rr) return nconfig, err }
// DialGRPC returns a GRPC connection for use communicating with a Google cloud // service, configured with the given ClientOptions. func DialGRPC(ctx context.Context, opt ...cloud.ClientOption) (*grpc.ClientConn, error) { var o opts.DialOpt for _, opt := range opt { opt.Resolve(&o) } if o.HTTPClient != nil { return nil, errors.New("unsupported HTTP base transport specified") } if o.GRPCClient != nil { return o.GRPCClient, nil } if o.TokenSource == nil { var err error o.TokenSource, err = google.DefaultTokenSource(ctx, o.Scopes...) if err != nil { return nil, fmt.Errorf("google.DefaultTokenSource: %v", err) } } grpcOpts := []grpc.DialOption{ grpc.WithPerRPCCredentials(oauth.TokenSource{o.TokenSource}), grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), } grpcOpts = append(grpcOpts, o.GRPCDialOpts...) if o.UserAgent != "" { grpcOpts = append(grpcOpts, grpc.WithUserAgent(o.UserAgent)) } return grpc.Dial(o.Endpoint, grpcOpts...) }
func benchmarkEchoGRPC(b *testing.B, size int) { var conn *grpc.ClientConn var client EchoClient benchmarkEcho(b, size, listenAndServeGRPC, func(addr net.Addr) { var err error conn, err = grpc.Dial(addr.String(), grpc.WithTransportCredentials(credentials.NewTLS(clientTLSConfig))) if err != nil { b.Fatal(err) } client = NewEchoClient(conn) }, func() { if err := conn.Close(); err != nil { b.Fatal(err) } }, func(echoMsg string) string { resp, err := client.Echo(context.Background(), &EchoRequest{Msg: echoMsg}) if err != nil { b.Fatal(err) } return resp.Msg }, ) }
// RegisterGRPCGateway starts the gateway (i.e. reverse proxy) that proxies // HTTP requests to the appropriate gRPC endpoints. func (s *adminServer) RegisterGRPCGateway(serverCtx *Context) error { // Setup HTTP<->gRPC handlers. var opts []grpc.DialOption if serverCtx.Insecure { opts = append(opts, grpc.WithInsecure()) } else { tlsConfig, err := serverCtx.GetClientTLSConfig() if err != nil { return err } opts = append( opts, // TODO(tamird): remove this timeout. It is currently necessary because // GRPC will not actually bail on a bad certificate error - it will just // retry indefinitely. See https://github.com/grpc/grpc-go/issues/622. grpc.WithTimeout(time.Second), grpc.WithBlock(), grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), ) } if err := RegisterAdminHandlerFromEndpoint(s.gwCtx, s.gwMux, serverCtx.Addr, opts); err != nil { return util.Errorf("error constructing grpc-gateway: %s. are your certificates valid?", err) } // Pass all requests for gRPC-based API endpoints to the gateway mux. s.ServeMux.Handle(apiEndpoint, s.gwMux) return nil }
func agentTestEnv(t *testing.T) (*Agent, func()) { var cleanup []func() tc := testutils.NewTestCA(t, testutils.AcceptancePolicy(true, true, "")) cleanup = append(cleanup, func() { tc.Stop() }) agentSecurityConfig, err := tc.NewNodeConfig(ca.AgentRole) assert.NoError(t, err) addr := "localhost:4949" remotes := picker.NewRemotes(api.Peer{Addr: addr}) conn, err := grpc.Dial(addr, grpc.WithPicker(picker.NewPicker(remotes, addr)), grpc.WithTransportCredentials(agentSecurityConfig.ClientTLSCreds)) assert.NoError(t, err) db, cleanupStorage := storageTestEnv(t) cleanup = append(cleanup, func() { cleanupStorage() }) agent, err := New(&Config{ Executor: &NoopExecutor{}, Managers: remotes, Conn: conn, DB: db, }) return agent, func() { for i := len(cleanup) - 1; i > 0; i-- { cleanup[i]() } } }
func (n *Node) initManagerConnection(ctx context.Context, ready chan<- struct{}) error { opts := []grpc.DialOption{} insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}) opts = append(opts, grpc.WithTransportCredentials(insecureCreds)) // Using listen address instead of advertised address because this is a // local connection. addr := n.config.ListenControlAPI opts = append(opts, grpc.WithDialer( func(addr string, timeout time.Duration) (net.Conn, error) { return net.DialTimeout("unix", addr, timeout) })) conn, err := grpc.Dial(addr, opts...) if err != nil { return err } client := api.NewHealthClient(conn) for { resp, err := client.Check(ctx, &api.HealthCheckRequest{Service: "ControlAPI"}) if err != nil { return err } if resp.Status == api.HealthCheckResponse_SERVING { break } time.Sleep(500 * time.Millisecond) } n.setControlSocket(conn) if ready != nil { close(ready) } return nil }
