func NewGRPCClientDialOpt(c *Config) (grpc.DialOption, error) {
var opt grpc.DialOption
if c.InsecureSkipVerify {
return grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})), nil
}
tlsConf, err := NewClientTLSConfig(c)
if err != nil {
return opt, err
}
return grpc.WithTransportCredentials(credentials.NewTLS(tlsConf)), nil
}
// dialSetupOpts gives the dial opts prior to any authentication
func (c *Client) dialSetupOpts(endpoint string, dopts ...grpc.DialOption) (opts []grpc.DialOption) {
if c.cfg.DialTimeout > 0 {
opts = []grpc.DialOption{grpc.WithTimeout(c.cfg.DialTimeout)}
}
opts = append(opts, dopts...)
f := func(host string, t time.Duration) (net.Conn, error) {
proto, host, _ := parseEndpoint(c.balancer.getEndpoint(host))
if proto == "" {
return nil, fmt.Errorf("unknown scheme for %q", host)
}
select {
case <-c.ctx.Done():
return nil, c.ctx.Err()
default:
}
return net.DialTimeout(proto, host, t)
}
opts = append(opts, grpc.WithDialer(f))
creds := c.creds
if _, _, scheme := parseEndpoint(endpoint); len(scheme) != 0 {
creds = c.processCreds(scheme)
}
if creds != nil {
opts = append(opts, grpc.WithTransportCredentials(*creds))
} else {
opts = append(opts, grpc.WithInsecure())
}
return opts
}
//newEventsClientConnectionWithAddress Returns a new grpc.ClientConn to the configured local PEER.
func newEventsClientConnectionWithAddress(peerAddress string) (*grpc.ClientConn, error) {
var opts []grpc.DialOption
if peer.TLSEnabled() {
var sn string
if viper.GetString("peer.tls.serverhostoverride") != "" {
sn = viper.GetString("peer.tls.serverhostoverride")
}
var creds credentials.TransportAuthenticator
if viper.GetString("peer.tls.cert.file") != "" {
var err error
creds, err = credentials.NewClientTLSFromFile(viper.GetString("peer.tls.cert.file"), sn)
if err != nil {
grpclog.Fatalf("Failed to create TLS credentials %v", err)
}
} else {
creds = credentials.NewClientTLSFromCert(nil, sn)
}
opts = append(opts, grpc.WithTransportCredentials(creds))
}
opts = append(opts, grpc.WithTimeout(defaultTimeout))
opts = append(opts, grpc.WithBlock())
opts = append(opts, grpc.WithInsecure())
return grpc.Dial(peerAddress, opts...)
}
func NewContext() *Context {
log := log.New(os.Stderr, "QPM: ", log.LstdFlags)
address := os.Getenv("SERVER")
if address == "" {
address = Address
}
noTls := os.Getenv("NO_TLS") == "1"
var tlsOption grpc.DialOption
if noTls {
tlsOption = grpc.WithInsecure()
} else {
tlsOption = grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, ""))
}
conn, err := grpc.Dial(address, tlsOption, grpc.WithUserAgent(UA))
if err != nil {
log.Fatalf("did not connect: %v", err)
}
return &Context{
Log: log,
Client: msg.NewQpmClient(conn),
}
}
// DialGRPC returns a GRPC connection for use communicating with a Google cloud
// service, configured with the given ClientOptions.
func DialGRPC(ctx context.Context, opts ...option.ClientOption) (*grpc.ClientConn, error) {
var o internal.DialSettings
for _, opt := range opts {
opt.Apply(&o)
}
if o.HTTPClient != nil {
return nil, errors.New("unsupported HTTP client specified")
}
if o.GRPCConn != nil {
return o.GRPCConn, nil
}
if o.TokenSource == nil {
var err error
o.TokenSource, err = google.DefaultTokenSource(ctx, o.Scopes...)
if err != nil {
return nil, fmt.Errorf("google.DefaultTokenSource: %v", err)
}
}
grpcOpts := []grpc.DialOption{
grpc.WithPerRPCCredentials(oauth.TokenSource{o.TokenSource}),
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
}
if appengineDialerHook != nil {
// Use the Socket API on App Engine.
grpcOpts = append(grpcOpts, appengineDialerHook(ctx))
}
grpcOpts = append(grpcOpts, o.GRPCDialOpts...)
if o.UserAgent != "" {
grpcOpts = append(grpcOpts, grpc.WithUserAgent(o.UserAgent))
}
return grpc.Dial(o.Endpoint, grpcOpts...)
}
// ClientSetup loads various TLS certificates and creates a
// gRPC TransportCredentials that presents the client certificate
// and validates the certificate presented by the server is for a
// specific hostname and issued by the provided issuer certificate
// thens dials and returns a grpc.ClientConn to the remote service.
func ClientSetup(c *cmd.GRPCClientConfig, stats metrics.Scope) (*grpc.ClientConn, error) {
if len(c.ServerAddresses) == 0 {
return nil, fmt.Errorf("boulder/grpc: ServerAddresses is empty")
}
if stats == nil {
return nil, errNilScope
}
serverIssuerBytes, err := ioutil.ReadFile(c.ServerIssuerPath)
if err != nil {
return nil, err
}
rootCAs := x509.NewCertPool()
if ok := rootCAs.AppendCertsFromPEM(serverIssuerBytes); !ok {
return nil, fmt.Errorf("Failed to parse server issues from '%s'", c.ServerIssuerPath)
}
clientCert, err := tls.LoadX509KeyPair(c.ClientCertificatePath, c.ClientKeyPath)
if err != nil {
return nil, err
}
grpc_prometheus.EnableHandlingTimeHistogram()
ci := clientInterceptor{stats.NewScope("gRPCClient"), clock.Default(), c.Timeout.Duration}
creds := bcreds.NewClientCredentials(rootCAs, []tls.Certificate{clientCert})
return grpc.Dial(
"", // Since our staticResolver provides addresses we don't need to pass an address here
grpc.WithTransportCredentials(creds),
grpc.WithBalancer(grpc.RoundRobin(newStaticResolver(c.ServerAddresses))),
grpc.WithUnaryInterceptor(ci.intercept),
)
}
func newPeerClientConnection() (*grpc.ClientConn, error) {
var opts []grpc.DialOption
if viper.GetBool("peer.tls.enabled") {
var sn string
if viper.GetString("peer.tls.serverhostoverride") != "" {
sn = viper.GetString("peer.tls.serverhostoverride")
}
var creds credentials.TransportAuthenticator
if viper.GetString("peer.tls.cert.file") != "" {
var err error
creds, err = credentials.NewClientTLSFromFile(viper.GetString("peer.tls.cert.file"), sn)
if err != nil {
grpclog.Fatalf("Failed to create TLS credentials %v", err)
}
} else {
creds = credentials.NewClientTLSFromCert(nil, sn)
}
opts = append(opts, grpc.WithTransportCredentials(creds))
}
opts = append(opts, grpc.WithTimeout(1*time.Second))
opts = append(opts, grpc.WithBlock())
opts = append(opts, grpc.WithInsecure())
conn, err := grpc.Dial(getPeerAddress(), opts...)
if err != nil {
return nil, err
}
return conn, err
}
func TestDropRequestFailedNonFailFast(t *testing.T) {
// Start a backend.
beLis, err := net.Listen("tcp", "localhost:0")
if err != nil {
t.Fatalf("Failed to listen %v", err)
}
beAddr := strings.Split(beLis.Addr().String(), ":")
bePort, err := strconv.Atoi(beAddr[1])
backends := startBackends(t, besn, beLis)
defer stopBackends(backends)
// Start a load balancer.