// Dial establishes a connection for a given endpoint using the client's config func (c *Client) Dial(endpoint string) (*grpc.ClientConn, error) { opts := []grpc.DialOption{ grpc.WithBlock(), grpc.WithTimeout(c.cfg.DialTimeout), } if c.creds != nil { opts = append(opts, grpc.WithTransportCredentials(*c.creds)) } else { opts = append(opts, grpc.WithInsecure()) } proto := "tcp" if url, uerr := url.Parse(endpoint); uerr == nil && url.Scheme == "unix" { proto = "unix" // strip unix:// prefix so certs work endpoint = url.Host } f := func(a string, t time.Duration) (net.Conn, error) { select { case <-c.ctx.Done(): return nil, c.ctx.Err() default: } return net.DialTimeout(proto, a, t) } opts = append(opts, grpc.WithDialer(f)) conn, err := grpc.Dial(endpoint, opts...) if err != nil { return nil, err } return conn, nil }
func newSession(ctx context.Context, agent *Agent, delay time.Duration, sessionID string, description *api.NodeDescription) *session { s := &session{ agent: agent, sessionID: sessionID, errs: make(chan error, 1), messages: make(chan *api.SessionMessage), assignments: make(chan *api.AssignmentsMessage), subscriptions: make(chan *api.SubscriptionMessage), registered: make(chan struct{}), closed: make(chan struct{}), } // TODO(stevvooe): Need to move connection management up a level or create // independent connection for log broker client. peer, err := agent.config.Managers.Select() if err != nil { s.errs <- err return s } cc, err := grpc.Dial(peer.Addr, grpc.WithTransportCredentials(agent.config.Credentials), grpc.WithTimeout(dispatcherRPCTimeout), ) if err != nil { s.errs <- err return s } s.addr = peer.Addr s.conn = cc go s.run(ctx, delay, description) return s }
func main() { flag.Parse() var err error tls, err := createTLS("127.0.0.1") if err != nil { fmt.Printf("Could not create TLS config %s\n", err) } creds := credentials.NewTLS(tls) conn, err = grpc.Dial(*clientAddress, grpc.WithTransportCredentials(creds)) if err != nil { fmt.Printf("Could not dial client %s\n", err) } defer conn.Close() client = pb.NewTestServiceClient(conn) router := mux.NewRouter() router.StrictSlash(true) router.HandleFunc("/", indexHandler) router.HandleFunc("/hello/", indexHandler) router.HandleFunc("/hello/{name}", helloHandler).Methods("GET") fmt.Printf("Starting server at %s\n", *bind) err = http.ListenAndServe(*bind, router) if err != nil { fmt.Println(err) } }
func discovery() { var err error var opts []grpc.DialOption if insecureDiscovery { opts = append(opts, grpc.WithInsecure()) } else { auth := credentials.NewClientTLSFromCert(nil, getServerName(discoveryServiceURL)) opts = append(opts, grpc.WithTransportCredentials(auth)) } discoveryConn, err = grpc.Dial(discoveryServiceURL, opts...) if err != nil { logrus.Fatalf("grpc.go: error while connection to discovery service %v", err) } discoveryClient = pb.NewDiscoveryClient(discoveryConn) ctx, _ := context.WithTimeout(context.Background(), 5*time.Second) res, err := discoveryClient.Get(ctx, &pb.DiscoveryRequest{ Environment: discoveryEnv, SdkVersion: Version + "-otsimoctl", OsName: runtime.GOOS, }) if err != nil { logrus.Fatalf("grpc:go: failed to get discovery config err=%v", err) } discoveryServices = res }
func getDevopsClient(peerAddress string) (obc.DevopsClient, error) { var opts []grpc.DialOption if viper.GetBool("pki.validity-period.tls.enabled") { var sn string if viper.GetString("pki.validity-period.tls.server-host-override") != "" { sn = viper.GetString("pki.validity-period.tls.server-host-override") } var creds credentials.TransportAuthenticator if viper.GetString("pki.validity-period.tls.cert.file") != "" { var err error creds, err = credentials.NewClientTLSFromFile(viper.GetString("pki.validity-period.tls.cert.file"), sn) if err != nil { grpclog.Fatalf("Failed to create TLS credentials %v", err) } } else { creds = credentials.NewClientTLSFromCert(nil, sn) } opts = append(opts, grpc.WithTransportCredentials(creds)) } opts = append(opts, grpc.WithTimeout(systemChaincodeTimeout)) opts = append(opts, grpc.WithBlock()) opts = append(opts, grpc.WithInsecure()) conn, err := grpc.Dial(peerAddress, opts...) if err != nil { return nil, fmt.Errorf("Error trying to connect to local peer: %s", err) } devopsClient := obc.NewDevopsClient(conn) return devopsClient, nil }