lbLis, err := net.Listen("tcp", "localhost:0")
if err != nil {
t.Fatalf("Failed to create the listener for the load balancer %v", err)
}
lbCreds := &serverNameCheckCreds{
sn: lbsn,
}
lb := grpc.NewServer(grpc.Creds(lbCreds))
if err != nil {
t.Fatalf("Failed to generate the port number %v", err)
}
be := &lbpb.Server{
IpAddress: []byte(beAddr[0]),
Port: int32(bePort),
LoadBalanceToken: lbToken,
DropRequest: true,
}
var bes []*lbpb.Server
bes = append(bes, be)
sl := &lbpb.ServerList{
Servers: bes,
}
ls := newRemoteBalancer(sl)
lbpb.RegisterLoadBalancerServer(lb, ls)
go func() {
lb.Serve(lbLis)
}()
defer func() {
ls.stop()
lb.Stop()
}()
creds := serverNameCheckCreds{
expected: besn,
}
ctx, _ := context.WithTimeout(context.Background(), 10*time.Second)
cc, err := grpc.DialContext(ctx, besn, grpc.WithBalancer(Balancer(&testNameResolver{
addr: lbLis.Addr().String(),
})), grpc.WithBlock(), grpc.WithTransportCredentials(&creds))
if err != nil {
t.Fatalf("Failed to dial to the backend %v", err)
}
helloC := hwpb.NewGreeterClient(cc)
ctx, _ = context.WithTimeout(context.Background(), 10*time.Millisecond)
if _, err := helloC.SayHello(ctx, &hwpb.HelloRequest{Name: "grpc"}, grpc.FailFast(false)); grpc.Code(err) != codes.DeadlineExceeded {
t.Fatalf("%v.SayHello(_, _) = _, %v, want _, %s", helloC, err, codes.DeadlineExceeded)
}
cc.Close()
}
func (c *pingCommand) Run() error {
app, err := server.New(clibazil.Bazil.Config.DataDir.String())
if err != nil {
return err
}
defer app.Close()
pub := (*[ed25519.PublicKeySize]byte)(&c.Arguments.Pub)
auth := &grpcedtls.Authenticator{
Config: app.GetTLSConfig,
PeerPub: pub,
}
addr := c.Arguments.Addr
conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(auth))
if err != nil {
return fmt.Errorf("did not connect: %v", err)
}
defer conn.Close()
client := wire.NewPeerClient(conn)
r, err := client.Ping(context.Background(), &wire.PingRequest{})
if err != nil {
return fmt.Errorf("could not greet: %v", err)
}
log.Printf("pong: %#v", r)
return nil
}
func NewCaClient(addr string, tls bool, serverHostOverride string, trustedCaFile string) (*CaClient, error) {
var opts []grpc.DialOption
if tls {
var sn string
if serverHostOverride != "" {
sn = serverHostOverride
}
var creds credentials.TransportAuthenticator
if trustedCaFile != "" {
var err error
creds, err = credentials.NewClientTLSFromFile(trustedCaFile, sn)
if err != nil {
return nil, err
}
}
opts = append(opts, grpc.WithTransportCredentials(creds))
}
conn, err := grpc.Dial(addr, opts...)
if err != nil {
return nil, err
}
defer conn.Close()
return &CaClient{
grpcClient: pb.NewCaClient(conn),
}, nil
}
func NewRoloClient(idToken jose.JWT, tls bool, addr, serverHostOverride, trustedCaFile string) (*RoloClient, error) {
var opts []grpc.DialOption
creds := grpcoidc.NewOIDCAccess(&idToken)
opts = append(opts, grpc.WithPerRPCCredentials(creds))
if tls {
var sn string
if serverHostOverride != "" {
sn = serverHostOverride
}
var creds credentials.TransportAuthenticator
if trustedCaFile != "" {
var err error
creds, err = credentials.NewClientTLSFromFile(trustedCaFile, sn)
if err != nil {
return nil, err
}
}
opts = append(opts, grpc.WithTransportCredentials(creds))
}
conn, err := grpc.Dial(addr, opts...)
if err != nil {
return nil, err
}
return &RoloClient{
grpcClient: pb.NewRoloClient(conn),
}, nil
}
func GroupWrite(c *GroupClientConfig) {
defer c.wg.Done()
var err error
var opts []grpc.DialOption
var creds credentials.TransportAuthenticator
creds = credentials.NewTLS(&tls.Config{
InsecureSkipVerify: true,
})
opts = append(opts, grpc.WithTransportCredentials(creds))
conn, err := grpc.Dial(c.addr, opts...)
if err != nil {
log.Fatalln(fmt.Sprintf("Failed to dial server: %s", err))
}
defer conn.Close()
client := gp.NewGroupStoreClient(conn)
w := &gp.WriteRequest{
Value: *c.value,
}
empty := []byte("")
for i, _ := range c.wm {
ctx, _ := context.WithTimeout(context.Background(), 10*time.Second)
c.wm[i].Value = *c.value
w.TimestampMicro = brimtime.TimeToUnixMicro(time.Now())
res, err := client.Write(ctx, c.wm[i])
if err != nil {
log.Println("Client", c.id, ":", err)
}
if res.TimestampMicro > w.TimestampMicro {
log.Printf("TSM is newer than attempted, Key %d-%d Got %s, Sent: %s", c.id, i, brimtime.UnixMicroToTime(res.TimestampMicro), brimtime.UnixMicroToTime(w.TimestampMicro))
}
c.wm[i].Value = empty
}
}
func GroupStreamRead(c *GroupClientConfig) {
defer c.wg.Done()
var err error
var opts []grpc.DialOption
var creds credentials.TransportAuthenticator
creds = credentials.NewTLS(&tls.Config{
InsecureSkipVerify: true,
})
opts = append(opts, grpc.WithTransportCredentials(creds))
conn, err := grpc.Dial(c.addr, opts...)
if err != nil {
log.Fatalln(fmt.Sprintf("Failed to dial server: %s", err))
}
defer conn.Close()
client := gp.NewGroupStoreClient(conn)
stream, err := client.StreamRead(context.Background())
for i, _ := range c.rm {
if err := stream.Send(c.rm[i]); err != nil {
log.Println(err)
continue
}
_, err := stream.Recv()
if err == io.EOF {
return
}
if err != nil {
log.Println(err)
continue
}
}
stream.CloseSend()
}
func serve(opts []grpc.ServerOption) {
grpcServer := grpc.NewServer(opts...)
pb.RegisterYourServiceServer(grpcServer, newServer())
ctx := context.Background()
name := fmt.Sprintf("localhost:%d", *port)
dcreds, err := credentials.NewClientTLSFromFile(*certFile, name)
if err != nil {
fmt.Printf("serve: %v\n", err)
return
}
dopts := []grpc.DialOption{grpc.WithTransportCredentials(dcreds)}
mux := runtime.NewServeMux()
err = pb.RegisterYourServiceHandlerFromEndpoint(ctx, mux, name, dopts)
if err != nil {
fmt.Printf("serve: %v\n", err)
return
}
err = http.ListenAndServeTLS(fmt.Sprintf(":%d", *port), *certFile, *keyFile, grpcHandlerFunc(grpcServer, mux))
if err != nil {
log.Fatal("ListenAndServe: ", err)
}
return
}
func (n *Node) initManagerConnection(ctx context.Context, ready chan<- struct{}) error {
opts := []grpc.DialOption{}
insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})
opts = append(opts, grpc.WithTransportCredentials(insecureCreds))
// Using listen address instead of advertised address because this is a
// local connection.
addr := n.config.ListenControlAPI
opts = append(opts, grpc.WithDialer(
func(addr string, timeout time.Duration) (net.Conn, error) {
return net.DialTimeout("unix", addr, timeout)
}))
conn, err := grpc.Dial(addr, opts...)