func newSession(ctx context.Context, agent *Agent, delay time.Duration) *session { s := &session{ agent: agent, errs: make(chan error, 1), messages: make(chan *api.SessionMessage), tasks: make(chan *api.TasksMessage), registered: make(chan struct{}), closed: make(chan struct{}), } peer, err := agent.config.Managers.Select() if err != nil { s.errs <- err return s } cc, err := grpc.Dial(peer.Addr, grpc.WithTransportCredentials(agent.config.Credentials), grpc.WithTimeout(dispatcherRPCTimeout), ) if err != nil { s.errs <- err return s } s.addr = peer.Addr s.conn = cc go s.run(ctx, delay) return s }
// NewGRPCConnection is a convenience method that returns GRPC Client Connection given a hostname, endpoint, and TLS options func NewGRPCConnection(hostname string, port string, tlsConfig *tls.Config) (*grpc.ClientConn, error) { var opts []grpc.DialOption netAddr := net.JoinHostPort(hostname, port) creds := credentials.NewTLS(tlsConfig) opts = append(opts, grpc.WithTransportCredentials(creds)) return grpc.Dial(netAddr, opts...) }
// GetRemoteCA returns the remote endpoint's CA certificate func GetRemoteCA(ctx context.Context, d digest.Digest, picker *picker.Picker) (RootCA, error) { // We need a valid picker to be able to Dial to a remote CA if picker == nil { return RootCA{}, fmt.Errorf("valid remote address picker required") } // This TLS Config is intentionally using InsecureSkipVerify. Either we're // doing TOFU, in which case we don't validate the remote CA, or we're using // a user supplied hash to check the integrity of the CA certificate. insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}) opts := []grpc.DialOption{ grpc.WithTransportCredentials(insecureCreds), grpc.WithBackoffMaxDelay(10 * time.Second), grpc.WithPicker(picker)} firstAddr, err := picker.PickAddr() if err != nil { return RootCA{}, err } conn, err := grpc.Dial(firstAddr, opts...) if err != nil { return RootCA{}, err } defer conn.Close() client := api.NewCAClient(conn) response, err := client.GetRootCACertificate(ctx, &api.GetRootCACertificateRequest{}) if err != nil { return RootCA{}, err } if d != "" { verifier, err := digest.NewDigestVerifier(d) if err != nil { return RootCA{}, fmt.Errorf("unexpected error getting digest verifier: %v", err) } io.Copy(verifier, bytes.NewReader(response.Certificate)) if !verifier.Verified() { return RootCA{}, fmt.Errorf("remote CA does not match fingerprint. Expected: %s", d.Hex()) } } // Check the validity of the remote Cert _, err = helpers.ParseCertificatePEM(response.Certificate) if err != nil { return RootCA{}, err } // Create a Pool with our RootCACertificate pool := x509.NewCertPool() if !pool.AppendCertsFromPEM(response.Certificate) { return RootCA{}, fmt.Errorf("failed to append certificate to cert pool") } return RootCA{Cert: response.Certificate, Pool: pool}, nil }
func GRPCClient(addr, token, caFile string) (*RemoteU2FClient, error) { var err error var tCreds credentials.TransportCredentials if caFile == "" { tCreds = credentials.NewClientTLSFromCert(nil, "") } else { tCreds, err = credentials.NewClientTLSFromFile(caFile, "") if err != nil { return nil, fmt.Errorf("error reading CA file: %s", err) } } t := oauth2.Token{ AccessToken: token, TokenType: "Bearer", } rpcCreds := oauth.NewOauthAccess(&t) conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(tCreds), grpc.WithPerRPCCredentials(rpcCreds), grpc.WithBlock(), grpc.WithTimeout(30*time.Second)) if err != nil { return nil, fmt.Errorf("error connecting to server: %s", err) } c := pb.NewRemoteU2FClient(conn) return &RemoteU2FClient{c}, nil }