if err != nil {
return err
}
state := grpc.Idle
for {
s, err := conn.WaitForStateChange(ctx, state)
if err != nil {
n.setControlSocket(nil)
return err
}
if s == grpc.Ready {
n.setControlSocket(conn)
if ready != nil {
close(ready)
ready = nil
}
} else if state == grpc.Shutdown {
n.setControlSocket(nil)
}
state = s
}
}
func (s *SRVLoader) getConfig() (*pb.NodeConfig, error) {
nconfig := &pb.NodeConfig{}
var opts []grpc.DialOption
var creds credentials.TransportAuthenticator
creds = credentials.NewTLS(&tls.Config{
InsecureSkipVerify: true,
})
opts = append(opts, grpc.WithTransportCredentials(creds))
conn, err := grpc.Dial(s.SyndicateURL, opts...)
if err != nil {
return nconfig, fmt.Errorf("Failed to dial ring server for config: %s", err)
}
defer conn.Close()
client := pb.NewSyndicateClient(conn)
ctx, _ := context.WithTimeout(context.Background(), 10*time.Second)
rr := &pb.RegisterRequest{}
rr.Hostname, _ = os.Hostname()
addrs, _ := net.InterfaceAddrs()
for k, _ := range addrs {
rr.Addrs = append(rr.Addrs, addrs[k].String())
}
rr.Hardware, err = GetHardwareProfile()
if err != nil {
return nconfig, err
}
rr.Tiers = []string{rr.Hostname}
nconfig, err = client.RegisterNode(ctx, rr)
return nconfig, err
}
// DialGRPC returns a GRPC connection for use communicating with a Google cloud
// service, configured with the given ClientOptions.
func DialGRPC(ctx context.Context, opt ...cloud.ClientOption) (*grpc.ClientConn, error) {
var o opts.DialOpt
for _, opt := range opt {
opt.Resolve(&o)
}
if o.HTTPClient != nil {
return nil, errors.New("unsupported HTTP base transport specified")
}
if o.GRPCClient != nil {
return o.GRPCClient, nil
}
if o.TokenSource == nil {
var err error
o.TokenSource, err = google.DefaultTokenSource(ctx, o.Scopes...)
if err != nil {
return nil, fmt.Errorf("google.DefaultTokenSource: %v", err)
}
}
grpcOpts := []grpc.DialOption{
grpc.WithPerRPCCredentials(oauth.TokenSource{o.TokenSource}),
grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
}
grpcOpts = append(grpcOpts, o.GRPCDialOpts...)
if o.UserAgent != "" {
grpcOpts = append(grpcOpts, grpc.WithUserAgent(o.UserAgent))
}
return grpc.Dial(o.Endpoint, grpcOpts...)
}
func benchmarkEchoGRPC(b *testing.B, size int) {
var conn *grpc.ClientConn
var client EchoClient
benchmarkEcho(b, size, listenAndServeGRPC,
func(addr net.Addr) {
var err error
conn, err = grpc.Dial(addr.String(), grpc.WithTransportCredentials(credentials.NewTLS(clientTLSConfig)))
if err != nil {
b.Fatal(err)
}
client = NewEchoClient(conn)
},
func() {
if err := conn.Close(); err != nil {
b.Fatal(err)
}
},
func(echoMsg string) string {
resp, err := client.Echo(context.Background(), &EchoRequest{Msg: echoMsg})
if err != nil {
b.Fatal(err)
}
return resp.Msg
},
)
}
// RegisterGRPCGateway starts the gateway (i.e. reverse proxy) that proxies
// HTTP requests to the appropriate gRPC endpoints.
func (s *adminServer) RegisterGRPCGateway(serverCtx *Context) error {
// Setup HTTP<->gRPC handlers.
var opts []grpc.DialOption
if serverCtx.Insecure {
opts = append(opts, grpc.WithInsecure())
} else {
tlsConfig, err := serverCtx.GetClientTLSConfig()
if err != nil {
return err
}
opts = append(
opts,
// TODO(tamird): remove this timeout. It is currently necessary because
// GRPC will not actually bail on a bad certificate error - it will just
// retry indefinitely. See https://github.com/grpc/grpc-go/issues/622.
grpc.WithTimeout(time.Second),
grpc.WithBlock(),
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
)
}
if err := RegisterAdminHandlerFromEndpoint(s.gwCtx, s.gwMux, serverCtx.Addr, opts); err != nil {
return util.Errorf("error constructing grpc-gateway: %s. are your certificates valid?", err)
}
// Pass all requests for gRPC-based API endpoints to the gateway mux.
s.ServeMux.Handle(apiEndpoint, s.gwMux)
return nil
}
func agentTestEnv(t *testing.T) (*Agent, func()) {
var cleanup []func()
tc := testutils.NewTestCA(t, testutils.AcceptancePolicy(true, true, ""))
cleanup = append(cleanup, func() { tc.Stop() })
agentSecurityConfig, err := tc.NewNodeConfig(ca.AgentRole)
assert.NoError(t, err)
addr := "localhost:4949"
remotes := picker.NewRemotes(api.Peer{Addr: addr})
conn, err := grpc.Dial(addr,
grpc.WithPicker(picker.NewPicker(remotes, addr)),
grpc.WithTransportCredentials(agentSecurityConfig.ClientTLSCreds))
assert.NoError(t, err)
db, cleanupStorage := storageTestEnv(t)
cleanup = append(cleanup, func() { cleanupStorage() })
agent, err := New(&Config{
Executor: &NoopExecutor{},
Managers: remotes,
Conn: conn,
DB: db,
})
return agent, func() {
for i := len(cleanup) - 1; i > 0; i-- {
cleanup[i]()
}
}
}
func (n *Node) initManagerConnection(ctx context.Context, ready chan<- struct{}) error {
opts := []grpc.DialOption{}
insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})
opts = append(opts, grpc.WithTransportCredentials(insecureCreds))
// Using listen address instead of advertised address because this is a
// local connection.
addr := n.config.ListenControlAPI
opts = append(opts, grpc.WithDialer(
func(addr string, timeout time.Duration) (net.Conn, error) {
return net.DialTimeout("unix", addr, timeout)
}))
conn, err := grpc.Dial(addr, opts...)
if err != nil {
return err
}
client := api.NewHealthClient(conn)
for {
resp, err := client.Check(ctx, &api.HealthCheckRequest{Service: "ControlAPI"})
if err != nil {
return err
}
if resp.Status == api.HealthCheckResponse_SERVING {
break
}
time.Sleep(500 * time.Millisecond)
}
n.setControlSocket(conn)
if ready != nil {
close(ready)
}
return nil
}
// Dial establishes a connection for a given endpoint using the client's config
func (c *Client) Dial(endpoint string) (*grpc.ClientConn, error) {
opts := []grpc.DialOption{
grpc.WithBlock(),
grpc.WithTimeout(c.cfg.DialTimeout),
}
if c.creds != nil {
opts = append(opts, grpc.WithTransportCredentials(*c.creds))
} else {
opts = append(opts, grpc.WithInsecure())
}
proto := "tcp"
if url, uerr := url.Parse(endpoint); uerr == nil && url.Scheme == "unix" {
proto = "unix"
// strip unix:// prefix so certs work
endpoint = url.Host
}
f := func(a string, t time.Duration) (net.Conn, error) {
select {
case <-c.ctx.Done():
return nil, c.ctx.Err()
default:
}
return net.DialTimeout(proto, a, t)
}
opts = append(opts, grpc.WithDialer(f))
conn, err := grpc.Dial(endpoint, opts...)
if err != nil {
return nil, err
}
return conn, nil
}
func newSession(ctx context.Context, agent *Agent, delay time.Duration, sessionID string, description *api.NodeDescription) *session {
s := &session{
agent: agent,
sessionID: sessionID,
errs: make(chan error, 1),
messages: make(chan *api.SessionMessage),
assignments: make(chan *api.AssignmentsMessage),
subscriptions: make(chan *api.SubscriptionMessage),
registered: make(chan struct{}),
closed: make(chan struct{}),
}
// TODO(stevvooe): Need to move connection management up a level or create
// independent connection for log broker client.
peer, err := agent.config.Managers.Select()
if err != nil {
s.errs <- err
return s
}
cc, err := grpc.Dial(peer.Addr,
grpc.WithTransportCredentials(agent.config.Credentials),
grpc.WithTimeout(dispatcherRPCTimeout),
)
if err != nil {
s.errs <- err
return s
}
s.addr = peer.Addr
s.conn = cc
go s.run(ctx, delay, description)
return s
}
func main() {
flag.Parse()
var err error
tls, err := createTLS("127.0.0.1")
if err != nil {
fmt.Printf("Could not create TLS config %s\n", err)
}
creds := credentials.NewTLS(tls)
conn, err = grpc.Dial(*clientAddress, grpc.WithTransportCredentials(creds))
if err != nil {
fmt.Printf("Could not dial client %s\n", err)
}
defer conn.Close()
client = pb.NewTestServiceClient(conn)
router := mux.NewRouter()
router.StrictSlash(true)
router.HandleFunc("/", indexHandler)
router.HandleFunc("/hello/", indexHandler)
router.HandleFunc("/hello/{name}", helloHandler).Methods("GET")
fmt.Printf("Starting server at %s\n", *bind)
err = http.ListenAndServe(*bind, router)
if err != nil {
fmt.Println(err)
}
}
func discovery() {
var err error
var opts []grpc.DialOption
if insecureDiscovery {
opts = append(opts, grpc.WithInsecure())
} else {
auth := credentials.NewClientTLSFromCert(nil, getServerName(discoveryServiceURL))
opts = append(opts, grpc.WithTransportCredentials(auth))
}
discoveryConn, err = grpc.Dial(discoveryServiceURL, opts...)
if err != nil {
logrus.Fatalf("grpc.go: error while connection to discovery service %v", err)
}
discoveryClient = pb.NewDiscoveryClient(discoveryConn)
ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)
res, err := discoveryClient.Get(ctx, &pb.DiscoveryRequest{
Environment: discoveryEnv,
SdkVersion: Version + "-otsimoctl",
OsName: runtime.GOOS,
})
if err != nil {
logrus.Fatalf("grpc:go: failed to get discovery config err=%v", err)
}
discoveryServices = res
}
func getDevopsClient(peerAddress string) (obc.DevopsClient, error) {
var opts []grpc.DialOption
if viper.GetBool("pki.validity-period.tls.enabled") {
var sn string
if viper.GetString("pki.validity-period.tls.server-host-override") != "" {
sn = viper.GetString("pki.validity-period.tls.server-host-override")
}
var creds credentials.TransportAuthenticator
if viper.GetString("pki.validity-period.tls.cert.file") != "" {
var err error
creds, err = credentials.NewClientTLSFromFile(viper.GetString("pki.validity-period.tls.cert.file"), sn)
if err != nil {
grpclog.Fatalf("Failed to create TLS credentials %v", err)
}
} else {
creds = credentials.NewClientTLSFromCert(nil, sn)
}
opts = append(opts, grpc.WithTransportCredentials(creds))
}
opts = append(opts, grpc.WithTimeout(systemChaincodeTimeout))
opts = append(opts, grpc.WithBlock())
opts = append(opts, grpc.WithInsecure())
conn, err := grpc.Dial(peerAddress, opts...)
if err != nil {
return nil, fmt.Errorf("Error trying to connect to local peer: %s", err)
}
devopsClient := obc.NewDevopsClient(conn)
return devopsClient, nil
}
func newSession(ctx context.Context, agent *Agent, delay time.Duration) *session {
s := &session{
agent: agent,
errs: make(chan error, 1),
messages: make(chan *api.SessionMessage),
tasks: make(chan *api.TasksMessage),
registered: make(chan struct{}),
closed: make(chan struct{}),
}
peer, err := agent.config.Managers.Select()
if err != nil {
s.errs <- err
return s
}
cc, err := grpc.Dial(peer.Addr,
grpc.WithTransportCredentials(agent.config.Credentials),
grpc.WithTimeout(dispatcherRPCTimeout),
)
if err != nil {
s.errs <- err
return s
}
s.addr = peer.Addr
s.conn = cc
go s.run(ctx, delay)
return s
}
// NewGRPCConnection is a convenience method that returns GRPC Client Connection given a hostname, endpoint, and TLS options
func NewGRPCConnection(hostname string, port string, tlsConfig *tls.Config) (*grpc.ClientConn, error) {
var opts []grpc.DialOption
netAddr := net.JoinHostPort(hostname, port)
creds := credentials.NewTLS(tlsConfig)
opts = append(opts, grpc.WithTransportCredentials(creds))
return grpc.Dial(netAddr, opts...)
}
// GetRemoteCA returns the remote endpoint's CA certificate
func GetRemoteCA(ctx context.Context, d digest.Digest, picker *picker.Picker) (RootCA, error) {
// We need a valid picker to be able to Dial to a remote CA
if picker == nil {
return RootCA{}, fmt.Errorf("valid remote address picker required")
}
// This TLS Config is intentionally using InsecureSkipVerify. Either we're
// doing TOFU, in which case we don't validate the remote CA, or we're using
// a user supplied hash to check the integrity of the CA certificate.
insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})
opts := []grpc.DialOption{
grpc.WithTransportCredentials(insecureCreds),
grpc.WithBackoffMaxDelay(10 * time.Second),
grpc.WithPicker(picker)}
firstAddr, err := picker.PickAddr()
if err != nil {
return RootCA{}, err
}
conn, err := grpc.Dial(firstAddr, opts...)
if err != nil {
return RootCA{}, err
}
defer conn.Close()
client := api.NewCAClient(conn)
response, err := client.GetRootCACertificate(ctx, &api.GetRootCACertificateRequest{})
if err != nil {
return RootCA{}, err
}
if d != "" {
verifier, err := digest.NewDigestVerifier(d)
if err != nil {
return RootCA{}, fmt.Errorf("unexpected error getting digest verifier: %v", err)
}
io.Copy(verifier, bytes.NewReader(response.Certificate))
if !verifier.Verified() {
return RootCA{}, fmt.Errorf("remote CA does not match fingerprint. Expected: %s", d.Hex())
}
}
// Check the validity of the remote Cert
_, err = helpers.ParseCertificatePEM(response.Certificate)
if err != nil {
return RootCA{}, err
}
// Create a Pool with our RootCACertificate
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(response.Certificate) {
return RootCA{}, fmt.Errorf("failed to append certificate to cert pool")
}
return RootCA{Cert: response.Certificate, Pool: pool}, nil
}
func GRPCClient(addr, token, caFile string) (*RemoteU2FClient, error) {
var err error
var tCreds credentials.TransportCredentials
if caFile == "" {
tCreds = credentials.NewClientTLSFromCert(nil, "")
} else {
tCreds, err = credentials.NewClientTLSFromFile(caFile, "")
if err != nil {
return nil, fmt.Errorf("error reading CA file: %s", err)
}
}
t := oauth2.Token{
AccessToken: token,
TokenType: "Bearer",
}
rpcCreds := oauth.NewOauthAccess(&t)
conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(tCreds),
grpc.WithPerRPCCredentials(rpcCreds),
grpc.WithBlock(),
grpc.WithTimeout(30*time.Second))
if err != nil {
return nil, fmt.Errorf("error connecting to server: %s", err)
}
c := pb.NewRemoteU2FClient(conn)
return &RemoteU2FClient{c}, nil
}